Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/), forum "Plagegeister aller Art und deren Bekämpfung" (pests of all kinds and their removal)
Thread: https://www.trojaner-board.de/53944-autorun-inf-trojaner-tr-autorun-te-meldung-beim-anschluss-usb-sticks.html

geo-pec 14.06.2008 09:11

"autorun.inf is the Trojan: TR/Autorun.TE" message when connecting a USB stick

Hello,
I have the problem that Antivir shows the warning:

autorun.inf is the trojan horse TR/Autorun.TE

as soon as I connect a USB stick.

I have already run several virus and spyware scanners over my hard disk, but nothing is found.

Many thanks for your support.

My operating system: Windows XP Professional SP2 Version 2002 English

Logfile of HijackThis v1.99.1
Scan saved at 08:51:07, on 14/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\DIGuser02\Desktop\Eingang\Dieter\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://de.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.68.0.28:8080
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SetRefresh] REM C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] REM "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
O16 - DPF: {59136DB4-6CA3-4B40-8F2F-BBF84B6F1E91} (Attachment Upload Control) - https://stream.web.de/mail/activex/mail_upload_11213.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.de/scan_de/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144798353625
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{107824C6-0507-4603-B1A8-627654CD0487}: NameServer = 213.187.132.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{107824C6-0507-4603-B1A8-627654CD0487}: NameServer = 213.187.132.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

BataAlexander 14.06.2008 09:15

ComboFix
  • Download ComboFix from here or here to your desktop.
  • Disable the guard of your antivirus program and any software firewall you have.
    (Also the guards of ad-/spyware programs!)
  • Double-click combofix.exe.
  • When ComboFix is finished, it creates a log file. Post this log file and a new HJT log file as your next reply.

Important notes:
  • ComboFix may only be run when an experienced helper has explicitly recommended it!
    It should never be run on your own initiative. Incorrect use can cause serious computer problems.
  • While ComboFix is running, do not click anything and do not use the computer.
  • All guards of the antivirus programs should be disabled as described.
  • ComboFix disables the autostart function of all CD/DVD and USB drives in order to contain the spread. If this causes problems, post them in the thread.
  • ComboFix clears the list of applications authorized for the Internet. Most of them will afterwards ask to be added again, some will not. If this causes problems, post them in the thread.
  • ComboFix changes the default browser to Internet Explorer. Change this back manually after the run, if necessary.
  • The desktop will turn blue while ComboFix runs and the icons will disappear. This behaviour is intended and poses no danger.

In addition, read through these instructions and print them out if necessary.
A guide and tutorial on using ComboFix

geo-pec 14.06.2008 10:00

Problem with ComboFix:
ComboFix seems to have restarted the system, so Windows booted up again. As a result, my Antivir guard tried to open again. But it seems it only became active after ComboFix was finished. I didn't know that ComboFix shuts down the computer. I hope that's not a problem.

COMBOFIX


ComboFix 08-06-12.2 - DIGuser02 2008-06-14 9:34:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1033.18.2740 [GMT 1:00]
Running from: C:\Documents and Settings\DIGuser02\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 08:38 . 2008-06-14 08:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 08:38 . 2008-06-14 08:38 <DIR> d-------- C:\Documents and Settings\DIGuser02\Application Data\Malwarebytes
2008-06-14 08:38 . 2008-06-14 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 08:38 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-14 08:38 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-14 08:19 . 2008-06-14 08:19 <DIR> d-------- C:\Program Files\CCleaner
2008-06-13 18:01 . 2008-06-14 07:32 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-06-13 17:53 . 2008-06-14 07:32 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-06-13 16:35 . 2008-06-13 17:54 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-13 14:40 . 2008-06-13 15:18 <DIR> d-------- C:\USB Stick
2008-06-13 10:57 . 2008-06-13 10:57 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-13 10:57 . 2008-06-13 10:57 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-13 10:56 . 2008-06-13 10:56 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-13 10:56 . 2008-06-13 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-13 10:56 . 2008-06-13 11:01 49,184 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-13 10:56 . 2008-06-13 11:01 1,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-13 10:56 . 2008-06-13 11:01 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-13 10:56 . 2008-06-13 11:01 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-13 07:58 . 2008-06-13 07:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-13 07:54 . 2007-10-01 11:18 784 --a------ C:\WINDOWS\win.tmp
2008-06-13 07:54 . 2008-06-13 15:35 250 --a------ C:\WINDOWS\system.tmp
2008-06-12 13:35 . 2008-06-14 07:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 13:31 . 2008-06-14 07:42 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-12 13:31 . 2008-06-12 13:31 <DIR> d-------- C:\Documents and Settings\DIGuser02\Application Data\PC Tools
2008-06-11 09:55 . 2008-06-11 09:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-11 09:55 . 2008-06-11 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-11 08:15 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 08:15 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 07:24 . 2008-06-13 16:08 <DIR> d-------- C:\Program Files\Avira
2008-06-11 07:24 . 2008-06-13 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-08 14:27 . 2008-06-13 07:42 <DIR> d-------- C:\EM Wette
2008-05-29 17:30 . 2008-06-14 09:28 <DIR> d-------- C:\Documents and Settings\DIGuser02\Application Data\skypePM
2008-05-29 17:30 . 2008-05-29 17:30 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-29 17:29 . 2008-05-29 17:29 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-19 13:35 . 2008-05-19 13:35 <DIR> d----c--- C:\Lizenz
2008-05-19 13:29 . 2008-05-19 13:35 <DIR> d-------- C:\Program Files\GEOgraf
2008-05-19 13:28 . 2008-05-19 14:03 1,570 --a------ C:\WINDOWS\geograf.mif
2008-05-19 09:57 . 2008-05-19 09:57 <DIR> d-------- C:\Program Files\tuloxFreeWBI
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 08:32 --------- d-----w C:\Documents and Settings\DIGuser02\Application Data\Skype
2008-06-14 07:11 --------- d-----w C:\Program Files\PC Sync Manager
2008-06-14 07:11 --------- d-----w C:\Program Files\Groove
2008-06-14 06:35 --------- d-----w C:\Documents and Settings\DIGuser02\Application Data\concept design
2008-06-14 06:31 --------- d-----w C:\Program Files\Belkin
2008-06-14 06:00 --------- d-----w C:\Program Files\LogMeIn
2008-06-13 09:26 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-06-11 08:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 07:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-11 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-11 07:08 --------- d-----w C:\Program Files\Symantec
2008-05-13 16:09 --------- d-----w C:\Documents and Settings\DIGuser02\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 08:47 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-05-03 08:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-03 08:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 10:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-25 17:21 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-04-23 12:40 --------- d-----w C:\Program Files\Mozilla Thunderbird
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 09:23 68856]
"Skype"="REM C:\Program Files\Skype\Phone\Skype.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 17:08 143360]
"SetRefresh"="REM C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [ ]
"VOBRegCheck"="C:\WINDOWS\System32\VOBREGCheck.exe" [2003-01-08 15:55 153088]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 09:47 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 09:47 163840]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 09:46 135168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 FpFilter;Drive Utility Filter Service;C:\WINDOWS\system32\drivers\fpfilter.sys [2002-10-30 13:13]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-12-13 01:05]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 mapmem;mapmem;C:\WINDOWS\system32\mapmem.sys [1998-12-10 22:57]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 09:00]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:00]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-12-13 01:05]
S3 ForteUSB;DK Digital USB Driver Service;C:\WINDOWS\system32\Drivers\ForteUSB.sys [2001-09-08 11:18]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2004-09-07 16:42]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0778e684-1e06-11db-841b-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d6da048-ba64-11db-af3f-000ffe244163}]
\Shell\Auto\command - F:\sss.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d8e55dc-9667-11dc-b084-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c59e2aa-1cb2-11db-8417-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f64100-3467-11dc-affc-000ffe244163}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - F:\RavMon.exe -e
\Shell\open\Command - F:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45f579fb-9706-11db-aefb-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70e3815d-3cab-11db-8445-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b41158-5172-11dc-b021-000ffe244163}]
\Shell\AutoRun\command - L:\RavMon.exe
\Shell\explore\Command - L:\RavMon.exe -e
\Shell\open\Command - L:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aba517bd-3339-11db-8439-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1404ced-6b06-11db-9167-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e87c6264-507b-11dc-b01f-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edd7a6ab-2cf8-11db-8432-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f10bdd12-d1f3-11db-af62-000ffe244163}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 09:40:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-06-14 9:47:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-14 08:47:40

Pre-Run: 14,413,889,536 bytes free
Post-Run: 14,932,938,752 bytes free

201 --- E O F --- 2008-06-11 10:11:52


Logfile of HijackThis v1.99.1

[edit]
Please edit your links in future, as shown to you here, among other places:
http://www.trojaner-board.de/22771-a...tml#post171958

thanks
GUA
[/edit]

BataAlexander 14.06.2008 10:27

As expected

Flash Disinfector
  • Download Flash_Disinfector.exe and save it to your desktop.
  • Double-click Flash_Disinfector.exe to start it and follow the instructions.
  • The program will ask you to connect flash drives (USB sticks/hard disks) and all removable media (including your mobile phone). Please do so and allow the program to clean these drives as well.
  • Wait until the program has finished the scan, then close the program.
  • Reboot your computer once you have carried out the above steps.
You must search for all copies of RavMon.exe and delete them.
Update Avira, set the heuristics to high and run a system scan.
Then post the log here.
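The MountPoints2 entries in the ComboFix log above are where a helper reads off which removable volumes still carry an autorun handler and which executable each one points at. As an added example (not code from this thread or from ComboFix), the following Python script parses that section of a ComboFix log, flags the handler patterns worth reviewing and counts how many volumes reference each executable; the embedded log excerpt is constructed in the same shape as the one posted.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape ComboFix prints under "Reg Loading Points" for
# HKCU\...\Explorer\MountPoints2; the values mirror the ones in the thread's log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d6da048-ba64-11db-af3f-000ffe244163}]
\Shell\Auto\command - F:\sss.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d8e55dc-9667-11dc-b084-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f64100-3467-11dc-affc-000ffe244163}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - F:\RavMon.exe -e
\Shell\open\Command - F:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45f579fb-9706-11db-aefb-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f10bdd12-d1f3-11db-af62-000ffe244163}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

HEADER_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
COMMAND_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
EXE_RE = re.compile(r'[^\\\s",]+\.exe', re.I)   # a path component ending in .exe


def parse_mountpoints(log_text):
    """Return {volume_guid: [(verb, command), ...]} for every MountPoints2 key in the log."""
    volumes, current = {}, None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith("["):            # a registry key header; only MountPoints2 keys count
            m = HEADER_RE.match(line)
            current = volumes.setdefault(m.group(1).lower(), []) if m else None
            continue
        m = COMMAND_RE.match(line)
        if m and current is not None:
            current.append((m.group(1).lower(), m.group(2).strip()))
    return volumes


def target_executable(command):
    """The executable finally launched: the last *.exe token, so a RunDLL32/ShellExec_RunDLL
    wrapper yields its argument rather than RunDLL32 itself."""
    hits = EXE_RE.findall(command)
    return hits[-1].lower() if hits else None


def assess(verb, command):
    """Heuristic reasons to inspect this handler (empty list = nothing notable). Review hints,
    not a verdict: a vendor launcher such as a U3 stick's LaunchU3.exe stays unflagged."""
    reasons, low = [], command.lower()
    if "shellexec_rundll" in low:
        reasons.append("launches the target indirectly through RunDLL32/ShellExec_RunDLL")
    if "systemvolumeinformation" in low:
        reasons.append("target hidden under the volume's System Volume Information folder")
    matches = list(EXE_RE.finditer(command))
    if matches and (matches[-1].start() == 0 or command[matches[-1].start() - 1] != "\\"):
        reasons.append("bare file name: resolved relative to the root of the inserted volume")
    if verb in ("open", "explore"):
        reasons.append(f"overrides the '{verb}' verb: runs when the drive is double-clicked "
                       "or explored in My Computer, not only at insertion")
    return reasons


def summarize(log_text):
    """Map each executable name to the sorted volume GUIDs whose handlers reference it."""
    refs = defaultdict(set)
    for guid, handlers in parse_mountpoints(log_text).items():
        for _verb, command in handlers:
            exe = target_executable(command)
            if exe:
                refs[exe].add(guid)
    return {exe: sorted(guids) for exe, guids in refs.items()}


def report(log_text):
    """Per-handler review plus a count of how many volumes reference each executable."""
    out = []
    for guid, handlers in parse_mountpoints(log_text).items():
        out.append(f"volume {guid}")
        for verb, command in handlers:
            notes = assess(verb, command)
            out.append(f"  {'!!' if notes else '  '} {verb:<8} {command}")
            out.extend(f"        - {note}" for note in notes)
    out.append("executables referenced, by number of volumes:")
    for exe, guids in sorted(summarize(log_text).items(), key=lambda kv: -len(kv[1])):
        out.append(f"  {exe}: {len(guids)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the full log from the thread, the summary shows the same name recurring across many volume GUIDs, which is the list of sticks still to be cleaned and searched for that file.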

geo-pec 14.06.2008 11:24

I have run Flash_Disinfector.
Rebooted the computer.

Then searched My Computer for RavMon.exe using the Windows search:

NO FILE FOUND.


About Avira:
I am in Central Africa and currently have a very poor Internet connection. I was able to do the last update yesterday. Today the network is extremely slow; I can't update at the moment. Is yesterday's state sufficient?

BataAlexander 14.06.2008 11:27

Quote:

Quote from geo-pec (post 345557)
Is yesterday's state sufficient?

Yes, that should be enough.
Please uninstall ComboFix before the scan.

To delete ComboFix (the qoobox folder), enter "combofix /u" under Start / Run. Without the quotation marks, of course.

http://img247.imageshack.us/img247/7...ombofixvs6.jpg

geo-pec 14.06.2008 13:04

Avira AntiVir Personal
Report file date: 14 June 2008 11:33

Scanning for 1331132 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: AFXPMONAIRDIG02

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 09.04.2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 18.03.2008 10:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 07.02.2008 09:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 28.02.2008 09:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 21.02.2008 09:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18.07.2007 11:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07.03.2008 14:08:58
ANTIVIR2.VDF : 7.0.4.120 2206720 Bytes 01.06.2008 15:13:05
ANTIVIR3.VDF : 7.0.4.193 377344 Bytes 13.06.2008 15:13:39
Engineversion : 8.1.0.55
AEVDF.DLL : 8.1.0.5 102772 Bytes 25.02.2008 10:58:21
AESCRIPT.DLL : 8.1.0.40 266618 Bytes 13.06.2008 15:19:56
AESCN.DLL : 8.1.0.21 119156 Bytes 13.06.2008 15:19:38
AERDL.DLL : 8.1.0.20 418165 Bytes 13.06.2008 15:19:26
AEPACK.DLL : 8.1.1.5 364918 Bytes 13.06.2008 15:18:58
AEOFFICE.DLL : 8.1.0.18 192890 Bytes 13.06.2008 15:18:33
AEHEUR.DLL : 8.1.0.30 1253750 Bytes 13.06.2008 15:18:19
AEHELP.DLL : 8.1.0.15 115063 Bytes 13.06.2008 15:15:51
AEGEN.DLL : 8.1.0.28 307572 Bytes 13.06.2008 15:15:12
AEEMU.DLL : 8.1.0.6 430451 Bytes 13.06.2008 15:14:16
AECORE.DLL : 8.1.0.31 168310 Bytes 13.06.2008 15:13:54
AVWINLL.DLL : 1.0.0.7 14593 Bytes 23.01.2008 18:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 18.02.2008 11:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 16.04.2007 14:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 23.01.2008 18:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 12.02.2008 09:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 28.02.2008 09:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22.01.2008 18:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 23.01.2008 18:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 25.01.2008 13:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 10.03.2008 15:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 06.03.2008 13:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 14 June 2008 11:33

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'update.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'msimn.exe' - '1' Module(s) have been scanned
Scan process 'Acrobat.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'fbserver.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'symlcsvc.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'SMAgent.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'SMTray.exe' - '1' Module(s) have been scanned
Scan process 'LogMeIn.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ramaint.exe' - '1' Module(s) have been scanned
Scan process 'fbguard.exe' - '1' Module(s) have been scanned
Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
41 processes with 41 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] Das Gerät ist nicht bereit.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] Das Gerät ist nicht bereit.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] Das Gerät ist nicht bereit.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] Das Gerät ist nicht bereit.
Master boot sector HD5
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '25' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
[WARNING] The file could not be opened!


End of the scan: 14 June 2008 12:25
Used time: 51:58 min

The scan has been done completely.

9040 Scanning directories
623904 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
623904 Files not concerned
9506 Archives were scanned
7 Warnings
0 Notes

BataAlexander 15.06.2008 00:13

Please run ComboFix again now and post the new log file here.

geo-pec 15.06.2008 11:31

ComboFix 08-06-12.2 - DIGuser02 2008-06-15 11:17:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1033.18.2771 [GMT 1:00]
Running from: C:\Documents and Settings\DIGuser02\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-14 08:38 . 2008-06-14 08:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 08:38 . 2008-06-14 08:38 <DIR> d-------- C:\Documents and Settings\DIGuser02\Application Data\Malwarebytes
2008-06-14 08:38 . 2008-06-14 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 08:38 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-14 08:38 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-14 08:19 . 2008-06-14 08:19 <DIR> d-------- C:\Program Files\CCleaner
2008-06-13 18:01 . 2008-06-14 07:32 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-06-13 17:53 . 2008-06-14 07:32 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-06-13 16:35 . 2008-06-13 17:54 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-13 14:40 . 2008-06-13 15:18 <DIR> d-------- C:\USB Stick
2008-06-13 10:57 . 2008-06-13 10:57 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-13 10:57 . 2008-06-13 10:57 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-13 10:56 . 2008-06-13 10:56 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-13 10:56 . 2008-06-13 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-13 10:56 . 2008-06-13 11:01 49,184 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-13 10:56 . 2008-06-13 11:01 1,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-13 10:56 . 2008-06-13 11:01 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-13 10:56 . 2008-06-13 11:01 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-13 07:58 . 2008-06-13 07:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-13 07:54 . 2007-10-01 11:18 784 --a------ C:\WINDOWS\win.tmp
2008-06-13 07:54 . 2008-06-13 15:35 250 --a------ C:\WINDOWS\system.tmp
2008-06-12 13:35 . 2008-06-14 07:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 13:31 . 2008-06-14 07:42 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-12 13:31 . 2008-06-12 13:31 <DIR> d-------- C:\Documents and Settings\DIGuser02\Application Data\PC Tools
2008-06-11 09:55 . 2008-06-11 09:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-11 09:55 . 2008-06-11 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-11 08:15 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 08:15 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 07:24 . 2008-06-13 16:08 <DIR> d-------- C:\Program Files\Avira
2008-06-11 07:24 . 2008-06-13 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-08 14:27 . 2008-06-14 10:42 <DIR> d-------- C:\EM Wette
2008-05-29 17:30 . 2008-06-14 16:30 <DIR> d-------- C:\Documents and Settings\DIGuser02\Application Data\skypePM
2008-05-29 17:30 . 2008-05-29 17:30 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-29 17:29 . 2008-05-29 17:29 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-19 13:35 . 2008-05-19 13:35 <DIR> d----c--- C:\Lizenz
2008-05-19 13:29 . 2008-05-19 13:35 <DIR> d-------- C:\Program Files\GEOgraf
2008-05-19 13:28 . 2008-05-19 14:03 1,570 --a------ C:\WINDOWS\geograf.mif
2008-05-19 09:57 . 2008-05-19 09:57 <DIR> d-------- C:\Program Files\tuloxFreeWBI
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 10:08 --------- d-----w C:\Program Files\LogMeIn
2008-06-14 15:52 --------- d-----w C:\Documents and Settings\DIGuser02\Application Data\Skype
2008-06-14 07:11 --------- d-----w C:\Program Files\PC Sync Manager
2008-06-14 07:11 --------- d-----w C:\Program Files\Groove
2008-06-14 06:35 --------- d-----w C:\Documents and Settings\DIGuser02\Application Data\concept design
2008-06-14 06:31 --------- d-----w C:\Program Files\Belkin
2008-06-13 09:26 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-06-11 08:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 07:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-11 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-11 07:08 --------- d-----w C:\Program Files\Symantec
2008-05-13 16:09 --------- d-----w C:\Documents and Settings\DIGuser02\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 08:47 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-05-03 08:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-03 08:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 10:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-25 17:21 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-04-23 12:40 --------- d-----w C:\Program Files\Mozilla Thunderbird
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 09:23 68856]
"Skype"="REM C:\Program Files\Skype\Phone\Skype.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 17:08 143360]
"SetRefresh"="REM C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [ ]
"VOBRegCheck"="C:\WINDOWS\System32\VOBREGCheck.exe" [2003-01-08 15:55 153088]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 09:47 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 09:47 163840]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 09:46 135168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avgnt"="REM C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 FpFilter;Drive Utility Filter Service;C:\WINDOWS\system32\drivers\fpfilter.sys [2002-10-30 13:13]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-12-13 01:05]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 mapmem;mapmem;C:\WINDOWS\system32\mapmem.sys [1998-12-10 22:57]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 09:00]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:00]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-12-13 01:05]
S3 ForteUSB;DK Digital USB Driver Service;C:\WINDOWS\system32\Drivers\ForteUSB.sys [2001-09-08 11:18]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2004-09-07 16:42]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0778e684-1e06-11db-841b-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d6da048-ba64-11db-af3f-000ffe244163}]
\Shell\Auto\command - F:\sss.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d8e55dc-9667-11dc-b084-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c59e2aa-1cb2-11db-8417-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f64100-3467-11dc-affc-000ffe244163}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - F:\RavMon.exe -e
\Shell\open\Command - F:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45f579fb-9706-11db-aefb-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70e3815d-3cab-11db-8445-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b41158-5172-11dc-b021-000ffe244163}]
\Shell\AutoRun\command - L:\RavMon.exe
\Shell\explore\Command - L:\RavMon.exe -e
\Shell\open\Command - L:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aba517bd-3339-11db-8439-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1404ced-6b06-11db-9167-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e87c6264-507b-11dc-b01f-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edd7a6ab-2cf8-11db-8432-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f10bdd12-d1f3-11db-af62-000ffe244163}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 11:22:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-06-15 11:29:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 10:29:25
ComboFix2.txt 2008-06-14 08:47:46

Pre-Run: 17,904,521,216 bytes free
Post-Run: 17,851,047,936 bytes free

198 --- E O F --- 2008-06-11 10:11:52

BataAlexander 15.06.2008 12:26

ComboFix - scripting

1. Start Notepad (Start / Run / notepad [Enter])

2. Now copy and paste the entire contents of the code box below into the Notepad window.

Code:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0778e684-1e06-11db-841b-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d6da048-ba64-11db-af3f-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d8e55dc-9667-11dc-b084-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c59e2aa-1cb2-11db-8417-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f64100-3467-11dc-affc-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70e3815d-3cab-11db-8445-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b41158-5172-11dc-b021-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aba517bd-3339-11db-8439-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edd7a6ab-2cf8-11db-8432-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f10bdd12-d1f3-11db-af62-000ffe244163}]

FileLook::
C:\WINDOWS\system32\lsdelete.exe

3. Save it in Notepad as CFScript.txt on the Desktop.

4. Disable the guard of your antivirus program and any software firewall you may have.
(Also the guards of ad-/spyware programs and the TeaTimer!)

5. Then drag CFScript.txt onto ComboFix.exe, as shown in the picture below. This restarts ComboFix.

http://users.pandora.be/bluepatchy/m...s/CFScript.gif

6. After the reboot (you will be asked whether you want to restart), please post the following log files:
Combofix.txt

Note: The script above was created only for this one user in this situation. It cannot be transferred to any other computer and must not be used elsewhere, since it can permanently damage the system.
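The script above deletes the mountpoints2 keys that the preceding ComboFix log lists for the user's removable volumes. As an added example (not from this thread, from ComboFix or from the helper), the Python below reads the mountpoints2 section of such a log and flags every per-volume shell handler that would execute a file from the stick itself; the sample input is constructed in the log's format from the entries posted above, and the "hidden-system-folder", "rundll32-indirection" and "hijacks-open/explore" labels are this example's own triage categories.

```python
"""Flag removable-volume AutoRun handlers in a ComboFix "Reg Loading Points" dump."""
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the ComboFix log posted in this thread
# (mountpoints2 entries only; GUIDs and commands are those the log shows).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d6da048-ba64-11db-af3f-000ffe244163}]
\Shell\Auto\command - F:\sss.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45f579fb-9706-11db-aefb-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b41158-5172-11dc-b021-000ffe244163}]
\Shell\AutoRun\command - L:\RavMon.exe
\Shell\explore\Command - L:\RavMon.exe -e
\Shell\open\Command - L:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f10bdd12-d1f3-11db-af62-000ffe244163}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
HANDLER_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.IGNORECASE)
# "rundll32 Shell32.DLL,ShellExec_RunDLL <file>" is an indirection; <file> is the real target.
RUNDLL_RE = re.compile(r"shellexec_rundll\s+(.+)$", re.IGNORECASE)


@dataclass
class Finding:
    volume_guid: str
    handlers: dict = field(default_factory=dict)  # verb -> raw command line
    targets: set = field(default_factory=set)     # files the handlers would execute
    reasons: set = field(default_factory=set)     # triage labels (this example's own)


def launched_file(command: str) -> str:
    """Return the file a handler command ultimately executes (arguments dropped)."""
    m = RUNDLL_RE.search(command)
    payload = m.group(1) if m else command
    return payload.split()[0]


def runs_from_volume(target: str, system_drive: str = "C:") -> bool:
    r"""True if the target resolves on the mounted volume rather than the system drive.

    A bare name (RavMon.exe) or a root-relative path (\SystemVolumeInformation\...)
    is resolved against the volume root; X:\file.exe names the volume directly.
    """
    if re.match(r"^[A-Za-z]:\\", target):
        return not target.lower().startswith(system_drive.lower() + "\\")
    return True


def analyze_mountpoints(log_text: str, system_drive: str = "C:") -> dict:
    """Map volume GUID -> Finding for every mountpoints2 key with a flagged handler."""
    findings, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                  # any registry key starts a new section
            key = KEY_RE.match(line)
            current = Finding(key.group(1).lower()) if key else None
            if current:
                findings[current.volume_guid] = current
            continue
        handler = HANDLER_RE.match(line)
        if not (handler and current):
            continue
        verb, command = handler.group(1).lower(), handler.group(2).strip()
        current.handlers[verb] = command
        target = launched_file(command)
        current.targets.add(target)
        if runs_from_volume(target, system_drive):
            current.reasons.add("launches-from-volume")
        if verb in ("open", "explore"):           # double-click / Explore now run the file
            current.reasons.add("hijacks-open/explore")
        if RUNDLL_RE.search(command):
            current.reasons.add("rundll32-indirection")
        if "systemvolumeinformation" in target.lower().replace(" ", ""):
            current.reasons.add("hidden-system-folder")
    return {guid: f for guid, f in findings.items() if f.reasons}


def severity(finding: Finding) -> str:
    """'high' when a handler hides or disguises what it runs; 'review' for a plain launcher."""
    strong = {"hijacks-open/explore", "rundll32-indirection", "hidden-system-folder"}
    return "high" if finding.reasons & strong else "review"


def report(findings: dict) -> list:
    """One line per volume, most severe first, for pasting into a ticket or a thread."""
    lines = []
    for guid, f in sorted(findings.items(), key=lambda kv: severity(kv[1]) != "high"):
        lines.append(f"{severity(f):6} {guid} -> {', '.join(sorted(f.targets))} "
                     f"[{', '.join(sorted(f.reasons))}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze_mountpoints(SAMPLE_LOG))))
```

The "review" rating for a plain X:\file.exe launcher (such as the U3 launcher entry) is deliberate: it is a legitimate pattern as often as not, so the key is listed for a human decision rather than flagged outright.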

geo-pec 15.06.2008 17:06

ComboFix 08-06-12.2 - DIGuser02 2008-06-15 16:54:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1033.18.2661 [GMT 1:00]
Running from: C:\Documents and Settings\DIGuser02\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DIGuser02\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-14 08:38 . 2008-06-14 08:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 08:38 . 2008-06-14 08:38 <DIR> d-------- C:\Documents and Settings\DIGuser02\Application Data\Malwarebytes
2008-06-14 08:38 . 2008-06-14 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 08:38 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-14 08:38 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-14 08:19 . 2008-06-14 08:19 <DIR> d-------- C:\Program Files\CCleaner
2008-06-13 18:01 . 2008-06-14 07:32 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-06-13 17:53 . 2008-06-14 07:32 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-06-13 16:35 . 2008-06-13 17:54 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-13 14:40 . 2008-06-13 15:18 <DIR> d-------- C:\USB Stick
2008-06-13 10:57 . 2008-06-13 10:57 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-13 10:57 . 2008-06-13 10:57 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-13 10:56 . 2008-06-13 10:56 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-13 10:56 . 2008-06-13 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-13 10:56 . 2008-06-13 11:01 49,184 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-13 10:56 . 2008-06-13 11:01 1,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-13 10:56 . 2008-06-13 11:01 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-13 10:56 . 2008-06-13 11:01 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-13 07:58 . 2008-06-13 07:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-13 07:54 . 2007-10-01 11:18 784 --a------ C:\WINDOWS\win.tmp
2008-06-13 07:54 . 2008-06-13 15:35 250 --a------ C:\WINDOWS\system.tmp
2008-06-12 13:35 . 2008-06-14 07:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 13:31 . 2008-06-14 07:42 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-12 13:31 . 2008-06-12 13:31 <DIR> d-------- C:\Documents and Settings\DIGuser02\Application Data\PC Tools
2008-06-11 09:55 . 2008-06-11 09:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-11 09:55 . 2008-06-11 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-11 08:15 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 08:15 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 07:24 . 2008-06-13 16:08 <DIR> d-------- C:\Program Files\Avira
2008-06-11 07:24 . 2008-06-13 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-08 14:27 . 2008-06-14 10:42 <DIR> d-------- C:\EM Wette
2008-05-29 17:30 . 2008-06-14 16:30 <DIR> d-------- C:\Documents and Settings\DIGuser02\Application Data\skypePM
2008-05-29 17:30 . 2008-05-29 17:30 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-29 17:29 . 2008-05-29 17:29 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-19 13:35 . 2008-05-19 13:35 <DIR> d----c--- C:\Lizenz
2008-05-19 13:29 . 2008-05-19 13:35 <DIR> d-------- C:\Program Files\GEOgraf
2008-05-19 13:28 . 2008-05-19 14:03 1,570 --a------ C:\WINDOWS\geograf.mif
2008-05-19 09:57 . 2008-05-19 09:57 <DIR> d-------- C:\Program Files\tuloxFreeWBI
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 10:08 --------- d-----w C:\Program Files\LogMeIn
2008-06-14 15:52 --------- d-----w C:\Documents and Settings\DIGuser02\Application Data\Skype
2008-06-14 07:11 --------- d-----w C:\Program Files\PC Sync Manager
2008-06-14 07:11 --------- d-----w C:\Program Files\Groove
2008-06-14 06:35 --------- d-----w C:\Documents and Settings\DIGuser02\Application Data\concept design
2008-06-14 06:31 --------- d-----w C:\Program Files\Belkin
2008-06-13 09:26 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-06-11 08:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 07:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-11 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-11 07:08 --------- d-----w C:\Program Files\Symantec
2008-05-13 16:09 --------- d-----w C:\Documents and Settings\DIGuser02\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 08:47 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-05-03 08:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-03 08:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 10:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-25 17:21 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-04-23 12:40 --------- d-----w C:\Program Files\Mozilla Thunderbird
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\lsdelete.exe -- Unable to find Resource table header.
MD5: e32670083f792c1db5fd7571daf15f7b


((((((((((((((((((((((((((((( snapshot@2008-06-15_11.29.06.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-15 10:21:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 15:58:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 09:23 68856]
"Skype"="REM C:\Program Files\Skype\Phone\Skype.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 17:08 143360]
"SetRefresh"="REM C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [ ]
"VOBRegCheck"="C:\WINDOWS\System32\VOBREGCheck.exe" [2003-01-08 15:55 153088]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 09:47 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 09:47 163840]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 09:46 135168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avgnt"="REM C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 FpFilter;Drive Utility Filter Service;C:\WINDOWS\system32\drivers\fpfilter.sys [2002-10-30 13:13]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-12-13 01:05]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 mapmem;mapmem;C:\WINDOWS\system32\mapmem.sys [1998-12-10 22:57]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 09:00]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:00]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-12-13 01:05]
S3 ForteUSB;DK Digital USB Driver Service;C:\WINDOWS\system32\Drivers\ForteUSB.sys [2001-09-08 11:18]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2004-09-07 16:42]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45f579fb-9706-11db-aefb-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1404ced-6b06-11db-9167-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e87c6264-507b-11dc-b01f-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 16:58:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2008-06-15 17:05:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 16:04:56
ComboFix2.txt 2008-06-15 10:29:31
ComboFix3.txt 2008-06-14 08:47:46

Pre-Run: 17,764,683,776 bytes free
Post-Run: 17,801,531,392 bytes free

180 --- E O F --- 2008-06-11 10:11:52

BataAlexander 16.06.2008 13:35

Sorry for the delay. Post a new HiJackThis logfile.

To remove Combofix (the qoobox folder), enter "combofix /u" under Start / Run. Without the quotation marks, of course.

http://img247.imageshack.us/img247/7...ombofixvs6.jpg

geo-pec 16.06.2008 13:50

No problem, here is the HJT file:

I am at a large construction site here, and the subcontractor passed the trojan on to me via his USB stick. Now I have the problem that I have to work together with him. Unfortunately there is no way around us exchanging data.
Can I run the same procedure on his system as on mine?
Or can I simply disable his autorun?



Logfile of HijackThis v1.99.1

[edit]
Please edit your links in future, as shown to you here, among other places:
http://www.trojaner-board.de/22771-a...tml#post171958

Thanks.
Sunny
[/edit]

BataAlexander 16.06.2008 13:54

Quote:

Or can I simply disable his autorun?
For a permanent solution there are only nasty registry hacks. Alternatively, hold down Shift before the stick is plugged in.
In principle you can use Flash Disinfector to clean up the .inf files.
Then scan the stick itself, or better yet, format it once!
The HJT is OK; do you still have any problems / warnings?

Now scan the system with Avira (update it first and configure it as described here).
Post the scan report here; it is quite possible that copies can still be found in System Restore.
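The two persistence spots this thread revolves around are the autorun.inf on the stick (Flash Disinfector's target) and the cached \Shell\AutoRun\command verbs under Explorer's MountPoints2 key that ComboFix listed above. The following script is an added example, not code from the thread, from ComboFix or from Flash Disinfector: it parses both artefacts and flags the launch commands a defender would want to look at, grading them by the traits visible in this thread (RunDLL32 ShellExec_RunDLL as launcher, a payload inside System Volume Information or RECYCLER, a "Vertrag.doc.exe"-style double extension). The autorun.inf sample is constructed in the style of the RavMon.exe worm a later poster mentions; the MountPoints2 sample copies the layout of the ComboFix log, reusing one volume GUID from it, and adds a constructed all-zero GUID for a plain setup.exe entry as a benign contrast. The detection heuristics are this example's own assumptions, not Avira's or ComboFix's logic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# autorun.inf directives that make Explorer launch a program when the drive is
# inserted (Open/ShellExecute) or when one of its context-menu verbs is used.
EXEC_DIRECTIVE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)

# Folders hidden from a default Explorer view; the worm in this thread sat in
# "System Volume Information", RECYCLER is the other classic hiding place.
HIDDEN_DIR = re.compile(r"system\s*volume\s*information|recycler|\$recycle\.bin", re.IGNORECASE)

# The launcher the thread's MountPoints2 entries use to start the payload.
RUNDLL_LAUNCHER = re.compile(r"rundll32(\.exe)?\s+shell32(\.dll)?,\s*shellexec_rundll", re.IGNORECASE)

# "Vertrag.doc.exe"-style names: a document extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(doc|xls|pdf|jpg|txt|key)\.(exe|scr|com|pif|bat|cmd)\b", re.IGNORECASE)


@dataclass
class Finding:
    source: str          # "autorun.inf" or the MountPoints2 volume GUID
    directive: str       # the directive that would launch the target
    target: str          # the command line that would run
    reasons: List[str] = field(default_factory=list)

    @property
    def high_risk(self) -> bool:
        # Anything beyond the bare "it executes something" observation.
        return len(self.reasons) > 1


def command_reasons(cmd: str) -> List[str]:
    """Why a launch command looks like worm activity rather than a vendor setup."""
    reasons = ["directive launches a program on drive insertion/open"]
    if RUNDLL_LAUNCHER.search(cmd):
        reasons.append("launched via RunDLL32 Shell32.DLL,ShellExec_RunDLL")
    if HIDDEN_DIR.search(cmd):
        reasons.append("target stored in a hidden/system folder")
    if DOUBLE_EXT.search(cmd):
        reasons.append("executable disguised with a document extension")
    return reasons


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section, keys lower-cased."""
    values: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def audit_autorun_inf(text: str) -> List[Finding]:
    """Flag every directive of an autorun.inf that would execute something."""
    findings = []
    for key, value in parse_autorun_inf(text).items():
        if EXEC_DIRECTIVE.match(key):
            findings.append(Finding("autorun.inf", key, value, command_reasons(value)))
    return findings


# One MountPoints2 subkey per volume GUID, followed by "\Shell\<verb>\command - <target>"
# lines, the layout ComboFix prints in its log.
MP2_KEY = re.compile(r"^\[HKEY_.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.IGNORECASE)
MP2_VERB = re.compile(r"^(\\shell\\[^\\]+\\command)\s+-\s+(.+)$", re.IGNORECASE)


def audit_mountpoints2(export: str) -> List[Finding]:
    """Flag cached AutoRun/Open verbs that Explorer would run for a known volume."""
    findings = []
    volume = None
    for raw in export.splitlines():
        line = raw.strip()
        key_match = MP2_KEY.match(line)
        if key_match:
            volume = key_match.group(1)
            continue
        verb_match = MP2_VERB.match(line)
        if verb_match and volume:
            directive, target = verb_match.groups()
            findings.append(Finding(volume, directive.lower(), target, command_reasons(target)))
    return findings


# Constructed sample autorun.inf, in the style of the RavMon.exe USB worm.
AUTORUN_SAMPLE = r"""; constructed sample, not a file from the thread
[autorun]
open=RavMon.exe
shell\open\Command=RavMon.exe
shell\explore\Command=RavMon.exe
shellexecute=RECYCLER\Vertrag.doc.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed MountPoints2 excerpt: first GUID taken from the ComboFix log in this
# thread, second (all zeros) is a placeholder for a harmless setup CD entry.
MOUNTPOINTS_SAMPLE = r"""[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1404ced-6b06-11db-9167-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - E:\setup.exe
"""

if __name__ == "__main__":
    for f in audit_autorun_inf(AUTORUN_SAMPLE) + audit_mountpoints2(MOUNTPOINTS_SAMPLE):
        print(f"[{'HIGH' if f.high_risk else 'review'}] {f.source}: {f.directive} -> {f.target}")
        for r in f.reasons:
            print("    -", r)
```

Run against a real stick, read the autorun.inf from the drive root and feed a `reg export` of the MountPoints2 key (or the ComboFix section) into `audit_mountpoints2`; the benign setup.exe entry shows why a plain "executes something" hit is only a review item, while the RunDLL32 launcher pointing into System Volume Information earns the high-risk grade. The script only audits; the registry change that disables autorun, which the post above calls a registry hack, is a separate step it does not perform.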

geo-pec 16.06.2008 14:12

No, I have no more problems. Only warnings in Avira (7 warnings).

So you think I should plug in his stick with the Shift key held down. But then he still has the trojan. Besides, the stick no longer opens via autorun on my machine anyway, which I quite like.

I will send the Avira log file shortly.

geo-pec 16.06.2008 15:38

Avira AntiVir Personal
Report file date: 16 June 2008 14:22

Scanning for 1335616 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: AFXPMONAIRDIG02

Version information:
BUILD.DAT : 8.1.0.308 16478 Bytes 28.05.2008 17:03:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 18.03.2008 10:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 07.02.2008 09:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 28.02.2008 09:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 21.02.2008 09:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18.07.2007 11:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07.03.2008 14:08:58
ANTIVIR2.VDF : 7.0.4.195 2546176 Bytes 14.06.2008 10:37:25
ANTIVIR3.VDF : 7.0.4.202 55296 Bytes 16.06.2008 13:09:00
Engineversion : 8.1.0.55
AEVDF.DLL : 8.1.0.5 102772 Bytes 25.02.2008 10:58:21
AESCRIPT.DLL : 8.1.0.40 266618 Bytes 13.06.2008 15:19:56
AESCN.DLL : 8.1.0.21 119156 Bytes 13.06.2008 15:19:38
AERDL.DLL : 8.1.0.20 418165 Bytes 13.06.2008 15:19:26
AEPACK.DLL : 8.1.1.5 364918 Bytes 13.06.2008 15:18:58
AEOFFICE.DLL : 8.1.0.18 192890 Bytes 13.06.2008 15:18:33
AEHEUR.DLL : 8.1.0.30 1253750 Bytes 13.06.2008 15:18:19
AEHELP.DLL : 8.1.0.15 115063 Bytes 13.06.2008 15:15:51
AEGEN.DLL : 8.1.0.28 307572 Bytes 13.06.2008 15:15:12
AEEMU.DLL : 8.1.0.6 430451 Bytes 13.06.2008 15:14:16
AECORE.DLL : 8.1.0.31 168310 Bytes 13.06.2008 15:13:54
AVWINLL.DLL : 1.0.0.7 14593 Bytes 23.01.2008 18:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 18.02.2008 11:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 16.04.2007 14:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 23.01.2008 18:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 12.02.2008 09:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 28.02.2008 09:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22.01.2008 18:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 23.01.2008 18:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 25.01.2008 13:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 10.03.2008 15:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 06.03.2008 13:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: off
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,
Macro heuristic..................: on
File heuristic...................: high
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 16 June 2008 14:22

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'ggwin.exe' - '1' Module(s) have been scanned
Scan process 'CardExec.exe' - '1' Module(s) have been scanned
Scan process 'skypePM.exe' - '1' Module(s) have been scanned
Scan process 'Skype.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'SMTray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'fbserver.exe' - '1' Module(s) have been scanned
Scan process 'symlcsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SMAgent.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'LogMeIn.exe' - '1' Module(s) have been scanned
Scan process 'ramaint.exe' - '1' Module(s) have been scanned
Scan process 'fbguard.exe' - '1' Module(s) have been scanned
Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
40 processes with 40 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] Das Gerät ist nicht bereit.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] Das Gerät ist nicht bereit.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] Das Gerät ist nicht bereit.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] Das Gerät ist nicht bereit.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '25' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\DIGuser02\Application Data\Thunderbird\Profiles\go1te8sc.default\Mail\Local Folders\Inbox
[0] Archive type: Netscape/Mozilla Mailbox
--> Mailbox_[Message-ID: <000f01c78040$fdf2ab70$00cd8134@Appointment>][From: "eBay" <meinestory@ebay.de>][Subject: Ebay: Sie haben Ihre Email Adresse geanderter]76.mim
[1] Archive type: MIME
--> 00644.zip
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Worm.Gen)
--> 00644.zip
[2] Archive type: ZIP
--> Dokument.doc.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.98009
--> Mailbox_[From: "cleverbridge Avira GmbH." <cle@cleverbridge.co][Message-ID: <64297519.20070423115906@cleverbridge.com>][Subject: Referenznr.:595169: Ihre Bestellung von Avira G]92.mim
[1] Archive type: MIME
--> 595169.zip
[2] Archive type: ZIP
--> HBEDV.KEY.exe
[DETECTION] Is the Trojan horse TR/Dldr.iBill.AJ.1
--> Mailbox_[Message-ID: <CD664F03.3274134@northwestern.edu>][From: Antonio <Marta@northwestern.edu>][Subject: RE: Unterlagen]104.mim
[1] Archive type: MIME
--> 64646.zip
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Worm.Gen)
--> 64646.zip
[2] Archive type: ZIP
--> Vertrag.doc.exe
[DETECTION] Is the Trojan horse TR/Dldr.iBill.AM
--> Mailbox_[Message-ID: <34C81D12.5368055@yrnet.com>][From: Rodrigo <Caroline@yrnet.com>][Subject: RE: Unterlagen]106.mim
[1] Archive type: MIME
--> 57670.zip
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Worm.Gen)
--> 57670.zip
[2] Archive type: ZIP
--> Vertrag.doc.exe
[DETECTION] Is the Trojan horse TR/Dldr.iBill.AM
--> Mailbox_[Message-ID: <95F89265.7757663@lansheng.net>][From: Eugenia <Glenda@lansheng.net>][Subject: RE: Vertrag]108.mim
[1] Archive type: MIME
--> 29797.zip
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Worm.Gen)
--> 29797.zip
[2] Archive type: ZIP
--> Vertrag.doc.exe
[DETECTION] Is the Trojan horse TR/Dldr.iBill.AM
--> Mailbox_[Message-ID: <731E5CDE.0640939@nittanylink.com>][From: Blanca <Richie@nittanylink.com>][Subject: RE:]110.mim
[1] Archive type: MIME
--> 79423.zip
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Worm.Gen)
--> 79423.zip
[2] Archive type: ZIP
--> Vertrag.doc.exe
[DETECTION] Is the Trojan horse TR/Dldr.iBill.AM
--> Mailbox_[Message-ID: <BFEEEDF7.5970521@northwestern.edu>][From: Houston <Ed@northwestern.edu>][Subject: RE: Unterlagen]112.mim
[1] Archive type: MIME
--> 97539.zip
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Worm.Gen)
--> 97539.zip
[2] Archive type: ZIP
--> Vertrag.doc.exe
[DETECTION] Is the Trojan horse TR/Dldr.iBill.AM
--> Mailbox_[From: "cleverbridge Avira GmbH" <tech@cleverbridge.][Message-ID: <45552870.20070429074304@cleverbridge.com>][Subject: Referenznr.:595169: Ihre Bestellung von Avira G]132.mim
[1] Archive type: MIME
--> 595169.zip
[DETECTION] Is the Trojan horse TR/Dldr.iBill.Zipped
--> 595169.zip
[2] Archive type: ZIP
--> HBEDV.KEY.exe
[DETECTION] Is the Trojan horse TR/Dldr.iBill.AK
--> Mailbox_[From: "cleverbridge Avira GmbH" <tech@cleverbridge.co][Message-ID: <44915428.20070428074012@cleverbridge.com>][Subject: Referenznr.:595169: Ihre Bestellung von Avira G]136.mim
[1] Archive type: MIME
--> 595169.zip
[DETECTION] Is the Trojan horse TR/Dldr.iBill.Zipped
--> 595169.zip
[2] Archive type: ZIP
--> HBEDV.KEY.exe
[DETECTION] Is the Trojan horse TR/Dldr.iBill.AK
--> Mailbox_[From: "cleverbridge Avira GmbH" <list@cleverbridge.][Message-ID: <232502931.20070428154408@cleverbridge.com>][Subject: Referenznr.:595169: Ihre Bestellung von Avira G]138.mim
[1] Archive type: MIME
--> 595169.zip
[DETECTION] Is the Trojan horse TR/Dldr.iBill.Zipped
--> 595169.zip
[2] Archive type: ZIP
--> HBEDV.KEY.exe
[DETECTION] Is the Trojan horse TR/Dldr.iBill.AK
--> Mailbox_[From: "cleverbridge Avira GmbH." <list@cleverbridge.c][Message-ID: <709964972.20070428195904@cleverbridge.com>][Subject: Referenznr.:595169: Ihre Bestellung von Avira G]140.mim
[1] Archive type: MIME
--> 595169.zip
[DETECTION] Is the Trojan horse TR/Dldr.iBill.Zipped
--> 595169.zip
[2] Archive type: ZIP
--> HBEDV.KEY.exe
[DETECTION] Is the Trojan horse TR/Dldr.iBill.AK
[WARNING] This file is a mailbox. To avoid damaging your emails this file will not be repaired or deleted!
C:\Documents and Settings\DIGuser02\My Documents\Wartung\Trojan-board\Flash_Disinfector.exe
[DETECTION] Contains detection pattern of the application APPL/NirCmd.2
[NOTE] The file was moved to '48b76ce9.qua'!
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
[WARNING] The file could not be opened!


End of the scan: 16 June 2008 15:24
Used time: 1:02:02 min

The scan has been done completely.

9025 Scanning directories
628026 Files were scanned
16 viruses and/or unwanted programs were found
6 Files were classified as suspicious:
0 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
628010 Files not concerned
10559 Archives were scanned
8 Warnings
1 Notes

BataAlexander 16.06.2008 18:24

Looks good, but you should clean up the inbox of your Thunderbird some time. ;)

Susi_888 27.01.2009 08:26

Hi there!
I have the same problem. Is it enough if I delete everything in the registry that relates to "RavMon.exe", clean the system with my antivirus program (Trend Micro OfficeScan) and my USB stick with Flash_Disinfector, all without using Combofix?

Susi_888 29.01.2009 08:09

Can anyone help me????? :heulen:

alesiga 21.03.2010 01:07

Hello, dear helpers,
I am currently in the USA, and when I connect my camera to my netbook, this message appears.
I am quite a layperson. :dummguck:
So I have now downloaded HijackThis and made a logfile; what should I do next? I don't know which files are the "bad" ones.
Kind regards,
Eveline

Code:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 01:08:01, on 21.03.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Asus\EeePC ACPI\AsTray.exe
C:\Programme\Asus\EeePC ACPI\AsAcpiSvr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programme\Elantech\ETDCtrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programme\HiJackThis\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = h**p://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = h**p://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Programme\AskSearch\bin\DefaultSearch.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AsusTray] C:\Programme\Asus\EeePC ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Programme\Asus\EeePC ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [ETDWare] C:\Programme\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoRun OSCleaner.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://D:\PROGRA~2\Office12\EXCEL.EXE/3000
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6737808-DDD5-4E05-A461-BC958CC1715C}: NameServer = 195.34.133.21,195.34.133.22
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe 
--
End of file - 6122 bytes :)




Copyright ©2000-2025, Trojaner-Board

