| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!!Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
15.07.2008, 22:06
| #1 |
| |  Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! Hallo, bräuchte dringend Hilfe bei der Bekämpfung der im Titel genannten Trojaner... Habe über AntiVir schon mehrmals einen Durchlauf gestartet und bei Warnmeldungen des Guard versucht in Quarantäne zu verschieben, den Zugriff zu verweigern bzw zu Löschen.. Allerdings geht das alles anscheinend nicht, die Meldungen kommen sofort wieder.. Der Pfad für die Funde ist beim: TR/Crypt:XPACK.Gen C:\Users\***\AppData\Local\Temp\qsivlial.dll TR/Vundo.Gen C:\Users\***\AppData\Local\...\css4[2] TR/Monder.alx C:\Users\***\AppData\Local\...\labqaass.dll Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 22:22:14, on 15.07.2008 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\RtHDVCpl.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Windows\System32\rundll32.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\System32\rundll32.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\ICQ6\ICQ.exe C:\Windows\ehome\ehmsas.exe C:\Windows\System32\rundll32.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\CCleaner\CCleaner.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Windows\system32\SearchFilterHost.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://alice.aol.de R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://alice.aol.de R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://alice.aol.de R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O1 - Hosts: ::1 localhost O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing) O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [SAFEHOME HotKeys] "C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent O4 - HKCU\..\Run: [7485d71c] rundll32.exe "C:\Users\Matze\AppData\Local\Temp\labqaass.dll",b O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll,#1 O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user') O4 - Global Startup: VPN Client.lnk = ? O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - h**p://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Öffnen mit WordPerfect - c:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - h**p://www.dwnldietool.com/redirect.php (file missing) O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - h**p://www.dwnldietool.com/redirect.php (file missing) O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O13 - Gopher Prefix: O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0A3CCA-F4BC-4BA4-8A5D-AF93824B59B0}: NameServer = 213.191.74.19 62.109.123.197 O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: ProtexisLicensing - Unknown owner - c:\Windows\system32\PSIService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe -- End of file - 10680 bytes Mein System: MS Windows Vista SP1 Intel Core2 Duo CPU E4500 @2.20GHz, 2,2GB RAM, NVIDIA GeForce 8400 GS Jetzt kam gerade noch eine Meldung vom Guard: TR/Monderb.28288.2 C:\Users\***\AppData\Local\...\efcaWoPi.dll Denke mal, dass ich noch ne ganze Menge anderen Müll auf dem Rechner habe.. Da ich leider nicht so bewandert bin, wäre ich hierbei für jede Hilfe sehr dankbar..  Gruß Geändert von MatzeHRo (15.07.2008 um 22:17 Uhr) |
|
16.07.2008, 09:37
| #2 |
  | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! Hi und
__________________ Ja du hast schon ein paar Sachen drauf  Bitte lass als erstes Malwarebytes laufen, lass alles löschen was er findet und poste das Log  Dazu dann bitte auch ein frisches HijackThis Log edit: Bitte editiere deine Links im HJT Log
__________________ |
|
16.07.2008, 16:54
| #3 |
| | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! Alles klar danke erstmal.. Also hab das jetzt gemacht...
__________________Hier der Log von Malwarebytes: Malwarebytes' Anti-Malware 1.20 Datenbank Version: 957 Windows 6.0.6001 Service Pack 1 16:37:31 16.07.2008 mbam-log-7-16-2008 (16-37-31).txt Scan Art: Komplett Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|M:\|) Objekte gescannt: 343140 Scan Dauer: 1 hour(s), 31 minute(s), 25 second(s) Infizierte Speicher Prozesse: 0 Infizierte Speicher Module: 0 Infizierte Registrierungsschlüssel: 9 Infizierte Registrierungswerte: 3 Infizierte Datei Objekte der Registrierung: 0 Infizierte Verzeichnisse: 2 Infizierte Dateien: 6 Infizierte Speicher Prozesse: (Keine Malware Objekte gefunden) Infizierte Speicher Module: (Keine Malware Objekte gefunden) Infizierte Registrierungsschlüssel: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{99ba268b-4021-4739-9945-3c774217fe75} (Trojan.Zlob) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully. Infizierte Registrierungswerte: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7485d71c (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\start (Trojan.Zlob) -> Quarantined and deleted successfully. Infizierte Datei Objekte der Registrierung: (Keine Malware Objekte gefunden) Infizierte Verzeichnisse: C:\Program Files\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully. Infizierte Dateien: C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\sex1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully. C:\Program Files\PCHealthCenter\sex2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully. Und hier der HijackThis Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:57:05, on 16.07.2008 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\RtHDVCpl.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Windows\System32\rundll32.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\System32\rundll32.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\ICQ6\ICQ.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O1 - Hosts: ::1 localhost O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing) O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [SAFEHOME HotKeys] "C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user') O4 - Global Startup: VPN Client.lnk = ? O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - O8 - Extra context menu item: Öffnen mit WordPerfect - c:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O13 - Gopher Prefix: O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0A3CCA-F4BC-4BA4-8A5D-AF93824B59B0}: NameServer = 213.191.74.19 62.109.123.197 O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: ProtexisLicensing - Unknown owner - c:\Windows\system32\PSIService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe -- End of file - 9256 bytes Achso hab die Links jetzt mal komlett rausgenommen, weil ich das irgendwie nicht editiert kriege.. Wenn ich das so mache wie es in der Anleitung steht, erscheinen die ja trotzdem (auch wenn mit **).. Achso, danke nochmal für die schnelle antwort...  Geändert von MatzeHRo (16.07.2008 um 17:07 Uhr) |
|
16.07.2008, 17:13
| #4 | |||||
| | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! Ok, soweit so gut Hast immer noch ne Menge Zeug drauf... Bitte hol die The Avenger(in meiner Signatur zu finden) -Speicher es auf dem Desktop -Starte The Avenger -Gib im weissen feld folgenden text ein: Zitat:
-wenn er fragt ob du Neustarten möchtest, antwortest du mit ja -zum Schluss postest du den Inhalt der C:\Avenger text Datei die dir auch direkt nachdem Neustart geöffnet wird Fixe mit HijackThis folgende Einträge: Zitat:
---->das ganze sollte bei folgenden Einträgen passieren Zitat:
Bitte lade folgende Dateien bei Virustotal hoch und poste das Ergebnis: Zitat:
__________________ Kein Support per PN Zitat:
|
|
16.07.2008, 19:06
| #5 |
| | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! Ok hier die text Datei von The Avenger: Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows Vista ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! Error: file "C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll" not found! Deletion of file "C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\Users\Matze\AppData\Local\Temp\labqaass.dll" not found! Deletion of file "C:\Users\Matze\AppData\Local\Temp\labqaass.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: folder "C:\Program Files\NetProject" not found! Deletion of folder "C:\Program Files\NetProject" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Folder "C:\RecInfo" deleted successfully. Completed script processing. ******************* Finished! Terminate. Wenn ich die angegebenen Einträge mit HijackThis fixen will, dann sind da einige gar nicht mehr drinne, nachdem ich erneut einen Scan gemacht habe.. Poste diesen mal: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:58:59, on 16.07.2008 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\RtHDVCpl.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Windows\System32\rundll32.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\System32\rundll32.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\ICQ6\ICQ.exe C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O1 - Hosts: ::1 localhost O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing) O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [SAFEHOME HotKeys] "C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user') O4 - Global Startup: VPN Client.lnk = ? O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - O8 - Extra context menu item: Öffnen mit WordPerfect - c:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O13 - Gopher Prefix: O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0A3CCA-F4BC-4BA4-8A5D-AF93824B59B0}: NameServer = 213.191.74.19 62.109.123.197 O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: ProtexisLicensing - Unknown owner - c:\Windows\system32\PSIService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe -- End of file - 9643 bytes Also hat er folgende Einträge noch: R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing) O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html Den Rest wohl nicht mehr... Soll ich diese dann trotzdem fixen Und die anderen beiden Einträge bei Virustotal hochladen?? Danke Geändert von MatzeHRo (16.07.2008 um 19:14 Uhr) |
|
17.07.2008, 13:23
| #6 | |
| | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! Mach bitte nochmals ein neues HijackThis logfile und poste es Du hast es wohl bevor du The Avenger hast laufen lassen gemacht Ich benötige eins nachdem du The Avenger angewendet hast Die Dateien musst du trozdem auf VirusTotal hochladen und das Ergebnis posten Dann lässt du aber bevor du ein Log mit HijackThis machst nochmals The Avenger laufen und gibst folgenden text ein: Zitat:
__________________ --> Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! |
|
18.07.2008, 12:39
| #7 |
| | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! So hier erstmal die Ergebnisse von VirusTotal:  für C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL: Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.7.17.0 2008.07.18 - AntiVir 7.8.0.68 2008.07.18 - Authentium 5.1.0.4 2008.07.18 W32/HackTool.AYE Avast 4.8.1195.0 2008.07.18 - AVG 8.0.0.130 2008.07.18 - BitDefender 7.2 2008.07.18 - CAT-QuickHeal 9.50 2008.07.17 AdTool.MyWebSearch.az (Not a Virus) ClamAV 0.93.1 2008.07.18 Adware.Search-2 DrWeb 4.44.0.09170 2008.07.18 - eSafe 7.0.17.0 2008.07.17 - eTrust-Vet 31.6.5965 2008.07.18 - Ewido 4.0 2008.07.18 - F-Prot 4.4.4.56 2008.07.18 W32/HackTool.AYE F-Secure 7.60.13501.0 2008.07.18 AdTool.Win32.MyWebSearch.az Fortinet 3.14.0.0 2008.07.18 W32/MyWebSearch GData 2.0.7306.1023 2008.07.18 - Ikarus T3.1.1.34.0 2008.07.18 - Kaspersky 7.0.0.125 2008.07.18 not-a-virus:AdTool.Win32.MyWebSearch.az McAfee 5341 2008.07.18 potentially unwanted program MWS Microsoft 1.3704 2008.07.18 - NOD32v2 3278 2008.07.18 Win32/Toolbar.AskSBar Norman 5.80.02 2008.07.18 - Panda 9.0.0.4 2008.07.17 - Prevx1 V2 2008.07.18 - Rising 20.53.42.00 2008.07.18 - Sophos 4.31.0 2008.07.18 - Sunbelt 3.1.1536.1 2008.07.17 - Symantec 10 2008.07.18 - TheHacker 6.2.96.381 2008.07.16 Adware/MyWebSearch.az TrendMicro 8.700.0.1004 2008.07.18 - VirusBuster 4.5.11.0 2008.07.17 - Webwasher-Gateway 6.6.2 2008.07.18 - weitere Informationen File size: 245760 bytes MD5...: 59dbfe16aa20144cb11e7fc8b2d21eaa SHA1..: b4403810c1db8482c5a26b418499a8643e4a6410 SHA256: 809bbfa3fb67c79f1901b159b754dd955c5defe28d5879f91972d269d706d55c SHA512: 83ce6c1631d36ebc19be3fc178932f41fdef7c7f8a9dd5d3631527a25f894936 477a053ad96d65ba58b8775732741b52af1edc390b260009775406b05df36297 PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x1000eb25 timedatestamp.....: 0x45819f8c (Thu Dec 14 19:01:32 2006) machinetype.......: 0x14c (I386) ( 6 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x26d92 0x27000 6.50 06d14cbba9a26ba977ecdd7e3825f2b0 .rdata 0x28000 0x3f31 0x4000 5.89 0e7139b9c1817ab81c376e1cb2a5b0bd .data 0x2c000 0x2c37 0x2000 4.73 4628324c0af12e567302d475666b04ef AskTBarS 0x2f000 0x258 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110 .rsrc 0x30000 0x9a58 0xa000 4.92 4cef46525fd59ceb4ec1a33f9237c1f9 .reloc 0x3a000 0x2964 0x3000 5.91 745bcfa73ad4db53c10d428dcfa3b45e ( 8 imports ) > COMCTL32.dll: - > ADVAPI32.dll: RegQueryValueExA, RegCloseKey, RegQueryInfoKeyA, RegCreateKeyExA, RegEnumKeyA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyExA, RegDeleteValueA, RegSetValueExA, RegEnumValueA, RegFlushKey > GDI32.dll: ExtTextOutA, SetBkColor, GetRgnBox, CreateRectRgnIndirect, CreateFontIndirectA, DeleteObject, GetDeviceCaps, GetStockObject, SetTextColor, GetTextColor, GetTextExtentPoint32A, GetTextMetricsA, SelectObject, GetTextExtentPoint32W, GetObjectType, GetBitmapBits, GetObjectA, SetBkMode, RectInRegion, OffsetRgn, LineTo, MoveToEx, CreatePen, SelectClipRgn, SetPixel, GetBkColor, SelectClipPath, EndPath, CloseFigure, BeginPath, UpdateColors, DeleteDC, BitBlt, RealizePalette, SelectPalette, CreateCompatibleDC, CreateCompatibleBitmap, CreatePalette, CreateRectRgn, CreateBitmap, GetPixel, SetWindowOrgEx, OffsetWindowOrgEx > KERNEL32.dll: SetFileAttributesA, MultiByteToWideChar, WideCharToMultiByte, SizeofResource, LoadResource, FindResourceA, lstrcmpiA, IsDBCSLeadByte, HeapDestroy, InterlockedIncrement, InterlockedDecrement, LoadLibraryA, FlushInstructionCache, GetCurrentProcess, GetCurrentThreadId, GetSystemDirectoryA, CreateThread, GetLocalTime, CopyFileA, FindClose, FindNextFileA, FindFirstFileA, DebugBreak, HeapReAlloc, HeapFree, GetShortPathNameA, SetCurrentDirectoryA, LockResource, FlushFileBuffers, SetFilePointer, SetThreadPriority, ResumeThread, GetUserDefaultLangID, CompareFileTime, SystemTimeToFileTime, WritePrivateProfileSectionA, GetPrivateProfileIntA, GetPrivateProfileStringA, SetEvent, ResetEvent, CreateEventA, GetCommandLineA, GetDriveTypeA, GetFileAttributesA, GetCurrentDirectoryA, WaitForMultipleObjects, WritePrivateProfileStringA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, SetLastError, RemoveDirectoryA, HeapCreate, GetVersionExA, GetSystemInfo, HeapAlloc, DisableThreadLibraryCalls, DeleteCriticalSection, InitializeCriticalSection, LoadLibraryExA, GetProcAddress, EnterCriticalSection, FreeLibrary, LeaveCriticalSection, GetModuleHandleA, lstrlenW, DeleteFileA, CreateProcessA, CreateFileA, GetFileSize, ReadFile, WriteFile, GetExitCodeProcess, lstrcpyA, GetLastError, GetModuleFileNameA, CreateDirectoryA, lstrcmpA, GetTickCount, GetCurrentProcessId, WaitForSingleObject, ReleaseMutex, lstrlenA, lstrcpynA, lstrcatA, CreateMutexA, CloseHandle, GetWindowsDirectoryA, MoveFileA > ole32.dll: CoCreateGuid, CLSIDFromProgID, CoGetInterfaceAndReleaseStream, CreateOleAdviseHolder, OleRegGetMiscStatus, OleRegGetUserType, OleRegEnumVerbs, CoTaskMemRealloc, CoTaskMemAlloc, CoTaskMemFree, CoCreateInstance, StringFromGUID2, CoFreeUnusedLibraries, CoMarshalInterThreadInterfaceInStream > OLEAUT32.dll: -, -, -, -, -, -, -, -, -, - > USER32.dll: GetAsyncKeyState, GetIconInfo, CreateIcon, DestroyIcon, GetWindow, GetClassNameA, BeginPaint, GetClientRect, EndPaint, InvalidateRect, IntersectRect, EqualRect, OffsetRect, SetWindowRgn, SetWindowPos, IsWindow, DestroyWindow, SetFocus, GetFocus, IsChild, GetClassInfoExA, LoadCursorA, CreateWindowExA, ShowWindow, UnionRect, PtInRect, GetKeyState, CharNextA, LoadStringA, MessageBoxA, CallWindowProcA, GetWindowLongA, DefWindowProcA, SetWindowLongA, SetForegroundWindow, PostMessageA, GetParent, GetWindowRect, MapWindowPoints, GetSysColor, SendMessageA, SetTimer, PostQuitMessage, KillTimer, wsprintfA, GetMessageA, TranslateMessage, DispatchMessageA, GetWindowLongW, IsWindowUnicode, SetWindowLongW, CallWindowProcW, DefWindowProcW, MoveWindow, RegisterClassExA, UpdateWindow, ReleaseCapture, DrawIconEx, TrackPopupMenuEx, GetUpdateRgn, ClientToScreen, ScreenToClient, SetCapture, GetForegroundWindow, ValidateRect, DrawEdge, GetActiveWindow, IsRectEmpty, GetMessagePos, GetMessageTime, CallNextHookEx, SetWindowsHookExA, EnumWindows, PeekMessageA, GetWindowThreadProcessId, GetKeyboardType, SystemParametersInfoA, ReleaseDC, GetDC, IsWindowVisible, LoadImageA, SetWindowTextA, GetWindowTextLengthA, SetRectEmpty, EnableMenuItem, GetMenuItemInfoA, CheckMenuItem, GetWindowDC, GetDesktopWindow, SetMenuItemInfoA, InflateRect, CreatePopupMenu, DrawTextW, DrawTextA, CreateWindowExW, GetWindowTextA, GetWindowTextW, SetWindowTextW, AppendMenuW, AppendMenuA, DestroyMenu, IsMenu, CopyRect, SetRect, UnregisterClassA, WindowFromPoint, GetCursorPos, GetCapture, SubtractRect, FindWindowA, AdjustWindowRectEx, UnhookWindowsHookEx, CreateIconIndirect > VERSION.dll: GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA ( 6 exports ) DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, O, Update für C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL: Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.7.17.0 2008.07.18 - AntiVir 7.8.0.68 2008.07.18 - Authentium 5.1.0.4 2008.07.18 W32/HackTool.BAC Avast 4.8.1195.0 2008.07.18 - AVG 8.0.0.130 2008.07.18 - BitDefender 7.2 2008.07.18 - CAT-QuickHeal 9.50 2008.07.17 AdTool.MyWebSearch.az (Not a Virus) ClamAV 0.93.1 2008.07.18 - DrWeb 4.44.0.09170 2008.07.18 - eSafe 7.0.17.0 2008.07.17 - eTrust-Vet 31.6.5965 2008.07.18 - Ewido 4.0 2008.07.18 - F-Prot 4.4.4.56 2008.07.18 W32/HackTool.BAC F-Secure 7.60.13501.0 2008.07.18 AdTool.Win32.MyWebSearch.az Fortinet 3.14.0.0 2008.07.18 W32/MyWebSearch GData 2.0.7306.1023 2008.07.18 - Ikarus T3.1.1.34.0 2008.07.18 not-a-virus:AdTool.Win32.MyWebSearch.az Kaspersky 7.0.0.125 2008.07.18 not-a-virus:AdTool.Win32.MyWebSearch.az McAfee 5341 2008.07.18 potentially unwanted program MWS Microsoft 1.3704 2008.07.18 - NOD32v2 3278 2008.07.18 Win32/Toolbar.MyWebSearch Norman 5.80.02 2008.07.18 - Panda 9.0.0.4 2008.07.17 Application/MyWebSearch Prevx1 V2 2008.07.18 - Rising 20.53.42.00 2008.07.18 - Sophos 4.31.0 2008.07.18 - Sunbelt 3.1.1536.1 2008.07.17 - Symantec 10 2008.07.18 - TheHacker 6.2.96.381 2008.07.16 Adware/MyWebSearch.az TrendMicro 8.700.0.1004 2008.07.18 - VBA32 3.12.8.0 2008.07.17 - VirusBuster 4.5.11.0 2008.07.17 - Webwasher-Gateway 6.6.2 2008.07.18 - weitere Informationen File size: 57344 bytes MD5...: 30e4c0a012ae80e8479523a8d9a3217f SHA1..: f5e602af05e25de625fd401f9492a66659ea20b7 SHA256: 23b4fd1592eed3c2d06877fa909ed13985e0d3ca76db856cb216a1ec6af4c5cd SHA512: cd9e775e448c78bc370d4d208a6383308f596d01409d0909c0cbfb34fe9adf2b 410764d3e9c245001d013581f97335edc70c1fb7c090c5e1c011d4e6342e52ca PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x1000565a timedatestamp.....: 0x455b32f7 (Wed Nov 15 15:32:07 2006) machinetype.......: 0x14c (I386) ( 6 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x6dc2 0x7000 6.36 cb8bd9828556612bf1f2369de628aeae .rdata 0x8000 0x1855 0x2000 4.45 0c3ab818e61c3548d8d150cba105b8bc .data 0xa000 0xc4e 0x1000 3.12 d5514a93e0115940557f6d76d9e5fb53 AskTBar_ 0xb000 0x18 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110 .rsrc 0xc000 0xb38 0x1000 3.79 b50d55c755368358e903e7a4850d4f54 .reloc 0xd000 0x960 0x1000 3.83 e9cde1bc5a3a8bd46e028f1c65563641 ( 6 imports ) > ADVAPI32.dll: RegDeleteKeyA, RegCreateKeyExA, RegDeleteValueA, RegCloseKey, RegOpenKeyExA, RegEnumKeyExA, RegSetValueExA, RegQueryInfoKeyA, RegEnumValueA, RegFlushKey, RegQueryValueExA > KERNEL32.dll: DeleteCriticalSection, lstrlenW, lstrcatA, lstrlenA, lstrcpyA, LeaveCriticalSection, EnterCriticalSection, SystemTimeToFileTime, GetLocalTime, CompareFileTime, lstrcmpA, lstrcpynA, InitializeCriticalSection, DisableThreadLibraryCalls, HeapAlloc, GetSystemInfo, GetVersionExA, HeapCreate, InterlockedIncrement, InterlockedDecrement, FlushInstructionCache, GetCurrentProcess, MultiByteToWideChar, GetShortPathNameA, GetModuleHandleA, GetModuleFileNameA, WideCharToMultiByte, CreateThread, SizeofResource, LoadResource, FindResourceA, GetLastError, LoadLibraryExA, lstrcmpiA, IsDBCSLeadByte, HeapDestroy, GetProcAddress, LoadLibraryA, DebugBreak, HeapReAlloc, HeapFree, GetSystemDirectoryA, GetUserDefaultLangID, CloseHandle, ReleaseMutex, WaitForSingleObject, CreateMutexA, GetDriveTypeA, GetFileAttributesA, UnmapViewOfFile, CreateFileMappingA, MapViewOfFile, SetLastError, WaitForMultipleObjects, SetEvent, ResetEvent, SetThreadPriority, ResumeThread, CreateEventA, GetCurrentThreadId, GetCurrentProcessId, FreeLibrary > ole32.dll: CoCreateGuid, StringFromGUID2, CoCreateInstance, CoTaskMemRealloc, CoTaskMemAlloc, CoTaskMemFree > OLEAUT32.dll: -, -, -, -, -, -, - > USER32.dll: CharNextA, wsprintfA, GetWindowLongA, SetWindowLongA, GetClassNameA, CallWindowProcA, CreateWindowExA, RegisterClassExA, LoadCursorA, GetClassInfoExA, GetKeyboardType, UnregisterClassA, GetWindowThreadProcessId, DestroyWindow, EnumWindows, DefWindowProcA, PostMessageA, IsWindow, PeekMessageA > VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA ( 4 exports ) DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer |
|
18.07.2008, 14:51
| #8 |
| | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows Vista ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! Error: file "C:\Users\Matze\AppData\Local\Temp\efcaWoPi.dll" not found! Deletion of file "C:\Users\Matze\AppData\Local\Temp\efcaWoPi.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Completed script processing. ******************* Finished! Terminate. Geändert von MatzeHRo (18.07.2008 um 15:42 Uhr) |
|
18.07.2008, 15:46
| #9 |
| | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! und hier noch das Logfile: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 22:22:14, on 15.07.2008 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\RtHDVCpl.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Windows\System32\rundll32.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\System32\rundll32.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\ICQ6\ICQ.exe C:\Windows\ehome\ehmsas.exe C:\Windows\System32\rundll32.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\CCleaner\CCleaner.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Windows\system32\SearchFilterHost.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://alice.aol.de R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://alice.aol.de R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://alice.aol.de R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O1 - Hosts: ::1 localhost O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing) O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [SAFEHOME HotKeys] "C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent O4 - HKCU\..\Run: [7485d71c] rundll32.exe "C:\Users\Matze\AppData\Local\Temp\labqaass.dll",b O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll,#1 O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user') O4 - Global Startup: VPN Client.lnk = ? O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Öffnen mit WordPerfect - c:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldietool.com/redirect.php (file missing) O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.dwnldietool.com/redirect.php (file missing) O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O13 - Gopher Prefix: O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0A3CCA-F4BC-4BA4-8A5D-AF93824B59B0}: NameServer = 213.191.74.19 62.109.123.197 O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: ProtexisLicensing - Unknown owner - c:\Windows\system32\PSIService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe -- End of file - 10680 bytes |
|
18.07.2008, 16:21
| #10 | ||
| | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! Ok bitte starte nochmals The Avenger und gib folgendes im weissen Feld ein: Zitat:
Dasselbe mit SmitfraudFix Und zum Schluss nochmals ein frisches HijackThis Logfile.
__________________ Kein Support per PN Zitat:
|
|
18.07.2008, 18:56
| #11 |
| | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! Ok hier erstmal das Logfile von The Avenger: Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows Vista ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! File "C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL" deleted successfully. File "C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL" deleted successfully. Error: could not open file "C:\RecInfo\RecInfo.exe" Deletion of file "C:\RecInfo\RecInfo.exe" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: file "C:\Users\Matze\AppData\Local\Temp\labqaass.dll" not found! Deletion of file "C:\Users\Matze\AppData\Local\Temp\labqaass.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll" not found! Deletion of file "C:\Users\Matze\AppData\Local\Temp\iiffExvV.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: could not open file "C:\Program Files\NetProject\sbmntr.exe" Deletion of file "C:\Program Files\NetProject\sbmntr.exe" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: folder "C:\RecInfo" not found! Deletion of folder "C:\RecInfo" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: folder "C:\Program Files\NetProject" not found! Deletion of folder "C:\Program Files\NetProject" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Folder "C:\Program Files\AskTBar" deleted successfully. Completed script processing. ******************* Finished! Terminate. Nach dem Neustart zeigt er mir allerdings das an: Windows - Kein Datenträger Exception Processing Message 0xc0000013 Parameters 0x75E192A0 0x00000004 0x75E192A0 0x75E192A0  |
|
18.07.2008, 19:27
| #12 |
| | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! So bei Blacklight hat er nichts gefunden, daher hat er mir wohl auch kein Logfile angezeigt... Hier ist das von SmitFraudFix: SmitFraudFix v2.329 Scan done at 20:15:20,08, 18.07.2008 Run from C:\Users\Matze\Desktop\SmitfraudFix OS: Microsoft Windows [Version 6.0.6001] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost ::1 localhost »»»»»»»»»»»»»»»»»»»»»»»» VACFix VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix S!Ri's WS2Fix: LSP not Found. »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» IEDFix IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» 404Fix 404Fix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» DNS HKLM\SYSTEM\CS2\Services\Tcpip\..\{FC0A3CCA-F4BC-4BA4-8A5D-AF93824B59B0}: NameServer=213.191.74.19 62.109.123.197 »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End |
|
18.07.2008, 19:31
| #13 |
| | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! Und hier noch das Logfile von Hijackthis: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:28:10, on 18.07.2008 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\RtHDVCpl.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\ICQ6\ICQ.exe C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Internet Explorer\ieuser.exe c:\program files\winamp toolbar\WinampTbServer.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing) R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O1 - Hosts: ::1 localhost O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL (file missing) O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: (no name) - {C4EA560F-5247-463E-BD72-4CF1C25590D5} - C:\Users\Matze\AppData\Local\Temp\wvUnOEuV.dll (file missing) O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing) O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (file missing) O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" O4 - HKLM\..\Run: [recinfo4] c:\RecInfo\RecInfo.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [SAFEHOME HotKeys] "C:\Program Files\Steganos Safe Home\SteganosHotKeyService.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe" -autorun O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user') O4 - Global Startup: VPN Client.lnk = ? O8 - Extra context menu item: &Winamp Toolbar Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Öffnen mit WordPerfect - c:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O13 - Gopher Prefix: O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{FC0A3CCA-F4BC-4BA4-8A5D-AF93824B59B0}: NameServer = 213.191.74.19 62.109.123.197 O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: ProtexisLicensing - Unknown owner - c:\Windows\system32\PSIService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe -- End of file - 9089 bytes Und kannst du mir schon sagen wie ob es jetzt besser aussieht???:aplaus: |
|
19.07.2008, 11:09
| #14 | |||
| | Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! Ok Ja sieht schon besser aus, aber dieses RecInfo will wohl einfach nicht verschwinden  Kannnst du bitte mal selbst nachschauen ob du C:\RecInfo und dementsprechenden C:\Recinfo\Recinfo.exe findest? Dasselbe bitte mit C:\Program Files\NetProject Nun fixe mit HijackThis folgende Einträge: Zitat:
Zitat:
__________________ Kein Support per PN Zitat:
|
|
| Themen zu Benötige Hilfe beim Bekämpfen von TR/Monder.alx, TR/Vundo.Gen, TR/Crypt.XPACK.Gen!!! |
| adobe, antivir, ask toolbar, avg, avira, bho, cpu, defender, dringend, firefox, gservice, helper, hijack, hijackthis, hkus\s-1-5-18, home, internet, internet explorer, local\temp, magix, mozilla, mozilla firefox, pop-up-blocker, poweriso, programdata, quara, rundll, software, solution, system, temp, tr/crypt.xpack.ge, tr/crypt.xpack.gen, tr/vundo.gen, urlsearchhook, vista, warnmeldungen, windows, windows defender, windows sidebar, xpack.gen |
Linear-Darstellung
