| |
| |||||||
Log-Analyse und Auswertung: rechner von'virus/hijacker' befallen. bitte um auswertung der logsWindows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML |
 |
13.07.2008, 10:46
| #1 |
 |  rechner von'virus/hijacker' befallen. bitte um auswertung der logs hallo, wäre sehr nett, wenn ihr mir bald helfen könntet...mein rechner ist von einem 'virus/hijacker' befallen...antirusprogramm-nod32-scan hat es nicht gebracht. ich kann unter aderem nicht mehr meinen explorer ('dateien-explorer') öffnen, nicht auf meine systemsteuerung zugreifen, desktophintergrund wurde in ein 'rotes virus bild' geändert, ie fenster ploppen auf mit 'gefakten' virusprogrammen u.s.w. so schaut das desktopbild aus http://www.trojaner-board.de/attachments/1843d1191864903-brauche-hilfe-das-fuer-ein-virus-virus.jpg folgend die zwei logfiles von hijachthis (system scan) und smitfraudfix (option 1), mit der bitte um auswertung und hilfe  Logfile of HijackThis v1.99.1 Scan saved at 10:54: VIRUS ALERT!, on 13.07.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Programme\Windows Defender\MSASCui.exe C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE C:\Programme\Java\jre1.6.0_05\bin\jusched.exe C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe C:\Programme\Winamp\Winampa.exe C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Programme\QuickTime\QTTask.exe C:\Programme\iTunes\iTunesHelper.exe C:\Programme\Canon\MyPrinter\BJMyPrt.exe C:\Programme\ESET\ESET NOD32 Antivirus\egui.exe C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Messenger\msmsgs.exe C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Programme\Windows Desktop Search\WindowsSearch.exe C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe C:\Programme\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Programme\ESET\ESET NOD32 Antivirus\ekrn.exe C:\Programme\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\wscntfy.exe C:\Programme\PC Connectivity Solution\ServiceLayer.exe C:\Programme\iPod\bin\iPodService.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Dokumente und Einstellungen\neizo_\Desktop\this.exe.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {0A87D0F6-1114-4C93-9084-38F8ADB4E9E8} - C:\WINDOWS\system32\urqQkhFx.dll (file missing) O2 - BHO: (no name) - {73984FE0-9702-4C55-9C7B-9BA3C5861F25} - C:\WINDOWS\system32\pmnlmMfG.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: (no name) - {BEC2C894-8B59-4E19-AF1F-E0DBA3C74E90} - C:\WINDOWS\system32\awtRjhfd.dll O2 - BHO: {fab1fe5a-eb38-dbfb-1d24-76c6ecf05e3f} - {f3e50fce-6c67-42d1-bfbd-83bea5ef1baf} - C:\WINDOWS\system32\elsibi.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [Windows Defender] "C:\Programme\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [CTDVDDET] C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe" O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Programme\Canon\SolutionMenu\CNSLMAIN.exe /logon O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [egui] "C:\Programme\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKLM\..\Run: [38f433ae] rundll32.exe "C:\WINDOWS\system32\saugawud.dll",b O4 - HKLM\..\Run: [BM3bc70032] Rundll32.exe "C:\WINDOWS\system32\bibjgwhu.dll",s O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Programme\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Windows-Desktopsuche.lnk = C:\Programme\Windows Desktop Search\WindowsSearch.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\programme\bonjour\mdnsnsp.dll O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/SP.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171724528296 O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://lokalisten.de/iup/ImageUploader4.cab O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/de/TSEasyInstallX.CAB O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{89C95A79-5D48-4E1B-9116-1359ED1424F0}: NameServer = 217.237.151.115 217.237.148.102 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - Winlogon Notify: pmnlmMfG - C:\WINDOWS\SYSTEM32\pmnlmMfG.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programme\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Programme\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Programme\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe SmitFraudFix v2.329 Scan done at 11:02:36,01, 13.07.2008 Run from C:\Dokumente und Einstellungen\neizo_\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Programme\Windows Defender\MSASCui.exe C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE C:\Programme\Java\jre1.6.0_05\bin\jusched.exe C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe C:\Programme\Winamp\Winampa.exe C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Programme\QuickTime\QTTask.exe C:\Programme\iTunes\iTunesHelper.exe C:\Programme\Canon\MyPrinter\BJMyPrt.exe C:\Programme\ESET\ESET NOD32 Antivirus\egui.exe C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Messenger\msmsgs.exe C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Programme\Windows Desktop Search\WindowsSearch.exe C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe C:\Programme\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Programme\ESET\ESET NOD32 Antivirus\ekrn.exe C:\Programme\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\wscntfy.exe C:\Programme\PC Connectivity Solution\ServiceLayer.exe C:\Programme\iPod\bin\iPodService.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Programme\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS C:\WINDOWS\privacy_danger FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\neizo_ »»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\neizo_\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\neizo_\FAVORI~1 C:\DOKUME~1\neizo_\FAVORI~1\Error Cleaner.url FOUND ! C:\DOKUME~1\neizo_\FAVORI~1\Privacy Protector.url FOUND ! C:\DOKUME~1\neizo_\FAVORI~1\Spyware?Malware Protection.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Programme »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm" "SubscribedURL"="" "FriendlyName"="Privacy Protection" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="Die derzeitige Homepage" »»»»»»»»»»»»»»»»»»»»»»»» IEDFix !!!Attention, following keys are not inevitably infected!!! IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» VACFix !!!Attention, following keys are not inevitably infected!!! VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» 404Fix !!!Attention, following keys are not inevitably infected!!! 404Fix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit"="C:\\WINDOWS\\system32\\userinit.exe," "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Rustock »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: WAN (PPP/SLIP) Interface DNS Server Search Order: 217.237.151.115 DNS Server Search Order: 217.237.148.102 HKLM\SYSTEM\CCS\Services\Tcpip\..\{89C95A79-5D48-4E1B-9116-1359ED1424F0}: NameServer=217.237.151.115 217.237.148.102 HKLM\SYSTEM\CS1\Services\Tcpip\..\{89C95A79-5D48-4E1B-9116-1359ED1424F0}: NameServer=217.237.151.115 217.237.148.102 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End |
|
13.07.2008, 12:01
| #2 |
 | rechner von'virus/hijacker' befallen. bitte um auswertung der logs Hallo und
__________________ Lade bitte folgende Dateien nacheinander auf virustotal hoch und lasse sie auswerten. Die Ergebnisse bitte KOMPLETT ins Forum Posten. Code:
ATTFilter C:\WINDOWS\system32\pmnlmMfG.dll
C:\WINDOWS\system32\awtRjhfd.dll
C:\WINDOWS\system32\elsibi.dll
C:\WINDOWS\system32\saugawud.dll
C:\WINDOWS\system32\bibjgwhu.dll
Danach Report posten. |
|
13.07.2008, 12:41
| #3 |
| | rechner von'virus/hijacker' befallen. bitte um auswertung der logs folgend die auswertung zu
__________________pmnlmMfG.dll (obwohl auf meinem rechner die datei mit 29 kb angegeben wird????) 0 bytes size received / Se ha recibido un archivo vacio |
|
13.07.2008, 12:46
| #4 |
| | rechner von'virus/hijacker' befallen. bitte um auswertung der logs folgend die auswertung zu awtRjhfd.dll oder einfach hier die auswertung nachlesen http://www.virustotal.com/de/analisis/63fa930f4b67cc139f01494a1b601844 Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.7.11.0 2008.07.11 - AntiVir 7.8.0.64 2008.07.11 TR/Crypt.XPACK.Gen Authentium 5.1.0.4 2008.07.13 - Avast 4.8.1195.0 2008.07.13 - AVG 7.5.0.516 2008.07.12 - BitDefender 7.2 2008.07.13 - CAT-QuickHeal 9.50 2008.07.11 - ClamAV 0.93.1 2008.07.13 - DrWeb 4.44.0.09170 2008.07.12 Trojan.Virtumod.based.12 eSafe 7.0.17.0 2008.07.10 - eTrust-Vet 31.6.5949 2008.07.12 - Ewido 4.0 2008.07.13 - F-Prot 4.4.4.56 2008.07.13 - F-Secure 7.60.13501.0 2008.07.12 - Fortinet 3.14.0.0 2008.07.13 - GData 2.0.7306.1023 2008.07.13 - Ikarus T3.1.1.26.0 2008.07.13 - Kaspersky 7.0.0.125 2008.07.13 not-a-virus:AdWare.Win32.Virtumonde.aakx McAfee 5337 2008.07.11 - Microsoft 1.3704 2008.07.13 Trojan:Win32/Vundo.gen!R NOD32v2 3263 2008.07.11 - Norman 5.80.02 2008.07.11 - Panda 9.0.0.4 2008.07.13 - Prevx1 V2 2008.07.13 - Rising 20.52.62.00 2008.07.13 - Sophos 4.31.0 2008.07.13 Sus/Behav-200 Sunbelt 3.1.1536.1 2008.07.12 - Symantec 10 2008.07.13 - TheHacker 6.2.96.378 2008.07.13 - TrendMicro 8.700.0.1004 2008.07.11 - VBA32 3.12.6.9 2008.07.12 - VirusBuster 4.5.11.0 2008.07.12 - Webwasher-Gateway 6.6.2 2008.07.11 Trojan.Crypt.XPACK.Gen weitere Informationen File size: 281088 bytes MD5...: 668eaec75c9e9dc5a1bf90b3e0a07975 SHA1..: da0d59aa7bbb461fa54edd508768e6ed40d06823 SHA256: e8afa2dcc4616d5690a1719ee3fb48339c948b2cf98c39c24367f89aaab73efd SHA512: 3f4d6db43269302d9b846e4f590161fc0e44497f5a717f60556269b5c4fa4f1b 399982a46e6c06ddd500b26d5e1aa728c535c1ae1da9a54736de571a1d566e7d PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x100a5000 timedatestamp.....: 0x4c6e6446 (Fri Aug 20 11:17:26 2010) machinetype.......: 0x14c (I386) ( 5 sections ) name viradd virsiz rawdsiz ntrpy md5 .sforce3 0x1000 0x65000 0x6400 7.96 affbb70c60c129f4e4a603caa428a5e8 .RDATA 0x66000 0x3d000 0x3ca00 8.00 998470b8abd37f854c2118d7b737759f .sforce3 0xa3000 0x1000 0xa00 7.24 51f4ef18f881034d9c262d8f74d812c1 .idata 0xa4000 0x1000 0x400 1.56 0157d6e458cc9bfcb3af8c4aa281a6af .brick 0xa5000 0x1000 0x800 7.47 0efdf23827ac3e849858aad5a2f808c0 ( 1 imports ) > kernel32.dll: ExitProcess, GetCommandLineA, GetModuleHandleA, InitializeCriticalSection, MapViewOfFile, lstrlenA, EnumResourceTypesA ( 0 exports ) |
|
13.07.2008, 12:51
| #5 |
| | rechner von'virus/hijacker' befallen. bitte um auswertung der logs folgend die auswertung für elsibi.dll oder einfach hier die auswertung anschauen http://www.virustotal.com/de/analisis/caac8e330063faf67eceed4fcee620ed Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.7.11.0 2008.07.11 - AntiVir 7.8.0.64 2008.07.11 TR/Crypt.XPACK.Gen Authentium 5.1.0.4 2008.07.13 - Avast 4.8.1195.0 2008.07.13 - AVG 7.5.0.516 2008.07.12 - BitDefender 7.2 2008.07.13 - CAT-QuickHeal 9.50 2008.07.11 - ClamAV 0.93.1 2008.07.13 - DrWeb 4.44.0.09170 2008.07.12 - eSafe 7.0.17.0 2008.07.10 Suspicious File eTrust-Vet 31.6.5949 2008.07.12 - Ewido 4.0 2008.07.13 - F-Prot 4.4.4.56 2008.07.13 - F-Secure 7.60.13501.0 2008.07.12 - Fortinet 3.14.0.0 2008.07.13 - GData 2.0.7306.1023 2008.07.13 - Ikarus T3.1.1.26.0 2008.07.13 - Kaspersky 7.0.0.125 2008.07.13 - McAfee 5337 2008.07.11 - Microsoft 1.3704 2008.07.13 Trojan:Win32/Vundo.gen!R NOD32v2 3263 2008.07.11 - Norman 5.80.02 2008.07.11 - Panda 9.0.0.4 2008.07.13 - Prevx1 V2 2008.07.13 Fraudulent Security Program Rising 20.52.62.00 2008.07.13 - Sophos 4.31.0 2008.07.13 Sus/Behav-200 Sunbelt 3.1.1536.1 2008.07.12 - Symantec 10 2008.07.13 - TheHacker 6.2.96.378 2008.07.13 - TrendMicro 8.700.0.1004 2008.07.11 PAK_Generic.001 VBA32 3.12.6.9 2008.07.12 - VirusBuster 4.5.11.0 2008.07.12 - Webwasher-Gateway 6.6.2 2008.07.11 Trojan.Crypt.XPACK.Gen weitere Informationen File size: 112128 bytes MD5...: 06744355b1952a54b38c37c5f667bab8 SHA1..: c6402b5dd3e00f4adcc9245987690d00475ffb8e SHA256: 07774d436e3de0ec31d865156a19ecee950a129f898e4b8e4999833581f1bcfc SHA512: e3841874887cb1a4ffe55f64efe0376bcc25a6a16f89acfc554714c5780ccc3b e33da9cfcd85fdf4c435847c360490b271f446cb2facb039125d1db4d36d88b9 PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x1003a000 timedatestamp.....: 0x4c64ef32 (Fri Aug 13 07:07:30 2010) machinetype.......: 0x14c (I386) ( 5 sections ) name viradd virsiz rawdsiz ntrpy md5 .sforce3 0x1000 0x23000 0x6600 7.96 9087b10ea8034d8d739eee103e655931 .RDATA 0x24000 0x14000 0x13c00 8.00 e259c5e12790153ddf9883263fda8853 .sforce3 0x38000 0x1000 0x400 7.25 ae20046e6344df55bade0d1dabbe959b .idata 0x39000 0x1000 0x400 1.31 d03a9d5c1904896900ea3c4e2df91070 .brick 0x3a000 0x1000 0x600 7.37 89566488fd36b63106b451a5134d6380 ( 1 imports ) > kernel32.dll: ExitProcess, GetVersion, GetVersionExA, LoadResource, OpenFile, lstrcpynA, CloseHandle ( 0 exports ) Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=FD020BE300477BB1B6B5018967D39F00286C80C6 |
|
13.07.2008, 12:56
| #6 |
| | rechner von'virus/hijacker' befallen. bitte um auswertung der logs folgend die auswertung zu saugawud.dll oder die auswertung hier nachlesen http://www.virustotal.com/de/analisis/70fc40c2f3464982d148e2d384fe3ba7 Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 - - - AntiVir - - HEUR/Crypted Authentium - - - Avast - - - AVG - - - BitDefender - - - CAT-QuickHeal - - - ClamAV - - - DrWeb - - - eSafe - - Suspicious File eTrust-Vet - - - Ewido - - - F-Prot - - - F-Secure - - - Fortinet - - - GData - - - Ikarus - - - Kaspersky - - - McAfee - - - Microsoft - - Trojan:Win32/Vundo.gen!E NOD32v2 - - - Norman - - - Panda - - - Prevx1 - - Fraudulent Security Program Rising - - - Sophos - - Sus/Behav-200 Sunbelt - - - Symantec - - - TheHacker - - - TrendMicro - - PAK_Generic.001 VBA32 - - - VirusBuster - - - Webwasher-Gateway - - Heuristic.Crypted weitere Informationen MD5: 77df0ca5c81be9287eada15db86b37a2 SHA1: edceb7e28832ef14987fb122f69cfac381e80350 SHA256: 3db665c5c754c4ae94c6547b08a01809a94e14de7ce8c06610dc4b0b1f19e04d SHA512: 93eb2347b41f94d3263086a6524e47b113e3211d81aae5239678f502b5fb932cd966d2cf8997fb427895dfc3ea89e6bb84467105f4cfec819198d9ef852c9b25 |
|
13.07.2008, 13:00
| #7 |
| | rechner von'virus/hijacker' befallen. bitte um auswertung der logs folgend die auswertung für bibjgwhu.dll oder hier nachschauen http://www.virustotal.com/de/analisis/d7d6f9f453ad2d3327a009000b879a18 Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 - - - AntiVir - - HEUR/Crypted Authentium - - - Avast - - - AVG - - - BitDefender - - - CAT-QuickHeal - - - ClamAV - - - DrWeb - - - eSafe - - Suspicious File eTrust-Vet - - - Ewido - - - F-Prot - - - F-Secure - - - Fortinet - - - GData - - - Ikarus - - - Kaspersky - - - McAfee - - - Microsoft - - Trojan:Win32/Vundo.gen!G NOD32v2 - - - Norman - - - Panda - - - Prevx1 - - Fraudulent Security Program Rising - - - Sophos - - Sus/Behav-200 Sunbelt - - - Symantec - - - TheHacker - - - TrendMicro - - PAK_Generic.001 VBA32 - - - VirusBuster - - - Webwasher-Gateway - - Heuristic.Crypted weitere Informationen MD5: f0f906c2765cf45a0932d46135db5df8 SHA1: ff252532bc5000c2bfb03494a407aabd6df5d351 SHA256: b2b6783b25eebeabfb82ad471859582143c485ba07b5b822ff405b5dfc08006d SHA512: f43f8092c46f4782a466ec410935aa0abbc6955cdf06caff1a37be4baf1b0e267ffcccd18c2bddbe269ef002650bb6cac48e35398968e3e049a4b1d5a54b0fa7 |
|
13.07.2008, 13:25
| #8 |
| | rechner von'virus/hijacker' befallen. bitte um auswertung der logs -Lade dir das Tool Avenger -Kopiere folgenden Text in die weiße Textbox: Code:
ATTFilter Files to delete:
C:\WINDOWS\system32\pmnlmMfG.dll
C:\WINDOWS\system32\awtRjhfd.dll
C:\WINDOWS\system32\elsibi.dll
C:\WINDOWS\system32\saugawud.dll
C:\WINDOWS\system32\bibjgwhu.dll
-nach dem Anmelden erscheint ein Editor Fenster -kopiere den gesamten Inhalt des Fensters hier ins Forum. Danach fixe in HijackThis folgende Einträge: Code:
ATTFilter R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: (no name) - {0A87D0F6-1114-4C93-9084-38F8ADB4E9E8} - C:\WINDOWS\system32\urqQkhFx.dll (file missing)
|
|
13.07.2008, 14:14
| #9 |
| | rechner von'virus/hijacker' befallen. bitte um auswertung der logs o.k. das was du eins weiter oben beschrieben hasst mache ich gleich. jetzt noch hier die auswertung des malewarebytes (infizierte dateien habe ich natürlich gelöscht) Malwarebytes' Anti-Malware 1.20 Datenbank Version: 944 Windows 5.1.2600 Service Pack 2 15:09:57 13.07.2008 mbam-log-7-13-2008 (15-09-57).txt Scan Art: Komplett Scan (C:\|D:\|E:\|) Objekte gescannt: 145032 Scan Dauer: 41 minute(s), 17 second(s) Infizierte Speicher Prozesse: 0 Infizierte Speicher Module: 3 Infizierte Registrierungsschlüssel: 24 Infizierte Registrierungswerte: 4 Infizierte Datei Objekte der Registrierung: 3 Infizierte Verzeichnisse: 6 Infizierte Dateien: 35 Infizierte Speicher Prozesse: (Keine Malware Objekte gefunden) Infizierte Speicher Module: C:\WINDOWS\system32\awtRjhfd.dll (Trojan.Vundo) -> Unloaded module successfully. C:\WINDOWS\system32\saugawud.dll (Trojan.Vundo) -> Unloaded module successfully. C:\WINDOWS\system32\pmnlmMfG.dll (Trojan.Vundo) -> Unloaded module successfully. Infizierte Registrierungsschlüssel: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6ca4e457-b998-4d73-addd-cccc237ae0ee} (Trojan.Vundo) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{6ca4e457-b998-4d73-addd-cccc237ae0ee} (Trojan.Vundo) -> Delete on reboot. HKEY_CLASSES_ROOT\Interface\{42e2b43f-3954-48ec-b549-5c05cb7dbd0a} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{07895222-50a5-4598-acb1-806ef2a9babc} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{bc124914-cd19-4b93-acdd-c9054a58f834} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\antivirus 2008 pro (Rogue.Antivirus2008) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{70e420f8-eb00-4fce-a105-3f675ed241c7} (Trojan.Clicker) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{73984fe0-9702-4c55-9c7b-9ba3c5861f25} (Trojan.Vundo) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73984fe0-9702-4c55-9c7b-9ba3c5861f25} (Trojan.Vundo) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnlmmfg (Trojan.Vundo) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{bb65e151-d4ad-4ba2-ada4-8082cbef587b} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{19fba00f-16d5-49ca-98bd-ba096c976825} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{20490bc2-de6f-4aca-b6d5-e8205ad31b3e} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{5b2d8be4-ba74-44f9-a686-c76cbdde112c} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{74993afd-60a4-4ac1-82d9-e83294e7df67} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{7619f6fd-a169-476d-b8fc-2e790a5a88cb} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ba6e47f3-828f-45a8-850b-051a3cd558f1} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\sqvgnrpx.bwbf (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\sqvgnrpx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully. Infizierte Registrierungswerte: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\38f433ae (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\source (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm3bc70032 (Trojan.Agent) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{73984fe0-9702-4c55-9c7b-9ba3c5861f25} (Trojan.Vundo) -> Delete on reboot. Infizierte Datei Objekte der Registrierung: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtrjhfd -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtrjhfd -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully. Infizierte Verzeichnisse: C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Programme\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\Antivirus 2008 PRO\Infected (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\Antivirus 2008 PRO\Suspicious (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\WINDOWS\system32\778670 (Trojan.BHO) -> Quarantined and deleted successfully. Infizierte Dateien: C:\WINDOWS\system32\awtRjhfd.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\dfhjRtwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\dfhjRtwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\gykpqncd.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\dcnqpkyg.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\saugawud.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\duwaguas.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Dokumente und Einstellungen\neizo_\Lokale Einstellungen\Temp\Zattoo-Update.exe (Adware.Cinmus) -> Quarantined and deleted successfully. C:\Dokumente und Einstellungen\neizo_\Lokale Einstellungen\Temporary Internet Files\Content.IE5\C9N9E8HM\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Dokumente und Einstellungen\neizo_\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FXV5Z0BG\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D2B2D564-C972-4CCC-9EB1-2295895D6526}\RP521\A0126191.exe (Adware.Cinmus) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{D2B2D564-C972-4CCC-9EB1-2295895D6526}\RP553\A0128626.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\egxk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\edussl.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\lqhoehih.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\vehtnqie.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\vmsfdn.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\privacy_danger\images\down.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Programme\Antivirus 2008 PRO\vscan.tsi (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\Antivirus 2008 PRO\zlib.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\WINDOWS\Resources\RomSys.dll (Trojan.Clicker) -> Quarantined and deleted successfully. C:\WINDOWS\system32\bibjgwhu.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\pmnlmMfG.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\BM3bc70032.xml (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\BM3bc70032.txt (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\fdxbameg.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\fsrpknov.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Dokumente und Einstellungen\neizo_\Anwendungsdaten\TmpRecentIcons\antivirus-2008pro.lnk (Rogue.Link) -> Quarantined and deleted successfully. C:\Dokumente und Einstellungen\neizo_\Favoriten\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully. C:\Dokumente und Einstellungen\neizo_\Favoriten\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully. C:\Dokumente und Einstellungen\neizo_\Favoriten\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully. |
|
13.07.2008, 14:35
| #10 |
| | rechner von'virus/hijacker' befallen. bitte um auswertung der logs folgend die 'auswertung' vom avenger Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! File "C:\WINDOWS\system32\pmnlmMfG.dll" deleted successfully. File "C:\WINDOWS\system32\awtRjhfd.dll" deleted successfully. File "C:\WINDOWS\system32\elsibi.dll" deleted successfully. File "C:\WINDOWS\system32\saugawud.dll" deleted successfully. File "C:\WINDOWS\system32\bibjgwhu.dll" deleted successfully. Completed script processing. ******************* Finished! Terminate. |
|
13.07.2008, 14:39
| #11 |
| | rechner von'virus/hijacker' befallen. bitte um auswertung der logs von den zwei einträgen im hijack this war nur noch der drin O2 - BHO: (no name) - {0A87D0F6-1114-4C93-9084-38F8ADB4E9E8} - C:\WINDOWS\system32\urqQkhFx.dll (file missing) ich habe ihn gelöscht...folgend der erneute scan von hijack this, nachdem ich den einen eintrag gelöscht habe. Logfile of HijackThis v1.99.1 Scan saved at 15:34:58, on 13.07.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Programme\Windows Defender\MSASCui.exe C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE C:\Programme\Java\jre1.6.0_05\bin\jusched.exe C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe C:\Programme\Winamp\Winampa.exe C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Programme\QuickTime\QTTask.exe C:\Programme\iTunes\iTunesHelper.exe C:\Programme\Canon\MyPrinter\BJMyPrt.exe C:\Programme\ESET\ESET NOD32 Antivirus\egui.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Messenger\msmsgs.exe C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Programme\Windows Desktop Search\WindowsSearch.exe C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe C:\Programme\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Programme\ESET\ESET NOD32 Antivirus\ekrn.exe C:\Programme\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\SearchIndexer.exe C:\WINDOWS\system32\wscntfy.exe C:\Programme\PC Connectivity Solution\ServiceLayer.exe C:\Programme\iPod\bin\iPodService.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Dokumente und Einstellungen\neizo_\Desktop\this.exe.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: {fab1fe5a-eb38-dbfb-1d24-76c6ecf05e3f} - {f3e50fce-6c67-42d1-bfbd-83bea5ef1baf} - C:\WINDOWS\system32\elsibi.dll (file missing) O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [Windows Defender] "C:\Programme\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [CTDVDDET] C:\Programme\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe" O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Programme\Canon\SolutionMenu\CNSLMAIN.exe /logon O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [egui] "C:\Programme\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Programme\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Windows-Desktopsuche.lnk = C:\Programme\Windows Desktop Search\WindowsSearch.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\programme\bonjour\mdnsnsp.dll O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} (StreamPlug Class) - http://www.streamplug.com/StreamPlug/SP.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171724528296 O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://lokalisten.de/iup/ImageUploader4.cab O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/de/TSEasyInstallX.CAB O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{89C95A79-5D48-4E1B-9116-1359ED1424F0}: NameServer = 217.237.151.115 217.237.148.102 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programme\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Programme\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Hapatrntes - Creative Technology Ltd - (no file) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Programme\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe |
|
13.07.2008, 15:31
| #12 |
| | rechner von'virus/hijacker' befallen. bitte um auswertung der logs Bitte noch folgenden Eintrag in HijackThis fixen: Code:
ATTFilter O2 - BHO: {fab1fe5a-eb38-dbfb-1d24-76c6ecf05e3f} - {f3e50fce-6c67-42d1-bfbd-83bea5ef1baf} - C:\WINDOWS\system32\elsibi.dll (file missing)
|
|
13.07.2008, 16:04
| #13 |
| | rechner von'virus/hijacker' befallen. bitte um auswertung der logs o.k. habe ich gemacht. läuft eigentlich alles wieder bestens. dann ist alles gemacht - oder? dann sag ich schon mal vielen dank für die schnelle und kompetente hilfe!!!!!  |
|
13.07.2008, 16:05
| #14 |
| | rechner von'virus/hijacker' befallen. bitte um auswertung der logs Müsste wieder sauber sein! Alles Gute noch weiterhin, und wenn wiedermal was ist, melde dich  |
|
| Themen zu rechner von'virus/hijacker' befallen. bitte um auswertung der logs |
| 32-bit, analysis, antivirus, attention, bho, bonjour, canon, computer, defender, einstellungen, error, eset nod32, excel, firefox, helfen, hijackthis, home, homepage, ie fenster, internet, internet explorer, malware, mozilla, mozilla firefox, object, privacy protection, rundll, senden, software, solution, spyware, unknown file in winsock lsp, urlsearchhook, userinit.exe, virus alert, virus alert!, windows, windows defender, windows xp, wmid |
Linear-Darstellung
