Oje. OK, hier das Log:
Combofix Logfile: Code:
ComboFix 11-02-05.01 - JKrell 06.02.2011 17:05:26.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.49.1031.18.1976.1008 [GMT 1:00]
ausgeführt von:: c:\users\JKrell\Desktop\3456.com
Benutzte Befehlsschalter :: c:\users\JKrell\Desktop\cfscript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\JKrell\AppData\Roaming\Igivc\nicoe.exe
c:\users\JKrell\AppData\Roaming\Yfrybo
c:\users\JKrell\AppData\Roaming\Yfrybo\opna.tmp
.
((((((((((((((((((((((( Dateien erstellt von 2011-01-06 bis 2011-02-06 ))))))))))))))))))))))))))))))
.
2011-02-06 16:14 . 2011-02-06 16:17 -------- d-----w- c:\users\JKrell\AppData\Local\temp
2011-02-06 16:14 . 2011-02-06 16:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-06 15:21 . 2011-02-06 15:42 -------- d-----w- C:\3456
2011-02-06 14:27 . 2011-02-06 14:27 -------- d-----w- c:\users\JKrell\AppData\Roaming\Malwarebytes
2011-02-06 14:27 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-06 14:27 . 2011-02-06 14:27 -------- d-----w- c:\programdata\Malwarebytes
2011-02-06 14:27 . 2011-02-06 14:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-06 14:27 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-06 11:25 . 2011-02-06 11:41 -------- d-----w- C:\_OTL
2011-02-04 09:21 . 2011-02-04 09:21 -------- d-----w- c:\program files\Microsoft Analysis Services
2011-01-31 18:54 . 2011-02-05 20:30 -------- d-----w- c:\program files\Panda Security
2011-01-15 14:24 . 2007-06-07 23:08 81920 ----a-w- c:\windows\system32\GkSui20.EXE
2011-01-15 14:23 . 2011-01-15 14:23 -------- d-----w- C:\Topsim
2011-01-10 19:53 . 2010-11-19 14:30 21312 ----a-w- c:\windows\system32\authuitu.dll
2011-01-10 19:53 . 2010-11-19 14:29 30016 ----a-w- c:\windows\system32\uxtuneup.dll
2011-01-10 19:45 . 2011-01-10 19:46 -------- d-----w- c:\program files\Common Files\Adobe
2011-01-08 19:16 . 2011-01-08 19:16 -------- d-----w- C:\westwood
2011-01-08 19:16 . 2011-01-08 19:16 -------- d-----w- C:\Games
2011-01-08 18:49 . 2009-02-24 17:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2011-01-08 18:49 . 2011-01-08 18:52 -------- d-----w- c:\program files\MagicDisc
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-31 15:04 . 2010-07-11 14:09 1629 ----a-w- c:\programdata\xml2FD8.tmp
2010-12-31 15:04 . 2010-06-19 10:01 13575 ----a-w- c:\programdata\xmlAE0D.tmp
2010-12-31 15:04 . 2010-06-19 10:01 8192 ----a-w- c:\programdata\xmlA852.tmp
2010-11-19 14:33 . 2009-11-03 15:14 30528 ----a-w- c:\windows\system32\TURegOpt.exe
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-03 15028104]
"ICQ"="c:\program files\ICQ7.2\ICQ.exe" [2011-01-05 133432]
"{5EB01A1D-0692-03DB-3BA4-4FC0A86371E9}"="c:\users\JKrell\AppData\Roaming\Igivc\nicoe.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-08-01 405504]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2009-09-05 385024]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-08-22 202256]
"UIExec"="c:\program files\T-Mobile Internet Manager\UIExec.exe" [2010-07-09 138576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
c:\users\JKrell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2011-1-8 576000]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Canon LBP2900 Statusfenster.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Canon LBP2900 Statusfenster.lnk
backup=c:\windows\pss\Canon LBP2900 Statusfenster.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
2008-04-06 20:42 34040 ----a-w- c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-05-21 02:06 6144000 ----a-w- c:\windows\RtHDVCpl.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" silent
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe"
"mcagent_exe"=c:\program files\McAfee.com\Agent\mcagent.exe /runkey
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4270798920-779502327-2441995354-1003]
"EnableNotificationsRef"=dword:00000001
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1ca441b10adfc18;Google Update Service (gupdate1ca441b10adfc18);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-03 133104]
R3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-09-27 9216]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 TpChoice;Touch Pad Detection Filter driver;c:\windows\system32\DRIVERS\TpChoice.sys [2007-12-26 17968]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2010-02-01 110304]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-06 50424]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-11-19 1051968]
S2 UI Assistant Service;UI Assistant Service;c:\program files\T-Mobile Internet Manager\AssistantServices.exe [2010-07-09 247632]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-03-28 210432]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-30 112128]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-04-15 51160]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-04-08 43736]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
--- Andere Dienste/Treiber im Speicher ---
*Deregistered* - BMLoad
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners
2011-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-03 11:16]
2011-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-03 11:16]
2011-01-15 c:\windows\Tasks\TuneUpUtilities_Task_BkGndMaintenance.job
- c:\program files\TuneUp Utilities 2010\OneClick.exe [2010-11-19 14:35]
2011-02-06 c:\windows\Tasks\User_Feed_Synchronization-{FE90757D-A62F-4DE0-93B0-B5FB7F2098FA}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:34]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://start.icq.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0407&s=2&o=vb32&d=1108&m=extensa_5230
IE: An OneNote s&enden - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Nach Microsoft E&xcel exportieren - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\users\JKrell\AppData\Roaming\Mozilla\Firefox\Profiles\x1kpb5qs.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.ftp - localhost
FF - prefs.js: network.proxy.ftp_port - 4001
FF - prefs.js: network.proxy.gopher - localhost
FF - prefs.js: network.proxy.gopher_port - 4001
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 4001
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 4001
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 4001
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: ICQ Toolbar: {800b5000-a755-47e1-992b-48a1c1357f07} - %profile%\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2011-02-06 17:16
Windows 6.0.6001 Service Pack 1 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
[HKEY_USERS\S-1-5-21-4270798920-779502327-2441995354-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:37,81,67,ba,92,40,75,a4,be,bf,70,6a,21,64,c0,02,a7,5f,87,3b,6a,a0,37,
97,d7,4d,ee,96,69,9b,b7,50,0b,67,7a,ba,88,93,54,40,eb,e9,3b,0e,04,02,9f,81,\
"??"=hex:3c,af,0f,f7,94,71,af,aa,05,bd,30,34,7e,55,9f,83
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
- - - - - - - > 'Explorer.exe'(2484)
c:\windows\System32\SysHook.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\program files\O2Micro Flash Memory Card Driver\o2flash.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\system32\conime.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\system32\CNAB4RPK.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Zeit der Fertigstellung: 2011-02-06 17:24:19 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2011-02-06 16:24
ComboFix2.txt 2011-02-06 15:42
Vor Suchlauf: 20 Verzeichnis(se), 23.291.981.824 Bytes frei
Nach Suchlauf: 22 Verzeichnis(se), 22.954.549.248 Bytes frei
- - End Of File - - AFFD06344DA7704ED7285BD13CB0FA81
--- --- ---
Wenn ich noch ein Rootkit drauf hatte, bedeutet dass, dass sich noch ne Menge Fieslinge dahinter versteckt haben könnten, oder? |
