FakeAlert Trojan-Spy.Win32.GreenScreen etc.

rladmin · 15.09.2008, 20:18

Guten Abend,

heute Nachmittag habe ich mir ein Trojaner eingefangen und erhalte seit dem diverse Warnmeldungen ( Windows Firewall has detected activity of harmful software[...] Trojan-Spy.Win32.GreenScreen, Trojan-Clicker.Win32Tiny.h, Trojan-Spy.Win32.Keylogger.aa, Trojan-Spy.HTML.Bankfraud.dq ).

Zunächst habe ich mit dem Programm "Malware" einige Probleme behoben bzw. in Quarantäne gesetzt. Mein Virenscanner Avira AntiVir hat ebenfalls etwas entfernt, jedoch bekomme ich diese Fakealerts nicht geregelt.

Ich habe ein HJT durchgeführt, werde daraus allerdings nicht schlau. Vielleicht kann mir hier jemand weiterhelfen.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:01:40, on 15.09.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\ieconfig_1und1_svc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\ProgramData\DscDb\kfohkhod.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = go.1und1.de/links/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=DE_DE&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=DE_DE&c=71&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://go.1und1.de/suchbox/1und1suche?su=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer bereitgestellt von 1&1 Internet AG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: 1&&1 Internet AG Browser Configuration by mquadr.at - {D48FF4B4-E68F-47D1-8E25-81A0F0EEB341} - C:\Windows\System32\ieconfig_1und1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DscDb] C:\ProgramData\DscDb\kfohkhod.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - hxxp://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: IEConfig 1und1 Edition (serviceIEConfig) - Unknown owner - C:\Windows\System32\ieconfig_1und1_svc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11576 bytes

Ich hoffe mir kann jemand genauere Informationen geben damit das Problem behoben werden kann.

Danke

myrtille · 16.09.2008, 01:18

Hi,

starte den Rechner bitte neu. Arbeite dann bitte folgendes ab:

ComboFix Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir das Tool hier herunter auf den Desktop -> KLICK

Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:

Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser. Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat! Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

lg myrtille

rladmin · 16.09.2008, 08:54

Guten Morgen,

Danke für die Hilfe. Ich habe combofix nun durchgeführt. Hier die Log:

ComboFix 08-09-15.02 - HP 2008-09-16 9:44:32.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1031.18.397 [GMT 2:00]
ausgeführt von:: C:\Users\HP\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

((((((((((((((((((((((( Dateien erstellt von 2008-08-16 bis 2008-09-16 ))))))))))))))))))))))))))))))
.

Keine neuen Dateien erstellt in diesem Zeitraum

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 18:40 5,822 ----a-w C:\Windows\System32\tmp.reg
2008-09-15 18:36 34,916 ----a-w C:\Users\HP\AppData\Roaming\nvModes.dat
2008-09-15 18:32 --------- d-----w C:\Program Files\Enigma Software Group
2008-09-15 18:01 --------- d-----w C:\Program Files\Trend Micro
2008-09-15 17:38 --------- d---a-w C:\ProgramData\TEMP
2008-09-15 15:32 --------- d-----w C:\ProgramData\ylapqnqf
2008-09-15 15:21 --------- d-----w C:\Users\HP\AppData\Roaming\Malwarebytes
2008-09-15 15:21 --------- d-----w C:\ProgramData\Malwarebytes
2008-09-15 15:21 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-15 14:39 --------- d-----w C:\ProgramData\DscDb
2008-09-14 14:07 --------- d-----w C:\Users\HP\AppData\Roaming\uTorrent
2008-09-11 05:48 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-11 05:45 --------- d-----w C:\Program Files\Microsoft Works
2008-09-09 22:04 38,528 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys
2008-09-09 22:03 17,200 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-08-27 13:55 --------- d-----w C:\Users\HP\AppData\Roaming\Roxio
2008-08-27 13:54 --------- d-----w C:\ProgramData\Sonic
2008-08-24 17:49 --------- d-----w C:\Program Files\DSL Speed
2008-08-24 15:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-24 15:34 --------- d-----w C:\Users\HP\AppData\Roaming\InstallShield
2008-08-24 15:34 --------- d-----w C:\Program Files\CIB software GmbH
2008-08-24 14:01 --------- d-----w C:\Program Files\Common Files\XPressUpdate
2008-08-24 14:00 --------- d-----w C:\Program Files\PDF Editor 2
2008-08-24 13:41 73,216 ----a-w C:\Windows\cadkasdeinst01.exe
2008-08-24 13:35 --------- d-----w C:\Users\HP\AppData\Roaming\PixelPlanet
2008-08-24 13:35 --------- d-----w C:\ProgramData\PixelPlanet
2008-08-21 13:48 --------- d-----w C:\Program Files\MediaMonkey
2008-08-20 16:24 --------- d-----w C:\ProgramData\Apple Computer
2008-08-20 16:02 --------- d-----w C:\Users\HP\AppData\Roaming\Apple Computer
2008-08-20 16:01 --------- d-----w C:\Program Files\QuickTime
2008-08-20 16:01 --------- d-----w C:\Program Files\Bonjour
2008-08-20 15:59 --------- d-----w C:\Program Files\Apple Software Update
2008-08-20 15:58 --------- d-----w C:\ProgramData\Apple
2008-08-20 15:58 --------- d-----w C:\Program Files\Common Files\Apple
2008-08-19 10:37 --------- d-----w C:\Program Files\EPSON
2008-08-19 10:30 --------- d-----w C:\ProgramData\EPSON
2008-08-18 20:04 --------- d-----w C:\Users\HP\AppData\Roaming\vlc
2008-08-18 18:29 --------- d-----w C:\Program Files\VideoLAN
2008-08-17 19:31 --------- d-----w C:\Users\HP\AppData\Roaming\Winamp
2008-08-17 19:28 --------- d-----w C:\Program Files\Winamp
2008-08-17 18:19 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-08-17 18:18 --------- d-----w C:\Program Files\DVDVideoSoft
2008-08-16 13:18 --------- d-----w C:\Program Files\ElcomSoft
2008-08-14 13:01 --------- d-----w C:\Program Files\Windows Mail
2008-08-13 10:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-13 10:43 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-13 10:20 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-08-13 10:20 --------- d-----w C:\Users\HP\AppData\Roaming\DAEMON Tools
2008-08-13 09:27 --------- d-----w C:\Program Files\uTorrent
2008-08-13 01:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-12 20:24 --------- d-----w C:\Users\HP\AppData\Roaming\DivX
2008-08-12 20:24 --------- d-----w C:\Program Files\DivX
2008-08-12 15:50 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-12 15:50 --------- d-----w C:\Program Files\Windows Live Favorites
2008-08-12 15:48 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-12 15:48 --------- d-----w C:\Program Files\Windows Live
2008-08-12 15:41 --------- d-----w C:\ProgramData\WLInstaller
2008-08-12 12:38 --------- d-----w C:\Users\HP\AppData\Roaming\HP
2008-08-12 12:38 --------- d-----w C:\ProgramData\HP
2008-08-07 10:35 174 --sha-w C:\Program Files\desktop.ini
2008-08-07 05:24 --------- d-----w C:\Program Files\Windows Sidebar
2008-08-07 05:24 --------- d-----w C:\Program Files\Windows Defender
2008-08-07 05:24 --------- d-----w C:\Program Files\Windows Calendar
2008-08-07 05:21 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-08-07 05:21 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-08-07 05:21 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-08-07 05:19 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-08-07 05:19 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-08-07 05:18 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-08-07 05:18 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-08-07 05:13 414,208 ----a-w C:\Windows\System32\msscp.dll
2008-08-07 05:13 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-08-07 05:13 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-08-07 05:12 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-08-07 05:12 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-08-07 05:12 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-08-07 05:12 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-08-07 05:11 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-08-07 05:11 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-08-07 05:11 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-08-07 05:11 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-08-07 05:11 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-08-07 05:11 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-08-07 05:11 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-08-07 05:11 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-08-07 05:11 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-08-07 05:09 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-08-07 05:09 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-08-07 05:09 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-08-07 05:09 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-08-07 05:09 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-08-07 05:09 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-08-07 05:09 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-08-07 05:09 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-08-07 05:08 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-08-07 05:08 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
2008-08-07 05:08 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-08-07 05:06 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-08-07 05:06 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-08-07 05:06 22,016 ----a-w C:\Windows\System32\netiougc.exe
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-08-07 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"DscDb"="C:\ProgramData\DscDb\kfohkhod.exe" [2008-09-15 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-01-19 77824]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-07 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-07 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-07 81920]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 222208]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
" Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-09-10 1253040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-08 44128]

C:\Users\HP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader - Schnellstart.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\Windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-07-24 17:02 490952 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-04 01:02 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A48C03BA-2FCB-43FE-8E68-D5C07EB45395}"= UDP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{EA52B341-D4A2-41F2-9D55-C39BCE58F04D}"= TCP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{56D9FC57-F549-4B58-B626-0E69F28B3D5B}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7564B209-912E-4E0E-9D17-A0475A2A1733}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7D5356AC-6305-4466-A573-2427115203C3}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{37DD6216-2589-47A3-99FF-CACC63B97270}"= UDP:39329:Torrent
"{2408813C-86CC-4557-BCD8-66207E6C7853}"= TCP:39329:TorrentUDP
"{BCDD89CD-1840-4F4F-A964-7176E8B8F6EA}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{18123142-A12D-42E9-96E3-CB72430BE11F}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2F09A5A4-43D5-4C79-97E2-DD6F2E244E88}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{148C9506-6CD8-4871-87A8-1687B13AC50E}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{EECDED33-E68F-4F04-9A55-742DB6F228AD}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 serviceIEConfig;IEConfig 1und1 Edition;C:\Windows\System32\ieconfig_1und1_svc.exe [2008-08-05 1053848]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Inhalt des "geplante Tasks" Ordners
.
.
------- Zusätzlicher Scan -------
.
FireFox -: Profile - C:\Users\HP\AppData\Roaming\Mozilla\Firefox\Profiles\p00m5sdj.default\
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava11.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava12.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava13.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava14.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava32.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npoji610.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 09:48:46
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

C:\Users\HP\AppData\Local\Temp\~DFCFA0.tmp 16384 bytes
C:\Users\HP\AppData\Local\Temp\~DFCFA5.tmp 512 bytes

Scan erfolgreich abgeschlossen
versteckte Dateien: 2

**************************************************************************
.
Zeit der Fertigstellung: 2008-09-16 9:50:41
ComboFix-quarantined-files.txt 2008-09-16 07:50:19

Pre-Run: Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden.
Post-Run: 19 Verzeichnis(se), 110,241,026,048 Bytes frei

217 --- E O F --- 2008-09-13 09:06:30

myrtille · 16.09.2008, 12:16

Hi,

befolge bitte folgendes:

Scripten mit Combofix

Öffne den Editor ( Start -> Zubehör -> Editor ) kopiere nun folgenden Text in das weiße Feld:

Code:

ATTFilter

folder::
C:\ProgramData\ylapqnqf
C:\ProgramData\DscDb
registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DscDb"=-

Speichere diese Datei nun auf dem Desktop unter -> cfscript.txt

Nun die Datei cfscript.txt mit der rechten Maustaste auf das Sysmbol von Combofix ziehen!

Danach das Combofix nochmal ausführen, das System neu starten und das Log von Combofix posten

Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann

Lg myrtille

rladmin · 17.09.2008, 13:01

dabei kam das heraus:

ComboFix 08-09-15.02 - HP 2008-09-17 13:52:36.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1031.18.412 [GMT 2:00]
ausgeführt von:: C:\Users\HP\Desktop\ComboFix.exe
Command switches used :: C:\Users\HP\Desktop\cfscript.txt
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\DscDb
C:\ProgramData\DscDb\kfohkhod.exe
C:\ProgramData\ylapqnqf

.
((((((((((((((((((((((( Dateien erstellt von 2008-08-17 bis 2008-09-17 ))))))))))))))))))))))))))))))
.

Keine neuen Dateien erstellt in diesem Zeitraum

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 20:07 34,916 ----a-w C:\Users\HP\AppData\Roaming\nvModes.dat
2008-09-15 18:40 5,822 ----a-w C:\Windows\System32\tmp.reg
2008-09-15 18:32 --------- d-----w C:\Program Files\Enigma Software Group
2008-09-15 18:01 --------- d-----w C:\Program Files\Trend Micro
2008-09-15 17:38 --------- d---a-w C:\ProgramData\TEMP
2008-09-15 15:21 --------- d-----w C:\Users\HP\AppData\Roaming\Malwarebytes
2008-09-15 15:21 --------- d-----w C:\ProgramData\Malwarebytes
2008-09-15 15:21 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-14 14:07 --------- d-----w C:\Users\HP\AppData\Roaming\uTorrent
2008-09-11 05:48 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-11 05:45 --------- d-----w C:\Program Files\Microsoft Works
2008-09-09 22:04 38,528 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys
2008-09-09 22:03 17,200 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-08-27 13:55 --------- d-----w C:\Users\HP\AppData\Roaming\Roxio
2008-08-27 13:54 --------- d-----w C:\ProgramData\Sonic
2008-08-24 17:49 --------- d-----w C:\Program Files\DSL Speed
2008-08-24 15:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-24 15:34 --------- d-----w C:\Users\HP\AppData\Roaming\InstallShield
2008-08-24 15:34 --------- d-----w C:\Program Files\CIB software GmbH
2008-08-24 14:01 --------- d-----w C:\Program Files\Common Files\XPressUpdate
2008-08-24 14:00 --------- d-----w C:\Program Files\PDF Editor 2
2008-08-24 13:41 73,216 ----a-w C:\Windows\cadkasdeinst01.exe
2008-08-24 13:35 --------- d-----w C:\Users\HP\AppData\Roaming\PixelPlanet
2008-08-24 13:35 --------- d-----w C:\ProgramData\PixelPlanet
2008-08-21 13:48 --------- d-----w C:\Program Files\MediaMonkey
2008-08-20 16:24 --------- d-----w C:\ProgramData\Apple Computer
2008-08-20 16:02 --------- d-----w C:\Users\HP\AppData\Roaming\Apple Computer
2008-08-20 16:01 --------- d-----w C:\Program Files\QuickTime
2008-08-20 16:01 --------- d-----w C:\Program Files\Bonjour
2008-08-20 15:59 --------- d-----w C:\Program Files\Apple Software Update
2008-08-20 15:58 --------- d-----w C:\ProgramData\Apple
2008-08-20 15:58 --------- d-----w C:\Program Files\Common Files\Apple
2008-08-19 10:37 --------- d-----w C:\Program Files\EPSON
2008-08-19 10:30 --------- d-----w C:\ProgramData\EPSON
2008-08-18 20:04 --------- d-----w C:\Users\HP\AppData\Roaming\vlc
2008-08-18 18:29 --------- d-----w C:\Program Files\VideoLAN
2008-08-17 19:31 --------- d-----w C:\Users\HP\AppData\Roaming\Winamp
2008-08-17 19:28 --------- d-----w C:\Program Files\Winamp
2008-08-17 18:19 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-08-17 18:18 --------- d-----w C:\Program Files\DVDVideoSoft
2008-08-16 13:18 --------- d-----w C:\Program Files\ElcomSoft
2008-08-14 13:01 --------- d-----w C:\Program Files\Windows Mail
2008-08-13 10:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-13 10:43 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-13 10:20 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-08-13 10:20 --------- d-----w C:\Users\HP\AppData\Roaming\DAEMON Tools
2008-08-13 09:27 --------- d-----w C:\Program Files\uTorrent
2008-08-13 01:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-12 20:24 --------- d-----w C:\Users\HP\AppData\Roaming\DivX
2008-08-12 20:24 --------- d-----w C:\Program Files\DivX
2008-08-12 15:50 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-12 15:50 --------- d-----w C:\Program Files\Windows Live Favorites
2008-08-12 15:48 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-12 15:48 --------- d-----w C:\Program Files\Windows Live
2008-08-12 15:41 --------- d-----w C:\ProgramData\WLInstaller
2008-08-12 12:38 --------- d-----w C:\Users\HP\AppData\Roaming\HP
2008-08-12 12:38 --------- d-----w C:\ProgramData\HP
2008-08-07 10:35 174 --sha-w C:\Program Files\desktop.ini
2008-08-07 05:24 --------- d-----w C:\Program Files\Windows Sidebar
2008-08-07 05:24 --------- d-----w C:\Program Files\Windows Defender
2008-08-07 05:24 --------- d-----w C:\Program Files\Windows Calendar
2008-08-07 05:21 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-08-07 05:21 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-08-07 05:21 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-08-07 05:19 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-08-07 05:19 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-08-07 05:18 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-08-07 05:18 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-08-07 05:13 414,208 ----a-w C:\Windows\System32\msscp.dll
2008-08-07 05:13 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-08-07 05:13 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-08-07 05:12 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-08-07 05:12 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-08-07 05:12 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-08-07 05:12 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-08-07 05:11 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-08-07 05:11 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-08-07 05:11 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-08-07 05:11 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-08-07 05:11 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-08-07 05:11 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-08-07 05:11 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-08-07 05:11 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-08-07 05:11 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-08-07 05:09 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-08-07 05:09 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-08-07 05:09 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-08-07 05:09 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-08-07 05:09 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-08-07 05:09 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-08-07 05:09 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-08-07 05:09 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-08-07 05:08 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-08-07 05:08 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
2008-08-07 05:08 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-08-07 05:06 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-08-07 05:06 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-08-07 05:06 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-08-07 05:06 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-08-07 05:06 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-16_ 9.49.32.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-16 07:15:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-17 11:37:00 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-09-16 07:15:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-09-17 11:37:00 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-09-16 07:17:11 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-17 11:38:36 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-17 11:38:36 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-09-16 07:17:06 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-17 11:38:31 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-09-16 07:15:36 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-17 11:39:09 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-16 07:15:36 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-17 11:39:09 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-16 07:15:36 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-17 11:39:09 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-16 07:20:47 116,706 ----a-w C:\Windows\System32\perfc007.dat
+ 2008-09-17 11:41:50 116,706 ----a-w C:\Windows\System32\perfc007.dat
- 2008-09-16 07:20:47 103,924 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-17 11:41:50 103,924 ----a-w C:\Windows\System32\perfc009.dat
- 2008-09-16 07:20:47 641,344 ----a-w C:\Windows\System32\perfh007.dat
+ 2008-09-17 11:41:50 641,344 ----a-w C:\Windows\System32\perfh007.dat
- 2008-09-16 07:20:47 610,142 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-17 11:41:50 610,142 ----a-w C:\Windows\System32\perfh009.dat
- 2008-09-16 07:17:22 6,426 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2566919658-3297028333-1099947430-1000_UserData.bin
+ 2008-09-17 11:38:48 6,426 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2566919658-3297028333-1099947430-1000_UserData.bin
- 2008-09-16 07:17:22 65,474 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-17 11:38:48 66,026 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-16 07:17:21 34,712 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-17 11:38:46 34,784 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-08-07 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-01-19 77824]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-07 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-07 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-07 81920]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 222208]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
" Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-09-10 1253040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-08 44128]

C:\Users\HP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader - Schnellstart.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\Windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-07-24 17:02 490952 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-04 01:02 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A48C03BA-2FCB-43FE-8E68-D5C07EB45395}"= UDP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{EA52B341-D4A2-41F2-9D55-C39BCE58F04D}"= TCP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{56D9FC57-F549-4B58-B626-0E69F28B3D5B}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7564B209-912E-4E0E-9D17-A0475A2A1733}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7D5356AC-6305-4466-A573-2427115203C3}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{37DD6216-2589-47A3-99FF-CACC63B97270}"= UDP:39329:Torrent
"{2408813C-86CC-4557-BCD8-66207E6C7853}"= TCP:39329:TorrentUDP
"{BCDD89CD-1840-4F4F-A964-7176E8B8F6EA}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{18123142-A12D-42E9-96E3-CB72430BE11F}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2F09A5A4-43D5-4C79-97E2-DD6F2E244E88}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{148C9506-6CD8-4871-87A8-1687B13AC50E}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{EECDED33-E68F-4F04-9A55-742DB6F228AD}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 serviceIEConfig;IEConfig 1und1 Edition;C:\Windows\System32\ieconfig_1und1_svc.exe [2008-08-05 1053848]
.
Inhalt des "geplante Tasks" Ordners
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-17 13:57:48
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-09-17 13:59:36
ComboFix-quarantined-files.txt 2008-09-17 11:59:11
ComboFix2.txt 2008-09-16 07:50:42

Pre-Run: Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden.
Post-Run: 19 Verzeichnis(se), 108,865,503,232 Bytes frei

238 --- E O F --- 2008-09-17 07:47:48

LG

myrtille · 17.09.2008, 17:26

Das sieht ganz gut aus. Wie gehts dem Rechner?

lg myrtille

17.09.2008, 17:26	#6
myrtille /// TB-Ausbilder	FakeAlert Trojan-Spy.Win32.GreenScreen etc. Das sieht ganz gut aus. Wie gehts dem Rechner? lg myrtille __________________ --> FakeAlert Trojan-Spy.Win32.GreenScreen etc.

FakeAlert Trojan-Spy.Win32.GreenScreen etc.

Plagegeister aller Art und deren Bekämpfung: FakeAlert Trojan-Spy.Win32.GreenScreen etc.