Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   SVCHOST.EXE funktioniert nicht mehr? (https://www.trojaner-board.de/71066-svchost-exe-funktioniert-mehr.html)

crip1 15.03.2009 19:53
SVCHOST.EXE funktioniert nicht mehr?
 
bei jedem systemstart nach der anmeldung wird mein bildschirm schwarz und dann tauch da eine meldung auf : SVCHOST.EXE funktioniert nicht mehr. deswegen muss ich explorer.exe immer von meinem taskmanager aus anmachen hier sind meine logfiles(1 von HJT und 1 von ComboFix)

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:02:39, on 14.03.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Ahmet\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Lexmark 2600 Series\lxdnMsdMon.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) -  - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
F2 - REG:system.ini: Shell=explorer.exe C:\Users\Ahmet\AppData\Roaming\scvhost.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [recinfo914] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxdnmon.exe] "C:\Program Files\Lexmark 2600 Series\lxdnmon.exe"
O4 - HKLM\..\Run: [lxdnamon] "C:\Program Files\Lexmark 2600 Series\lxdnamon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [bpk] C:\Windows\system32\bpk.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Ahmet\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://static.pe.schuelervz.net/photouploader/ImageUploader5.cab?nocache=1222018766
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/TR-TR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdnserv.exe
O23 - Service: lxdn_device -  - C:\Windows\system32\lxdncoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe

--
End of file - 10400 bytes

crip1 15.03.2009 19:57
und von combofix:
Code:
ComboFix 09-03-14.01 - ... 2009-03-15 18:49:06.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium  6.0.6001.1.1252.1.1031.18.2047.1267 [GMT 1:00]
ausgeführt von:: c:\users\...\Desktop\ComboFix.exe
 * Neuer Wiederherstellungspunkt wurde erstellt
.

((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\28463
c:\windows\system32\28463\MMNP.009
c:\windows\system32\inst.dat
c:\windows\system32\pk.bin

.
(((((((((((((((((((((((  Dateien erstellt von 2009-02-15 bis 2009-03-15  ))))))))))))))))))))))))))))))
.

2009-03-15 14:53 . 2009-03-15 15:15        3,693        --a------        c:\users\...\AppData\Roaming\ntdetect.sys
2009-03-15 13:37 . 2009-03-15 13:37        <DIR>        d--------        c:\users\All Users\NOS
2009-03-15 13:37 . 2009-03-15 13:37        <DIR>        d--------        c:\programdata\NOS
2009-03-15 13:37 . 2009-03-15 13:37        <DIR>        d--------        c:\program files\NOS
2009-03-14 23:21 . 2009-03-14 23:21        <DIR>        d--------        c:\users\All Users\Avira
2009-03-14 23:21 . 2009-03-14 23:21        <DIR>        d--------        c:\programdata\Avira
2009-03-14 23:21 . 2009-03-14 23:21        <DIR>        d--------        c:\program files\Avira
2009-03-14 23:02 . 2009-03-14 23:02        <DIR>        d--------        c:\program files\Trend Micro
2009-03-14 19:11 . 2009-03-14 19:11        <DIR>        d--------        c:\users\...\AppData\Roaming\FOG Downloader
2009-03-14 19:04 . 2009-03-14 19:20        <DIR>        d--------        c:\windows\System32\dt
2009-03-14 18:57 . 2009-03-14 19:13        3,182        --a------        c:\windows\System32\bpk.dat
2009-03-12 18:18 . 2009-03-12 18:57        75        --a------        c:\windows\System32\AttackSettings.ini
2009-03-12 18:04 . 2009-02-20 16:33        216,064        --a------        c:\windows\System32\HD Bot.exe
2009-03-11 19:46 . 2009-03-14 19:19        741,376        --a------        c:\users\...\AppData\Roaming\SCVHOST.EXE
2009-03-11 19:46 . 2009-03-14 19:19        86,528        --a------        c:\users\...\AppData\Roaming\NTCOM.DLL
2009-03-11 09:30 . 2008-12-16 04:29        8,147,456        --a------        c:\windows\System32\wmploc.DLL
2009-03-11 09:30 . 2009-02-09 04:10        2,033,152        --a------        c:\windows\System32\win32k.sys
2009-03-11 09:30 . 2008-11-27 05:43        268,288        --a------        c:\windows\System32\schannel.dll
2009-03-11 09:30 . 2008-12-16 06:31        7,680        --a------        c:\windows\System32\spwmp.dll
2009-03-11 09:30 . 2008-12-16 06:31        4,096        --a------        c:\windows\System32\msdxm.ocx
2009-03-11 09:30 . 2008-12-16 06:31        4,096        --a------        c:\windows\System32\dxmasf.dll
2009-03-05 20:18 . 2009-03-05 21:02        <DIR>        d--------        c:\users\...\AppData\Roaming\Hamachi
2009-03-05 20:18 . 2009-03-05 20:18        <DIR>        d--------        c:\program files\Hamachi
2009-03-05 20:18 . 2009-03-05 20:18        25,280        --a------        c:\windows\System32\drivers\hamachi.sys
2009-02-28 16:38 . 2009-02-28 16:38        <DIR>        d--------        c:\users\All Users\RapidSolution
2009-02-28 16:38 . 2009-02-28 16:38        <DIR>        d--------        c:\programdata\RapidSolution
2009-02-21 13:21 . 2009-02-21 13:21        <DIR>        d--------        c:\windows\System32\Color
2009-02-17 19:34 . 2009-02-27 14:07        <DIR>        d--------        c:\program files\Microsoft Silverlight
2009-02-17 19:33 . 2009-02-17 19:33        <DIR>        d----c---        c:\windows\System32\DRVSTORE
2009-02-17 19:33 . 2009-02-17 19:33        <DIR>        d--------        c:\program files\Microsoft Sync Framework
2009-02-17 19:33 . 2009-02-06 18:08        55,280        --a------        c:\windows\System32\drivers\fssfltr.sys
2009-02-17 19:32 . 2006-11-29 13:06        3,426,072        --a------        c:\windows\System32\d3dx9_32.dll
2009-02-15 19:01 . 2008-12-05 05:32        428,544        --a------        c:\windows\System32\EncDec.dll
2009-02-15 19:01 . 2008-12-05 05:32        293,376        --a------        c:\windows\System32\psisdecd.dll
2009-02-15 19:01 . 2008-12-05 05:31        217,088        --a------        c:\windows\System32\psisrndr.ax
2009-02-15 19:01 . 2008-12-05 05:31        177,664        --a------        c:\windows\System32\mpg2splt.ax
2009-02-15 19:01 . 2008-12-05 05:31        80,896        --a------        c:\windows\System32\MSNP.ax

.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 16:13        ---------        d--h--w        c:\program files\InstallShield Installation Information
2009-03-15 16:13        ---------        d-----w        c:\program files\Klett
2009-03-14 21:49        ---------        d-----w        c:\program files\Common Files\Blizzard Entertainment
2009-03-12 10:02        ---------        d-----w        c:\program files\Windows Mail
2009-03-11 15:42        ---------        d-----w        c:\programdata\Lx_cats
2009-03-09 19:20        ---------        d-----w        c:\program files\ICQ6.5
2009-03-07 18:14        ---------        d-----w        c:\users\...\AppData\Roaming\teamspeak2
2009-02-17 18:34        ---------        d-----w        c:\program files\Microsoft
2009-02-17 18:33        ---------        d-----w        c:\program files\Windows Live
2009-02-06 18:46        308,600        ----a-w        c:\windows\WLXPGSS.SCR
2009-02-06 17:52        49,504        ----a-w        c:\windows\System32\sirenacm.dll
2009-01-30 20:53        ---------        d-----w        c:\users\...\AppData\Roaming\Teeworlds
2009-01-29 11:50        ---------        d-----w        c:\programdata\ThumbnailCache4R
2009-01-23 11:17        4        ----a-w        c:\users\...\AppData\Roaming\wklnhst.dat
2009-01-16 12:56        ---------        d-----w        c:\program files\Google
2009-01-15 06:11        827,392        ----a-w        c:\windows\System32\wininet.dll
2009-01-14 18:58        1,868        ----a-w        c:\program files\Windows Movie Maker 2.6.lnk
2008-12-03 19:27        992,209        ----a-w        c:\users\...\Black_Amazon_by_hurtness.exe
2008-09-07 14:06        174        --sha-w        c:\program files\desktop.ini
.

((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\...\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-01-09 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-16 39408]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-03-01 172792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-03 1831936]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-05-02 366400]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-02-26 153136]
"recinfo914"="c:\recinfo\RecInfo.exe" [2007-10-23 2764800]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-06-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-01 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-01 81920]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2007-12-17 660136]
"lxdnamon"="c:\program files\Lexmark 2600 Series\lxdnamon.exe" [2007-12-17 16040]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"RtHDVCpl"="RtHDVCpl.exe" [2008-02-26 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-11-20 c:\windows\SkyTel.exe]

c:\users\Ahmet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPGL"= jpgl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B73DA30D-EBE7-4CAE-886E-B95FDBF01184}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2202690F-F251-498B-9BDA-A92122CEE048}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{977A227D-F9DC-47F8-A21F-C0205C031623}"= UDP:c:\program files\Fujitsu Siemens Computers\FSCLounge\FSCWBaseUpdaterService\2\FSCWBaseUpdaterService.exe:FSCLBaseUpdaterService.exe
"{C96F40C4-01CF-475F-9A71-BAD3D5005BC7}"= TCP:c:\program files\Fujitsu Siemens Computers\FSCLounge\FSCWBaseUpdaterService\2\FSCWBaseUpdaterService.exe:FSCLBaseUpdaterService.exe
"TCP Query User{D995AF99-62BF-4A2F-82E2-3EDAB203137E}c:\\users\\ahmet\\downloads\\openoffice.org 2.4 (de) installation files\\wow-dede-installer-downloader.exe"= UDP:c:\users\ahmet\downloads\openoffice.org 2.4 (de) installation files\wow-dede-installer-downloader.exe:wow-dede-installer-downloader.exe
"UDP Query User{4CC47CD8-5DCD-450B-877F-61C30E36CC0A}c:\\users\\ahmet\\downloads\\openoffice.org 2.4 (de) installation files\\wow-dede-installer-downloader.exe"= TCP:c:\users\ahmet\downloads\openoffice.org 2.4 (de) installation files\wow-dede-installer-downloader.exe:wow-dede-installer-downloader.exe
"TCP Query User{5E2FB33C-3A0B-4DB7-8309-1D49E5122456}c:\\users\\ahmet\\downloads\\openoffice.org 2.4 (de) installation files\\wow-burningcrusade-dede-installer-downloader.exe"= UDP:c:\users\ahmet\downloads\openoffice.org 2.4 (de) installation files\wow-burningcrusade-dede-installer-downloader.exe:wow-burningcrusade-dede-installer-downloader.exe
"UDP Query User{C69A3970-50F5-411A-8240-51E27927CE15}c:\\users\\ahmet\\downloads\\openoffice.org 2.4 (de) installation files\\wow-burningcrusade-dede-installer-downloader.exe"= TCP:c:\users\ahmet\downloads\openoffice.org 2.4 (de) installation files\wow-burningcrusade-dede-installer-downloader.exe:wow-burningcrusade-dede-installer-downloader.exe
"{59F6C57D-68C1-44DE-BE67-4E95E254AEA3}"= UDP:c:\windows\System32\lxdncoms.exe:Lexmark Communications System
"{69BB39AF-D65C-42F6-B359-5B9CAE77533B}"= TCP:c:\windows\System32\lxdncoms.exe:Lexmark Communications System
"{496EDA86-20B4-4680-8027-8AB57B5A3DBD}"= UDP:c:\program files\Lexmark 2600 Series\lxdnamon.exe:Lexmark Device Monitor
"{E7A84EC8-EEC1-477F-81D2-9583DE241E63}"= TCP:c:\program files\Lexmark 2600 Series\lxdnamon.exe:Lexmark Device Monitor
"{F984ADDA-928B-4E57-B5F8-39B602FA39B9}"= UDP:c:\program files\Lexmark 2600 Series\frun.exe:Lexmark Productivity Studio
"{1F289207-958D-4C56-B618-4DCA01B34489}"= TCP:c:\program files\Lexmark 2600 Series\frun.exe:Lexmark Productivity Studio
"{CC4D6970-26BF-4084-AEE1-26277D66C71E}"= UDP:c:\program files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:ABBYY FineReader
"{1AFC4258-8720-4499-B20A-11F6F975C472}"= TCP:c:\program files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:ABBYY FineReader
"{4B3308B4-CE4A-4E01-AA83-E6B8E7E5C406}"= UDP:c:\program files\Lexmark 2600 Series\lxdnmon.exe:Printer Device Monitor
"{246C1311-141C-469B-B218-11083EDC3781}"= TCP:c:\program files\Lexmark 2600 Series\lxdnmon.exe:Printer Device Monitor
"{DC3AF067-A069-4C9C-9816-FCDC3B81B369}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdnpswx.exe:Printer Status Window Interface
"{99A21581-C218-4E2D-93EF-B29AFD224A41}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdnpswx.exe:Printer Status Window Interface
"{55B8FB14-4736-4201-9D29-8792FC021F8E}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdntime.exe:Lexmark Connect Time Executable
"{151442A7-E9FC-4421-AAB8-3C5DF5199595}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdntime.exe:Lexmark Connect Time Executable
"{95C694AD-F231-4DC3-AB94-7352DFE644E9}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdnjswx.exe:Job Status Window Interface
"{38821C20-4293-45FD-B0C3-8771E23DC182}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdnjswx.exe:Job Status Window Interface
"TCP Query User{5A392E7A-4651-4070-B3E5-B687734CB0AC}c:\\program files\\lexmark 2600 series\\lxdnlscn.exe"= UDP:c:\program files\lexmark 2600 series\lxdnlscn.exe:lxdnlscn
"UDP Query User{B280CDC7-05C1-4746-A2B6-77013F16825C}c:\\program files\\lexmark 2600 series\\lxdnlscn.exe"= TCP:c:\program files\lexmark 2600 series\lxdnlscn.exe:lxdnlscn
"{475A05DF-4E72-4776-948D-5AD858EFE706}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-2.4.3-to-3.0.2-deDE-Win-Final-downloader.exe:Blizzard Downloader
"{BE7BFC74-052D-4677-8314-90DC7173F736}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-2.4.3-to-3.0.2-deDE-Win-Final-downloader.exe:Blizzard Downloader
"{CB68ECA5-0476-4559-A8F4-4D55C85AC543}"= UDP:3724:Blizzard Downloader: 3724
"TCP Query User{8B857AE9-F57B-4E8D-AB77-5F710CB3427D}c:\\program files\\icq6.5\\icq.exe"= UDP:c:\program files\icq6.5\icq.exe:ICQ Library
"UDP Query User{F3318628-B70E-4841-924D-F7BC14010326}c:\\program files\\icq6.5\\icq.exe"= TCP:c:\program files\icq6.5\icq.exe:ICQ Library
"TCP Query User{5FF54A28-BFA9-4BF6-86D1-EDC4453E04FD}c:\\big fish games\\world of warcraft\\metin2\\metin2.bin"= UDP:c:\big fish games\world of warcraft\metin2\metin2.bin:metin2.bin
"UDP Query User{0D1E81A4-44E5-4121-9A36-69D3E5EC0049}c:\\big fish games\\world of warcraft\\metin2\\metin2.bin"= TCP:c:\big fish games\world of warcraft\metin2\metin2.bin:metin2.bin
"TCP Query User{110F9410-1724-4508-98DB-30F70003904A}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= UDP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"UDP Query User{D4B6A998-BC57-48BF-AD31-C81EB1122ADE}c:\\program files\\lexmark 2600 series\\lxdnmon.exe"= TCP:c:\program files\lexmark 2600 series\lxdnmon.exe:Printer Device Monitor
"TCP Query User{F1AFFFBF-938E-40D9-B9A2-7A9A983ED6E0}c:\\program files\\icq6.5\\icq.exe"= UDP:c:\program files\icq6.5\icq.exe:ICQ Library
"UDP Query User{FD1CFC1C-50CF-4A33-8090-797DCABECF0B}c:\\program files\\icq6.5\\icq.exe"= TCP:c:\program files\icq6.5\icq.exe:ICQ Library
"{620DA27C-B08F-4F8F-83F5-AD69EF23CE3B}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.1-to-3.0.2-enUS-Win-Update-downloader.exe:Blizzard Downloader
"{AFCCAA51-7014-4B07-BD34-14C41DE2CBF2}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.1-to-3.0.2-enUS-Win-Update-downloader.exe:Blizzard Downloader
"TCP Query User{0AF36C79-0519-481C-BB92-CE89042483E9}c:\\big fish games\\world of warcraft\\cabaltemp\\estsetuploader.exe"= UDP:c:\big fish games\world of warcraft\cabaltemp\estsetuploader.exe:EST! download engine
"UDP Query User{CE0DAEAB-B87E-4623-9909-DEC8FB0B1871}c:\\big fish games\\world of warcraft\\cabaltemp\\estsetuploader.exe"= TCP:c:\big fish games\world of warcraft\cabaltemp\estsetuploader.exe:EST! download engine
"TCP Query User{D7069DFC-9440-42C8-898A-683CCF3C7748}c:\\program files\\games-masters.com\\cabal online (europe)\\launcher\\update\\estdnheadless.exe"= UDP:c:\program files\games-masters.com\cabal online (europe)\launcher\update\estdnheadless.exe:EST! download engine
"UDP Query User{A6279C8D-EAA4-4861-8F88-5F96E135ECE7}c:\\program files\\games-masters.com\\cabal online (europe)\\launcher\\update\\estdnheadless.exe"= TCP:c:\program files\games-masters.com\cabal online (europe)\launcher\update\estdnheadless.exe:EST! download engine
"TCP Query User{1E78F6DA-D4F9-45A6-A89F-B1F637464D7B}c:\\big fish games\\bfg communication\\world of warcraft\\launcher.exe"= UDP:c:\big fish games\bfg communication\world of warcraft\launcher.exe:Blizzard Launcher
"UDP Query User{741D18BC-A7DD-4914-B43B-90E49C3965E9}c:\\big fish games\\bfg communication\\world of warcraft\\launcher.exe"= TCP:c:\big fish games\bfg communication\world of warcraft\launcher.exe:Blizzard Launcher
"{01692E0D-A9DE-4149-B680-9BC92741FBBF}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"TCP Query User{CAE7FED4-29AB-4BCF-8E43-DEC6775BF995}c:\\program files\\valve\\counter-strike source\\hl2.exe"= UDP:c:\program files\valve\counter-strike source\hl2.exe:hl2
"UDP Query User{1DA2B81B-2F98-4890-861F-E5B441D5998C}c:\\program files\\valve\\counter-strike source\\hl2.exe"= TCP:c:\program files\valve\counter-strike source\hl2.exe:hl2
"TCP Query User{F578E068-9762-49DB-AD74-BCADFDE5D9A4}c:\\users\\...\\appdata\\roaming\\mozilla\\firefox\\profiles\\buothxib.default\\extensions\\solidstateion@solidstatenetworks.com\\plugins\\solidnm.exe"= UDP:c:\users\...\appdata\roaming\mozilla\firefox\profiles\buothxib.default\extensions\solidstateion@solidstatenetworks.com\plugins\solidnm.exe:solidnm.exe
"UDP Query User{C9D54685-15BF-4AC8-A62C-50D06B793521}c:\\users\\...\\appdata\\roaming\\mozilla\\firefox\\profiles\\buothxib.default\\extensions\\solidstateion@solidstatenetworks.com\\plugins\\solidnm.exe"= TCP:c:\users\ahmet\appdata\roaming\mozilla\firefox\profiles\buothxib.default\extensions\solidstateion@solidstatenetworks.com\plugins\solidnm.exe:solidnm.exe
"TCP Query User{DBDA7644-A449-4E73-91F7-A37E6AE8E9B3}c:\\users\\ahmet\\downloads\\fogdownloaderde-runesofmagic.exe"= UDP:c:\users\ahmet\downloads\fogdownloaderde-runesofmagic.exe:fogdownloaderde-runesofmagic.exe
"UDP Query User{17BCFD12-00AF-4B85-BF87-938ED392A5A8}c:\\users\\ahmet\\downloads\\fogdownloaderde-runesofmagic.exe"= TCP:c:\users\ahmet\downloads\fogdownloaderde-runesofmagic.exe:fogdownloaderde-runesofmagic.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2008-04-03 554352]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxdnserv.exe [2007-12-05 98984]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S3 DCamUSBNW800;CIF USB Camera (2110);c:\windows\System32\drivers\pcam800.sys [2002-07-27 210792]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [2009-02-17 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-03-15 33176]
S3 scramby_out;Scramby Output;c:\windows\System32\drivers\scramby_out.sys [2007-08-08 23840]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a80fc8f-7f66-11dd-a363-001d926e0ea9}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FATMA.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81e34258-7ce5-11dd-946c-001d926e0ea9}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FATMA.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81e34264-7ce5-11dd-946c-001d926e0ea9}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FATMA.vbs
.
Inhalt des "geplante Tasks" Ordners

2009-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2888669380-1727950260-3000317607-1000.job
- c:\users\...\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-09 14:57]

2009-03-15 c:\windows\Tasks\User_Feed_Synchronization-{8DF981CB-55D3-4D19-8868-D012570C8EBE}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 08:33]
.
.
------- Zusätzlicher Suchlauf -------
.
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=FUJD&bmod=FUJD
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\users\...\AppData\Roaming\Mozilla\Firefox\Profiles\buothxib.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\users\...\AppData\Roaming\Mozilla\Firefox\Profiles\buothxib.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\...\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\...\AppData\Roaming\Mozilla\Firefox\Profiles\buothxib.default\extensions\SolidStateION@solidstatenetworks.com\plugins\npssn.dll

---- FIREFOX Richtlinien ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 18:50:49
Windows 6.0.6001 Service Pack 1 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2009-03-15 18:52:48
ComboFix-quarantined-files.txt  2009-03-15 17:52:46

Vor Suchlauf: 33 Verzeichnis(se), 184.494.329.856 Bytes frei
Nach Suchlauf: 33 Verzeichnis(se), 185,608,302,592 Bytes frei

229        --- E O F ---        2009-03-14 09:02:13
könntet ihr mir bitte für diese beiden logfiles eine auswertung geben?

john.doe 15.03.2009 20:07
Hallo und :hallo:

Bitte in Zukunft nicht in ComboFix-Logs editieren. Das macht die Bereinigung schwieriger.

Stell sicher, daß Dir auch alle Dateien angezeigt werden, danach folgende Dateien bei Virustotal.com auswerten lassen und alle Ergebnisse posten, und zwar so, daß man die der einzelnen Virenscanner sehen kann. Bitte mit Dateigrößen und Prüfsummen:
Code:
c:\users\...\AppData\Roaming\SCVHOST.EXE
c:\users\...\AppData\Roaming\NTCOM.DLL
c:\windows\System32\HD Bot.exe
Sollte die Meldung kommen, dass die Datei schon analysiert wurde, dann klicke trotzdem auf Analysieren.

ciao, andreas

crip1 15.03.2009 20:13
Code:
Datei SCVHOST.EXE empfangen 2009.03.15 20:09:27 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 10/39 (25.65%)a-squared        4.0.0.101        2009.03.15        Trojan-Dropper.Win32.Delf!IK
AhnLab-V3        5.0.0.2        2009.03.15        -
AntiVir        7.9.0.114        2009.03.13        -
Authentium        5.1.0.4        2009.03.15        -
Avast        4.8.1335.0        2009.03.14        -
AVG        8.0.0.237        2009.03.15        PSW.Delf.CWA
BitDefender        7.2        2009.03.15        -
CAT-QuickHeal        10.00        2009.03.14        Trojan.Agent.IRC
ClamAV        0.94.1        2009.03.15        -
Comodo        1057        2009.03.15        -
DrWeb        4.44.0.09170        2009.03.15        -
eSafe        7.0.17.0        2009.03.15        Win32.TrojanDropperD
eTrust-Vet        31.6.6388        2009.03.09        -
F-Prot        4.4.4.56        2009.03.15        -
F-Secure        8.0.14470.0        2009.03.15        -
Fortinet        3.117.0.0        2009.03.15        PossibleThreat
GData        19        2009.03.15        -
Ikarus        T3.1.1.45.0        2009.03.15        Trojan-Dropper.Win32.Delf
K7AntiVirus        7.10.671        2009.03.14        -
Kaspersky        7.0.0.125        2009.03.15        -
McAfee        5554        2009.03.15        -
McAfee+Artemis        5554        2009.03.15        Generic!Artemis
McAfee-GW-Edition        6.7.6        2009.03.13        -
Microsoft        1.4405        2009.03.15        TrojanDropper:Win32/Delf.TE
NOD32        3937        2009.03.15        -
Norman        6.00.06        2009.03.13        -
nProtect        2009.1.8.0        2009.03.15        -
Panda        10.0.0.10        2009.03.15        Suspicious file
PCTools        4.4.2.0        2009.03.15        -
Prevx1        V2        2009.03.15        Medium Risk Malware
Rising        21.20.62.00        2009.03.15        -
Sophos        4.39.0        2009.03.15        -
Sunbelt        3.2.1858.2        2009.03.15        -
Symantec        1.4.4.12        2009.03.15        -
TheHacker        6.3.3.0.282        2009.03.15        -
TrendMicro        8.700.0.1004        2009.03.13        -
VBA32        3.12.10.1        2009.03.15        -
ViRobot        2009.3.13.1648        2009.03.13        -
VirusBuster        4.6.5.0        2009.03.15        -

crip1 15.03.2009 20:18
dies hier c:\users\...\AppData\Roaming\NTCOM.DLL konnte ich nicht bei virustotal uploaden deswegen habe ich es bei virscan.org upgeloadet
Code:
Datei Informationen
    Dateiname :          NTCOM.DLL
    Größe :          86528 byte
    Typ :          PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
    MD5 :          a2d9e3354c1f792db0a1a724a3f4fe2a
    SHA1 :          b96db2398ef547b9e2fd2136468cfca8ddb682dd

Scan Ergebnis
    Scan Ergebnis :          3% der Scanner (1/37) haben Malware gefunden!
    Zeit :          2009/03/15 20:15:15 (CET)
    Scanner ↓        Engine Ver        Sig Ver        Sig Datum        Scan Ergebnis        Zeit
    a-squared        4.0.0.32        20090315223639        2009-03-15       
    -
            2.460
    AhnLab V3        2009.03.15.00        2009.03.15        2009-03-15       
    -
            1.109
    AntiVir        7.9.0.114        7.1.2.171        2009-03-13       
    -
            1.940
    Antiy        2.0.18        20090315.2217560        2009-03-15       
    -
            0.119
    Authentium        5.1.1        200903141844        2009-03-14       
    -
            1.290
    AVAST!        3.0.1        090314-0        2009-03-14       
    -
            0.010
    AVG        7.5.52.442        270.11.15/2003        2009-03-15       
    PSW.Delf.CVZ
            1.955
    BitDefender        7.81008.2794426        7.24204        2009-03-16       
    -
            2.556
    CA (VET)        9.0.0.143        31.6.6395        2009-03-13       
    -
            3.813
    ClamAV        0.94.2        9110        2009-03-15       
    -
            0.025
    Comodo        3.8        1057        2009-03-15       
    -
            0.509
    CP Secure        1.1.0.715        2009.03.15        2009-03-15       
    -
            7.486
    Dr.Web        4.44.0.9170        2009.03.15        2009-03-15       
    -
            4.174
    F-Prot        4.4.4.56        20090315        2009-03-15       
    -
            1.311
    F-Secure        5.51.6100        2009.03.15.02        2009-03-15       
    -
            0.054
    Fortinet        2.81-3.117        10.161        2009-03-15       
    -
            0.242
    GData        19.3971/19.261        20090315        2009-03-15       
    -
            3.388
    Ikarus        T3.1.01.45        2009.03.15.72430        2009-03-15       
    -
            4.340
    JiangMin        11.0.706        2009.03.15        2009-03-15       
    -
            1.642
    Kaspersky        5.5.10        2009.03.15        2009-03-15       
    -
            0.044
    KingSoft        2009.2.5.15        2009.3.15.20        2009-03-15       
    -
            1.772
    McAfee        5.3.00        5554        2009-03-15       
    -
            2.697
    Microsoft        1.4405        2009.03.15        2009-03-15       
    -
            6.540
    mks_vir        2.01        2009.03.15        2009-03-15       
    -
            2.919
    Norman        6.00.06        6.00.00        2009-03-13       
    -
            8.010
    nProtect        20090315.01        3335700        2009-03-15       
    -
            5.271
    Panda        9.05.01        2009.03.15        2009-03-15       
    -
            1.665
    Quick Heal        10.00        2009.03.14        2009-03-14       
    -
            1.719
    Rising        20.0        21.20.62.00        2009-03-15       
    -
            0.949
    Sophos        2.84.1        4.39        2009-03-16       
    -
            2.116
    Sunbelt        5042        5042        2009-03-14       
    -
            0.696
    Symantec        1.3.0.24        20090315.003        2009-03-15       
    -
            0.048
    The Hacker        6.3.2.7        v00282        2009-03-15       
    -
            0.556
    Trend Micro        8.700-1004        5.896.44        2009-03-15       
    -
            0.029
    VBA32        3.12.10.1        20090314.1951        2009-03-14       
    -
            1.734
    ViRobot        20090313        2009.03.13        2009-03-13       
    -
            0.414
    VirusBuster        4.5.11.10        10.102.11/978871        2009-03-15       
    -
            1.262

crip1 15.03.2009 20:22
dies : c:\windows\System32\HD Bot.exe, ging ebenfalls nicht bei TV also musste ich es wieder bei virscan.org uploaden
Code:
Datei Informationen
    Dateiname :          HD Bot.exe
    Größe :          216064 byte
    Typ :          PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 :          f1ac469009b60c572f052918e1747dcc
    SHA1 :          5bd1a4cc5a54032136f981faca8e3b20697bff68

Scan Ergebnis
    Scan Ergebnis :          Es wurde keine Infektion ermittelt!
    Zeit :          2009/03/15 20:19:51 (CET)
    Scanner ↓        Engine Ver        Sig Ver        Sig Datum        Scan Ergebnis        Zeit
    a-squared        4.0.0.32        20090315223639        2009-03-15       
    -
            2.582
    AhnLab V3        2009.03.15.00        2009.03.15        2009-03-15       
    -
            1.104
    AntiVir        7.9.0.114        7.1.2.171        2009-03-13       
    -
            1.908
    Antiy        2.0.18        20090315.2217560        2009-03-15       
    -
            0.124
    Authentium        5.1.1        200903141844        2009-03-14       
    -
            1.096
    AVAST!        3.0.1        090314-0        2009-03-14       
    -
            0.878
    AVG        7.5.52.442        270.11.15/2003        2009-03-15       
    -
            1.953
    BitDefender        7.81008.2794426        7.24204        2009-03-16       
    -
            2.548
    CA (VET)        9.0.0.143        31.6.6395        2009-03-13       
    -
            5.190
    ClamAV        0.94.2        9110        2009-03-15       
    -
            0.035
    Comodo        3.8        1057        2009-03-15       
    -
            0.515
    CP Secure        1.1.0.715        2009.03.15        2009-03-15       
    -
            7.466
    Dr.Web        4.44.0.9170        2009.03.15        2009-03-15       
    -
            4.169
    F-Prot        4.4.4.56        20090315        2009-03-15       
    -
            1.087
    F-Secure        5.51.6100        2009.03.15.02        2009-03-15       
    -
            4.863
    Fortinet        2.81-3.117        10.161        2009-03-15       
    -
            0.212
    GData        19.3971/19.261        20090315        2009-03-15       
    -
            3.314
    Ikarus        T3.1.01.45        2009.03.15.72430        2009-03-15       
    -
            4.301
    JiangMin        11.0.706        2009.03.15        2009-03-15       
    -
            1.576
    Kaspersky        5.5.10        2009.03.15        2009-03-15       
    -
            0.046
    KingSoft        2009.2.5.15        2009.3.15.20        2009-03-15       
    -
            0.617
    McAfee        5.3.00        5554        2009-03-15       
    -
            2.701
    Microsoft        1.4405        2009.03.15        2009-03-15       
    -
            4.482
    mks_vir        2.01        2009.03.15        2009-03-15       
    -
            2.692
    Norman        6.00.06        6.00.00        2009-03-13       
    -
            8.009
    nProtect        20090315.01        3335700        2009-03-15       
    -
            4.292
    Panda        9.05.01        2009.03.15        2009-03-15       
    -
            3.635
    Quick Heal        10.00        2009.03.14        2009-03-14       
    -
            1.287
    Rising        20.0        21.20.62.00        2009-03-15       
    -
            0.802
    Sophos        2.84.1        4.39        2009-03-16       
    -
            2.077
    Sunbelt        5042        5042        2009-03-14       
    -
            0.562
    Symantec        1.3.0.24        20090315.003        2009-03-15       
    -
            0.050
    The Hacker        6.3.2.7        v00282        2009-03-15       
    -
            0.537
    Trend Micro        8.700-1004        5.896.44        2009-03-15       
    -
            0.029
    VBA32        3.12.10.1        20090314.1951        2009-03-14       
    -
            1.729
    ViRobot        20090313        2009.03.13        2009-03-13       
    -
            0.413
    VirusBuster        4.5.11.10        10.102.11/978871        2009-03-15       
    -
            1.229

john.doe 15.03.2009 20:35
Falls du noch keine Recovery-DVD erstellt hast, solltest du das schnellstens nachholen. Mit schnellstens meine ich nach der Bereinigung.

Scripten mit Combofix
  • Öffne den Editor (Start => Zubehör => Editor ) kopiere nun folgenden Text in das weiße Feld:
Code:
KILLALL::

DirLook::
c:\program files\Common Files\Blizzard Entertainment

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=-
"swg"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a80fc8f-7f66-11dd-a363-001d926e0ea9}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81e34258-7ce5-11dd-946c-001d926e0ea9}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81e34264-7ce5-11dd-946c-001d926e0ea9}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL

File::
c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2888669380-1727950260-3000317607-1000.job
Speichere diese Datei nun auf dem Desktop unter -> cfscript.txt
  • Nun die Datei cfscript.txt mit der rechten Maustaste auf das Sysmbol von Combofix ziehen!
http://users.pandora.be/bluepatchy/m...s/CFScript.gif
  • Danach das Combofix nochmal ausführen, das System neu starten und das Log von Combofix posten


Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann.

ciao, andreas


Alle Zeitangaben in WEZ +1. Es ist jetzt 13:53 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131