Trojaner-Board
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Virusbefall. IE, Firefox und Thunderbird funktionieren nicht mehr ordnungsgemäß. (https://www.trojaner-board.de/61218-virusbefall-ie-firefox-thunderbird-funktionieren-mehr-ordnungsgemaess.html)

Agrajag 03.10.2008 14:58
Virusbefall. IE, Firefox und Thunderbird funktionieren nicht mehr ordnungsgemäß.
 
Guten Tag, meine Damen und Herren,

könnte sich mal jemand meine HJT und Combofix Logfiles ansehen?
Mein Betriebssystem ist Windows XP mit SP3.
Die Maschine ist total am Spinnen. Beim IE und im Firefox öffnen sich, wenn ich Suchergebnisse in Google anklicke irgendwelche Werbeseiten in einem neuen Tab (immer andere, manchmal dubiose Handywerbungen, manchmal Urlaubsbuchungsseiten) und wenn ich den Thunderbird laufen habe kann ich keine Anwendung mehr starten. Es wird dann folgende Fehlermeldung angezeigt:

"Die Anwendung konnte nicht richtig initialisiert werden (0xc0000005). Klicken sie auf "OK", um die Anwendung zu beenden."

Und diese gleich zwei mal hinereinander.

Außerdem erscheint diese Meldung

"Die Anweisung in "0x021873cc" verweist auf Speicher in "x021873cc". Der Vorgang "read" konnte nicht auf dem Speicher durchgeführt werden. "Klicken sie auf "OK", um das Programm zu beenden."

wenn ich Thudnerbird nach Firefox öffne und den Feuerfuchs dann schließe.

Vielen Dank.


Zitat:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:27, on 03.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\SyncroSoft\Pos\H2O\cledx.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\a-squared Anti-Malware\a2service.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
c:\programme\avira\antivir personaledition classic\avcenter.exe
C:\Programme\Safari\Safari.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Programme\iPod\bin\iPodService.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AF8C97B7-52C5-4CFC-9DFC-B8E2E0240D3E} - (no file)
O2 - BHO: (no name) - {BAFDDE8F-BAB5-4076-9A99-0CB612956C71} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe "
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [H2O] C:\Programme\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1606980848-1326574676-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: , dfwcvm.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Programme\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Druckwarteschlange (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

--
End of file - 6345 bytes
Zitat:
"***" - 2008-10-03 12:05:59 Service Pack 3
ComboFix 07-05.27.BV - Running from: "C:\Dokumente und Einstellungen\***\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2008-09-03 to 2008-10-03 ))))))))))))))))))))))))))))))))))


2008-10-02 14:12 49,152 --a------ C:\WINDOWS\nircmd.exe
2008-10-02 13:44 110,592 --a------ C:\WINDOWS\system32\giawpjxb.dll
2008-10-02 13:38 1,671 --ahs---- C:\WINDOWS\system32\RAyyyccf.ini2
2008-10-02 10:25 <DIR> d-------- C:\Programme\a-squared Anti-Malware
2008-10-02 10:17 1,482 --ahs---- C:\WINDOWS\system32\npqsAcdd.ini2
2008-10-02 10:12 41,984 --a------ C:\WINDOWS\system32\pmnnNEVP.dll
2008-10-02 10:11 <DIR> d-------- C:\Programme\Lavasoft
2008-10-02 10:10 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-10-01 11:42 <DIR> d-a------ C:\DOKUME~1\ALLUSE~1\ANWEND~1\TEMP
2008-10-01 11:42 <DIR> d-------- C:\Programme\SpywareBlaster
2008-10-01 11:29 <DIR> d-------- C:\Programme\Trend Micro
2008-10-01 10:32 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\nView_Profiles
2008-09-24 20:43 <DIR> d-------- C:\Programme\Antares
2008-09-24 20:30 87,040 --a------ C:\WINDOWS\system32\ra32sipr.dll
2008-09-24 20:30 85,504 --a------ C:\WINDOWS\system32\encdnet.dll
2008-09-24 20:30 81,920 --a------ C:\WINDOWS\system32\ra3214_4.dll
2008-09-24 20:30 72,704 --a------ C:\WINDOWS\system32\ra3228_8.dll
2008-09-24 20:30 61,952 --a------ C:\WINDOWS\system32\decdnet.dll
2008-09-24 20:30 487,936 --a------ C:\WINDOWS\system32\rmbe3260.dll
2008-09-24 20:30 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-09-24 20:30 352,768 --a------ C:\WINDOWS\system32\pngu3263.dll
2008-09-24 20:30 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-09-24 20:30 21,504 --a------ C:\WINDOWS\system32\ra32dnet.dll
2008-09-24 20:30 131,072 --a------ C:\WINDOWS\system32\pneng50.dll
2008-09-24 20:30 130,560 --a------ C:\WINDOWS\system32\pnc3250.dll
2008-09-24 19:58 <DIR> d-------- C:\Programme\East West
2008-09-23 17:28 <DIR> d-------- C:\Programme\Opera
2008-09-23 17:28 <DIR> d-------- C:\DOKUME~1\***\ANWEND~1\Opera
2008-09-22 21:05 <DIR> d-------- C:\Programme\NCH Swift Sound
2008-09-22 20:19 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\SecTaskMan
2008-09-22 20:18 <DIR> d-------- C:\Programme\Security Task Manager
2008-09-20 21:03 <DIR> d-------- C:\WINDOWS\Prefetch
2008-09-20 19:33 <DIR> d-------- C:\WINDOWS\system32\de
2008-09-20 19:33 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-20 19:33 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-19 23:07 95,232 --------- C:\WINDOWS\system32\eappgnui.dll
2008-09-19 23:07 93,184 --------- C:\WINDOWS\system32\msxml6r.dll
2008-09-19 23:07 9,728 --------- C:\WINDOWS\system32\rwnh.dll
2008-09-19 23:07 9,216 --------- C:\WINDOWS\system32\dot3dlg.dll
2008-09-19 23:07 81,408 --------- C:\WINDOWS\system32\msshavmsg.dll
2008-09-19 23:07 76,800 --------- C:\WINDOWS\system32\qutil.dll
2008-09-19 23:07 712,704 --------- C:\WINDOWS\system32\windowscodecs.dll
2008-09-19 23:07 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-09-19 23:07 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-09-19 23:07 651,264 --------- C:\WINDOWS\system32\dot3ui.dll
2008-09-19 23:07 62,976 --------- C:\WINDOWS\system32\dot3cfg.dll
2008-09-19 23:07 62,464 --------- C:\WINDOWS\system32\qcliprov.dll
2008-09-19 23:07 61,952 --------- C:\WINDOWS\system32\rasqec.dll
2008-09-19 23:07 61,440 --------- C:\WINDOWS\system32\kmsvc.dll
2008-09-19 23:07 6,144 --------- C:\WINDOWS\system32\kbdpash.dll
2008-09-19 23:07 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll
2008-09-19 23:07 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll
2008-09-19 23:07 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll
2008-09-19 23:07 59,392 --------- C:\WINDOWS\system32\eapqec.dll
2008-09-19 23:07 56,832 --------- C:\WINDOWS\system32\dot3msm.dll
2008-09-19 23:07 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-09-19 23:07 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-09-19 23:07 48,640 --------- C:\WINDOWS\system32\dhcpqec.dll
2008-09-19 23:07 412,160 --------- C:\WINDOWS\system32\photometadatahandler.dll
2008-09-19 23:07 40,960 --------- C:\WINDOWS\system32\eappprxy.dll
2008-09-19 23:07 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-09-19 23:07 39,936 --------- C:\WINDOWS\system32\dot3gpclnt.dll
2008-09-19 23:07 39,936 --------- C:\WINDOWS\system32\dimsroam.dll
2008-09-19 23:07 37,376 --------- C:\WINDOWS\system32\l2gpstore.dll
2008-09-19 23:07 346,112 --------- C:\WINDOWS\system32\windowscodecsext.dll
2008-09-19 23:07 33,792 --------- C:\WINDOWS\system32\mmcperf.exe
2008-09-19 23:07 33,792 --------- C:\WINDOWS\system32\eapsvc.dll
2008-09-19 23:07 32,768 --------- C:\WINDOWS\system32\setupn.exe
2008-09-19 23:07 30,720 --------- C:\WINDOWS\system32\eapolqec.dll
2008-09-19 23:07 30,208 --------- C:\WINDOWS\system32\napipsec.dll
2008-09-19 23:07 294,400 --------- C:\WINDOWS\system32\qagentrt.dll
2008-09-19 23:07 290,304 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-09-19 23:07 276,992 --------- C:\WINDOWS\system32\wmphoto.dll
2008-09-19 23:07 26,112 --------- C:\WINDOWS\system32\dot3api.dll
2008-09-19 23:07 233,472 --------- C:\WINDOWS\system32\azroles.dll
2008-09-19 23:07 198,656 --------- C:\WINDOWS\system32\napmontr.dll
2008-09-19 23:07 19,456 --------- C:\WINDOWS\system32\dimsntfy.dll
2008-09-19 23:07 184,832 --------- C:\WINDOWS\system32\eapp3hst.dll
2008-09-19 23:07 184,320 --------- C:\WINDOWS\system32\microsoft.managementconsole.dl l
2008-09-19 23:07 182,272 --------- C:\WINDOWS\system32\eapphost.dll
2008-09-19 23:07 177,664 --------- C:\WINDOWS\system32\napstat.exe
2008-09-19 23:07 155,136 --------- C:\WINDOWS\system32\mssha.dll
2008-09-19 23:07 151,040 --------- C:\WINDOWS\system32\qagent.dll
2008-09-19 23:07 145,408 --------- C:\WINDOWS\system32\onex.dll
2008-09-19 23:07 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-09-19 23:07 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-09-19 23:07 133,120 --------- C:\WINDOWS\system32\dot3svc.dll
2008-09-19 23:07 126,976 --------- C:\WINDOWS\system32\eappcfg.dll
2008-09-19 23:07 12,800 --------- C:\WINDOWS\system32\credssp.dll
2008-09-19 23:07 106,496 --------- C:\WINDOWS\system32\mmcfxcommon.dll
2008-09-19 23:07 10,752 --------- C:\WINDOWS\system32\smtpapi.dll
2008-09-19 23:07 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-09-19 23:07 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-09-16 14:30 <DIR> d-------- C:\Programme\Bonjour
2008-09-16 14:29 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\{3276BE95_AF08_429F_ A64F_CA64CB79BCF6}
2008-09-15 22:38 8,912,896 --a------ C:\Dokumente und Einstellungen\***\ntuser.dat
2008-09-15 22:38 8,912,896 --a------ C:\DOKUME~1\***\ntuser.dat
2008-09-15 19:47 <DIR> d-------- C:\Programme\uTorrent
2008-09-14 22:26 <DIR> d-------- C:\Programme\QuickTime
2008-09-06 10:57 22,528 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-09-06 10:57 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-09-06 10:43 27,136 --a------ C:\WINDOWS\system32\drivers\nchssvad.sys
2008-09-06 10:43 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\NCH Software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )))

2008-10-03 09:00:18 -------- d-----w C:\Programme\Mozilla Thunderbird
2008-10-02 08:03:52 -------- d-----w C:\Programme\eMule
2008-10-02 07:06:42 -------- d-----w C:\Programme\Google
2008-10-01 08:35:03 -------- d-----w C:\Programme\Norton Security Scan
2008-10-01 08:05:42 -------- d-----w C:\Programme\Gemeinsame Dateien\Symantec Shared
2008-09-27 16:26:54 -------- d-----w C:\DOKUME~1\***\ANWEND~1\Skype
2008-09-27 16:12:48 -------- d-----w C:\DOKUME~1\***\ANWEND~1\skypePM
2008-09-24 18:30:00 -------- d-----w C:\Programme\Steinberg
2008-09-23 20:52:39 31,608 ----a-w C:\DOKUME~1\***\ANWEND~1\GDIPFONTCACHEV1.DAT
2008-09-22 19:09:18 -------- d-----w C:\Programme\Audacity
2008-09-22 18:07:36 -------- d-----w C:\Programme\ICQ6
2008-09-22 17:45:00 25,276 ---ha-w C:\WINDOWS\system32\mlfcache.dat
2008-09-20 19:05:36 -------- d-----w C:\DOKUME~1\***\ANWEND~1\uTorrent
2008-09-20 19:05:22 70,580 ----a-w C:\WINDOWS\system32\perfc007.dat
2008-09-20 19:05:22 405,118 ----a-w C:\WINDOWS\system32\perfh007.dat
2008-09-20 17:38:23 -------- d-----w C:\Programme\Messenger
2008-09-20 17:33:15 -------- d-----w C:\Programme\Movie Maker
2008-09-20 17:30:59 -------- d-----w C:\Programme\Windows NT
2008-09-19 12:43:50 -------- d-----w C:\DOKUME~1\***\ANWEND~1\Apple Computer
2008-09-16 12:34:58 -------- d-----w C:\Programme\iPod
2008-09-16 12:30:20 -------- d-----w C:\Programme\Guitar Speed Trainer
2008-09-16 12:30:00 -------- d-----w C:\Programme\iTunes
2008-09-09 08:25:05 -------- d-----w C:\Programme\DivX
2008-09-08 19:15:45 -------- d-----w C:\Programme\Trillian
2008-09-06 08:49:31 -------- d-----w C:\DOKUME~1\***\ANWEND~1\NCH Swift Sound
2008-09-02 08:09:47 -------- d--h--w C:\Programme\InstallShield Installation Information
2008-09-01 08:47:42 -------- d-----w C:\Programme\Finale NotePad 2008
2008-08-29 08:18:58 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 07:53:50 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-28 21:09:47 -------- d-----w C:\DOKUME~1\***\ANWEND~1\Garritan
2008-08-28 21:06:51 -------- d-----w C:\Programme\Garritan
2008-08-28 20:09:28 -------- d-----w C:\Programme\Garritan Personal Orchestra
2008-08-27 20:24:41 48 ---ha-w C:\WINDOWS\system32\ezsidmv.dat
2008-08-27 20:24:12 -------- d-----w C:\Programme\Gemeinsame Dateien\Skype
2008-08-27 19:03:34 -------- d-----w C:\DOKUME~1\***\ANWEND~1\Steinberg
2008-08-27 18:37:07 -------- d-----w C:\Programme\GenieSoft
2008-08-27 16:37:16 -------- d-----w C:\Programme\Digidesign
2008-08-27 16:31:05 -------- d-----w C:\Programme\DAEMON Tools Lite
2008-08-27 16:27:22 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-08-27 16:27:12 -------- d-----w C:\DOKUME~1\***\ANWEND~1\DAEMON Tools
2008-08-23 19:00:41 16 ----a-w C:\WINDOWS\system32\msvcsv60.dll
2008-08-23 19:00:41 16 ----a-w C:\WINDOWS\msocreg32.dat
2008-08-22 07:03:09 -------- d-----w C:\Programme\Guitar Pro 5demo
2008-08-16 15:02:59 -------- d-----w C:\Programme\Apple Software Update
2008-07-25 08:36:00 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-25 08:34:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-07-25 08:34:52 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-07-25 08:34:50 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-07-25 08:34:46 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-07-25 08:34:46 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-07-25 08:34:46 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-07-25 08:34:46 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-07-25 08:34:46 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-07-25 08:34:42 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-07-25 08:34:40 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-07-25 08:34:40 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-07-25 08:34:40 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-07-25 08:34:36 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-07-25 08:34:30 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-07-23 16:50:52 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48:40 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48:40 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46:38 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-18 20:10:48 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10:42 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10:40 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10:20 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09:46 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09:44 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09:44 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09:42 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:07:34 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 20:07:32 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26:58 253,952 ----a-w C:\WINDOWS\system32\es.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-08-14 13:39]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Programme\Java\jre1.6.0_07\bin\ss v.dll [2008-06-10 04:27]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_0 7\bin\jusched.exe" [2008-06-10 04:27]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 17:24]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2007-11-17 15:37]
"H2O"="C:\Programme\SyncroSoft\Pos\H2O\cledx.e xe" [2005-05-11 02:46]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"SpybotSD TeaTimer"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:22]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{54A8264B-AFFB-4614-95FE-0234817EA282}"="C:\WINDOWS\system32\hgGyywVp.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
%SystemRoot%\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=, dfwcvm.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\fccyyyAR

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
napagent


Contents of the 'Scheduled Tasks' folder
2008-08-15 17:31:28 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2008-09-24 17:11:42 C:\WINDOWS\tasks\Norton Security Scan.job

************************************************** ******************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, h**p://www.gmer.net
Rootkit scan 2008-10-03 12:09:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

************************************************** ******************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\T DSSserv]
"imagepath"="\systemroot\system32\drivers\TDSSserv .sys"

Completion time: 2008-10-03 12:11:01
C:\ComboFix2.txt ... 2008-10-02 21:16
C:\ComboFix3.txt ... 2008-10-02 14:12

--- E O F ---

Zu Hilfe, zu Hilfe, sonst biiiin ich verloooren.

cosinus 04.10.2008 11:49
Hallo und :hallo:

Acker diese Punkte für weitere Analysen ab. Beachte, dass die Programme mit Adminrechten ausgeführt werden müssen, was beim ersten Durchlauf mit Combofix bei Dir nicht der Fall zu sein schien:

Zitat:
disk error: C:\WINDOWS\
please note that you need administrator rights to perform deep scan
1.) Stell sicher, daß Dir auch alle Dateien angezeigt werden, danach folgende Dateien bei Virustotal.com auswerten lassen und alle Ergebnisse posten, und zwar so, daß man die der einzelnen Virenscanner sehen kann. Bitte mit Dateigrößen und Prüfsummen:
Code:
2008-10-02 13:44 110,592 --a------ C:\WINDOWS\system32\giawpjxb.dll
2008-10-02 13:38 1,671 --ahs---- C:\WINDOWS\system32\RAyyyccf.ini2
2008-10-02 10:25 <DIR> d-------- C:\Programme\a-squared Anti-Malware
2008-10-02 10:17 1,482 --ahs---- C:\WINDOWS\system32\npqsAcdd.ini2
2008-10-02 10:12 41,984 --a------ C:\WINDOWS\system32\pmnnNEVP.dll
2.) Deaktiviere die Systemwiederherstellung, im Verlauf der Infektion wurden auch Malwaredateien in Wiederherstellungspunkten mitgesichert - die sind alle nun unbrauchbar, da ein Zurücksetzen des System durch einen Wiederherstellungspunkt das System wahrscheinlich wieder infizieren würde.

3.) Führe dieses MBR-Tool aus und poste die Ausgabe

4.) Blacklight und Malwarebytes Antimalware ausführen und Logfiles posten

5.) Führe Silentrunners nach dieser Anleitung aus und poste das Logfile (mit Codetags umschlossen), falls es zu groß sein sollte kannst Du es (gezippt) bei file-upload.net hochladen und hier verlinken.

6.) ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix
  • Lade dir das Tool hier herunter auf den Desktop -> KLICK
Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:
  • Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
    Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.
  • Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.
  • Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.
Wichtiger Hinweis:
Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.
Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

Poste alle Logfiles bitte mit Codetags umschlossen (#-Button) also so:

HTML-Code:
[code] Hier das Logfile rein! [/code]
7.) Mach auch ein Filelisting mit diesem script:
  • Script abspeichern per Rechtsklick, speichern unter auf dem Desktop
  • Doppelklick auf listing8.cmd auf dem Desktop
  • nach kurzer Zeit erscheint eine listing.txt auf dem Desktop

Diese listing.txt z.B. bei File-Upload.net hochladen und hier verlinken, da dieses Logfile zu groß fürs Board ist.

8.) Poste ein neues Hijackthis Logfile, nimm dazu diese umbenannte hijackthis.exe - editiere die Links und privaten Infos!!

Agrajag 05.10.2008 11:29
Nun:
Virustotalauswertungen:

1.: Die Datei C:\WINDOWS\system32\giawpjxb.dll

Code:
Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.10.3.0 2008.10.02 - AntiVir 7.8.1.34 2008.10.02 - Authentium 5.1.0.4 2008.10.02 - Avast 4.8.1248.0 2008.10.02 - AVG 8.0.0.161 2008.10.02 - BitDefender 7.2 2008.10.03 - CAT-QuickHeal 9.50 2008.10.01 - ClamAV 0.93.1 2008.10.02 - DrWeb 4.44.0.09170 2008.10.02 - eSafe 7.0.17.0 2008.10.02 Suspicious File eTrust-Vet 31.6.6125 2008.10.02 Win32/VundoCryptorT!generic Ewido 4.0 2008.10.02 - F-Prot 4.4.4.56 2008.10.02 - F-Secure 8.0.14332.0 2008.10.02 - Fortinet 3.113.0.0 2008.10.02 - GData 19 2008.10.02 - Ikarus T3.1.1.34.0 2008.10.02 - K7AntiVirus 7.10.481 2008.10.02 - Kaspersky 7.0.0.125 2008.10.02 - McAfee 5397 2008.10.02 - Microsoft 1.4005 2008.10.03 Trojan:Win32/Vundo.gen!R NOD32 3490 2008.10.02 - Norman 5.80.02 2008.10.02 - Panda 9.0.0.4 2008.10.03 - PCTools 4.4.2.0 2008.10.02 - Prevx1 V2 2008.10.03 Cloaked Malware Rising 20.63.62.00 2008.09.28 Packer.Win32.Agent.v SecureWeb-Gateway 6.7.6 2008.10.02 Win32.Malware.gen (suspicious) Sophos 4.34.0 2008.10.02 Troj/Virtum-Gen Sunbelt 3.1.1675.1 2008.09.27 - Symantec 10 2008.10.02 - TheHacker 6.3.1.0.099 2008.10.03 - TrendMicro 8.700.0.1004 2008.10.02 Possible_Vundo-5 VBA32 3.12.8.6 2008.10.02 - ViRobot 2008.10.2.1403 2008.10.02 - VirusBuster 4.5.11.0 2008.10.02 Trojan.Monder.Gen!Pac weitere Informationen File size: 110592 bytes MD5...: 3725b3655e94fbcc144ad770de0dd587 SHA1..: ad969facd2e3db97daff1f39c65dbdbcdebe1bbb SHA256: 3c14021086002ae93e8fe9d05440b03612285dbe0121c6eecf19f13cb36e48de SHA512: abde98411d1a9eb9af7c16db28f5572e847748855f5964263d070404646fdcfe 7c4c4224a930f0d8566789c37dfb6bcb0aa7cec70005f61802d9405df0fa5938 PEiD..: - TrID..: File type identification Win32 Executable Generic (38.4%) Win32 Dynamic Link Library (generic) (34.2%) Clipper DOS Executable (9.1%) Generic Win/DOS Executable (9.0%) DOS Executable Generic (9.0%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x10001000 timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x16000 0x16000 8.00 d7deca0f5bf31c2d5ce29ddda1f2d0d2 .data 0x17000 0x1000 0x400 4.75 66c59ab03ab7e5421e05893deb5c7628 .rdata 0x18000 0x27000 0x4800 7.77 0028dd296a2af28c54a4b48de6713213 ( 3 imports ) > USER32.dll: OemToCharBuffA, MessageBoxA, MessageBeep, LoadCursorFromFileA, LoadCursorA, EndPaint, EndDialog, EmptyClipboard, DrawTextA, DestroyCursor, CreateIconFromResourceEx, CreateDesktopA, CopyRect, CharToOemBuffA, CharNextA, ActivateKeyboardLayout > KERNEL32.dll: lstrcmpiA, ReadFile, MapViewOfFile, InitializeCriticalSection, GetVersionExA, GetSystemTimeAsFileTime, GetStartupInfoA, GetModuleHandleA, ExitProcess, EnumResourceTypesA, EnumResourceLanguagesA, CloseHandle > ADVAPI32.dll: RegQueryValueA, RegOpenKeyExA, RegCloseKey ( 0 exports ) Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=78AF089600DD6659B02C01F03C6841001AA26152
2.: Die Datei C:\WINDOWS\system32\RAyyyccf.ini2

Code:
Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.10.3.2 2008.10.03 - AntiVir 7.8.1.34 2008.10.04 - Authentium 5.1.0.4 2008.10.04 - Avast 4.8.1248.0 2008.10.04 - AVG 8.0.0.161 2008.10.04 - BitDefender 7.2 2008.10.05 - CAT-QuickHeal 9.50 2008.10.04 - ClamAV 0.93.1 2008.10.04 - DrWeb 4.44.0.09170 2008.10.05 - eSafe 7.0.17.0 2008.10.02 - eTrust-Vet 31.6.6129 2008.10.04 - Ewido 4.0 2008.10.05 - F-Prot 4.4.4.56 2008.10.04 - F-Secure 8.0.14332.0 2008.10.05 - Fortinet 3.113.0.0 2008.10.04 - GData 19 2008.10.05 - Ikarus T3.1.1.34.0 2008.10.05 - K7AntiVirus 7.10.484 2008.10.04 - Kaspersky 7.0.0.125 2008.10.05 - McAfee 5398 2008.10.04 - Microsoft 1.4005 2008.10.05 - NOD32 3495 2008.10.04 - Norman 5.80.02 2008.10.03 - Panda 9.0.0.4 2008.10.04 - PCTools 4.4.2.0 2008.10.04 - Prevx1 V2 2008.10.05 - Rising 20.63.62.00 2008.09.28 - SecureWeb-Gateway 6.7.6 2008.10.05 - Sophos 4.34.0 2008.10.05 - Sunbelt 3.1.1675.1 2008.09.27 - Symantec 10 2008.10.05 - TheHacker 6.3.1.0.101 2008.10.04 - TrendMicro 8.700.0.1004 2008.10.03 - VBA32 3.12.8.6 2008.10.04 - ViRobot 2008.10.4.1406 2008.10.04 - VirusBuster 4.5.11.0 2008.10.04 - weitere Informationen File size: 1671 bytes MD5...: 7bc3098752473c4828ce3b1c22815f91 SHA1..: 7fdfc2773e9526c5caa73a553a8eca9831f93fb2 SHA256: 67018d8f4667869ff9fdefc41876cbf262b756627c71ff0a40fe9ca625a43469 SHA512: 4720bdbf6436896a97249179d5097277785c9594d8b2e603ce3745fdadff3cad dff458eb00bb97a05078adac2d296988d752bcae812290256d549e2f33792e69 PEiD..: - TrID..: File type identification Unknown! PEInfo: -
3.: Die Datei C:\Programme\a-squared Anti-Malware

Wurde schon entfernt.

4.: Die Datei C:\WINDOWS\system32\npqsAcdd.ini2

Code:
Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.10.3.2 2008.10.03 - AntiVir 7.8.1.34 2008.10.04 - Authentium 5.1.0.4 2008.10.04 - Avast 4.8.1248.0 2008.10.04 - AVG 8.0.0.161 2008.10.04 - BitDefender 7.2 2008.10.05 - CAT-QuickHeal 9.50 2008.10.04 - ClamAV 0.93.1 2008.10.04 - DrWeb 4.44.0.09170 2008.10.05 - eSafe 7.0.17.0 2008.10.02 - eTrust-Vet 31.6.6129 2008.10.04 - Ewido 4.0 2008.10.05 - F-Prot 4.4.4.56 2008.10.04 - F-Secure 8.0.14332.0 2008.10.05 - Fortinet 3.113.0.0 2008.10.04 - GData 19 2008.10.05 - Ikarus T3.1.1.34.0 2008.10.05 - K7AntiVirus 7.10.484 2008.10.04 - Kaspersky 7.0.0.125 2008.10.05 - McAfee 5398 2008.10.04 - Microsoft 1.4005 2008.10.05 - NOD32 3495 2008.10.04 - Norman 5.80.02 2008.10.03 - Panda 9.0.0.4 2008.10.04 - PCTools 4.4.2.0 2008.10.04 - Prevx1 V2 2008.10.05 - Rising 20.63.62.00 2008.09.28 - SecureWeb-Gateway 6.7.6 2008.10.05 - Sophos 4.34.0 2008.10.05 - Sunbelt 3.1.1675.1 2008.09.27 - Symantec 10 2008.10.05 - TheHacker 6.3.1.0.101 2008.10.04 - TrendMicro 8.700.0.1004 2008.10.03 - VBA32 3.12.8.6 2008.10.04 - ViRobot 2008.10.4.1406 2008.10.04 - VirusBuster 4.5.11.0 2008.10.04 - weitere Informationen File size: 1482 bytes MD5...: 77d305813d7bf4f90278330bbc58a173 SHA1..: 24d32b6b22fcfb3e7f4b503ca6e68e42a1f277dd SHA256: 1f4ddff894ff57f7b3c0980a056f1bffbbe92a549a83467172d031a1edcd7c5f SHA512: b7fe475f7f11e67637a006e8978c6e3cb188a7e1564e027bc0c916000d05dda0 bdc804418564e229110cc275bf1bb3e844e5240876b2dfe514dcf61d19e12d96 PEiD..: - TrID..: File type identification Unknown! PEInfo: -
5.: Die Datei C:\WINDOWS\system32\pmnnNEVP.dll

Ist nicht mehr vorhanden.

MBR Ausgabe:

Code:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully user & kernel MBR OK
Blacklight Log:

Code:
10/05/08 11:39:59 [Info]: BlackLight Engine 2.2.1092 initialized 10/05/08 11:39:59 [Info]: OS: 5.1 build 2600 (Service Pack 3) 10/05/08 11:39:59 [Note]: 7019 4 10/05/08 11:39:59 [Note]: 7005 0 10/05/08 11:40:05 [Note]: 7006 0 10/05/08 11:40:05 [Note]: 7011 1464 10/05/08 11:40:05 [Note]: 7035 0 10/05/08 11:40:05 [Note]: 7026 0 10/05/08 11:40:05 [Note]: 7026 0 10/05/08 11:40:07 [Note]: FSRAW library version 1.7.1024 10/05/08 11:40:15 [Note]: 2000 1012 10/05/08 11:40:15 [Note]: 2000 1012 10/05/08 11:40:38 [Note]: 7007 0
Hier ist die Malwarebytes Log:

Code:
Malwarebytes' Anti-Malware 1.28 Datenbank Version: 1229 Windows 5.1.2600 Service Pack 3 05.10.2008 11:22:45 mbam-log-2008-10-05 (11-22-45).txt Scan-Methode: Vollständiger Scan (C:\|F:\|) Durchsuchte Objekte: 114659 Laufzeit: 40 minute(s), 27 second(s) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 9 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 2 Infizierte Verzeichnisse: 0 Infizierte Dateien: 8 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully. Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SecTaskMan\ddcAsqpn.dll.q_804E003_q (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SecTaskMan\fccyyyAR.dll.q_804DA03_q (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\pmnnNEVP.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\BM0fbe0649.xml (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\BM0fbe0649.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Agrajag 05.10.2008 11:30
Die Silentrunners Log:

Code:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"] "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."] "avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"] "TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "H2O" = "C:\Programme\SyncroSoft\Pos\H2O\cledx.exe" ["Team H2O"] "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung" \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders" -> {HKLM...CLSID} = "Meine freigegebenen Ordner" \InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>> "{54A8264B-AFFB-4614-95FE-0234817EA282}" = "*[*j**J**j*j]***" (unwritable string) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\hgGyywVp.dll" [file not found] HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ <<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\fccyyyAR" HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ <<!>> "BootExecute" = "autocheck autochk /r \??\F:"|"autocheck autochk *"|"lsdelete" [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] WinUHA\(Default) = "{095177B8-8097-4D32-9081-A8949C47020E}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\WinUHA\shelluha.dll" [null data] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] WinUHA\(Default) = "{095177B8-8097-4D32-9081-A8949C47020E}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\WinUHA\shelluha.dll" [null data] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "NoDispBackgroundPage" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|Control Panel|Display| Hide Desktop tab} "NoDispScrSavPage" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Dokumente und Einstellungen\DaviD\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ iTunesBurnCDOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.BurnCD" "InvokeVerb" = "burn" HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."] iTunesImportSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ImportSongsOnCD" "InvokeVerb" = "import" HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."] iTunesPlaySongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.PlaySongsOnCD" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."] iTunesShowSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ShowSongsOnCD" "InvokeVerb" = "showsongs" HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."] PDVDPlayDVDMovieOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "DVD" "InvokeVerb" = "PlayWithPowerDVD" HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Programme\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."] RPCDBurningOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.CDBurn.6" "InvokeVerb" = "open" HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."] RPDeviceOnArrival\ "Provider" = "RealPlayer" "ProgID" = "RealPlayer.HWEventHandler" HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}" -> {HKLM...CLSID} = "RealNetworks Scheduler" \LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."] RPPlayCDAudioOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.AudioCD.6" "InvokeVerb" = "play" HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /play %1 " ["RealNetworks, Inc."] RPPlayDVDMovieOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.DVD.6" "InvokeVerb" = "play" HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /dvd %1 " ["RealNetworks, Inc."] RPPlayMediaOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.AutoPlay.6" "InvokeVerb" = "open" HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."] Enabled Scheduled Tasks: ------------------------ "AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."] "Norton Security Scan" -> launches: "C:\Programme\Norton Security Scan\Nss.exe /scan-full /scheduled" ["Symantec Corporation"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Inc."] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."] {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ "MenuText" = "Spybot - Search & Destroy Configuration" "CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}" -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {E2E2DD38-D088-4134-82B7-F2BA38496583}\ "MenuText" = "@xpsp3res.dll,-20001" "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS] {E59EB121-F339-4851-A3BA-FE49C35617C2}\ "ButtonText" = "ICQ6" "MenuText" = "ICQ6" "Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Guard, AntiVirService, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"] AntiVir PersonalEdition Classic Planer, AntiVirScheduler, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"] Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."] Bonjour-Dienst, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Inc."] Lavasoft Ad-Aware Service, aawservice, "C:\Programme\Lavasoft\Ad-Aware\aawservice.exe" ["Lavasoft"] NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ SUGS2 Langmon\Driver = "SUGS2LMK.DLL" ["Samsung Electronics."] ---------- (launch time: 2008-10-05 11:42:13) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 12 seconds. ---------- (total run time: 59 seconds)

Agrajag 05.10.2008 11:31
Und die Combofix Log:

Code:
ComboFix 08-10-04.07 - *** 2008-10-05 12:06:13.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1031.18.1689 [GMT 2:00]

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_005819_.tmp.dll
C:\WINDOWS\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\evofhwfn.ini
C:\WINDOWS\system32\giawpjxb.dll
C:\WINDOWS\system32\jvmlwrou.ini
C:\WINDOWS\system32\msvcsv60.dll
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssservers.dat

.
(((((((((((((((((((((((((((((((((((((((  Treiber/Dienste  )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV
-------\Legacy_PACKET
-------\Legacy_SYSREST.SYS
-------\Service_Packet
-------\Service_sysrest.sys


(((((((((((((((((((((((  Dateien erstellt von 2008-09-05 bis 2008-10-05  ))))))))))))))))))))))))))))))
.

2008-10-05 10:41 . 2008-10-05 10:41        <DIR>        d--------        C:\Programme\Malwarebytes' Anti-Malware
2008-10-05 10:41 . 2008-10-05 10:41        <DIR>        d--------        C:\Dokumente und Einstellungen\***\Anwendungsdaten\Malwarebytes
2008-10-05 10:41 . 2008-10-05 10:41        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-10-05 10:41 . 2008-09-10 00:04        38,528        --a------        C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-05 10:41 . 2008-09-10 00:03        17,200        --a------        C:\WINDOWS\system32\drivers\mbam.sys
2008-10-02 14:12 . 2005-11-09 00:26        38,400        --a------        C:\WINDOWS\system32\moveex.exe
2008-10-02 13:38 . 2008-10-02 14:10        1,671        --ahs----        C:\WINDOWS\system32\RAyyyccf.ini2
2008-10-02 13:38 . 2008-10-02 14:10        1,671        --ahs----        C:\WINDOWS\system32\RAyyyccf.ini
2008-10-02 10:17 . 2008-10-02 13:16        1,482        --ahs----        C:\WINDOWS\system32\npqsAcdd.ini2
2008-10-02 10:17 . 2008-10-02 13:19        459        --ahs----        C:\WINDOWS\system32\npqsAcdd.ini
2008-10-02 10:11 . 2008-10-02 10:11        <DIR>        d--------        C:\Programme\Lavasoft
2008-10-02 10:10 . 2008-10-02 10:10        <DIR>        d--------        C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-10-01 11:42 . 2008-10-05 11:18        <DIR>        d--------        C:\Programme\SpywareBlaster
2008-10-01 11:42 . 2008-10-02 09:16        <DIR>        d-a------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-10-01 11:29 . 2008-10-01 11:29        <DIR>        d--------        C:\Programme\Trend Micro
2008-10-01 10:32 . 2008-10-01 10:32        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\nView_Profiles
2008-09-24 20:43 . 2008-09-24 20:43        <DIR>        d--------        C:\Programme\Antares
2008-09-24 19:58 . 2008-09-24 19:58        <DIR>        d--------        C:\Programme\East West
2008-09-23 17:28 . 2008-09-23 17:28        <DIR>        d--------        C:\Programme\Opera
2008-09-22 21:05 . 2008-09-22 21:12        <DIR>        d--------        C:\Programme\NCH Swift Sound
2008-09-22 20:19 . 2008-10-05 11:53        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SecTaskMan
2008-09-22 20:18 . 2008-09-22 23:35        <DIR>        d--------        C:\Programme\Security Task Manager
2008-09-20 19:33 . 2008-09-20 19:33        <DIR>        d--------        C:\WINDOWS\system32\de
2008-09-20 19:33 . 2008-09-20 19:33        <DIR>        d--------        C:\WINDOWS\system32\bits
2008-09-20 19:33 . 2008-09-20 19:33        <DIR>        d--------        C:\WINDOWS\l2schemas
2008-09-20 03:04 . 2008-09-20 03:04        118        --a------        C:\WINDOWS\system32\MRT.INI
2008-09-19 12:35 . 2008-04-11 21:04        691,712        -----c---        C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-19 12:14 . 2008-05-01 16:34        331,776        -----c---        C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-16 14:30 . 2008-09-16 14:30        <DIR>        d--------        C:\Programme\Bonjour
2008-09-16 14:29 . 2008-09-16 14:29        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-15 19:47 . 2008-09-15 19:47        <DIR>        d--------        C:\Programme\uTorrent
2008-09-14 22:26 . 2008-09-14 22:28        <DIR>        d--------        C:\Programme\QuickTime
2008-09-06 15:09 . 2008-09-06 15:09        90,112        --a------        C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09        57,344        --a------        C:\WINDOWS\system32\QuickTime.qts
2008-09-06 10:57 . 2001-03-17 21:34        22,528        --a------        C:\WINDOWS\system32\WNASPI32.DLL
2008-09-06 10:57 . 2002-07-17 08:05        16,512        --a------        C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-09-06 10:43 . 2008-09-06 10:43        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NCH Software
2008-09-06 10:43 . 2008-09-06 10:43        27,136        --a------        C:\WINDOWS\system32\drivers\nchssvad.sys

.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-05 09:52        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-10-05 09:15        ---------        d-----w        C:\Programme\Mozilla Thunderbird
2008-10-03 16:01        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Symantec Shared
2008-10-03 16:00        ---------        d-----w        C:\Programme\Norton Security Scan
2008-10-02 08:03        ---------        d-----w        C:\Programme\eMule
2008-10-02 07:06        ---------        d-----w        C:\Programme\Google
2008-09-27 16:26        ---------        d-----w        C:\Dokumente und Einstellungen\***\Anwendungsdaten\Skype
2008-09-27 16:12        ---------        d-----w        C:\Dokumente und Einstellungen\***\Anwendungsdaten\skypePM
2008-09-24 18:30        ---------        d-----w        C:\Programme\Steinberg
2008-09-23 20:52        31,608        ----a-w        C:\Dokumente und Einstellungen\***\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-09-22 19:09        ---------        d-----w        C:\Programme\Audacity
2008-09-22 18:07        ---------        d-----w        C:\Programme\ICQ6
2008-09-21 07:16        ---------        d-----w        C:\Programme\Spybot - Search & Destroy
2008-09-20 19:05        ---------        d-----w        C:\Dokumente und Einstellungen\***\Anwendungsdaten\uTorrent
2008-09-19 12:43        ---------        d-----w        C:\Dokumente und Einstellungen\***\Anwendungsdaten\Apple Computer
2008-09-16 12:34        ---------        d-----w        C:\Programme\iPod
2008-09-16 12:30        ---------        d-----w        C:\Programme\iTunes
2008-09-16 12:30        ---------        d-----w        C:\Programme\Guitar Speed Trainer
2008-09-09 08:25        ---------        d-----w        C:\Programme\DivX
2008-09-08 19:15        ---------        d-----w        C:\Programme\Trillian
2008-09-06 08:49        ---------        d-----w        C:\Dokumente und Einstellungen\***\Anwendungsdaten\NCH Swift Sound
2008-09-06 08:45        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\NCH Swift Sound
2008-09-02 08:09        ---------        d--h--w        C:\Programme\InstallShield Installation Information
2008-09-01 08:47        ---------        d-----w        C:\Programme\Finale NotePad 2008
2008-08-28 21:09        ---------        d-----w        C:\Dokumente und Einstellungen\***\Anwendungsdaten\Garritan
2008-08-28 21:06        ---------        d-----w        C:\Programme\Garritan
2008-08-28 20:09        ---------        d-----w        C:\Programme\Garritan Personal Orchestra
2008-08-27 20:24        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Skype
2008-08-27 19:03        ---------        d-----w        C:\Dokumente und Einstellungen\***\Anwendungsdaten\Steinberg
2008-08-27 18:37        ---------        d-----w        C:\Programme\GenieSoft
2008-08-27 16:37        ---------        d-----w        C:\Programme\Digidesign
2008-08-27 16:31        ---------        d-----w        C:\Programme\DAEMON Tools Lite
2008-08-27 16:27        717,296        ----a-w        C:\WINDOWS\system32\drivers\sptd.sys
2008-08-27 16:27        ---------        d-----w        C:\Dokumente und Einstellungen\***\Anwendungsdaten\DAEMON Tools
2008-08-22 07:03        ---------        d-----w        C:\Programme\Guitar Pro 5demo
2008-08-16 15:02        ---------        d-----w        C:\Programme\Apple Software Update
2008-08-13 22:16        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2007-11-17 15:11        32        ----a-w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2001-11-23 04:08        712,704        ----a-r        C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2007-11-17 185896]
"H2O"="C:\Programme\SyncroSoft\Pos\H2O\cledx.exe" [2005-05-11 200069]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 7311360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= dfwcvm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.JPGL"= jpgl.dll
"aux1"= ctwdm32.dll
"midi6"= mapledxp.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2008-04-20 22336]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-07-18 45376]
R1 mapledxp;mapledxp;C:\WINDOWS\system32\drivers\mapledxp.SYS [2004-05-09 24720]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 33792]
S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]
S3 DivioUSBDCam;D-Link USB CCD Video Camera;C:\WINDOWS\system32\DRIVERS\pcam.sys [2000-11-30 179468]
.
Inhalt des "geplante Tasks" Ordners

2008-08-15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-10-03 C:\WINDOWS\Tasks\Norton Security Scan.job
- C:\Programme\Norton Security Scan\Nss.exe [2008-01-09 05:08]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

BHO-{AF8C97B7-52C5-4CFC-9DFC-B8E2E0240D3E} - (no file)
BHO-{BAFDDE8F-BAB5-4076-9A99-0CB612956C71} - (no file)
ShellExecuteHooks-{54A8264B-AFFB-4614-95FE-0234817EA282} - (no file)
Notify-WgaLogon - (no file)


.
------- Zusätzlicher Suchlauf -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\lpd2msfz.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.de/
FF -: plugin - C:\Programme\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, h**p://www.gmer.net
Rootkit scan 2008-10-05 12:11:55
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere laufende Prozesse ------------------------
.
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-10-05 12:18:31 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2008-10-05 10:18:27
ComboFix2.txt  2008-10-03 10:11:01

Vor Suchlauf: 10 Verzeichnis(se), 60,338,233,344 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 60,242,681,856 Bytes frei

188        --- E O F ---        2008-09-21 14:02:27

Agrajag 05.10.2008 11:37
Mache ich was falsch? Bei dem listing Script kommt nur das raus:

Code:
echo LISTING FILE von root24; 28.01.2008  > %temp%\listing.txt

echo "------ SYSTEMROOT ---" >> %temp%\listing.txt
%systemdrive%
cd\
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt


echo "------ SYSTEM32 ---" >> %temp%\listing.txt
cd %windir%
cd system32
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ DOWNLOADED INSTALLATIONS ---" >> %temp%\listing.txt
cd %windir%
cd "Downloaded Installations"
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ DOWNLOADED PROGRAM FILES ---" >> %temp%\listing.txt
cd %windir%
cd "Downloaded Program Files"
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ SYSTEM32-DRIVERS ---" >> %temp%\listing.txt
cd %windir%
cd system32
cd drivers
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt


echo "------ PREFETCH ---" >> %temp%\listing.txt
cd %windir%
cd prefetch
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt


echo "------ TASKS ---" >> %temp%\listing.txt
cd %windir%
cd tasks
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt


echo "------ WINDIR ---" >> %temp%\listing.txt
cd %windir%
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt


echo "------ WINDIR\SYSTEM ---" >> %temp%\listing.txt
cd system
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt


echo "------ WINDOWS\TEMP ---" >> %temp%\listing.txt
cd %windir%
cd temp
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt


echo "------ USER\TEMP ---" >> %temp%\listing.txt
cd %temp%
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt


echo "------ PROGRAMS ---" >> %temp%\listing.txt
cd %programfiles%
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt


echo "------ ALLUSERS ---" >> %temp%\listing.txt
cd %allusersprofile%
cd anwendungsdaten
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ USERS ---" >> %temp%\listing.txt
cd %userprofile%
cd anwendungsdaten
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

cd %temp%
copy /y listing.txt "%userprofile%"\desktop\listing.txt

Agrajag 05.10.2008 11:40
Hier die HJT Log:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:38, on 05.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Programme\Safari\Safari.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Downloads\qlketzd.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [H2O] C:\Programme\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:  dfwcvm.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Druckwarteschlange (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

--
End of file - 5436 bytes

cosinus 05.10.2008 21:09
Unübersichtlicher kann man nicht posten. :balla:
Poste bitte die Ergebnisse von Virustotal vollständig und so, dass man nicht quer rechts scrollen muss.

Wegen der filelisting-Datei: Ist so nat. falsch gewesen, versuch es so: Geh in Arbeitsplatz / Extras / Ordneroptionen / Ansicht - dort den Haken rausnehmen bei "Erweiterungen bei bekannten Dateitypen ausblenden", fortan werden Dir bei (fast) allen Dateien auch die Endungen angezeigt.

Stell dann sicher, dass mein CMD-Scrript auch tatsächlich dann die Endung .CMD hat und kein .TXT oder so. Sie sollte dann dieses Symbol haben

http://mitglied.lycos.de/efunction/tb/img/cmdsymbol.PNG

Danach sollte durch ein Doppelklick das Script auch ausgeführt werden.

Agrajag 05.10.2008 23:06
C:\WINDOWS\system32\RAyyyccf.ini2

Zitat:
Datei RAyyyccf.ini2 empfangen 2008.10.05 23:59:38 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 0/36 (0%)
Laden der Serverinformationen...
Ihre Datei wartet momentan auf Position: 2.
Geschätzte Startzeit is zwischen 42 und 60 Sekunden.
Dieses Fenster bis zum Abschluss des Scans nicht schließen.
Der Scanner, welcher momentan Ihre Datei bearbeitet ist momentan gestoppt. Wir warten einige Sekunden um Ihr Ergebnis zu erstellen.
Falls Sie längern als fünf Minuten warten, versenden Sie bitte die Datei erneut.
Ihre Datei wird momentan von VirusTotal überprüft,
Ergebnisse werden sofort nach der Generierung angezeigt.
Filter Filter
Drucken der Ergebnisse Drucken der Ergebnisse
Datei existiert nicht oder dessen Lebensdauer wurde überschritten
Dienst momentan gestoppt. Ihre Datei befindet sich in der Warteschlange (position: ). Diese wird abgearbeitet, wenn der Dienst wieder startet.

SIe können auf einen automatischen reload der homepage warten, oder ihre email in das untere formular eintragen. Klicken Sie auf "Anfragen", damit das System sie benachrichtigt wenn die Überprüfung abgeschlossen ist.
Email:

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.10.3.2 2008.10.03 -
AntiVir 7.8.1.34 2008.10.04 -
Authentium 5.1.0.4 2008.10.05 -
Avast 4.8.1248.0 2008.10.05 -
AVG 8.0.0.161 2008.10.05 -
BitDefender 7.2 2008.10.05 -
CAT-QuickHeal 9.50 2008.10.04 -
ClamAV 0.93.1 2008.10.05 -
DrWeb 4.44.0.09170 2008.10.05 -
eSafe 7.0.17.0 2008.10.05 -
eTrust-Vet 31.6.6129 2008.10.04 -
Ewido 4.0 2008.10.05 -
F-Prot 4.4.4.56 2008.10.05 -
F-Secure 8.0.14332.0 2008.10.05 -
Fortinet 3.113.0.0 2008.10.04 -
GData 19 2008.10.05 -
Ikarus T3.1.1.34.0 2008.10.05 -
K7AntiVirus 7.10.484 2008.10.04 -
Kaspersky 7.0.0.125 2008.10.05 -
McAfee 5398 2008.10.04 -
Microsoft 1.4005 2008.10.05 -
NOD32 3495 2008.10.04 -
Norman 5.80.02 2008.10.03 -
Panda 9.0.0.4 2008.10.05 -
PCTools 4.4.2.0 2008.10.05 -
Prevx1 V2 2008.10.06 -
Rising 20.63.62.00 2008.09.28 -
SecureWeb-Gateway 6.7.6 2008.10.05 -
Sophos 4.34.0 2008.10.05 -
Sunbelt 3.1.1704.1 2008.10.05 -
Symantec 10 2008.10.05 -
TheHacker 6.3.1.0.101 2008.10.04 -
TrendMicro 8.700.0.1004 2008.10.03 -
VBA32 3.12.8.6 2008.10.05 -
ViRobot 2008.10.4.1406 2008.10.04 -
VirusBuster 4.5.11.0 2008.10.05 -
weitere Informationen
File size: 1671 bytes
MD5...: 7bc3098752473c4828ce3b1c22815f91
SHA1..: 7fdfc2773e9526c5caa73a553a8eca9831f93fb2
SHA256: 67018d8f4667869ff9fdefc41876cbf262b756627c71ff0a40fe9ca625a43469
SHA512: 4720bdbf6436896a97249179d5097277785c9594d8b2e603ce3745fdadff3cad
dff458eb00bb97a05078adac2d296988d752bcae812290256d549e2f33792e69
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
C:\WINDOWS\system32\npqsAcdd.ini2


Zitat:
Datei npqsAcdd.ini2 empfangen 2008.10.06 00:02:26 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 0/36 (0%)
Laden der Serverinformationen...
Ihre Datei wartet momentan auf Position: ___.
Geschätzte Startzeit is zwischen ___ und ___ .
Dieses Fenster bis zum Abschluss des Scans nicht schließen.
Der Scanner, welcher momentan Ihre Datei bearbeitet ist momentan gestoppt. Wir warten einige Sekunden um Ihr Ergebnis zu erstellen.
Falls Sie längern als fünf Minuten warten, versenden Sie bitte die Datei erneut.
Ihre Datei wird momentan von VirusTotal überprüft,
Ergebnisse werden sofort nach der Generierung angezeigt.
Filter Filter
Drucken der Ergebnisse Drucken der Ergebnisse
Datei existiert nicht oder dessen Lebensdauer wurde überschritten
Dienst momentan gestoppt. Ihre Datei befindet sich in der Warteschlange (position: ). Diese wird abgearbeitet, wenn der Dienst wieder startet.

SIe können auf einen automatischen reload der homepage warten, oder ihre email in das untere formular eintragen. Klicken Sie auf "Anfragen", damit das System sie benachrichtigt wenn die Überprüfung abgeschlossen ist.
Email:

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.10.3.2 2008.10.03 -
AntiVir 7.8.1.34 2008.10.04 -
Authentium 5.1.0.4 2008.10.05 -
Avast 4.8.1248.0 2008.10.05 -
AVG 8.0.0.161 2008.10.05 -
BitDefender 7.2 2008.10.05 -
CAT-QuickHeal 9.50 2008.10.04 -
ClamAV 0.93.1 2008.10.05 -
DrWeb 4.44.0.09170 2008.10.05 -
eSafe 7.0.17.0 2008.10.05 -
eTrust-Vet 31.6.6129 2008.10.04 -
Ewido 4.0 2008.10.05 -
F-Prot 4.4.4.56 2008.10.05 -
F-Secure 8.0.14332.0 2008.10.05 -
Fortinet 3.113.0.0 2008.10.04 -
GData 19 2008.10.05 -
Ikarus T3.1.1.34.0 2008.10.05 -
K7AntiVirus 7.10.484 2008.10.04 -
Kaspersky 7.0.0.125 2008.10.05 -
McAfee 5398 2008.10.04 -
Microsoft 1.4005 2008.10.05 -
NOD32 3495 2008.10.04 -
Norman 5.80.02 2008.10.03 -
Panda 9.0.0.4 2008.10.05 -
PCTools 4.4.2.0 2008.10.05 -
Prevx1 V2 2008.10.06 -
Rising 20.63.62.00 2008.09.28 -
SecureWeb-Gateway 6.7.6 2008.10.05 -
Sophos 4.34.0 2008.10.05 -
Sunbelt 3.1.1704.1 2008.10.05 -
Symantec 10 2008.10.05 -
TheHacker 6.3.1.0.101 2008.10.04 -
TrendMicro 8.700.0.1004 2008.10.03 -
VBA32 3.12.8.6 2008.10.05 -
ViRobot 2008.10.4.1406 2008.10.04 -
VirusBuster 4.5.11.0 2008.10.05 -
weitere Informationen
File size: 1482 bytes
MD5...: 77d305813d7bf4f90278330bbc58a173
SHA1..: 24d32b6b22fcfb3e7f4b503ca6e68e42a1f277dd
SHA256: 1f4ddff894ff57f7b3c0980a056f1bffbbe92a549a83467172d031a1edcd7c5f
SHA512: b7fe475f7f11e67637a006e8978c6e3cb188a7e1564e027bc0c916000d05dda0
bdc804418564e229110cc275bf1bb3e844e5240876b2dfe514dcf61d19e12d96
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -

Die restlichen Dateien scheinen von einem der vorher benutzen Programme entfernt.

Hier das filelisting script: File-Upload.net - listing.txt


post scriptum: Falls die Virustotalauflistung noch nicht vollständig genug ist, werde ich aus der Seite nicht schlau.

cosinus 06.10.2008 21:00
Anleitung Avenger (by swandog46)

Lade dir das Tool Avenger und speichere es auf dem Desktop:
  • Kopiere nun folgenden Text in das weiße Feld bei -> "input script here"
Code:
C:\WINDOWS\system32\RAyyyccf.ini
C:\WINDOWS\system32\RAyyyccf.ini2
C:\WINDOWS\system32\npqsAcdd.ini
C:\WINDOWS\system32\npqsAcdd.ini2
C:\WINDOWS\system32\drivers\TDSSserv.sys
http://mitglied.lycos.de/efunction/tb/avenger.png
  • Schliesse nun alle Programme und Browser-Fenster
  • Um den Avenger zu starten klicke auf -> Execute
  • Dann bestätigen mit "Yes" das der Rechner neu startet
  • Nachdem das System neu gestartet ist, findest du einen Report vom Avenger unter -> C:\avenger.txt
  • Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.
  • Poste ein neues Hijackthis Logfile, nimm dazu diese umbenannte hijackthis.exe - editiere die Links und privaten Infos!!

Agrajag 20.10.2008 09:59
Gesagt getan.

Der Avenger aber zeigt mir dieses:

Zitat:
Error: Invalid script. A valid script must begin with a comand directive. Abort Execution!

cosinus 20.10.2008 14:47
Ah sry :schmoll:
Hab mich da vertan. Nimm Folgendes als Script:

Code:
files to delete:
C:\WINDOWS\system32\RAyyyccf.ini
C:\WINDOWS\system32\RAyyyccf.ini2
C:\WINDOWS\system32\npqsAcdd.ini
C:\WINDOWS\system32\npqsAcdd.ini2
C:\WINDOWS\system32\drivers\TDSSserv.sys

Agrajag 20.10.2008 23:24
Code:
//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Oct 19 16:45:29 2008

16:45:29: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Oct 19 16:47:42 2008

16:47:42: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Oct 19 16:49:09 2008

16:49:09: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished!  Terminate.



//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Oct 20 10:25:05 2008

10:25:05: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Oct 20 10:27:13 2008

10:27:13: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Oct 20 10:27:52 2008

10:27:52: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Oct 20 11:01:22 2008

11:01:22: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Oct 20 11:03:09 2008

11:03:09: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Oct 20 11:03:12 2008

11:03:12: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\RAyyyccf.ini" deleted successfully.
File "C:\WINDOWS\system32\RAyyyccf.ini2" deleted successfully.
File "C:\WINDOWS\system32\npqsAcdd.ini" deleted successfully.
File "C:\WINDOWS\system32\npqsAcdd.ini2" deleted successfully.

Error:  file "C:\WINDOWS\system32\drivers\TDSSserv.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:25:21, on 21.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\SyncroSoft\Pos\H2O\cledx.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Dokumente und Einstellungen\***\Desktop\qlketzd.com
C:\Dokumente und Einstellungen\***\Desktop\qlketzd.com
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ***://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ***://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = ***://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = ***://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AF8C97B7-52C5-4CFC-9DFC-B8E2E0240D3E} - (no file)
O2 - BHO: (no name) - {BAFDDE8F-BAB5-4076-9A99-0CB612956C71} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [H2O] C:\Programme\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:  dfwcvm.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Druckwarteschlange (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

--
End of file - 5604 bytes

cosinus 21.10.2008 09:27
Code:
O20 - AppInit_DLLs: dfwcvm.dll
Diesen Eintrag mit Hijackthis fixen! Poste bitte nochmal das Logfile von silentrunners (vollständig und übersichtlich).

Agrajag 23.10.2008 00:35
Code:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"H2O" = "C:\Programme\SyncroSoft\Pos\H2O\cledx.exe" ["Team H2O"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                  \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                  \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                  \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                  \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                  \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
                  \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                  \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "Meine freigegebenen Ordner"
                  \InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk /r \??\F:"|"autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                  \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinUHA\(Default) = "{095177B8-8097-4D32-9081-A8949C47020E}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\WinUHA\shelluha.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                  \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinUHA\(Default) = "{095177B8-8097-4D32-9081-A8949C47020E}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\WinUHA\shelluha.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Programme\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
  -> {HKLM...CLSID} = "RealNetworks Scheduler"
                  \LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe  /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe  /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Norton Security Scan" -> launches: "C:\Programme\Norton Security Scan\Nss.exe /scan-full /scheduled" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                  \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]
Bonjour-Dienst, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Inc."]
Lavasoft Ad-Aware Service, aawservice, "C:\Programme\Lavasoft\Ad-Aware\aawservice.exe" ["Lavasoft"]
Messenger USN Journal Reader-Service für freigegebene Ordner, usnjsvc, ""C:\Programme\Windows Live\Messenger\usnsvc.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
SUGS2 Langmon\Driver = "SUGS2LMK.DLL" ["Samsung Electronics."]


---------- (launch time: 2008-10-23 01:37:07)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 62 seconds.
---------- (total run time: 131 seconds)


Alle Zeitangaben in WEZ +1. Es ist jetzt 01:52 Uhr.
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131