Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Virtumonde und Vundo problem auf XP Pro (https://www.trojaner-board.de/60364-virtumonde-vundo-problem-xp-pro.html)

Kazass 21.09.2008 14:07
Virtumonde und Vundo problem auf XP Pro
 
Hallo allerseits!
Bin neu im forum, aber wie so viele andere bin ich wegen nem problem dazugestossen! Es geht wieder mal um den berüchtigten VIrtumonde/Vundo Trojan und Spyware.
Bei mir fings damit an, dass plötzlich der PC längsämer wurde und die suchfunktion von google gestört war. Nach etwas recherche kam ich da auf den Virtumonde, was mir dann auch durch Spybo S&D bestätigt wurde. Den grössten teil der einträge konnte ich dabei fixen nach dem scan, jedoch blieben 2 registry einträge übrig. Ich machte auch gleich nen scan mit meinem McAfee antivir, der fand jedoch nichts, was mich verwunderte da die spyware virtumonde, meinen recherchen zufolge, meistens an den trojan vundo gebunden ist! Nach einem restart nach dem S&D scan jedoch, fing mcafee plötzlich an eine .dll datei in system32 als vundo zu erkennen. Mir scheints dass die 2 übriggeblieben virtumonde einträge nachträglich den vundo trojan heruntergeladen haben. daraufhin kappte ich die internet verbindung des laptops und schaffte es (glaube ich) mit vundofix.exe die infizierte datei loszuwerden. nach diesem (ich glaube) säubern führte ich einen weiteren mcafee scan durch und er fand nichts mehr. S&D fand jedoch weiterhin die registry einträge. Ich versuchte es auch im abgesicherten modus mit S&D, habe auch CCleaner angewendet was merklich etwas brachte, da nach dem ersten S&D scan fehlerhafte registry einträge zurückblieben. Lange rede kurzer sinn, meinen laptop habe ich seit dem immer noch nich ans internet gelassen (ich schreibe von einem anderen aus, der hat ne drecks tastatur, also sry für fehler), die 2 einträge bei S&D können gelöscht werden, werden aber nach nem restart immer wieder gefunden beim scan. ich hab übrigens auch vitumundobegone.exe im abgesicherten modus angewendet, jedoch sagte das log, dass nichts gefunden wurde. Ich würde gerne noch eben diese reste loswerden bevor ich den laptop wieder fürs internet einsetze, da ich sonst befürchte, dass sich der trojan/spyware wieder regenerieren könnte.
Hier noch das HJT-Logfile:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:02:08, on 21.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\ETHZ\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Network Associates\Common Framework\FrameworkService.exe
C:\Programme\Network Associates\VirusScan\Mcshield.exe
C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Apoint\Apoint.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Apoint\Apntex.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programme\eFax Messenger 4.2\J2GDllCmd.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programme\Digital Line Detect\DLG.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programme\eFax Messenger 4.2\J2GTray.exe
C:\Programme\ETHZ\VPN Client\vpngui.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\ETHZ\VPN Client\ipseclog.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
D:\bootcd\wintools\autorun.exe
C:\DOKUME~1\****\LOKALE~1\Temp\Hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {37ff38a9-9d71-899a-0f04-8a30ad92884b} - {b48829da-03a8-40f0-a998-17d99a83ff73} - C:\WINDOWS\system32\cavzig.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programme\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Programme\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Programme\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [10904e30] rundll32.exe "C:\WINDOWS\system32\dqvemuto.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe  windows
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Programme\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Programme\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: ETH Zürich VPN Service.lnk = C:\Programme\ETHZ\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: cavzig.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\ETHZ\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10968 bytes

cosinus 21.09.2008 19:10
hallo und :hallo:

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Du möchstest nach der Bereinigung bitte Dein System aktualisieren - da fehlen mindestens das SP3 und der IE7!

Acker diese Punkte für weitere Analysen ab:

1.) Stell sicher, daß Dir auch alle Dateien angezeigt werden, danach folgende Dateien bei Virustotal.com auswerten lassen und alle Ergebnisse posten, und zwar so, daß man die der einzelnen Virenscanner sehen kann. Bitte mit Dateigrößen und Prüfsummen:
Code:
C:\WINDOWS\system32\dqvemuto.dll
C:\WINDOWS\system32\cavzig.dll
2.) Deaktiviere die Systemwiederherstellung, im Verlauf der Infektion wurden auch Malwaredateien in Wiederherstellungspunkten mitgesichert - die sind alle nun unbrauchbar, da ein Zurücksetzen des System durch einen Wiederherstellungspunkt das System wahrscheinlich wieder infizieren würde.

3.) Führe dieses MBR-Tool aus und poste die Ausgabe

4.) Blacklight und Malwarebytes Antimalware ausführen und Logfiles posten

5.) Führe Silentrunners nach dieser Anleitung aus und poste das Logfile (mit Codetags umschlossen), falls es zu groß sein sollte kannst Du es (gezippt) bei file-upload.net hochladen und hier verlinken.

6.) ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix
  • Lade dir das Tool hier herunter auf den Desktop -> KLICK
Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:
  • Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
    Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.
  • Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.
  • Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.
Wichtiger Hinweis:
Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.
Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

Poste alle Logfiles bitte mit Codetags umschlossen (#-Button) also so:

HTML-Code:
[code] Hier das Logfile rein! [/code]
7.) Mach auch ein Filelisting mit diesem script:
  • Script abspeichern per Rechtsklick, speichern unter auf dem Desktop
  • Doppelklick auf listing8.cmd auf dem Desktop
  • nach kurzer Zeit erscheint eine listing.txt auf dem Desktop

Diese listing.txt z.B. bei File-Upload.net hochladen und hier verlinken, da dieses Logfile zu groß fürs Board ist.

8.) Poste ein neues Hijackthis Logfile, nimm dazu diese umbenannte hijackthis.exe - editiere die Links und privaten Infos!!

Kazass 22.09.2008 20:15
virustotal.com "dqvemuto.dll" auswertung:

Code:
Antivirus        Version        Last Update        Result
AhnLab-V3        2008.9.19.2        2008.09.19        -
AntiVir        7.8.1.34        2008.09.21        TR/Vundo.JT
Authentium        5.1.0.4        2008.09.21        -
Avast        4.8.1195.0        2008.09.20        Win32:Trojan-gen {Other}
AVG        8.0.0.161        2008.09.21        Generic11.AACA
BitDefender        7.2        2008.09.21        -
CAT-QuickHeal        9.50        2008.09.20        Trojan.Monder.pky
ClamAV        0.93.1        2008.09.21        -
DrWeb        4.44.0.09170        2008.09.21        Trojan.Virtumod.468
eSafe        7.0.17.0        2008.09.21        Win32.Monder.pky
eTrust-Vet        31.6.6098        2008.09.21        Win32/VundoCryptorT!Generic
Ewido        4.0        2008.09.21        -
F-Prot        4.4.4.56        2008.09.21        -
F-Secure        8.0.14332.0        2008.09.21        Trojan.Win32.Monder.pky
Fortinet        3.113.0.0        2008.09.21        PossibleThreat
GData        19        2008.09.21        Trojan.Win32.Monder.pky
Ikarus        T3.1.1.34.0        2008.09.21        Trojan.Win32.Vundo.R
K7AntiVirus        7.10.466        2008.09.20        Trojan.Win32.Monder.pky
Kaspersky        7.0.0.125        2008.09.21        Trojan.Win32.Monder.pky
McAfee        5388        2008.09.19        Vundo
Microsoft        1.3903        2008.09.21        Trojan:Win32/Vundo.gen!R
NOD32v2        3458        2008.09.21        -
Norman        5.80.02        2008.09.19        -
Panda        9.0.0.4        2008.09.21        Spyware/Virtumonde
PCTools        4.4.2.0        2008.09.21        -
Prevx1        V2        2008.09.21        Fraudulent Security Program
Rising        20.62.62.00        2008.09.21        Packer.Win32.Agent.v
Sophos        4.33.0        2008.09.21        Troj/Virtum-Gen
Sunbelt        3.1.1653.1        2008.09.20        Trojan.Win32.Monder.gen
Symantec        10        2008.09.21        Trojan.Vundo
TheHacker        6.3.0.9.090        2008.09.20        -
TrendMicro        8.700.0.1004        2008.09.20        TROJ_VIRTUM.KV
VBA32        3.12.8.5        2008.09.20        -
ViRobot        2008.9.20.1385        2008.09.20        Spyware.Monder.89088
VirusBuster        4.5.11.0        2008.09.21        -
Webwasher-Gateway        6.6.2        2008.09.21        Trojan.Vundo.JT
Additional information
File size: 89088 bytes
MD5...: 4b40a5dbbcbca47f0fad11b3c5dfac5a
SHA1..: e1b4cfbaba173bfcd55fc1ee22d2c6c31f03c6e4
SHA256: 86c7163c28276976654923be2d1d4ddcb341112c02a866b358991c81e0df334e
SHA512: 832777bbfe15c5c1f591921359ee80f601873474ef3fc1f2165f786397471b0a
8606396a09fff9a18a4db11d8fe02e16b5bea05d1db488d3428d5d5ae67ad6bb
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001000
timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd000 0xc800 7.98 0b4ab701d7edb7a1f548abad197a3173
.data 0xe000 0x1000 0x400 4.64 71a7303083e4a377f1a3ea0d0e886f9c
.rdata 0xf000 0x1c000 0x8c00 7.92 fb7633e47e53dc969945db9566dfbb50

( 3 imports )
> USER32.dll: OemToCharBuffA, MessageBoxA, MessageBeep, LoadCursorFromFileA, LoadCursorA, EndPaint, EndDialog, EmptyClipboard, DrawTextA, DestroyCursor, CreateIconFromResourceEx, CreateDesktopA, CopyRect, CharToOemBuffA, CharNextA, ActivateKeyboardLayout
> KERNEL32.dll: lstrcmpiA, ReadFile, MapViewOfFile, InitializeCriticalSection, GetVersionExA, GetSystemTimeAsFileTime, GetStartupInfoA, GetModuleHandleA, ExitProcess, EnumResourceTypesA, EnumResourceLanguagesA, CloseHandle
> ADVAPI32.dll: RegQueryValueA, RegOpenKeyExA, RegCloseKey

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=2CAF458D00D4DA7D5C5701B8AD4286002828070D
virustotal.com "cavzig.dll" auswertung:

Code:
Antivirus        Version        Last Update        Result
AhnLab-V3        2008.9.19.2        2008.09.19        -
AntiVir        7.8.1.34        2008.09.21        -
Authentium        5.1.0.4        2008.09.21        -
Avast        4.8.1195.0        2008.09.20        Win32:Rootkit-gen
AVG        8.0.0.161        2008.09.21        Generic11.AAHM
BitDefender        7.2        2008.09.21        -
CAT-QuickHeal        9.50        2008.09.20        -
ClamAV        0.93.1        2008.09.21        -
DrWeb        4.44.0.09170        2008.09.21        Trojan.DnsChange.988
eSafe        7.0.17.0        2008.09.21        Suspicious File
eTrust-Vet        31.6.6095        2008.09.19        Win32/VundoCryptorT!Generic
Ewido        4.0        2008.09.21        -
F-Prot        4.4.4.56        2008.09.21        -
F-Secure        8.0.14332.0        2008.09.21        Trojan.Win32.Monder.pru
Fortinet        3.113.0.0        2008.09.21        PossibleThreat
GData        19        2008.09.21        Trojan.Win32.Monder.pru
Ikarus        T3.1.1.34.0        2008.09.21        -
K7AntiVirus        7.10.466        2008.09.20        Trojan.Win32.Malware.1
Kaspersky        7.0.0.125        2008.09.21        Trojan.Win32.Monder.pru
McAfee        5388        2008.09.19        Vundo
Microsoft        1.3903        2008.09.21        Trojan:Win32/Vundo.gen!R
NOD32v2        3458        2008.09.21        -
Norman        5.80.02        2008.09.19        -
Panda        9.0.0.4        2008.09.21        Spyware/Virtumonde
PCTools        4.4.2.0        2008.09.21        -
Prevx1        V2        2008.09.21        Cloaked Malware
Rising        20.62.62.00        2008.09.21        Packer.Win32.Agent.v
Sophos        4.33.0        2008.09.21        Troj/Virtum-Gen
Sunbelt        3.1.1653.1        2008.09.20        -
Symantec        10        2008.09.21        Trojan.Vundo
TheHacker        6.3.0.9.090        2008.09.20        -
TrendMicro        8.700.0.1004        2008.09.20        TROJ_VUNDO.TQ
VBA32        3.12.8.5        2008.09.20        -
ViRobot        2008.9.20.1385        2008.09.20        -
VirusBuster        4.5.11.0        2008.09.21        -
Webwasher-Gateway        6.6.2        2008.09.21        Win32.NewMalware.CM!113152
Additional information
File size: 113152 bytes
MD5...: 05577a32a3876553ca467090dbed5b89
SHA1..: 41643b092aa5eb5f25c08dbad5994fc9ca555be0
SHA256: 86cc68948932c6394f08d69ba769ec3809c7245b514872492ed4c6200d205e7d
SHA512: 4341f2019fc33147240855ac870ae9495999b3eae0498f3b043ccd5e664e4cf5
84b8ae6d814cb7b6044850140748d0f09faa615e354a670cf6df1cf07e661428
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001000
timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd000 0xc600 7.98 64ffacec17f2758ac05b46c05accccdd
.data 0xe000 0x1000 0x400 4.64 71a7303083e4a377f1a3ea0d0e886f9c
.rdata 0xf000 0x30000 0xec00 7.95 c486e59892504341d20b9fc02c24c513

( 3 imports )
> USER32.dll: OemToCharBuffA, MessageBoxA, MessageBeep, LoadCursorFromFileA, LoadCursorA, EndPaint, EndDialog, EmptyClipboard, DrawTextA, DestroyCursor, CreateIconFromResourceEx, CreateDesktopA, CopyRect, CharToOemBuffA, CharNextA, ActivateKeyboardLayout
> KERNEL32.dll: lstrcmpiA, ReadFile, MapViewOfFile, InitializeCriticalSection, GetVersionExA, GetSystemTimeAsFileTime, GetStartupInfoA, GetModuleHandleA, ExitProcess, EnumResourceTypesA, EnumResourceLanguagesA, CloseHandle
> ADVAPI32.dll: RegQueryValueA, RegOpenKeyExA, RegCloseKey

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=A5E976F7005D4F9BBA48016CC00337007D6884A6
MBR-Log:

Code:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Danke für die schnelle antwort!!

Kazass 22.09.2008 20:16
Blacklight funktionierte nicht: "Could not acquire necessary privileges"

Malwarebytes Antimalware log:

Code:
Malwarebytes' Anti-Malware 1.28
Database version: 1127
Windows 5.1.2600 Service Pack 2

22.09.2008 20:29:31
mbam-log-2008-09-22 (20-29-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 93850
Time elapsed: 1 hour(s), 0 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dqvemuto.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cavzig.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b48829da-03a8-40f0-a998-17d99a83ff73} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b48829da-03a8-40f0-a998-17d99a83ff73} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10904e30 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cavzig.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dqvemuto.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\otumevqd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bchpiurq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Silentrunners Log:

Code:
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"VodafoneUSBPP.exe" = "C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe  windows" ["HUAWEI Technologies Co., Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"Apoint" = "C:\Programme\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"ATIPTA" = ""C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"IntelWireless" = "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
"Dell QuickSet" = "C:\Programme\Dell\QuickSet\quickset.exe" [empty string]
"DVDLauncher" = ""C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"MSKDetectorExe" = "C:\Programme\McAfee\SpamKiller\MSKDetct.exe /uninstall" ["McAfee, Inc."]
"ShStatEXE" = ""C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"McAfeeUpdaterUI" = ""C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."]
"Network Associates Error Reporting Service" = ""C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"" ["Network Associates, Inc."]
"eFax 4.2" = ""C:\Programme\eFax Messenger 4.2\J2GDllCmd.exe" /R" ["j2 Global Communications, Inc."]
"NeroFilterCheck" = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"HP Software Update" = "C:\Programme\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"AppleSyncNotifier" = "C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" ["Apple Inc."]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Link Helper"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "gFlash Class"
                  \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\getflash.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                  \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{6ff26905-5466-4722-a301-08e22f780280}" = "eFax Messenger - Shell-Erweiterung"
  -> {HKLM...CLSID} = "HotShellExt"
                  \InProcServer32\(Default) = "C:\Programme\eFax Messenger 4.2\J2GShell.dll" ["j2 Global Communications, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                  \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "cavzig.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> IntelWireless\DLLName = "C:\Programme\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
HotShellExt_40\(Default) = "{6FF26905-5466-4722-A301-08E22F780280}"
  -> {HKLM...CLSID} = "HotShellExt"
                  \InProcServer32\(Default) = "C:\Programme\eFax Messenger 4.2\J2GShell.dll" ["j2 Global Communications, Inc."]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                  \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Dell.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Dell.bmp"


Startup items in "Zeljana" & "All Users" startup folders:
---------------------------------------------------------

C:\Dokumente und Einstellungen\Zeljana\Startmenü\Programme\Autostart
"Adobe Gamma" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Bluetooth Manager" -> shortcut to: "C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe" [null data]
"Digital Line Detect" -> shortcut to: "C:\Programme\Digital Line Detect\DLG.exe" ["BVRP Software"]
"dlbcserv" -> shortcut to: "C:\Programme\Dell Photo Printer 720\dlbcserv.exe" [null data]
"eFax 4.2" -> shortcut to: "C:\Programme\eFax Messenger 4.2\J2GTray.exe" ["j2 Global Communications, Inc."]
"ETH Zürich VPN Service" -> shortcut to: "C:\Programme\ETHZ\VPN Client\vpngui.exe "-user_logon"" ["Cisco Systems, Inc."]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"
  -> {HKLM...CLSID} = "FlashGet Bar"
                  \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\fgiebar.dll" ["Amaze Soft"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["FlashGet.com"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bonjour-Dienst, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Inc."]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Programme\ETHZ\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
EvtEng, EvtEng, "C:\Programme\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
HP CUE DeviceDiscovery Service, hpqddsvc, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Programme\HP\Digital Imaging\bin\hpqddsvc.dll" ["Hewlett-Packard Co."]}
hpqcxs08, hpqcxs08, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Programme\HP\Digital Imaging\bin\hpqcxs08.dll" ["Hewlett-Packard Co."]}
iPod-Dienst, iPod Service, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
McAfee Framework-Dienst, McAfeeFramework, "C:\Programme\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center-Planerdienst, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
Net Driver HPZ12, Net Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"]}
Network Associates McShield, McShield, ""C:\Programme\Network Associates\VirusScan\Mcshield.exe"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, ""C:\Programme\Network Associates\VirusScan\VsTskMgr.exe"" ["Network Associates, Inc."]
NICCONFIGSVC, NICCONFIGSVC, "C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}
RegSrvc, RegSrvc, "C:\Programme\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Programme\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
WLANKEEPER, WLANKEEPER, "C:\Programme\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Dell Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
LIDIL hpzll4v2\Driver = "hpzll4v2.dll" ["Hewlett-Packard Company"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]


---------- (launch time: 2008-09-22 20:39:03)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 84 seconds.
---------- (total run time: 124 seconds)

Kazass 22.09.2008 20:18
Combofix Log:

Code:
ComboFix 08-09-20.02 - Zeljana 2008-09-22 20:45:37.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.49.1031.18.977 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Zeljana\Desktop\ComboFix.exe

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

(((((((((((((((((((((((  Dateien erstellt von 2008-08-22 bis 2008-09-22  ))))))))))))))))))))))))))))))
.

2008-09-22 19:26 . 2008-09-22 19:26        <DIR>        d--------        C:\!KillBox
2008-09-22 19:22 . 2008-09-22 19:27        <DIR>        d--------        C:\Programme\Malwarebytes' Anti-Malware
2008-09-22 19:22 . 2008-09-22 19:22        <DIR>        d--------        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\Malwarebytes
2008-09-22 19:22 . 2008-09-22 19:22        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-09-22 19:22 . 2008-09-08 00:11        38,528        --a------        C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-22 19:22 . 2008-09-08 00:11        17,200        --a------        C:\WINDOWS\system32\drivers\mbam.sys
2008-09-20 18:00 . 2008-09-20 14:21        96,978        --a------        C:\VirtumundoBeGone.exe
2008-09-18 20:55 . 2008-09-18 20:55        <DIR>        d--------        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\Lavasoft
2008-09-18 18:44 . 2008-09-18 18:44        <DIR>        d--------        C:\VundoFix Backups
2008-09-18 15:29 . 2008-09-18 16:46        75,560,435        --a------        C:\sdat5386.exe
2008-09-18 15:20 . 2008-09-18 16:53        <DIR>        d--------        C:\VDEFS
2008-09-17 23:52 . 2008-09-17 23:55        <DIR>        d--------        C:\Programme\Spybot - Search & Destroy
2008-09-17 23:52 . 2008-09-18 06:36        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-09-16 22:23 . 2008-09-16 22:23        <DIR>        d--------        C:\Programme\totalcmd
2008-09-16 19:20 . 2008-09-21 14:59        <DIR>        d--------        C:\WINDOWS\system32\CatRoot2
2008-09-16 18:33 . 2008-09-16 18:37        462        --a------        C:\WINDOWS\wincmd.ini
2008-09-06 18:36 . 2007-04-03 16:18        29,744        ---------        C:\WINDOWS\system32\InstHelper.dll
2008-09-06 18:35 . 2008-09-06 18:35        8        --a------        C:\WINDOWS\system32\success
2008-09-06 18:34 . 2008-09-06 18:34        <DIR>        d--------        C:\Programme\Gemeinsame Dateien\Deterministic Networks
2008-09-06 18:34 . 2008-09-06 18:34        <DIR>        d--------        C:\Programme\ETHZ
2008-09-06 18:34 . 2007-04-03 16:17        306,295        --a------        C:\WINDOWS\system32\drivers\CVPNDRVA.sys
2008-09-06 18:34 . 2007-04-03 16:18        197,672        --a------        C:\WINDOWS\system32\vpnapi.dll
2008-09-06 18:34 . 2007-04-03 16:18        193,576        --a------        C:\WINDOWS\system32\CSGina.dll
2008-09-06 18:34 . 2007-01-18 14:28        5,275        --a------        C:\WINDOWS\system32\drivers\CVirtA.sys
2008-09-06 18:26 . 2008-09-06 18:27        1,594        --a------        C:\WINDOWS\VPNUnInstall.MIF
2008-09-06 18:15 . 2007-01-24 00:23        127,376        --a------        C:\WINDOWS\system32\drivers\dne2000.sys
2008-09-06 18:15 . 2007-01-24 00:23        101,904        --a------        C:\WINDOWS\system32\dneinobj.dll
2008-09-06 18:14 . 2008-09-06 18:16        1,594        --a------        C:\WINDOWS\VPNInstall.MIF
2008-09-01 14:52 . 2008-09-01 14:59        <DIR>        d--------        C:\Programme\winpwn-2.5
2008-09-01 14:04 . 2008-09-01 14:04        <DIR>        d--------        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\cmw
2008-08-31 18:52 . 2008-08-08 07:04        545        --a------        C:\WINDOWS\UC.PIF
2008-08-31 18:52 . 2008-08-08 07:04        545        --a------        C:\WINDOWS\RAR.PIF
2008-08-31 18:52 . 2008-08-08 07:04        545        --a------        C:\WINDOWS\PKZIP.PIF
2008-08-31 18:52 . 2008-08-08 07:04        545        --a------        C:\WINDOWS\PKUNZIP.PIF
2008-08-31 18:52 . 2008-08-08 07:04        545        --a------        C:\WINDOWS\NOCLOSE.PIF
2008-08-31 18:52 . 2008-08-08 07:04        545        --a------        C:\WINDOWS\LHA.PIF
2008-08-31 18:52 . 2008-08-08 07:04        545        --a------        C:\WINDOWS\ARJ.PIF
2008-08-31 18:35 . 2008-08-31 18:43        <DIR>        d--------        C:\Programme\iPhoneBrowser
2008-08-30 18:36 . 2008-08-30 18:36        <DIR>        d--------        C:\Programme\WinSCP
2008-08-30 02:49 . 2008-08-30 03:01        <DIR>        d--------        C:\Programme\TiEmu
2008-08-27 03:07 . 2008-08-27 03:07        <DIR>        d--------        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\CyberLink
2008-08-26 14:13 . 2008-08-26 14:13        <DIR>        d--------        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\Sonic

.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-18 04:44        ---------        d-----w        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\MailWasherPro
2008-09-16 20:23        ---------        d-----w        C:\Programme\Java
2008-09-16 19:19        ---------        d-----w        C:\Programme\FlashGet
2008-09-16 16:32        ---------        d-----w        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\Azureus
2008-09-06 16:34        ---------        d--h--w        C:\Programme\InstallShield Installation Information
2008-09-01 14:11        ---------        d-----w        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\Apple Computer
2008-08-20 17:44        ---------        d-----w        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\Toshiba
2008-08-20 10:47        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Adobe
2008-08-20 10:44        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Adobe Systems Shared
2008-08-20 10:44        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe Systems
2008-08-11 20:39        ---------        d-----w        C:\Programme\Vuze
2008-08-06 16:03        ---------        d-----w        C:\Programme\Winamp
2008-08-06 16:03        ---------        d-----w        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\Winamp
2008-08-06 14:57        ---------        d-----w        C:\Programme\Exact Audio Copy
2008-08-05 19:36        ---------        d-----w        C:\Programme\iTunes
2008-08-05 19:36        ---------        d-----w        C:\Programme\iPod
2008-08-05 19:35        ---------        d-----w        C:\Programme\Apple Software Update
2008-08-05 13:31        ---------        d-----w        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\CopyTrans
2008-08-05 13:29        ---------        d-----w        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\iCloner
2008-08-05 13:26        ---------        d-----w        C:\Dokumente und Einstellungen\Zeljana\Anwendungsdaten\CopyTransControlCenter
2008-08-05 02:10        ---------        d-----w        C:\Programme\Wide Angle Software
2008-08-05 00:17        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Azureus
2008-08-04 20:39        ---------        d-----w        C:\Programme\Opera
2008-08-03 22:54        ---------        d-----w        C:\Programme\Dell
2008-08-03 14:31        ---------        d-----w        C:\Programme\Corel
2008-08-02 18:32        ---------        d-----w        C:\Programme\eMule
2008-07-22 18:32        32,000        ----a-w        C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-18 20:10        94,920        ----a-w        C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10        94,920        ----a-w        C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10        53,448        ----a-w        C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10        53,448        ----a-w        C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10        45,768        ----a-w        C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10        36,552        ----a-w        C:\WINDOWS\system32\wups.dll
2008-07-18 20:10        36,552        ----a-w        C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09        563,912        ----a-w        C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09        563,912        ----a-w        C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09        325,832        ----a-w        C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09        325,832        ----a-w        C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09        205,000        ----a-w        C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09        205,000        ----a-w        C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09        1,811,656        ----a-w        C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09        1,811,656        ----a-w        C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-07 20:30        253,952        ----a-w        C:\WINDOWS\system32\es.dll
2008-07-07 20:30        253,952        ------w        C:\WINDOWS\system32\dllcache\es.dll
2008-07-05 17:04        6,216        --sha-w        C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-24 16:22        74,240        ----a-w        C:\WINDOWS\system32\mscms.dll
2008-06-24 16:22        74,240        ------w        C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-23 09:53        18,432        ------w        C:\WINDOWS\system32\dllcache\iedw.exe
.

((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264]
"VodafoneUSBPP.exe"="C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe" [2007-03-03 954368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 67584]
"Apoint"="C:\Programme\Apoint\Apoint.exe" [2004-09-13 155648]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"Dell QuickSet"="C:\Programme\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"DVDLauncher"="C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"MSKDetectorExe"="C:\Programme\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"ShStatEXE"="C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"eFax 4.2"="C:\Programme\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 107008]
"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"HP Software Update"="C:\Programme\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"WinampAgent"="C:\Programme\Winamp\winampa.exe" [2008-08-04 36352]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 15360]

C:\Dokumente und Einstellungen\Zeljana\Startmen \Programme\Autostart\
Adobe Gamma.lnk - C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 18:08 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cavzig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 12:44 81920 C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programme\\eMule\\emule.exe"=
"C:\\Programme\\Bonjour\\mDNSResponder.exe"=
"C:\\Programme\\Opera\\opera.exe"=
"C:\\Programme\\Vuze\\Azureus.exe"=
"C:\\Programme\\iTunes\\iTunes.exe"=

S3 US122;US122 Driver;C:\WINDOWS\system32\Drivers\US122.sys [2003-04-17 215708]
S3 US122DL;US122 Firmware Downloader;C:\WINDOWS\system32\Drivers\US122DL.sys [2003-04-17 17263]
S3 Us122WdmService;US122 Wdm Audio;C:\WINDOWS\system32\Drivers\US122Wdm.sys [2003-04-17 84092]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12        REG_MULTI_SZ          Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt        REG_MULTI_SZ          hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e157c76-7cc1-11dc-831e-00166f157d4a}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e157c77-7cc1-11dc-831e-00166f157d4a}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e157c78-7cc1-11dc-831e-00166f157d4a}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e157c79-7cc1-11dc-831e-00166f157d4a}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e157c7a-7cc1-11dc-831e-00166f157d4a}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e157c7c-7cc1-11dc-831e-00166f157d4a}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e157c7d-7cc1-11dc-831e-001422eb24fa}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e157c7f-7cc1-11dc-831e-001422eb24fa}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{416ec6a6-7be3-11dc-831a-00166f157d4a}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{416ec6a7-7be3-11dc-831a-00166f157d4a}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
Inhalt des "geplante Tasks" Ordners
.
.
------- Zusätzlicher Suchlauf -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.ch/
R0 -: HKLM-Main,Start Page = hxxp://www.euro.dell.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 -: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O8 -: Nach Microsoft &Excel exportieren - C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 20:47:33
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-09-22 20:49:19
ComboFix-quarantined-files.txt  2008-09-22 18:49:00
ComboFix2.txt  2008-09-20 19:31:21

Vor Suchlauf: 8'717'660'160 Bytes frei
Nach Suchlauf: 8,703,475,712 Bytes frei

216        --- E O F ---        2008-09-11 14:45:56

Kazass 22.09.2008 20:19
Filelisting:
http://www.file-upload.net/download-1130297/listing.txt.html

Neues HJT-Logfile:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04:52, on 22.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\ETHZ\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Network Associates\Common Framework\FrameworkService.exe
C:\Programme\Network Associates\VirusScan\Mcshield.exe
C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\Apoint\Apoint.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
C:\Programme\Apoint\Apntex.exe
C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe
C:\Programme\eFax Messenger 4.2\J2GDllCmd.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programme\Digital Line Detect\DLG.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programme\eFax Messenger 4.2\J2GTray.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programme\ETHZ\VPN Client\vpngui.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\ETHZ\VPN Client\ipseclog.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\Zeljana\Desktop\Virus2\qlketzd.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programme\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Programme\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Programme\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Programme\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe  windows
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Programme\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Programme\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: ETH Zürich VPN Service.lnk = C:\Programme\ETHZ\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: cavzig.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\ETHZ\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10684 bytes
Danke für die schnelle antwort!!

cosinus 23.09.2008 18:22
Das sieht an sich okay aus, nur dieser Eintrag

Code:
O20 - AppInit_DLLs: cavzig.dll
sollte noch mit Hijackthis gefixt werden. Außerdem fehlen noch mindestens das SP3 und der IE7!

Code:
C:\sdat5386.exe
C:\VDEFS
Was sind das für Objekte?

Kazass 23.09.2008 19:08
Zitat:
Zitat von root24 (Beitrag 376515)
Das sieht an sich okay aus, nur dieser Eintrag

Code:
O20 - AppInit_DLLs: cavzig.dll
sollte noch mit Hijackthis gefixt werden. Außerdem fehlen noch mindestens das SP3 und der IE7!

Code:
C:\sdat5386.exe
C:\VDEFS
Was sind das für Objekte?
ah, sdat5386.exe sind die virusdefinitionen von mcafee die man auf ihrer page
laden kann. ich habe mit hiren's bootcd gearbeitet, da ich nicht nur meinem mcafee virusscan enterprise vertrauen wollte. aber damit die bootcd auch die neusten definitionen brauchen kann, muss ich den ordner erstellen und die neusten defs dort reinkopieren.
vielen dank für die hilfe!! also du meinst ich kann meinen laptop wieder
problemlos ans internet lassen? ach und wo kann ich am besten das SP3
laden?

cosinus 23.09.2008 19:29
Zitat:
ach und wo kann ich am besten das SP3
laden?
Du weißt wie man Google bedient? ;) Erster Treffer...


Alle Zeitangaben in WEZ +1. Es ist jetzt 16:35 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131