Backdoor / rootkit doersam daily Einstellungen

[r00t]

Hallo (mal wieder)

Hab mich lange nicht mehr sehen lassen, an dieser Stelle sorry dafür. Aber nundenn ... ich hab ein Problem ... es handet sich hierbei um ein Trojaner und / oder Virus der mir gefaikte Windows Sicherheitscenter Meldungen schickt und mir mein Anti viren Programm killt genauso wie den Malwarebytes' Anti-Malwareund sowas...

Hier mal meine Loggfile (die BOLD Punkte sind denke ich verdächtiug)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:32:15, on 06.01.2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\RunDLL32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 cmicnfg3.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://ccfiles.creative.com/Web/softwareup...15108/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Google Update Service (gupdate1ca30ead1ed1c8b) (gupdate1ca30ead1ed1c8b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 6345 bytes

//edit ... ähm wäre nett wenn ich mein system wieder clean bekommen würde ohne die schnell formatier lösung ;/

mfg

Der Beitrag wurde von r00t bearbeitet: 06.01.2010, 05:40

[r00t]

Combofix.log

ComboFix 10-01-04.01 - n3tgh0st 08.01.2010 16:30:46.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.49.1031.18.3326.2457 [GMT 1:00]
ausgeführt von:: c:\users\n3tgh0st\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AntiVir Desktop *disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows-Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500
c:\program files\ICQ6.5\ICQLRun.exe
c:\users\n3tgh0st\AppData\Roaming\Desktopicon
c:\users\n3tgh0st\AppData\Roaming\Desktopicon\eBayShortcuts.exe

.
((((((((((((((((((((((( Dateien erstellt von 2009-12-08 bis 2010-01-08 ))))))))))))))))))))))))))))))
.

2010-01-08 15:34 . 2010-01-08 15:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-08 05:56 . 2010-01-08 05:56 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Malwarebytes
2010-01-08 04:13 . 2010-01-08 04:13 -------- d-----w- C:\rsit
2010-01-07 00:01 . 2010-01-07 00:01 7168 ----a-w- c:\windows\system32\drivers\utczmjuz.sys
2010-01-07 00:00 . 2010-01-07 00:01 -------- d-----w- c:\program files\AVZ
2010-01-06 06:27 . 2010-01-06 07:19 -------- d-----w- c:\users\n3tgh0st\DoctorWeb
2010-01-06 03:14 . 2009-12-30 13:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 03:14 . 2010-01-06 03:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 03:14 . 2010-01-06 03:14 -------- d-----w- c:\programdata\Malwarebytes
2010-01-06 03:14 . 2009-12-30 13:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 03:11 . 2010-01-06 03:11 -------- d-----w- c:\program files\CCleaner
2010-01-06 02:38 . 2010-01-06 02:38 -------- d-----w- c:\program files\Trend Micro
2010-01-06 02:14 . 2010-01-08 05:49 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-06 02:14 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-01-06 02:14 . 2010-01-06 02:14 -------- d-----w- c:\programdata\Avira
2010-01-06 02:14 . 2010-01-06 02:14 -------- d-----w- c:\program files\Avira
2010-01-04 03:18 . 2010-01-04 03:11 2289 ----a-w- c:\users\n3tgh0st\lol.vbs
2010-01-04 03:15 . 2010-01-04 03:11 2289 ----a-w- C:\lol.vbs
2010-01-01 14:42 . 2010-01-01 14:42 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\UDC Profiles
2010-01-01 14:41 . 2009-09-04 14:09 34680 ----a-w- c:\windows\system32\udcpm.dll
2010-01-01 14:41 . 2010-01-01 14:41 -------- d-----w- c:\program files\Universal Document Converter
2010-01-01 14:37 . 2010-01-01 14:40 -------- d-----w- c:\users\n3tgh0st\AppData\Local\Adobe
2010-01-01 14:35 . 2010-01-01 14:35 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-31 12:15 . 2009-12-31 12:19 -------- d-----w- c:\program files\Common Files\Ahead
2009-12-31 12:15 . 2009-12-31 12:15 -------- d-----w- c:\program files\Nero
2009-12-31 11:54 . 2009-12-31 11:54 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Nero
2009-12-31 11:41 . 2009-12-31 12:15 -------- d-----w- c:\programdata\Nero
2009-12-31 11:41 . 2009-12-31 12:10 -------- d-----w- c:\program files\Common Files\Nero
2009-12-13 12:56 . 2009-12-13 12:56 272384 ----a-w- c:\users\n3tgh0st\AppData\Roaming\Acreon\WowMatrix\Modules\curl.exe
2009-12-13 12:56 . 2009-12-13 12:56 196608 ----a-w- c:\users\n3tgh0st\AppData\Roaming\Acreon\WowMatrix\Libraries\wmweb.dll
2009-12-13 12:56 . 2009-12-13 12:56 258048 ----a-w- c:\users\n3tgh0st\AppData\Roaming\Acreon\WowMatrix\Libraries\wmzip.dll
2009-12-13 12:56 . 2009-12-13 12:56 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Acreon
2009-12-13 12:56 . 2009-12-25 07:14 -------- d-----w- c:\users\n3tgh0st\AppData\Local\._Revolution_

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 15:34 . 2009-08-03 14:49 -------- d-----w- c:\program files\ICQ6.5
2010-01-08 14:57 . 2009-08-03 14:15 -------- d-----w- c:\programdata\NVIDIA
2010-01-08 14:57 . 2009-08-03 14:17 33164 ----a-w- c:\programdata\nvModes.dat
2010-01-07 22:24 . 2009-11-22 20:50 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Mumble
2010-01-06 23:50 . 2009-08-05 20:20 -------- d-----w- c:\program files\Curse
2010-01-06 02:18 . 2009-08-03 13:38 1356 ----a-w- c:\users\n3tgh0st\AppData\Local\d3d9caps.dat
2010-01-05 20:29 . 2009-08-03 14:49 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\ICQ
2010-01-01 22:25 . 2006-11-02 15:42 641106 ----a-w- c:\windows\system32\perfh007.dat
2010-01-01 22:25 . 2006-11-02 15:42 116500 ----a-w- c:\windows\system32\perfc007.dat
2009-12-28 00:31 . 2009-08-29 13:13 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\mIRC
2009-12-27 09:59 . 2009-08-29 13:13 -------- d-----w- c:\program files\mIRC
2009-12-23 18:19 . 2009-08-03 16:38 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\teamspeak2
2009-12-07 13:27 . 2009-08-03 16:10 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-12-07 04:10 . 2009-12-07 04:10 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\AVS4YOU
2009-12-07 04:10 . 2009-12-07 04:10 -------- d-----w- c:\programdata\AVS4YOU
2009-12-07 04:10 . 2009-08-03 13:38 60360 ----a-w- c:\users\n3tgh0st\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-07 04:10 . 2009-12-07 04:09 -------- d-----w- c:\program files\AVS4YOU
2009-12-07 04:10 . 2009-12-07 04:09 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-12-07 03:37 . 2009-12-07 03:33 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Ulead Systems
2009-12-07 03:33 . 2009-12-07 03:25 -------- d-----w- c:\programdata\Ulead Systems
2009-12-07 03:27 . 2009-12-07 03:27 -------- d-----w- c:\program files\Common Files\InterVideo
2009-12-07 03:27 . 2009-12-07 03:27 -------- d-----w- c:\programdata\InterVideo
2009-12-07 03:27 . 2009-08-03 14:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-07 03:27 . 2009-08-03 14:35 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-07 03:26 . 2009-12-07 03:26 -------- d-----w- c:\program files\Windows Media Components
2009-12-07 03:26 . 2009-12-07 03:25 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-12-07 03:25 . 2009-12-07 03:25 -------- d-----w- c:\program files\Ulead Systems
2009-11-28 19:04 . 2009-10-25 22:42 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Ventrilo
2009-11-28 09:47 . 2009-08-03 22:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-27 16:10 . 2009-11-27 16:09 -------- d-----w- c:\program files\Ventrilo
2009-11-27 16:09 . 2009-08-03 14:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-27 11:24 . 2009-08-04 17:55 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Skype
2009-11-27 11:24 . 2009-08-04 17:56 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\skypePM
2009-11-27 08:08 . 2009-08-03 22:19 -------- d-----w- c:\program files\Windows Live
2009-11-23 12:33 . 2009-11-23 12:30 -------- d-----w- c:\program files\Mumble
2009-11-21 08:46 . 2009-11-21 08:46 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-11-14 07:44 . 2009-11-14 07:41 -------- d-----w- c:\users\n3tgh0st\AppData\Roaming\Ahead
2009-11-14 07:39 . 2009-11-14 07:39 -------- d-----w- c:\programdata\Ahead
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
"SPIRunE"="SPIRunE.dll" [2009-03-05 18432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 148888]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-02-26 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CurseClient]
2009-06-08 14:51 1934336 ----a-w- c:\program files\Curse\CurseClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883840 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2007-06-18 13:10 271360 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-07-16 11:20 25604904 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
2007-03-03 13:12 341488 ----a-w- c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [06.01.2010 03:14 108289]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [14.07.2009 11:28 239648]
S2 gupdate1ca30ead1ed1c8b;Google Update Service (gupdate1ca30ead1ed1c8b);c:\program files\Google\Update\GoogleUpdate.exe [09.09.2009 02:14 133104]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [13.08.2009 12:45 79360]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [27.11.2009 09:08 54632]
S3 fsssvc;Windows Live Family Safety-Dienst;c:\program files\Windows Live\Family Safety\fsssvc.exe [05.08.2009 22:48 704864]
S3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\System32\drivers\t3.sys [03.08.2009 15:39 413208]
S3 utczmjuz;AVZ Kernel Driver;c:\windows\System32\drivers\utczmjuz.sys [07.01.2010 01:01 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Inhalt des "geplante Tasks" Ordners

2010-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-09 01:13]

2010-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-09 01:13]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://start.icq.com/
FF - ProfilePath - c:\users\n3tgh0st\AppData\Roaming\Mozilla\Firefox\Profiles\umn1bxf2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://de.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:de:official
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX Richtlinien ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-CmPCIaudio - cmicnfg3.cpl



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 16:34
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SPIRunE = Rundll32 SPIRunE.dll,RunDLLEntry?

Scanne versteckte Dateien...


c:\users\n3tgh0st\AppData\Local\Temp\catchme.dll 53248 bytes executable

Scan erfolgreich abgeschlossen
versteckte Dateien: 1

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2010-01-08 16:35:34
ComboFix-quarantined-files.txt 2010-01-08 15:35

Vor Suchlauf: 7 Verzeichnis(se), 31.183.790.080 Bytes frei
Nach Suchlauf: 10 Verzeichnis(se), 31.230.009.344 Bytes frei

- - End Of File - - 08CF3CB1C80E9B605B440CABCF24CCC0


Das ich noch Updaten muss weiss ich bin ich noch nicht zu gekommen.

interessant finde ich irgendwie
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000 was ist das genau ?

ansonsten sehe ich nix verdächtiges


@aido ... Na ich denke da schon nicht das du mir da was wolltest alles kein Problem. Es hört sich ja auch toll an was du mit dem Image so sagst nur habe ich leider kein Image und deswegen müsste ich halt alles neu installieren + einstellungen ect was ich natürlich auch machen würde wenn ich des rootkit net wegbekommen würde aber ich bin ja im Moment wohl auf einem guten weg hoffe ich

Mich würde irgendwie nur noch interessieren was genau dieser triojaner für eine aufgabe hatte DNCChanger ?! Tcp/ip umkonfigurieren ?

mfg

Der Beitrag wurde von r00t bearbeitet: 08.01.2010, 16:57