Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: [Windows XP] mal wieder Virus

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 27.07.2008, 18:23   #1
c_ararat
 
[Windows XP] mal wieder Virus - Standard

[Windows XP] mal wieder Virus



Hallo Leute,

mal wieder einer, der es geschafft hat, seinen PC mit Viren voll zu packen.
Ist mir heute passiert, hatte den Free AnitVir Guard an, der hat sie auch erkannt, hab dann immer gesagt, dass er sie loeschen soll. Dennoch hat sich mein Hintergrund veraendert und sagt, dass ich einen Virus habe und kann ihn nicht veraendern. Benutze Windows XP.

Habe eben das System pruefen lassen (mit AntiVir Gurad) und da hatte er auch ein paar Viren gefunden, aber irgendwie ist der PC abgestuerzt, nachdem Neustarten habe ich ihn wieder durchlaufen lassen und diesmal hats geklappt, hat aber keinen Virus gefunden. Nun kann ich aber immer noch nicht meinen Hintergrund aendern.

Jetzt weiß ich net, ob ich nen Virus habe oder nicht, daher sicherheitshalber nochmal nachgefragt.

Bitte um Hilfe und schonmal Danke im vorraus.
Ararat Calisir

Alt 27.07.2008, 18:25   #2
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
[Windows XP] mal wieder Virus - Cool

[Windows XP] mal wieder Virus



Wir brauchen mehr Infos. Klick mal auf DSS in meiner Signatur und befolge die Anweisungen.
__________________

__________________

Alt 27.07.2008, 20:06   #3
c_ararat
 
[Windows XP] mal wieder Virus - Standard

[Windows XP] mal wieder Virus



main.txt :
Code:
ATTFilter
Deckard's System Scanner v20071014.68
Run by *** on 2008-07-27 19:56:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-27 19:58:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\lphcgtmj0ep1r.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\***\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [lphcgtmj0ep1r] C:\WINDOWS\system32\lphcgtmj0ep1r.exe
O4 - HKLM\..\Run: [SMrhcltmj0ep1r] C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.3897453704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Programme\Nero\Nero8\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\system32\TuneUpDefragService.exe


--
End of file - 5791 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ssmdrv - c:\windows\system32\drivers\ssmdrv.sys <Not Verified; AVIRA GmbH; >
R2 ACEDRV07 - c:\windows\system32\drivers\acedrv07.sys <Not Verified; Protect Software GmbH; >
R3 CEUSBAUD (Lexicon USB MIDI Driver1) - c:\windows\system32\drivers\ceusbaud.sys <Not Verified; CEntrance, Inc.; USB MIDI device>

S3 catchme - c:\combofix\catchme.sys (file missing)
S3 EVOLUSB (%EVOL_USB_SvcDesc%) - c:\windows\system32\drivers\evolusb.sys (file missing)
S3 SynasUSB - c:\windows\system32\drivers\synasusb.sys (file missing)
S3 w810bus (Sony Ericsson W810 Driver driver (WDM)) - c:\windows\system32\drivers\w810bus.sys <Not Verified; MCCI; Sony Ericsson W810 Driver>
S3 w810mdfl (Sony Ericsson W810 USB WMC Modem Filter) - c:\windows\system32\drivers\w810mdfl.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Modem Filter Driver>
S3 w810mdm (Sony Ericsson W810 USB WMC Modem Driver) - c:\windows\system32\drivers\w810mdm.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Data Modem>
S3 w810mgmt (Sony Ericsson W810 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\w810mgmt.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Device Management>
S3 w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - c:\windows\system32\drivers\w810obex.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC OBEX Interface>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Planer) - "c:\programme\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 LogWatch (Ereignisprotokoll-Überwachung) - c:\programme\ca\sharedcomponents\ca_lic\logwatnt.exe <Not Verified; Computer Associates; Computer Associates LogWatNT>
R2 Nero BackItUp Scheduler 3 - c:\programme\nero\nero8\nero backitup\nbservice.exe
R2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>

S3 CA_LIC_CLNT (CA-Lizenz-Client) - c:\programme\ca\sharedcomponents\ca_lic\lic98rmt.exe <Not Verified; Computer Associates; Computer Associates lic98rmt>
S3 CA_LIC_SRVR (CA-Lizenzserver) - c:\programme\ca\sharedcomponents\ca_lic\lic98rmtd.exe <Not Verified; Computer Associates; Computer Associates lic98rmtd>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: PRISM 802.11g Wireless Adapter (3890)
Device ID: PCI\VEN_1260&DEV_3890&SUBSYS_001417CF&REV_01\4&1F7DBC9F&0&00F0
Manufacturer: Intersil Americas Inc.
Name: PRISM 802.11g Wireless Adapter (3890)
PNP Device ID: PCI\VEN_1260&DEV_3890&SUBSYS_001417CF&REV_01\4&1F7DBC9F&0&00F0
Service: PRISM_A00

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VIA VT6105 Rhine III Fast Ethernet Adapter
Device ID: PCI\VEN_1106&DEV_3106&SUBSYS_52504D4F&REV_8B\4&1F7DBC9F&0&48F0
Manufacturer: VIA Technologies, Inc.
Name: VIA VT6105 Rhine III Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1106&DEV_3106&SUBSYS_52504D4F&REV_8B\4&1F7DBC9F&0&48F0
Service: FETNDISB


-- Scheduled Tasks -------------------------------------------------------------

2008-07-18 17:16:36       378 --a------ C:\WINDOWS\Tasks\1-Klick-Wartung.job


-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

2008-07-27 16:54:01         0 d-------- C:\Programme\rhcltmj0ep1r
2008-07-27 16:47:40     60928 --a------ C:\WINDOWS\system32\blphcgtmj0ep1r.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-27 16:47:30    110080 --a------ C:\WINDOWS\system32\lphcgtmj0ep1r.exe
2008-07-27 13:49:01         0 d-------- C:\Programme\Outsim
2008-07-11 11:34:26         0 d-------- C:\Programme\Bla
2008-07-11 00:19:44         0 d-------- C:\Programme\TuneUp Utilities 2008
2008-07-11 00:19:10         0 d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-07-09 18:02:32         0 d-------- C:\Programme\MagicISO
2008-07-09 17:25:11         0 --a------ C:\WINDOWS\PowerReg.dat
2008-07-09 17:23:03         0 d-------- C:\Programme\Infogrames Interactive
2008-07-09 16:40:49     85408 -ra------ C:\WINDOWS\system32\drivers\w810mgmt.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Device Management>
2008-07-09 16:40:45     83344 -ra------ C:\WINDOWS\system32\drivers\w810obex.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC OBEX Interface>
2008-07-09 16:40:35     94064 -ra------ C:\WINDOWS\system32\drivers\w810mdm.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Data Modem>
2008-07-09 16:40:35      8336 -ra------ C:\WINDOWS\system32\drivers\w810mdfl.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Modem Filter Driver>
2008-07-09 16:40:35      6176 -ra------ C:\WINDOWS\system32\drivers\w810cmnt.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC OBEX Interface>
2008-07-09 16:40:35      6176 -ra------ C:\WINDOWS\system32\drivers\w810cm.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC OBEX Interface>
2008-07-09 16:26:46         0 d-------- C:\WINDOWS\Downloaded Installations
2008-07-09 16:24:30         0 d-------- C:\Programme\DAEMON Tools
2008-07-09 16:05:20         0 d-------- C:\Programme\MyPhoneExplorer
2008-07-06 13:44:38         0 d-------- C:\Programme\Miranda IM
2008-07-03 18:42:51         0 d-------- C:\Programme\uTorrent
2008-07-03 12:09:15     43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-07-03 00:14:28         0 d-------- C:\Programme\Monkey Island 2
2008-07-01 12:37:35         0 d-------- C:\Programme\ScummVM
2008-07-01 12:29:52         0 d-------- C:\Programme\Monkey Island 1


-- Find3M Report ---------------------------------------------------------------

2008-07-27 16:47:53         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\foobar2000
2008-07-27 16:46:20         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\uTorrent
2008-07-27 16:16:50         0 d-------- C:\Programme\Warcraft III
2008-07-27 16:15:54    124082 --a------ C:\WINDOWS\War3Unin.dat
2008-07-27 13:49:46         0 d-------- C:\Programme\Image-Line
2008-07-25 10:14:42         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\OpenOffice.org2
2008-07-25 10:12:18         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\AdobeUM
2008-07-22 22:49:24         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\dvdcss
2008-07-11 11:33:40         0 d-------- C:\Programme\OpenOffice.org 2.3
2008-07-11 00:20:06         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\TuneUp Software
2008-07-11 00:19:10         0 d-------- C:\Programme\Gemeinsame Dateien
2008-07-09 17:23:02         0 d--h----- C:\Programme\InstallShield Installation Information
2008-07-09 17:15:10         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\MyPhoneExplorer
2008-07-09 16:40:02         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\Teleca
2008-07-09 16:33:28         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\Sony Ericsson
2008-07-06 23:23:41         0 d-------- C:\Programme\Paint.NET
2008-07-06 23:21:47         0 d-------- C:\Programme\Gemeinsame Dateien\InstallShield
2008-07-06 21:49:12         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\Miranda
2008-07-03 22:14:45         0 d-------- C:\Programme\Native Instruments
2008-07-03 12:12:42         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\Atari
2008-07-03 12:08:22         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\Leadertech
2008-07-03 11:57:23         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\DAEMON Tools Pro
2008-07-03 11:29:19         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\DAEMON Tools
2008-07-02 13:30:12         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\ICQ
2008-07-01 12:37:39         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\ScummVM
2008-06-30 14:21:47    410808 --a------ C:\WINDOWS\system32\perfh007.dat
2008-06-30 14:21:47     73994 --a------ C:\WINDOWS\system32\perfc007.dat
2008-06-23 18:11:22         0 d-------- C:\Programme\Mobiola Video Studio
2008-06-23 13:20:54         0 d-------- C:\Programme\Cucusoft
2008-06-22 15:24:35       801 --a------ C:\WINDOWS\mozver.dat
2008-06-22 15:23:41         0 d-------- C:\Programme\DivX
2008-06-22 12:48:05         0 d--hs--c- C:\Programme\Gemeinsame Dateien\WindowsLiveInstaller
2008-06-20 23:27:47         0 d-------- C:\Programme\Gemeinsame Dateien\AVSMedia
2008-06-20 23:27:45         0 d-------- C:\Programme\AVS4YOU
2008-06-19 16:29:45         0 d-------- C:\Programme\GK3neu
2008-06-19 10:05:28         0 d-------- C:\Programme\Messenger
2008-06-18 22:27:01         0 d-------- C:\Programme\MSXML 4.0
2008-06-18 18:12:46         0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\Malwarebytes
2008-06-18 14:14:25         0 d-------- C:\Programme\Avira
2008-05-28 22:36:18         0 d-------- C:\Programme\PokerStars.NET
2008-05-22 16:35:25        16 --a------ C:\WINDOWS\msocreg32.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [19.07.2008 00:53]
"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe" [28.02.2008 10:59]
"lphcgtmj0ep1r"="C:\WINDOWS\system32\lphcgtmj0ep1r.exe" [27.07.2008 16:47]
"SMrhcltmj0ep1r"="C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 00:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Programme\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"C:\Programme\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Programme\iTunes\iTunesHelper.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"DAEMON Tools"="C:\Programme\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NBKeyScan"="C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" -atboottime

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-07-27 19:59:59 ------------
         
__________________

Alt 27.07.2008, 20:07   #4
c_ararat
 
[Windows XP] mal wieder Virus - Standard

[Windows XP] mal wieder Virus



extra.txt :

Code:
ATTFilter
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: German

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 28%
Physical Memory (total/avail): 1279.48 MiB / 914.79 MiB
Pagefile Memory (total/avail): 3054.1 MiB / 2795.4 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1926.95 MiB

C: is Fixed (NTFS) - 37.31 GiB total, 20.62 GiB free. 
D: is CDROM (No Media)
G: is CDROM (Unformatted)
H: is CDROM (CDFS)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)
L: is Removable (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SV0411N - 37.31 GiB - 1 partition
  \PARTITION0 (bootable) - Installierbares Dateisystem - 37.31 GiB - C:

\\.\PHYSICALDRIVE3 - Medion Flash XL  MMC/SD USB Device

\\.\PHYSICALDRIVE1 - Medion Flash XL      CF USB Device

\\.\PHYSICALDRIVE2 - Medion Flash XL      MS USB Device

\\.\PHYSICALDRIVE4 - Medion Flash XL      SM USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Avira AntiVir PersonalEdition v8.0.1.26 (Avira GmbH)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Programme\\Windows Live\\Messenger\\livecall.exe"="C:\\Programme\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\iTunes\\iTunes.exe"="C:\\Programme\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Programme\\uTorrent\\uTorrent.exe"="C:\\Programme\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Programme\\Miranda IM\\miranda32.exe"="C:\\Programme\\Miranda IM\\miranda32.exe:*:Enabled:Miranda IM"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Dokumente und Einstellungen\All Users
APPDATA=C:\Dokumente und Einstellungen\***\Anwendungsdaten
CLASSPATH=.;C:\Programme\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Programme\Gemeinsame Dateien
COMPUTERNAME=***
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Dokumente und Einstellungen\***
LOGONSERVER=\\***
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Programme\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Programme
PROMPT=$P$G
QTJAVA=C:\Programme\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOKUME~1\Ara\LOKALE~1\Temp
TMP=C:\DOKUME~1\Ara\LOKALE~1\Temp
USERDOMAIN=***
USERNAME=***
USERPROFILE=C:\Dokumente und Einstellungen\***
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

*** (admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> C:\Programme\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
 --> C:\WINDOWS\IsUn0407.exe -fC:\WINDOWS\orun32.isu
 --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
 --> C:\WINDOWS\UNRecode.exe /UNINSTALL
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0 - Deutsch --> MsiExec.exe /I{AC76BA86-7AD7-1031-7646-000000000001}
AntivirXP08 --> "C:\Programme\rhcltmj0ep1r\uninstall.exe"
ASIO4ALL --> C:\Programme\ASIO4ALL v2\uninstall.exe
ATI - Dienstprogramm zur Deinstallation der Software --> C:\Programme\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI Parental Control & Encoder --> MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
µTorrent --> "C:\Programme\uTorrent\uTorrent.exe" /UNINSTALL
Avira AntiVir Personal - Free Antivirus --> C:\Programme\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
C-Media 3D Audio --> C:\WINDOWS\CMIUnInstall.exe
C-Media WDM Audio Driver --> C:\WINDOWS\system32\cmirmdrv.exe
DivX Web Player --> C:\Programme\DivX\DivXWebPlayerUninstall.exe /PLUGIN
FL Studio 7 --> C:\Programme\Image-Line\FL Studio 7\uninstall.exe
FL Studio 8 --> F:\Fruity Loops\uninstall.exe
FLV Player --> "C:\WINDOWS\FLV Player\uninstall.exe" "/U:C:\Programme\FLV Player\Uninstall\uninstall.xml"
foobar2000 v0.9.5.1 --> "M:\foobar2000\uninstall.exe"
Icy Tower v1.3 --> "c:\Icy Tower\icytower1.3\unins000.exe"
IL Download Manager --> C:\Programme\Image-Line\Downloader\uninstall.exe
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Lexicon Omega Studio(remove only) --> F:\Musik machen\Cubase LE\OmegaStudioUninstaller.exe
Magic ISO Maker v5.5 (build 0261) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Mediscript-CD GK3 --> C:\PROGRA~1\GK3neu\UNWISE.EXE C:\PROGRA~1\GK3neu\INSTALL.LOG
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Windows-Journal-Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Miranda IM 0.7.7 --> C:\Programme\Miranda IM\Uninstall.exe
Mozilla Firefox (2.0.0.16) --> C:\Programme\Mozilla Firefox\uninstall\helper.exe
MyPhoneExplorer --> C:\Programme\MyPhoneExplorer\uninstall.exe
Native Instruments Guitar Rig 3 --> F:\MUSIKM~1\GUITAR~2\UNWISE.EXE F:\MUSIKM~1\GUITAR~2\INSTALL.LOG
Nero 8 Trial --> MsiExec.exe /X{BE282C23-5484-47FF-B2C1-EBEA5C891031}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
OpenOffice.org 2.3 --> MsiExec.exe /I{A625D45F-1DC4-47FB-ABCF-6B27684AA717}
PoiZone --> C:\Programme\Image-Line\PoiZone\uninstall.exe
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RollerCoaster Tycoon 2 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}\Setup.exe" -l0x9 
ScummVM 0.11.1 --> "C:\Programme\ScummVM\unins000.exe"
Sicherheitsupdate für Step by Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB941693) --> "C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB944338) --> "C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB945553) --> "C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB948590) --> "C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB950749) --> "C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB950760) --> "C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB950762) --> "C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB951376-v2) --> "C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB951376) --> "C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB951698) --> "C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB951748) --> "C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Steinberg Cubase LE --> "F:\Musik machen\Cubase LE\Steinberg\Cubase LE\Uninstall.exe" "F:\Musik machen\Cubase LE\Steinberg\Cubase LE\Install.log"
Toxic Biohazard --> C:\Programme\Image-Line\Toxic Biohazard\uninstall.exe
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
Update für Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update für Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update für Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update für Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update für Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update für Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update für Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update für Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update für Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update für Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update für Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update für Windows XP (KB932823-v3) --> "C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update für Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update für Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update für Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VideoLAN VLC media player 0.8.6d --> C:\Programme\VideoLAN\VLC\uninstall.exe
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
Windows-Sicherungsprogramm --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows XP-Hotfix - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP-Hotfix - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP-Hotfix - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP-Hotfix - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP-Hotfix - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP-Hotfix - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP-Hotfix - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
WinRAR archiver --> C:\Programme\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4899 / Warning
Event Submitted/Written: 07/27/2008 04:54:02 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
PHISH/FraudTool.XPAntivirus.MPC:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe

Event Record #/Type4898 / Warning
Event Submitted/Written: 07/27/2008 04:54:02 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
PHISH/FraudTool.XPAntivirus.MPC:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe

Event Record #/Type4897 / Warning
Event Submitted/Written: 07/27/2008 04:54:02 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
PHISH/FraudTool.XPAntivirus.MPC:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe

Event Record #/Type4890 / Warning
Event Submitted/Written: 07/27/2008 04:48:08 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Dldr.Agent.xkgC:\Dokumente und Einstellungen\Ara\Lokale Einstellungen\Temp\smchk.exe

Event Record #/Type4889 / Warning
Event Submitted/Written: 07/27/2008 04:48:08 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Dldr.Agent.xkgC:\Dokumente und Einstellungen\Ara\Lokale Einstellungen\Temporary Internet Files\Content.IE5\D9ODWGXL\d226[1].exe



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type62906 / Error
Event Submitted/Written: 07/27/2008 06:04:49 PM
Event ID/Source: 10005 / DCOM
Event Description:
Bei DCOM ist der Fehler "%%1058" aufgetreten, als der Dienst "upnphost" mit den Argumenten ""
gestartet wurde, um den folgenden Server zu verwenden:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Event Record #/Type62903 / Error
Event Submitted/Written: 07/27/2008 06:04:48 PM
Event ID/Source: 10005 / DCOM
Event Description:
Bei DCOM ist der Fehler "%%1058" aufgetreten, als der Dienst "upnphost" mit den Argumenten ""
gestartet wurde, um den folgenden Server zu verwenden:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Event Record #/Type62882 / Error
Event Submitted/Written: 07/27/2008 05:16:44 PM
Event ID/Source: 10005 / DCOM
Event Description:
Bei DCOM ist der Fehler "%%1058" aufgetreten, als der Dienst "upnphost" mit den Argumenten ""
gestartet wurde, um den folgenden Server zu verwenden:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Event Record #/Type62876 / Error
Event Submitted/Written: 07/27/2008 05:16:43 PM
Event ID/Source: 10005 / DCOM
Event Description:
Bei DCOM ist der Fehler "%%1058" aufgetreten, als der Dienst "upnphost" mit den Argumenten ""
gestartet wurde, um den folgenden Server zu verwenden:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Event Record #/Type62852 / Error
Event Submitted/Written: 07/27/2008 04:52:53 PM
Event ID/Source: 10005 / DCOM
Event Description:
Bei DCOM ist der Fehler "%%1058" aufgetreten, als der Dienst "upnphost" mit den Argumenten ""
gestartet wurde, um den folgenden Server zu verwenden:
{204810B9-73B2-11D4-BF42-00B0D0118B56}



-- End of Deckard's System Scanner: finished at 2008-07-27 19:59:59 ------------
         

Alt 27.07.2008, 21:47   #5
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
[Windows XP] mal wieder Virus - Icon32

[Windows XP] mal wieder Virus



Code:
ATTFilter
C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe
C:\WINDOWS\system32\blphcgtmj0ep1r.scr
C:\WINDOWS\system32\lphcgtmj0ep1r.exe
         
Werte schonmal diese Dateien bei virustotal.com aus und poste die Ergebnisse. Mach danach einen Fullscan mit Malwarebytes Antimalware sowie einen durchlauf mit Blacklight (siehe Signatur) und auch sicherheitshalber diesem MBR-Tool - poste die Logs!

__________________
"Die Wahrheit ist normalerweise nur eine Entschuldigung für einen Mangel an Fantasie." (Elim Garak)

Das Trojaner-Board unterstützen
Warum Linux besser als Windows ist!

Alt 27.07.2008, 22:44   #6
c_ararat
 
[Windows XP] mal wieder Virus - Standard

[Windows XP] mal wieder Virus



C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe
Code:
ATTFilter
0 bytes size received / Se ha recibido un archivo vacio
         

C:\WINDOWS\system32\blphcgtmj0ep1r.scr :

Code:
ATTFilter
MD5:  	538f9ead95eba12134d95b4fe7082331
First received: 	2008.06.11 23:35:27 (CET)
Datum 	2008.07.27 02:27:32 (CET) [<1D]
Ergebnisse 	6/35
Permalink: 	analisis/3b4e666cf740cd20e45a5bb464cf3b8a


Antivirus  	Version  	letzte aktualisierung  	Ergebnis
AhnLab-V3	2008.7.26.0	2008.07.27	Win-AppCare/Xema.716800
AntiVir	7.8.1.12	2008.07.26	-
Authentium	5.1.0.4	2008.07.27	-
Avast	4.8.1195.0	2008.07.26	-
AVG	8.0.0.130	2008.07.27	-
BitDefender	7.2	2008.07.27	-
CAT-QuickHeal	9.50	2008.07.25	-
ClamAV	0.93.1	2008.07.27	-
DrWeb	4.44.0.09170	2008.07.27	-
eSafe	7.0.17.0	2008.07.27	Suspicious File
eTrust-Vet	31.6.5983	2008.07.26	-
Ewido	4.0	2008.07.27	-
F-Prot	4.4.4.56	2008.07.27	-
F-Secure	7.60.13501.0	2008.07.27	-
Fortinet	3.14.0.0	2008.07.26	Joke/Bluescreen
GData	2.0.7306.1023	2008.07.27	-
Ikarus	T3.1.1.34.0	2008.07.27	-
Kaspersky	7.0.0.125	2008.07.27	-
McAfee	5347	2008.07.25	potentially unwanted program Joke-Bluescreen
Microsoft	1.3704	2008.07.27	-
NOD32v2	3301	2008.07.27	-
Norman	5.80.02	2008.07.25	-
Panda	9.0.0.4	2008.07.27	-
PCTools	4.4.2.0	2008.07.27	Application.BluSOD
Prevx1	V2	2008.07.27	Malicious Software
Rising	20.54.62.00	2008.07.27	-
Sophos	4.31.0	2008.07.27	-
Sunbelt	3.1.1536.1	2008.07.25	-
Symantec	10	2008.07.27	Joke.Blusod
TheHacker	6.2.96.389	2008.07.25	-
TrendMicro	8.700.0.1004	2008.07.26	-
VBA32	3.12.8.1	2008.07.27	-
ViRobot	2008.7.26.1311	2008.07.26	Joke.Bluescreen.60928
VirusBuster	4.5.11.0	2008.07.27	-
Webwasher-Gateway	6.6.2	2008.07.27	-
weitere Informationen
File size: 60928 bytes
MD5...: 538f9ead95eba12134d95b4fe7082331
SHA1..: 527c50b92b5cededdd5b7e3edda71cb13d108dac
SHA256: a416bab39037854c14540edaaf80cff7b5f2e9db31eee235527574e8dedd54e6
SHA512: 4631ff7cf868348585ee0e26591b95be3ee8b232c7980f5013f4464f285b0fbd
ef41794c44cb8653d6fb6dc815c0c0a9f4af780bfeb9b23d2f4c3bdc62bf4581
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4b2b20
timedatestamp.....: 0x452e6fe8 (Thu Oct 12 16:40:08 2006)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0xa4000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xa5000 0xe000 0xde00 7.90 b6d22c9552fb5d20b4877ea36d1dff4f
.rsrc 0xb3000 0x1000 0xc00 3.91 af2222062a7a7f5fda0a2fd3ed07591d

( 8 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: InitCommonControlsEx
> comdlg32.dll: PrintDlgA
> DDRAW.dll: DirectDrawCreate
> GDI32.dll: EndDoc
> USER32.dll: GetDC
> WINMM.dll: timeSetEvent

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=3FB3E960006D9112EEE7009A960AC800008EA791
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=538f9ead95eba12134d95b4fe7082331
packers (F-Prot): UPX
         

C:\WINDOWS\system32\lphcgtmj0ep1r.exe

Code:
ATTFilter
MD5:  	453e5e7037c952afa05a0cfa2d1f155d
First received: 	2008.07.27 15:37:41 (CET)
Datum 	2008.07.27 17:37:01 (CET) [<1D]
Ergebnisse 	10/35
Permalink: 	analisis/38ecc9fc108f29868188717868927a96


Antivirus  	Version  	letzte aktualisierung  	Ergebnis
AhnLab-V3	2008.7.26.0	2008.07.27	-
AntiVir	7.8.1.12	2008.07.26	HEUR/Crypted
Authentium	5.1.0.4	2008.07.27	-
Avast	4.8.1195.0	2008.07.26	-
AVG	8.0.0.130	2008.07.27	Downloader.FraudLoad.A
BitDefender	7.2	2008.07.27	Trojan.Peed.JPX
CAT-QuickHeal	9.50	2008.07.25	(Suspicious) - DNAScan
ClamAV	0.93.1	2008.07.27	-
DrWeb	4.44.0.09170	2008.07.27	-
eSafe	7.0.17.0	2008.07.27	Suspicious File
eTrust-Vet	31.6.5983	2008.07.26	-
Ewido	4.0	2008.07.27	-
F-Prot	4.4.4.56	2008.07.27	-
F-Secure	7.60.13501.0	2008.07.27	-
Fortinet	3.14.0.0	2008.07.26	W32/Tibs.JC!tr
GData	2.0.7306.1023	2008.07.27	-
Ikarus	T3.1.1.34.0	2008.07.27	Trojan.Peed.JPX
Kaspersky	7.0.0.125	2008.07.27	-
McAfee	5347	2008.07.25	-
Microsoft	1.3704	2008.07.27	Worm:Win32/Nuwar.KE
NOD32v2	3301	2008.07.27	-
Norman	5.80.02	2008.07.25	-
Panda	9.0.0.4	2008.07.27	-
PCTools	4.4.2.0	2008.07.27	-
Prevx1	V2	2008.07.27	Malicious Software
Rising	20.54.62.00	2008.07.27	-
Sophos	4.31.0	2008.07.27	-
Sunbelt	3.1.1536.1	2008.07.25	-
Symantec	10	2008.07.27	Packed.Generic.174
TheHacker	6.2.96.389	2008.07.25	-
TrendMicro	8.700.0.1004	2008.07.26	-
VBA32	3.12.8.1	2008.07.27	-
ViRobot	2008.7.26.1311	2008.07.26	-
VirusBuster	4.5.11.0	2008.07.27	-
Webwasher-Gateway	6.6.2	2008.07.27	Heuristic.Crypted
weitere Informationen
File size: 110080 bytes
MD5...: 453e5e7037c952afa05a0cfa2d1f155d
SHA1..: a28d28d3da055d1b13eddeda12d4f2d07173a7d1
SHA256: 04d3bb7d272d8542c0c986579c5cc7422f6c6c76d5b0642222cfb7c1a7b7765e
SHA512: 04401d4937d2d5f265f46598e62e201dde6b2a2d97c4fb5f695ff047e45142f0
d81b4fcf1bf3e0e9ca9648ea5c7e901555a57a9814cdfb6a5bd92ca580ff962e
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403811
timedatestamp.....: 0x48776b9b (Fri Jul 11 14:18:03 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8f3b 0x6200 7.99 8a5e57ffefbd0f64e9644da2d66da8e0
.rdata 0xa000 0x38ad 0x1600 7.97 a12ba4e6286f830e973fb06a3c6fc722
.data 0xe000 0x25f60 0x11200 8.00 9fc31b11dd8fea75728f9daf48fb43bc
.rsrc 0x34000 0x2000 0x2000 5.31 3b2e0792fe9da580674d305ab7e5ef1a

( 3 imports )
> urlmon.dll: URLOpenStreamA, IsLoggingEnabledA, CoInstall, GetClassFileOrMime, AsyncInstallDistributionUnit, IsValidURL
> gdi32.dll: SetICMMode, SetRelAbs, ResetDCW, StretchBlt, SetDIBColorTable, UpdateColors, SaveDC, TextOutW
> shell32.dll: StrCmpNA, SHFormatDrive, SHAppBarMessage

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=266BA71A006AFBF3AE3401A4CD395A00C0E6BC18
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=453e5e7037c952afa05a0cfa2d1f155d
         
Ich war mir nicht ganz sicher was benoetigt war, daher habe ich alles kopiert,was angezeigt wurde. Die anderen Reports folgen...

Alt 27.07.2008, 23:33   #7
c_ararat
 
[Windows XP] mal wieder Virus - Standard

[Windows XP] mal wieder Virus



Code:
ATTFilter
Malwarebytes' Anti-Malware 1.23
Datenbank Version: 999
Windows 5.1.2600 Service Pack 2

23:32:25 27.07.2008
mbam-log-7-27-2008 (23-32-25).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 88109
Laufzeit: 43 minute(s), 14 second(s)

Infizierte Speicherprozesse: 2
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 3
Infizierte Registrierungswerte: 6
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 1
Infizierte Dateien: 14

Infizierte Speicherprozesse:
C:\WINDOWS\system32\blphcgtmj0ep1r.scr (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\lphcgtmj0ep1r.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcltmj0ep1r (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcltmj0ep1r (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcgtmj0ep1r (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcltmj0ep1r (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\Programme\rhcltmj0ep1r (Rogue.Multiple) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Programme\rhcltmj0ep1r\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Ara\Lokale Einstellungen\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Ara\Lokale Einstellungen\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Ara\Lokale Einstellungen\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcgtmj0ep1r.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcgtmj0ep1r.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcgtmj0ep1r.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
         

Alt 27.07.2008, 23:50   #8
c_ararat
 
[Windows XP] mal wieder Virus - Standard

[Windows XP] mal wieder Virus



Blacklight (nichts gefunden):

Code:
ATTFilter
07/27/08 23:38:15 [Info]: BlackLight Engine 1.0.70 initialized
07/27/08 23:38:15 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/27/08 23:38:15 [Note]: 7019 4
07/27/08 23:38:15 [Note]: 7005 0
07/27/08 23:38:20 [Note]: 7006 0
07/27/08 23:38:20 [Note]: 7011 1308
07/27/08 23:38:20 [Note]: 7035 0
07/27/08 23:38:20 [Note]: 7026 0
07/27/08 23:38:20 [Note]: 7026 0
07/27/08 23:38:23 [Note]: FSRAW library version 1.7.1024
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:48:31 [Note]: 7007 0
         

MBR-Tool:

Code:
ATTFilter
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
         

Alt 28.07.2008, 09:14   #9
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
[Windows XP] mal wieder Virus - Standard

[Windows XP] mal wieder Virus



Das sieht soweit schon wieder ganz ok aus. Antimalware hat da einiges entfernt.

Erstell noch bitte mal ein Logfile mit silentrunners.
__________________
"Die Wahrheit ist normalerweise nur eine Entschuldigung für einen Mangel an Fantasie." (Elim Garak)

Das Trojaner-Board unterstützen
Warum Linux besser als Windows ist!

Alt 28.07.2008, 14:28   #10
c_ararat
 
[Windows XP] mal wieder Virus - Standard

[Windows XP] mal wieder Virus



Aehm ich weiß nicht, gegen 10 nach 11 das Programm gestartet und da wurde gesagt, dass nahc dem Scan eine Textbox und ein Logfile geoffnet wird, allerdings wurde auch betont, dass dieser Scan sehr lange dauert.

Nunja, bei mir laeuft der bereits seit 3 Stunden und es kam noch nix?

Eine Textfile gibt es aber schon:

Startup Programs (***) 2008-07-28 11.13.12.txt:

Code:
ATTFilter
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"NeroFilterCheck" = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe" ["Nero AG"]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
                                        \StubPath   = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
                                       \StubPath   = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
                                       \StubPath   = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
  -> {HKLM...CLSID} = "Universelle Plug & Play-Geräte"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\upnpui.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                   \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
                   \InProcServer32\(Default) = "C:\Programme\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{BEFAC8C8-2100-4315-AE9A-2A9127AF02D8}" = "MobiolaShlExt extension"
  -> {HKLM...CLSID} = "MobiolaShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Mobiola Video Studio\MobiolaExt.dll" [null data]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2008\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
                   \InProcServer32\(Default) = "C:\Programme\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
                   \InProcServer32\(Default) = "C:\Programme\MagicISO\misosh.dll" ["MagicISO, Inc."]
MyPhoneExplorer\(Default) = "{A372C6DF-7A85-41B1-B3B0-D1E24073DCBF}"
  -> {HKLM...CLSID} = "MyPhoneExplorer_ShellEx.ShellExt"
                   \InProcServer32\(Default) = "C:\Programme\MyPhoneExplorer\DLL\ShellMgr.dll" ["F.J. Wechselberger"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
SMobiolaShlExt\(Default) = "{BEFAC8C8-2100-4315-AE9A-2A9127AF02D8}"
  -> {HKLM...CLSID} = "MobiolaShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Mobiola Video Studio\MobiolaExt.dll" [null data]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2008\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
                   \InProcServer32\(Default) = "C:\Programme\MagicISO\misosh.dll" ["MagicISO, Inc."]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2008\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
                   \InProcServer32\(Default) = "C:\Programme\MagicISO\misosh.dll" ["MagicISO, Inc."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDispBackgroundPage" = (REG_DWORD) dword:0x00000000
{Hide Desktop tab}

"NoDispScrSavPage" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Windows\System\

"DisableCMD" = (REG_DWORD) dword:0x00000000
{Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

MSVideoCameraArrival\
"Provider" = "@C:\Programme\Movie Maker\1031\wmm2res.dll,-100"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Programme\Movie Maker\moviemk.exe" /RECORD"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay8AudioToNeroDigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay8CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]

NeroAutoPlay8CopyCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

NeroAutoPlay8DataDisc_CD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]

NeroAutoPlay8DataDisc_DVD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]

NeroAutoPlay8LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

NeroAutoPlay8PlayAudioCD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay8PlayDVD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay8RipCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay8TranscodeVideo\
"Provider" = "Nero Recode"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

NeroAutoPlay8VideoCapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Programme\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay8ViewPhotos\
"Provider" = "Nero PhotoSnap Viewer"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]


Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2008\OneClick.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{8DC086C2-5C5E-4B71-8413-18139AC3D9CF}\
"ButtonText" = "MedionShop"
"Exec" = "http://www.medionshop.de/" [file not found]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" [file not found]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Avira AntiVir Personal – Free Antivirus Guard, AntiVirService, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal – Free Antivirus Planer, AntiVirScheduler, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
PLFlash DeviceIoControl Service, PLFlash DeviceIoControl Service, "C:\WINDOWS\System32\IoctlSvc.exe" ["Prolific Technology Inc."]
TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor MP750\Driver = "CNMLM6z.DLL" ["CANON INC."]
LPR Port\Driver = "lprmon.dll" [MS]


---------- (launch time: 2008-07-28 11:13:12)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 70 seconds.
---------- (total run time: 203 seconds)
         

Alt 29.07.2008, 13:33   #11
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
[Windows XP] mal wieder Virus - Cool

[Windows XP] mal wieder Virus



Hmja, silentrunners läuft nicht immer 100% sauber durch, aber das Logfile hat er bei Dir vollständig erzeugt.

Code:
ATTFilter
"C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
"C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
         
Sieh zu, daß Du die veralteten Versionen runterschmeißt und aktuelle installierst!
Ansonsten seh ich keine Auffälligkeiten im Logfile.

Falls sich noch weitere "krumme" Dateien im System befinden, können wir die evtl. so aufspüren:
Über ein filelisting mit diesem script:

- Script abspeichern per Rechtsklick, speichern unter auf dem Desktop
- Doppelklick auf listing8.cmd auf dem Desktop
- nach kurzer Zeit erscheint eine listing.txt auf dem Desktop
Diese listing.txt z.B. bei file-upload.net hochladen und hier verlinken, da dieses Logfile zu groß fürs Board ist.
__________________
"Die Wahrheit ist normalerweise nur eine Entschuldigung für einen Mangel an Fantasie." (Elim Garak)

Das Trojaner-Board unterstützen
Warum Linux besser als Windows ist!

Antwort

Themen zu [Windows XP] mal wieder Virus
abges, anitvir, antivir, arten, erkannt, free, gefunde, geklappt, guard, heute, hintergrund, leute, loeschen, neustarten, schonmal, sicherheitshalber, system, veraendert, viren, virus, voll, windows, windows xp



Ähnliche Themen: [Windows XP] mal wieder Virus


  1. Windows 7: Browser stürzt immer wieder ab + Blue Screen - Virus?
    Log-Analyse und Auswertung - 06.08.2015 (14)
  2. Windows 7: Avira meldet immer wieder ADWARE/Adware.Gen4 bzw. .Gen7, zudem taucht Optimizer Pro immer wieder auf
    Log-Analyse und Auswertung - 14.12.2014 (9)
  3. Interpol Virus, Windows 7, Abgesicherter Modus fährt wieder runter
    Plagegeister aller Art und deren Bekämpfung - 21.10.2013 (1)
  4. GVU Virus eingefangen, Abgesicherter Modus fährt direkt wieder runger, Windows XP
    Plagegeister aller Art und deren Bekämpfung - 29.06.2013 (24)
  5. Mal wieder ein Virus?
    Plagegeister aller Art und deren Bekämpfung - 14.04.2012 (20)
  6. Und wieder der 50€ Virus....
    Plagegeister aller Art und deren Bekämpfung - 10.04.2012 (61)
  7. Mal wieder BKA Virus..
    Plagegeister aller Art und deren Bekämpfung - 24.03.2012 (1)
  8. und ja..... der 50 € Virus hat wieder zugeschlagen.Windows XP
    Log-Analyse und Auswertung - 14.02.2012 (5)
  9. Hilfe habe virus und ich soll 50€ zahlen damit mein windows wieder frei ist
    Alles rund um Windows - 29.01.2012 (1)
  10. Nach Gründlicher Formatierung und Windows Neuinstallation BKA virus WIEDER DA !
    Plagegeister aller Art und deren Bekämpfung - 27.12.2011 (50)
  11. Wie werde ich den Virus/Trojaner "Windows 7 Security 2011" wieder los?
    Plagegeister aller Art und deren Bekämpfung - 19.11.2010 (10)
  12. Wieder Hartnäckiger virus!
    Plagegeister aller Art und deren Bekämpfung - 26.04.2010 (1)
  13. Windows Vista startet nicht, fährt sofort wieder runter und gleich wieder hoch...
    Alles rund um Windows - 03.04.2010 (3)
  14. schon wieder Virus??
    Plagegeister aller Art und deren Bekämpfung - 15.07.2009 (2)
  15. Virus kommt wieder
    Log-Analyse und Auswertung - 11.01.2009 (0)
  16. wieder ein virus
    Log-Analyse und Auswertung - 12.11.2007 (4)
  17. Virus ? Schon wieder?
    Log-Analyse und Auswertung - 02.12.2005 (3)

Zum Thema [Windows XP] mal wieder Virus - Hallo Leute, mal wieder einer, der es geschafft hat, seinen PC mit Viren voll zu packen. Ist mir heute passiert, hatte den Free AnitVir Guard an, der hat sie auch - [Windows XP] mal wieder Virus...
Archiv
Du betrachtest: [Windows XP] mal wieder Virus auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.