So, here are the logfiles for now:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:23:39, on 24.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programme\Java\jre1.6.0_05\bin\jusched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programme\Search Settings\SearchSettings.exe
C:\WINDOWS\mrofinu1535.exe
C:\DOKUME~1\DAVIDK~1\LOKALE~1\Temp\winlogan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\DAEMON Tools Lite\daemon.exe
C:\Programme\Windows Live\Messenger\MsnMsgr.Exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Lexmark X1100 Series\lxbkbmon.exe
C:\Programme\ICQ6\ICQ.exe
C:\Programme\Transform XP to Vista\Yahoo! Widgets\Widgets\YahooWidgetEngine.exe
C:\Programme\Transform XP to Vista\Vista Start Menu\VistaStartMenu.exe
C:\DOKUME~1\DAVIDK~1\LOKALE~1\Temp\csrssc.exe
C:\Programme\RALINK\Common\RaUI.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Programme\Search Settings\kb127\SearchSettings.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programme\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SearchSettings] C:\Programme\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3 257
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOKUME~1\DAVIDK~1\LOKALE~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] "C:\Programme\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [YahooWidgetEngine.exe] "C:\Programme\Transform XP to Vista\Yahoo! Widgets\Widgets\YahooWidgetEngine.exe"
O4 - HKCU\..\Run: [VistaStartMenu] "C:\Programme\Transform XP to Vista\Vista Start Menu\VistaStartMenu.exe"
O4 - HKCU\..\Run: [jdgf894jrghoiiskd] C:\DOKUME~1\DAVIDK~1\LOKALE~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOKUME~1\DAVIDK~1\LOKALE~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Programme\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Programme\RALINK\Common\RaUI.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
--
End of file - 8322 bytes
Here is the logfile from the malware program:
Malwarebytes' Anti-Malware 1.18
Datenbank Version: 870
22:09:53 24.06.2008
mbam-log-6-24-2008 (22-09-29).txt
Scan Art: Komplett Scan (C:\|)
Objekte gescannt: 129390
Scan Dauer: 42 minute(s), 21 second(s)
Infizierte Speicher Prozesse: 3
Infizierte Speicher Module: 3
Infizierte Registrierungsschlüssel: 10
Infizierte Registrierungswerte: 10
Infizierte Datei Objekte der Registrierung: 4
Infizierte Verzeichnisse: 1
Infizierte Dateien: 26
Infizierte Speicher Prozesse:
C:\WINDOWS\mrofinu1535.exe (Trojan.Downloader) -> No action taken.
C:\Dokumente und Einstellungen\David Kirkham\Lokale Einstellungen\Temp\winlogan.exe (Trojan.Downloader) -> No action taken.
C:\Dokumente und Einstellungen\David Kirkham\Lokale Einstellungen\Temp\csrssc.exe (Trojan.Downloader) -> No action taken.
Infizierte Speicher Module:
C:\WINDOWS\system32\hgGvwxwV.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\cbXOHBTL.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\jfiehayd.dll (Trojan.Downloader) -> No action taken.
Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3214e537-9d2c-4f55-9ca0-24464573ec6e} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3214e537-9d2c-4f55-9ca0-24464573ec6e} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0f8f84cf-dcba-4426-ac18-30a8ab00c526} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f8f84cf-dcba-4426-ac18-30a8ab00c526} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxohbtl (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0f8f84cf-dcba-4426-ac18-30a8ab00c526} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jdgf894jrghoiiskd (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jdgf894jrghoiiskd (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Backdoor.Bot) -> No action taken.
Infizierte Datei Objekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggvwxwv -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggvwxwv -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.
Infizierte Verzeichnisse:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> No action taken.
Infizierte Dateien:
C:\WINDOWS\system32\hgGvwxwV.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\VwxwvGgh.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\VwxwvGgh.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\cbXOHBTL.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\jfiehayd.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\mrofinu1535.exe (Trojan.Downloader) -> No action taken.
C:\Dokumente und Einstellungen\David Kirkham\Lokale Einstellungen\Temp\winlogan.exe (Trojan.Downloader) -> No action taken.
C:\Dokumente und Einstellungen\David Kirkham\Lokale Einstellungen\Temp\csrssc.exe (Trojan.Downloader) -> No action taken.
C:\d.exe (Backdoor.Bot) -> No action taken.
C:\Dokumente und Einstellungen\David Kirkham\keygen.exe (Trojan.Downloader) -> No action taken.
C:\Dokumente und Einstellungen\David Kirkham\Lokale Einstellungen\Temp\1892824704.exe (Trojan.Downloader) -> No action taken.
C:\Dokumente und Einstellungen\David Kirkham\Lokale Einstellungen\Temp\189823250.exe (Trojan.Downloader) -> No action taken.
C:\Dokumente und Einstellungen\David Kirkham\Lokale Einstellungen\Temp\2778507842.exe (Trojan.Downloader) -> No action taken.
C:\Dokumente und Einstellungen\David Kirkham\Lokale Einstellungen\Temp\2938249856.exe (Trojan.Downloader) -> No action taken.
C:\Dokumente und Einstellungen\David Kirkham\Lokale Einstellungen\Temp\3275364744.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{28FD2971-9997-4828-8211-941A24806C60}\RP138\A0065109.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\mrofinu1535.exe.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\ljJCtrst.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\clbdll.dll (Trojan.Agent) -> No action taken.
C:\kbvxxo.exe (Trojan.Agent) -> No action taken.
C:\mxuxc.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> No action taken.
Thanks in advance