Trojaner-Board - TR/Monderb.smp

Trojaner-Board (https://www.trojaner-board.de/)

- Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)

- - TR/Monderb.smp (https://www.trojaner-board.de/61512-tr-monderb-smp.html)

guten Abend

ich hab seit heute eine Fehlermeldung von AntiVir Guard,

dass ich das Trojanische Pferd TR/Monderb.smp habe ....

Es wird mir in 2 Dateien angezeigt

1x in C:\Users\Name\AppData\Local\Temp

und

1x in C:\Windows\SysWOW64

Kann das nicht löschen/zugriff verweigern/in quarantäne schieben, naja

Habe Windows Vista und bin ne totale Nulpe was PCs angeht, also echt bedürftig

Ich sag einfach schonmal :dankeschoen: im Vorraus

lg

Hab ein wenig geschmökert und von HiJackThis gelesen und dank eures Topics das auch mal gemacht, hoffe das stimmt soweit.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:00:01, on 08.10.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razertra.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerofa.exe
C:\Program Files (x86)\World of Warcraft\World of Warcraft\BackgroundDownloader.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Winamp\winamp.exe
C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundTray] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Diamondback] "C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\nNEwvVMf.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\David\AppData\Local\Temp\ddcBSKdb.dll,#1
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files (x86)\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7050 bytes

Hi,

bei 64-bit systemen ist es derzeit etwas schwierig Programme zu finden die funktionieren.

Erstell bitte ein Log mit Malwarebytes und poste es hier (erstmal nichts löschen, bitte).

lg myrtille

bei Scna-Ergebnisse soll ich nichts löschen ?

okay

mom

ed: wenn ich die nicht lösche kann ich den report nicht anklicken

ed2: mmh wo find ich den logfile ? *such*

ed3: habs ^^

Malwarebytes' Anti-Malware 1.28
Datenbank Version: 1242
Windows 6.0.6001 Service Pack 1

08.10.2008 18:20:55
mbam-log-2008-10-08 (18-20-51).txt

Scan-Methode: Vollständiger Scan (C:\|E:\|)
Durchsuchte Objekte: 152156
Laufzeit: 27 minute(s), 3 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 0
Infizierte Dateien: 22

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\CLSID\{e66f2638-720e-4db7-8224-7ed8942a5594} (Trojan.Vundo) -> No action taken.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e66f2638-720e-4db7-8224-7ed8942a5594} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> No action taken.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\\windows\\system32\\yayxyold -> No action taken.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Windows\SysWOW64\nNEwvVMf.dll (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AK7BXDUF\cntr[1] (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AK7BXDUF\cntr[2] (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3S71XOB\cntr[3] (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3S71XOB\cntr[4] (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3S71XOB\cntr[5] (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Temp\geBsrQkK.dll (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Temp\khFxvwXR.dll (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Temp\mlJDtusp.dll (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Temp\nnnoMEtU.dll (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Temp\pmnljGyX.dll (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Temp\pmnnMGxU.dll (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Temp\rQhfDtTm.dll (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Temp\ssqRHYqp.dll (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Temp\vtUolIcD.dll (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Temp\vtusRHxx.dll (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Temp\wvUlllKB.dll (Trojan.Vundo) -> No action taken.
C:\Users\David\AppData\Local\Temp\xxYpnnNh.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\nNEwvVMf.dll (Trojan.Agent) -> No action taken.
C:\Users\David\AppData\Local\Temp\ddcBSKdb.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\tuVlligH.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\yayxYoLd.dll (Trojan.Vundo) -> No action taken.

Hi,

das sieht soweit ganz gut aus. :)

Lass bitte alles löschen, poste das Log dann nochmal hier. :)

lg myrtille

mmmmh also das letzte was ich gesehn hab war, dass alle Dateien gelöscht waren, den Log dazu seh ich nicht und hab auch nur noch den einen alten bisher gefunden....

aber scheint bisher alles gut zu sein

Ich such den Log trotzdem mal weiter

Malwarebytes' Anti-Malware 1.28
Datenbank Version: 1242
Windows 6.0.6001 Service Pack 1

09.10.2008 14:45:44
mbam-log-2008-10-09 (14-45-44).txt

Scan-Methode: Vollständiger Scan (A:\|C:\|D:\|E:\|)
Durchsuchte Objekte: 152021
Laufzeit: 18 minute(s), 33 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

allerdings hatte ich grad eben noch von Antivir die Meldung dass der Trojaner noch da ist.

das hier war der log von gestern abend

Malwarebytes' Anti-Malware 1.28
Datenbank Version: 1242
Windows 6.0.6001 Service Pack 1

08.10.2008 23:55:27
mbam-log-2008-10-08 (23-55-27).txt

Scan-Methode: Vollständiger Scan (C:\|E:\|)
Durchsuchte Objekte: 151834
Laufzeit: 38 minute(s), 49 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 0
Infizierte Dateien: 22

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\CLSID\{e66f2638-720e-4db7-8224-7ed8942a5594} (Trojan.Vundo) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e66f2638-720e-4db7-8224-7ed8942a5594} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\\windows\\system32\\yayxyold -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Windows\SysWOW64\nNEwvVMf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AK7BXDUF\cntr[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AK7BXDUF\cntr[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3S71XOB\cntr[3] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3S71XOB\cntr[4] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3S71XOB\cntr[5] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\geBsrQkK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\khFxvwXR.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\mlJDtusp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\nnnoMEtU.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\pmnljGyX.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\pmnnMGxU.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\rQhfDtTm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\ssqRHYqp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\vtUolIcD.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\vtusRHxx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\wvUlllKB.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\xxYpnnNh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\nNEwvVMf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\xxx\AppData\Local\Temp\ddcBSKdb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\tuVlligH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\yayxYoLd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Hi,

das sieht gut aus. :) Hast du noch Probleme?

Kannst du zur kontrolle bitte nochmal ein Hijackthislog posten. :)

lg myrtille

huhu ich schon wieder ^^

also nachdem mein antivir nochmal mich vor dem trojaner gewarnt hat hab ich grad nen neuen scan gemacht aber da scheint nichts zu sein, er findet nichts ~.~

Hi,

es könnte sich um die Systemwiederherstellung handeln. Wo hat Antivir den Vundo denn noch gefunden gehabt?

lg myrtille

genau da wo er zuvor auch war -.-

C:\Users\Name\AppData\Local\Temp

und

C:\Windows\SysWOW64

antivir findet ihn und malware nicht

Hi,

das ist seltsam. Was befindet sich denn in dem sysWOW64 ordner?

Versuch bitte mal folgendes Programm auszuführen:
Erstelle bitte ein Log mit RSIT. Es werden 2 Dateien erstellt (log.txt und info.txt). Poste den Inhalt beider Dateien hier. (Wenn die Dateien zu lange sind kannst du sie bei file-upload hochladen und die Links hier posten.)

lg myrtille

Hallo.
Sorry wenn ich mich hier einmische, aber ich wollte nur sagen das mir der Tip mit dem Malware Program voll geholfen hat!
Endlich mal jemand der gut erklähren kann!!
Diese Page ist wirklich sehr hilfreich.
Danke !! :singsing:
LG Tina

info.txt:

info.txt logfile of random's system information tool 1.04 2008-10-12 22:07:03

======Uninstall list======

-->C:\Program Files (x86)\DivX\DivXConverterUninstall.exe /CONVERTER
-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{BA8A7C81-B0D0-422D-8FBD-BF2D25986667}\setup.exe" -l0x7
2007 Microsoft Office system-->"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROHYBRIDR /dll OSETUP.DLL
Activation Assistant for the 2007 Microsoft Office suites-->"C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Flash Player 9 ActiveX-->C:\Windows\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player Plugin-->C:\Windows\SysWOW64\Macromed\Flash\uninstall_plugin.exe
ASUS WiFi-AP Solo-->C:\Program Files (x86)\InstallShield Installation Information\{295941F1-484E-4C23-B43C-7EFDC3E6DF43}\Setup.exe -runfromtemp -l0x0009 -removeonly
Avira AntiVir Personal - Free Antivirus-->C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
DivX Codec-->C:\Program Files (x86)\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files (x86)\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files (x86)\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files (x86)\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Favorit-->c:\users\david\appdata\local\dzhgtcao.bat
HijackThis 2.0.2-->"C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Host OpenAL (ADI)-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{BA8A7C81-B0D0-422D-8FBD-BF2D25986667}\setup.exe" -l0x7 /remove
ICQ6-->"C:\Program Files (x86)\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Malwarebytes' Anti-Malware-->"C:\Program Files (x86)\Malwarebytes' Anti-Malware\unins000.exe"
marvell 61xx-->C:\Program Files (x86)\Marvell\61xx\uninst-61xx.exe
Marvell MRU-->C:\Program Files (x86)\Marvell\61xx\un61xxmru.exe
Microsoft Office Access MUI (German) 2007-->MsiExec.exe /X{90120000-0015-0407-0000-0000000FF1CE}
Microsoft Office Excel MUI (German) 2007-->MsiExec.exe /X{90120000-0016-0407-0000-0000000FF1CE}
Microsoft Office Outlook MUI (German) 2007-->MsiExec.exe /X{90120000-001A-0407-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (German) 2007-->MsiExec.exe /X{90120000-0018-0407-0000-0000000FF1CE}
Microsoft Office Professional Hybrid 2007-->MsiExec.exe /X{91120000-0031-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007-->MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proof (Italian) 2007-->MsiExec.exe /X{90120000-001F-0410-0000-0000000FF1CE}
Microsoft Office Proofing (German) 2007-->MsiExec.exe /X{90120000-002C-0407-0000-0000000FF1CE}
Microsoft Office Publisher MUI (German) 2007-->MsiExec.exe /X{90120000-0019-0407-0000-0000000FF1CE}
Microsoft Office Shared MUI (German) 2007-->MsiExec.exe /X{90120000-006E-0407-0000-0000000FF1CE}
Microsoft Office Word MUI (German) 2007-->MsiExec.exe /X{90120000-001B-0407-0000-0000000FF1CE}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Mozilla Firefox (3.0.3)-->C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
Nimo Codecs Pack v5.0 (Remove Only)-->"C:\Program Files (x86)\NimoCodec Pack\uninstall.exe"
OpenOffice.org Installer 1.0-->MsiExec.exe /X{E728E952-DD4F-4BCD-A5C8-40FBFEFF91FE}
Razer Diamondback 3G-->C:\Program Files (x86)\InstallShield Installation Information\{7E659C5C-4DF1-499B-B802-77BAE9ABE4D4}\Setup.exe -runfromtemp -l0x0009 -removeonly
SoundMAX-->C:\Program Files (x86)\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe -runfromtemp -l0x0007 -removeonly
TeamSpeak 2 RC2-->"C:\Program Files (x86)\Teamspeak2_RC2\unins000.exe"
VentriloMix-->"C:\Windows\VentriloMix\uninstall.exe" "/U:C:\Program Files (x86)\VentriloMix\Uninstall\uninstall.xml"
VideoLAN VLC media player 0.8.6i-->C:\Program Files (x86)\VideoLAN\VLC\uninstall.exe
Winamp Toolbar for Firefox-->"C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\dxmm7llp.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\uninstall.exe"
Winamp-->"C:\Program Files (x86)\Winamp\UninstWA.exe"
WinRAR-->C:\Program Files (x86)\WinRAR\uninstall.exe
World of Warcraft-->C:\Program Files (x86)\Common Files\Blizzard Entertainment\WORLD OF WARCRAFT\Uninstall.exe

======Security center information======

AS: Windows Defender

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=16
"PROCESSOR_IDENTIFIER"=AMD64 Family 16 Model 2 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=0202
"NUMBER_OF_PROCESSORS"=4
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\34FB5F65-FFEB-4B61-BF0E-A6A76C450FAA\TraceFormat
"DFSTRACINGON"=FALSE

-----------------EOF-----------------

log.txt:

Logfile of random's system information tool 1.04 (written by random/random)
Run by xxx at 2008-10-12 22:07:00
Microsoft® Windows Vista™ Home Basic Service Pack 1
System drive C: has 2 GB (7%) free of 35 GB
Total RAM: 4094 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:07:02, on 12.10.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Users\xxx\AppData\Local\dzhgtcao.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razertra.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerofa.exe
C:\Program Files (x86)\World of Warcraft\World of Warcraft\BackgroundDownloader.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEUser.exe
C:\Windows\SysWOW64\conime.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\xxx\Downloads\RSIT.exe
C:\Program Files (x86)\Trend Micro\HijackThis\David.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundTray] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Diamondback] "C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [dzhgtcao] "c:\users\david\appdata\local\dzhgtcao.exe" dzhgtcao
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files (x86)\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7109 bytes

======Scheduled tasks folder======

C:\Windows\tasks\User_Feed_Synchronization-{C1012E01-2736-45A0-A564-BB7807BD7914}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"=C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe [2007-09-27 53248]
"avgnt"=C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-07-18 266497]
"WinampAgent"=C:\Program Files (x86)\Winamp\winampa.exe [2008-04-01 36352]
"SoundMAXPnP"=C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [2007-10-25 1302528]
"SunJavaUpdateSched"=C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"Diamondback"=C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe [2007-08-01 147456]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-21 1555968]
"WindowsWelcomeCenter"=C:\Windows\system32\oobefldr.dll [2008-01-21 2153472]
"WMPNSCFG"=C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe []
"dzhgtcao"=c:\users\david\appdata\local\dzhgtcao.exe [2008-10-10 282624]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=
"NoActiveDesktopChanges"=
"ForceActiveDesktopOn"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 3 months======

2008-10-12 22:07:00 ----D---- C:\rsit
2008-10-10 02:58:54 ----D---- C:\Program Files (x86)\eMule
2008-10-08 17:52:03 ----D---- C:\Users\David\AppData\Roaming\Malwarebytes
2008-10-08 17:51:59 ----D---- C:\ProgramData\Malwarebytes
2008-10-08 17:51:59 ----D---- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2008-10-08 15:59:54 ----D---- C:\Program Files (x86)\Trend Micro
2008-09-30 16:35:14 ----D---- C:\Program Files (x86)\Logitech
2008-09-30 16:35:12 ----D---- C:\ProgramData\Logitech
2008-09-30 13:30:22 ----D---- C:\Program Files (x86)\Razer
2008-09-18 23:34:27 ----D---- C:\Program Files (x86)\Sun
2008-09-18 23:34:12 ----A---- C:\Windows\system32\javaws.exe
2008-09-18 23:34:12 ----A---- C:\Windows\system32\javaw.exe
2008-09-18 23:34:12 ----A---- C:\Windows\system32\java.exe
2008-09-18 23:33:36 ----D---- C:\Program Files (x86)\Java
2008-09-18 23:33:11 ----D---- C:\Program Files (x86)\Common Files\Java
2008-09-17 23:55:00 ----A---- C:\Windows\system32\nvwgf2um.dll
2008-09-17 23:55:00 ----A---- C:\Windows\system32\nvoglv32.dll
2008-09-17 23:55:00 ----A---- C:\Windows\system32\nvcuda.dll
2008-09-17 23:55:00 ----A---- C:\Windows\system32\nvapi.dll
2008-09-17 00:52:05 ----D---- C:\ProgramData\SonicFocus
2008-09-17 00:51:38 ----D---- C:\Users\David\AppData\Roaming\InstallShield
2008-09-16 17:33:01 ----D---- C:\Windows\VentriloMix
2008-09-16 17:33:01 ----D---- C:\Program Files (x86)\VentriloMix
2008-09-12 02:01:08 ----A---- C:\Windows\system32\msshooks.dll
2008-09-12 02:01:08 ----A---- C:\Windows\system32\msscb.dll
2008-09-12 02:01:08 ----A---- C:\Windows\system32\mimefilt.dll
2008-09-12 02:01:05 ----A---- C:\Windows\system32\SearchFilterHost.exe
2008-09-12 02:01:05 ----A---- C:\Windows\system32\propdefs.dll
2008-09-12 02:01:05 ----A---- C:\Windows\system32\msstrc.dll
2008-09-12 02:01:05 ----A---- C:\Windows\system32\mssitlb.dll
2008-09-12 02:01:04 ----A---- C:\Windows\system32\thawbrkr.dll
2008-09-12 02:01:04 ----A---- C:\Windows\system32\propsys.dll
2008-09-12 02:01:04 ----A---- C:\Windows\system32\offfilt.dll
2008-09-12 02:01:04 ----A---- C:\Windows\system32\mssprxy.dll
2008-09-12 02:01:04 ----A---- C:\Windows\system32\msshsq.dll
2008-09-12 02:01:04 ----A---- C:\Windows\system32\korwbrkr.dll
2008-09-12 02:01:04 ----A---- C:\Windows\system32\chsbrkr.dll
2008-09-12 02:01:03 ----A---- C:\Windows\system32\xmlfilter.dll
2008-09-12 02:01:03 ----A---- C:\Windows\system32\rtffilt.dll
2008-09-12 02:01:03 ----A---- C:\Windows\system32\nlhtml.dll
2008-09-12 02:01:03 ----A---- C:\Windows\system32\chtbrkr.dll
2008-09-12 02:01:02 ----A---- C:\Windows\system32\tquery.dll
2008-09-12 02:01:02 ----A---- C:\Windows\system32\SearchProtocolHost.exe
2008-09-12 02:01:02 ----A---- C:\Windows\system32\SearchIndexer.exe
2008-09-12 02:01:02 ----A---- C:\Windows\system32\mssvp.dll
2008-09-12 02:01:02 ----A---- C:\Windows\system32\mssrch.dll
2008-09-12 02:01:02 ----A---- C:\Windows\system32\mssphtb.dll
2008-09-12 02:01:02 ----A---- C:\Windows\system32\mssph.dll
2008-09-12 02:01:02 ----A---- C:\Windows\system32\msscntrs.dll
2008-09-10 19:35:41 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2008-09-10 19:35:41 ----A---- C:\Windows\system32\Apphlpdm.dll
2008-09-10 19:35:37 ----A---- C:\Windows\system32\wmpeffects.dll
2008-09-10 19:35:34 ----A---- C:\Windows\system32\dataclen.dll
2008-09-10 11:01:09 ----D---- C:\Users\David\AppData\Roaming\vlc
2008-09-10 11:00:02 ----D---- C:\Program Files (x86)\VideoLAN
2008-09-10 10:54:40 ----D---- C:\Windows\system32\quicktime
2008-09-10 10:54:40 ----D---- C:\Program Files (x86)\NimoCodec Pack
2008-09-10 10:48:14 ----D---- C:\Users\David\AppData\Roaming\DivX
2008-08-28 18:43:14 ----A---- C:\Windows\system32\wups.dll
2008-08-28 18:43:14 ----A---- C:\Windows\system32\wudriver.dll
2008-08-28 18:43:14 ----A---- C:\Windows\system32\wuapi.dll
2008-08-28 18:43:03 ----A---- C:\Windows\system32\wuwebv.dll
2008-08-28 18:43:03 ----A---- C:\Windows\system32\wuapp.exe
2008-08-14 02:09:44 ----A---- C:\Windows\system32\tzres.dll
2008-08-14 01:24:44 ----A---- C:\Windows\system32\inetcomm.dll
2008-08-14 01:24:43 ----A---- C:\Windows\system32\es.dll
2008-08-14 01:24:42 ----A---- C:\Windows\system32\winipsec.dll
2008-08-14 01:24:42 ----A---- C:\Windows\system32\polstore.dll
2008-08-14 01:24:42 ----A---- C:\Windows\system32\FwRemoteSvr.dll
2008-08-14 01:24:38 ----A---- C:\Windows\system32\mshtml.dll
2008-08-14 01:24:37 ----A---- C:\Windows\system32\wininet.dll
2008-08-14 01:24:37 ----A---- C:\Windows\system32\ieframe.dll
2008-08-14 01:24:36 ----A---- C:\Windows\system32\urlmon.dll
2008-08-14 01:24:36 ----A---- C:\Windows\system32\mstime.dll
2008-08-14 01:24:35 ----A---- C:\Windows\system32\jsproxy.dll
2008-08-02 19:16:30 ----D---- C:\Program Files (x86)\Common Files\PX Storage Engine
2008-08-02 19:16:27 ----D---- C:\Program Files (x86)\DivX
2008-07-25 10:34:54 ----A---- C:\Windows\system32\dpl100.dll
2008-07-25 10:34:52 ----A---- C:\Windows\system32\dtu100.dll
2008-07-25 10:34:50 ----A---- C:\Windows\system32\dpuGUI10.dll
2008-07-25 10:34:46 ----A---- C:\Windows\system32\dpv11.dll
2008-07-25 10:34:46 ----A---- C:\Windows\system32\dpus11.dll
2008-07-25 10:34:46 ----A---- C:\Windows\system32\dpuGUI11.dll
2008-07-25 10:34:46 ----A---- C:\Windows\system32\dpu11.dll
2008-07-25 10:34:46 ----A---- C:\Windows\system32\dpu10.dll
2008-07-25 10:34:42 ----A---- C:\Windows\system32\divx_xx07.dll
2008-07-25 10:34:40 ----A---- C:\Windows\system32\divx_xx11.dll
2008-07-25 10:34:40 ----A---- C:\Windows\system32\divx_xx0c.dll
2008-07-25 10:34:40 ----A---- C:\Windows\system32\divx_xx0a.dll
2008-07-25 10:34:30 ----A---- C:\Windows\system32\DivXCodecVersionChecker.exe
2008-07-23 18:48:40 ----A---- C:\Windows\system32\ssldivx.dll
2008-07-23 18:48:40 ----A---- C:\Windows\system32\libdivx.dll
2008-07-23 18:47:34 ----A---- C:\Windows\system32\dtu100.dll.manifest
2008-07-23 18:47:34 ----A---- C:\Windows\system32\dpl100.dll.manifest
2008-07-23 18:46:38 ----A---- C:\Windows\system32\DivXWMPExtType.dll

======List of files/folders modified in the last 3 months======

2008-10-12 22:06:49 ----D---- C:\Windows\Temp
2008-10-12 18:46:38 ----D---- C:\Windows\System32
2008-10-12 18:46:38 ----D---- C:\Windows\inf
2008-10-11 18:11:34 ----D---- C:\Windows\Minidump
2008-10-11 18:11:29 ----D---- C:\Windows
2008-10-11 01:45:42 ----SHD---- C:\System Volume Information
2008-10-10 18:57:25 ----D---- C:\ProgramData\NVIDIA
2008-10-10 18:56:29 ----D---- C:\Windows\SysWOW64
2008-10-10 02:58:54 ----RD---- C:\Program Files (x86)
2008-10-08 23:22:09 ----D---- C:\Windows\Prefetch
2008-10-08 17:52:30 ----D---- C:\Windows\system32\drivers
2008-10-08 17:51:59 ----HD---- C:\ProgramData
2008-10-04 22:59:40 ----D---- C:\Program Files (x86)\ICQ6
2008-10-04 22:55:00 ----D---- C:\Users\David\AppData\Roaming\uTorrent
2008-09-30 16:35:38 ----SHD---- C:\Windows\Installer
2008-09-30 16:35:01 ----RD---- C:\Program Files
2008-09-30 13:51:46 ----D---- C:\Program Files (x86)\Common Files
2008-09-30 13:47:17 ----RD---- C:\Users
2008-09-30 13:30:21 ----HD---- C:\Program Files (x86)\InstallShield Installation Information
2008-09-28 22:38:06 ----D---- C:\Program Files (x86)\Mozilla Firefox
2008-09-17 23:55:00 ----A---- C:\Windows\system32\nvd3dum.dll
2008-09-17 00:52:53 ----A---- C:\Windows\system32\wrap_oal.dll
2008-09-17 00:52:53 ----A---- C:\Windows\system32\OpenAL32.dll
2008-09-17 00:52:25 ----D---- C:\Program Files (x86)\Analog Devices
2008-09-16 17:33:35 ----D---- C:\Windows\winsxs
2008-09-16 17:33:21 ----D---- C:\Program Files (x86)\Common Files\microsoft shared
2008-09-12 11:52:15 ----D---- C:\Windows\rescache
2008-09-12 11:36:20 ----D---- C:\Windows\system32\de-DE
2008-09-12 11:36:19 ----D---- C:\Windows\PolicyDefinitions
2008-09-11 17:30:09 ----D---- C:\Windows\AppPatch
2008-09-09 19:07:36 ----SD---- C:\Users\David\AppData\Roaming\Microsoft
2008-09-01 18:47:38 ----D---- C:\Users\David\AppData\Roaming\teamspeak2
2008-08-30 11:15:34 ----A---- C:\Windows\ntbtlog.txt
2008-08-27 19:30:38 ----D---- C:\Users\David\AppData\Roaming\Mozilla
2008-08-14 11:38:24 ----D---- C:\Program Files (x86)\Windows Mail
2008-08-14 11:38:22 ----D---- C:\Windows\system32\migration
2008-08-07 23:28:41 ----D---- C:\Windows\LiveKernelReports
2008-07-25 10:36:00 ----A---- C:\Windows\system32\DivXsm.exe
2008-07-23 18:50:52 ----A---- C:\Windows\system32\qt-dx331.dll
2008-07-18 14:25:14 ----SHD---- C:\$Recycle.Bin

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys []
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\ADIHdAud.sys []
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athrx.sys []
R3 ksthunk;Kernel Streaming Thunks; C:\Windows\system32\drivers\ksthunk.sys []
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys []
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys []
R3 Razerlow;Razer Pro|Solutions; C:\Windows\system32\drivers\DB3G.sys []
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys []
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller; C:\Windows\system32\DRIVERS\yk60x64.sys []
S3 CmBatt;Microsoft-Netzteiltreiber; C:\Windows\system32\DRIVERS\CmBatt.sys []
S3 drmkaud;Microsoft Kernel-DRM-Audioentschlüsselung; C:\Windows\system32\drivers\drmkaud.sys []
S3 HdAudAddService;Microsoft 1.1 UAA-Funktionstreiber für High Definition Audio-Dienst; C:\Windows\system32\drivers\HdAudio.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys []
S3 MSPCLOCK;Microsoft Proxy für Streaming Clock; C:\Windows\system32\drivers\MSPCLOCK.sys []
S3 MSPQM;Microsoft Proxy für Streaming Quality Manager; C:\Windows\system32\drivers\MSPQM.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\Windows\system32\drivers\MSTEE.sys []
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys []
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys []
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AEADIFilters;Andrea ADI Filters Service; C:\Windows\system32\AEADISRV.EXE []
R2 AntiVirScheduler;Avira AntiVir Personal – Free Antivirus Planer; C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-07-18 68865]
R2 AntiVirService;Avira AntiVir Personal – Free Antivirus Guard; C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-08-15 149761]
R2 Marvell RAID;Marvell RAID Event Agent; C:\Program Files (x86)\Marvell\61xx\svc\mvraidsvc.exe [2007-06-12 61440]
R2 MRUWebService;MRU Web Service; C:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe [2007-05-23 20539]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe []
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2008-01-21 93696]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2008-01-21 19968]

-----------------EOF-----------------

Hi,

der Eintrag in appdata/local ist nicht vundo der immernoch da ist, sondern navipromo, dass neu dazugekommen ist. :schmoll:
Ich guck mal wie man das wegkriegen kann, mit den wenigen Mitteln die uns zu verfügung stehen.

Welche Datei wird in SysWow noch gefunden? Genauer Namen bitte, im Log ist nichts zu sehen.

Bitte das hier noch versuchen:
ein FileListing mit diesem script:

Script abspeichern per Rechtsklick, speichern unter auf dem Desktop
Doppelklick auf listing8.cmd auf dem Desktop
nach kurzer Zeit erscheint eine listing.txt auf dem Desktop

Diese listing.txt z.B. bei File-Upload.net hochladen und hier verlinken, da dieses Logfile zu groß fürs Board ist.

lg myrtille

okay also das mit SysWow hat sich erledigt, da scheint jetzt alles soweit clear zu sein, antivir ist jetzt auch beruhigt ^^ :>

ich hab aber ein Problem mit dem listing8.cmd

wenn ich da doppelklick drauf macheöffnet sich ein editor, sonst nichts....

Hi,

ist in dem Editor irgendwas drin?

(Wenn sich ein leeres Fenster öffnet versuch eventuell mal die datei listing8.cmd in listing8.bat umzubenennen)

lg myrtille

also das ist das was da drinne ist ^^

echo LISTING FILE von root24; 28.01.2008 > %temp%\listing.txt

echo "------ SYSTEMROOT ---" >> %temp%\listing.txt
%systemdrive%
cd\
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ SYSTEM32 ---" >> %temp%\listing.txt
cd %windir%
cd system32
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ DOWNLOADED INSTALLATIONS ---" >> %temp%\listing.txt
cd %windir%
cd "Downloaded Installations"
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ DOWNLOADED PROGRAM FILES ---" >> %temp%\listing.txt
cd %windir%
cd "Downloaded Program Files"
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ SYSTEM32-DRIVERS ---" >> %temp%\listing.txt
cd %windir%
cd system32
cd drivers
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ PREFETCH ---" >> %temp%\listing.txt
cd %windir%
cd prefetch
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ TASKS ---" >> %temp%\listing.txt
cd %windir%
cd tasks
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ WINDIR ---" >> %temp%\listing.txt
cd %windir%
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ WINDIR\SYSTEM ---" >> %temp%\listing.txt
cd system
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ WINDOWS\TEMP ---" >> %temp%\listing.txt
cd %windir%
cd temp
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ USER\TEMP ---" >> %temp%\listing.txt
cd %temp%
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ PROGRAMS ---" >> %temp%\listing.txt
cd %programfiles%
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ ALLUSERS ---" >> %temp%\listing.txt
cd %allusersprofile%
cd anwendungsdaten
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

echo "------ USERS ---" >> %temp%\listing.txt
cd %userprofile%
cd anwendungsdaten
dir /a:-d /o:-d >> %temp%\listing.txt
dir /a:d /o:-d >> %temp%\listing.txt

cd %temp%
copy /y listing.txt "%userprofile%"\desktop\listing.txt

Ja, das sieht in der Tat nicht ganz richtig aus. :D
Funktioniert es, wenn du die listing.cmd in listing.bat umbenennst?

Ansonsten probier bitte mal folgendes:

Mache bitte alle Dateien sichtbar.

Rufe den Taskamanager auf und beende dort folgende Datei: dzhgtcao.exe

Lösche dann im Ordner C:\Users\xxx\AppData\Local alle Dateien deren Namen mit dzhgtcao beginnen.
Es sollten folgende Dateien zu finden sein:
dzhgtcao.exe
dzhgtcao.dat
dzhgtcao_nav.dat
dzhgtcao_navps.dat

Berichte was du gefunden hast und wie es mit Popups ausschaut.

lg myrtille

So

funktionierte NICHT als ich es in .bat umbenannt habe.

Task beendet, 5 Dateien mit dem Namen unwiderruflich gelöscht

Popups, mom

keine Popups mehr vorhanden

Antivir findet nichts
Malware findet nichts

es scheint als wäre ich clean *nicht zu früh freuen will*

Hi,

wie gesagt: 64bit ist immer etwas tricky und Neuland. Dann lassen wir das mit dem Skript erstmal. :D

Das waren auf jedenfall die "Hauptübeltäter", poste bitte noch ein neues Hijackthislog, dort sollten noch Reste sein, die wir entfernen sollten.

lg myrtille

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:05:55, on 14.10.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razertra.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerofa.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundTray] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Diamondback] "C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [dzhgtcao] "c:\users\david\appdata\local\dzhgtcao.exe" dzhgtcao
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files (x86)\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 6811 bytes

Hi,

den Eintrag bitte noch fixen:

Zitat:

O4 - HKCU\..\Run: [dzhgtcao] "c:\users\david\appdata\local\dzhgtcao.exe" dzhgtcao

Der Rest sieht gut aus. :)

Wenn keine Probleme mehr aufgetreten sind, dann kannst du noch die Systemwiederherstellung de- und reaktivieren, indem du unter Start->Systemsteuerung->System->Systemwiederherstellung den Haken bei "Systemwiederherstellung auf allen Laufwerken deaktivieren" setzt und später wieder rausnimmst.
Damit werden alle Wiederherstellungspunkte und darin eventuell vorhandene Reste der Infektion gelöscht.

lg myrtille

huhu

ich find die Datei nicht :nixda:

versteckte Ordner sind angezeigt
im Taskmanager ist nix

ich hoff ich bin grad eifnach nur blöd oder hab was übersehn .--.

Hi,

sorry hab mich undeutlich ausgedrückt:

Du sollst nicht die Datie löschen (das haben wir ja vorhin schon gemacht), sondern den Eintrag mit Hijackthis fixen:

Rufe bitte Hijackthis erneut auf.
Klick auf Do a system scan only
Setzen einen Haken vor folgende Einträge (wenn sie noch vorhanden sind. ;) )

Zitat:

O4 - HKCU\..\Run: [dzhgtcao] "c:\users\david\appdata\local\dzhgtcao.exe" dzhgtcao
Klicke unten auf Fix checked
Poste danach ein neues Hijackthislog hier.

lg myrtille

ah, okidoki:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:14, on 15.10.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razertra.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerofa.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = htxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = htxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = htxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = htxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = htxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = htxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundTray] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Diamondback] "C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Marvell RAID Event Agent (Marvell RAID) - Unknown owner - C:\Program Files (x86)\Marvell\61xx\svc\mvraidsvc.exe
O23 - Service: MRU Web Service (MRUWebService) - Apache Software Foundation - C:\Program Files (x86)\Marvell\61xx\Apache2\bin\Apache.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 6845 bytes

Sieht gut aus! :)

lg myrtille

jops, bis jetzt keine weiteren Beschweren

ich atme langsam auf und bedanke mich bei dir !