Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)

- Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)

- - Tdss (https://www.trojaner-board.de/63394-tdss.html)

Hallo Trojaner-Board,

vorgestern fing ich mir einiges, die Scans ergaben dann FakeAler, brast, karna und TDSServ, der mittlerweile was Suchresultate angeht übrig geblieben ist. Gestern ging ich mal ran und habe mich an dieses Vorgehen gehalten, etwa bis Beitrag 6. TDSSmhxt.sys ließ sich in einem Livevirus löschen, aber das ist nur ein Tropfen...
Dann heute noch einen >300 Minuten langen Dr. Web CureIt scan (gemäß Anleitung), von dem ich nun ein 30MB log habe, der fand einiges. Malwarebytes findet nichts mehr. HJT sieht zur Zeit so aus.

Code:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:34:30, on 01.11.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20900)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\DrWeb\spidernt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\DrWeb\spiderml.exe

C:\Program Files\DrWeb\DRWEBSCD.EXE

C:\PROGRA~1\DrWeb\spiderui.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\OpenOffice.org 2.2\program\soffice.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe"

O4 - HKLM\..\Run: [DrWebScheduler] "C:\Program Files\DrWeb\DRWEBSCD.EXE"

O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spiderui.exe /agent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe

O4 - Startup: Wuala.lnk = C:\Program Files\Caleido\Wuala\Wuala.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\spidernt.exe
 

--

End of file - 5365 bytes

Hallo und :hallo:

Zitat:

die Scans ergaben dann FakeAler, brast, karna und TDSServ

Bei karna und tdsserv solltest Du überlegen, ob Du nicht doch besser neu aufsetzt, das ist bei Rootkits/Backdoors immer die bessere Wahl. Allerdings sieht Dein Hijackthis Logfile sauber aus.

Wenn Du das einfach nicht willst :rolleyes: bitte ich Dich dann mal RSIT und Combofix auszuführen.

RSIT:

Lade Random's System Information Tool (RSIT) herunter und speichere es auf Deinem Desktop.
Starte mit Doppelklick die RSIT.exe.
Klicke auf Continue, um die Nutzungsbedingungen zu akzeptieren.
Wenn Du HiJackThis nicht installiert hast, wird RSIT das für Dich herunterladen und installieren.
In dem Fall bitte auch die Nutzungsbedingungen von Trend Micro (http://de.trendmicro.com/de/home) für HJT akzeptieren "I accept".
Wenn Deine Firewall fragt, bitte RSIT erlauben, ins Netz zu gehen.
Der Scan startet automatisch, RSIT checkt nun einige wichtige System-Bereiche und produziert Logfiles als Analyse-Grundlage.
Wenn der Scan beendet ist, werden zwei Logfiles erstellt und in Deinem Editor geöffnet.
Bitte poste den Inhalt von C:\rsit\log.txt und C:\rsit\info.txt (<= minimiert) hier in den Thread, wieder mit Codetags umschlossen.

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir das Tool hier herunter auf den Desktop -> KLICK

Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:

Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

Poste alle Logfiles bitte mit Codetags umschlossen (#-Button) also so:

HTML-Code:

[code] Hier das Logfile rein! [/code]

GMER meldet beim Starten nicht mehr die versteckten Prozesse in roter Schrift. Unter Rootkit/Malware zweimal ssdt.sys, zwei mal Device (irgend ein 32 Bit Wert), dreimal Attached Device (Werte: zweimal Spidersys (SPiderGUard) und fitmgr.sys).
ComboFix verrichtet entweder keine Arbeit, meldet im Prompt Access Denied oder, bestimmte Dateien könnten nicht kreiert werden. Die RSIT Logs:

RSIT info.txt.

Code:

info.txt logfile of random's system information tool 1.04 2008-11-04 17:48:31
 

======Uninstall list======
 

[qip] 8020 Jeak Edition-->C:\Program Files\QIP\uninstall.exe

-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL

-->C:\WINDOWS\UNRecode.exe /UNINSTALL

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}

Adobe Photoshop Elements 6.0-->msiexec /I {F54AC413-D2C6-4A24-B324-370C223C6250}

Adobe Reader 8.1.2 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A81200000003}

AMIP (remove only)-->"C:\Program Files\Winamp\Plugins\amip_uninstall.exe"

Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE

Avira RootKit Detection-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FD25FCD-6F39-4686-AFBB-7056EBAE5E68}\setup.exe" -l0x9 

Call of Duty-->C:\PROGRA~1\CALLOF~1\Uninstall\Unwise.exe /u C:\PROGRA~1\CALLOF~1\Uninstall\Install.log

CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"

CloneCD-->"C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"

Counter-Strike 1.6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13B792AA-C078-43A4-8A3A-8B12D629940D}\Setup.exe" -l0x19 

DF CrcSfv 1.3-->"C:\Program Files\DF CrcSfv\unins000.exe"

Dr.Web-->"C:\Program Files\InstallShield Installation Information\{BBE2F69C-4338-11D7-8F0C-00A0244F4E2D}\setup.exe" -runfromtemp -l0x0007 -removeonly

EA SPORTS online 2006-->C:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe

Exact Audio Copy 0.95b4-->C:\Program Files\Exact Audio Copy\uninst.exe

FIFA 06-->C:\Program Files\EA SPORTS\FIFA 06\EAUninstall.exe

FinalBurner Free v1.30.0.127-->"C:\Program Files\FinalBurner\Uninstall.exe" "C:\Program Files\FinalBurner\install.log" -u

GameTap-->C:\Program Files\InstallShield Installation Information\{67E158AF-8856-4337-B483-EA21930786AF}\setup.exe -runfromtemp -l0x0009 -removeonly

GetDataBack for FAT-->"C:\Program Files\Runtime Software\GetDataBack\Uninstall.exe" "C:\Program Files\Runtime Software\GetDataBack\install.log" -u

GrabIt 1.7.2 Beta 3 (build 996)-->"C:\Program Files\GrabIt\unins000.exe"

Guitar Pro 5.2-->"C:\Program Files\Guitar Pro 5\unins000.exe"

HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"

Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe

KaLoMa 4.65-->"C:\Program Files\KaLoMa\unins000.exe"

Last.fm 1.5.1.30182-->"C:\Program Files\Last.fm\unins000.exe"

LEd Beta 0.52-->"C:\Program Files\LEd\unins000.exe"

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Matroska Pack - Lazy Man's MKV 0.9.9-->"C:\Program Files\LD-Anime\unins000.exe"

mIRC-->d:\mirc\uninstall.exe _?=d:\mirc

Mozilla Firefox (3.0.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

Mozilla Thunderbird (2.0.0.6)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe

MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP

MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}

MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}

Nero 7 Ultra Edition-->MsiExec.exe /X{CF097717-F174-4144-954A-FBC4BF301031}

neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}

Net Blitz II-->C:\WINDOWS\Uninstall Net Blitz II.exe

News File Grabber 4.5.0.2-->"C:\Program Files\RSBR-Software\News File Grabber\unins000.exe"

NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI

NVIDIA nForce APU1 Utilities-->C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_NVAUtilsNT 132 C:\WINDOWS\INF\NVAUtils.inf

OpenOffice.org 2.2-->MsiExec.exe /I{E7DA9B23-5715-45D8-965E-E76688A2B948}

PokerStars.net-->"C:\Program Files\PokerStars.NET\PokerStarsUninstall.exe" /u:PokerStars.net

QIP 2005 Uninstall-->"C:\Program Files\QIP\unqip.exe"

QuickTime-->MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}

Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"

Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"

Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"

Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"

Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"

Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"

Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"

Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"

Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"

Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"

Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"

Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"

Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"

Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"

Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"

Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"

Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"

Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

Sibelius Scorch Plugin-->"C:\Program Files\Musicnotes\uninstsc.exe"

Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}

The Personal FTP Server 5.52f-->"C:\Program Files\PFTP\unins000.exe"

Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"

Update for Windows XP (KB932823-v3)-->"C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"

Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"

Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"

Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"

Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"

Windows Live Messenger-->MsiExec.exe /I{279DB581-239C-4E13-97F8-0F48E40BE75C}

WinRAR-->C:\Program Files\WinRAR\uninstall.exe

XP Codec Pack-->C:\Program Files\XP Codec Pack\Uninstall.exe

YouSendIt Express-->C:\Program Files\InstallShield Installation Information\{FA362C5C-A5D2-470F-A2CC-F13546919D36}\setup.exe -runfromtemp -l0x0409
 

======Security center information======
 

AV: Doctor Web Anti-Virus

AV: Avira AntiVir PersonalEdition
 

======Environment variables======
 

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=6

"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 6 Stepping 2, AuthenticAMD

"PROCESSOR_REVISION"=0602

"NUMBER_OF_PROCESSORS"=1

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip

"QTJAVA"=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
 

-----------------EOF-----------------

Was ist mit dem anderen RSIT-Log?

Achja...

Code:

Logfile of random's system information tool 1.04 (written by random/random)

Run by *** at 2008-11-04 17:46:39

Microsoft Windows XP Professional Service Pack 2

System drive C: has 3 GB (13%) free of 23 GB

Total RAM: 255 MB (19% free)
 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:48:09, on 04.11.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20900)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\DrWeb\spidernt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\NVATray.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

C:\Program Files\DrWeb\spiderml.exe

C:\Program Files\DrWeb\DRWEBSCD.EXE

C:\PROGRA~1\DrWeb\spiderui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\OpenOffice.org 2.2\program\soffice.exe

C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\michael\Desktop\RSIT.exe

C:\Program Files\Trend Micro\HijackThis\michael.exe
 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe"

O4 - HKLM\..\Run: [DrWebScheduler] "C:\Program Files\DrWeb\DRWEBSCD.EXE"

O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spiderui.exe /agent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\spidernt.exe
 

--

End of file - 5686 bytes
 

======Registry dump======
 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"NVIDIA nForce APU1 Utilities"=C:\WINDOWS\system32\NVATray.exe [2001-11-28 45056]

"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-04-27 282624]

"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-22 7700480]

"nwiz"=nwiz.exe /install []

"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-10-22 86016]

"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-07-17 266497]

"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe [2007-09-10 67488]

"CloneCDTray"=C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2006-09-28 57344]

"SpIDerMail"=C:\Program Files\DrWeb\spiderml.exe [2008-06-10 501080]

"DrWebScheduler"=C:\Program Files\DrWeb\DRWEBSCD.EXE [2008-05-05 283888]

"SpIDerNT"=C:\PROGRA~1\DrWeb\spiderui.exe [2008-10-23 197896]
 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-27 152872]
 

C:\Documents and Settings\michael\Start Menu\Programs\Startup

OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2007-04-15 133632]
 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys]
 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]
 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]
 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys]
 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"NoDispScrSavPage"=0
 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1
 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=145
 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"D:\mIRC\mirc.exe"="D:\mIRC\mirc.exe:*:Enabled:mIRC"

"C:\Program Files\Last.fm\LastFM.exe"="C:\Program Files\Last.fm\LastFM.exe:*:Enabled:LastFM"

"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"

"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"C:\Program Files\PPMate\ppmate.exe"="C:\Program Files\PPMate\ppmate.exe:*:Enabled:PPMate"

"C:\Program Files\PPMate\ppamnet.exe"="C:\Program Files\PPMate\ppamnet.exe:*:Enabled:PPMate"

"C:\Program Files\QIP\qip.exe"="C:\Program Files\QIP\qip.exe:*:Enabled:Quiet Internet Pager"

"C:\Program Files\PFTP\PFtp.exe"="C:\Program Files\PFTP\PFtp.exe:*:Enabled:The Personal FTP Server"

"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

shell\AutoRun\command - F:\SETUP.EXE
 
 

======List of files/folders created in the last 1 months======
 

2008-11-04 17:46:39 ----D---- C:\rsit

2008-10-31 21:45:59 ----AT---- C:\WINDOWS\system32\DRWEBSP.DLL

2008-10-31 21:45:50 ----D---- C:\Program Files\DrWeb

2008-10-31 19:51:49 ----D---- C:\Avenger

2008-10-31 19:51:49 ----A---- C:\avenger.txt

2008-10-31 17:36:52 ----A---- C:\WINDOWS\ntbtlog.txt

2008-10-31 17:31:42 ----D---- C:\WINDOWS\system32\appmgmt

2008-10-31 17:09:53 ----D---- C:\Program Files\CCleaner

2008-10-31 17:04:58 ----D---- C:\Program Files\Avira GmbH

2008-10-31 11:15:39 ----A---- C:\WINDOWS\gmer.ini

2008-10-31 11:15:36 ----A---- C:\WINDOWS\gmer_uninstall.cmd

2008-10-31 11:15:35 ----A---- C:\WINDOWS\gmer.dll

2008-10-31 11:15:34 ----A---- C:\WINDOWS\gmer.exe

2008-10-31 07:57:47 ----A---- C:\WINDOWS\system32\TDSSfxwp.dll

2008-10-31 07:57:44 ----A---- C:\WINDOWS\system32\TDSScfum.dll

2008-10-31 07:57:32 ----A---- C:\WINDOWS\system32\TDSSofxh.dll

2008-10-25 12:27:04 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$

2008-10-19 09:24:03 ----D---- C:\Program Files\GameTap

2008-10-19 09:24:03 ----D---- C:\Documents and Settings\All Users\Application Data\GameTap

2008-10-19 09:23:16 ----D---- C:\Documents and Settings\michael\Application Data\InstallShield

2008-10-17 09:50:20 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$

2008-10-16 16:36:14 ----D---- C:\Documents and Settings\michael\Application Data\skypePM

2008-10-16 16:33:47 ----D---- C:\Program Files\Common Files\Skype

2008-10-16 11:44:15 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$

2008-10-16 11:44:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$

2008-10-16 11:43:52 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$

2008-10-16 11:34:43 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$

2008-10-07 08:38:15 ----D---- C:\WINDOWS\system32\CatRoot_bak
 

======List of files/folders modified in the last 1 months======
 

2008-11-04 17:37:56 ----D---- C:\Program Files\Mozilla Firefox

2008-11-04 17:36:56 ----D---- C:\WINDOWS\Temp

2008-11-04 17:25:24 ----D---- C:\WINDOWS\system32\CatRoot2

2008-11-04 17:20:45 ----D---- C:\Documents and Settings\michael\Application Data\OpenOffice.org2

2008-11-04 07:38:24 ----A---- C:\WINDOWS\SchedLgU.Txt

2008-11-03 23:56:23 ----D---- C:\WINDOWS\Prefetch

2008-11-03 23:55:31 ----D---- C:\WINDOWS

2008-11-03 09:00:40 ----D---- C:\WINDOWS\Minidump

2008-11-01 12:55:59 ----D---- C:\WINDOWS\system32

2008-11-01 11:29:56 ----D---- C:\Program Files\DAEMON Tools

2008-10-31 21:45:50 ----RD---- C:\Program Files

2008-10-31 21:45:50 ----HD---- C:\Program Files\InstallShield Installation Information

2008-10-31 20:00:38 ----D---- C:\WINDOWS\system32\drivers

2008-10-31 18:49:01 ----D---- C:\Documents and Settings

2008-10-31 17:36:44 ----D---- C:\Config.Msi

2008-10-31 17:28:02 ----SHD---- C:\WINDOWS\Installer

2008-10-31 17:15:52 ----D---- C:\WINDOWS\Debug

2008-10-31 09:55:10 ----RSHDC---- C:\WINDOWS\system32\dllcache

2008-10-30 23:28:41 ----D---- C:\Documents and Settings\michael\Application Data\uTorrent

2008-10-26 08:17:49 ----D---- C:\Program Files\aEton CommunicaEor

2008-10-26 08:15:51 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2008-10-25 12:28:22 ----HD---- C:\WINDOWS\inf

2008-10-25 12:25:49 ----HD---- C:\WINDOWS\$hf_mig$

2008-10-20 14:29:43 ----D---- C:\Documents and Settings\michael\Application Data\Mozilla

2008-10-16 18:08:21 ----D---- C:\Documents and Settings\michael\Application Data\Skype

2008-10-16 16:34:08 ----D---- C:\Program Files\Skype

2008-10-16 16:33:47 ----D---- C:\Program Files\Common Files

2008-10-16 11:42:40 ----D---- C:\Program Files\Internet Explorer

2008-10-16 11:41:45 ----D---- C:\WINDOWS\ie7updates

2008-10-15 17:53:28 ----A---- C:\WINDOWS\system32\netapi32.dll

2008-10-07 09:50:35 ----D---- C:\WINDOWS\system32\CatRoot
 

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
 

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2007-04-15 37376]

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []

R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-07-17 75072]

R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2007-08-07 25160]

R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2008-04-19 21248]

R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [1999-09-10 25244]

R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2004-08-03 88448]

R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2001-08-23 63232]

R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2001-08-23 55936]

R2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2007-04-15 62336]

R2 SPIDER;SpIDer Guard File System Monitor; \??\C:\PROGRA~1\DrWeb\spider.sys []

R2 STEC3;STEC3; \??\C:\WINDOWS\system32\STEC3.sys []

R2 X4HSX32;X4HSX32; \??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys []

R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2007-04-15 60800]

R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []

R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2007-02-16 34760]

R3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-10-31 85969]

R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2007-04-15 61824]

R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-22 3994624]

R3 nvax;Service for NVIDIA® nForce(TM) Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2001-11-28 13056]

R3 nvnforce;Service for NVIDIA® nForce(TM) Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2001-11-28 162304]

R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]

R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2007-04-15 59264]

R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2007-04-15 17152]

R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]

R3 W8100PCI;ASUS 802.11b/g Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\mrv8k51.sys [2003-12-24 256512]

S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]

S3 ASNDIS5;ASNDIS5 Protocol Driver; \??\C:\WINDOWS\system32\ASNDIS5.SYS []

S3 azwocbxo;azwocbxo; C:\WINDOWS\system32\drivers\azwocbxo.sys []

S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-23 9600]

S3 mbr;mbr; \??\C:\DOCUME~1\michael\LOCALS~1\Temp\mbr.sys []

S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]

S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2007-04-15 77568]

S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2007-04-15 82944]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-03 73472]
 

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
 

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6; C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]

R2 AntiVirScheduler;AntiVir PersonalEdition Classic Planer; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-07-17 68865]

R2 AntiVirService;AntiVir PersonalEdition Classic Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-08-15 149761]

R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-22 159810]

R2 SPIDERNT;SpIDer Guard for Windows; C:\PROGRA~1\DrWeb\spidernt.exe [2008-10-23 197896]

R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]

S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-07-14 654848]

S3 usnjsvc;Messenger USN Journal Reader-Service für freigegebene Ordner; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
 

-----------------EOF-----------------

Hallo,

Entscheide Dich entweder für DrWeb oder AntiVir, aber zwei Virenscanner mit Wächter solltest Du nicht installiert haben.

Stell sicher, daß Dir auch alle Dateien angezeigt werden, danach folgende Dateien bei Virustotal.com auswerten lassen und alle Ergebnisse posten, und zwar so, daß man die der einzelnen Virenscanner sehen kann. Bitte mit Dateigrößen und Prüfsummen:

Code:

C:\WINDOWS\system32\TDSSfxwp.dll

C:\WINDOWS\system32\TDSScfum.dll

C:\WINDOWS\system32\TDSSofxh.dll

C:\WINDOWS\system32\drivers\azwocbxo.sys

C:\WINDOWS\system32\STEC3.sys

Danach:

Anleitung Avenger (by swandog46)

Lade dir das Tool Avenger und speichere es auf dem Desktop:

Doppelklick auf das Avenger-Symbol http://saved.im/mzi3ntr4adf5/trert.jpg

Kopiere nun folgenden Text in das weiße Feld bei -> "input script here"

Code:

files to delete:

C:\WINDOWS\system32\TDSSfxwp.dll

C:\WINDOWS\system32\TDSScfum.dll

C:\WINDOWS\system32\TDSSofxh.dll

C:\WINDOWS\system32\drivers\azwocbxo.sys

C:\WINDOWS\system32\STEC3.sys
 

drivers to delete:

STEC3

azwocbxo
 

registry keys to delete:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys

http://mitglied.lycos.de/efunction/tb/avenger.png

Schliesse nun alle Programme und Browser-Fenster

Um den Avenger zu starten klicke auf -> Execute
Dann bestätigen mit "Yes" das der Rechner neu startet

Nachdem das System neu gestartet ist, findest du einen Report vom Avenger unter -> C:\avenger.txt

Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.
Poste ein neues Hijackthis Logfile, nimm dazu diese umbenannte hijackthis.exe - editiere die Links und privaten Infos!!

Den Dr.Web hatte ich mir noch extra zugelegt, stand in der Maßnahmenkette sogar recht weit hinten. Dann trenne ich mich mal von einem...

C:\WINDOWS\system32\TDSSfxwp.dll

Code:

File size: 2444 bytes

MD5...: 6a120b0566d05879f006c9cd3b57dc5c

SHA1..: 15598f3e49357c96112a0743100e7de7b3d82334

SHA256: 0ab70f3756b07acea7471cf9142600059db11050b7fa722d9b69ff2f7ae34445

SHA512: ca26d452964de3bb4c0df408f2d675b54460614ec7548bacf83d43ec3ae71840

98b5e8cfc324025b89df2312c1a0ab5b8e95ca510ffa78796872734578973106
 
 

Antivirus          Version          letzte aktualisierung          Ergebnis

AhnLab-V3        2008.11.5.3        2008.11.06        -

AntiVir        7.9.0.26        2008.11.06        -

Authentium        5.1.0.4        2008.11.06        -

Avast        4.8.1248.0        2008.11.06        -

AVG        8.0.0.161        2008.11.06        -

BitDefender        7.2        2008.11.06        -

CAT-QuickHeal        9.50        2008.11.04        -

ClamAV        0.94.1        2008.11.06        -

DrWeb        4.44.0.09170        2008.11.06        -

eSafe        7.0.17.0        2008.11.06        -

eTrust-Vet        31.6.6195        2008.11.06        -

Ewido        4.0        2008.11.06        -

F-Prot        4.4.4.56        2008.11.06        -

F-Secure        8.0.14332.0        2008.11.06        Vundo.DZC

Fortinet        3.117.0.0        2008.11.06        -

GData        19        2008.11.06        -

Ikarus        T3.1.1.45.0        2008.11.06        -

K7AntiVirus        7.10.518        2008.11.06        -

Kaspersky        7.0.0.125        2008.11.06        -

McAfee        5425        2008.11.05        -

Microsoft        1.4005        2008.11.06        -

NOD32        3591        2008.11.06        -

Norman        5.80.02        2008.11.06        Vundo.DZC

Panda        9.0.0.4        2008.11.05        -

PCTools        4.4.2.0        2008.11.06        -

Prevx1        V2        2008.11.06        -

Rising        21.02.32.00        2008.11.06        -

SecureWeb-Gateway        6.7.6        2008.11.06        -

Sophos        4.35.0        2008.11.06        -

Sunbelt        3.1.1783.2        2008.11.05        -

Symantec        10        2008.11.06        -

TheHacker        6.3.1.1.141        2008.11.05        -

TrendMicro        8.700.0.1004        2008.11.06        -

VBA32        3.12.8.9        2008.11.05        -

ViRobot        2008.11.6.1455        2008.11.06        -

VirusBuster        4.5.11.0        2008.11.06        -

C:\WINDOWS\system32\TDSScfum.dll
Guard meldetete die Datei, ignorieren war nicht möglich, ich wählte "desinfizieren", nach Neustart ist die Datei scheinbar nicht mehr vorhanden.

C:\WINDOWS\system32\TDSSofxh.dll

Code:

File size: 26624 bytes

MD5...: 83f257ff1cadb6bd8a24d9921ced0bed

SHA1..: 3b66fb3cc981ee95e30a0a9049d3ff2ea74d756b

SHA256: 47354d57f63c7b8420d5b42a466078b7c19794e0d32e778d419b4d0ee777d317

SHA512: bfbec420e51270dc0b8e0e991ea71ccc2b317dfdfbf6fa38cf43897e0d0bfb0f

a79e0a6e6ce880bcf6e67fbce58ca82b29b07a03747e265b2b8f9fb7edc89419
 
 

AhnLab-V3        2008.11.5.3        2008.11.06        -

AntiVir        7.9.0.26        2008.11.06        TR/Agent.gbt.26624

Authentium        5.1.0.4        2008.11.06        W32/Trojan3.GW

Avast        4.8.1248.0        2008.11.06        -

AVG        8.0.0.161        2008.11.06        -

BitDefender        7.2        2008.11.06        Trojan.FakeAlert.AKV

CAT-QuickHeal        9.50        2008.11.04        -

ClamAV        0.94.1        2008.11.06        -

DrWeb        4.44.0.09170        2008.11.06        BackDoor.Tdss.27

eSafe        7.0.17.0        2008.11.06        Suspicious File

eTrust-Vet        31.6.6195        2008.11.06        -

Ewido        4.0        2008.11.06        -

F-Prot        4.4.4.56        2008.11.06        W32/Trojan3.GW

F-Secure        8.0.14332.0        2008.11.06        -

Fortinet        3.117.0.0        2008.11.06        -

GData        19        2008.11.06        Trojan.FakeAlert.AKV

Ikarus        T3.1.1.45.0        2008.11.06        Trojan-Downloader.Win32.Renos.AQ

K7AntiVirus        7.10.518        2008.11.06        -

Kaspersky        7.0.0.125        2008.11.06        -

McAfee        5426        2008.11.06        Generic.dx

Microsoft        1.4005        2008.11.06        Trojan:Win32/Sudiet.B

NOD32        3592        2008.11.06        -

Norman        5.80.02        2008.11.06        -

Panda        9.0.0.4        2008.11.06        Bck/Tdss.C

PCTools        4.4.2.0        2008.11.06        -

Prevx1        V2        2008.11.06        Cloaked Malware

Rising        21.02.32.00        2008.11.06        -

SecureWeb-Gateway        6.7.6        2008.11.06        Trojan.Agent.gbt.26624

Sophos        4.35.0        2008.11.06        Troj/Tdss-A

Sunbelt        3.1.1783.2        2008.11.05        Trojan.TDSServ

Symantec        10        2008.11.06        -

TheHacker        6.3.1.1.142        2008.11.06        -

TrendMicro        8.700.0.1004        2008.11.06        -

VBA32        3.12.8.9        2008.11.06        -

ViRobot        2008.11.6.1455        2008.11.06        -

VirusBuster        4.5.11.0        2008.11.06        -

C:\WINDOWS\system32\drivers\azwocbxo.sys
Existiert nicht

C:\WINDOWS\system32\STEC3.sys

Code:

File size: 2368 bytes

MD5...: e4ebf293d1f612bda19b646c36715b20

SHA1..: a867e2c752f5cecb279ce5a90b54de9a7b494e6a

SHA256: 39ebd72bf112098032784d4fd84915e936e7594ab25794af5f37fa5b0b6309bc

SHA512: 22ef38256fe206ce3c6467a2905be79deb0ddb250eb7b5752817cc537b3031d1

e739f370983c8b3bf32d3e9783cdcb19de3abfc7a372d8841fc8829bacef5c27
 
 

AhnLab-V3         2008.11.5.3         2008.11.06         -

AntiVir         7.9.0.26         2008.11.06         -

Authentium         5.1.0.4         2008.11.06         -

Avast         4.8.1248.0         2008.11.06         -

AVG         8.0.0.161         2008.11.06         -

BitDefender         7.2         2008.11.06         -

CAT-QuickHeal         9.50         2008.11.04         -

ClamAV         0.94.1         2008.11.06         -

DrWeb         4.44.0.09170         2008.11.06         -

eSafe         7.0.17.0         2008.11.06         -

eTrust-Vet         31.6.6195         2008.11.06         -

Ewido         4.0         2008.11.06         -

F-Prot         4.4.4.56         2008.11.06         -

F-Secure         8.0.14332.0         2008.11.06         -

Fortinet         3.117.0.0         2008.11.06         -

GData         19         2008.11.06         -

Ikarus         T3.1.1.45.0         2008.11.06         -

K7AntiVirus         7.10.518         2008.11.06         -

Kaspersky         7.0.0.125         2008.11.06         -

McAfee         5426         2008.11.06         -

Microsoft         1.4005         2008.11.06         -

NOD32         3592         2008.11.06         -

Norman         5.80.02         2008.11.06         -

Panda         9.0.0.4         2008.11.06         -

PCTools         4.4.2.0         2008.11.06         -

Prevx1         V2         2008.11.06         -

Rising         21.02.32.00         2008.11.06         -

SecureWeb-Gateway         6.7.6         2008.11.06         -

Sophos         4.35.0         2008.11.06         -

Sunbelt         3.1.1783.2         2008.11.05         -

Symantec         10         2008.11.06         -

TheHacker         6.3.1.1.142         2008.11.06         -

TrendMicro         8.700.0.1004         2008.11.06         -

VBA32         3.12.8.9         2008.11.06         -

ViRobot         2008.11.6.1455         2008.11.06         -

VirusBuster         4.5.11.0         2008.11.06         -

Machst Du das noch mit dem Avenger?

avenger.txt

Code:

Logfile of The Avenger Version 2.0, (c) by Swandog46

http://swandog46.geekstogo.com
 

Platform:  Windows XP
 

*******************
 

Script file opened successfully.

Script file read successfully.
 

Backups directory opened successfully at C:\Avenger
 

*******************
 

Beginning to process script file:
 

Rootkit scan active.

No rootkits found!
 

File "C:\WINDOWS\system32\TDSSfxwp.dll" deleted successfully.
 

Error:  file "C:\WINDOWS\system32\TDSScfum.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSScfum.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

  --> the object does not exist
 

File "C:\WINDOWS\system32\TDSSofxh.dll" deleted successfully.
 

Error:  file "C:\WINDOWS\system32\drivers\azwocbxo.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\azwocbxo.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

  --> the object does not exist
 

File "C:\WINDOWS\system32\STEC3.sys" deleted successfully.

Driver "STEC3" deleted successfully.
 

Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\azwocbxo" not found!

Deletion of driver "azwocbxo" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

  --> the object does not exist
 

Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" deleted successfully.

Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm" deleted successfully.

Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys" deleted successfully.

Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" deleted successfully.
 

Completed script processing.
 

*******************
 

Finished!  Terminate.

hijackthis.log

Code:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:38, on 2008-11-07

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20900)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NVATray.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\DrWeb\spiderml.exe

C:\Program Files\DrWeb\DRWEBSCD.EXE

C:\PROGRA~1\DrWeb\spidernt.exe

C:\PROGRA~1\DrWeb\spiderui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\OpenOffice.org 2.2\program\soffice.exe

C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\***\Desktop\qlketzd.com
 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [SpIDerMail] "C:\Program Files\DrWeb\spiderml.exe"

O4 - HKLM\..\Run: [DrWebScheduler] "C:\Program Files\DrWeb\DRWEBSCD.EXE"

O4 - HKLM\..\Run: [SpIDerNT] C:\PROGRA~1\DrWeb\spiderui.exe /agent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe

O4 - Startup: Wuala.lnk = C:\Program Files\Caleido\Wuala\Wuala.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\spidernt.exe
 

--

End of file - 5633 bytes

Okay. Probier mal, ob Combofix nun starten will.

Das ging, der Scan ergab:

Code:

ComboFix 08-11-03.06 - *** 2008-11-08 14:23:45.1 - NTFSx86

Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.46 [GMT 1:00]

Running from: c:\documents and settings\***\Desktop\ComboFix.exe

 * Created a new restore point
 
 WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.
 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

c:\windows\system32\TDSSosvd.dat

c:\windows\system32\TDSStkdv.log
 

.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

-------\Legacy_SYSREST.SYS

-------\Legacy_TDSSSERV

-------\Legacy_TDSSSERV.SYS
 
 

(((((((((((((((((((((((((   Files Created from 2008-10-08 to 2008-11-08  )))))))))))))))))))))))))))))))

.
 

2008-11-04 17:46 . 2008-11-04 17:48        <DIR>        d--------        C:\rsit

2008-10-31 21:48 . 2008-11-01 10:40        <DIR>        d--------        c:\documents and settings\***\DoctorWeb

2008-10-31 21:45 . 2008-11-08 13:46        <DIR>        d--------        c:\program files\DrWeb

2008-10-31 21:45 . 2008-10-31 21:45        77,824        --a----t-        c:\windows\system32\DRWEBSP.DLL

2008-10-31 18:49 . 2008-10-31 18:49        <DIR>        d--------        c:\documents and settings\Administrator

2008-10-31 17:09 . 2008-10-31 17:09        <DIR>        d--------        c:\program files\CCleaner

2008-10-31 17:04 . 2008-10-31 17:04        <DIR>        d--------        c:\program files\Avira GmbH

2008-10-31 11:15 . 2008-11-05 16:50        250        --a------        c:\windows\gmer.ini

2008-10-19 09:24 . 2008-10-19 09:24        <DIR>        d--------        c:\program files\GameTap

2008-10-19 09:24 . 2008-10-19 10:03        <DIR>        d--------        c:\documents and settings\All Users\Application Data\GameTap

2008-10-19 09:23 . 2008-10-19 09:23        <DIR>        d--------        c:\documents and settings\***\Application Data\InstallShield

2008-10-16 16:36 . 2008-10-16 16:36        <DIR>        d--------        c:\documents and settings\***\Application Data\skypePM

2008-10-16 16:36 . 2008-10-16 16:36        56        --ah-----        c:\windows\system32\ezsidmv.dat

2008-10-16 16:33 . 2008-10-16 16:33        <DIR>        d--------        c:\program files\Common Files\Skype

2008-10-15 16:55 . 2008-08-14 10:57        2,185,984        -----c---        c:\windows\system32\dllcache\ntoskrnl.exe

2008-10-15 16:55 . 2008-08-14 10:55        2,142,720        -----c---        c:\windows\system32\dllcache\ntkrnlmp.exe

2008-10-15 16:55 . 2008-08-14 10:18        2,020,864        -----c---        c:\windows\system32\dllcache\ntkrpamp.exe

2008-10-15 16:54 . 2008-08-14 10:18        2,062,976        -----c---        c:\windows\system32\dllcache\ntkrnlpa.exe
 

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-08 13:42        ---------        d-----w        c:\documents and settings\***\Application Data\OpenOffice.org2

2008-11-01 10:29        ---------        d-----w        c:\program files\DAEMON Tools

2008-10-31 20:45        ---------        d--h--w        c:\program files\InstallShield Installation Information

2008-10-26 07:17        ---------        d-----w        c:\program files\aEton CommunicaEor

2008-10-16 17:08        ---------        d-----w        c:\documents and settings\***\Application Data\Skype

2008-10-16 15:34        ---------        d-----w        c:\program files\Skype

2008-09-30 18:28        ---------        d-----w        c:\program files\GrabIt

2008-09-19 09:08        ---------        d-----w        c:\program files\Trend Micro

2008-09-18 15:37        ---------        d-----w        c:\program files\Malwarebytes' Anti-Malware

2008-09-18 15:37        ---------        d-----w        c:\documents and settings\***\Application Data\Malwarebytes

2008-09-18 15:37        ---------        d-----w        c:\documents and settings\All Users\Application Data\Malwarebytes

2008-09-15 12:17        1,846,912        ----a-w        c:\windows\system32\win32k.sys

2008-08-26 09:08        827,904        ----a-w        c:\windows\system32\wininet.dll

2008-08-14 09:57        2,185,984        ----a-w        c:\windows\system32\ntoskrnl.exe

2008-08-14 09:18        2,062,976        ----a-w        c:\windows\system32\ntkrnlpa.exe

.
 

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-10 67488]

"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]

"SpIDerMail"="c:\program files\DrWeb\spiderml.exe" [2008-06-10 501080]

"DrWebScheduler"="c:\program files\DrWeb\DRWEBSCD.EXE" [2008-05-05 283888]

"SpIDerNT"="c:\progra~1\DrWeb\spiderui.exe" [2008-10-23 197896]

"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2001-11-28 c:\windows\system32\NVATray.exe]

"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
 

c:\documents and settings\***\Start Menu\Programs\Startup\

OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]

Wuala.lnk - c:\program files\Caleido\Wuala\Wuala.exe [2008-06-13 153600]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= ffdshow.ax
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\mIRC\\mirc.exe"=

"c:\\Program Files\\Last.fm\\LastFM.exe"=

"c:\\Program Files\\Valve\\hl.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\QIP\\qip.exe"=

"c:\\Program Files\\PFTP\\PFtp.exe"=

"c:\\Program Files\\Caleido\\Wuala\\Wuala.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
 

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]

R2 SPIDER;SpIDer Guard File System Monitor;c:\progra~1\DrWeb\spider.sys [2008-10-23 268040]

R2 SPIDERNT;SpIDer Guard for Windows;c:\progra~1\DrWeb\spidernt.exe [2008-10-23 197896]

R3 W8100PCI;ASUS 802.11b/g Driver for Windows XP;c:\windows\system32\DRIVERS\mrv8k51.sys [2003-12-24 256512]

S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.SYS [2002-09-09 16269]
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\SETUP.EXE

.

- - - - ORPHANS REMOVED - - - -
 

HKU-Default-Run-brastk - c:\windows\system32\brastk.exe
 
 

.

------- Supplementary Scan -------

.

FireFox -: Profile - c:\documents and settings\***\Application Data\Mozilla\Firefox\Profiles\e1k5rf8g.default\

FF -: plugin - c:\program files\GameTap\bin\Release\npgametaptool.dll

.
 

**************************************************************************
 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-08 14:36:24

Windows 5.1.2600 Service Pack 2 NTFS
 

scanning hidden processes ... 
 

scanning hidden autostart entries ...
 

scanning hidden files ... 
 

scan completed successfully

hidden files: 0
 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wscntfy.exe

c:\program files\OpenOffice.org 2.2\program\soffice.exe

c:\program files\OpenOffice.org 2.2\program\soffice.bin

c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe

.

**************************************************************************

.

Completion time: 2008-11-08 14:51:32 - machine was rebooted [***]

ComboFix-quarantined-files.txt  2008-11-08 13:51:15
 

Pre-Run: 3,466,813,440 bytes free

Post-Run: 3,414,876,160 bytes free
 

148        --- E O F ---        2008-10-25 11:29:33

Das sieht eigentlich wieder okay aus. Mach nochmal bitte einen Durchlauf mit MalwareBytes.

ich habe tdss gerade erfolgreich von meinem computer gekickt. nachdem ich alle möglichen tools erfolglos ausprobiert hatte, die viren/trojanerjäger haben da keine chance, die melden zwar erfolg, haben aber keine chance!

folgende vorgehensweise war erfolgreich:

mit hilfe der wiederherstellungskonsole alle dateien "SKYNET*.*" einzeln aus den verzeichnissen WINDOWS\system32 und WINDOWS\system32\drivers löschen, nur so lässt sich das ding entfernen!

alle kopien von protect.dll und autochk.dll aus dem dateisystem löschen, die liegen versteckt in sämtlichen profilfpfaden (WINDOWS\system32\config\systemprofile nicht vergessen!) und in WINDOWS\system32
in sämtlichen autostart-ordnern lag noch eine versteckte .lnk -löschen
Wininit.ini enthielt bei mir den eintrag:
[rename]
c:\tempjunk8719.tmp=C:\WINDOWSN\system32\drivers\SKYNETjiuhyiqg.sys_old
nul=c:\tempjunk7555.tmp
c:\tempjunk910.tmp=C:\WINDOWSN\system32\drivers\SKYNETjiuhyiqg.sys
c:\tempjunk103.tmp=C:\WINDOWSN\system32\SKYNETdkmpqqai.dll_old
c:\tempjunk9948.tmp=C:\WINDOWSN\system32\SKYNETdkmpqqai.dll
c:\tempjunk9192.tmp=C:\WINDOWSN\system32\SKYNETwuynilwd.dll_old
c:\tempjunk2148.tmp=C:\WINDOWSN\system32\SKYNETwuynilwd.dll
c:\tempjunk7669.tmp=C:\WINDOWSN\system32\SKYNETeeqtlpab.dat_old
c:\tempjunk2214.tmp=C:\WINDOWSN\system32\SKYNETeeqtlpab.dat
c:\tempjunk1993.tmp=C:\WINDOWSN\system32\SKYNETtetyxvkd.dat_old
c:\tempjunk7555.tmp=C:\WINDOWSN\system32\SKYNETtetyxvkd.dat
leeren!

->SKYNETjiuhyiqg.sys<- DAS IST DER ÜBELTÄTER!!!

in den Lokale Einstellungen fand ich noch diverse versteckte verzeichnisse mit Flash-Playern, die als hiwis für den wurm arbeiteten, darüber hinaus noch ein haufen temp und cache-dateien

die arbeit war mühselig, aber lohnenswert, ich hab dem ding in den hintern getreten und meine mühle ist jetzt sauber wie ein frischgewickelter babypopo

:party: