TR/Dropper.gen und TR/Crypt.XPACK.Gen und TR/Crypt.XPACK.Gen2 und TR/Dldr.Agent.cxyf.3

Arinna · 23.07.2010, 20:34

Ist das damit jetzt erledigt?

Vielen Vielen Vielen DANK!!!!!!!!!!
Dankeschön

All processes killed
========== OTL ==========
Process ICQ Service.exe killed successfully!
Service avast! Antivirus stopped successfully!
Service\Driver key avast! Antivirus not found.
File File not found not found.
Service ICQ Service stopped successfully!
Service ICQ Service deleted successfully!
C:\Programme\ICQ6Toolbar\ICQ Service.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2d7ca026-79ad-11dd-94b6-e86ca3a72970}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2d7ca026-79ad-11dd-94b6-e86ca3a72970}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2d7ca026-79ad-11dd-94b6-e86ca3a72970}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2d7ca026-79ad-11dd-94b6-e86ca3a72970}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2d7ca027-79ad-11dd-94b6-e86ca3a72970}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2d7ca027-79ad-11dd-94b6-e86ca3a72970}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2d7ca027-79ad-11dd-94b6-e86ca3a72970}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2d7ca027-79ad-11dd-94b6-e86ca3a72970}\ not found.
File H:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{369e16cc-cec5-11dd-93a1-8a7fa695eb00}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{369e16cc-cec5-11dd-93a1-8a7fa695eb00}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{369e16cc-cec5-11dd-93a1-8a7fa695eb00}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{369e16cc-cec5-11dd-93a1-8a7fa695eb00}\ not found.
File H:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4221e426-6a50-11dd-ae89-9e979c435226}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4221e426-6a50-11dd-ae89-9e979c435226}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4221e426-6a50-11dd-ae89-9e979c435226}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4221e426-6a50-11dd-ae89-9e979c435226}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4221e439-6a50-11dd-ae89-9e979c435226}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4221e439-6a50-11dd-ae89-9e979c435226}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4221e439-6a50-11dd-ae89-9e979c435226}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4221e439-6a50-11dd-ae89-9e979c435226}\ not found.
File G:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{46548092-5d14-11df-9038-a6295ef7deb6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46548092-5d14-11df-9038-a6295ef7deb6}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{46548092-5d14-11df-9038-a6295ef7deb6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46548092-5d14-11df-9038-a6295ef7deb6}\ not found.
File H:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{799dbbcf-c3e8-11dd-a121-b98525fdab3c}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{799dbbcf-c3e8-11dd-a121-b98525fdab3c}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{799dbbcf-c3e8-11dd-a121-b98525fdab3c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{799dbbcf-c3e8-11dd-a121-b98525fdab3c}\ not found.
File E:\SETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{799dbbcf-c3e8-11dd-a121-b98525fdab3c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{799dbbcf-c3e8-11dd-a121-b98525fdab3c}\ not found.
File E:\SETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{799dbbcf-c3e8-11dd-a121-b98525fdab3c}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{799dbbcf-c3e8-11dd-a121-b98525fdab3c}\ not found.
File E:\SETUP.EXE not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f730144d-6e35-11dd-92b3-9ca1db56280d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f730144d-6e35-11dd-92b3-9ca1db56280d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f730144d-6e35-11dd-92b3-9ca1db56280d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f730144d-6e35-11dd-92b3-9ca1db56280d}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f730144e-6e35-11dd-92b3-9ca1db56280d}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f730144e-6e35-11dd-92b3-9ca1db56280d}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f730144e-6e35-11dd-92b3-9ca1db56280d}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f730144e-6e35-11dd-92b3-9ca1db56280d}\ not found.
File G:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7301450-6e35-11dd-92b3-fa5522f2f577}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f7301450-6e35-11dd-92b3-fa5522f2f577}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7301450-6e35-11dd-92b3-fa5522f2f577}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f7301450-6e35-11dd-92b3-fa5522f2f577}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\ not found.
File G:\AutoRun.exe not found.
ADS C:\ProgramData\TEMP:8173A019 deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Kaus.Jacqueline
->Temp folder emptied: 1832115 bytes
->Temporary Internet Files folder emptied: 16187357 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 79399661 bytes
->Flash cache emptied: 6732 bytes

User: KAUS~1~JAC
->Temp folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 964064 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 16053988 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 109,00 mb

OTL by OldTimer - Version 3.2.9.1 log created on 07232010_212829

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

cosinus · 23.07.2010, 20:36

Dann bitte jetzt CF ausführen:

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir ComboFix hier herunter auf deinen Desktop. Benenne es beim Runterladen um in cofi.exe.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Schliesse alle Programme, vor allem dein Antivirenprogramm und andere Hintergrundwächter sowie deinen Internetbrowser.

Starte cofi.exe von deinem Desktop aus, bestätige die Warnmeldungen, führe die Updates durch (falls vorgeschlagen), installiere die Wiederherstellungskonsole (falls vorgeschlagen) und lass dein System durchsuchen.
Vermeide es auch während Combofix läuft die Maus und Tastatur zu benutzen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte kopieren ([Strg]a, [Strg]c) und in deinen Beitrag einfügen ([Strg]v). Die Datei findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Arinna · 23.07.2010, 21:07

So ich hoffe mal das ist das richtige. So wie das in der anleitung stand konnte ich das nicht machen... ich hab drauf geklickt und schon ist mein PC runtergefahren und beim neu start ging es direkt los mit der Suche....

Denn CCleaner hatte ich aber heute schon mal laufen lassen...

Hier der Log:

Combofix Logfile:

Code:

ATTFilter

ComboFix 10-07-22.06 - Kaus.Jacqueline 23.07.2010  21:51:42.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.49.1031.18.3069.2153 [GMT 2:00]
ausgeführt von:: c:\users\Kaus.Jacqueline\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\pswi_preloaded.exe
c:\users\Kaus.Jacqueline\AppData\Roaming\.#
c:\users\Kaus.Jacqueline\AppData\Roaming\.#\MBX@154C@1D52990.###
c:\users\Kaus.Jacqueline\AppData\Roaming\.#\MBX@154C@1D529C0.###
c:\users\Kaus.Jacqueline\AppData\Roaming\.#\MBX@154C@1D529F0.###
c:\users\Kaus.Jacqueline\AppData\Roaming\.#\MBX@554@6B2990.###
c:\users\Kaus.Jacqueline\AppData\Roaming\.#\MBX@554@6B29C0.###
c:\users\Kaus.Jacqueline\AppData\Roaming\.#\MBX@554@6B29F0.###

.
(((((((((((((((((((((((   Dateien erstellt von 2010-06-23 bis 2010-07-23  ))))))))))))))))))))))))))))))
.

2010-07-23 19:36 . 2010-05-21 12:14	221568	------w-	c:\windows\system32\MpSigStub.exe
2010-07-23 19:28 . 2010-07-23 19:28	--------	d-----w-	C:\_OTL
2010-07-23 11:28 . 2010-07-23 11:28	--------	d-----w-	c:\users\Kaus.Jacqueline\AppData\Roaming\Malwarebytes
2010-07-23 11:28 . 2010-04-29 10:19	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-23 11:28 . 2010-07-23 11:28	--------	d-----w-	c:\programdata\Malwarebytes
2010-07-23 11:28 . 2010-04-29 10:19	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-07-23 11:28 . 2010-07-23 11:28	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-07-23 11:09 . 2010-07-23 11:09	--------	d-----w-	c:\program files\CCleaner
2010-07-23 01:02 . 2010-07-23 01:02	--------	d-----w-	c:\programdata\Alwil Software
2010-07-23 01:02 . 2010-07-23 01:02	--------	d-----w-	c:\program files\Alwil Software
2010-07-23 01:00 . 2010-07-23 01:01	--------	d-----w-	c:\programdata\Google Updater
2010-07-19 21:36 . 2010-07-19 21:36	--------	d-----w-	c:\programdata\WindowsSearch
2010-07-16 12:57 . 2010-07-16 12:57	--------	d-----w-	c:\users\Kaus.Jacqueline\AppData\Roaming\Avira
2010-07-15 05:25 . 2010-07-15 05:25	--------	d-----w-	c:\program files\Windows Portable Devices
2010-07-14 21:48 . 2009-09-10 02:00	92672	----a-w-	c:\windows\system32\UIAnimation.dll
2010-07-14 21:48 . 2009-09-10 02:01	3023360	----a-w-	c:\windows\system32\UIRibbon.dll
2010-07-14 21:48 . 2009-09-10 02:00	1164800	----a-w-	c:\windows\system32\UIRibbonRes.dll
2010-07-14 21:48 . 2009-09-25 01:33	369664	----a-w-	c:\windows\system32\WMPhoto.dll
2010-07-14 21:48 . 2009-09-24 22:54	258048	----a-w-	c:\windows\system32\winspool.drv
2010-07-14 21:45 . 2009-10-08 21:07	4096	----a-w-	c:\windows\system32\oleaccrc.dll
2010-07-14 21:45 . 2009-10-08 21:08	555520	----a-w-	c:\windows\system32\UIAutomationCore.dll
2010-07-14 21:45 . 2009-10-08 21:08	234496	----a-w-	c:\windows\system32\oleacc.dll
2010-07-13 20:36 . 2010-07-13 20:36	--------	d-----w-	c:\program files\Common Files\Java
2010-07-13 20:35 . 2010-07-13 20:35	411368	----a-w-	c:\windows\system32\deployJava1.dll
2010-07-13 20:35 . 2010-07-13 20:35	--------	d-----w-	c:\program files\Java
2010-07-13 18:37 . 2010-03-01 07:05	124784	----a-w-	c:\windows\system32\drivers\avipbb.sys
2010-07-13 18:37 . 2010-02-16 11:24	60936	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2010-07-13 18:37 . 2009-05-11 09:49	51992	----a-w-	c:\windows\system32\drivers\avgntdd.sys
2010-07-13 18:37 . 2009-05-11 09:49	17016	----a-w-	c:\windows\system32\drivers\avgntmgr.sys
2010-07-13 18:36 . 2010-07-13 18:36	--------	d-----w-	c:\programdata\Avira
2010-07-13 18:36 . 2010-07-13 18:36	--------	d-----w-	c:\program files\Avira
2010-07-12 18:55 . 2010-07-12 19:00	--------	d-----w-	c:\windows\system32\ca-ES
2010-07-12 18:55 . 2010-07-12 19:00	--------	d-----w-	c:\windows\system32\eu-ES
2010-07-12 18:55 . 2010-07-12 19:00	--------	d-----w-	c:\windows\system32\vi-VN
2010-07-12 16:47 . 2010-07-12 16:47	--------	d-----w-	c:\windows\system32\EventProviders
2010-07-06 16:56 . 2010-07-06 16:56	118	----a-w-	c:\windows\RECHLI.SCR
2010-07-06 16:55 . 2010-07-06 16:56	--------	d-----w-	c:\program files\ETverlag
2010-06-24 20:28 . 2009-11-08 08:55	99176	----a-w-	c:\windows\system32\PresentationHostProxy.dll
2010-06-24 20:28 . 2009-11-08 08:55	49472	----a-w-	c:\windows\system32\netfxperf.dll
2010-06-24 20:28 . 2009-11-08 08:55	297808	----a-w-	c:\windows\system32\mscoree.dll
2010-06-24 20:28 . 2009-11-08 08:55	295264	----a-w-	c:\windows\system32\PresentationHost.exe
2010-06-24 20:28 . 2009-11-08 08:55	1130824	----a-w-	c:\windows\system32\dfshim.dll
2010-06-24 08:06 . 2010-01-06 15:39	1696256	----a-w-	c:\windows\system32\gameux.dll
2010-06-24 08:06 . 2010-04-16 16:43	28672	----a-w-	c:\windows\system32\Apphlpdm.dll
2010-06-24 08:05 . 2010-04-16 14:39	4240384	----a-w-	c:\windows\system32\GameUXLegacyGDFs.dll

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 19:56 . 2008-01-21 07:15	628742	----a-w-	c:\windows\system32\perfh007.dat
2010-07-23 19:56 . 2008-01-21 07:15	126454	----a-w-	c:\windows\system32\perfc007.dat
2010-07-23 19:28 . 2008-10-06 22:14	--------	d-----w-	c:\program files\ICQ6Toolbar
2010-07-23 01:00 . 2010-04-27 19:43	--------	d-----w-	c:\program files\Google
2010-07-21 13:01 . 2008-07-28 23:56	1682	--sha-w-	c:\windows\system32\KGyGaAvL.sys
2010-07-21 12:43 . 2008-10-06 22:14	--------	d-----w-	c:\users\Kaus.Jacqueline\AppData\Roaming\ICQ
2010-07-15 05:25 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-07-15 05:24 . 2006-11-02 10:25	665600	----a-w-	c:\windows\inf\drvindex.dat
2010-07-15 05:23 . 2010-07-15 05:23	0	---ha-w-	c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-07-14 21:40 . 2008-03-25 14:26	--------	d-----w-	c:\programdata\Microsoft Help
2010-07-12 19:00 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Calendar
2010-07-12 19:00 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Sidebar
2010-07-12 19:00 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Journal
2010-07-12 19:00 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Collaboration
2010-07-12 19:00 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Photo Gallery
2010-07-12 19:00 . 2006-11-02 12:37	--------	d-----w-	c:\program files\Windows Defender
2010-07-08 12:10 . 2008-03-25 14:39	--------	d-----w-	c:\program files\McAfee
2010-06-28 21:36 . 2009-07-14 15:16	--------	d-----w-	c:\program files\ICQ6.5
2010-06-27 18:24 . 2008-03-25 14:28	--------	d-----w-	c:\program files\Microsoft.NET
2010-06-20 15:07 . 2009-09-13 16:01	--------	d-----w-	c:\program files\Common Files\Symantec Shared
2010-06-18 18:16 . 2010-06-18 18:16	1079048	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-05-26 17:06 . 2010-06-09 13:35	34304	----a-w-	c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-09 13:36	289792	----a-w-	c:\windows\system32\atmfd.dll
2010-05-04 19:15 . 2010-06-09 13:35	834048	----a-w-	c:\windows\system32\wininet.dll
2010-05-04 18:37 . 2010-06-09 13:35	78336	----a-w-	c:\windows\system32\ieencode.dll
2010-05-01 14:13 . 2010-06-09 13:35	2037248	----a-w-	c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 01:00	39472	----a-w-	c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ClipIncSrvTray"="c:\program files\Tobit ClipInc\Player\ClipIncTray.exe" [2009-03-16 668424]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2008-01-24 102400]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-02-25 518656]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-11-22 178712]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-24 4702208]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-03-11 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-11 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-11 88608]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-01-02 707080]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 200704]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
"QuickFinder Scheduler"="c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2007-01-02 83568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Skytel"="Skytel.exe" [2008-01-24 1826816]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2010-07-23 161336]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-25 535336]
SETAUDIO.EXE [2008-4-4 20480]
SETRES.EXE [2008-4-4 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ef,e3,28,90,f5,21,cb,01

R2 0318981279912539mcinstcleanup;McAfee Application Installer Cleanup (0318981279912539);c:\users\KAUS~1.JAC\AppData\Local\Temp\031898~1.EXE [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 136176]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-12-06 685816]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2008-01-04 41456]
S2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-09-19 51200]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 ClipInc001;ClipInc 001;c:\program files\Tobit ClipInc\Server\ClipInc-Server.exe 001 [x]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-24 179712]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2008-01-24 43008]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
.
Inhalt des "geplante Tasks" Ordners

2010-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 12:21]

2010-07-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-07-23 01:00]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 19:43]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-27 19:43]

2010-07-23 c:\windows\Tasks\Norton Security Scan for Kaus.Jacqueline.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-05-19 07:48]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://start.icq.com/
mStart Page = hxxp://de.intl.acer.yahoo.com
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Öffnen mit WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
FF - ProfilePath - c:\users\Kaus.Jacqueline\AppData\Roaming\Mozilla\Firefox\Profiles\e0pwhaik.default\
FF - prefs.js: browser.startup.homepage - hxxp://ecosia.org/?cc=de&lang=de&nocookie=1
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1970.7372\npCIDetect14.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\Kaus.Jacqueline\Desktop\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\users\Kaus.Jacqueline\Desktop\DivX\DivX Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-eRecoveryService - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-07-23 22:00
Windows 6.0.6002 Service Pack 2 NTFS

Scanne versteckte Prozesse... 

Scanne versteckte Autostarteinträge... 

Scanne versteckte Dateien... 

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2010-07-23  22:02:20
ComboFix-quarantined-files.txt  2010-07-23 20:02

Vor Suchlauf: 13 Verzeichnis(se), 90.459.406.336 Bytes frei
Nach Suchlauf: 17 Verzeichnis(se), 91.422.265.344 Bytes frei

- - End Of File - - 551FAC3DCBDC3A5DE322298585DF88F3

--- --- ---

Das wars aber jetzt oder :-)

Vielen Dank nochmal

cosinus · 23.07.2010, 21:56

Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten. GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus

Anschließend den bootkit_remover herunterladen. Entpacke das Tool in einen eigenen Ordner auf dem Desktop und führe in diesem Ordner die Datei remove.exe aus.

Wenn Du Windows Vista oder Windows 7 verwendest, musst Du die remover.exe über ein Rechtsklick => als Administrator ausführen

Ein schwarzes Fenster wird sich öffnen und automatisch nach bösartigen Veränderungen im MBR suchen.
Poste dann bitte, ob es Veränderungen gibt und wenn ja in welchem device. Am besten alles posten was die remover.exe ausgibt.

Arinna · 23.07.2010, 22:22

Hey,

also GMER stürzt bei mir immer ab.
OSAM und bootkit remover kann ich nicht öffen, da fehlt mir irgentwas für...

Liebe Grüße

cosinus · 23.07.2010, 23:04

Nimm fürs Entpacken bitte 7zip oder WinRAR. Bitte nicht WinZIP benutzen!

Arinna · 24.07.2010, 14:33

ok jetzt klappts,

hier ist Log von Osam

OSAM Logfile:

Code:

ATTFilter

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 15:30:34 on 24.07.2010

OS: Windows Vista Home Premium Edition Service Pack 2 (Build 6002), 32-bit
Default Browser: Mozilla Corporation Firefox 3.5.11

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"AppleSoftwareUpdate.job" - "Apple Computer, Inc." - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"Google Software Updater.job" - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"Norton Security Scan for Kaus.Jacqueline.job" - "Symantec Corporation" - C:\Program Files\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"bdeadmin.cpl" - "Borland Software Corporation" - C:\Windows\system32\bdeadmin.cpl
"ISUSPM.cpl" - "Macrovision Corporation" - C:\Windows\system32\ISUSPM.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"mlcfg32.cpl" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\MLCFG32.CPL
"QuickTime" - "Apple Computer, Inc." - C:\Program Files\QuickTime\QTSystem\QuickTime.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys
"az5h9zji" (az5h9zji) - "Microsoft Corporation" - C:\Windows\system32\drivers\az5h9zji.sys  (Hidden registry entry, rootkit activity | File signed by Microsoft)
"catchme" (catchme) - ? - C:\Users\KAUS~1.JAC\AppData\Local\Temp\catchme.sys  (File not found)
"int15" (int15) - "Acer, Inc." - C:\Acer\Empowering Technology\eRecovery\int15.sys
"IP in IP Tunnel Driver" (IpInIp) - ? - C:\Windows\System32\DRIVERS\ipinip.sys  (File not found)
"IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\Windows\System32\DRIVERS\nwlnkflt.sys  (File not found)
"IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\Windows\System32\DRIVERS\nwlnkfwd.sys  (File not found)
"PSDFilter" (PSDFilter) - "Egis Incorporated" - C:\Windows\System32\DRIVERS\psdfilter.sys
"PSDNServ" (PSDNServ) - "Egis Incorporated" - C:\Windows\System32\DRIVERS\PSDNServ.sys
"PSDVdisk" (psdvdisk) - "Egis Incorporated" - C:\Windows\System32\DRIVERS\PSDVdisk.sys
"sptd" (sptd) - "Duplex Secure Ltd." - C:\Windows\System32\Drivers\sptd.sys  (File is exclusively opened, access blocked)
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys
"Upper Class Filter Driver" (NTIDrvr) - "NewTech Infosystems, Inc." - C:\Windows\System32\DRIVERS\NTIDrvr.sys
"{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}" ({49DE1C67-83F8-4102-99E0-C16DCC7EEC796}) - "Cyberlink Corp." - C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl

[Explorer]
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
{88FED34C-F0CA-4636-A375-3CB6248B04CD} "Local Groove Web Services Protocol" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )-----
{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{AEB6717E-7E19-11d0-97EE-00C04FD91972} "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? -   (File not found | COM-object registry key not found)
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll
{1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? -   (File not found | COM-object registry key not found)
{34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? -   (File not found | COM-object registry key not found)
{4EB37360-49E8-11D3-95B5-004033382980} "ALZip 4.0 Context Menu Shell Extension" - ? -   (File not found | COM-object registry key not found)
{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? -   (File not found | COM-object registry key not found)
{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} "DragDropProtect Class" - "Egis Incorporated" - C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0} "EPM-PO Shell Extensions" - ? - epm-po.dll  (File not found)
{2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? -   (File not found | COM-object registry key not found)
{99FD978C-D287-4F50-827F-B2C658EDA8E7} "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} "Groove Explorer Icon Overlay 2 (GFS Stub)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{920E6DB1-9907-4370-B3A0-BAFC03D81399} "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{16F3DD56-1AF5-4347-846D-7C10C4192619} "Groove Explorer Icon Overlay 3 (GFS Folder)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{2A541AE1-5BF6-4665-A8A3-CFA9672E4291} "Groove Folder Synchronization" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{6C467336-8281-4E60-8204-430CED96822D} "Groove GFS Context Menu Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{A449600E-1DC6-4232-B948-9BD794D62056} "Groove GFS Stub Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{387E725D-DC16-4D76-B310-2C93ED4752A0} "Groove XML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL
{00020d75-0000-0000-c000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
{0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL
{C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? -   (File not found | COM-object registry key not found)
{E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? -   (File not found | COM-object registry key not found)
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll
{da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? -   (File not found | COM-object registry key not found)

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? -   (File not found | COM-object registry key not found)
-----( HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks )-----
{855F3B16-6D32-4fe6-8A56-BBB695989046} "ICQToolBar" - "ICQ" - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
 "{855F3B16-6D32-4fe6-8A56-BBB695989046}" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_20" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} "Java Plug-in 1.6.0_20" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_20" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_20.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} "{E2883E8F-472F-4FB0-9522-AC9BF37916A7}" - ? -   (File not found | COM-object registry key not found) / hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
"ICQ6" - "ICQ, LLC." - C:\Program Files\ICQ6.5\ICQ.exe
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "Acer eDataSecurity Management" - "Egis Incorporated." - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
{855F3B16-6D32-4fe6-8A56-BBB695989046} "ICQToolBar" - "ICQ" - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
<binary data> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" - ? -   (File not found | COM-object registry key not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} "Google Toolbar Notifier BHO" - "Google Inc." - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\Kaus.Jacqueline\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"Orion.lnk" - ? - C:\Users\Kaus.Jacqueline\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Orion.lnk  (Shortcut exists | File not found)
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
"Empowering Technology Launcher.lnk" - "Acer Inc." - C:\Acer\Empowering Technology\eAPLauncher.exe  (Shortcut exists | File exists)
"SETAUDIO.EXE" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SETAUDIO.EXE
"SETRES.EXE" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SETRES.EXE
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"ClipIncSrvTray" - "Tobit.Software" - "C:\Program Files\Tobit ClipInc\Player\ClipIncTray.exe"
-----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )-----
"StartupPrograms" - ? - rdpclip  (File not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"eAudio" - "CyberLink" - "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
"eDataSecurity Loader" - "Egis Incorporated" - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
"Google Updater" - "Google" - "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -check_deprecation
"GrooveMonitor" - "Microsoft Corporation" - "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"IAAnotif" - "Intel Corporation" - C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
"LManager" - "Dritek System Inc." - C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
"PlayMovie" - "CyberLink Corp." - "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
"PLFSetI" - ? - C:\Windows\PLFSetI.exe
"QuickFinder Scheduler" - "Corel Corporation" - "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
"QuickTime Task" - "Apple Computer, Inc." - "C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
"WarReg_PopUp" - "Acer Incorporated" - C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\Windows\system32\msonpmon.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100" (WPFFontCache_v0400) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
"ALaunch Service" (ALaunchService) - ? - C:\Acer\ALaunch\ALaunchSvc.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"ClipInc 001" (ClipInc001) - ? - C:\Program Files\Tobit ClipInc\Server\ClipInc-Server.exe
"Cyberlink RichVideo Service(CRVS)" (RichVideo) - ? - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
"eDataSecurity Service" (eDataSecurity Service) - "Egis Incorporated" - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
"eLock Service" (eLockService) - "Acer Inc." - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
"eNet Service" (eNet Service) - "Acer Inc." - C:\Acer\Empowering Technology\eNet\eNet Service.exe
"ePower Service" (WMIService) - "acer" - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
"eRecovery Service" (eRecoveryService) - "Acer Inc." - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
"eSettings Service" (eSettingsService) - ? - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
"Google Software Updater" (gusvc) - "Google" - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"Google Update Service (gupdate)" (gupdate) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"Intel(R) Matrix Storage Event Monitor" (IAANTMON) - "Intel Corporation" - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
"LightScribeService Direct Disc Labeling Service" (LightScribeService) - "Hewlett-Packard Company" - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
"McAfee Application Installer Cleanup (0318981279912539)" (0318981279912539mcinstcleanup) - ? - C:\Users\KAUS~1.JAC\AppData\Local\Temp\031898~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service  (File not found)
"Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
"Microsoft Office Groove Audit Service" (Microsoft Office Groove Audit Service) - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
"MobilityService" (MobilityService) - ? - C:\Acer\Mobility Center\MobilityService.exe
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"ProtexisLicensing" (ProtexisLicensing) - ? - C:\Windows\system32\PSIService.exe
"StarWind AE Service" (StarWindServiceAE) - "Rocket Division Software" - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

===[ Logfile end ]=========================================[ Logfile end ]===

--- --- ---

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

Liebe Grüße

Arinna · 24.07.2010, 14:54

Ok bei Bootkit Remover kommt irgentwas komisches, das kann man auch nicht kopieren,aber ich hab hier alles abgetippt :

<c> 2009 eSage Lab
esage lab - main

Program version: 1.1.0.0
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2
002>, 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDriver0 at offset 0x00000002`af 600000
Boot sector MD5 is: dc220266e2471b59f5999b434394b525

Size Device Name MBR Status
---------------------------------------------------------------------
298 GB \\.\PhysicalDriver0 unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dumo <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>

Done;
Press any key to quit...

cosinus · 26.07.2010, 14:55

Zuerst mal bitte - falls noch nicht getan - die Datei remover.exe (vom BootkitRemover) vom Desktop nach c:\windows\system32 kopieren!
Danach die Konsole starten über Start, Ausführen, cmd eintippen, ok.

Da Du Vista verwendest, solltest Du die cmd.exe bzw. die Eingabeaufforderung per Rechtsklick => "als Administrator ausführen" starten.
Falls wir irgendwie Probleme haben, können wir auch alternativ die UAC deaktivieren

Den Text im folgenden Codefeld eintippen und mit Enter/Return ausführen:

Code:

ATTFilter

remover.exe fix \\.\PhysicalDrive0

Arinna · 26.07.2010, 17:44

Hi, also hab die remover.exe nach windows\system32 kopiert.
Aber :-) was ist die Konsole und wo soll ich das starten, ausführen finden?

und wo soll ich diesen Text eintippen? "Den Text im folgenden Codefeld eintippen und mit Enter/Return ausführen: "

Sorry,

liebe Grüße Danke!

cosinus · 26.07.2010, 22:22

Klick Dich mal durchs Startmenü bis Du die Eingabeaufforderung findest. Die per Rechtsklick => als Admin ausführen.

Alternativ machst Du per Rechtsklick auf einem freien Bereich auf dem Desktop und sagst neue Verknüpfung, als Ziel tippst Du cmd.exe ein und bestätgist alles. Danach ist eine Verknüpfung zur Eingabeaufforderung auf dem Desktop, diese per Rechtsklick => als Admin ausführen

Arinna · 27.07.2010, 13:14

Ok wenn ich das mache kommt ein Sicherheits Hinweis der folgender maßen lautet

You are trying to rewrite boot code at\\.\PhysicalDrive0

It is strongly recommended to reboot immediately after the disinfection.
Otherwise the malicious boot code can be restored by the trojan.

Type "Yes" to allow immediate reboot after the desinfection, or "No" to disinfect without reboot.

Soll ich ja, oder nein klicken?

Liebe Grüße

cosinus · 27.07.2010, 13:35

Hm, ich merk gerade, dass der BootkitRemover nicht mit Vista kompatibel sein könnte. Mach das mal bitte mit einem anderen Tool:

Downloade Dir bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.

Doppelklick auf die MBRCheck.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Das Tool braucht nur eine Sekunde.
Danach solltest du eine MBRCheck_<Datum>_<Uhrzeit>.txt auf dem Desktop finden.

Poste mir bitte den Inhalt des .txt Dokumentes

Arinna · 28.07.2010, 19:59

Hi also ich hab das ganze runtergelade und auf ausführen als administrator geklickt....

dann kommt das hier:

MBRCheck, version 1.1.1
<c> 2010,AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
----------------------------------------------------------------
298 GB \\.\PhysicalDrive0 Unknown MBR code

Found non-standard or infected MBR.
Enter "y" and hit ENTER for more options, or "N" to exit:

So was soll ich jetzt machen?

Liebe Grüße

cosinus · 29.07.2010, 14:32

Lösche bitte die vorhandenen MBRCheck.txt.

Starte bitte MBRCheck.exe erneut.
Diesmal tippe in das Fenster folgendes ein und bestätige jede Eingabe mit Enter
bei

Enter 'Y' and hit ENTER for more options, or 'N' to exit: y
Enter your choice: 2
Enter the physical disk number to fix (0-99, -1 to cancel): x
PLease select the MBR code to write to this drive: x

Die rot eingerahmten Zahlen aus der Anleitung entnehmen!!! (=> Da Du Vista hast, musst Du als MBR-Code 3 eintragen)

Gib nun Yes ein und bestätige mit ENTER.
Starte den Rechner neu auf.

Nach dem Neustart starte bitte MBRCheck.exe erneut.
Nun findest Du 2 MBRCheck_<Datum>_<Uhrzeit>.txt auf dem Desktop.
Poste mir den Inhalt von beiden .txt Dokumenten

23.07.2010, 23:04	#21
cosinus /// Winkelfunktion /// TB-Süch-Tiger™	TR/Dropper.gen und TR/Crypt.XPACK.Gen und TR/Crypt.XPACK.Gen2 und TR/Dldr.Agent.cxyf.3 Nimm fürs Entpacken bitte 7zip oder WinRAR. Bitte nicht WinZIP benutzen! __________________ --> TR/Dropper.gen und TR/Crypt.XPACK.Gen und TR/Crypt.XPACK.Gen2 und TR/Dldr.Agent.cxyf.3

TR/Dropper.gen und TR/Crypt.XPACK.Gen und TR/Crypt.XPACK.Gen2 und TR/Dldr.Agent.cxyf.3

Plagegeister aller Art und deren Bekämpfung: TR/Dropper.gen und TR/Crypt.XPACK.Gen und TR/Crypt.XPACK.Gen2 und TR/Dldr.Agent.cxyf.3