Trojaner-Board
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Vundo/Virtumonde (vermutlich) (https://www.trojaner-board.de/68133-vundo-virtumonde-vermutlich.html)

bakeneko 06.01.2009 18:48
Vundo/Virtumonde (vermutlich)
 
Hallo,

neuer member und dann gleich so ein Thema:kloppen:
Sorry.
Auch wenn das Thema bereits so oft existiert, wage ich mal meinen Fall zu schildern - in der Hoffnung auf Hilfe.

Zum System: Windows XP mit SP2 ... auf nem etwas älteren Computer. Firefox (aber Internet-Explorer ist installiert, sonst spinnt mein MSN :pfui: )
Neu aufsetzen mit format c etc. möchte ich unbedingt vermeiden.

Problem: Extrem langsamer Start. Wenn es nicht "einfriert". Fehlermeldungen der Explorer.exe, die aber ignoriert werden können (kommen als 16 bit-System Meldung).
Allgemeine Langsamkeit. Im Netz kommen "lustige" pop-ups, Google/Yahoo links werden umgeleitet etc, auf Seiten von Anti-Virus-Software kann ich nicht zugreifen...updates für Windows oder Kaspersky (hab 2009 erst nach der Infektion bekommen) runterladen funktioniert auch nicht :koch:. Das "übliche" Vundo-Verhalten (von dem was ich gelesen habe).
In Ad-Aware (welches im Weiteren nutzlos war und de-installiert wurde) war auch mal Vundo/Virtumonde als Meldung aufgetaucht.
Andere Programme (Spybot, Malwarebites) werden gar nicht erst gestartet.


Hijackthis meint:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:48:39, on 06.01.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\system32\Prismsta.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Programme\Logitech\QuickCam\Quickcam.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
c:\programme\logitech\quickcam\lu\lulnchr.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
c:\programme\logitech\quickcam\lu\LogitechUpdate.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\Programme\Windows Live\Messenger\msnmsgr.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
c:\lotus\wordpro\wordpro.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\DOKUME~1\***\LOKALE~1\Temp\csrssc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hp://w.accoona.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hp://w.accoona.com/search?q=%s
R3 - URLSearchHook: (no name) - {2C3C5EB0-DC2C-BFC8-F54F-4B4383BDC9F9} - FLKPT.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Prism_Utility] Prismsta.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programme\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [2496af42] rundll32.exe "C:\WINDOWS\system32\arqcykfe.dll",b
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [gadcom] "C:\Dokumente und Einstellungen\***\Anwendungsdaten\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOKUME~1\SEBAST~1\LOKALE~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Logitech . Produktregistrierung.lnk = C:\Programme\Logitech\QuickCam\eReg.exe
O4 - Global Startup: Kodak EasyShare Software.lnk = C:\Programme\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Statistik für den Schutz des Web-Datenverkehrs - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {07E3F115-C445-480D-94CB-ECA914A353CE} - hp://w.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hp://software-dl.real.com/04a30f04300bfbf27206/netzip/RdxIE601_de.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - hp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE60CE46-C8A7-4F46-9B82-19496EE1E875}: NameServer = 217.237.149.205 217.237.151.51
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: axlrsp.dll wtdhhh.dll qergrj.dll itbhyl.dll glezxi.dll qcrpie.dll ugtpei.dll gromqd.dll vpswlf.dll lceaff.dll dcfkxh.dll wzdgxc.dll slpilz.dll awengh.dll bldqdp.dll oyqtrx.dll pnugaj.dll tmeubo.dll nrohqz.dll xkcgcq.dll syswwb.dll quykcz.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll ejmdtq.dll
O22 - SharedTaskScheduler: KJhaiufhw3nrih7wefywjfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rsekd83jde.dll
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: hpdj - Unknown owner - C:\DOKUME~1\***\LOKALE~1\Temp\hpdj.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

john.doe 06.01.2009 19:18
Hallo und :hallo:

Arbeite diese Liste ab:

1.) Stell sicher, daß Dir auch alle Dateien angezeigt werden, danach folgende Dateien bei Virustotal.com auswerten lassen und alle Ergebnisse posten, und zwar so, daß man die der einzelnen Virenscanner sehen kann. Bitte mit Dateigrößen und Prüfsummen:
Code:
C:\WINDOWS\system32\arqcykfe.dll
C:\Dokumente und Einstellungen\SEBAST~1\Anwendungsdaten\gadcom\gadcom.exe
C:\DOKUME~1\SEBAST~1\LOKALE~1\Temp\csrssc.exe
C:\WINDOWS\system32\rsekd83jde.dll
Sollte die Meldung kommen, dass die Dateien bereits analysiert wurden, dann klicke trotzdem auf Analysieren.

Poste alle Logfiles bitte mit Codetags umschlossen (#-Button) also so:
HTML-Code:
[code] Hier das Logfile rein! [/code]
2.) Deaktiviere die Systemwiederherstellung, im Verlauf der Infektion wurden auch Malwaredateien in Wiederherstellungspunkten mitgesichert - die sind alle nun unbrauchbar, da ein Zurücksetzen des System durch einen Wiederherstellungspunkt das System wahrscheinlich wieder infizieren würde.

3.) Blacklight und Malwarebytes Antimalware ausführen und Logfiles posten (Wächter Deines Virenscanner vor dem Scannen deaktivieren!)

4.) Superantispyware runterladen und laufenlassen, so wie hier beschrieben: http://www.trojaner-board.de/51871-a...tispyware.html

5.) ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix
  • Lade dir das Tool hier herunter auf den Desktop -> KLICK
Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:
  • Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
    Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.
  • Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.
  • Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.
Wichtiger Hinweis:
Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.
Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

6.) Poste ein neues Hijackthis Logfile, nimm dazu diese umbenannte hijackthis.exe
Editiere die Links und privaten Infos!!

ciao, andreas

bakeneko 06.01.2009 19:53
Thanks.
Und sorry, wegen den logfile-Format.

Das Problem bei den ersten Schritten (mit Ausnahme von combofix, wovon ich bisher die Finger gelassen habe) ist folgendes:

Ich bekomme keine server-Verbindung zu den Seiten. Alles, was mit Anti-Virus zu tun hat wird geblockt. Virustotal (gerade mehrfach probiert) und die direkten downloads für Malwarebytes etc. auch (wie schon oben beschrieben).
Ich habe mir Malwarebytes und Superantispyware als downloadvon einem anderen rechner ziehen können (Uni-Rechner, da komm ich vor morgen auch nicht dran). Beide Programme werden nicht gestartet. malwarebytes ohne jede Meldung. Superantispyware gibt eine (Windows)Fehlermeldung ohne weitere Begründung.
:(

john.doe 06.01.2009 20:00
Start => Ausführen => devmgmt.msc eingeben und [Enter] drücken
Menüzeile: Ansicht => Ausgeblendete Geräte anzeigen => Nicht-PNP-Treiber

Dort alle Treiber, die mit ADS oder TDS beginnen (vermutlich ist es TDSSserv.sys) deaktivieren
=> Rechner neustarten, nochmal probieren.

ciao, andreas

p.s.: Teste auch das Umbenennen der Programme in z.B. asdf.com

bakeneko 06.01.2009 20:35
Danke. Es war die TDSSserv :)
Ich geh dann mal die Liste durch.

arqcykfe.dll
Code:
Antivirus          Version          letzte aktualisierung          Ergebnis
a-squared        4.0.0.73        2009.01.06        -
AhnLab-V3        2009.1.6.3        2009.01.06        -
AntiVir        7.9.0.45        2009.01.06        HEUR/Crypted
Authentium        5.1.0.4        2009.01.06        -
Avast        4.8.1281.0        2009.01.06        -
AVG        8.0.0.199        2009.01.06        -
BitDefender        7.2        2009.01.06        -
CAT-QuickHeal        10.00        2009.01.06        -
ClamAV        0.94.1        2009.01.06        -
Comodo        884        2009.01.06        -
DrWeb        4.44.0.09170        2009.01.06        -
eTrust-Vet        31.6.6294        2009.01.06        Win32/VundoCryptorAA!generic
Ewido        4.0        2008.12.31        -
F-Prot        4.4.4.56        2009.01.06        -
Fortinet        3.117.0.0        2009.01.06        -
GData        19        2009.01.06        -
Ikarus        T3.1.1.45.0        2009.01.06        -
K7AntiVirus        7.10.578        2009.01.06        -
Kaspersky        7.0.0.125        2009.01.06        -
McAfee        5486        2009.01.05        -
McAfee+Artemis        5487        2009.01.06        Generic!Artemis
Microsoft        1.4205        2009.01.06        Trojan:Win32/Vundo.gen!Y
NOD32        3743        2009.01.06        -
Norman        5.80.02        2009.01.06        -
Panda        9.0.0.4        2009.01.06        -
PCTools        4.4.2.0        2009.01.06        -
Rising        21.11.12.00        2009.01.06        AdWare.Win32.Agent.cqn
SecureWeb-Gateway        6.7.6        2009.01.06        Heuristic.Crypted
Sophos        4.37.0        2009.01.06        Troj/Virtum-Gen
Sunbelt        3.2.1809.2        2008.12.22        VIPRE.Suspicious
Symantec        10        2009.01.06        -
TheHacker        6.3.1.4.205        2009.01.05        -
TrendMicro        8.700.0.1004        2009.01.06        -
VBA32        3.12.8.10        2009.01.06        -
ViRobot        2009.1.6.1546        2009.01.06        -
VirusBuster        4.5.11.0        2009.01.06        -
weitere Informationen
File size: 72704 bytes
MD5...: 442fdfb53d15cdc5f80b0d7793da9369
SHA1..: 70625dce17f0e2c6124c6907d41674f2f32e9965
SHA256: 83e5b83d449322c796e79e623722dfb3fb886b25ac768d501c71a73dc42f7b22
SHA512: 888ee982f2db2f9f7418ef98e5713f13bb0b2fe4bbb771062081bc8f6b6eb102
5ccaa179b15b3b43450c3c8bcd9e297fa024634553f70455793de6b6e2eb2775
ssdeep: 1536:HciZq0r59K8nEMSjkfpY0EjPUGIrp1tokg/04R8G7q0Um+K:HHqS9K8E/jk
6GokY04Zo
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10021526
timedatestamp.....: 0x4823ae2e (Fri May 09 01:51:42 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1000 0x200 7.61 55f1aae89dd4396a0d3bea7efae8c254
text 0x2000 0x1000 0x200 7.61 b945b20c17d84cebd228f92bd47849af
text 0x3000 0x1d000 0xe800 8.00 b70deb00125a5b1b1ac33cc2391c46b6
.reloc 0x20000 0x1000 0x400 2.24 f855c79b5614ab83c10f2d4df14a06c5
.pdata 0x21000 0x3000 0x2800 3.85 383fc4d5935895699d3e53f297381495

( 4 imports )
> USER32.dll: SystemParametersInfoA, GetSystemMetrics
> KERNEL32.dll: ExitProcess, GetSystemInfo, CreateFileA
> GDI32.dll: CreateHalftonePalette
> comdlg32.dll: PrintDlgExW

( 0 exports )

bakeneko 06.01.2009 20:45
csrssc.exe
Code:
Antivirus          Version          letzte aktualisierung          Ergebnis
a-squared        4.0.0.73        2009.01.06        -
AhnLab-V3        2009.1.6.3        2009.01.06        -
AntiVir        7.9.0.45        2009.01.06        TR/Crypt.XPACK.Gen
Authentium        5.1.0.4        2009.01.06        -
Avast        4.8.1281.0        2009.01.06        Win32:Trojan-gen {Other}
AVG        8.0.0.199        2009.01.06        Crypt
BitDefender        7.2        2009.01.06        -
CAT-QuickHeal        10.00        2009.01.06        (Suspicious) - DNAScan
ClamAV        0.94.1        2009.01.06        -
Comodo        884        2009.01.06        -
DrWeb        4.44.0.09170        2009.01.06        -
eTrust-Vet        31.6.6294        2009.01.06        -
Ewido        4.0        2008.12.31        -
F-Prot        4.4.4.56        2009.01.06        -
F-Secure        8.0.14470.0        2009.01.06        -
Fortinet        3.117.0.0        2009.01.06        -
GData        19        2009.01.06        Win32:Trojan-gen {Other}
Ikarus        T3.1.1.45.0        2009.01.06        -
K7AntiVirus        7.10.578        2009.01.06        -
Kaspersky        7.0.0.125        2009.01.06        Trojan-Downloader.Win32.Suurch.hs
McAfee        5486        2009.01.05        Generic Dropper.bu
McAfee+Artemis        5487        2009.01.06        Generic Dropper.bu
Microsoft        1.4205        2009.01.06        PWS:Win32/Ldpinch.BO
NOD32        3743        2009.01.06        -
Norman        5.80.02        2009.01.06        W32/Antivirus2008.BJE
Panda        9.0.0.4        2009.01.06        Adware/ProAntispyware2009
PCTools        4.4.2.0        2009.01.06        -
Prevx1        V2        2009.01.06        Cloaked Malware
Rising        21.11.12.00        2009.01.06        -
SecureWeb-Gateway        6.7.6        2009.01.06        Trojan.Crypt.XPACK.Gen
Sophos        4.37.0        2009.01.06        Mal/Generic-A
Sunbelt        3.2.1809.2        2008.12.22        VIPRE.Suspicious
Symantec        10        2009.01.06        Trojan.Fakeavalert
TheHacker        6.3.1.4.205        2009.01.05        -
TrendMicro        8.700.0.1004        2009.01.06        -
VBA32        3.12.8.10        2009.01.06        -
ViRobot        2009.1.6.1546        2009.01.06        Trojan.Win32.Amvo.Gen
VirusBuster        4.5.11.0        2009.01.06        -
weitere Informationen
File size: 22017 bytes
MD5...: 050c0347af9d75c24a85ab5201b5e067
SHA1..: ec243508b0136f80cce8d846384639189cea9cff
SHA256: 22cd55f6ca4db7c5394abf2e2825308d650c1838b8679a6b8cf4ad42479c681d
SHA512: a12c915dfb4cfebabe5be3078c6942e33e9dedb589b6d533f387fb6bf9e29042
64c1ee74fad438a9a4a9299885279b7b09b4e848bf7454c5b20f72e7de1fc67c
ssdeep: 384:PTv9/7wy+G6HAVOENzkmt42gCjV1hXK8FT4nhJRvTrJ3eWH5sEzAjoSYgiA0
9eRV:7vJaG6H9AAM4RSXXGRvTrJ37Hhz0G9en
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401008
timedatestamp.....: 0x4947f405 (Tue Dec 16 18:31:33 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x1000 0x400 3.55 e11bce845f5e330eb35c826931262272
0x2000 0x5000 0x4600 7.93 ccb81d4f4f5e83906aa411754dd0fc37
0x7000 0x21000 0x800 4.19 3993efd9a118cf0ff060759f8b45e973

( 3 imports )
> KERNEL32.DLL: ExitProcess, GetProcAddress, lstrcpyn, WaitCommEvent, _lcreat, CreateIoCompletionPort, FindFirstFileExW, SetCommState, BuildCommDCBAndTimeoutsW, GetTimeZoneInformation, SetFileAttributesA, ReadFile, GetVolumeInformationA, GetConsoleCursorInfo, SetMessageWaitingIndicator, TlsFree, GetOEMCP, PulseEvent, GetSystemTimeAdjustment, SetConsoleCtrlHandler, WaitForSingleObject, InterlockedExchangeAdd, DefineDosDeviceA, TlsAlloc, Sleep
> USER32.DLL: GetWindowTextLengthA, InternalGetWindowText, PeekMessageW, OpenIcon, LoadImageW, LoadCursorA, GetMessagePos, DrawMenuBarTemp, EnumChildWindows, IsWindowEnabled, AppendMenuA, GetKeyboardState, SetCursorPos, wvsprintfW, GetClipboardFormatNameA, InsertMenuW, CallMsgFilter, GetKeyState, RegisterClassExA, BringWindowToTop, GetAncestor, GetDlgItemInt, DefMDIChildProcW, DeleteMenu, DialogBoxParamA, EnumDesktopsA, EnumDisplayDevicesA
> GDI32.DLL: CreateCompatibleDC, EnumICMProfilesW, ExcludeClipRect, DPtoLP, EnumICMProfilesA, SwapBuffers, CopyMetaFileA, DeleteMetaFile, CreateDIBitmap, CreateRoundRectRgn, EnumObjects, GetDeviceGammaRamp, CreateEllipticRgnIndirect, ScaleViewportExtEx, GetLayout, CreateScalableFontResourceA, GetTextExtentExPointA, ResetDCW, GetPixelFormat, FlattenPath, RectVisible

( 0 exports )
rsekd83jde.dll

Code:
Antivirus          Version          letzte aktualisierung          Ergebnis
a-squared        4.0.0.73        2009.01.06        Trojan-Clicker.Win32.Klik!IK
AhnLab-V3        2009.1.6.3        2009.01.06        Win-Trojan/Downloader.15000.AB
AntiVir        7.9.0.45        2009.01.06        TR/Dldr.Small.ahhm
Authentium        5.1.0.4        2009.01.06        W32/Trojan3.RF
Avast        4.8.1281.0        2009.01.06        Win32:Zbot-AWR
AVG        8.0.0.199        2009.01.06        Crypt.Y
BitDefender        7.2        2009.01.06        Packer.Malware.Lighty.F
CAT-QuickHeal        10.00        2009.01.06        TrojanDownloader.Small.ahhm
ClamAV        0.94.1        2009.01.06        -
Comodo        884        2009.01.06        TrojWare.Win32.TrojanDownloader.Small.~NQ
DrWeb        4.44.0.09170        2009.01.06        Trojan.DownLoad.4660
eTrust-Vet        31.6.6294        2009.01.06        Win32/FakeAlert.UA
Ewido        4.0        2008.12.31        -
F-Prot        4.4.4.56        2009.01.06        W32/Trojan3.RF
F-Secure        8.0.14470.0        2009.01.06        Trojan-Downloader.Win32.Small.ahhm
Fortinet        3.117.0.0        2009.01.06        W32/Small.AHHM!tr.dldr
GData        19        2009.01.06        Packer.Malware.Lighty.F
Ikarus        T3.1.1.45.0        2009.01.06        Trojan-Clicker.Win32.Klik
K7AntiVirus        7.10.578        2009.01.06        Trojan-Downloader.Win32.Small.ahhm
Kaspersky        7.0.0.125        2009.01.06        Trojan-Downloader.Win32.Small.ahhm
McAfee        5486        2009.01.05        Generic.dx
McAfee+Artemis        5487        2009.01.06        Generic.dx
Microsoft        1.4205        2009.01.06        PWS:Win32/Ldpinch.BO
NOD32        3743        2009.01.06        Win32/TrojanDownloader.Small.NTQ
Norman        5.80.02        2009.01.06        W32/Zbot.BVQ
Panda        9.0.0.4        2009.01.06        Adware/ProAntispyware2009
PCTools        4.4.2.0        2009.01.06        -
Prevx1        V2        2009.01.06        Malicious Software
Rising        21.11.12.00        2009.01.06        Trojan.Win32.Undef.van
SecureWeb-Gateway        6.7.6        2009.01.06        Trojan.Dldr.Small.ahhm
Sophos        4.37.0        2009.01.06        Mal/EncPk-EQ
Sunbelt        3.2.1809.2        2008.12.22        Trojan.FakeAlert
TheHacker        6.3.1.4.205        2009.01.05        Trojan/Downloader.Small.ahhm
TrendMicro        8.700.0.1004        2009.01.06        TROJ_FAKEAV.LIL
VBA32        3.12.8.10        2009.01.06        Trojan-Downloader.Win32.Agent.auij
ViRobot        2009.1.6.1546        2009.01.06        Trojan.Win32.FakeAV.15000
VirusBuster        4.5.11.0        2009.01.06        Trojan.Klik.A
weitere Informationen
File size: 15000 bytes
MD5...: 708d325c4ae65816a9c6054f669a5f56
SHA1..: 7b4008bfbed5571fe181fa66ee87454a09b6f90a
SHA256: 8bb155620f995e250e3d3e09387ba58ba3d2b66c51d5a3bdf2022266c9178d45
SHA512: 622c2d5e33a07570e83c97344af7c19355b643656b1ab4f5e5a546250782a635
2bf023a6082b4eabf6d880ea2b1cfac6f4c068bdd011c073afd86e1c852dc350
ssdeep: 192:c9K93Uh1O7UqUBaziELVcl4TsG1OSo5R2OGXkB4utk6ZZh+A:c9K9H7UjMma
1g5R6l
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001008
timedatestamp.....: 0x49440237 (Sat Dec 13 18:43:03 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.code 0x1000 0x1000 0x400 3.47 c76420ac393e361622667080ca491e0c
.idata 0x2000 0x2000 0x1600 7.79 611eb23166eeb0db5f00112248c7e54b
.data 0x4000 0x1000 0x800 4.79 cce38e99840c175acea0e1a6a96c5b10
.reloc 0x5000 0x2000 0x200 0.15 b9a28a389cd5a88277ec15d90cd77044

( 3 imports )
> KERNEL32.DLL: Sleep, GetProcAddress, ExitProcess, GetConsoleCursorInfo, Heap32ListFirst, GetStringTypeExW, PrepareTape, GetPrivateProfileStructW, CreateIoCompletionPort, GetAtomNameA, IsDBCSLeadByte, GlobalGetAtomNameA, IsBadHugeReadPtr, GetCurrencyFormatA, FindFirstChangeNotificationA, SetCommMask, GetTapeStatus, GetDefaultCommConfigW, PeekNamedPipe, Thread32First, EnumSystemCodePagesA, EnumCalendarInfoExA, EndUpdateResourceA
> USER32.DLL: SendMessageCallbackW, ArrangeIconicWindows, BroadcastSystemMessageW, UnregisterClassW, DlgDirListComboBoxA, LoadCursorW, CopyRect, GetClassInfoW, InvalidateRgn, UnregisterHotKey, GetWindowTextW, GetFocus, GetKBCodePage, SendInput, OpenWindowStationA, DdeConnect, GetWindowDC, GetMenuItemCount, DialogBoxIndirectParamW, RealChildWindowFromPoint, ChangeDisplaySettingsW, GetSysColor, UnregisterClassA, SetWinEventHook, CreateDesktopA, ToAscii, SetSysColorsTemp, WinHelpA, PackDDElParam
> GDI32.DLL: SetTextJustification, GetICMProfileA, GetObjectW, GetTextFaceW, CreateICA, EnumICMProfilesA, CreatePatternBrush, StartPage, AnimatePalette, GetWindowExtEx, GetMetaFileW, GetCharacterPlacementW, GetStockObject, BeginPath, GetMetaFileA, GetBitmapDimensionEx, SetBkMode, SetViewportOrgEx, PolyDraw, GetBkMode, CreateDIBPatternBrushPt, GetColorAdjustment, GetEnhMetaFileHeader, CreatePenIndirect, GetBkColor, GetBoundsRect, DeleteColorSpace, CancelDC, DeleteMetaFile

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
Die gadcom findet er jetzt nicht mehr. Muß ich nochmal nachsehen.

bakeneko 07.01.2009 11:34
Die gadcom war "verschwunden", bei malwarebytes aber wieder da...hmmm.

Code:
Malwarebytes' Anti-Malware 1.32
Datenbank Version: 1625
Windows 5.1.2600 Service Pack 2

07.01.2009 10:22:41
mbam-log-2009-01-07 (10-22-41).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|)
Durchsuchte Objekte: 131606
Laufzeit: 1 hour(s), 52 minute(s), 39 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 24
Infizierte Registrierungsschlüssel: 46
Infizierte Registrierungswerte: 5
Infizierte Dateiobjekte der Registrierung: 4
Infizierte Verzeichnisse: 1
Infizierte Dateien: 100

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
C:\WINDOWS\system32\arqcykfe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cbXqNeCV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fccccaAq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\axlrsp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wtdhhh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qergrj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\itbhyl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\glezxi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qcrpie.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ugtpei.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gromqd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vpswlf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lceaff.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dcfkxh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wzdgxc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\slpilz.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awengh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bldqdp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tmeubo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xkcgcq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\syswwb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\quykcz.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ejmdtq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rsekd83jde.dll (Trojan.BHO) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{662ef556-1d32-46e0-888b-3303695194cd} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{662ef556-1d32-46e0-888b-3303695194cd} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccccaaq (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8b4428ae-08d2-4526-9ba1-82c10c2dfb48} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8b4428ae-08d2-4526-9ba1-82c10c2dfb48} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8265984b-f5af-4bcd-b76d-ed8751cf6316} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c2df60b2-cd83-4536-8f86-3388ce8d611f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{22d2dbb0-9e59-48e4-9877-f40ea3000887} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{284b08e1-4c87-4e9f-888a-e5d253816c13} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9c8753b1-4982-4424-b491-b6d96b9eeb68} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{24bfb204-db08-40de-931f-146ec2d76dc1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1dc53d1b-abc3-4d1b-9eaa-0775ca396f5c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3a7e9372-e1a3-4097-b698-b18dbd4864bb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3674d453-26e8-453e-83be-f63d51ac6fd0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{438180cf-7066-42ae-bd38-e35a13df9878} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3f8598c3-cffa-4a68-9f38-ac379f083028} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{417fa668-b115-4f9c-85d8-dbdf6e7c301f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{768f19e8-64c5-46a8-9b38-22390f35a520} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c1626168-8745-4738-9918-58389052b3cc} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c1626168-8745-4738-9918-58389052b3cc} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{44ee0707-d9a4-4569-afb3-a547b6926d2f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{215def8e-02a6-452d-a92d-810447bd569b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d202a703-c1d6-48f0-8b49-0f4e304eda3c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6ccb48c5-569e-4931-b865-8f60f2038828} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6cf9f31f-17c1-4fb8-8515-5c0bcbe2ca17} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{662ef556-1d32-46e0-888b-3303695194cd} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2496af42 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbxqnecv -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxqnecv  -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\Dokumente und Einstellungen\***\Anwendungsdaten\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\WINDOWS\system32\cbXqNeCV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\VCeNqXbc.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\VCeNqXbc.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccccaAq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ahqftnjt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tjntfqha.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\arqcykfe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\efkycqra.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iibmrwtg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gtwrmbii.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jdiixahs.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shaxiidj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jrcqcslr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rlscqcrj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kjopnwpm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mpwnpojk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mbhdqwce.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ecwqdhbm.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ngqsleor.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\roelsqgn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\paqcplmc.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmlpcqap.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfeyggtf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ftggyefp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbvjdwdp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pdwdjvbq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yijhmhxn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nxhmhjiy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ylujqqpp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ppqqjuly.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ypngsfhq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qhfsgnpy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ytgpbhed.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dehbpgty.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rsekd83jde.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\axlrsp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wtdhhh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qergrj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\itbhyl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\glezxi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qcrpie.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ugtpei.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gromqd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vpswlf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lceaff.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dcfkxh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wzdgxc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\slpilz.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awengh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bldqdp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tmeubo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xkcgcq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\syswwb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\quykcz.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ejmdtq.dll (Trojan.Vundo) -> Delete on reboot.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\2257539428.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\TDSS60a5.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temporary Internet Files\Content.IE5\0PYBW1MN\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temporary Internet Files\Content.IE5\BYJTTXNF\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FESFVHK5\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temporary Internet Files\Content.IE5\SFTB6MN1\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C0D98CBA-6672-47B1-9E43-2A9DE301BFBF}\RP657\A1330617.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iljjrlfg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aiyqoqel.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awytlnst.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dapjurjt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gsgebhix.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lnnonsll.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tavhkuca.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSarxx.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSnpur.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoitu.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSyoqm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uwahhiit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfGvtQk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnmkigH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnnMefc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twqiibst.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\renrjbnw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bsdpmubv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXRJBUM.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\arortafu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iuysduut.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mykiuxyw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qhxbkase.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vygppz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xnlcbjqp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xwthsmao.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yrjduwht.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ywvtdbsa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ioxbsosa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\abitgvlf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\enxaiqnn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmxwe.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\csrssc.exe (Trojan.Downloader) -> Delete on reboot.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\TDSS60d4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSdxgp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkao.log (Trojan.TDSS) -> Quarantined and deleted successfully.

Code:

01/07/09 10:38:43 [Info]: BlackLight Engine 2.2.1092 initialized
01/07/09 10:38:43 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/07/09 10:38:43 [Note]: 7019 4
01/07/09 10:38:43 [Note]: 7005 0
01/07/09 10:38:47 [Note]: 7006 0
01/07/09 10:38:47 [Note]: 7011 1684
01/07/09 10:38:47 [Note]: 7035 0
01/07/09 10:38:48 [Note]: 7026 0
01/07/09 10:38:48 [Note]: 7026 0
01/07/09 10:38:53 [Note]: FSRAW library version 1.7.1024
01/07/09 11:20:50 [Note]: 7007 0

john.doe 07.01.2009 16:22
Zitat:
Infizierte Dateien: 100
Neuer Rekord. :aplaus:

Seit wann hast du denn schon Probleme?

ciao, andreas

bakeneko 07.01.2009 17:03
Zitat:
Zitat von john.doe (Beitrag 404017)
Neuer Rekord. :aplaus:
Yayyyyyyyyyy!
Party!
:taenzer:


Der machte schon immer wieder mal n paar kleiner Probleme... aber direkt mit dem was ich im Eingangspost beschrieben habe seit ca. 5 Tagen. Ja, ich bin langsam :uglyhammer:
Ich hab, wie der log zeigt mal den Kram mit malwarebytes gelöscht und auch neu gebootet und geh grad noch mal damit drüber, um zu sehen was da nun angezeigt wird.

bakeneko 07.01.2009 17:28
So, das ist auch durch.
Komischerweise hat er noch mal 2 Einträge gefunden, aber zumindest nicht mehr 100.

Code:
Malwarebytes' Anti-Malware 1.32
Datenbank Version: 1627
Windows 5.1.2600 Service Pack 2

07.01.2009 16:19:58
mbam-log-2009-01-07 (16-19-58).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 128811
Laufzeit: 1 hour(s), 18 minute(s), 41 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 2
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

bakeneko 07.01.2009 18:23
Superantispyware war dafür fündig.

Code:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/07/2009 at 05:12 PM

Application Version : 4.21.1004

Core Rules Database Version : 3698
Trace Rules Database Version: 1674

Scan type      : Complete Scan
Total Scan Time : 00:43:35

Memory items scanned      : 551
Memory threats detected  : 3
Registry items scanned    : 6010
Registry threats detected : 60
File items scanned        : 26549
File threats detected    : 14

Adware.Vundo/Variant
        C:\WINDOWS\SYSTEM32\OYQTRX.DLL
        C:\WINDOWS\SYSTEM32\OYQTRX.DLL
        C:\WINDOWS\SYSTEM32\PNUGAJ.DLL
        C:\WINDOWS\SYSTEM32\PNUGAJ.DLL
        C:\WINDOWS\SYSTEM32\NROHQZ.DLL
        C:\WINDOWS\SYSTEM32\NROHQZ.DLL

Parasite.WareOut
        HKLM\Software\Classes\CLSID\{2C3C5EB0-DC2C-BFC8-F54F-4B4383BDC9F9}
        HKCR\CLSID\{2C3C5EB0-DC2C-BFC8-F54F-4B4383BDC9F9}
        HKCR\CLSID\{2C3C5EB0-DC2C-BFC8-F54F-4B4383BDC9F9}\InprocServer32
        FLKPT.DLL
        HKU\S-1-5-21-407680594-2896395932-1110299642-1009\Software\Microsoft\Internet Explorer\URLSearchHooks#{2C3C5EB0-DC2C-BFC8-F54F-4B4383BDC9F9}

Adware.Tracking Cookie
**********************************

Adware.Vundo Variant/Rel
        HKLM\SOFTWARE\Microsoft\MS Juan
        HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
        HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
        HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
        HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
        HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
        HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
        HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
        HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
        HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
        HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
        HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
        HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
        HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
        HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
        HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
        HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
        HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
        HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
        HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
        HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
        HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
        HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
        HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
        HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
        HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
        HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT

Rogue.Component/Trace
        HKLM\Software\Microsoft\2496BDCC
        HKLM\Software\Microsoft\2496BDCC#2496bdcc
        HKLM\Software\Microsoft\2496BDCC#Version
        HKLM\Software\Microsoft\2496BDCC#2496104c
        HKLM\Software\Microsoft\2496BDCC#249679a9
        HKU\S-1-5-21-407680594-2896395932-1110299642-1009\Software\Microsoft\CS41275
        HKU\S-1-5-21-407680594-2896395932-1110299642-1009\Software\Microsoft\FIAS4018

Rootkit.TDSServ
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#type
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#group
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSserv
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSl
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssservers
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssmain
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsslog
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssadw
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssinit
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssurls
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsspanels
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsserrors
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSproc
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#0
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#Count
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#NextInstance
        HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#INITSTARTFAILED

Trojan.Unknown Origin
        C:\SYSTEM VOLUME INFORMATION\_RESTORE{C0D98CBA-6672-47B1-9E43-2A9DE301BFBF}\RP657\A1335709.DLL

Trojan.Dropper/Gen
        C:\T_ONLINE\DRELREST.EXE

Adware.Vundo/Variant-Trace
        C:\WINDOWS\SYSTEM32\SVCMLXYB.INI

Rootkit.TDSServ-Trace
        C:\WINDOWS\SYSTEM32\TDSSMTPE.DAT

john.doe 07.01.2009 18:26
ComboFix wird noch mehr finden.

ciao, andreas

bakeneko 07.01.2009 18:43
Das sind ja gute Aussichten :D

Superantispyware war schon ziemlich gut. Allerdings konnt ich jetzt bein restart 4 mal nicht normal booten. Nur in den abgesicherten Modus. Dann kam beim 3./4. mal die Meldung das ein paar Dateien nicht geladen werden konnten (aus System32, also vemutlich infizierte oder Vundo). Jetzt funzt es wieder.
Normal/Okay oder nicht?

john.doe 07.01.2009 18:47
Nö, alles andere als normal. Poste ein aktuelles HJT-Log bevor du weitermachst. ComboFix noch nicht starten.

War eh etwas verblüfft, das SuperAntiSpyware die Sachen, die MbAm schon gelöscht hat, noch einmal löschen kann.

Kontrolliere die Systemwiederherstellung. Sie muss ausgeschaltet sein.

ciao, andreas

bakeneko 07.01.2009 18:50
Okay.
Was nun? Noch einmal von vorn?


Alle Zeitangaben in WEZ +1. Es ist jetzt 15:07 Uhr.
Seite 1 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55