TitanShield Antispyware

23.06.2006, 15:34
Honorary member
Sabina

Posts: 29434
#1

Quote

Hello Sabina,
please help me. I can't get rid of this virus anymore.
This is what HijackThis came up with:

Logfile of HijackThis v1.99.1
Scan saved at 11:46:06, on 23.06.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Programme\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\T-COM\T-COM WLAN Manager T-Sinus 154data\Installer\WINXP\DTUSB11GMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\users32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\VFSWRA~1.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\HijackThis.exe

R3 - URLSearchHook: _URLHandler - {7FF23285-DBBC-49B6-818C-34AC459D5BB3} - C:\WINDOWS\system32\pidd.dll (file missing)
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: adobepnl.ADOBE_PANEL - {C3E7E8D3-0B97-4FF3-B1BD-DAB4B04CD697} - C:\WINDOWS\system32\adobepnl.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Programme\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Startup: titanshield.lnk = C:\Programme\TitanShield Antispyware\titanshield.exe
O4 - Global Startup: GStartup.lnk = C:\Programme\Gemeinsame Dateien\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: T-COM WLAN Manager T-Sinus 154data.lnk = C:\Programme\T-COM\T-COM WLAN Manager T-Sinus 154data\Installer\WINXP\DTUSB11GMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: AVSKEYX - http://www.avskey.de/ocx/AVSKeyX.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://212.9.72.84/Rawflow.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109281081263
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147505816671
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

__________
Regards, Sabina

all about PC security
23.06.2006, 15:36
Honorary member
Thread starter
Sabina

Posts: 29434
#2 1.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste this in:

Quote

Files to delete:
C:\WINDOWS\system32\susp.exe
C:\WINDOWS\SYSTEM32\winlogon.ini
C:\WINDOWS\SYSTEM32\bridge.dll
C:\WINDOWS\SYSTEM32\a.exe
C:\WINDOWS\SYSTEM32\runsrv32.exe
C:\WINDOWS\SYSTEM32\dailytoolbar.dll
C:\WINDOWS\SYSTEM32\alxres.dll
C:\WINDOWS\SYSTEM32\users32.exe
C:\WINDOWS\SYSTEM32\lrf.dat
C:\WINDOWS\SYSTEM32\lud.dat
C:\WINDOWS\SYSTEM32\scngcf.dat
C:\WINDOWS\SYSTEM32\wstart.dll
C:\WINDOWS\SYSTEM32\ikhcore.log
C:\WINDOWS\SYSTEM32\thlwin32.dll
C:\WINDOWS\SYSTEM32\qjrkvy.exe
C:\WINDOWS\SYSTEM32\winflash.dll
C:\WINDOWS\SYSTEM32\adobepnl.dll
C:\WINDOWS\SYSTEM32\udpmod.dll
C:\WINDOWS\SYSTEM32\questmod.dll
C:\WINDOWS\SYSTEM32\jao.dll
C:\WINDOWS\SYSTEM32\txfdb32.dll
C:\WINDOWS\SYSTEM32\runsrv32.dll
C:\WINDOWS\SYSTEM32\tcpservice2.exe
C:\WINDOWS\spacer.gif'
C:\WINDOWS\header_1.gif
C:\WINDOWS\footer_back.jpg
C:\WINDOWS\footer_back.gif
C:\WINDOWS\features.gif
C:\WINDOWS\download_box.gif
C:\WINDOWS\button_freescan.gif
C:\WINDOWS\button_buynow.gif
C:\WINDOWS\box_3.gif
C:\WINDOWS\box_2.gif
C:\WINDOWS\box_1.gif
C:\WINDOWS\bg.gif
C:\WINDOWS\as_header.gif
C:\WINDOWS\as.gif
C:\WINDOWS\about_spyware_bottom.gif
C:\WINDOWS\about_spyware_bg.gif
C:\WINDOWS\dlmax.dll
C:\WINDOWS\Pynix.dll
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\alxtb1.dll
C:\WINDOWS\alxie328.dll
C:\WINDOWS\alexaie.dll
C:\WINDOWS\close-bar.gif
C:\WINDOWS\infected.gif
C:\WINDOWS\star.gif
C:\WINDOWS\susp.exe
C:\WINDOWS\warning-bar-ico.gif

Click the green traffic light
the script will now be executed, then the PC will restart automatically

**
2.
post the log from Avenger that appears

**
3.
open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC

Quote

R3 - URLSearchHook: _URLHandler - {7FF23285-DBBC-49B6-818C-34AC459D5BB3} - C:\WINDOWS\system32\pidd.dll (file missing)
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)

O2 - BHO: adobepnl.ADOBE_PANEL - {C3E7E8D3-0B97-4FF3-B1BD-DAB4B04CD697} - C:\WINDOWS\system32\adobepnl.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)

O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Startup: titanshield.lnk = C:\Programme\TitanShield Antispyware\titanshield.exe
O4 - Global Startup: GStartup.lnk = C:\Programme\Gemeinsame Dateien\GMT\GMT.exe

Restart the PC


4.
work through smitfraud.fix (post the scan report)
http://virus-protect.org/artikel/tools/smitfrautfix.html

5.
configure CleanUp exactly as described here:
http://virus-protect.org/cleanup.html

**
6.
Copy these 4 text files (right-click with the mouse -> select the text -> copy -> paste). They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html

**
7.
Copy the following text into Notepad (Start - Accessories - Notepad) and use 'Save as' to save it on the desktop as listen.bat. Set the file type to 'All files'. You should now find this file on the desktop. --> double-click listen.bat --> copy the text that appears

Quote

cd\
rem list the directories the malware uses and the usual drop locations into C:\files.txt
dir "C:\Programme\Gemeinsame Dateien\GMT" >>files.txt
dir "C:\Programme\TitanShield Antispyware" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Lokale Einstellungen\Temp" >>files.txt
dir "C:\WINDOWS\Temp" >>files.txt
dir "C:\Temp" >>files.txt
dir "C:\Programme" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Anwendungsdaten" >>files.txt
dir "C:\Programme\Gemeinsame Dateien" >>files.txt
rem open the collected listing so it can be copied into the reply
notepad files.txt

__________
Regards, Sabina

all about PC security
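As an added example (not from this thread, HijackThis or Avenger): a small Python triage script that parses entries in the HijackThis log format shown above and flags the kinds of lines Sabina picks out, namely orphaned R3/O2 entries whose DLL is missing and O4 autostarts that launch a file on the Avenger removal list or sit unexpectedly in system32. The sample lines are copied from the thread; the removal list and the allowlist of known Run values are constructed from it.

```python
import re

# Constructed sample: a few lines in HijackThis v1.99 format, taken from the thread above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: _URLHandler - {7FF23285-DBBC-49B6-818C-34AC459D5BB3} - C:\WINDOWS\system32\pidd.dll (file missing)
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
"""
# File names from the helper's Avenger script; an autostart launching one of them is flagged.
REMOVAL_LIST = {"susp.exe", "runsrv32.exe", "users32.exe", "a.exe", "tcpservice2.exe", "qjrkvy.exe"}
# Run values seen in the log that belong to legitimate software (constructed allowlist).
KNOWN_RUN_VALUES = {"ctfmon.exe", "nvcpldaemon", "nvmediacenter", "msmsgs", "avgnt"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")

def executable_of(cmd):
    """Return the program path from an O4 command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def triage(log_text):
    """Return (section, reason, line) for every entry that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        # Orphaned hooks/BHOs: the registry entry survives but the DLL behind it is gone.
        if sec in ("R3", "O2") and ("(no file)" in rest or "(file missing)" in rest):
            findings.append((sec, "orphaned entry, DLL missing", line.strip()))
        elif sec == "O4" and (run := RUN_RE.match(rest)):
            exe = executable_of(run.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower()
            if base in REMOVAL_LIST:
                findings.append((sec, "autostart launches a file on the removal list", line.strip()))
            elif "\\system32\\" in exe.lower() and run.group("value").lower() not in KNOWN_RUN_VALUES:
                findings.append((sec, "unfamiliar autostart living in system32", line.strip()))
    return findings

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}: {line}")
```

The allowlist is deliberately short; in practice the Run value alone is not proof of legitimacy, so the flagged lines are a starting point for the manual check Sabina performs, not a verdict.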
23.06.2006, 16:01
...new here

Posts: 1
#3 Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cylwlubn

*******************

Script file located at: \??\C:\WINDOWS\system32\tudphwgd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\SYSTEM32\nwbxltxk.vld not found!
Deletion of file C:\WINDOWS\SYSTEM32\nwbxltxk.vld failed!

Could not process line:
C:\WINDOWS\SYSTEM32\nwbxltxk.vld
Status: 0xc0000034



File C:\WINDOWS\system32\susp.exe not found!
Deletion of file C:\WINDOWS\system32\susp.exe failed!

Could not process line:
C:\WINDOWS\system32\susp.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\winlogon.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\bridge.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\a.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\runsrv32.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\dailytoolbar.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\alxres.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\users32.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\lrf.dat deleted successfully.
File C:\WINDOWS\SYSTEM32\wstart.dll deleted successfully.


File C:\WINDOWS\SYSTEM32\ikhcore.log not found!
Deletion of file C:\WINDOWS\SYSTEM32\ikhcore.log failed!

Could not process line:
C:\WINDOWS\SYSTEM32\ikhcore.log
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\thlwin32.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\qjrkvy.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\winflash.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\adobepnl.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\udpmod.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\questmod.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\jao.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\txfdb32.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\runsrv32.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\tcpservice2.exe deleted successfully.


File C:\WINDOWS\SYSTEM32\hexicuer.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\hexicuer.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\hexicuer.exe
Status: 0xc0000034

File C:\WINDOWS\spacer.gif' deleted successfully.
File C:\WINDOWS\header_1.gif deleted successfully.
File C:\WINDOWS\footer_back.jpg deleted successfully.
File C:\WINDOWS\footer_back.gif deleted successfully.
File C:\WINDOWS\features.gif deleted successfully.
File C:\WINDOWS\download_box.gif deleted successfully.
File C:\WINDOWS\button_freescan.gif deleted successfully.
File C:\WINDOWS\button_buynow.gif deleted successfully.
File C:\WINDOWS\box_3.gif deleted successfully.
File C:\WINDOWS\box_2.gif deleted successfully.
File C:\WINDOWS\box_1.gif deleted successfully.
File C:\WINDOWS\bg.gif deleted successfully.
File C:\WINDOWS\as_header.gif deleted successfully.
File C:\WINDOWS\as.gif deleted successfully.
File C:\WINDOWS\about_spyware_bottom.gif deleted successfully.
File C:\WINDOWS\about_spyware_bg.gif deleted successfully.
File C:\WINDOWS\dlmax.dll deleted successfully.
File C:\WINDOWS\Pynix.dll deleted successfully.
File C:\WINDOWS\BTGrab.dll deleted successfully.
File C:\WINDOWS\alxtb1.dll deleted successfully.
File C:\WINDOWS\alxie328.dll deleted successfully.
File C:\WINDOWS\alexaie.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
23.06.2006, 16:34
Honorary member
Thread starter
Sabina

Posts: 29434
#4 now work through all the remaining steps and post the logs from datfindbat and listen.bat
__________
Regards, Sabina

all about PC security