Win32/Adware.Virtumonde and Win32/PrivacyRemover.M64

Hello everyone, I have a small problem: since yesterday I have been getting a message on the desktop saying that Win32/Adware.Virtumonde and Win32/PrivacyRemover.M64 are on my computer. I cannot delete the message or anything, and on top of that the desktop is white. Here is the HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 22:27:53, on 27.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\A4Tech\Mouse\Amoumain.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\lphcncgj0e155.exe
C:\WINDOWS\system32\mtqrqncz.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
C:\Programme\Miranda IM\miranda32.exe
C:\Dokumente und Einstellungen\xxxx\Desktop\mousometer.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Malwarebytes' Anti-Malware\mbam.exe
C:\downloads\virenschutz\HijackThis.exe
C:\WINDOWS\system32\mtqrqncz.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://htw.www.pherrex.com/pub.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=134.106.148.1:3128
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programme\Crawler\ctbr.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programme\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programme\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programme\Crawler\ctbr.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [lphcncgj0e155] C:\WINDOWS\system32\lphcncgj0e155.exe
O4 - HKCU\..\Run: [actdb] C:\WINDOWS\system32\mtqrqncz.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DscSmartCom] C:\WINDOWS\system32\edahahix.exe
O4 - Startup: .security
O4 - Startup: Miranda IM.lnk = C:\Programme\Miranda IM\miranda32.exe
O4 - Startup: Mousometer.lnk = C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: .security
O4 - Global Startup: Arcor Wlan-Monitor 1.0.lnk = C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Winamp Search - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0AA0BE9-B014-4039-BCB5-718334205073}: NameServer = 134.106.148.205,134.106.168.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programme\Crawler\ctbr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: dbstr - {40A5A3F3-51D4-A2C2-6999-0BDD7FE78860} - C:\Programme\ghgyctc\dbstr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programme\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

And appended here is the Malwarebytes log as well:

Malwarebytes' Anti-Malware 1.25
Datenbank Version: 1087
Windows 5.1.2600 Service Pack 2

22:31:31 27.08.2008
mbam-log-08-27-2008 (22-31-31).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 44737
Laufzeit: 11 minute(s), 37 second(s)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 1
Infizierte Registrierungsschlüssel: 3
Infizierte Registrierungswerte: 5
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 0
Infizierte Dateien: 6

Infizierte Speicherprozesse:
C:\WINDOWS\system32\lphcncgj0e155.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Infizierte Speichermodule:
C:\WINDOWS\system32\blphcncgj0e155.scr (Trojan.FakeAlert) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcncgj0e155 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\blphcncgj0e155.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcncgj0e155.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcncgj0e155.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Frank\Lokale Einstellungen\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Frank\Lokale Einstellungen\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Frank\Lokale Einstellungen\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Many thanks in advance for your effort and help, regards, Frank
Hello and :hallo:

Work through these points for further analysis:

1.) Post a HijackThis logfile; use this renamed hijackthis.exe for it (current version!)

2.) Disable System Restore. During the infection, malware files were also saved into restore points, so those are all unusable now: rolling the system back via a restore point would most likely reinfect it.

3.) Make sure that all files are shown to you, then have the following files analysed at Virustotal.com and post all results, in a form that shows the result of each individual virus scanner. Please include file sizes and checksums:

Code:
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe

5.) Run Blacklight and post the logfile

6.) ComboFix
A guide and tutorial on using ComboFix
ComboFix may only be run if a board helper ("Kompetenzler") has explicitly recommended it! Note: ComboFix disables the autorun function of all CD/DVD and USB drives in order to contain further spreading. If this causes problems, post them in the thread.

Please post all logfiles enclosed in code tags (# button), like this:

HTML-Code:
[code]
Paste the logfile here!
[/code]

Upload this listing.txt e.g. at File-Upload.net and link it here, since this logfile is too big for the board.
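Added example, not from the thread: a small triage script in the spirit of the helper's request, which reads HijackThis-format lines and flags the kinds of entries that stand out in Frank's log (a proxy server set in IE, Run entries launching unknown executables directly in system32 or from All Users application data, an autostart via Policies\Explorer\Run, dot-named startup items such as .security, and a shell service object DLL outside system32). The sample lines are constructed from entries quoted in this thread; the allow-list and the name heuristic are assumptions and a triage aid, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis log format, modelled on entries quoted in
# this thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://htw.www.pherrex.com/pub.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=134.106.148.1:3128
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [lphcncgj0e155] C:\WINDOWS\system32\lphcncgj0e155.exe
O4 - HKCU\..\Run: [actdb] C:\WINDOWS\system32\mtqrqncz.exe
O4 - HKLM\..\Policies\Explorer\Run: [s2jhJy1dxR] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe
O4 - Startup: .security
O21 - SSODL: dbstr - {40A5A3F3-51D4-A2C2-6999-0BDD7FE78860} - C:\Programme\ghgyctc\dbstr.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed allow-list: executables Windows XP itself legitimately starts from
# system32 via Run keys. Anything else sitting directly in system32 and started
# from a Run key gets a second look.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "userinit.exe"}

# First drive-letter path ending in a PE-style extension, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|scr|com))"?', re.IGNORECASE)
# Folders where this thread's samples were dropped (German and English XP names).
APPDATA_MARKERS = ("\\all users\\anwendungsdaten\\", "\\all users\\application data\\")


def looks_random(stem: str) -> bool:
    """Heuristic for generated file names: almost no vowels, or several digits
    mixed into the name (e.g. lphcncgj0e155, mtqrqncz). Not a verdict."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    digits = sum(c.isdigit() for c in stem)
    return vowel_ratio < 0.25 or digits >= 3


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (log line, reasons) for every line worth a helper's attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" - ", 1)[0]          # R0, R1, O4, O21, ...
        low = line.lower()
        m = PATH_RE.search(line)
        path = m.group(1).lower() if m else ""
        base = path.rsplit("\\", 1)[-1]        # file name only
        stem = base.rsplit(".", 1)[0]          # file name without extension
        reasons: List[str] = []

        if tag == "R1" and "proxyserver" in low:
            reasons.append("proxy server configured in IE settings")

        if tag == "O4":
            in_system32 = bool(re.search(r"\\windows\\system32\\[^\\]+$", path))
            in_appdata = any(marker in path for marker in APPDATA_MARKERS)
            if "\\policies\\explorer\\run" in low:
                reasons.append("autostart via Policies\\Explorer\\Run")
            if in_system32 and base not in KNOWN_SYSTEM32:
                reasons.append("unknown executable directly in system32")
            if in_appdata:
                reasons.append("executable under All Users application data")
            if (in_system32 or in_appdata) and looks_random(stem):
                reasons.append("random-looking file name")
            if re.match(r"O4 - (Global )?Startup: \.", line):
                reasons.append("dot-named startup item without .lnk target")

        if tag == "O21" and path and "\\windows\\system32\\" not in path:
            reasons.append("shell service object DLL outside system32")

        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        print("    -> " + "; ".join(why))
```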
1.) Here is the HijackThis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:55:28, on 28.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\A4Tech\Mouse\Amoumain.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\mtqrqncz.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
C:\Programme\Miranda IM\miranda32.exe
C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\system32\retojajo.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Frank\Desktop\qlketzd.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://htw.www.pherrex.com/pub.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=134.106.148.1:3128
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programme\Crawler\ctbr.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programme\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programme\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programme\Crawler\ctbr.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [actdb] C:\WINDOWS\system32\mtqrqncz.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DscSmartCom] C:\WINDOWS\system32\edahahix.exe
O4 - HKCU\..\Run: [mondsc] C:\WINDOWS\system32\pqnolorg.exe
O4 - HKCU\..\Run: [SetCfg] C:\WINDOWS\system32\toxcvgzi.exe
O4 - HKCU\..\Run: [infowinstr] C:\WINDOWS\system32\xgjqrgtc.exe
O4 - HKLM\..\Policies\Explorer\Run: [s2jhJy1dxR] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe
O4 - Startup: .security
O4 - Startup: Miranda IM.lnk = C:\Programme\Miranda IM\miranda32.exe
O4 - Startup: Mousometer.lnk = C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: .security
O4 - Global Startup: Arcor Wlan-Monitor 1.0.lnk = C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Winamp Search - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0AA0BE9-B014-4039-BCB5-718334205073}: NameServer = 134.106.148.205,134.106.168.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programme\Crawler\ctbr.dll
O21 - SSODL: dbstr - {40A5A3F3-51D4-A2C2-6999-0BDD7FE78860} - C:\Programme\ghgyctc\dbstr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programme\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8713 bytes

2.) System Restore is off.

3.)

Datei wtyrepkz.exe empfangen 2008.08.28 18:08:01 (CET)
Status: Laden ...
Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 2/36 (5.56%)

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.28 -
AntiVir 7.8.1.23 2008.08.28 -
Authentium 5.1.0.4 2008.08.28 -
Avast 4.8.1195.0 2008.08.28 -
AVG 8.0.0.161 2008.08.28 -
BitDefender 7.2 2008.08.28 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.28 -
DrWeb 4.44.0.09170 2008.08.28 -
eSafe 7.0.17.0 2008.08.27 -
eTrust-Vet 31.6.6054 2008.08.28 -
Ewido 4.0 2008.08.28 -
F-Prot 4.4.4.56 2008.08.28 -
F-Secure 7.60.13501.0 2008.08.28 -
Fortinet 3.14.0.0 2008.08.28 W32/PolySmall.BP!tr
GData 19 2008.08.28 -
Ikarus T3.1.1.34.0 2008.08.28 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.28 -
McAfee 5371 2008.08.27 -
Microsoft 1.3807 2008.08.25 Trojan:Win32/Busky.EH
NOD32v2 3396 2008.08.28 -
Norman 5.80.02 2008.08.28 -
Panda 9.0.0.4 2008.08.27 -
PCTools 4.4.2.0 2008.08.28 -
Prevx1 V2 2008.08.28 -
Rising 20.59.31.00 2008.08.28 -
Sophos 4.33.0 2008.08.28 -
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.28 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.28 -
VBA32 3.12.8.4 2008.08.28 -
ViRobot 2008.8.28.1353 2008.08.28 -
VirusBuster 4.5.11.0 2008.08.28 -
Webwasher-Gateway 6.6.2 2008.08.28 -

weitere Informationen
File size: 61440 bytes
MD5...: 2c41c4b2fa88e4845987b7ee50630c64
SHA1..: 96c2a0364d8bc68befad3823475cee36d3af3c53
SHA256: ef3f64a7068d2afe70332db5cca14ea3b757c195229214571d9f917eedbd4998
SHA512: 710ea9263c21e1643b2b016b249e89d82865f571ccfa7a8bec1d0fd87f92ba28
8cfb9cdbc0484c5274b5921c52da8e921c3db84c58011a522f8393b6c7e6d3f3
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x40114b
timedatestamp.....: 0x48ae906f (Fri Aug 22 10:09:51 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb778 0xc000 6.66 a3eff97bd4c92cb152ef0fcf8e035bb5
.rdata 0xd000 0x60a 0x1000 2.42 1a1e3ec6a625ac52c21b6ba603e5272c
.data 0xe000 0x3e4 0x1000 0.21 b377bba690485b15bfb8a5e040caedc3
( 4 imports )
> KERNEL32.dll: LoadLibraryA, FindResourceW, GlobalAlloc, LoadResource, SetThreadPriority, CreateWaitableTimerW, GetLogicalDrives, GetCurrentThread, SuspendThread, DeleteFileW, FindFirstFileW, InterlockedIncrement, MoveFileW, GetFileAttributesW, SizeofResource, MulDiv, GetModuleFileNameW, WritePrivateProfileStringW, FileTimeToSystemTime, GetCurrentProcess, GetProcAddress
> USER32.dll: LoadStringW, GetCursorPos, GetSysColor, SetDlgItemTextW, SetForegroundWindow, EnableWindow, GetWindowRect, ReleaseDC, UpdateWindow, DispatchMessageW, GetMessageW, SetCursor, IsWindow, TranslateMessage, SetLayeredWindowAttributes, RegisterHotKey, SendMessageW, PostQuitMessage
> GDI32.dll: CreatePen, GetObjectW, SetBkColor, GetMapMode, BitBlt, CreateRoundRectRgn, CreateDCW, CreateFontIndirectW
> ADVAPI32.dll: RegQueryValueExW, LookupAccountSidW, RegSetValueExW, RegCreateKeyExW, InitializeSecurityDescriptor, RegCloseKey
( 0 exports )

Datei lphcncgj0e155.exe empfangen 2008.08.28 18:12:55 (CET)
Status: Laden ...
Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 10/36 (27.78%)

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.28 -
AntiVir 7.8.1.23 2008.08.28 -
Authentium 5.1.0.4 2008.08.28 -
Avast 4.8.1195.0 2008.08.28 -
AVG 8.0.0.161 2008.08.28 Downloader.FraudLoad.N
BitDefender 7.2 2008.08.28 -
CAT-QuickHeal 9.50 2008.08.26 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.28 -
DrWeb 4.44.0.09170 2008.08.28 Trojan.Packed.619
eSafe 7.0.17.0 2008.08.27 Suspicious File
eTrust-Vet 31.6.6054 2008.08.28 Win32/BugnrawCryptorB!generic
Ewido 4.0 2008.08.28 -
F-Prot 4.4.4.56 2008.08.28 -
F-Secure 7.60.13501.0 2008.08.28 -
Fortinet 3.14.0.0 2008.08.28 -
GData 19 2008.08.28 -
Ikarus T3.1.1.34.0 2008.08.28 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.28 -
McAfee 5371 2008.08.27 Downloader-ASH.gen.b
Microsoft 1.3807 2008.08.25 -
NOD32v2 3396 2008.08.28 a variant of Win32/Kryptik.E
Norman 5.80.02 2008.08.28 W32/Tibs.gen225
Panda 9.0.0.4 2008.08.27 -
PCTools 4.4.2.0 2008.08.28 -
Prevx1 V2 2008.08.28 Malicious Software
Rising 20.59.31.00 2008.08.28 -
Sophos 4.33.0 2008.08.28 Mal/EncPk-EU
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.28 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.28 -
VBA32 3.12.8.4 2008.08.28 -
ViRobot 2008.8.28.1353 2008.08.28 -
VirusBuster 4.5.11.0 2008.08.28 -
Webwasher-Gateway 6.6.2 2008.08.28 -

weitere Informationen
File size: 203776 bytes
MD5...: 03092083082983d49d9762aa53eefa7d
SHA1..: 648d48ee066ea7c69bbe3faeb3c2608b25f7ab21
SHA256: baba4e8c4fb2d0bda562ca3bcadbea2d75a3bd2ffce9a6286aae14f99765c113
SHA512: 27366a530a0b3a9dde22432c33268d39592ee0f550932c796b9f602133fef703
a891ac90c3041d0cd84328d4eb4ff8af5dc368a505c0d090d910f5b109a3b7c3
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x404118
timedatestamp.....: 0x48a5befd (Fri Aug 15 17:38:05 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xef3e 0x9800 7.99 8c2b97206f9fb076cc35f41ba98edc1e
.rdata 0x10000 0x3d47 0x1a00 7.98 41a025ebdc58a79cc3a3038f62be18fc
.data 0x14000 0xb69f2 0x23600 8.00 ff73e5f5eac06974f257113f0212da61
.rsrc 0xcb000 0xf000 0x3000 6.62 88f9b9e77403d6902430290a51088d5a
( 4 imports )
> wsock32.dll: bind, WSAStartup, listen
> kernel32.dll: CreatePipe, TerminateProcess, VirtualProtect
> gdi32.dll: SetRelAbs, StretchBlt, SetICMMode, ResetDCW, UpdateColors, SaveDC, TextOutW, SetDIBColorTable
> shell32.dll: SHAppBarMessage, StrRChrIA, StrStrIA
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=9480E766003456281CD803E2EED45A009E68E9DC

Datei mtqrqncz.exe empfangen 2008.08.28 18:15:10 (CET)
Status: Laden ...
Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 4/34 (11.77%)

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.28 -
AntiVir 7.8.1.23 2008.08.28 -
Authentium 5.1.0.4 2008.08.28 -
Avast 4.8.1195.0 2008.08.28 -
AVG 8.0.0.161 2008.08.28 -
BitDefender 7.2 2008.08.28 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.28 -
DrWeb 4.44.0.09170 2008.08.28 -
eSafe 7.0.17.0 2008.08.27 -
eTrust-Vet 31.6.6054 2008.08.28 -
Ewido 4.0 2008.08.28 -
F-Prot 4.4.4.56 2008.08.28 -
Fortinet 3.14.0.0 2008.08.28 W32/PolySmall.BP!tr
GData 19 2008.08.28 -
Ikarus T3.1.1.34.0 2008.08.28 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.28 -
McAfee 5371 2008.08.27 -
Microsoft 1.3807 2008.08.25 TrojanDownloader:Win32/FakeAlert.C
NOD32v2 3396 2008.08.28 -
Panda 9.0.0.4 2008.08.27 -
PCTools 4.4.2.0 2008.08.28 -
Prevx1 V2 2008.08.28 -
Rising 20.59.31.00 2008.08.28 -
Sophos 4.33.0 2008.08.28 Mal/EncPk-DG
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.28 Packed.Generic.182
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.28 -
VBA32 3.12.8.4 2008.08.28 -
ViRobot 2008.8.28.1353 2008.08.28 -
VirusBuster 4.5.11.0 2008.08.28 -
Webwasher-Gateway 6.6.2 2008.08.28 -

weitere Informationen
File size: 77824 bytes
MD5...: d627f30fb31d49a5405fca70a8f90b03
SHA1..: 2f70a062b6d26b927f1c90aefac88ea4b0e8d01a
SHA256: 0a75de40efc5ae08c046443d5198bbc51e73f3d3270a4766c8216743eb333c0f
SHA512: 9fe8844001ab6eb6c8e6005522be605a7e3800cd32c61561fb3d8544ee2590ab
8a0435c1899ed3b3568429c3e5d4c20af9e92d4bd5b9d89b307a6d192c40f7f6
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x401cd1
timedatestamp.....: 0x48ae808d (Fri Aug 22 09:02:05 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.qnud 0x1000 0xf774 0x10000 6.71 6a8e6016017a8d8e8a53ebbcfb91b065
.pvrqyc 0x11000 0x7a0 0x1000 3.15 8befbd001d991f1d817d920a348fdf6e
.rlzkl 0x12000 0x59e4 0x1000 0.65 c4cc802085412877e3fcb4ec1d5bbaca
( 4 imports )
> KERNEL32.dll: FindClose, SetThreadPriority, GlobalAddAtomW, CreateProcessW, SetEvent, GetSystemTime, GetCurrentThreadId, GetProcAddress, FreeResource, GetModuleFileNameW, FindResourceW, VirtualFree, TerminateThread, GlobalLock, CreateThread, GetTickCount, GetFileAttributesExW, FindFirstFileW, DeleteFileW, SizeofResource, GetPrivateProfileStringW, GlobalFree, ReadFile, GlobalDeleteAtom, MultiByteToWideChar, LoadLibraryA, LoadResource, GetVersion, FileTimeToSystemTime
> USER32.dll: SetLayeredWindowAttributes, PostQuitMessage, TranslateMessage, SetCursor, SetDlgItemTextW, GetParent, GetWindowThreadProcessId, RegisterWindowMessageW, IsDlgButtonChecked, SendMessageW, GetSysColor, SetWindowPos, LoadCursorW, LoadBitmapW, RegisterClassExW, GetMessageW, FillRect, SystemParametersInfoW, DrawTextW, EnableWindow, LoadStringW, GetDlgItem
> GDI32.dll: BitBlt, CreateICW, StretchBlt, CreateFontIndirectW, CreateCompatibleDC, SetTextColor, GetObjectW, GetStockObject, CreateSolidBrush, LineTo, SetMapMode, GetMapMode, SetBkColor, SelectObject
> ADVAPI32.dll: GetUserNameW, RegNotifyChangeKeyValue, LookupPrivilegeValueW, RegCloseKey, LookupAccountSidW
( 0 exports )

Datei edahahix.exe empfangen 2008.08.28 18:19:12 (CET)
Status: Laden ...
Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 4/36 (11.12%)

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.28 -
AntiVir 7.8.1.23 2008.08.28 -
Authentium 5.1.0.4 2008.08.28 -
Avast 4.8.1195.0 2008.08.28 -
AVG 8.0.0.161 2008.08.28 -
BitDefender 7.2 2008.08.28 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.28 -
DrWeb 4.44.0.09170 2008.08.28 -
eSafe 7.0.17.0 2008.08.27 -
eTrust-Vet 31.6.6054 2008.08.28 -
Ewido 4.0 2008.08.28 -
F-Prot 4.4.4.56 2008.08.28 -
F-Secure 7.60.13501.0 2008.08.28 -
Fortinet 3.14.0.0 2008.08.28 W32/PolySmall.BP!tr
GData 19 2008.08.28 -
Ikarus T3.1.1.34.0 2008.08.28 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.28 -
McAfee 5371 2008.08.27 -
Microsoft 1.3807 2008.08.25 TrojanDownloader:Win32/FakeAlert.C
NOD32v2 3396 2008.08.28 -
Norman 5.80.02 2008.08.28 -
Panda 9.0.0.4 2008.08.27 -
PCTools 4.4.2.0 2008.08.28 -
Prevx1 V2 2008.08.28 Suspicious
Rising 20.59.31.00 2008.08.28 -
Sophos 4.33.0 2008.08.28 Mal/EncPk-DG
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.28 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.28 -
VBA32 3.12.8.4 2008.08.28 -
ViRobot 2008.8.28.1353 2008.08.28 -
VirusBuster 4.5.11.0 2008.08.28 -
Webwasher-Gateway 6.6.2 2008.08.28 -

weitere Informationen
File size: 90112 bytes
MD5...: bdfaf529506950fd777917223a5f92f7
SHA1..: 6c445fb8048d372534a4148490dcbbb3c7028afb
SHA256: 3a64935f9fbba66ae6778b18810a2b5a13ab4d240b24be8ec8aff0a7ff594e90
SHA512: 69b93e7ed801f3008364c0b7871c443fb1d6bef98064bb07ef004f3ab9dc33a3
118ea0ffd980e1f4569f2f987df858dbf5a7f0487c8e175aa41f5a6fb6871f46
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x403a91
timedatestamp.....: 0x48b2bb5e (Mon Aug 25 14:02:06 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.vhaztq 0x1000 0x12c4c 0x13000 6.85 84f1c493474eb320988274f81ab65411
.ajgfb 0x14000 0x67e 0x1000 2.72 97d6113c1b32686f25280d96cfbc9709
.viebqq 0x15000 0x5a44 0x1000 0.62 cd3d3c21f0dca890e7c180de41673b99
( 4 imports )
> KERNEL32.dll: VirtualFree, SetWaitableTimer, GetCurrentThreadId, GetDriveTypeW, GetLastError, LockResource, WaitForSingleObject, GlobalDeleteAtom, MoveFileW, GetCurrentProcess, ResumeThread, MulDiv, WaitForMultipleObjects, ResetEvent, GetUserDefaultLangID, lstrlenW, GetFileSize, SetCurrentDirectoryW, FindResourceW, WritePrivateProfileStringW, LoadLibraryA, GlobalAlloc, GetLocalTime, GetProcAddress, GlobalFree
> USER32.dll: DispatchMessageW, MessageBoxW, SendDlgItemMessageW, GetMessageW, SystemParametersInfoW, IsDlgButtonChecked, WindowFromPoint, OffsetRect, VkKeyScanW, GetSysColor, SendMessageW, PostMessageW, TrackPopupMenu, FillRect, GetWindowRect, SetDlgItemTextW, DestroyMenu, DestroyIcon, CreatePopupMenu, wsprintfW, LoadIconW, GetKeyState, SetCursor, CreateWindowExW, SetCursorPos, AppendMenuW
> GDI32.dll: SetBkMode, DeleteDC, GetObjectW, GetStockObject, GetClipBox, CreateICW, CreatePen
> ADVAPI32.dll: InitializeSecurityDescriptor, GetUserNameW
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=2AE3FCA700897BA7604F01292BD53600520528FF
Datei dbstr.dll empfangen 2008.08.28 18:21:32 (CET) Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt Ergebnis: 1/36 (2.78%) Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.8.29.0 2008.08.28 - AntiVir 7.8.1.23 2008.08.28 - Authentium 5.1.0.4 2008.08.28 - Avast 4.8.1195.0 2008.08.28 - AVG 8.0.0.161 2008.08.28 - BitDefender 7.2 2008.08.28 - CAT-QuickHeal 9.50 2008.08.26 - ClamAV 0.93.1 2008.08.28 - DrWeb 4.44.0.09170 2008.08.28 - eSafe 7.0.17.0 2008.08.27 - eTrust-Vet 31.6.6054 2008.08.28 - Ewido 4.0 2008.08.28 - F-Prot 4.4.4.56 2008.08.28 - F-Secure 7.60.13501.0 2008.08.28 - Fortinet 3.14.0.0 2008.08.28 - GData 19 2008.08.28 - Ikarus T3.1.1.34.0 2008.08.28 - K7AntiVirus 7.10.428 2008.08.25 - Kaspersky 7.0.0.125 2008.08.28 - McAfee 5371 2008.08.27 - Microsoft 1.3807 2008.08.25 - NOD32v2 3396 2008.08.28 - Norman 5.80.02 2008.08.28 - Panda 9.0.0.4 2008.08.27 - PCTools 4.4.2.0 2008.08.28 - Prevx1 V2 2008.08.28 - Rising 20.59.31.00 2008.08.28 - Sophos 4.33.0 2008.08.28 Mal/EncPk-DG Sunbelt 3.1.1582.1 2008.08.26 - Symantec 10 2008.08.28 - TheHacker 6.3.0.6.064 2008.08.27 - TrendMicro 8.700.0.1004 2008.08.28 - VBA32 3.12.8.4 2008.08.28 - ViRobot 2008.8.28.1353 2008.08.28 - VirusBuster 4.5.11.0 2008.08.28 - Webwasher-Gateway 6.6.2 2008.08.28 - weitere Informationen File size: 114688 bytes MD5...: 3eaa8a327acc1e5fe4a67b66382f6ea0 SHA1..: 70718e6e61248881416cb7f619e5db396837c9e3 SHA256: d74721eaa90ca4f31fc272f3a1a7219d8c813b31e85ca7bae650e646d0d4cc1f SHA512: cfafac4967b84df4ec2b4e0735546cc8ac309c351f488d82bafa674ee9af7972 66731ab4fae24eb1b405c584f862b0e8bf84645ee55822805860a34e86ffebca PEiD..: - TrID..: File type identification Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x10006f57 timedatestamp.....: 0x48b2bb70 
(Mon Aug 25 14:02:24 2008) machinetype.......: 0x14c (I386) ( 4 sections ) name viradd virsiz rawdsiz ntrpy md5 .dilnho 0x1000 0x16d54 0x17000 6.84 78271f903fd03f0794c0da025eacdf9b .kycauh 0x18000 0x802 0x1000 3.26 7b8fa1007d9fa74fe40c1faf4ed5982e .grrgu 0x19000 0x1fc4 0x1000 0.57 03142cd0ef5eb8e8921734fc5e2f7d55 .reloc 0x1b000 0x196a 0x2000 6.02 ba874b3d7fd00ee1a810fd158b8dc3d0 ( 4 imports ) > KERNEL32.dll: SetThreadPriority, GetLogicalDrives, DuplicateHandle, LockResource, GetCurrentProcessId, CloseHandle, DeleteFileW, GlobalAddAtomW, ReadProcessMemory, GetSystemTime, GetVersion, GlobalDeleteAtom, SetLastError, LoadLibraryA, lstrcpyW, GlobalFree, WritePrivateProfileStringW, GetFileSize, InterlockedDecrement, MoveFileW, GetModuleHandleW, ReadFile, GetLastError, GetDriveTypeW, Sleep, QueryDosDeviceW, GetProcAddress, CreateProcessW, FreeResource, SizeofResource, LoadResource > USER32.dll: TrackPopupMenu, GetKeyState, GetClassNameW, SendDlgItemMessageW, SetCursor, GetParent, LoadIconW, RegisterClassExW, OffsetRect, WindowFromPoint, SystemParametersInfoW, MessageBoxW, FillRect, IsWindow, SetCapture, GetWindowTextW, RegisterWindowMessageW, SetCursorPos, LoadCursorW, GetWindowDC, GetSysColor, SetForegroundWindow, DestroyMenu > GDI32.dll: Rectangle, SetMapMode, GetStockObject, LineTo, SetBkMode, CreatePen, DeleteObject, SetBkColor, CreateICW, SetTextColor, DeleteDC > ADVAPI32.dll: StartServiceW, LookupAccountSidW, RegCloseKey, InitializeSecurityDescriptor, RegCreateKeyExW ( 4 exports ) DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

4.)
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

5.) Ran BlackLight, but no findings and no log either.
Follow-up. :cool:
Code: C:\WINDOWS\system32\retojajo.exe
6.)
Code: ComboFix 08-08-27.06 - Frank 2008-08-28 19:22:03.1 - NTFSx86
Sooo... on to the rest ;)

Follow-up.) C:\WINDOWS\system32\retojajo.exe - no longer found on the machine!

Datei pqnolorg.exe empfangen 2008.08.29 11:19:06 (CET) Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt Ergebnis: 3/36 (8.34%) Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.8.29.0 2008.08.29 - AntiVir 7.8.1.23 2008.08.29 - Authentium 5.1.0.4 2008.08.29 - Avast 4.8.1195.0 2008.08.28 - AVG 8.0.0.161 2008.08.29 - BitDefender 7.2 2008.08.29 - CAT-QuickHeal 9.50 2008.08.26 - ClamAV 0.93.1 2008.08.29 - DrWeb 4.44.0.09170 2008.08.29 - eSafe 7.0.17.0 2008.08.28 - eTrust-Vet 31.6.6055 2008.08.29 - Ewido 4.0 2008.08.28 - F-Prot 4.4.4.56 2008.08.29 - F-Secure 7.60.13501.0 2008.08.29 - Fortinet 3.14.0.0 2008.08.29 W32/PolySmall.BP!tr GData 19 2008.08.29 - Ikarus T3.1.1.34.0 2008.08.29 - K7AntiVirus 7.10.431 2008.08.29 - Kaspersky 7.0.0.125 2008.08.29 - McAfee 5372 2008.08.28 - Microsoft 1.3807 2008.08.25 TrojanDownloader:Win32/FakeAlert.C NOD32v2 3397 2008.08.28 - Norman 5.80.02 2008.08.28 - Panda 9.0.0.4 2008.08.29 - PCTools 4.4.2.0 2008.08.28 - Prevx1 V2 2008.08.29 - Rising 20.59.41.00 2008.08.29 - Sophos 4.33.0 2008.08.29 Mal/EncPk-DG Sunbelt 3.1.1592.1 2008.08.29 - Symantec 10 2008.08.29 - TheHacker 6.3.0.6.064 2008.08.27 - TrendMicro 8.700.0.1004 2008.08.29 - VBA32 3.12.8.4 2008.08.29 - ViRobot 2008.8.29.1355 2008.08.29 - VirusBuster 4.5.11.0 2008.08.28 - Webwasher-Gateway 6.6.2 2008.08.29 - weitere Informationen File size: 98304 bytes MD5...: ee77874cbb34d165127e2aa161778b7b SHA1..: cc0a138335844142b85bb8c93c7180c3e835d063 SHA256: d342875a0640d76d4cfc57ac6e2b0d0f7d82ec3a2babf2cee64721a3bb1be4b3 SHA512: e66df658b2a31dab79089ad06f9dc645013946a92b391fe919b262637ddddc7e 8782b162541b75eda1096e0002d785bb5db6cf32ad59b40e08bd53433f2eac83 PEiD..: - TrID..: File type identification Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) 
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x404a3b timedatestamp.....: 0x48b63155 (Thu Aug 28 05:02:13 2008) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 .fldi 0x1000 0x14a92 0x15000 6.85 7c3f73e38f84ec43da7e48e12c1ee1e1 .vefh 0x16000 0x6cc 0x1000 2.82 5a5cda55eb1a110aab00b16427c8af0f .jchf 0x17000 0x59f4 0x1000 0.55 6ddb3dfa7e3b38c8ee97c031149034e8 ( 4 imports ) > KERNEL32.dll: GetCurrentProcess, WideCharToMultiByte, MoveFileW, FindFirstChangeNotificationW, GlobalUnlock, GlobalDeleteAtom, SetLastError, GetUserDefaultLangID, GetModuleFileNameW, GetLastError, GetModuleHandleW, LoadLibraryA, SetThreadPriority, CreateEventW, FindNextChangeNotification, FindNextFileW, GetSystemTime, SetFilePointer, WriteFile, FreeLibrary, GlobalAlloc, FileTimeToSystemTime, GetLocalTime, GetProcAddress, VirtualFree, CreateFileW, GetTickCount, WaitForSingleObject, CloseHandle > USER32.dll: CreatePopupMenu, wsprintfW, RedrawWindow, ReleaseCapture, SetLayeredWindowAttributes, SendDlgItemMessageW, SetCursor, TrackPopupMenu, OffsetRect, GetWindowRect, SystemParametersInfoW, ReleaseDC, EnableWindow, PostThreadMessageW, VkKeyScanW, RegisterHotKey, LoadImageW, GetClassNameW, DialogBoxParamW, DefWindowProcW, GetParent, EndDialog > GDI32.dll: SetTextColor, SelectObject, GetClipBox, GetObjectW, DeleteObject, CreateDCW, Rectangle, CreateBitmap, SetDIBits > ADVAPI32.dll: RegSetValueExW, RegCloseKey ( 0 exports )

For C:\WINDOWS\system32\toxcvgzi.exe it says the file has already been scanned, and this report comes up:

Datei pqnolorg.exe empfangen 2008.08.29 11:19:06 (CET) Status: Beendet Ergebnis: 3/36 (8.33%) Filter Filter Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.8.29.0 2008.08.29 - AntiVir 7.8.1.23 2008.08.29 - Authentium 5.1.0.4 2008.08.29 - Avast 4.8.1195.0 2008.08.28 - AVG 8.0.0.161 2008.08.29 - BitDefender 7.2 2008.08.29 - CAT-QuickHeal 9.50 2008.08.26 - 
ClamAV 0.93.1 2008.08.29 - DrWeb 4.44.0.09170 2008.08.29 - eSafe 7.0.17.0 2008.08.28 - eTrust-Vet 31.6.6055 2008.08.29 - Ewido 4.0 2008.08.28 - F-Prot 4.4.4.56 2008.08.29 - F-Secure 7.60.13501.0 2008.08.29 - Fortinet 3.14.0.0 2008.08.29 W32/PolySmall.BP!tr GData 19 2008.08.29 - Ikarus T3.1.1.34.0 2008.08.29 - K7AntiVirus 7.10.431 2008.08.29 - Kaspersky 7.0.0.125 2008.08.29 - McAfee 5372 2008.08.28 - Microsoft 1.3807 2008.08.25 TrojanDownloader:Win32/FakeAlert.C NOD32v2 3397 2008.08.28 - Norman 5.80.02 2008.08.28 - Panda 9.0.0.4 2008.08.29 - PCTools 4.4.2.0 2008.08.28 - Prevx1 V2 2008.08.29 - Rising 20.59.41.00 2008.08.29 - Sophos 4.33.0 2008.08.29 Mal/EncPk-DG Sunbelt 3.1.1592.1 2008.08.29 - Symantec 10 2008.08.29 - TheHacker 6.3.0.6.064 2008.08.27 - TrendMicro 8.700.0.1004 2008.08.29 - VBA32 3.12.8.4 2008.08.29 - ViRobot 2008.8.29.1355 2008.08.29 - VirusBuster 4.5.11.0 2008.08.28 - Webwasher-Gateway 6.6.2 2008.08.29 - weitere Informationen File size: 98304 bytes MD5...: ee77874cbb34d165127e2aa161778b7b SHA1..: cc0a138335844142b85bb8c93c7180c3e835d063 SHA256: d342875a0640d76d4cfc57ac6e2b0d0f7d82ec3a2babf2cee64721a3bb1be4b3 SHA512: e66df658b2a31dab79089ad06f9dc645013946a92b391fe919b262637ddddc7e 8782b162541b75eda1096e0002d785bb5db6cf32ad59b40e08bd53433f2eac83 PEiD..: - TrID..: File type identification Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x404a3b timedatestamp.....: 0x48b63155 (Thu Aug 28 05:02:13 2008) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 .fldi 0x1000 0x14a92 0x15000 6.85 7c3f73e38f84ec43da7e48e12c1ee1e1 .vefh 0x16000 0x6cc 0x1000 2.82 5a5cda55eb1a110aab00b16427c8af0f .jchf 0x17000 0x59f4 0x1000 0.55 6ddb3dfa7e3b38c8ee97c031149034e8 ( 4 imports ) > KERNEL32.dll: GetCurrentProcess, 
WideCharToMultiByte, MoveFileW, FindFirstChangeNotificationW, GlobalUnlock, GlobalDeleteAtom, SetLastError, GetUserDefaultLangID, GetModuleFileNameW, GetLastError, GetModuleHandleW, LoadLibraryA, SetThreadPriority, CreateEventW, FindNextChangeNotification, FindNextFileW, GetSystemTime, SetFilePointer, WriteFile, FreeLibrary, GlobalAlloc, FileTimeToSystemTime, GetLocalTime, GetProcAddress, VirtualFree, CreateFileW, GetTickCount, WaitForSingleObject, CloseHandle > USER32.dll: CreatePopupMenu, wsprintfW, RedrawWindow, ReleaseCapture, SetLayeredWindowAttributes, SendDlgItemMessageW, SetCursor, TrackPopupMenu, OffsetRect, GetWindowRect, SystemParametersInfoW, ReleaseDC, EnableWindow, PostThreadMessageW, VkKeyScanW, RegisterHotKey, LoadImageW, GetClassNameW, DialogBoxParamW, DefWindowProcW, GetParent, EndDialog > GDI32.dll: SetTextColor, SelectObject, GetClipBox, GetObjectW, DeleteObject, CreateDCW, Rectangle, CreateBitmap, SetDIBits > ADVAPI32.dll: RegSetValueExW, RegCloseKey ( 0 exports ) Datei xgjqrgtc.exe empfangen 2008.08.29 11:25:50 (CET) Status: Laden ... 
Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt Ergebnis: 3/36 (8.34%) Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.8.29.0 2008.08.29 - AntiVir 7.8.1.23 2008.08.29 - Authentium 5.1.0.4 2008.08.29 - Avast 4.8.1195.0 2008.08.28 - AVG 8.0.0.161 2008.08.29 - BitDefender 7.2 2008.08.29 - CAT-QuickHeal 9.50 2008.08.26 - ClamAV 0.93.1 2008.08.29 - DrWeb 4.44.0.09170 2008.08.29 - eSafe 7.0.17.0 2008.08.28 - eTrust-Vet 31.6.6055 2008.08.29 - Ewido 4.0 2008.08.28 - F-Prot 4.4.4.56 2008.08.29 - F-Secure 7.60.13501.0 2008.08.29 - Fortinet 3.14.0.0 2008.08.29 W32/PolySmall.BP!tr GData 19 2008.08.29 - Ikarus T3.1.1.34.0 2008.08.29 - K7AntiVirus 7.10.431 2008.08.29 - Kaspersky 7.0.0.125 2008.08.29 - McAfee 5372 2008.08.28 - Microsoft 1.3807 2008.08.25 TrojanDownloader:Win32/FakeAlert.C NOD32v2 3397 2008.08.28 - Norman 5.80.02 2008.08.28 - Panda 9.0.0.4 2008.08.29 - PCTools 4.4.2.0 2008.08.28 - Prevx1 V2 2008.08.29 - Rising 20.59.41.00 2008.08.29 - Sophos 4.33.0 2008.08.29 Mal/EncPk-DG Sunbelt 3.1.1592.1 2008.08.29 - Symantec 10 2008.08.29 - TheHacker 6.3.0.6.064 2008.08.27 - TrendMicro 8.700.0.1004 2008.08.29 - VBA32 3.12.8.4 2008.08.29 - ViRobot 2008.8.29.1355 2008.08.29 - VirusBuster 4.5.11.0 2008.08.28 - Webwasher-Gateway 6.6.2 2008.08.29 - weitere Informationen File size: 94208 bytes MD5...: 6bc76b5d70467fd161fe927e65819a80 SHA1..: 8e9ce09f0ff35b8c21f514f3e1a2a6dc13357a13 SHA256: eb51f6f8e921306f72cc27fa78fd04350b149773af7ddb0e1429bba1c61a2876 SHA512: fa2946acdfe93a840959c72fc16f2ef28ffe812a320868a6c67798dee593ffb2 d745b815d15e3daa8d9b90e4e745837d4f74b722815faae66095669e9ec488b3 PEiD..: - TrID..: File type identification Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x40be40 timedatestamp.....: 0x48b6afeb (Thu Aug 28 14:02:19 
2008) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 .ypwrwx 0x1000 0x13cd6 0x14000 6.91 5363b54e27f4abd63f11f39edc228dce .alvkf 0x15000 0x5b8 0x1000 2.42 b8ee401881580a493f32748dd4c70106 .ydmoy 0x16000 0x59e8 0x1000 0.55 573b19e9ef242c8b4aab2eee6aa92c38 ( 4 imports ) > KERNEL32.dll: WritePrivateProfileStringW, LoadResource, ReadFile, GetLogicalDrives, GlobalUnlock, MulDiv, SetLastError, GetProcAddress, CreateWaitableTimerW, GetLastError, QueryDosDeviceW, GetTickCount, Sleep, InterlockedIncrement, GetFileAttributesExW, FileTimeToSystemTime, GetLocalTime, lstrcpyW, LoadLibraryA, SetWaitableTimer, SetFilePointer, CreateThread, VirtualAlloc, VirtualFree > USER32.dll: SetLayeredWindowAttributes, InvalidateRect, SetCursorPos, AppendMenuW, LoadIconW, GetDlgItem, LoadImageW, SetDlgItemTextW, PostMessageW, PostQuitMessage, RegisterWindowMessageW, DestroyMenu, SetForegroundWindow, SetWindowPos, SystemParametersInfoW, FillRect, ReleaseCapture, SendMessageW > GDI32.dll: Rectangle, LineTo, BitBlt, DeleteObject, SetBkColor, GetObjectW, GetStockObject, CreateCompatibleBitmap > ADVAPI32.dll: StartServiceW ( 0 exports )

7.) http://www.file-upload.net/download-1075677/listing.txt.html

Soooo, I hope that was more or less right and everything you wanted... thanks again, regards Frank
So, a few files have to go: Avenger instructions (by swandog46). Download the Avenger tool and save it on the desktop:
Code: folders to delete:
Also make a new HijackThis logfile; use this renamed hijackthis.exe for it.
Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\Programme\ghgyctc" deleted successfully.
Folder "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep" deleted successfully.
File "c:\windows\system32\xgjqrgtc.exe" deleted successfully.
File "c:\windows\system32\vsconfig.xml" deleted successfully.
File "c:\windows\system32\toxcvgzi.exe" deleted successfully.
File "c:\windows\system32\zstcjqzg.exe" deleted successfully.
File "c:\windows\system32\pqnolorg.exe" deleted successfully.
File "c:\windows\system32\edahahix.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\retojajo.exe" not found!
Deletion of file "C:\WINDOWS\system32\retojajo.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\lphcncgj0e155.exe" deleted successfully.
File "C:\WINDOWS\system32\mtqrqncz.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\lphcncgj0e155.exe" not found!
Deletion of file "C:\WINDOWS\system32\lphcncgj0e155.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Completed script processing.

*******************

Finished! Terminate.
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:22:17, on 29.08.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Programme\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe C:\Programme\AntiVir PersonalEdition Classic\sched.exe C:\Programme\AntiVir PersonalEdition Classic\avguard.exe C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Programme\Spyware Terminator\sp_rsser.exe C:\WINDOWS\system32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programme\A4Tech\Mouse\Amoumain.exe C:\Programme\Java\jre1.6.0_07\bin\jusched.exe C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe C:\Programme\iTunes\iTunesHelper.exe C:\Programme\Winamp\winampa.exe C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Programme\rhcjcgj0e155\rhcjcgj0e155.exe C:\Programme\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\enyhinqb.exe C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe C:\Programme\Miranda IM\miranda32.exe C:\Programme\iPod\bin\iPodService.exe C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe C:\WINDOWS\system32\pphcncgj0e155.exe 
C:\Dokumente und Einstellungen\Frank\Desktop\qlketzd(2).com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://htw.www.pherrex.com/pub.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=134.106.148.1:3128 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programme\Crawler\ctbr.dll O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programme\Winamp Toolbar\winamptb.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programme\Winamp Toolbar\winamptb.dll O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programme\Crawler\ctbr.dll O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4Tech\Mouse\Amoumain.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] 
"C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe" O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [lphcncgj0e155] C:\WINDOWS\system32\lphcncgj0e155.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [SMrhcjcgj0e155] C:\Programme\rhcjcgj0e155\rhcjcgj0e155.exe O4 - HKCU\..\Run: [actdb] C:\WINDOWS\system32\mtqrqncz.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [DscSmartCom] C:\WINDOWS\system32\edahahix.exe O4 - HKCU\..\Run: [mondsc] C:\WINDOWS\system32\pqnolorg.exe O4 - HKCU\..\Run: [SetCfg] C:\WINDOWS\system32\toxcvgzi.exe O4 - HKCU\..\Run: [infowinstr] C:\WINDOWS\system32\xgjqrgtc.exe O4 - HKCU\..\Run: [procgen] C:\WINDOWS\system32\enyhinqb.exe O4 - HKLM\..\Policies\Explorer\Run: [s2jhJy1dxR] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe O4 - Startup: .security O4 - Startup: Miranda IM.lnk = C:\Programme\Miranda IM\miranda32.exe O4 - Startup: Mousometer.lnk = C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe O4 - Startup: Yahoo! 
Widget Engine.lnk = C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe O4 - Global Startup: .security O4 - Global Startup: Arcor Wlan-Monitor 1.0.lnk = C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &Winamp Search - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: Crawler Search - tbr:iemenu O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://utilities.pcpitstop.com/da/PCPitStop.CAB O17 - HKLM\System\CCS\Services\Tcpip\..\{A0AA0BE9-B014-4039-BCB5-718334205073}: NameServer = 134.106.148.205,134.106.168.1 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programme\Crawler\ctbr.dll O20 - AppInit_DLLs: avgrsstx.dll O21 - SSODL: dbstr - 
{40A5A3F3-51D4-A2C2-6999-0BDD7FE78860} - C:\Programme\ghgyctc\dbstr.dll (file missing) O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programme\Spyware Terminator\sp_rsser.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 9765 bytes |
A few objects have reappeared - first fix these entries with HijackThis:
Code: O4 - HKLM\..\Run: [lphcncgj0e155] C:\WINDOWS\system32\lphcncgj0e155.exe
Code: folders to delete:
For comparison, make another new HijackThis logfile with the renamed file, plus one with Silent Runners (see signature). Please post the logfiles enclosed in code tags (#-button), like this:
HTML-Code: [code] Paste the logfile here! [/code]
Code: Logfile of The Avenger Version 2.0, (c) by Swandog46
Code: Logfile of Trend Micro HijackThis v2.0.2
Code: "Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Quick interjection: the last Avenger log doesn't seem to be complete...
Oops, sorry! Changed!
The files should now be deleted; the HijackThis log is okay too.
Code: Platform: Windows XP SP2 (WinNT 5.01.2600)
To finish up, make a new file listing...
Copyright ©2000-2025, Trojaner-Board