|
bekomme virtumonde nicht entfernt Hallo liebe Leute, laut Spybot habe ich mir das Biest Virtumonde eingefangen. Jedesmal wenn ich Ihn entfernen will ist er beim Neustart wieder da. Desweiteren komme ich zwar in mein Windows Sicherheitscenter rein aber ich kann die automatischen Updates nicht aktivieren. Scheint blockiert zu sein. Die WIndows Vorschläge habe ich schon abgearbeitet. Hat aber nichts genutzt. Dankle für Eure Hilfe. Anbei das Logfile. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:08:12, on 06.11.2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe c:\APPS\HIDSERVICE\HIDSERVICE.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Microsoft SQL Server\MSSQL$DATEV_CL_DE01\Binn\sqlservr.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\system32\svchost.exe C:\Programme\TwonkyMedia\TwonkyMedia.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\Programme\TwonkyMedia\TwonkyMediaServer.exe C:\WINDOWS\system32\wscntfy.exe C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programme\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\RunDll32.exe C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Programme\Internet Explorer\iexplore.exe C:\Programme\Internet Explorer\iexplore.exe C:\Programme\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.packardbell.de/services/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services] ftps.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: bmnet.dll O10 - Unknown file in Winsock LSP: bmnet.dll O10 - Unknown file in Winsock LSP: bmnet.dll O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\ger.htm O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab O16 - DPF: {3B36B017-7E49-426B-95B0-B5CECD83C2E2} (IfolorUploader Control) - http://chkr-web.ifolor.net/ORDERINGGENERAL/LowRes/app_support/ActiveX/IfolorUploader_chkr.cab O18 - Filter hijack: text/html - (no CLSID) - (no file) O20 - AppInit_DLLs: luptms.dll O21 - SSODL: SKOEfobjU - {48F32FD0-E259-857A-11BC-D8A06E0F9ABA} - C:\WINDOWS\system32\qdlply.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: TwonkyVision MediaServer (TwonkyVision_Media_Server) - PacketVideo - C:\Programme\TwonkyMedia\TwonkyMedia.exe -- End of file - 5871 bytes |
Hi, Bitte folgende Files prüfen: Dateien Online überprüfen lassen:
Code: C:\WINDOWS\system32\qdlply.dll
Also: Anleitung Avenger (by swandog46) 1.) Lade dir das Tool Avenger und speichere es auf dem Desktop: http://saved.im/mzi3ndg3nta0/aven.jpg 2.) Das Programm so einstellen wie es auf dem Bild zu sehen ist. Kopiere nun folgenden Text in das weiße Feld: (bei -> "input script here") Code: Registry values to replace with dummy: 4.) Um den Avenger zu starten klicke auf -> Execute Dann bestätigen mit "Yes" das der Rechner neu startet! 5.) Nachdem das System neu gestartet ist, findest du hier einen Report vom Avenger -> C:\avenger.txt Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board. Hijackthis, fixen: öffne das HijackThis -- Button "scan" -- vor den nachfolgenden Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten Beim fixen müssen alle Programme geschlossen sein! Code: O20 - AppInit_DLLs: luptms.dllMalwarebytes Antimalware (MAM). Anleitung&Download hier: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html Fullscan und alles bereinigen lassen! Log posten. Chris |
Danke für die schnelle Antwort. Virusscan sagt bei Datei C:\WINDOWS\system32\ftps.exe 0 bytes size received Bei dieser Datei hat Virusscan nach 30 Min immer noch nicht übertragen C:\WINDOWS\system32\qdlply.dll Mit dieser Datei geht es C:\WINDOWS\system32\luptms.dll Ergebnis: Datei luptms.dll empfangen 2008.11.07 09:04:44 (CET) Status: Beendet Ergebnis: 4/36 (11.11%) Filter Filter Drucken der Ergebnisse Drucken der Ergebnisse Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.11.7.1 2008.11.06 - AntiVir 7.9.0.26 2008.11.07 - Authentium 5.1.0.4 2008.11.06 - Avast 4.8.1248.0 2008.11.06 - AVG 8.0.0.161 2008.11.07 - BitDefender 7.2 2008.11.07 - CAT-QuickHeal 9.50 2008.11.07 - ClamAV 0.94.1 2008.11.07 - DrWeb 4.44.0.09170 2008.11.07 - eSafe 7.0.17.0 2008.11.06 Suspicious File eTrust-Vet 31.6.6195 2008.11.06 - Ewido 4.0 2008.11.06 - F-Prot 4.4.4.56 2008.11.06 - F-Secure 8.0.14332.0 2008.11.07 - Fortinet 3.117.0.0 2008.11.07 - GData 19 2008.11.07 - Ikarus T3.1.1.45.0 2008.11.07 - K7AntiVirus 7.10.518 2008.11.06 - Kaspersky 7.0.0.125 2008.11.07 - McAfee 5426 2008.11.06 - Microsoft 1.4104 2008.11.07 Trojan:Win32/Conhook.D NOD32 3593 2008.11.07 - Norman 5.80.02 2008.11.06 - Panda 9.0.0.4 2008.11.06 - PCTools 4.4.2.0 2008.11.06 - Prevx1 V2 2008.11.07 Cloaked Malware Rising 21.02.41.00 2008.11.07 - SecureWeb-Gateway 6.7.6 2008.11.06 - Sophos 4.35.0 2008.11.07 - Sunbelt 3.1.1783.2 2008.11.05 - Symantec 10 2008.11.07 Trojan.Vundo TheHacker 6.3.1.1.143 2008.11.07 - TrendMicro 8.700.0.1004 2008.11.07 - VBA32 3.12.8.9 2008.11.06 - ViRobot 2008.11.6.1456 2008.11.07 - VirusBuster 4.5.11.0 2008.11.06 - weitere Informationen File size: 113664 bytes MD5...: a2c392888077453983ad673d8339aa78 SHA1..: b6776d459feb3cc3a5ad89cef99b5fbc73093bb7 SHA256: 1cad949fb51d7b04155d3e747de0e78129108d83d82713f1d612d0543025a270 SHA512: 6f3e47747258d399551e6732ee61080fa366e6a080ffd061ab6b7d98ca63736e f9b96f55a71bce38615fb33430fc7993ed3372c07457d641e41b3fc8b357e0fc PEiD..: - TrID..: File type identification Win32 Executable Generic (58.6%) Clipper DOS Executable (13.8%) Generic Win/DOS Executable (13.7%) DOS Executable Generic (13.7%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x10001cb0 timedatestamp.....: 0x491288a7 (Thu Nov 06 06:03:19 2008) machinetype.......: 0x14c (I386) ( 7 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x2e53 0x2800 6.09 0af7bafa4c1740e0a41d9079ef139a63 .data 0x4000 0x15a74 0x1200 5.63 f8913069c7af35cf9ab3b86630bef2ca .bdata 0x1a000 0x20d 0x400 3.28 7a9323c9e13b7a72c9c04228a4419e42 .jdata 0x1b000 0xb825 0x1400 7.71 b9cce4047139f8d0b71ca1067d3e4ef5 .edata 0x27000 0x1fcfa 0x15a00 7.99 c2b20169e18616b53ded68439122836f .rsrc 0x47000 0x314 0x400 2.93 f412b105e3760a88e523a13ceb056f56 .reloc 0x48000 0x71c 0x800 5.43 851a8e724354ffdcdd4c94ce3f1540a0 ( 5 imports ) > kernel32.dll: CallNamedPipeW, CancelWaitableTimer, ContinueDebugEvent, CreateEventW, CreateToolhelp32Snapshot, CreateWaitableTimerW, DebugActiveProcess, ExitProcess, FoldStringW, GetCPInfoExA, GetCPInfoExW, GetCommMask, GetCommState, GetCommandLineW, GetConsoleFontSize, GetConsoleTitleA, GetCurrentProcess, GetFileSize, GetMailslotInfo, GetModuleFileNameA, GetModuleHandleW, GetProcessPriorityBoost, GetProfileSectionA, GetStringTypeW, GetTempPathA, GetUserDefaultLCID, GlobalLock, Heap32ListFirst, InitializeCriticalSectionAndSpinCount, InterlockedExchange, IsBadWritePtr, LoadResource, OpenEventA, QueryDosDeviceA, RemoveDirectoryA, RtlFillMemory, RtlMoveMemory, RtlZeroMemory, SetFileAttributesA, SetHandleCount, SetLocaleInfoW, SetThreadAffinityMask, Sleep, SwitchToThread, VDMOperationStarted, VirtualProtect, WriteConsoleOutputW, _lclose, _lread, lstrcmpA, lstrcmpiA > user32.dll: AnimateWindow, CloseWindow, DdeCreateDataHandle, DialogBoxIndirectParamW, DlgDirSelectExW, DrawIconEx, EndPaint, EnumClipboardFormats, EnumDisplaySettingsA, ExitWindowsEx, FrameRect, GetCaretBlinkTime, GetClassInfoW, GetClassWord, GetClientRect, GetMenuInfo, GetMenuStringA, GetMenuStringW, GetParent, GetSystemMenu, IsCharLowerA, LoadAcceleratorsA, LoadCursorFromFileW, MonitorFromPoint, OemKeyScan, RealGetWindowClassW, SetLastErrorEx, SetMenu, SetWindowLongA, SetWindowPlacement, ShowWindow, UnregisterClassA, WinHelpW, mouse_event > gdi32.dll: CreateDIBPatternBrush, CreateRectRgn, CreateSolidBrush, EnumFontsW, GdiComment, GetBrushOrgEx, GetClipBox, GetClipRgn, GetColorSpace, GetDIBits, GetEnhMetaFileDescriptionA, GetMetaFileBitsEx, GetPath, GetPixelFormat, GetTextColor, GetTextFaceA, GetTextFaceW, GetTextMetricsW, GetWindowExtEx, PaintRgn, PathToRegion, PolyTextOutW, SetFontEnumeration, SetGraphicsMode, UpdateColors > comdlg32.dll: FindTextW, GetOpenFileNameW > msvcrt.dll: _execlp, _execvpe, _expand, _snwprintf, _strlwr, _strnicmp, _wcsicmp, _wexecve, fgetws, mblen, pow, remove, strlen, towupper ( 22 exports ) BdtqCyfMymA, BjrpynpdNnX, GMcErqlqbhy, Hrnbqjlmxejt, IkvhexzmgsLjuo, MkfegevrtGsqle, NmthpyjpszRK, QflGqgaVdKhz, QqXansevufx, RhgdhhBZzqnkyp, RyqxgxGgwKu, SAcxbvafi, SHsiMz, SZikflq, TdSsWucmgxvju, UcsrxWuphK, UwnmRka, ViysZpqdxq, VlfxzvizIPoO, VxdylbRa, YSGnWun, ZghjqgACih Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=0C1D4EA6007EBBCFBCCB01E7236AE400E76A60B2 |
Hier das Ergebnis vom Avenger: Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! File "C:\WINDOWS\system32\qdlply.dll" deleted successfully. File "C:\WINDOWS\system32\luptms.dll" deleted successfully. File "C:\WINDOWS\system32\ftps.exe" deleted successfully. Error: folder "C:\Programme\Save" not found! Deletion of folder "C:\Programme\Save" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: folder "C:\Programme\BearShare" not found! Deletion of folder "C:\Programme\BearShare" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" replaced with dummy successfully. Completed script processing. ******************* Finished! Terminate. |
Hi, bitte noch HJ-fixen und dann MAM und als letztes ein neues HJ-Log... Es sieht so aus (bei der Erkennungsrate), dass da eine neue Welle noch nicht bekannter Varianten anrollt... chris |
Vielen Dank das scheint geholfen zu haben. Hier meine Hausaufgaben :-) Sieht glaube ich ganz gut aus oder versteckt sich da noch etwas? Gruß Jan Malwarebytes' Anti-Malware 1.30 Datenbank Version: 1371 Windows 5.1.2600 Service Pack 3 07.11.2008 10:49:20 mbam-log-2008-11-07 (10-49-20).txt Scan-Methode: Vollständiger Scan (C:\|D:\|) Durchsuchte Objekte: 94771 Laufzeit: 42 minute(s), 8 second(s) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 2 Infizierte Registrierungsschlüssel: 17 Infizierte Registrierungswerte: 2 Infizierte Dateiobjekte der Registrierung: 2 Infizierte Verzeichnisse: 3 Infizierte Dateien: 29 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: C:\WINDOWS\system32\ilaqlton.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\khfgETKc.dll (Trojan.Vundo.H) -> Delete on reboot. Infizierte Registrierungsschlüssel: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{40e94113-4007-4d40-bed7-ee18399c57bf} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{40e94113-4007-4d40-bed7-ee18399c57bf} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0a25cb9d-24b5-4147-995d-4ce85ed0cbb0} (Trojan.BHO.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{0a25cb9d-24b5-4147-995d-4ce85ed0cbb0} (Trojan.BHO.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28972e74-24b5-4147-995d-4ce85ed0cbb0} (Trojan.BHO.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{28972e74-24b5-4147-995d-4ce85ed0cbb0} (Trojan.BHO.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{75abcf92-9764-4dfa-a83f-5142c3905052} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d1c4e81-a32a-416b-bcdb-33b3ef3617d3} (Adware.Need2Find) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75abcf92-9764-4dfa-a83f-5142c3905052} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\antiviruspro2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. Infizierte Registrierungswerte: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\48f32f60 (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{75abcf92-9764-4dfa-a83f-5142c3905052} (Trojan.Vundo) -> Quarantined and deleted successfully. Infizierte Dateiobjekte der Registrierung: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\khfgetkc -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfgetkc -> Delete on reboot. Infizierte Verzeichnisse: C:\Programme\AntivirusPro2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\data (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\Microsoft.VC80.CRT (Rogue.Antivirus2008) -> Quarantined and deleted successfully. Infizierte Dateien: C:\WINDOWS\system32\khfgETKc.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\cKTEgfhk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\cKTEgfhk.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ilaqlton.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\notlqali.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\jwmjqfhi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ihfqjmwj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\nonjuxht.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\thxujnon.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\xbvtpecq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\qceptvbx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\qinhjxkh.dll (Trojan.BHO.H) -> Quarantined and deleted successfully. C:\Dokumente und Einstellungen\Guenter\Lokale Einstellungen\Temporary Internet Files\Content.IE5\UFXA8BB8\upd105320[2] (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\AntivirusPro2009.cfg (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\AntivirusPro2009.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\AVEngn.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\htmlayout.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\pthreadVC2.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\wscui.cpl (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\data\daily.cvd (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\Microsoft.VC80.CRT\msvcm80.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\Microsoft.VC80.CRT\msvcp80.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Programme\AntivirusPro2009\Microsoft.VC80.CRT\msvcr80.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\WINDOWS\system32\winpfz33.sys (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\services.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\U.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Dokumente und Einstellungen\Guenter\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\AntivirusPro2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully. C:\Dokumente und Einstellungen\Guenter\delself.bat (Malware.Trace) -> Quarantined and deleted successfully. ______________________________________________________________ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:53:53, on 07.11.2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe c:\APPS\HIDSERVICE\HIDSERVICE.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Microsoft SQL Server\MSSQL$DATEV_CL_DE01\Binn\sqlservr.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\system32\svchost.exe C:\Programme\TwonkyMedia\TwonkyMedia.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\Programme\TwonkyMedia\TwonkyMediaServer.exe C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programme\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\RunDll32.exe C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Programme\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.packardbell.de/services/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell O2 - BHO: {25fc5c79-bccc-66ba-b334-8bc49fa1f91e} - {e19f1af9-4cb8-433b-ab66-cccb97c5cf52} - C:\WINDOWS\system32\vqxsmf.dll O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: bmnet.dll O10 - Unknown file in Winsock LSP: bmnet.dll O10 - Unknown file in Winsock LSP: bmnet.dll O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\ger.htm O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab O16 - DPF: {3B36B017-7E49-426B-95B0-B5CECD83C2E2} (IfolorUploader Control) - http://chkr-web.ifolor.net/ORDERINGGENERAL/LowRes/app_support/ActiveX/IfolorUploader_chkr.cab O18 - Filter hijack: text/html - (no CLSID) - (no file) O20 - Winlogon Notify: qoMfeBTm - qoMfeBTm.dll (file missing) O20 - Winlogon Notify: reset5e - C:\WINDOWS\SYSTEM32\reset5e.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: Twonky Vision MediaServer (TwonkyVision_Media_Server) - PacketVideo - C:\Programme\TwonkyMedia\TwonkyMedia.exe -- End of file - 5855 bytes |
Hi, ja: O2 - BHO: {25fc5c79-bccc-66ba-b334-8bc49fa1f91e} - {e19f1af9-4cb8-433b-ab66-cccb97c5cf52} - C:\WINDOWS\system32\vqxsmf.dll O20 - Winlogon Notify: reset5e - C:\WINDOWS\SYSTEM32\reset5e.dll Bitte online prüfen lassen (kannst Du ja jetzt schon ;o)... Falls erkannt: Avenger: Anleitung Avenger (by swandog46) 1.) Lade dir das Tool Avenger und speichere es auf dem Desktop: http://saved.im/mzi3ndg3nta0/aven.jpg 2.) Das Programm so einstellen wie es auf dem Bild zu sehen ist. Kopiere nun folgenden Text in das weiße Feld: (bei -> "input script here") Code: registry keys to delete:4.) Um den Avenger zu starten klicke auf -> Execute Dann bestätigen mit "Yes" das der Rechner neu startet! 5.) Nachdem das System neu gestartet ist, findest du hier einen Report vom Avenger -> C:\avenger.txt Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board. Hijackthis, fixen: öffne das HijackThis -- Button "scan" -- vor den nachfolgenden Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten Beim fixen müssen alle Programme geschlossen sein! Code: O2 - BHO: {25fc5c79-bccc-66ba-b334-8bc49fa1f91e} - {e19f1af9-4cb8-433b-ab66-cccb97c5cf52} - C:\WINDOWS\system32\vqxsmf.dllPrevx: (Log posten bei Fund, ohne cookies) http://www.prevx.com/freescan.asp RSIT Random's System Information Tool (RSIT) von random/random liest Systemdetails aus und erstellt ein aussagekräftiges Logfile. Lade Random's System Information Tool (RSIT) herunter (http://filepony.de/download-rsit/) speichere es auf Deinem Desktop. Starte mit Doppelklick die RSIT.exe. Klicke auf Continue, um die Nutzungsbedingungen zu akzeptieren. Wenn Du HijackThis nicht installiert hast, wird RSIT das für Dich herunterladen und installieren. In dem Fall bitte auch die Nutzungsbedingungen von Trend Micro (http://de.trendmicro.com/de/home) für HJT akzeptieren "I accept". Wenn Deine Firewall fragt, bitte RSIT erlauben, ins Netz zu gehen. Der Scan startet automatisch, RSIT checkt nun einige wichtige System-Bereiche und produziert Logfiles als Analyse-Grundlage. Wenn der Scan beendet ist, werden zwei Logfiles erstellt und in Deinem Editor geöffnet. Bitte poste den Inhalt von C:\rsit\log.txt und C:\rsit\info.txt (<= minimiert) hier in den Thread. chris Ps.: Da einige Trojan-Downloader aktiv waren besteht die akute Gefahr, das neue Trojaner etc. nachgeladen wurden die in den "alten" Logs nicht auftauchten... Das Spiel lässt sich so lange fortsetzten bis es gelingt auf einen Schlag alles zu erwischen... Daher möglichst wenig Online gehen ... |
Hi hier meine Hausaufgaben 2. Teil. in 4 Teilen:-) ist wohl zu lang. Ganz schön hartnäckig die Biester. Gruß Jan reset5e.dll Datei reset5e.dll empfangen 2008.11.04 21:03:19 (CET) Status: Beendet Ergebnis: 14/36 (38.89%) Filter Filter Drucken der Ergebnisse Drucken der Ergebnisse Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 - - - AntiVir - - - Authentium - - - Avast - - Win32:FakeAlert-AJ AVG - - Dropper.Bravix.K BitDefender - - Packer.Malware.Lighty.O CAT-QuickHeal - - - ClamAV - - - DrWeb - - Trojan.Packed.1208 eSafe - - - eTrust-Vet - - - Ewido - - - F-Prot - - - F-Secure - - - Fortinet - - - GData - - Packer.Malware.Lighty.O Ikarus - - Packer.Malware.Lighty.O K7AntiVirus - - - Kaspersky - - - McAfee - - - Microsoft - - VirTool:Win32/Obfuscator.DF NOD32 - - Win32/Packed.Lighty.Gen Norman - - W32/Smalltroj.HZVD Panda - - Spyware/Virtumonde PCTools - - Trojan.Virantix!sd6 Prevx1 - - - Rising - - - SecureWeb-Gateway - - - Sophos - - Troj/FakeAle-JL Sunbelt - - - Symantec - - Trojan.Virantix.C TheHacker - - - TrendMicro - - - VBA32 - - - ViRobot - - Backdoor.Win32.UltimateDefender.10240.E VirusBuster - - - weitere Informationen MD5: f2d023d8248d40433e441093be017491 SHA1: 868600ff3d9347dae94f7c9be7790be722c5d520 SHA256: 367bcdbe4a115e6daf6b92e32301caa7d5e5de9cf6e7a4bc176461e726c898bc SHA512: f16e116e7919942aa6d36d9ca878f3ee9c4f61d6f0509cb53c1fb3ac5b6dbaa61dea9462d73d32265f195519e6bc9dcdd6eefb974a5d4a2016da795fb78baf5e Datei vqxsmf.dll empfangen 2008.11.07 12:17:54 (CET) Status: Beendet Ergebnis: 2/36 (5.56%) Filter Filter Drucken der Ergebnisse Drucken der Ergebnisse Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.11.7.1 2008.11.07 - AntiVir 7.9.0.26 2008.11.07 - Authentium 5.1.0.4 2008.11.07 - Avast 4.8.1248.0 2008.11.06 - AVG 8.0.0.161 2008.11.07 - BitDefender 7.2 2008.11.07 - CAT-QuickHeal 9.50 2008.11.07 - ClamAV 0.94.1 2008.11.07 - DrWeb 4.44.0.09170 2008.11.07 - eSafe 7.0.17.0 2008.11.06 Suspicious File eTrust-Vet 31.6.6195 2008.11.06 - Ewido 4.0 2008.11.06 - F-Prot 4.4.4.56 2008.11.07 - F-Secure 8.0.14332.0 2008.11.07 - Fortinet 3.117.0.0 2008.11.07 - GData 19 2008.11.07 - Ikarus T3.1.1.45.0 2008.11.07 - K7AntiVirus 7.10.518 2008.11.06 - Kaspersky 7.0.0.125 2008.11.07 - McAfee 5426 2008.11.06 - Microsoft 1.4104 2008.11.07 Trojan:Win32/Conhook.D NOD32 3593 2008.11.07 - Norman 5.80.02 2008.11.06 - Panda 9.0.0.4 2008.11.06 - PCTools 4.4.2.0 2008.11.06 - Prevx1 V2 2008.11.07 - Rising 21.02.42.00 2008.11.07 - SecureWeb-Gateway 6.7.6 2008.11.07 - Sophos 4.35.0 2008.11.07 - Sunbelt 3.1.1783.2 2008.11.05 - Symantec 10 2008.11.07 - TheHacker 6.3.1.1.143 2008.11.07 - TrendMicro 8.700.0.1004 2008.11.07 - VBA32 3.12.8.9 2008.11.06 - ViRobot 2008.11.7.1457 2008.11.07 - VirusBuster 4.5.11.0 2008.11.06 - weitere Informationen File size: 116736 bytes MD5...: ee91fa41516bfc4d1facee5b5c306a52 SHA1..: b7abe0bd36269dc31508c90da45d8c2f20bc0091 SHA256: 4a4d9cf1c71c9de203b533958b2cee9dba4e8eadcb363e701fe5f1f2c6fb10d6 SHA512: 92b9f57fa9cdf82294b779328f14e2bbd83196f0908705ba85013df7cb79bbb1 ad563b51984ccd759fee70c4f3c8d6462d6120a7895cd4550b82bbbdd183ba6f PEiD..: - TrID..: File type identification Win32 Executable Generic (58.4%) Clipper DOS Executable (13.8%) Generic Win/DOS Executable (13.7%) DOS Executable Generic (13.7%) VXD Driver (0.2%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x10001ec0 timedatestamp.....: 0x4913da25 (Fri Nov 07 06:03:17 2008) machinetype.......: 0x14c (I386) ( 7 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x3392 0x2e00 6.06 0de0597919f940ef52c9d4e6d5c20436 .data 0x5000 0x15cae 0x1400 5.19 e867a6d5b25753f3efb741945d1c0433 .kdata 0x1b000 0x2ca 0x400 4.30 338bcf581b5f2310f697f1b6da0ccf23 .idata 0x1c000 0x12ba3 0x8800 7.92 77e01cf6a32850025bef8c77b41b6039 .wdata 0x2f000 0x18cab 0xe800 7.99 76eba8cfb4fe01728e5fbbe6fdc4fe16 .rsrc 0x48000 0x330 0x400 3.04 41ae01fb45527161e7854282de4b0efe .reloc 0x49000 0x824 0xa00 5.27 cc08567dc53ec3156f273e7600d61029 ( 5 imports ) > kernel32.dll: BackupSeek, BeginUpdateResourceW, CreateSemaphoreW, ExitProcess, ExitThread, FindFirstFileW, FormatMessageW, GetCommMask, GetCommState, GetConsoleInputWaitHandle, GetEnvironmentVariableW, GetFileAttributesW, GetFileSize, GetFullPathNameW, GetHandleInformation, GetModuleFileNameA, GetNamedPipeInfo, GetNumberOfConsoleMouseButtons, GetPrivateProfileIntA, GetProcessPriorityBoost, GetProfileIntW, GetTempPathA, GetThreadTimes, HeapSummary, InterlockedExchangeAdd, IsBadStringPtrW, LocalFlags, ReadConsoleOutputA, ResetEvent, RtlFillMemory, RtlMoveMemory, RtlZeroMemory, SetCommConfig, SetConsoleIcon, SetConsoleNumberOfCommandsA, SetConsoleNumberOfCommandsW, Sleep, VirtualProtect, WritePrivateProfileSectionW, WriteProfileSectionA, lstrcmpA, lstrcmpiA > user32.dll: BroadcastSystemMessageA, CascadeChildWindows, CharNextA, CloseWindowStation, CountClipboardFormats, CreateDialogIndirectParamW, CreateWindowStationA, DdeInitializeA, DdePostAdvise, DefDlgProcW, DestroyIcon, DestroyMenu, EndDialog, EndPaint, GetCaretPos, GetClassWord, IsCharAlphaNumericA, MessageBoxIndirectA, MonitorFromWindow, OemToCharW, OffsetRect, ReleaseCapture, ReplyMessage, SendDlgItemMessageW, SendMessageTimeoutW, SetClipboardViewer, SetMenu, SetScrollRange, ToAscii, ToUnicode, UnhookWindowsHookEx, ValidateRect, WinHelpW > gdi32.dll: CreateBitmapIndirect, CreateEllipticRgnIndirect, CreateICA, CreateRectRgn, CreateScalableFontResourceA, DeleteMetaFile, DeleteObject, EnumFontFamiliesExW, FixBrushOrgEx, GdiComment, GetCharacterPlacementA, GetClipBox, GetClipRgn, GetColorSpace, GetDeviceCaps, GetEnhMetaFileDescriptionA, GetICMProfileW, GetMetaRgn, GetNearestColor, GetObjectA, GetPath, GetPixel, GetPixelFormat, GetTextFaceA, GetTextFaceW, OffsetClipRgn, ScaleViewportExtEx, SetDeviceGammaRamp, SetTextJustification, TranslateCharsetInfo > advapi32.dll: AccessCheckAndAuditAlarmA, AccessCheckAndAuditAlarmW, AllocateLocallyUniqueId, AreAnyAccessesGranted, ConvertToAutoInheritPrivateObjectSecurity, CryptGetDefaultProviderW, ElfOpenBackupEventLogW, ElfRegisterEventSourceW, LsaQuerySecret, ObjectCloseAuditAlarmW, OpenBackupEventLogW, OpenThreadToken, RegCreateKeyW, RegEnumKeyExA, RegGetKeySecurity, ReportEventW, StartServiceW > msvcrt.dll: _Getmonths, _execve, _fpclass, _heapmin, _setsystime, _sleep, _wcslwr, _wfopen, _wspawnl, islower, iswctype, iswgraph, strrchr, strtok, system, wcsncmp ( 30 exports ) AdslmquKn, AkeazuXlNpbp, AyZhFHlIDr, BzKhmx, CNngmKuxqgvfg, CccoqoORigDj, DObZaQmb, EfesiTxo, FJkfeVuL, HazDtxxogwly, HibeZMAZNtcha, HxktkitlgI, KgqpdfqDxbig, KqqbjENtPosam, NLDRghxygS, NbtUtIker, PsgsjlYEzmCzYj, PuevGihnKkbTXR, REhmhnactff, RjGtvpkThCfqro, RrraUKnlkGltvv, RthJzltjtpDr, SdajrvgGKphk, TNMxcmfxOCKdt, TUjnQwEqr, UMcgnsDyM, UqcjxnayAKym, VstiCb, ZhZygWzgNt, ZmyrsopxdqWPrj Avanger Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! File "C:\WINDOWS\system32\vqxsmf.dll" deleted successfully. File "C:\WINDOWS\SYSTEM32\reset5e.dll" deleted successfully. Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\reset5e" deleted successfully. Completed script processing. ******************* Finished! Terminate. Previx Prevx Scan Log - Version v3.0.0.136 Log Generated: 7/11/2008 12:57, Type: 0,0 Some non-malicious files are not included in this log. Last Scan: Thu 1970-01-01 01:00:00 Westeuropäische Normalzeit. Number of Scans: 0 [R<R00000010>] (ACTIVE) \\.\PhysicalDrive0\MBR [PX5: 0000000000000000000000000000000000000002] Malware Group: Rootkit.MBR [G] C:\WINDOWS\system32\rundll32.exe [PX5: 044EF60A00BCA32984A2003396ABA600BF975B81] [G] C:\WINDOWS\system32\notepad.exe [PX5: 0BE996480094FF11128201400A0F9A00E19129AE] [G] C:\WINDOWS\system32\usmt\migwiz.exe [PX5: D7AD192700D631AFDAA3039B3B684F001FA1007A] [G] C:\WINDOWS\system32\mobsync.exe [PX5: BA095FAB00CB46B7340C020A24EABF00D3A2EFFD] [G] C:\WINDOWS\system32\tourstart.exe [PX5: DD750B42007AE77D4C8205932D0D340053859E99] [G] C:\Programme\Windows Media Player\wmplayer.exe [PX5: 3F8CE510004F3C32FA0B00EFD191E50011C1D21D] [G] C:\Programme\Outlook Express\msimn.exe [PX5: 29170BA300B66EAEEC1A0098F080220057F60706] [G] C:\WINDOWS\system32\magnify.exe [PX5: 5607FC590076E05F1E9601635E5A0100FEA92D97] [G] C:\WINDOWS\system32\cleanmgr.exe [PX5: 1DFB49E000389E7F00100105A3F022009EA097BD] [G] C:\WINDOWS\system32\utilman.exe [PX5: B9D56641005C0FE1C43100A2BB056500AEACD58E] [G] C:\WINDOWS\system32\cmd.exe [PX5: 45DE8E210057067422080606F4B6C60031C3C64C] [G] C:\Programme\Real\RealPlayer\realplay.exe [PX5: E906D9D52D53A42B209603E34D33AE00710609FE] [G] C:\WINDOWS\system32\mspaint.exe [PX5: 4681FADB00DE6E434A4605477AA9580065AB6E3B] [G] C:\Programme\Internet Explorer\IEXPLORE.EXE [PX5: FD54413BC8C3C667B393099C90D97A001ADCA6AF] [G] C:\WINDOWS\explorer.exe [PX5: CD746763002B8BEED2F00FDC583A42003E38EFDB] [G] C:\Programme\Outlook Express\wab.exe [PX5: 0F0E376900814DFFB49D004825D9CA00F5D3B1D8] [G] C:\WINDOWS\system32\rcimlby.exe [PX5: D799DE4F00C4E8218CF9005304D1CF0044C5E5FA] [G] C:\WINDOWS\system32\osk.exe [PX5: CBB8A2A8003F814F4E8B03D4BA13D200C687D5AF] [G] C:\WINDOWS\system32\restore\rstrui.exe [PX5: 9C282F9A000EC472E2A60574F928F500637193E2] End of Prevx Scan Log - http://www.prevx.com |
RSIT SCAN: Logfile of random's system information tool 1.04 (written by random/random) Run by Guenter at 2008-11-07 13:06:10 Microsoft Windows XP Home Edition Service Pack 3 System drive C: has 26 GB (37%) free of 70 GB Total RAM: 1919 MB (76% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:06:12, on 07.11.2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe c:\APPS\HIDSERVICE\HIDSERVICE.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Microsoft SQL Server\MSSQL$DATEV_CL_DE01\Binn\sqlservr.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\system32\svchost.exe C:\Programme\TwonkyMedia\TwonkyMedia.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\Programme\TwonkyMedia\TwonkyMediaServer.exe C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programme\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Programme\PrevxCSI\prevxcsi.exe C:\Programme\PrevxCSI\prevxcsi.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Dokumente und Einstellungen\Guenter\Desktop\RSIT.exe C:\Programme\Trend Micro\HijackThis\Guenter.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = eXtra R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: bmnet.dll O10 - Unknown file in Winsock LSP: bmnet.dll O10 - Unknown file in Winsock LSP: bmnet.dll O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\ger.htm O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {3B36B017-7E49-426B-95B0-B5CECD83C2E2} (IfolorUploader Control) - http://chkr-web.ifolor.net/ORDERINGG...oader_chkr.cab O18 - Filter hijack: text/html - (no CLSID) - (no file) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: CSIScanner (csiscanner) - Prevx - C:\Programme\PrevxCSI\prevxcsi.exe O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: TwonkyVision MediaServer (TwonkyVision_Media_Server) - PacketVideo - C:\Programme\TwonkyMedia\TwonkyMedia.exe -- End of file - 5835 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\Registrierungserinnerung 1.job C:\WINDOWS\tasks\Registrierungserinnerung 2.job C:\WINDOWS\tasks\Registrierungserinnerung 3.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - Norton Internet Security - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll [2004-11-18 103552] {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2004-11-15 218240] {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\programme\google\googletoolbar2.dll [2007-08-24 2427968] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952] "PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168] "PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168] "ATIPTA"=C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-03-22 339968] "SunJavaUpdateSched"=C:\Programme\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784] "SbUsb AudCtrl"=RunDll32 sbusbdll.dll [] "StartCCC"=C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-01-21 61440] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360] "updateMgr"=C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2004-11-22 307200] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcmtr] C:\WINDOWS\ALCMTR.EXE [2005-04-12 65536] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antivirus pro 2009] C:\Programme\AntivirusPro2009\AntivirusPro2009.exe /hide [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt] C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\brastk] brastk.exe [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe [2004-09-03 58488] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol] C:\Programme\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe [2003-09-17 57344] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz] C:\Programme\Norton Internet Security\cfgwiz.exe [2004-09-17 132248] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kernelfaultcheck] C:\WINDOWS\system32\dumprep 0 -k [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService] c:\Apps\Powercinema\PCMService.exe [2005-05-11 127118] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rmc] C:\WINDOWS\system32\drivers\RMC.exe [2005-03-28 24576] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rthdcpl] C:\WINDOWS\RTHDCPL.EXE [2005-04-12 14156800] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spybotsd teatimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe [2004-10-06 218240] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StarMoneyRunEntry] C:\Programme\StarMoney Business 3.0 Deutsche Bank Edition\oflagent.exe [2008-05-08 53248] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syntpenh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe [2005-03-04 708698] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\syntplpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe [2005-03-04 102490] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe [2005-09-23 180269] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ulead autodetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe [2005-05-23 90112] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updreg] C:\WINDOWS\UpdReg.EXE [2000-05-11 90112] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\verknüpfung mit der high definition audio-eigenschaftenseite] C:\WINDOWS\SYSTEM32\HDAShCut.exe [2005-01-07 61952] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wvdhfgpspqawi] C:\WINDOWS\System32\regsvr32.exe [2008-04-14 12288] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^dokumente und einstellungen^guenter^startmenü^programme^autostart^deewoo.lnk] C:\WINDOWS\system32\ocntmtdl.exe DWAM01 [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^dokumente und einstellungen^guenter^startmenü^programme^autostart^dw_start.lnk] C:\WINDOWS\system32\dwwnw64r.exe DWAM01 [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^dokumente und einstellungen^guenter^startmenü^programme^autostart^userinit.exe] C:\Dokumente und Einstellungen\Guenter\Startmenü\Programme\Autostart\userinit.exe [] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "DatevPrintService"=2 "CyberLink Media Library Service"=2 "Creative Service for CDROM Access"=2 "CLSched"=2 "CLCapSvc"=2 "ccSetMgr"=2 "ccPwdSvc"=3 "ccProxy"=2 "ccEvtMgr"=2 "AOL ACS"=2 "TapiSrv"=3 "SPBBCSvc"=3 "SNDSrvc"=3 "SCardSvr"=3 "RDSessMgr"=3 "navapsvc"=2 "helpsvc"=2 "bmwebcfg"=2 "AntiVirScheduler"=2 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart Adobe Reader - Schnellstart.lnk - C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent] C:\WINDOWS\SYSTEM32\Ati2evxx.dll [2008-03-29 126976] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 |
Die RSIT Dateien scheinen zu groß zu sein:-( Aber vielleicht hilft ja schon das was ich gesendet habe. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:30:27, on 07.11.2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe c:\APPS\HIDSERVICE\HIDSERVICE.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Microsoft SQL Server\MSSQL$DATEV_CL_DE01\Binn\sqlservr.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\system32\svchost.exe C:\Programme\TwonkyMedia\TwonkyMedia.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\Programme\TwonkyMedia\TwonkyMediaServer.exe C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programme\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\RunDll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Programme\PrevxCSI\prevxcsi.exe C:\Programme\PrevxCSI\prevxcsi.exe C:\Programme\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.packardbell.de/services/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: bmnet.dll O10 - Unknown file in Winsock LSP: bmnet.dll O10 - Unknown file in Winsock LSP: bmnet.dll O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\ger.htm O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab O16 - DPF: {3B36B017-7E49-426B-95B0-B5CECD83C2E2} (IfolorUploader Control) - http://chkr-web.ifolor.net/ORDERINGGENERAL/LowRes/app_support/ActiveX/IfolorUploader_chkr.cab O18 - Filter hijack: text/html - (no CLSID) - (no file) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: CSIScanner (csiscanner) - Prevx - C:\Programme\PrevxCSI\prevxcsi.exe O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: TwonkyVision MediaServer (TwonkyVision_Media_Server) - PacketVideo - C:\Programme\TwonkyMedia\TwonkyMedia.exe -- End of file - 5748 bytes |
Hi, bitte noch aus dem INet bleiben, so wie es aussieht ist ein MBR-Rootkit drauf und auch schon wieder einige Trojaner... Achtung!: Alle Tools runterladen, ggf. updaten und dann offline gehen: Logs sammeln kurz online gehen und posten. Danach bitte wieder offline gehen (Stecker ziehen). Antwort von mir frühestens am Montag Vormittag abholen! Avira-Antirootkit Downloade Avira Antirootkit und Scanne dein system, poste das logfile. http://dl.antivir.de/down/windows/antivir_rootkit.zip MBR-Rootkit Lade den MBR-Rootkitscanner von Gmer auf Deine Bootplatte: http://www2.gmer.net/mbr/mbr.exe Merke Dir das Verzeichnis wo Du ihn runtergeladen hast; Start->Ausführen->cmd Wechsle in das Verzeichnis des Downloads und starte durch Eingabe von mbr das Programm... Das Ergebnis sollte so aussehen: Zitat:
poste es im Thread; Combofix Lade ComboFix von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop. Alle Fenster schliessen und combofix.exe starten und bestätige die folgende Abfrage mit 1 und drücke Enter. Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Während des Scans bitte nichts am Rechner unternehmen Es kann möglich sein, dass der Rechner zwischendurch neu gestartet wird. Nach Scanende wird ein Report angezeigt, den bitte kopieren und in deinem Thread einfuegen. Weitere Anleitung unter:http://www.bleepingcomputer.com/combofix/de/wie-combofix-benutzt-wird CCleaner: Anleitung & Download: http://www.trojaner-board.de/51464-anleitung-ccleaner.html Die Registry (blaues Würfel-Symbol linke Seite) musst du mehrmals durchsuchen und bereinigen lassen, bis nichts mehr gefunden wird. Installation des cCleaners ohne die Toolbar! Benutzerdefinierte Installation wählen. Dann startest du den Rechner im normalen Modus neu. Nur Download über: http://www.ccleaner.com/ccleaner-20 Danach ein neues RSIT-Log und ein Scan mit Prevx! (Beides posten).. Code: Folgende Files mit Avenger (Files to delete) entfernen lassen: |
| Alle Zeitangaben in WEZ +1. Es ist jetzt 07:08 Uhr. |
Copyright ©2000-2025, Trojaner-Board