Wie erwartet

Flashdisinfector
[*]Lade Flash_Disinfector.exe und speichere es auf Deinen Desktop.
[*]Doppleklicke Flash_Disinfector.exe um es zu starten und folge den Anweisungen.
[*]Das Programm bittet Dich Flash Drives (USB Sticks/Festplatten) und alle entfernbaren Medien (auch Dein Handy) anzuschließen. Bitte mach dies und erlaube dem Programm diese Laufwerke auch zu reinigen.[*]Warte bis das Programm den Scan abgeschlossen hat und schließe das Programm dann.[*]Reboote Deinen Rechner wenn Du die obigen Punkte ausgeführt hast.[/list]
Du musst nach allen Kopien von RavMon.exe suchen und löschen.
Update Avira, stelle die Heuristik auf hoch ein und mache einen Systemscan.
Poste das Log dann hier.

Flash_Disinfector habe ich erledigt.
Rechner neu hochgefahren.

Dann unter der Windows-Suche nach RavMon.exe den Arbeitsplatz durchsuch:

KEINE DATEI GEFUNDEN.


Zu Avira:
Ich bin in Zentralafrika und habe zurzeit eine sehr schlechte Internetverbindung. Das letzte Update hab ich gestern durchführen können. Heute lahmt das Netz extrem, kann im Moment kein Update machen. Ist der Stand von gestern ausreichend?

Zitat:

Zitat von geo-pec

Ist der Stand von gestern ausreichend?

Ja, sollte reichen.
Bitte deinstallie vor dem Scan Combofix

Um Combofix zu loeschen(den qoobox ordner) gebe unter Start /Ausführen "combofix /u" ein. Ohne die " natürlich.

Avira AntiVir Personal
Report file date: 14 June 2008 11:33

Scanning for 1331132 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: AFXPMONAIRDIG02

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 09.04.2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 18.03.2008 10:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 07.02.2008 09:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 28.02.2008 09:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 21.02.2008 09:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18.07.2007 11:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07.03.2008 14:08:58
ANTIVIR2.VDF : 7.0.4.120 2206720 Bytes 01.06.2008 15:13:05
ANTIVIR3.VDF : 7.0.4.193 377344 Bytes 13.06.2008 15:13:39
Engineversion : 8.1.0.55
AEVDF.DLL : 8.1.0.5 102772 Bytes 25.02.2008 10:58:21
AESCRIPT.DLL : 8.1.0.40 266618 Bytes 13.06.2008 15:19:56
AESCN.DLL : 8.1.0.21 119156 Bytes 13.06.2008 15:19:38
AERDL.DLL : 8.1.0.20 418165 Bytes 13.06.2008 15:19:26
AEPACK.DLL : 8.1.1.5 364918 Bytes 13.06.2008 15:18:58
AEOFFICE.DLL : 8.1.0.18 192890 Bytes 13.06.2008 15:18:33
AEHEUR.DLL : 8.1.0.30 1253750 Bytes 13.06.2008 15:18:19
AEHELP.DLL : 8.1.0.15 115063 Bytes 13.06.2008 15:15:51
AEGEN.DLL : 8.1.0.28 307572 Bytes 13.06.2008 15:15:12
AEEMU.DLL : 8.1.0.6 430451 Bytes 13.06.2008 15:14:16
AECORE.DLL : 8.1.0.31 168310 Bytes 13.06.2008 15:13:54
AVWINLL.DLL : 1.0.0.7 14593 Bytes 23.01.2008 18:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 18.02.2008 11:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 16.04.2007 14:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 23.01.2008 18:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 12.02.2008 09:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 28.02.2008 09:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22.01.2008 18:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 23.01.2008 18:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 25.01.2008 13:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 10.03.2008 15:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 06.03.2008 13:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 14 June 2008 11:33

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'update.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'msimn.exe' - '1' Module(s) have been scanned
Scan process 'Acrobat.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'fbserver.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'symlcsvc.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'SMAgent.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'SMTray.exe' - '1' Module(s) have been scanned
Scan process 'LogMeIn.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ramaint.exe' - '1' Module(s) have been scanned
Scan process 'fbguard.exe' - '1' Module(s) have been scanned
Scan process 'CDAC11BA.EXE' - '1' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
41 processes with 41 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] Das Gerät ist nicht bereit.
Master boot sector HD2
[INFO] No virus was found!
[WARNING] Das Gerät ist nicht bereit.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] Das Gerät ist nicht bereit.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] Das Gerät ist nicht bereit.
Master boot sector HD5
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '25' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
[WARNING] The file could not be opened!


End of the scan: 14 June 2008 12:25
Used time: 51:58 min

The scan has been done completely.

9040 Scanning directories
623904 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
623904 Files not concerned
9506 Archives were scanned
7 Warnings
0 Notes

Bitte führe Combofix nun erneut aus und poste das neue Logfile hier.

ComboFix 08-06-12.2 - DIGuser02 2008-06-15 11:17:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1033.18.2771 [GMT 1:00]
Running from: C:\Documents and Settings\DIGuser02\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-14 08:38 . 2008-06-14 08:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-14 08:38 . 2008-06-14 08:38 <DIR> d-------- C:\Documents and Settings\DIGuser02\Application Data\Malwarebytes
2008-06-14 08:38 . 2008-06-14 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-14 08:38 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-14 08:38 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-14 08:19 . 2008-06-14 08:19 <DIR> d-------- C:\Program Files\CCleaner
2008-06-13 18:01 . 2008-06-14 07:32 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-06-13 17:53 . 2008-06-14 07:32 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-06-13 16:35 . 2008-06-13 17:54 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-13 14:40 . 2008-06-13 15:18 <DIR> d-------- C:\USB Stick
2008-06-13 10:57 . 2008-06-13 10:57 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-13 10:57 . 2008-06-13 10:57 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-13 10:56 . 2008-06-13 10:56 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-13 10:56 . 2008-06-13 11:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-13 10:56 . 2008-06-13 11:01 49,184 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-13 10:56 . 2008-06-13 11:01 1,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-13 10:56 . 2008-06-13 11:01 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-13 10:56 . 2008-06-13 11:01 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-13 07:58 . 2008-06-13 07:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-13 07:54 . 2007-10-01 11:18 784 --a------ C:\WINDOWS\win.tmp
2008-06-13 07:54 . 2008-06-13 15:35 250 --a------ C:\WINDOWS\system.tmp
2008-06-12 13:35 . 2008-06-14 07:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-12 13:31 . 2008-06-14 07:42 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-12 13:31 . 2008-06-12 13:31 <DIR> d-------- C:\Documents and Settings\DIGuser02\Application Data\PC Tools
2008-06-11 09:55 . 2008-06-11 09:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-11 09:55 . 2008-06-11 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-11 08:15 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 08:15 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 07:24 . 2008-06-13 16:08 <DIR> d-------- C:\Program Files\Avira
2008-06-11 07:24 . 2008-06-13 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-08 14:27 . 2008-06-14 10:42 <DIR> d-------- C:\EM Wette
2008-05-29 17:30 . 2008-06-14 16:30 <DIR> d-------- C:\Documents and Settings\DIGuser02\Application Data\skypePM
2008-05-29 17:30 . 2008-05-29 17:30 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-29 17:29 . 2008-05-29 17:29 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-19 13:35 . 2008-05-19 13:35 <DIR> d----c--- C:\Lizenz
2008-05-19 13:29 . 2008-05-19 13:35 <DIR> d-------- C:\Program Files\GEOgraf
2008-05-19 13:28 . 2008-05-19 14:03 1,570 --a------ C:\WINDOWS\geograf.mif
2008-05-19 09:57 . 2008-05-19 09:57 <DIR> d-------- C:\Program Files\tuloxFreeWBI
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 10:08 --------- d-----w C:\Program Files\LogMeIn
2008-06-14 15:52 --------- d-----w C:\Documents and Settings\DIGuser02\Application Data\Skype
2008-06-14 07:11 --------- d-----w C:\Program Files\PC Sync Manager
2008-06-14 07:11 --------- d-----w C:\Program Files\Groove
2008-06-14 06:35 --------- d-----w C:\Documents and Settings\DIGuser02\Application Data\concept design
2008-06-14 06:31 --------- d-----w C:\Program Files\Belkin
2008-06-13 09:26 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-06-11 08:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 07:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-11 07:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-11 07:08 --------- d-----w C:\Program Files\Symantec
2008-05-13 16:09 --------- d-----w C:\Documents and Settings\DIGuser02\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 08:47 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-05-03 08:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-03 08:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 10:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-25 17:21 26,964 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-04-23 12:40 --------- d-----w C:\Program Files\Mozilla Thunderbird
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-27 09:23 68856]
"Skype"="REM C:\Program Files\Skype\Phone\Skype.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 17:08 143360]
"SetRefresh"="REM C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [ ]
"VOBRegCheck"="C:\WINDOWS\System32\VOBREGCheck.exe" [2003-01-08 15:55 153088]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-13 09:47 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-01-13 09:47 163840]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-01-13 09:46 135168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"avgnt"="REM C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 18:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 FpFilter;Drive Utility Filter Service;C:\WINDOWS\system32\drivers\fpfilter.sys [2002-10-30 13:13]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe [2004-12-13 01:05]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 15:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 15:09]
R2 mapmem;mapmem;C:\WINDOWS\system32\mapmem.sys [1998-12-10 22:57]
R2 NwSapAgent;SAP Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 09:00]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-08-04 09:00]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe [2004-12-13 01:05]
S3 ForteUSB;DK Digital USB Driver Service;C:\WINDOWS\system32\Drivers\ForteUSB.sys [2001-09-08 11:18]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2004-09-07 16:42]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0778e684-1e06-11db-841b-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d6da048-ba64-11db-af3f-000ffe244163}]
\Shell\Auto\command - F:\sss.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d8e55dc-9667-11dc-b084-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c59e2aa-1cb2-11db-8417-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f64100-3467-11dc-affc-000ffe244163}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - F:\RavMon.exe -e
\Shell\open\Command - F:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45f579fb-9706-11db-aefb-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70e3815d-3cab-11db-8445-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b41158-5172-11dc-b021-000ffe244163}]
\Shell\AutoRun\command - L:\RavMon.exe
\Shell\explore\Command - L:\RavMon.exe -e
\Shell\open\Command - L:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aba517bd-3339-11db-8439-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1404ced-6b06-11db-9167-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e87c6264-507b-11dc-b01f-000ffe244163}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \SystemVolumeInformation\system.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edd7a6ab-2cf8-11db-8432-000ffe244163}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f10bdd12-d1f3-11db-af62-000ffe244163}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 11:22:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-06-15 11:29:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 10:29:25
ComboFix2.txt 2008-06-14 08:47:46

Pre-Run: 17,904,521,216 bytes free
Post-Run: 17,851,047,936 bytes free

198 --- E O F --- 2008-06-11 10:11:52

Combofix - Scripten

1. Starte das Notepad (Start / Ausführen / notepad[Enter])

2. Jetzt füge mit copy/paste den ganzen Inhalt der untenstehenden Codebox in das Notepad Fenster ein.

Code: Alles auswählenAufklappen

ATTFilter

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0778e684-1e06-11db-841b-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d6da048-ba64-11db-af3f-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d8e55dc-9667-11dc-b084-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c59e2aa-1cb2-11db-8417-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36f64100-3467-11dc-affc-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70e3815d-3cab-11db-8445-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76b41158-5172-11dc-b021-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aba517bd-3339-11db-8439-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edd7a6ab-2cf8-11db-8432-000ffe244163}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f10bdd12-d1f3-11db-af62-000ffe244163}]

FileLook::
C:\WINDOWS\system32\lsdelete.exe
         

3. Speichere im Notepad als CFScript.txt auf dem Desktop.

4. Deaktivere den Guard Deines Antivirenprogramms und eine eventuell vorhandene Software Firewall.
(Auch Guards von Ad-, Spyware Programmen und den Tea Timer!)

5. Dann ziehe die CFScript.txt auf die ComboFix.exe, so wie es im unteren Bild zu sehen ist. Damit wird Combofix neu gestartet.





6. Nach dem Neustart (es wird gefragt ob Du neustarten willst), poste bitte die folgenden Log Dateien:
Combofix.txt

Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann