Redirect of Google search results

Thread is closed!
09.05.2006, 09:58
...new here

Posts: 9
#1 Hello!

I too have picked up a hijacker and can't get rid of it. All the tools from Ad-Aware to Spybot, whatever they are all called, unfortunately haven't helped. Could someone help me analyse and clean the HijackThis log? Many thanks!

09.05.2006, 11:41
Honorary member

Posts: 29434
#2 psst

1.
Configure CleanUp exactly as described here:
http://virus-protect.org/cleanup.html
Restart the PC

2.
Copy these 4 text files (right-click with the mouse -> select the text -> copy -> paste). They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html

3.
Download the F-Secure BlackLight beta trial
http://www.f-secure.com/blacklight/
double-click: blbeta.exe
after the check click -- next
you will now find a log file (txt) on the desktop --> please post it here


Quote

R3 - URLSearchHook: (no name) - {4FE6ECDA-89FF-CF6A-082F-DD7C20D4E5B8} - driver32.dll (file missing)
O4 - HKLM\..\Run: [systemdll] keybdll.exe
O4 - HKLM\..\Run: [trycrt] ___.exe
O4 - HKLM\..\Run: [dmlug.exe] C:\WINDOWS\system32\dmlug.exe
O4 - HKCU\..\Run: [34763] TRPT.exe
O4 - HKCU\..\Run: [borlandg] vxdman.exe
O4 - HKCU\..\Run: [AppMasterCenter] 34763.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{03B4845C-38EA-4A23-B3AF-462EC9BBC45B}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{23801EA1-60E9-4F8A-99AC-04EFD73906D0}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{49F5CE58-C801-4282-A2A9-5CA38B28BB71}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A996242-9168-495D-BE38-7F426064EFC7}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{C55FF30B-A556-4DB2-9A36-5F519029C685}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CS1\Services\Tcpip\..\{03B4845C-38EA-4A23-B3AF-462EC9BBC45B}: NameServer = 85.255.114.87,85.255.112.62

__________
Regards, Sabina

all about PC security
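Every O17 line Sabina quotes carries the same pair, 85.255.114.87 and 85.255.112.62, on five interface GUIDs under CurrentControlSet (CCS) and again under ControlSet001 (CS1). With the resolver pointed at a host the attacker controls, any lookup, a Google result included, can be answered with whatever address the attacker likes; that is the redirect this thread is about and the behaviour the FixWareout tool prescribed later in the thread is built for. What follows is an added example, not code from the thread or from HijackThis: it parses O17 NameServer lines, flags every server that is neither RFC 1918/loopback/link-local nor on an explicit trusted list, and groups the findings by server so you can see which control sets and interfaces still need fixing. The sample input is the quoted lines plus one constructed benign entry (192.168.4.4 on an invented interface GUID) of the kind a LAN client normally shows, and one Domain line the parser must skip; the trusted list is an assumption standing in for whatever the DHCP server or administrator really hands out.

```python
"""Triage of HijackThis O17 NameServer lines for rogue DNS servers.

Added example for this thread; not code from HijackThis or from the poster.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the O17 lines quoted in the post above, plus one benign
# entry (192.168.4.4 on an invented interface GUID) and one Domain line that
# the parser must skip. Raw string, so the backslashes are literal.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{03B4845C-38EA-4A23-B3AF-462EC9BBC45B}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{23801EA1-60E9-4F8A-99AC-04EFD73906D0}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{49F5CE58-C801-4282-A2A9-5CA38B28BB71}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CS1\Services\Tcpip\..\{03B4845C-38EA-4A23-B3AF-462EC9BBC45B}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{B88D246B-76F1-46C3-9298-1814296C63E0}: NameServer = 192.168.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jarondirect.de
"""

# Control set (CCS = CurrentControlSet, CS1 = ControlSet001, ...), then either
# an interface GUID or "Parameters" (the global setting), then the servers.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|Parameters): "
    r"NameServer = (?P<servers>[0-9.,\s]+)$"
)


def parse_o17(log_text):
    """Return (control_set, interface_guid_or_None, [servers]) per NameServer line."""
    records = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # Domain/SearchList lines and everything that is not O17
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        records.append((m.group("cs"), m.group("iface"), servers))
    return records


def classify(server, trusted):
    """'trusted' if on the allow-list, 'private' for RFC 1918/loopback/link-local,
    'public' for anything else routable, 'unparseable' for garbage."""
    if server in trusted:
        return "trusted"
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"


def triage(log_text, trusted=()):
    """Map every suspicious server to the set of (control set, interface) using it.

    Public resolvers (the ISP's, 8.8.8.8) are flagged too unless listed as
    trusted: the check means "not what this machine should use", not "malicious".
    """
    trusted = set(trusted)
    findings = defaultdict(set)
    for cs, iface, servers in parse_o17(log_text):
        for s in servers:
            if classify(s, trusted) in ("public", "unparseable"):
                findings[s].add((cs, iface))
    return dict(findings)


def report(log_text, trusted=()):
    """Human-readable summary, one line per rogue server."""
    lines = []
    for server, where in sorted(triage(log_text, trusted).items()):
        sets = sorted({cs for cs, _ in where})
        ifaces = sorted({i for _, i in where if i})
        lines.append(f"{server}: {len(where)} entries, control sets {sets}, interfaces {ifaces}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)) or "no rogue NameServer entries")
```

Anything public is flagged, so an ISP resolver shows up as well; the point is to compare against known-good values, not to read "public" as "bad". The CS1 entries matter because the Tcpip parameters exist in every control set: a fix applied only to CurrentControlSet leaves a copy that returns if Windows later boots from the other set, for instance via Last Known Good Configuration.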
09.05.2006, 12:25
...new here

Thread starter

Posts: 9
#3 here we go:
Directory of C:\WINDOWS\system32
08.05.2006 08:10 1'158 wpa.dbl
06.04.2006 21:48 5'143'456 MRT.exe
06.04.2006 08:31 383'588 perfh009.dat
06.04.2006 08:31 53'942 perfc009.dat
06.04.2006 08:31 395'068 perfh007.dat
06.04.2006 08:31 65'000 perfc007.dat
06.04.2006 08:31 906'376 PerfStringBackup.INI
30.03.2006 11:26 1'492'480 shdocvw.dll
30.03.2006 03:16 18'944 xpsp3res.dll
23.03.2006 22:34 3'074'560 mshtml.dll
18.03.2006 13:09 615'424 urlmon.dll
17.03.2006 11:11 679'424 inetcomm.dll
17.03.2006 06:03 8'493'056 shell32.dll
17.03.2006 02:38 28'672 verclsid.exe
10.03.2006 06:09 5'533'696 wmp.dll
04.03.2006 05:34 664'064 wininet.dll
04.03.2006 05:34 474'624 shlwapi.dll
04.03.2006 05:34 39'424 pngfilt.dll
04.03.2006 05:34 448'512 mshtmled.dll
04.03.2006 05:34 532'480 mstime.dll
04.03.2006 05:34 146'432 msrating.dll
04.03.2006 05:34 205'312 dxtrans.dll
04.03.2006 05:34 96'768 inseng.dll
04.03.2006 05:34 55'808 extmgr.dll
04.03.2006 05:34 251'392 iepeers.dll
04.03.2006 05:34 1'056'256 danim.dll
04.03.2006 05:34 152'064 cdfview.dll
04.03.2006 05:34 1'022'976 browseui.dll

Directory of C:\DOKUME~1\PETERS~1.JAR\LOKALE~1\Temp

09.05.2006 11:57 240 datFind.zip
09.05.2006 11:54 512 ~DFF3AE.tmp
09.05.2006 11:54 28 ExchangePerflog_8484fa31a63073c4cfcccd43.dat
09.05.2006 11:53 464 WCESCOMM.LOG

Directory of C:\WINDOWS
09.05.2006 11:54 658'229 setupapi.log
09.05.2006 11:53 54'156 QTFont.qfn
09.05.2006 11:52 1'570'600 WindowsUpdate.log
09.05.2006 11:52 0 0.log
09.05.2006 11:52 2'048 bootstat.dat
09.05.2006 11:51 32'642 SchedLgU.Txt
09.05.2006 08:45 41 Filzip.ini
08.05.2006 16:28 49 wpd99.drv
08.05.2006 11:03 169'231 wmsetup.log
08.05.2006 08:47 1'409 QTFont.for
08.05.2006 08:18 727 win.ini
27.04.2006 18:12 4'517 rdt.ini
26.04.2006 12:18 620'232 iis6.log
26.04.2006 12:18 110'155 ntdtcsetup.log
26.04.2006 12:18 182'887 comsetup.log
26.04.2006 12:18 1'374 imsins.log
26.04.2006 12:18 243'830 tsoc.log
26.04.2006 12:18 26'704 tabletoc.log
26.04.2006 12:18 26'628 ocmsn.log
26.04.2006 12:18 11'155 KB900485.log
26.04.2006 12:18 263'249 ocgen.log
26.04.2006 12:18 90'508 netfxocm.log
26.04.2006 12:18 26'068 msgsocm.log
26.04.2006 12:18 29'227 medctroc.Log
26.04.2006 12:18 511'059 FaxSetup.log
26.04.2006 12:18 168'848 msmqinst.log
13.04.2006 08:16 31'436 spupdsvc.log
12.04.2006 18:13 1'374 imsins.BAK
12.04.2006 18:13 15'034 KB908531.log
12.04.2006 18:13 25'791 updspapi.log
12.04.2006 18:13 14'233 KB911562.log
12.04.2006 18:12 16'282 KB912812.log
12.04.2006 18:12 13'319 KB911565.log
12.04.2006 18:11 10'665 KB911567.log
17.02.2006 18:32 10'635 KB911927.log

Volume in drive C has no label.
Volume Serial Number is 24F1-7ADC

Directory of C:\

09.05.2006 12:07 0 sys.txt
09.05.2006 12:04 11'440 system.txt
09.05.2006 12:00 480 systemtemp.txt
09.05.2006 11:57 106'875 system32.txt
09.05.2006 11:52 72 Pollog.txt
09.05.2006 11:52 298'500 PollSt.txt
09.05.2006 11:51 536'268'800 hiberfil.sys
09.05.2006 11:51 805'306'368 pagefile.sys
08.05.2006 10:15 920 fsbl-20060508080746.log
26.01.2006 17:33 122 ss_udp.dat


something like that
09.05.2006, 15:02
Honorary member

Posts: 29434
#4 3.
Download the F-Secure BlackLight beta trial
http://www.f-secure.com/blacklight/
double-click: blbeta.exe
after the check click -- next
you will now find a log file (txt) on the desktop --> please post it here
09.05.2006, 15:29
...new here

Thread starter

Posts: 9
#5 the upload doesn't work (forbidden extension??)
here is the content of the log file:

05/09/06 15:18:38 [Info]: BlackLight Engine 1.0.36 initialized
05/09/06 15:18:38 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/09/06 15:18:39 [Note]: 7019 4
05/09/06 15:18:39 [Note]: 7005 0
05/09/06 15:18:41 [Note]: 7006 0
05/09/06 15:18:41 [Note]: 7011 916
05/09/06 15:18:42 [Note]: 7026 0
05/09/06 15:18:42 [Note]: 7026 0
05/09/06 15:19:23 [Note]: FSRAW library version 1.7.1015
05/09/06 15:22:47 [Note]: 2000 1006
05/09/06 15:22:47 [Note]: 2000 1006
05/09/06 15:26:19 [Note]: 7007 0
09.05.2006, 18:07
Honorary member

Posts: 29434
#6 psst

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> tick it
and click the red cross; when asked "Do you want to reboot?" ---- click "no" and paste in the next one; only on the last one click "yes"
paste in: ............

C:\WINDOWS\system32\dmlug.exe
C:\WINDOWS\rdt.ini

Restart the PC

--------------------------------------------------------

open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC

R3 - URLSearchHook: (no name) - {4FE6ECDA-89FF-CF6A-082F-DD7C20D4E5B8} - driver32.dll (file missing)
O4 - HKLM\..\Run: [systemdll] keybdll.exe
O4 - HKLM\..\Run: [trycrt] ___.exe
O4 - HKLM\..\Run: [dmlug.exe] C:\WINDOWS\system32\dmlug.exe
O4 - HKCU\..\Run: [34763] TRPT.exe
O4 - HKCU\..\Run: [borlandg] vxdman.exe
O4 - HKCU\..\Run: [AppMasterCenter] 34763.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{03B4845C-38EA-4A23-B3AF-462EC9BBC45B}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{23801EA1-60E9-4F8A-99AC-04EFD73906D0}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{49F5CE58-C801-4282-A2A9-5CA38B28BB71}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A996242-9168-495D-BE38-7F426064EFC7}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{C55FF30B-A556-4DB2-9A36-5F519029C685}: NameServer = 85.255.114.87,85.255.112.62
O17 - HKLM\System\CS1\Services\Tcpip\..\{03B4845C-38EA-4A23-B3AF-462EC9BBC45B}: NameServer = 85.255.114.87,85.255.112.62

Restart the PC (you may have to set up a new internet connection)

**
Download FixWareout:
http://swandog46.geekstogo.com/Fixwareout.exe
Fixwareout.exe --> next --> Install --> Run fixit --> Finish / the PC will restart --> C:\fixwareout\report.txt

**
scan with ewido and post the scan report
http://virus-protect.org/ewido.html

**
Log from Silent Runners
http://virus-protect.org/silentrunner.html
+
the new HijackThis log
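KillBox's "Delete on Reboot" option exists because a file that is in use, or that a loader re-creates as soon as it is removed, cannot be got rid of from the running session. What such tools rely on is a Windows facility rather than anything of their own: MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT records the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the session manager (smss.exe) carries the queued operations out early in the next boot, before the programs that hold or re-drop the file are running. The block below is an added example, not KillBox's code and not from the thread: it builds and decodes that value's format (source path with the \??\ prefix, followed by an empty destination for a delete) so a responder can verify what a tool has queued, and wraps the API call and the registry read-back for use on Windows. The two target paths are the ones Sabina lists; everything else is illustrative.

```python
"""What "Delete on Reboot" does: the PendingFileRenameOperations mechanism.

Added example for this thread; not KillBox's code. The encoding/decoding
helpers run anywhere; the API call and registry read-back are Windows-only.
"""
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4          # flag for MoveFileExW
NT_PREFIX = "\\??\\"                        # object-manager form of a Win32 path
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"

# The two files Sabina lists above; everything else here is illustrative.
TARGETS = [r"C:\WINDOWS\system32\dmlug.exe", r"C:\WINDOWS\rdt.ini"]


def pending_ops_entries(paths):
    """Encode delete requests the way the REG_MULTI_SZ value stores them.

    The value is a flat list of (source, destination) pairs: the source is the
    NT path (\\??\\ prefix) and an empty destination means "delete at boot".
    A destination starting with "!" means "replace the existing file".
    """
    entries = []
    for p in paths:
        entries.append(NT_PREFIX + p)
        entries.append("")
    return entries


def decode_pending_ops(entries):
    """Inverse of the above: (source, destination) pairs with destination None
    for deletes and the NT prefix stripped. Use it to verify what a tool queued."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold string pairs")

    def strip(p):
        p = p.lstrip("!")
        return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p

    pairs = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        pairs.append((strip(src), strip(dst) if dst else None))
    return pairs


def schedule_delete_on_reboot(path):
    """Ask Windows to delete `path` at the next boot (needs administrative rights).
    This is the call behind a delete-on-reboot tool; Windows writes the value."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT is Windows-only")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    k32.MoveFileExW.restype = ctypes.c_int
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def read_pending_ops():
    """Read the queued operations back from the registry (Windows only)."""
    if sys.platform != "win32":
        raise OSError("registry access is Windows-only")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, _kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return decode_pending_ops(value)


if __name__ == "__main__":
    # Show the encoding; only read the live queue, never schedule anything here.
    print(pending_ops_entries(TARGETS))
    if sys.platform == "win32":
        print(read_pending_ops())
```

Scheduling needs administrative rights, because the value lives under HKLM\SYSTEM. Queue the file only after the Run entries that start it are gone and the loader process is dead; the next post in the thread shows what happens otherwise: the dropped file simply comes back under another random name.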
10.05.2006, 13:39
...new here

Thread starter

Posts: 9
#7 hi sabina

I did (almost) everything as instructed :-) except for:
a) the file O4 - HKLM\..\Run: [dmlug.exe] C:\WINDOWS\system32\dmlug.exe no longer existed; instead there was a "dmuqp.exe" in that location. I deleted it... but a similar file already exists in the same place again....
b) the download of Fixwareout.exe doesn't work:
Not Found
The requested URL /Fixwareout.exe was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
c) I just can't find the Silent Runners log, although the confirmation message appeared....

d) log from ewido:
---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------

+ Created on: 13:38:51, 10.05.2006
+ Report checksum: 780F13DE

+ Scan result:

:mozilla.18:C:\Dokumente und Einstellungen\xxxxxxxxxxx\Anwendungsdaten\Mozilla\Firefox\Profiles\xorluy2g.default\cookies.txt -
edit Sabina


::Report end


HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:23:33, on 10.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\Programme\TightVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Cisco Systems\VPN Client\vpngui.exe
C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\peter.strassmann.JARONDIRECT\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blick.ch/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programme\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Programme\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Programme\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: PDF in Word öffnen (PDF Converter 2.0) - res://C:\Programme\ScanSoft\PDF Converter 2.0\IEShellExt.dll /500
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/bizzarini/us/win/QuickTimeInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jarondirect.de
O17 - HKLM\Software\..\Telephony: DomainName = jarondirect.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{03B4845C-38EA-4A23-B3AF-462EC9BBC45B}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B88D246B-76F1-46C3-9298-1814296C63E0}: Domain = jarondirect.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{B88D246B-76F1-46C3-9298-1814296C63E0}: NameServer = 192.168.4.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jarondirect.de
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jarondirect.de
O17 - HKLM\System\CS1\Services\Tcpip\..\{03B4845C-38EA-4A23-B3AF-462EC9BBC45B}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jarondirect.de
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: APUpdService - cobra GmbH - C:\WINDOWS\System32\APUpdService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Programme\OpenVPN\bin\openvpnserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programme\TightVNC\WinVNC.exe" -service (file missing)

kind regards
peter
10.05.2006, 14:57
Honorary member

Posts: 29434
#8 psst

Trend Micro Anti-Spyware for the Web - scan and post the scan report
http://virus-protect.org/onlinescan.html
+
post the log from WinPFind
http://virus-protect.org/winpfind.html
10.05.2006, 15:58
...new here

Thread starter

Posts: 9
#9 hello sabina

I ran Trend Micro and let it clean. The scan report can't be copied, though...

I downloaded WinPFind, but only get an error message after clicking the .exe file.

IEX, or rather the Google search, is running without errors again at the moment!! it almost seems as if we've won...??

what do you think?
regards
peter
10.05.2006, 16:00
Honorary member

Posts: 29434
#10

Quote

the scan report can't be copied, though..
was anything found? e.g. URLs?

try Silent Runners again ...it's important...
10.05.2006, 16:22
...new here

Thread starter

Posts: 9
#11 what am I doing wrong? the Silent Runners script runs and at the end the confirmation window appears (see attachment). but I can't find that file anywhere on my hard disk...
10.05.2006, 20:56
Honorary member

Posts: 29434
#12 I can't read *.doc documents...please post it as a txt file
11.05.2006, 09:02
...new here

Thread starter

Posts: 9
#13 managed the Silent Runners!

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"Cpqset" = "C:\Programme\HPQ\Default Settings\cpqset.exe" [null data]
"PreloadApp" = "c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d" [null data]
"srmclean" = "C:\Cpqs\Scom\srmclean.exe" [null data]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"HPWH myPrintMileage Agent" = "C:\Programme\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe" [null data]
"SSBkgdUpdate" = ""C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Scansoft, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"Mouse Suite 98 Daemon" = "ICO.EXE" ["Primax Electronics Ltd."]
"WinVNC" = ""C:\Programme\TightVNC\WinVNC.exe" -servicehelper" ["AT&T Research Labs Cambridge"]
"SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"AdaptecDirectCD" = ""C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{F880B6ED-582C-4750-BDEB-907CE61ABA64}" = "ScanSoft PDF Converter 2.0 Shell Extension"
-> {HKLM...CLSID} = "ScanSoft PDF Converter 2.0 Shell Extension"
\InProcServer32\(Default) = "C:\Programme\ScanSoft\PDF Converter 2.0\ShellExt20.dll" ["ScanSoft, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B28C18DB-6816-4F31-9630-397683E3C2C3}" = "Filzip Shell Extension"
-> {HKLM...CLSID} = "Filzip Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Filzip\fzshext.dll" [empty string]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-malware\context.dll" ["ewido networks"]
Filzip\(Default) = "{B28C18DB-6816-4F31-9630-397683E3C2C3}"
-> {HKLM...CLSID} = "Filzip Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Filzip\fzshext.dll" [empty string]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-malware\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Filzip\(Default) = "{B28C18DB-6816-4F31-9630-397683E3C2C3}"
-> {HKLM...CLSID} = "Filzip Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Filzip\fzshext.dll" [empty string]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\peter.strassmann.JARONDIRECT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Peter.Strassmann" & "All Users" startup folders:
------------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Cisco Systems VPN Client" -> shortcut to: "C:\Programme\Cisco Systems\VPN Client\vpngui.exe "-user_logon"" ["Cisco Systems, Inc."]


Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Mobilen Favoriten erstellen"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\inetrepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MI3AA1~1\inetrepl.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [file not found]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.hp.com

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 6 domain names to IP addresses,
5 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Programme\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
ewido security suite control, ewido security suite control, "C:\Programme\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Programme\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
VNC Server, winvnc, ""C:\Programme\TightVNC\WinVNC.exe" -service" ["AT&T Research Labs Cambridge"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]
HPWHLMN\Driver = "hpwhlmn.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
NetGear Print Server\Driver = "ngprtserv.dll" [null data]
PDF995 Monitor\Driver = "pdfmon.dll" [null data]
pdfinst\Driver = "pdfmont.dll" ["PDF Bean Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 28 seconds, including 3 seconds for message boxes)
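The HOSTS check in the report above (6 domain names mapped, 5 of them not to localhost) can be reproduced with a few lines of Python. This is an added example, not code from the thread or from the scanning tool; the HOSTS content it inspects is constructed sample data, not the poster's real file.

```python
"""Flag HOSTS entries that send domain names somewhere other than localhost.
Added example, not the thread's or the scanning tool's code; mirrors its HOSTS check."""
import ipaddress

# Constructed sample HOSTS file, not the poster's real one.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.test            # ad-blocking entry, harmless
192.0.2.10      www.google.com              # search engine redirected
192.0.2.10      www.bing.com
192.0.2.11      windowsupdate.microsoft.com
192.0.2.12      update.av-vendor.test www.av-vendor.test
not-an-ip       garbage
"""


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs, skipping blanks, comments and malformed lines."""
    pairs: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()             # one IP, one or more names
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                          # not a mapping line at all
        pairs.extend((ip, name) for name in names)
    return pairs


def suspicious_mappings(text: str) -> dict[str, list[str]]:
    """Group hostnames by the non-loopback address they are redirected to."""
    found: dict[str, list[str]] = {}
    for ip, name in parse_hosts(text):
        if not ipaddress.ip_address(ip).is_loopback:
            found.setdefault(ip, []).append(name)
    return found


def summarize(text: str) -> tuple[int, int]:
    """(domain names mapped, mappings not pointing at localhost), as the report counts."""
    pairs = [(ip, n) for ip, n in parse_hosts(text) if n != "localhost"]
    bad = sum(1 for ip, _ in pairs if not ipaddress.ip_address(ip).is_loopback)
    return len(pairs), bad


if __name__ == "__main__":
    mapped, bad = summarize(SAMPLE_HOSTS)
    print(f"maps: {mapped} domain names, {bad} not localhost", suspicious_mappings(SAMPLE_HOSTS))
```

Any name that lands on a non-loopback address (a search engine, an update server, a security vendor) is what the report's warning is about; an entry pinned to 127.0.0.1 is the usual harmless ad-blocking case.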
11.05.2006, 12:03
Honorary member
Avatar Sabina

Posts: 29434
#14 So far everything is in order...

A new link:
Download FixWareout:
http://downloads.subratam.org/Fixwareout.exe
Fixwareout.exe --> next --> Install --> Run fixit --> Finish / the PC will restart --> C:\fixwareout\report.txt
__________
Kind regards, Sabina

all about PC security
11.05.2006, 13:56
...new here

Thread starter

Posts: 9
#15 Anything else? :-)


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal