MediaTickets - werdes nicht los

#1 Hi,

kann einen muehsamen MediaTickets installer einfach nicht entfernen:

- Virus Scanner:Avast 4.6
- Firewall: MS Sp2 one
- Spyware: MS AntiSpyware
- Spyware: Spybot latest version
- Spyware: Spysubtract latest version
- Spyware: Lavasoft Ad-Aware latest version

Diese Programme entfernen die Infizierung, koennen aber nicht verhindern, dass es immer wieder nach einem Reboot or zu bestimmten Zeiten wieder reinkommt. Der default Browser oeffnet und sucht Adresse 66.45.237.213 und dann URL mediatickets.t35.com/main.html. Habe auch die IE Security settings auf High gestellt, aber die Software versucht es zu verstellen, MS AntiSpyware verhindert das nun erfolgreich. Trotzdem kommt neues Zeugs rein :-).

SpSubtract findet dann:

Windows Registry
Found '' in 'SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}'
Found '' in 'SOFTWARE\Classes\MediaAccX.Installer'
Found '' in 'SOFTWARE\Classes\MediaAccess.Installer'
Found '' in 'SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}'
Found '' in 'SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\0'
Found '' in 'SOFTWARE\Classes\MediaAccess.Installer\CurVer'
Found '' in 'SOFTWARE\Classes\MediaAccess.Installer\CLSID'
Found '' in 'SOFTWARE\Classes\AppID\LoaderX.EXE'
Found '' in 'SOFTWARE\Classes\AppID\{735C5A0C-F79F-47A1-8CA1-2A2E482662A8}'
Found 'AppID' in 'SOFTWARE\Classes\AppID\LoaderX.EXE'
Found '' in 'AppID\{735C5A0C-F79F-47A1-8CA1-2A2E482662A8}'
Found '' in 'AppID\LoaderX.EXE'
Found '' in 'TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}'
Found '' in 'Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}'

Der HijackThis log sieht so aus:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:34, on 08/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Philipp Huber\My Documents\My Data\5 Intelligence & Archive\Software\Security Stuff\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows DLL Services] C:\svchost.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://roylinedirect.rbos.co.uk
O15 - Trusted Zone: http://roylinedirect.rbs.co.uk
O16 - DPF: {1096842F-FEE8-11D2-965E-0010E3622565} (IFS_Lib00) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_RYD.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1E89A357-CF86-11D1-8CAE-00805F93E2D7} (IFS_Wizard1 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz01.cab
O16 - DPF: {219CF65A-B13C-11D2-8D4A-0004ACF74B57} (IFS_Lib04) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb04.cab
O16 - DPF: {29166FB6-2AD6-11D2-8DB7-0001FAF8D270} (IFS_Wizard6 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz06.cab
O16 - DPF: {498439C0-0921-11D3-9484-0001FAF8503C} (IFS_Lib10) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb10.cab
O16 - DPF: {4DE7E614-E69B-11D2-947C-0001FAF8503C} (IFS_Lib07) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb07.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,84/mcinsctl.cab
O16 - DPF: {5915C16A-F555-11D1-8E31-08005AAA630C} (IFS_Wizard5 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz05.cab
O16 - DPF: {5B2FD039-D08C-11D2-9FFD-0004ACF74B57} (IFS_Lib08) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb08.cab
O16 - DPF: {5DD1BBF5-E4B2-11D1-9211-0004ACF75CFC} (IFS_Wizard2 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz02.cab
O16 - DPF: {6A863F66-CA4A-11D2-9FF9-0004ACF74B57} (IFS_Lib05) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb05.cab
O16 - DPF: {6CAE02B8-EB30-11D1-8CE5-0004ACF74B57} (IFS_List Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_List.cab
O16 - DPF: {74545298-2152-11D2-8D16-0004ACF74B57} (IFS_Wizard3 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz03.cab
O16 - DPF: {8F78C964-B20B-11D2-8D4A-0004ACF74B57} (IFS_Lib01) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb01.cab
O16 - DPF: {9D24756B-CBFC-11D2-9FFB-0004ACF74B57} (IFS_Lib13) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb13.cab
O16 - DPF: {9E2D89BB-D888-11D2-A002-0004ACF74B57} (IFS_Lib12) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb12.cab
O16 - DPF: {B37DB118-5623-11D3-8769-0010E36241AE} (IFS_Wizard9 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz09.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BBAE9E7E-3F7D-11D3-94B7-0001FAF8503C} (IFS_Lib16) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb16.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,21/mcgdmgr.cab
O16 - DPF: {C0E10B5C-DA42-11D3-9FED-0004ACF74B57} (IFS_Lib02) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb02.cab
O16 - DPF: {C1BA9623-F27F-11D2-947D-0001FAF8503C} (IFS_Lib11) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb11.cab
O16 - DPF: {C6726AD0-E1E0-11D2-929E-0004ACF75CFC} (IFS_Lib03) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb03.cab
O16 - DPF: {C6C07D4E-3911-11D2-8708-0001FAF8D5C4} (IFS_Wizard7 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz07.cab
O16 - DPF: {D71A2028-D578-11D2-9FFF-0004ACF74B57} (IFS_Lib14) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb14.cab
O16 - DPF: {DF3AA904-233E-11D3-9495-0001FAF8503C} (IFS_Lib17) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb17.cab
O16 - DPF: {F0FB4064-2940-11D3-92B1-0004ACF75CFC} (IFS_Lib06) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb06.cab
O16 - DPF: {F3DAE1EA-01DA-11D2-8E33-08005AAA630C} (IFS_Wizard4 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz04.cab
O16 - DPF: {F49159DA-E0C6-11D1-8E28-08005AAA630C} (IFS_Service Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Serv.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe



Wie werde ich das Ding los?????????

Vielen Dank fuer Hilfe.

Gruss,
Philipp Huber - in Schottland lebend (sorry fuer mein Deutsch, bin etwas aus der Uebung).

#2 Hallo@Pipo99

?????????????????????????????????????????????????????????????????????
WORM_KINES.C, TrojanDownloader.Win32.Apher.gen, Trojan.BAT.Noshare.n
http://www.internet-magazin.de/internet/cm/virenecke/show_sophos.php?id=2
Zum jetzigen Zeitpunkt hat Sophos keine Meldungen von Anwendern erhalten, die von diesem wurm betroffen sind. Dieser Hinweis wird aufgrund von Kundenanfragen an unsere Supportabteilung herausgegeben.
Erläuterung

W32/Randon-AB ist ein Netzwerkwurm, der aus mehreren Komponenten besteht. Er versucht sich zu verbreiten, indem er Komponenten von sich auf remote ADMIN$-Freigaben mit einfachen Kennwörtern kopiert und sie dort ausführt. Eine Komponente des Wurms, B4AK.EXE, versucht daraufhin, eine Kopie des Wurms von einer remoten URL als Datei namens C:SVCHOST.EXE herunterzuladen.

Die wesentliche Datei ist SFX EXE, die einen Ordner namens AL im Windows-Systemordner erstellt und mehrere Dateien ablegt und ausführt. Einige dieser Dateien sind legale Dienstprogramme oder harmlose Dateien, z. B.:

* B4AK.EXE lädt Kopien des Wurms aus dem Internet herunter und führt sie aus.
* CC.CDE ist eine harmlose TXT-Datei.
* CED.TS ist eine TXT-Datei mit einer Liste Kennwörtern.
* FAVER.EXE ist ein legales Netzwerk-Dienstprogramm namens PSEXEC.
* TAR.EXE ist ein legales Dienstprogramm namens HIDEWINDOW.
* VER.EXE ist legales Dienstprogramm namens PROCVIEW.
* CEVE.BAT versucht, den Wurm auf Netzwerkfreigaben zu kopieren und die Kopien mit Hilfe von PSEXEC zu starten.
* CEZE.BAT wird erkannt als Troj/Delshare-G Hinweis: Bei Klick auf diesen Link verlassen Sie unsere Seiten.
* FOLDER.CPR ist eine INI-Datei, mit der IRC-Kanäle überflutet werden können.
* H00D.CDE ist eine Konfigurations-INI-Datei.
* H00D.EXE ist ein legaler mIRC-Client.
* SHR.BAT wird verwendet, um bestimmten Dateien die Attribute "Versteckt", "System" und "Lesen" zuzuweisen.


Der Wurm fügt einen Eintrag zum Run Key in der Registrierung hinzu, so dass H00D.EXE beim Systemneustart ausgeführt wird.

----------------------------------------------------------------------------

?????????????????????????????????????????????????????????????????????
http://www.bitdefender.com/html/virusinfo.php?menu_id=1&v_id=32
Name: CodeBlue
Aliases: CodeBlue
Type: Script Worm
Size: 14336 bytes (compressed with UPX)
Discovered: 01.01.2000
Detected: 01.01.2000
Spreading: Very low
Damage: Medium
In The Wild: Unknown

Symptoms:
- The presence of the svchost.exe file in the root directory;
- The following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Domain Manager with the value c:\svchost.exe;

Technical description:
This is an IIS Worm that uses the IIS directory traversal exploit for spreading. The Worm sends a malformed GET request to the target server. This allows it to download an IIS extension named httpex.dll to that server. After that it sends a GET command on the same server in this way allowing the already downloaded extension to execute and take control. The installed extension will drop the virus in c:\svchost.exe and it will execute it.

The svchost.exe file will create a registry key in:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
named Domain Manager with the value c:\svchost.exe. In this way it will be executed at every startup.

The exe file creates 100 threads that open 100 different ports for UDP connections. After that drops a vbs file named c:\d.vbs that disables the .ida, .idc, .printer services. The virus will search for the inetinfo.exe process, and if it founds it will try to terminate it.

Every thread it will check for current system time and if it is between 10AM and 11AM it will try to make a DoS attack on the host 211.99.196.135 (www.nsfocus.com). If the current time is not in this period it will try to spread itself searching for vulnerable servers. The IP for searching servers is randomly generated. The way of infecting servers is the same as it came on already infected computer.

Removal instructions:
1. Make sure that you have the latest updates using BitDefender Live!;

2. Make the following changes in the windows registry;

Please make sure to modify only the values that are specified. It is also recommended to backup the Windows Registry before proceeding with these changes.
a) Select Run... from the Start menu, then type regedit and press Enter;
b) Delete following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Domain Manager

3. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt
user for action"). Choose to delete all the files infected with CodeBlue

4. Reboot the computer or manually restart all the processes killed by the virus.

?????????????????????????????????????????????????????????????????????
-----------------------------------------------------------------------------------

Zitat

btxppanel.dll

BTXPPanel Module
Product Name: Bluetooth Software 1.4.2 Build 10
Copyright: Copyright WIDCOMM, Inc. 2000-2003.
Company Name: WIDCOMM, Inc.

einzelne "exe" ueberpruefen
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\System32\btxppanel.dll
C:\WINDOWS\system32\LgNotify.dll
C:\svchost.exe

Oben auf der Seite auf Durchsuchen klicken --> Datei aussuchen --> Doppelklick auf die zu prüfende Datei --> klick auf Submit...
jetzt abwarten und danach das Ergebnis abkopieren und hier im Beitrag posten


Start--Ausfuehren-- regedit

loesche mit rechtsklick:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\LoaderX.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{735C5A0C-F79F-47A1-8CA1-2A2E482662A8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaAccess.Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaAccess.Installer\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MediaAccess.Installer\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Media Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager

HKEY_CLASSES_ROOT\mediaaccess.installer\curver\mediaaccess.installer
HKEY_CLASSES_ROOT\mediaaccess.installer\installer class

PC neustarten

•Deinstallieren:
"Start - Einstellungen - Systemsteuerung - Software" MediaAccess

•KillBox
http://bilder.informationsarchiv.net/Nikitas_Tools/KillBox.zip
Anleitung: (bebildert)
http://virus-protect.org/killbox.html

•Delete File on Reboot <--anhaken

und klicke auf das rote Kreuz,
wenn gefragt wird, ob "Do you want to reboot? "----> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAcess.exe
C:\Program Files\Media Access\Info.txt
C:\Program Files\Media Access\MediaAccC.dll
C:\svchost.exe
c:\WINDOWS\System32\LgNotify.dll

PC neustarten

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

O4 - HKLM\..\Run: [Windows DLL Services] C:\svchost.exe
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll

PC neustarten

mache Onlinescans und berichte, was geloescht und nicht geloescht wurde
http://virus-protect.org/onlinescan.html


Lade: rkfiles.zip
http://bilder.informationsarchiv.net/Nikitas_Tools/rkfiles.zip
-->entpacken-->
gehe in den abgesicherten Modus
http://www.tu-berlin.de/www/software/virus/savemode.shtml
-->Doppelklick(Ausfuehren)-->rkfiles.bat--> warten bis sich
das DOS-Fenster schliesst--->poste C:\log.txt

Start--> Ausfuehren--> cmd--> kopiere nur die Eintraege der 20 letzten Tage raus

einzeln reinkopieren:

cd\
cd %windir%\system32
dir /a:-d /o:-d > %systemdrive%\system32.txt
start %systemdrive%\system32.txt
cls
exit

cd\
cd %temp%\
dir /a:-d /o:-d > %systemdrive%\systemtemp.txt
start %systemdrive%\systemtemp.txt
cls
exit

cd\
cd %windir%
dir /a:-d /o:-d > %systemdrive%\system.txt
start %systemdrive%\system.txt
cls
exit

cd\
dir /a:-d /o:-d > %systemdrive%\sys.txt
start %systemdrive%\sys.txt
cls
exit
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Hi,

followed the instruction bye the letter and have a very good feeling. IE doesn't start automatically after the reboot.

Please find all the necesasry logs below. What do u think? Am i 'clean' now?

Ran all my antivirus & spyware progs as well. Nothing comes up anymore.

Thanks very much for your help!!!!

Cheers,
Phil

Here the requested details:

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 00:29:01, on 10/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\1XConfig.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Philipp Huber\My Documents\My Data\5 Intelligence & Archive\Software\Security Stuff\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://board.protecus.de/board.php?boardid=7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://roylinedirect.rbos.co.uk
O15 - Trusted Zone: http://roylinedirect.rbs.co.uk
O16 - DPF: {1096842F-FEE8-11D2-965E-0010E3622565} (IFS_Lib00) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_RYD.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {1E89A357-CF86-11D1-8CAE-00805F93E2D7} (IFS_Wizard1 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz01.cab
O16 - DPF: {219CF65A-B13C-11D2-8D4A-0004ACF74B57} (IFS_Lib04) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb04.cab
O16 - DPF: {29166FB6-2AD6-11D2-8DB7-0001FAF8D270} (IFS_Wizard6 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz06.cab
O16 - DPF: {498439C0-0921-11D3-9484-0001FAF8503C} (IFS_Lib10) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb10.cab
O16 - DPF: {4DE7E614-E69B-11D2-947C-0001FAF8503C} (IFS_Lib07) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb07.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,84/mcinsctl.cab
O16 - DPF: {5915C16A-F555-11D1-8E31-08005AAA630C} (IFS_Wizard5 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz05.cab
O16 - DPF: {5B2FD039-D08C-11D2-9FFD-0004ACF74B57} (IFS_Lib08) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb08.cab
O16 - DPF: {5DD1BBF5-E4B2-11D1-9211-0004ACF75CFC} (IFS_Wizard2 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz02.cab
O16 - DPF: {6A863F66-CA4A-11D2-9FF9-0004ACF74B57} (IFS_Lib05) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb05.cab
O16 - DPF: {6CAE02B8-EB30-11D1-8CE5-0004ACF74B57} (IFS_List Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_List.cab
O16 - DPF: {74545298-2152-11D2-8D16-0004ACF74B57} (IFS_Wizard3 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz03.cab
O16 - DPF: {8F78C964-B20B-11D2-8D4A-0004ACF74B57} (IFS_Lib01) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb01.cab
O16 - DPF: {9D24756B-CBFC-11D2-9FFB-0004ACF74B57} (IFS_Lib13) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb13.cab
O16 - DPF: {9E2D89BB-D888-11D2-A002-0004ACF74B57} (IFS_Lib12) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb12.cab
O16 - DPF: {B37DB118-5623-11D3-8769-0010E36241AE} (IFS_Wizard9 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz09.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BBAE9E7E-3F7D-11D3-94B7-0001FAF8503C} (IFS_Lib16) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb16.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,21/mcgdmgr.cab
O16 - DPF: {C0E10B5C-DA42-11D3-9FED-0004ACF74B57} (IFS_Lib02) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb02.cab
O16 - DPF: {C1BA9623-F27F-11D2-947D-0001FAF8503C} (IFS_Lib11) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb11.cab
O16 - DPF: {C6726AD0-E1E0-11D2-929E-0004ACF75CFC} (IFS_Lib03) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb03.cab
O16 - DPF: {C6C07D4E-3911-11D2-8708-0001FAF8D5C4} (IFS_Wizard7 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz07.cab
O16 - DPF: {D71A2028-D578-11D2-9FFF-0004ACF74B57} (IFS_Lib14) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb14.cab
O16 - DPF: {DF3AA904-233E-11D3-9495-0001FAF8503C} (IFS_Lib17) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb17.cab
O16 - DPF: {F0FB4064-2940-11D3-92B1-0004ACF75CFC} (IFS_Lib06) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb06.cab
O16 - DPF: {F3DAE1EA-01DA-11D2-8E33-08005AAA630C} (IFS_Wizard4 Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz04.cab
O16 - DPF: {F49159DA-E0C6-11D1-8E28-08005AAA630C} (IFS_Service Control) - http://roylinedirect.rbos.co.uk/dbpc2/controls/2.6.11.0/IFS_Serv.cab
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

Log.txt:

C:\Documents and Settings\Philipp Huber\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye


system32.txt

09/06/2005 08:58 2,930 jupdate-1.5.0_02-b09.log
09/06/2005 00:31 3,090 jupdate-1.4.2_07-b05.log
04/06/2005 20:12 10,752 gcmd5query.dll
04/06/2005 19:57 2,626 CONFIG.NT
04/06/2005 19:32 75,680 Status.MPF
04/06/2005 00:43 2,158 ssmute.ini
20/05/2005 22:50 372,736 aswBoot.exe
20/05/2005 22:44 90,112 AVASTSS.scr
17/05/2005 22:02 41,066 perfc009.dat
17/05/2005 22:02 313,514 perfh009.dat
17/05/2005 22:02 358,528 PerfStringBackup.INI
07/05/2005 10:51 1,043,800 MRT.exe

system.txt

Volume in drive C has no label.
Volume Seri*hier nicht!* Number is 1036-290A

Directory of C:\WINDOWS

09/06/2005 23:36 0 0.log
09/06/2005 23:35 648,962 ntbtlog.txt
09/06/2005 23:35 2,048 bootstat.dat
09/06/2005 23:35 408,166 WindowsUpdate.log
09/06/2005 23:35 32,652 SchedLgU.Txt
09/06/2005 23:35 216 wiadebug.log
09/06/2005 23:30 5,266 ModemLog_Bluetooth Modem.txt
09/06/2005 23:30 3,642 ModemLog_BCM V.92 56K Modem.txt
09/06/2005 23:30 48 wiaservc.log
08/06/2005 23:34 837,789 setupapi.log
07/06/2005 15:51 12,268 wmsetup.log
04/06/2005 19:57 146 TBPlugin.INI
04/06/2005 19:57 95 avconfig.ini
04/06/2005 19:52 693 ODBC.INI
04/06/2005 17:03 4,680 RYDnsvd.sf1
03/06/2005 23:13 5,178 mozver.dat
25/05/2005 17:38 2,616 RYDunsvd1.sf
18/05/2005 21:56 3,840 DellBIOS.Sys
18/05/2005 21:09 564,264 iis6.log
18/05/2005 21:09 106,480 comsetup.log
18/05/2005 21:09 72,902 ntdtcsetup.log
18/05/2005 21:09 160,477 tsoc.log
18/05/2005 21:09 1,374 imsins.log
18/05/2005 21:09 12,709 tabletoc.log
18/05/2005 21:09 18,372 ocmsn.log
18/05/2005 21:09 8,569 KB893803v2.log
18/05/2005 21:09 51,864 netfxocm.log
18/05/2005 21:09 24,672 MedCtrOC.log
18/05/2005 21:09 223,450 ocgen.log
18/05/2005 21:09 16,489 msgsocm.log
18/05/2005 21:09 299,939 FaxSetup.log
18/05/2005 21:09 135,426 msmqinst.log
17/05/2005 22:03 4,566 imsins.BAK
17/05/2005 22:00 305 nsw.log

sys.txt

10/06/2005 00:07 106,216 system32.txt
09/06/2005 23:44 0 windows.txt
09/06/2005 23:44 0 start.txt
09/06/2005 23:43 108 win.txt
09/06/2005 23:35 1,610,612,736 pagefile.sys
09/06/2005 23:08 488 hpfr5550.xml
07/06/2005 21:52 35,479 ZB20050607214549001.xml
07/06/2005 16:51 8,995 ZB20050607164958001.xml
28/01/2005 02:14 211 boot.ini
28/01/2005 02:09 47,564 NTDETECT.COM
28/01/2005 02:09 250,032 ntldr
28/01/2005 01:06 0 AUTOEXEC.BAT
28/01/2005 01:06 0 CONFIG.SYS
28/01/2005 01:06 0 IO.SYS
28/01/2005 01:06 0 MSDOS.SYS
05/01/2002 05:48 974,848 mfc70.dll
05/01/2002 05:36 964,608 mfc70u.dll

#4 Hallo@Pipo99

einzelne "exe" ueberpruefen
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\System32\btxppanel.dll

C:\WINDOWS\imsins.BAK

C:\WINDOWS\iis6.log

Oben auf der Seite auf Durchsuchen klicken --> Datei aussuchen --> Doppelklick auf die zu prüfende Datei --> klick auf Submit...
jetzt abwarten und danach das Ergebnis abkopieren und hier im Beitrag posten

Mache bitte einen Onlinescan mit panda und berichte, was angezeigt wird
http://virus-protect.org/onlinescan.html

----------------------------------------

4. ) Unnötige Dienste deaktivieren

Windows-Dienste abschalten!
http://www.dingens.org

Windows Worms Doors Cleaner erlaubt Ihnen die Dienste auf die die Würmer angewiesen sind, zu schließen
Windows Worms Doors Cleaner
http://virus-protect.org/windsdoorcleaner.html

Die meisten der Würmer, nutzen bekannte Verwundbarkeiten bei Windowsdiensten die standardmäßig eingestellt sind und nicht ohne weiteres über die Betriebssystemeinstellungen deaktiviert werden können. Selbst wenn diese Dienste durch Microsoft Sicherheitskorrekturen behoben werden, im Allgemeinen sind sie trotzdem dem Internet ausgesetzt, bereit um vom nächsten exploit ausgenutzt zu werden.
---------------------

INFO:

File: C:\WINDOWS\iis6.log->ADS:wktif
Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected
File: C:\WINDOWS\imsins.BAK->ADS:vycvk
Virus: TrojanDownloader:Win32/WinShow.AK Status: Infected
File: C:\WINDOWS\imsins.log->ADS:qqxif
Virus: TrojanDownloader:Win32/Agent.CD Status: Infected
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Habe die drei files
- C:\WINDOWS\System32\btxppanel.dll
- C:\WINDOWS\imsins.BAK
- C:\WINDOWS\iis6.log
... mit Virustotal ueberprueft, sauber.

Kann den Panda nicht runterladen, mein AVAST findet waehrend des Downloads einen Win32:Kuang2 Virus/Worm???? Ich bin verwirrt!!! Heeelp?

Dienste & Port issues - gemacht.

INFO Section - weiss nicht so genau was ich damit anfangen soll?? Sind das nur Beispiele was Virustotal reporten wuerde?

Phil

#6 Mache bitte einen Onlinescan mit panda und berichte, was angezeigt wird
http://virus-protect.org/onlinescan.html

lade den Panda dennoch, uebersehe die Virusmeldung und dann berichte
(Avast + Antivirus sehen die geladene dll als Virus an...ich verstehe auch nicht warum )
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Here we go:

- Virustotal: zeigt nix mehr an
- Panda: zeigt nixt mehr an

Sieht gut aus!!!!!

Vielen Dank, werde vom Paypal Knopf gebrauch machen.

Cheers,
PHil