Trojaner-Board

Source: https://www.trojaner-board.de/56982-tr-vundo-gen-bitte-um-geschulten-blick-log-file.html (Trojaner-Board, forum "Log-Analyse und Auswertung")

Frando Fantastico 30.07.2008 17:10

TR/Vundo.Gen !! Please take a trained look at the log file
 
I caught the trojan TR/Vundo.Gen and have already deleted quite a bit; now Spybot - Search & Destroy Resident keeps popping up and keeps reporting changes to cmds in rundll32.exe C:\Users\xxx\AppData\Local\Temp\.......
Who can look at the log file for me and tell me where the threat is coming from?

Regards, Frando


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:38:07, on 29.08.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\avmwlanstick\WLanGUI.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\phonostar\ps_agent.exe
C:\Program Files\phonostar\ps_timer.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Windows\System32\ACEngSvr.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ASUS\Net4Switch\Net4Switch.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\avmwlanstick\WlanNetService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\system32\svchost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Windows\System32\PAStiSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
c:\program files\windows defender\MpCmdRun.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avnotify.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {2881DA20-2EAD-4741-8AF3-4798FADD0428} - C:\Windows\nfavxwdbpbd.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: fdkowvbp - {65FDCE92-5922-48F2-A5E7-A1981975D160} - C:\Windows\fdkowvbp.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVMWlanClient] C:\Program Files\avmwlanstick\wlangui.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Device Detection] C:\Program Files\fotokasten comfort\dd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ssqRIARl.dll,#1
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Device Detection] C:\Program Files\LIDL Fotoservice\dd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PhonostarAgent] C:\Program Files\phonostar\ps_agent.exe
O4 - HKCU\..\Run: [PhonostarTimer] C:\Program Files\phonostar\ps_timer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Dagiputz\AppData\Local\Temp\ssqNFWoN.dll,#1
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKCU\..\Run: [60ecbcc2] rundll32.exe "C:\Users\Dagiputz\AppData\Local\Temp\joybkeny.dll",b
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Dagiputz\AppData\Local\Temp\tuvTmKEw.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/SCRABBLE/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/SCRABBLE/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O21 - SSODL: wnslvxtf - {388C4998-0A18-4E83-8FE4-961FD94A015E} - C:\Windows\wnslvxtf.dll
O21 - SSODL: eqvwamkl - {EBEA79C6-6D98-4037-A7F9-7BABEFA762C6} - C:\Windows\eqvwamkl.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVM WLAN Connection Service - AVM Berlin - C:\Program Files\avmwlanstick\WlanNetService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: STI Simulator - Unknown owner - C:\Windows\System32\PAStiSvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
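
An added triage script for the kind of log posted above (editor's example, not a Trojaner-Board tool and not part of HijackThis). It reads O2/O3/O4/O21 lines in HijackThis format and flags the patterns that mark the malicious entries in this particular log: rundll32 loading a DLL out of the user's Temp folder or with an ordinal (#1) or single-letter entry point, BHO/toolbar/SSODL DLLs dropped directly into C:\Windows, and a BHO registered with neither name nor file. The sample lines are copied from the log; the rules themselves are the editor's assumptions, and location-based rules will occasionally hit legitimate software, so the output is a shortlist to check, not a verdict.

```python
"""Triage of HijackThis O2/O3/O4/O21 entries for the Vundo-style indicators
visible in the log above.

Added example for this thread; not a Trojaner-Board tool and not part of
HijackThis. The heuristics are the editor's assumptions drawn from the log:
rundll32 launching a DLL out of %TEMP% or with an ordinal (#1) or
single-letter entry point, COM objects (BHO, toolbar, SSODL) whose DLL sits
directly in C:\\Windows, and BHOs registered with neither name nor file.
"""
import re
from typing import List, NamedTuple

# Constructed sample: a subset of lines in the format of the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {2881DA20-2EAD-4741-8AF3-4798FADD0428} - C:\Windows\nfavxwdbpbd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: fdkowvbp - {65FDCE92-5922-48F2-A5E7-A1981975D160} - C:\Windows\fdkowvbp.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ssqRIARl.dll,#1
O4 - HKCU\..\Run: [60ecbcc2] rundll32.exe "C:\Users\Dagiputz\AppData\Local\Temp\joybkeny.dll",b
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Dagiputz\AppData\Local\Temp\tuvTmKEw.dll,c
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O21 - SSODL: wnslvxtf - {388C4998-0A18-4E83-8FE4-961FD94A015E} - C:\Windows\wnslvxtf.dll
"""

# O4 - HIVE\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O2/O3/O21 - Kind: name - {CLSID} - path
COM_RE = re.compile(r"^(?P<kind>O21|O2|O3) - [^:]+: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# rundll32[.exe] ["]dll["],entry
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S*)', re.IGNORECASE)

TEMP_MARKER = "\\appdata\\local\\temp\\"
WINDOWS_ROOT = "c:\\windows\\"


class Finding(NamedTuple):
    kind: str          # HijackThis section: O2, O3, O4 or O21
    name: str          # entry name as printed in the log
    target: str        # command line (O4) or DLL path (COM entries)
    reasons: List[str]


def in_user_temp(path: str) -> bool:
    return TEMP_MARKER in path.lower()


def in_windows_root(path: str) -> bool:
    """True for a file placed directly in C:\\Windows, not in a subfolder."""
    low = path.lower()
    return low.startswith(WINDOWS_ROOT) and "\\" not in low[len(WINDOWS_ROOT):]


def odd_entry_point(entry: str) -> bool:
    """Ordinal (#1) or single-letter exports, as in the MSServer/cmds entries above."""
    return re.fullmatch(r"#\d+|[A-Za-z]", entry) is not None


def path_reasons(path: str) -> List[str]:
    reasons = []
    if in_user_temp(path):
        reasons.append("DLL lives in the user's %TEMP% folder")
    if in_windows_root(path):
        reasons.append("DLL dropped directly into C:\\Windows")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return the entries that match at least one heuristic, with the reasons."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            reasons: List[str] = []
            r = RUNDLL_RE.match(cmd)
            if r:
                reasons += path_reasons(r.group("dll"))
                if odd_entry_point(r.group("entry")):
                    reasons.append(f"rundll32 entry point '{r.group('entry')}' is an ordinal or single letter")
            if reasons:
                findings.append(Finding("O4", m.group("name"), cmd, reasons))
            continue
        m = COM_RE.match(line)
        if m:
            path = m.group("path")
            reasons = path_reasons(path)
            if m.group("name") == "(no name)" and path == "(no file)":
                reasons.append("orphaned COM registration: no name and no file")
            if reasons:
                findings.append(Finding(m.group("kind"), m.group("name"), path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<3} [{f.name}] {f.target}")
        for reason in f.reasons:
            print(f"      - {reason}")
```

Run against the sample it lists exactly the seven entries that MBAM later removes or that vanish with them (MSServer, 60ecbcc2, cmds, the QXK Olive BHO, the fdkowvbp toolbar, the wnslvxtf SSODL and the orphaned BHO) and leaves the Avira and Welcome Center entries alone; the system32 copy of ssqRIARl.dll is caught only by the entry-point rule, which is why the location rules alone are not enough.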

--

Sunny 30.07.2008 17:13

Hello Frando Fantastico and
http://www.mysmilie.de/generator/ablage/156/257.png

Have files checked online:
  • Go to the VirusTotal site, click the "Browse" button and locate the following file(s):
Code:

C:\Windows\system32\ssqRIARl.dll
  • Now upload each file one after the other and wait until the scan is finished (this can take up to 2 minutes).
  • Then post the result of the analysis: copy everything and paste it into a reply.
  • Important: copy the file size and the HASH as well!



Malwarebytes' Anti-Malware
  • Read through the removal guide and let it remove everything it finds:



ComboFix
  • Download the tool from here to your desktop -> CLICK
Do not start the program yet; first do the following:
  • Close all applications and programs, above all your antivirus software and other background guards, as well as your web browser.
    Also explicitly avoid using the mouse and keyboard while ComboFix is running.
  • Now start combofix.exe from your desktop, confirm the warnings and let it scan your system.
  • Afterwards a combofix.txt opens automatically; copy its contents and paste them into your reply. The log can also be found at C:\ComboFix.txt.
Important note:
ComboFix may only be run when a qualified helper has explicitly recommended it!
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.
Note: ComboFix disables the autorun function of all CD / DVD and USB drives in order to contain the spread. If this causes problems, post them in the thread.

(detailed guide -> A guide and tutorial on using ComboFix)

Frando Fantastico 31.07.2008 16:51

Hello Sunny, here is the requested data

Antivirus          Version           Last update   Result
AhnLab-V3          2008.7.29.1       2008.07.31    -
AntiVir            7.8.1.15          2008.07.31    -
Authentium         5.1.0.4           2008.07.31    -
Avast              4.8.1195.0        2008.07.31    Win32:Trojan-gen {Other}
AVG                8.0.0.156         2008.07.31    Vundo
BitDefender        7.2               2008.07.31    -
CAT-QuickHeal      9.50              2008.07.30    -
ClamAV             0.93.1            2008.07.31    -
DrWeb              4.44.0.09170      2008.07.31    -
eSafe              7.0.17.0          2008.07.29    Suspicious File
eTrust-Vet         31.6.5997         2008.07.31    -
Ewido              4.0               2008.07.31    -
F-Prot             4.4.4.56          2008.07.30    W32/Virtumonde.AC.gen!Eldorado
F-Secure           7.60.13501.0      2008.07.31    -
Fortinet           3.14.0.0          2008.07.31    -
GData              2.0.7306.1023     2008.07.31    Win32:Trojan-gen
Ikarus             T3.1.1.34.0       2008.07.31    -
Kaspersky          7.0.0.125         2008.07.31    -
McAfee             5350              2008.07.30    -
Microsoft          1.3704            2008.07.28    -
NOD32v2            3314              2008.07.31    -
Norman             5.80.02           2008.07.31    W32/Vundo.DVV
Panda              9.0.0.4           2008.07.31    -
PCTools            4.4.2.0           2008.07.31    -
Prevx1             V2                2008.07.31    Fraudulent Security Program
Rising             20.55.32.00       2008.07.31    -
Sophos             4.31.0            2008.07.31    -
Sunbelt            3.1.1537.1        2008.07.29    VIPRE.Suspicious
Symantec           10                2008.07.31    -
TheHacker          6.2.96.389        2008.07.25    -
TrendMicro         8.700.0.1004      2008.07.31    -
VBA32              3.12.8.1          2008.07.31    -
ViRobot            2008.7.31.1319    2008.07.31    Trojan.Win32.Monder.34688
VirusBuster        4.5.11.0          2008.07.31    -
Webwasher-Gateway  6.6.2             2008.07.31    Win32.Malware.gen!94 (suspicious)

Further information
File size: 34688 bytes
MD5...: 7c60d26a98454c166003a23d913d2552
SHA1..: ce79aaa343cadfea3f63e764e2fba45741838490
SHA256: 9ababe9077276f1e7cba5c2974cedb17b84f60e1118f733bc76eb8b98791d5d1
SHA512: 7ccbecfee53812d1181ba8e19240a6ba006a28195ecb5ba221bf139b59822c68150bac99ce8e2086e5fc54286a7dc1a36236faca199519e3f56bb3ca71f5d38d
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001475
timedatestamp.....: 0x48731a76 (Tue Jul 08 07:42:46 2008)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3000 0x3000 4.50 2a61a90c1e97ff8e16fcae94820f5ac3
DATA 0x4000 0x1000 0x800 4.41 bc2439200f0d7640f1790f22e5b169b1
0x5000 0x1000 0x200 7.59 011fb67d370cd7984daf1b68b6631cef
0x6000 0x1000 0xc00 7.94 8771ea431149175e1454b4858f2c7d9a
0x7000 0x1000 0xe00 7.96 c746ed9565a122e2ce06a5b300450a85
0x8000 0x1000 0x200 7.63 ef2f7c10352ced9b3c2ff916e7bb8c53
0x9000 0x1000 0x600 7.88 1cbf7950d38f23f91e7f86355a8307ba
0xa000 0x6000 0x2780 7.67 c8e3bf960fcf2979423cb656788fc5f4

( 3 imports )
> gdi32.dll: Arc, CreateRectRgn, CreateSolidBrush, DeleteDC, DeleteObject, GetDeviceCaps, GetPixel, GetStockObject, MoveToEx, Rectangle, RestoreDC, SaveDC, SelectObject, SetBkColor, SetBkMode, SetBrushOrgEx, SetPixel, SetStretchBltMode, SetTextColor, SetWindowOrgEx, StretchBlt, TextOutA
> comdlg32.dll: GetOpenFileNameA, GetOpenFileNameA
> kernel32.dll: CloseHandle, CreateFileA, DeleteCriticalSection, DeleteFileA, EnterCriticalSection, ExitProcess, FindClose, FindFirstFileA, FreeLibrary, GetCommandLineA, GetCurrentThreadId, GetFileSize, GetFileType, GetLastError, GetModuleFileNameA, GetModuleHandleA, InitializeCriticalSection, LeaveCriticalSection, LocalAlloc, LocalFree, lstrcpyn, lstrlen, MultiByteToWideChar, OpenMutexA, ReadFile, ResumeThread, SetEndOfFile, SetFilePointer, Sleep, TerminateThread, UnhandledExceptionFilter, WaitForSingleObject, WideCharToMultiByte, WinExec, WriteFile

( 0 exports )
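
An added example (editor's code, not VirusTotal's or PEiD's) showing what the ntrpy column in the PEInfo table above measures and why it matters for this sample: Shannon entropy in bits per byte sits around 4 to 5 for ordinary x86 code and text (the .text and DATA rows), and climbs toward 8.0 for compressed or encrypted bytes. Six unnamed sections at 7.59 to 7.96 next to a 12 KB .text stub are the shape of a packed payload, which is also why only a handful of engines with generic Vundo/Virtumonde signatures hit it. The section rows are copied from the report; the 7.0 cut-off is an assumption, and the zero/text/uniform blobs are constructed only to calibrate the scale.

```python
"""Section-entropy check for the VirusTotal PEInfo table above.

Added example for this thread, not VirusTotal's or PEiD's own code. 'ntrpy'
is Shannon entropy in bits per byte: near 8.0 for compressed/encrypted
bytes, typically 4 to 6 for x86 code. The 7.0 cut-off and the view that
unnamed high-entropy sections next to a small .text stub indicate a packer
are the editor's rule of thumb, not a vendor signature.
"""
import math
from collections import Counter
from typing import Dict, List, NamedTuple


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed calibration samples, not taken from the malware.
CALIBRATION = {
    "all zeros": bytes(512),
    "english text": b"The quick brown fox jumps over the lazy dog. " * 12,
    "uniform bytes": bytes(range(256)) * 2,
}


class Section(NamedTuple):
    name: str        # "" for the unnamed sections in the report
    virt_addr: int
    virt_size: int
    raw_size: int
    entropy: float
    md5: str


# The eight rows from the report above, copied verbatim (empty name = unnamed section).
VT_SECTION_TABLE = """\
.text 0x1000 0x3000 0x3000 4.50 2a61a90c1e97ff8e16fcae94820f5ac3
DATA 0x4000 0x1000 0x800 4.41 bc2439200f0d7640f1790f22e5b169b1
0x5000 0x1000 0x200 7.59 011fb67d370cd7984daf1b68b6631cef
0x6000 0x1000 0xc00 7.94 8771ea431149175e1454b4858f2c7d9a
0x7000 0x1000 0xe00 7.96 c746ed9565a122e2ce06a5b300450a85
0x8000 0x1000 0x200 7.63 ef2f7c10352ced9b3c2ff916e7bb8c53
0x9000 0x1000 0x600 7.88 1cbf7950d38f23f91e7f86355a8307ba
0xa000 0x6000 0x2780 7.67 c8e3bf960fcf2979423cb656788fc5f4
"""

PACKED_THRESHOLD = 7.0  # assumption: above this a section is treated as packed/encrypted


def parse_section_table(text: str) -> List[Section]:
    """Parse rows from the right so an empty name column does not shift the fields."""
    sections = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5:
            continue
        viradd, virsiz, rawsiz, ntrpy, md5 = tokens[-5:]
        name = " ".join(tokens[:-5])
        sections.append(Section(name, int(viradd, 16), int(virsiz, 16), int(rawsiz, 16), float(ntrpy), md5))
    return sections


def packed_sections(sections: List[Section]) -> List[Section]:
    return [s for s in sections if s.entropy > PACKED_THRESHOLD]


def summarize(sections: List[Section]) -> Dict[str, int]:
    """The counts a reviewer would quote: sections, packed ones, unnamed packed ones, packed bytes on disk."""
    packed = packed_sections(sections)
    return {
        "sections": len(sections),
        "packed": len(packed),
        "packed_unnamed": sum(1 for s in packed if s.name == ""),
        "packed_bytes": sum(s.raw_size for s in packed),
    }


if __name__ == "__main__":
    for label, blob in CALIBRATION.items():
        print(f"{label:<14} {shannon_entropy(blob):.2f} bits/byte")
    secs = parse_section_table(VT_SECTION_TABLE)
    for s in secs:
        tag = "PACKED?" if s.entropy > PACKED_THRESHOLD else ""
        print(f"{s.name or '<unnamed>':<10} raw={s.raw_size:#07x} ntrpy={s.entropy:.2f} {tag}")
    print(summarize(secs))
```

For this file the summary is 8 sections, 6 above the threshold, all 6 unnamed, 19328 bytes of packed data on disk out of 34688; the import table (file, mutex and WinExec calls, no networking) is the stub's, not the payload's, which is the other reason a static look at this DLL says little about what it does once unpacked.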

Frando Fantastico 31.07.2008 21:02

Hello Sunny, here is part 2:
Here are the MBAM logs

Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 6.0.6001 Service Pack 1

19:52:12 31.08.2008
mbam-log-8-31-2008 (19-52-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 134822
Time elapsed: 1 hour(s), 34 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e8ac85e8-4634-426d-942b-1f6069723dc7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\antivirus 2008 pro (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.bmlb (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e8ac85e8-4634-426d-942b-1f6069723dc7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserver (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\60ecbcc2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Malware.Trace) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Infected (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Suspicious (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\ssqRIARl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\vTljKCSK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\cbXNFvwW.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\iifcCsQJ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\ddcayYPH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\efcYRIyv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\ljjkKCvS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\pmnkKdAp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\pmnnMgEt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\qoMcBurp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\wvUkKbAP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\urqPfGWp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\tmp0000dc37 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\tmp0000e2be (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\tmp0000ef70 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\tmp000106c1 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\tmp000142e0 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\tmp00025450 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\tmp0003c9aa (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\eprn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\cbXNhHAS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\vscan.tsi (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\zlib.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\joybkeny.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Dagiputz\AppData\Local\Temp\awtttQGx.dll (Malware.Trace) -> Delete on reboot.

Frando Fantastico 31.07.2008 21:54

Now part 3: ComboFix.txt

((((((((((((((((((((((( Files created from 2008-07-28 to 2008-08-31 ))))))))))))))))))))))))))))))
.

2008-08-31 22:25 . 2008-08-31 22:25 <DIR> d-------- C:\Program Files\CCleaner
2008-08-31 22:23 . 2008-08-31 22:23 <DIR> d-------- C:\Program Files\Yahoo!
2008-08-31 17:53 . 2008-08-31 17:53 <DIR> d-------- C:\Users\Dagiputz\AppData\Roaming\Malwarebytes
2008-08-31 17:52 . 2008-08-31 17:52 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-08-31 17:52 . 2008-08-31 17:53 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-31 17:52 . 2008-07-30 20:07 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-08-31 17:52 . 2008-07-30 20:07 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-08-29 21:01 . 2008-08-29 21:01 <DIR> d-------- C:\VundoFix Backups
2008-08-29 16:57 . 2008-07-28 00:39 <DIR> d-------- C:\SDFix
2008-08-29 16:37 . 2008-08-29 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-29 16:28 . 2008-04-26 10:25 3,600,952 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-08-29 16:28 . 2008-04-26 10:25 3,549,240 --a------ C:\Windows\System32\ntoskrnl.exe
2008-08-29 16:28 . 2008-04-26 10:26 891,448 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-08-29 16:28 . 2008-04-12 05:32 784,896 --a------ C:\Windows\System32\rpcrt4.dll
2008-08-29 16:28 . 2008-05-10 05:35 564,736 --a------ C:\Windows\System32\emdmgmt.dll
2008-08-29 16:28 . 2008-04-05 03:21 72,192 --a------ C:\Windows\System32\drivers\pacer.sys
2008-08-29 16:28 . 2008-04-05 05:34 15,360 --a------ C:\Windows\System32\pacerprf.dll
2008-08-29 15:21 . 2008-05-08 23:59 430,080 --a------ C:\Windows\System32\vbscript.dll
2008-08-29 15:21 . 2008-05-08 23:59 180,224 --a------ C:\Windows\System32\scrobj.dll
2008-08-29 15:21 . 2008-05-08 23:59 172,032 --a------ C:\Windows\System32\scrrun.dll
2008-08-29 15:21 . 2008-05-08 23:59 155,648 --a------ C:\Windows\System32\wscript.exe
2008-08-29 15:21 . 2008-05-08 23:58 135,168 --a------ C:\Windows\System32\wshom.ocx
2008-08-29 15:21 . 2008-05-08 23:58 135,168 --a------ C:\Windows\System32\cscript.exe
2008-08-29 15:21 . 2008-05-08 23:59 90,112 --a------ C:\Windows\System32\wshext.dll
2008-07-21 22:43 . 2008-07-21 22:43 <DIR> d-------- C:\Users\Dagiputz\AppData\Roaming\ScreenSeven
2008-07-21 22:43 . 2008-07-23 21:29 <DIR> d-------- C:\Program Files\DEUTSCHLAND SPIELT
2008-07-20 21:12 . 2008-07-20 21:12 <DIR> d-------- C:\ProgramData\eMule
2008-07-18 20:48 . 2008-07-21 22:29 <DIR> d-------- C:\ProgramData\Zylom
2008-07-14 21:23 . 2008-07-14 21:23 <DIR> d-------- C:\Users\Dagiputz\AppData\Roaming\SpinTop
2008-07-14 21:17 . 2008-07-22 21:04 <DIR> d-------- C:\Program Files\eMule
2008-07-12 12:02 . 2008-07-12 12:02 <DIR> d-------- C:\Users\Dagiputz\AppData\Roaming\Zylom
2008-07-11 12:59 . 2008-01-19 09:35 4,497,408 --a------ C:\Windows\System32\NlsData0019.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 20:40 --------- d---a-w C:\ProgramData\TEMP
2008-08-31 20:29 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-08-31 18:17 --------- d-----w C:\Program Files\Spyware Doctor
2008-08-31 18:02 --------- d-----w C:\ProgramData\Google Updater
2008-08-29 18:13 45,056 ----a-w C:\Windows\System32\acovcnt.exe
2008-07-25 13:00 --------- d-----w C:\Program Files\Norton Security Scan
2008-07-24 21:16 --------- d-----w C:\Program Files\Bluefish Games
2008-07-24 20:37 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-21 20:42 --------- d-----w C:\Program Files\OXXOGames
2008-07-18 13:34 --------- d-----w C:\Users\Dagiputz\AppData\Roaming\BOM
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-05-25 16:40 141,834 ----a-w C:\Users\Dagiputz\AppData\Roaming\mdb.bin
2008-02-01 19:05 112,344 ----a-w C:\Users\Dagiputz\AppData\Roaming\GDIPFONTCACHEV1.DAT
2007-10-20 14:53 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-05-01 22:08 174 --sha-w C:\Program Files\desktop.ini
2007-09-14 13:50 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-09-14 13:50 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-09-14 13:50 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-31_22.16.34.13 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-31 17:55:03 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-31 20:39:14 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-08-31 17:55:03 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-08-31 20:39:14 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-31 17:59:25 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-31 20:43:48 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-08-31 17:59:19 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-31 20:43:56 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-08-31 17:55:17 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-31 17:55:45 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-31 17:55:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-31 17:55:45 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-31 17:55:17 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-31 17:55:45 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-31 17:58:56 10,516 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-86957554-3768365177-1958328448-1000_UserData.bin
+ 2008-08-31 20:44:03 10,516 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-86957554-3768365177-1958328448-1000_UserData.bin
- 2008-08-31 17:58:56 67,272 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-31 20:44:01 67,382 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-31 17:58:47 57,450 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-31 20:43:26 57,732 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 21:35 90112]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-14 14:35 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"PhonostarAgent"="C:\Program Files\phonostar\ps_agent.exe" [2007-12-05 16:10 98304]
"PhonostarTimer"="C:\Program Files\phonostar\ps_timer.exe" [2007-12-05 16:14 126976]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-26 20:50 149040]
"eMuleAutoStart"="C:\Program Files\eMule\emule.exe" [2008-05-11 13:19 5423104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 22:43 729088]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-26 21:12 161328]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-03-26 20:42 1057328]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-22 15:27 815104]
"AVMWlanClient"="C:\Program Files\avmwlanstick\wlangui.exe" [2006-12-28 02:02 1454080]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-14 14:39 1836544]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 16:23 266497]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-27 08:35 36352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 13:55 1103240]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-22 20:41 185896]
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-07-30 20:07 1187448]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 11:07 4390912 C:\Windows\RtHDVCpl.exe]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 13:44:06 29696]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2006-12-05 20:14:28 421888]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-09-14 14:35:23 126136]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6D74064E-E926-4075-84F4-4D75312EC1D4}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{7C892769-857B-42A0-8820-1329DECCC9B6}"= UDP:C:\Program Files\Zugspitze3D\zugspitze3d.exe:Zugspitze3D
"{A8AF7B47-C2A4-49C2-808C-98A7FB62B93F}"= TCP:C:\Program Files\Zugspitze3D\zugspitze3d.exe:Zugspitze3D
"{52645A98-7A1A-4C42-BFEF-31CBC941B884}"= UDP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{C26330B5-EFAB-4B8D-BE87-0D02D762CF85}"= TCP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{A8DCE179-3ABE-439B-9A6A-EEB1ED8A6EBD}"= UDP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{105D1306-A591-44C2-898B-F272A935B381}"= TCP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{461122E3-57C1-4CA1-897A-8157236E8357}"= UDP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{2A4B9376-8FF2-495A-8427-A98DD0EF6C98}"= TCP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"TCP Query User{BEA68575-8437-4EA1-AFFB-52988DC89E02}\\\\frando-0b894591\\frando (f)\\homepage\\internetstudio 6.1\\jre\\bin\\javaw.exe"= UDP:\\frando-0b894591\frando (f)\homepage\internetstudio 6.1\jre\bin\javaw.exe:javaw.exe
"UDP Query User{2BF225CC-8DC1-488D-B70B-66E8C07E8F9C}\\\\frando-0b894591\\frando (f)\\homepage\\internetstudio 6.1\\jre\\bin\\javaw.exe"= TCP:\\frando-0b894591\frando (f)\homepage\internetstudio 6.1\jre\bin\javaw.exe:javaw.exe
"TCP Query User{259DA247-34B3-4D8D-A3A6-46CA6484F7F6}\\\\frando-0b894591\\frando (f)\\programme\\esel\\emule\\emule.exe"= UDP:\\frando-0b894591\frando (f)\programme\esel\emule\emule.exe:emule.exe
"UDP Query User{BBC39836-8A91-4A1F-A645-4BA2284CBE82}\\\\frando-0b894591\\frando (f)\\programme\\esel\\emule\\emule.exe"= TCP:\\frando-0b894591\frando (f)\programme\esel\emule\emule.exe:emule.exe
"TCP Query User{77F98668-3D84-4CF7-8A8B-A0F15BDA1EB6}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{0F7D3ECD-CB32-49E3-AB5C-F8AFD25009AF}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"{33F890C7-C1A8-4DE9-8518-410790F0BAF1}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{F8C81EE5-CC82-4E2A-996C-C4FEC21EB74B}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{998C7F47-F59D-4111-8EFE-F5AFE09BED8F}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{3076C2ED-719A-4A11-90B3-F474AC7B3A24}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\fotobuch.de AG\\Designer 2.0\\Designer.exe"= C:\Program Files\fotobuch.de AG\Designer 2.0\Designer.exe:*:Designer.exe

R3 WCPU;WCPU;C:\Program Files\P4G\WCPU.sys [2007-01-03 00:37]
S3 avmeject;AVM Eject;C:\Windows\system32\drivers\avmeject.sys [2006-12-28 02:02]
S3 FWLANUSB;AVM FRITZ!WLAN;C:\Windows\system32\DRIVERS\fwlanusb.sys [2006-12-28 02:02]
S3 PAC7311;Trust Webcam 14839;C:\Windows\system32\DRIVERS\PA707UCM.SYS [2005-10-18 19:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8235f94a-61e6-11dc-b5d4-001d6050f13e}]
\shell\AutoRun\command - F:\pushinst.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f41a68fa-6c2f-11dc-8f76-001d6050f13e}]
\shell\Auto\command - xmsqubxan.exe
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL xmsqubxan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {6173A4FC-D42D-69A6-52CA-A30496389760} /qb
.
Inhalt des "geplante Tasks" Ordners

2008-07-25 C:\Windows\Tasks\Norton Security Scan.job
- C:\Program Files\Norton Security Scan\Nss.exe [2007-09-18 23:42]
.
.
------- Zusätzlicher Scan -------
.
FireFox -: Profile - C:\Users\Dagiputz\AppData\Roaming\Mozilla\Firefox\Profiles\wmt14ijk.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.de


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-31 22:46:19
Windows 6.0.6001 Service Pack 1 NTFS

detected NTDLL code modification:
ZwClose

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-08-31 22:52:28
ComboFix-quarantined-files.txt 2008-08-31 20:51:54
ComboFix2.txt 2008-08-31 20:18:50

Pre-Run: 17 Verzeichnis(se), 15,398,428,672 Bytes frei
Post-Run: 23 Verzeichnis(se), 15,375,970,304 Bytes frei

196 --- E O F --- 2008-08-30 13:18:29



Copyright ©2000-2025, Trojaner-Board

