Killandclean & strange toolbar installed itself unnoticed

20.08.2006, 23:16
Honorary member
Sabina

Posts: 29434
#16 Antivirus-Free is a good virus protection; tell your acquaintance
a) he should browse with care, certain sites are off limits ;)
b) he should not click on everything that flashes; not everything that offers to clean the computer of malware is a virus scanner, sometimes it is the trojan itself.... ;)
see killandclean .. he wrecked his own computer when he downloaded it....
__________
Kind regards, Sabina

all about PC security
20.08.2006, 23:21
...new here

Thread starter

Posts: 9
#17

Quote

Sabina posted
Antivirus-Free is a good virus protection; tell your acquaintance
a) he should browse with care, certain sites are off limits ;)
b) he should not click on everything that flashes; not everything that offers to clean the computer of malware is a virus scanner, sometimes it is the trojan itself.... ;)
see killandclean .. he wrecked his own computer when he downloaded it....
re a) ok, I hope he takes that to heart ;)

re b) I believe that killandclean installed itself by exploiting a security hole. I have read that it likes to do that, and he said that it was simply there all of a sudden.

OK, then let's hope we won't need your help again so soon ;) Thanks again for the cleanup!
19.09.2006, 01:51
...new here

Posts: 4
#18 Hello Sabina,

unfortunately I have also caught a Kill&clean.

It would be nice if you could help me get rid of it and show me the security holes through which the beast was able to land on my machine.

Following your description below, I have created the following logs.
Norton Internet Security 2005 also seems to be unresponsive.
Quite a few things are wrong here...

Quote

Sabina posted
aqua57

Information: killandclean
http://virus-protect.org/artikel/spyware/killandclean.html
http://virus-protect.org/artikel/spyware/killandclean_remove.html

-----------------------------------------------------------------------

I need the following logs

Hijackthis
http://computercops.biz/zx/Merijn/hijackthis.zip
http://virus-protect.org/hjtkurz.html
Download/unpack HijackThis into a folder
--> None of the above just start the program --> Save --> Savelog --> the editor opens
now copy the COMPLETE log with a right mouse click and "paste" it into the forum with a right mouse click

------

fixwareout - post the report
http://virus-protect.org/artikel/tools/fixwareout.html

------

post the report
http://www.f-secure.com/blacklight/
run the file, accept the license terms and choose scan; when the scan is finished, press next and then close. An FSB*.TXT file is now in the same folder as Blacklight

-----

set up CleanUp exactly as specified here:
http://virus-protect.org/cleanup.html

-----

Copy these 4 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html
1. HijackThis Report:

Logfile of HijackThis v1.99.1
Scan saved at 01:19:36, on 19.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton Internet Security\ISSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Programme\Apoint\Apoint.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Sony\VAIO Power Management\SPMgr.exe
C:\Programme\Sony\ISB Utility\ISBMgr.exe
C:\Programme\Apoint\Apntex.exe
C:\Programme\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Programme\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Programme\Utimaco\SafeGuard PrivateDisk\pdservice.exe
C:\Programme\T-Mobile\Communication Center\AutoUpdateSrv.exe
C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programme\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
C:\Programme\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe
C:\Programme\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Programme\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Sony\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Programme\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Programme\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Programme\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Programme\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PDService.exe] C:\Programme\Utimaco\SafeGuard PrivateDisk\pdservice.exe
O4 - HKLM\..\Run: [ScheduleSync.Siemens.SmartSync.5.2.exe] C:\Programme\Mobile Phone Manager\SmartSync\ScheduleSync.exe
O4 - HKLM\..\Run: [PrepareYourVAIO] C:\Programme\sony\Prepare your VAIO\PYVAlert.exe
O4 - HKLM\..\Run: [Connect Update Agent] "C:\Programme\T-Mobile\Communication Center\AutoUpdateSrv.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [bvfkx.exe] C:\WINDOWS\system32\bvfkx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Audio Filter.lnk = C:\Programme\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
O4 - Global Startup: F-Secure 2006.lnk = C:\Programme\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: myPrintMileage.lnk = C:\Programme\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/de/
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC303FB-2EF4-4049-ACA1-94CC22121B62}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{999619A7-6761-483B-80FF-AE073108D12E}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C46ABE3-A8D4-40D2-A721-86F1B660CC26}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0FA5A43-72E6-4F5E-90B8-97293BCA039C}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{F15974B6-3775-43D9-8C30-49F4EAE6B568}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE1A9407-F9FB-455D-A5B1-B4F593C5E8C1}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FC303FB-2EF4-4049-ACA1-94CC22121B62}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63
O18 - Protocol: t-mobile - {C6D89159-3467-4C2F-9918-3362DA57BCD2} - C:\PROGRA~1\T-Mobile\HOTSPO~1\TMOBIL~1.DLL
O20 - Winlogon Notify: ideusr50 - C:\WINDOWS\SYSTEM32\ideusr50.dll
O20 - Winlogon Notify: lanmui - C:\WINDOWS\SYSTEM32\lanmui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: MySql - Unknown owner - C:/wampp2/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Programme\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Programme\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Programme\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Programme\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--------------------------------------------------------------------
2. Fixwareout report


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AEF5792A43DA-2848-60A4-AFB2-7947D68F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}45A64A894626-8449-BDC4-4EE2-876DFDD5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AD1F4234ABE2-62C8-4DC4-9AB8-60AF7B57{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C56E4567AEB4-FFE9-1704-6F40-6C35E94C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3066DC7D3E9D-12CA-DC04-A32C-A788D8C3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C27F3E608054-F91B-F004-E62E-F05CEB80{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\hstmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Random Runs removed from HKLM
"dmtsh.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSAGQ.EXE

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSAGQ.EXE 51.216 2006-09-18
C:\WINDOWS\SYSTEM32\DMTSH.EXE 61.967 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32
{08BEC50F-E26E-400F-B19F-450806E3F72C}.exe
{3C8D887A-C23A-40CD-AC21-D9E3D7CD6603}.exe
{C49E53C6-04F6-4071-9EFF-4BEA7654E65C}.exe
{5DDFD678-2EE4-4CDB-9448-626498A46A54}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

------------------------------------------------------------------
3. Blacklight report:

09/18/06 23:27:28 [Info]: BlackLight Engine 1.0.46 initialized
09/18/06 23:27:28 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/18/06 23:27:28 [Note]: 7019 4
09/18/06 23:27:28 [Note]: 7005 0
09/18/06 23:27:33 [Note]: 7006 0
09/18/06 23:27:33 [Note]: 7027 1
09/18/06 23:27:33 [Note]: 7027 0
09/18/06 23:27:34 [Note]: 7026 0
09/18/06 23:27:34 [Note]: 7026 0
09/18/06 23:27:34 [Note]: 7024 3
09/18/06 23:27:34 [Info]: Hidden process: C:\WINDOWS\Explorer.EXE
09/18/06 23:27:34 [Note]: 7024 3
09/18/06 23:27:34 [Info]: Hidden process: \??\C:\WINDOWS\system32\winlogon.exe
09/18/06 23:27:34 [Note]: FSRAW library version 1.7.1019
09/18/06 23:31:37 [Info]: Hidden file: c:\WINDOWS\system32\klgcptini.dat
09/18/06 23:31:37 [Note]: 10002 1
09/18/06 23:31:45 [Info]: Hidden file: c:\WINDOWS\system32\stt82.ini
09/18/06 23:31:45 [Note]: 10002 1
09/18/06 23:31:46 [Info]: Hidden file: c:\WINDOWS\system32\lanmui.dll
09/18/06 23:31:46 [Note]: 10002 1
09/18/06 23:31:46 [Info]: Hidden file: c:\WINDOWS\system32\lannui.sys
09/18/06 23:31:46 [Note]: 10002 1
09/18/06 23:31:47 [Info]: Hidden file: c:\WINDOWS\system32\qz.dll
09/18/06 23:31:47 [Note]: 10002 1
09/18/06 23:31:48 [Info]: Hidden file: c:\WINDOWS\system32\qz.sys
09/18/06 23:31:48 [Note]: 10002 1
09/18/06 23:31:59 [Note]: 7002 0
09/18/06 23:31:59 [Note]: 7003 1
09/18/06 23:31:59 [Error]: 6023 5
09/18/06 23:43:16 [Note]: 7007 0

---------------------------------------------------------------
4. Ran CleanUp once

---------------------------------------------------
5. The logs of the last three months from

a) Verzeichnis von C:\

19.09.2006 01:08 0 sys.txt
19.09.2006 00:48 536.203.264 hiberfil.sys
19.09.2006 00:48 805.306.368 pagefile.sys
26.01.2006 23:25 50 AUTOEXEC.BAT
14.08.2005 09:54 1.119 INSTALL.LOG
01.08.2005 20:49 6.657 w.exe
20.06.2005 18:31 17.790 SDSSetup.log
19.06.2005 13:10 0 winamp.ini
--------------------------------------------------------------------------
b) Verzeichnis von C:\WINDOWS

19.09.2006 00:54 324.801 WindowsUpdate.log
19.09.2006 00:48 0 0.log
19.09.2006 00:48 50 wiaservc.log
19.09.2006 00:48 159 wiadebug.log
19.09.2006 00:48 2.048 bootstat.dat
19.09.2006 00:47 32.430 SchedLgU.Txt
18.09.2006 22:15 1.714.482 FSSFM.log
18.09.2006 22:15 309.392 RunSetup.log
18.09.2006 22:15 28.503 FSISU.log
18.09.2006 22:15 386 fsavunin.log
18.09.2006 22:15 642 fsdginst.log
18.09.2006 22:15 1.040 FSSCINST.log
18.09.2006 22:15 115.695 FSPROD.log
18.09.2006 22:15 2.050 fsmainst.log
18.09.2006 22:15 305 FSSSINST.log
18.09.2006 22:15 359 FSASWSIN.log
18.09.2006 22:15 2.534 fwesinst.log
18.09.2006 22:15 3.516 fstnbins.LOG
18.09.2006 22:15 292.820 FSSETUP.log
18.09.2006 22:15 962 FSPCINST.LOG
18.09.2006 22:15 2.624 fwinst.log
18.09.2006 22:15 1.457 FSAVINST.LOG
18.09.2006 22:15 135.605 FSDEPH.log
18.09.2006 22:15 10.020 fsrif.log
18.09.2006 22:14 489.212 fssgpex.LOG
18.09.2006 22:11 4.712 fsbwinst.log
18.09.2006 22:11 2.438 FSPRODRM.LOG
18.09.2006 22:09 118.842 bwUnin-6.3.2.123-4476822L.exe
18.09.2006 22:06 3.142 Q-Klez.log
18.09.2006 11:45 195 ChssBase.ini
14.09.2006 01:03 10.240 gfo.exe
14.09.2006 01:03 56.219 4kj.exe
11.09.2006 09:16 293.110 setupapi.log
08.09.2006 13:43 10.366 ModemLog_Fusion UMTS GPRS - 3G Modem.txt
07.09.2006 16:08 55.465 wmsetup.log
29.07.2006 22:16 996 IE4 Error Log.txt
06.07.2006 20:30 392 nsw.log
26.06.2006 19:34 8.654 iis6.log
26.06.2006 19:34 16.007 ntdtcsetup.log
26.06.2006 19:34 27.759 comsetup.log
26.06.2006 19:34 30.290 tsoc.log
26.06.2006 19:34 4.696 imsins.log
26.06.2006 19:34 3.138 ocmsn.log
26.06.2006 19:34 43.556 ocgen.log
26.06.2006 19:34 3.293 msgsocm.log
26.06.2006 19:34 53.556 FaxSetup.log
---------------------------------------------------------------------------
c) Verzeichnis von C:\DOKUME~1\Sony\LOKALE~1\Temp

18.09.2006 22:10 71.687 BWInstall.log
18.09.2006 22:09 26.408 BWDump.log
18.09.2006 20:28 447 oih2.tmp
14.09.2006 01:03 4.608 321171.exe
14.09.2006 00:28 5 IVIApp.tmp
13.09.2006 14:57 25.475 bl4ck.com
11.09.2006 09:20 31.232 ~WRC0000.tmp
11.09.2006 09:20 512 ~DF6777.tmp
11.09.2006 09:15 512 ~DFF71B.tmp
08.09.2006 09:54 53.346 wlg3.tmp
07.09.2006 18:44 11.434 java_install_reg.log
07.09.2006 16:08 717 control.xml
06.09.2006 12:49 2.012 ~WRS0004.tmp
06.09.2006 12:49 65.536 ~WRF0005.tmp
06.09.2006 12:49 11.244 mso988A.wmf
06.09.2006 12:48 16.404 ~WRS0003.tmp
06.09.2006 12:48 65.536 ~WRF0004.tmp
06.09.2006 12:48 11.244 mso52582.wmf
06.09.2006 10:58 69 ~WRD0000.doc
07.08.2006 13:26 59.834 F58EE07.dmp
07.08.2006 13:26 8.616 e599_appcompat.txt
03.08.2006 11:50 512 ~DF8B95.tmp
03.08.2006 11:40 512 ~DFA988.tmp
03.08.2006 10:58 512 ~DF19B.tmp
03.08.2006 10:47 512 ~DFD0FA.tmp
03.08.2006 10:45 62.198 ~WRS0002.tmp
03.08.2006 10:45 512 ~DFE0CB.tmp
03.08.2006 10:43 512 ~DFA34A.tmp
28.07.2006 11:59 98.281 TWAIN.LOG
28.07.2006 11:59 326.976 CNQ1213.shd
28.07.2006 11:56 3 Twain001.Mtx
28.07.2006 11:56 156 Twunk001.MTX
28.06.2006 01:58 512 ~DF7ABC.tmp
28.06.2006 01:58 512 ~DF5E89.tmp
25.06.2006 20:11 8.616 266e_appcompat.txt
25.06.2006 20:11 8.616 265f_appcompat.txt


----------------------------------------------------------------------
d) Verzeichnis von C:\WINDOWS\system32

19.09.2006 00:49 693 ps.a3d
19.09.2006 00:47 0 ksl48.bin
18.09.2006 20:28 424.718 {08BEC50F-E26E-400F-B19F-450806E3F72C}.exe
18.09.2006 20:28 5.214 {3C8D887A-C23A-40CD-AC21-D9E3D7CD6603}.exe
18.09.2006 20:28 45.568 {C49E53C6-04F6-4071-9EFF-4BEA7654E65C}.exe
18.09.2006 20:28 3.117 {5DDFD678-2EE4-4CDB-9448-626498A46A54}.exe
18.09.2006 20:28 51.216 csagq.exe
13.09.2006 18:18 6 tick48.bin
13.09.2006 14:57 6.880 idersrvc.sys
13.09.2006 14:57 19.635 ideusr50.dll
10.09.2006 14:15 1.158 wpa.dbl
26.06.2006 19:34 40.326 perfc009.dat
26.06.2006 19:34 311.938 perfh009.dat
26.06.2006 19:34 317.168 perfh007.dat
26.06.2006 19:34 48.552 perfc007.dat
26.06.2006 19:34 722.932 PerfStringBackup.INI
22.04.2006 19:02 186.608 FNTCACHE.DAT
10.08.2005 00:14 692.224 divxdec.ax
10.08.2005 00:13 4.276 divxsm.tlb
10.08.2005 00:13 524.288 DivXsm.exe
10.08.2005 00:13 692.736 DivX.dll
10.08.2005 00:13 688.128 divx_xx07.dll
10.08.2005 00:13 10.775 dsm_ja.qm
10.08.2005 00:13 15.351 dsm_de.qm
10.08.2005 00:13 15.153 dsm_fr.qm
10.08.2005 00:13 688.128 divx_xx0c.dll
10.08.2005 00:13 671.744 divx_xx11.dll
10.08.2005 00:13 831.488 libeay32.dll
10.08.2005 00:13 245.408 unicows.dll
10.08.2005 00:13 159.744 ssleay32.dll
10.08.2005 00:12 3.596.288 qt-dx331.dll
10.08.2005 00:12 8.523 dpude.qm
10.08.2005 00:12 86.016 dpl100.dll
10.08.2005 00:12 581.632 dpuGUI11.dll
10.08.2005 00:12 200.704 dtu100.dll
10.08.2005 00:12 303.104 dpus11.dll
10.08.2005 00:12 57.344 dpv11.dll
10.08.2005 00:12 245.760 dpu11.dll
10.08.2005 00:12 3.136 dtu_de.qm
10.08.2005 00:12 356.436 DivXMedia.ax
02.07.2005 21:30 197 InstallFunk.txt
23.06.2005 22:17 352.256 CNQL1213.DLL
20.06.2005 18:30 1.415 mapisvc.inf
12.06.2005 20:07 4.833 setup.iwf

--------------------------------------------------------------
Could you please help me?

Regards
Antikörper
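The HijackThis and BlackLight reports in the post above carry the two findings the thread turns on: static NameServer overrides on every interface (the O17 lines) and two Winlogon Notify packages (the O20 lines), one of which, lanmui.dll, BlackLight also lists as a hidden file. The following Python script is an added triage example for this thread, not a tool from virus-protect.org, HijackThis or F-Secure. The resolver watchlist is taken from the O17 lines above, the Windows XP Notify allow-list is an assumption, and the sample log excerpts are copied from the two reports.

```python
"""Triage of a HijackThis log against a BlackLight report.

Added example for this thread, not a tool from virus-protect.org or the
HijackThis project. It flags static DNS overrides (O17) and non-standard
Winlogon Notify packages (O20), and cross-references every HijackThis line
with the files BlackLight reported as hidden.
"""
import re

# The two resolver addresses are exactly what the O17 lines above show;
# a real deployment would maintain its own watchlist.
KNOWN_BAD_RESOLVERS = {"85.255.115.34", "85.255.112.63"}

# Winlogon Notify packages shipped with Windows XP SP2 (assumed allow-list).
# Anything else is reported for manual review, not condemned outright.
XP_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
HIDDEN_FILE_RE = re.compile(r"\[Info\]: Hidden file: (?P<path>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")  # drive-letter paths on a line


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_hijackthis(text):
    """Collect O17 and O20 findings from a HijackThis log."""
    findings = {"static_dns": [], "known_bad_dns": [], "winlogon_notify": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            # HijackThis prints the list comma- or space-separated, as the
            # per-interface and the Tcpip\Parameters lines above show.
            servers = [s for s in re.split(r"[,\s]+", m["servers"]) if s]
            findings["static_dns"].append((m["key"], servers))
            bad = sorted({s for s in servers if s in KNOWN_BAD_RESOLVERS})
            if bad:
                findings["known_bad_dns"].append((m["key"], bad))
            continue
        m = O20_RE.match(line)
        if m and m["name"].lower() not in XP_NOTIFY_PACKAGES:
            findings["winlogon_notify"].append((m["name"], m["path"].strip()))
    return findings


def hidden_files(blacklight_text):
    """Names of files BlackLight reported as hidden from the file system API."""
    names = set()
    for line in blacklight_text.splitlines():
        m = HIDDEN_FILE_RE.search(line)
        if m:
            names.add(basename(m["path"]))
    return names


def correlate(hjt_text, blacklight_text):
    """HijackThis lines that reference a file BlackLight found hidden.

    A hidden file that is nevertheless registered as an autostart (Run key,
    Winlogon Notify, service) is the strongest signal in these two reports.
    """
    hidden = hidden_files(blacklight_text)
    hits = []
    for line in hjt_text.splitlines():
        matched = {basename(p) for p in PATH_RE.findall(line)} & hidden
        if matched:
            hits.append((sorted(matched), line.strip()))
    return hits


# Excerpts copied from the two reports above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bvfkx.exe] C:\WINDOWS\system32\bvfkx.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC303FB-2EF4-4049-ACA1-94CC22121B62}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63
O20 - Winlogon Notify: ideusr50 - C:\WINDOWS\SYSTEM32\ideusr50.dll
O20 - Winlogon Notify: lanmui - C:\WINDOWS\SYSTEM32\lanmui.dll
"""
BLACKLIGHT_SAMPLE = r"""
09/18/06 23:31:46 [Info]: Hidden file: c:\WINDOWS\system32\lanmui.dll
09/18/06 23:31:46 [Info]: Hidden file: c:\WINDOWS\system32\lannui.sys
09/18/06 23:31:47 [Info]: Hidden file: c:\WINDOWS\system32\qz.dll
"""

if __name__ == "__main__":
    found = parse_hijackthis(HJT_SAMPLE)
    for key, servers in found["static_dns"]:
        print("static DNS on", key, "->", servers)
    for key, bad in found["known_bad_dns"]:
        print("  watchlisted resolver:", key, bad)
    for name, path in found["winlogon_notify"]:
        print("review Winlogon Notify package", name, "at", path)
    for names, line in correlate(HJT_SAMPLE, BLACKLIGHT_SAMPLE):
        print("hidden file", names, "is an autostart:", line)
```

Any O17 line on a home machine that gets its addresses by DHCP deserves a look, because a static NameServer on every interface is what turns an infection into silent redirection of all name lookups; the watchlist only tells you which of those you have seen before. The correlation step is the part worth keeping: a file the rootkit hides from the file system API but still registers as a Winlogon Notify package is visible precisely because the two tools look at the system from different sides.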
19.09.2006, 10:38
Honorary member
Sabina

Posts: 29434
#19 Antikörper

1.
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
and double-click to start it. Into "Enter search strings" (type or paste)

lannui
idersrvc


in the edit box and click "Ok".
Notepad will open -- copy the text and post it.

--------------------------------------------------

2.
avenger
http://virus-protect.org/artikel/tools/avenger.html

Quote

registry keys to delete:
HKEY_CURRENT_USER\Software\KillAndClean
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lannui
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ideusr50

Files to delete:
C:\w.exe
C:\WINDOWS\SYSTEM32\ideusr50.dll
C:\WINDOWS\System32\csagq.exe
C:\WINDOWS\System32\csr.exe
C:\WINDOWS\system32\bvfkx.exe
C:\WINDOWS\system32\dmtsh.exe
C:\WINDOWS\System32\ps.a3d
C:\WINDOWS\System32\ksl48.bin
C:\WINDOWS\System32\tick48.bin
C:\WINDOWS\System32\idersrvc.sys
c:\WINDOWS\system32\stt82.ini
c:\WINDOWS\system32\lanmui.dll
c:\WINDOWS\system32\lannui.sys
c:\WINDOWS\system32\qz.dll
c:\WINDOWS\system32\qz.sys
C:\WINDOWS\gfo.exe
C:\WINDOWS\4kj.exe
C:\Dokumente und Einstellungen\Sony\Anwendungsdaten\kc.tmp
C:\Dokumente und Einstellungen\Sony\Anwendungsdaten\wo.tmp
C:\WINDOWS\System32\{08BEC50F-E26E-400F-B19F-450806E3F72C}.exe
C:\WINDOWS\System32\{3C8D887A-C23A-40CD-AC21-D9E3D7CD6603}.exe
C:\WINDOWS\System32\{C49E53C6-04F6-4071-9EFF-4BEA7654E65C}.exe
C:\WINDOWS\System32\{5DDFD678-2EE4-4CDB-9448-626498A46A54}.exe
C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\oih2.tmp
C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\321171.exe
C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\IVIApp.tmp
C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\bl4ck.com
C:\Dokumente und Einstellungen\Sony\Favoriten\Download Free Spyware Remover.url
C:\Dokumente und Einstellungen\Sony\Favoriten\NEW VIAGRA at Half Price!.url
C:\Dokumente und Einstellungen\Sony\Favoriten\Online Chat With Nude Girls.url
C:\Dokumente und Einstellungen\Sony\Favoriten\Order CIALIS online without leaving home..url
C:\Dokumente und Einstellungen\Sony\Favoriten\PC protection in under 2 minutes!.url
C:\Dokumente und Einstellungen\Sony\Favoriten\SEX Dating - Real Girls For Real SEX.url
C:\Dokumente und Einstellungen\Sony\Favoriten\Stop PopUps On Your Computer.url
C:\Dokumente und Einstellungen\Sony\Favoriten\VIAGRA at incredible low price. Bonus Pills!.url
C:\Dokumente und Einstellungen\Sony\Favoriten\View ADULT photos of REAL GIRLS!.url

Folders to delete:
C:\Dokumente und Einstellungen\All Users\Favoriten\Online Pharmacy
C:\Dokumente und Einstellungen\All Users\Favoriten\Spyware Uninstall
C:\Dokumente und Einstellungen\All Users\Favoriten\Sex and Dating
C:\Programme\KillAndClean
Click the green traffic light
the script will now be executed, then the PC restarts automatically

**
post the avenger log that appears after the restart!

3.
open HijackThis -- "scan" button -- tick the malware entries -- "Fix checked" button -- restart the PC

Quote

O4 - HKLM\..\Run: [bvfkx.exe] C:\WINDOWS\system32\bvfkx.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{1FC303FB-2EF4-4049-ACA1-94CC22121B62}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{999619A7-6761-483B-80FF-AE073108D12E}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C46ABE3-A8D4-40D2-A721-86F1B660CC26}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0FA5A43-72E6-4F5E-90B8-97293BCA039C}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{F15974B6-3775-43D9-8C30-49F4EAE6B568}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE1A9407-F9FB-455D-A5B1-B4F593C5E8C1}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FC303FB-2EF4-4049-ACA1-94CC22121B62}: NameServer = 85.255.115.34,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.34 85.255.112.63

O20 - Winlogon Notify: ideusr50 - C:\WINDOWS\SYSTEM32\ideusr50.dll
O20 - Winlogon Notify: lanmui - C:\WINDOWS\SYSTEM32\lanmui.dll
Restart the PC

4.
create a new internet connection

Under Network / Internet Protocol properties, "obtain IP and DNS automatically" must then also be ticked

1. Click Start > Control Panel
2. Double-click Network Connections.

must go !!! ->85.255.115.34 85.255.112.63

---------------------------------------------------------------------------

5.
scan and post the scan report + the new HijackThis log
http://virus-protect.org/cureit.html
__________
Kind regards, Sabina

all about PC security
19.09.2006, 14:45
...new here

Posts: 4
#20 Hello Sabina!

Many thanks for now:

------------------------------------------------------

1. Regsearch Report:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 19.09.2006 11:25:41 for strings:
; 'lannui'
; 'idersrvc'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\lannui.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\lannui.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDERSRVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDERSRVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDERSRVC\0000]
"Service"="idersrvc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDERSRVC\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDERSRVC\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDERSRVC\0000\Control]
"ActiveService"="idersrvc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LANNUI]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LANNUI\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LANNUI\0000]
"Service"="lannui"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LANNUI\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LANNUI\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LANNUI\0000\Control]
"ActiveService"="lannui"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\idersrvc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\idersrvc]
; Contents of value:
; \??\c:\windows\system32\idersrvc.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,69,64,65,72,73,72,76,63,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\idersrvc\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\idersrvc\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\idersrvc\Enum]
"0"="Root\\LEGACY_IDERSRVC\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmui]
; Contents of value:
; \??\c:\windows\system32\lannui.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,6c,61,6e,6e,75,69,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lannui]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lannui]
; Contents of value:
; \??\c:\windows\system32\lannui.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,6c,61,6e,6e,75,69,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lannui\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lannui\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lannui\Enum]
"0"="Root\\LEGACY_LANNUI\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\lannui.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\lannui.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IDERSRVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IDERSRVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IDERSRVC\0000]
"Service"="idersrvc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IDERSRVC\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_LANNUI]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_LANNUI\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_LANNUI\0000]
"Service"="lannui"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_LANNUI\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\idersrvc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\idersrvc]
; Contents of value:
; \??\c:\windows\system32\idersrvc.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,69,64,65,72,73,72,76,63,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\idersrvc\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmui]
; Contents of value:
; \??\c:\windows\system32\lannui.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,6c,61,6e,6e,75,69,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lannui]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lannui]
; Contents of value:
; \??\c:\windows\system32\lannui.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,6c,61,6e,6e,75,69,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lannui\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lannui.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lannui.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDERSRVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDERSRVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDERSRVC\0000]
"Service"="idersrvc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDERSRVC\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDERSRVC\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDERSRVC\0000\Control]
"ActiveService"="idersrvc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANNUI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANNUI\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANNUI\0000]
"Service"="lannui"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANNUI\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANNUI\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANNUI\0000\Control]
"ActiveService"="lannui"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idersrvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idersrvc]
; Contents of value:
; \??\c:\windows\system32\idersrvc.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,69,64,65,72,73,72,76,63,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idersrvc\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idersrvc\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idersrvc\Enum]
"0"="Root\\LEGACY_IDERSRVC\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmui]
; Contents of value:
; \??\c:\windows\system32\lannui.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,6c,61,6e,6e,75,69,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lannui]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lannui]
; Contents of value:
; \??\c:\windows\system32\lannui.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,6c,61,6e,6e,75,69,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lannui\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lannui\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lannui\Enum]
"0"="Root\\LEGACY_LANNUI\\0000"

; End Of The Log...

-------------------------------------------------

2. avenger report:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\Software\KillAndClean


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mehyujar

*******************

Script file located at: \??\C:\Program Files\oelclteu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\w.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\ideusr50.dll deleted successfully.
File C:\WINDOWS\System32\csagq.exe deleted successfully.


File C:\WINDOWS\System32\csr.exe not found!
Deletion of file C:\WINDOWS\System32\csr.exe failed!

Could not process line:
C:\WINDOWS\System32\csr.exe
Status: 0xc0000034



File C:\WINDOWS\system32\bvfkx.exe not found!
Deletion of file C:\WINDOWS\system32\bvfkx.exe failed!

Could not process line:
C:\WINDOWS\system32\bvfkx.exe
Status: 0xc0000034

File C:\WINDOWS\system32\dmtsh.exe deleted successfully.
File C:\WINDOWS\System32\ps.a3d deleted successfully.
File C:\WINDOWS\System32\ksl48.bin deleted successfully.
File C:\WINDOWS\System32\tick48.bin deleted successfully.
File C:\WINDOWS\System32\idersrvc.sys deleted successfully.


File c:\WINDOWS\system32\stt82.ini not found!
Deletion of file c:\WINDOWS\system32\stt82.ini failed!

Could not process line:
c:\WINDOWS\system32\stt82.ini
Status: 0xc0000034



File c:\WINDOWS\system32\lanmui.dll not found!
Deletion of file c:\WINDOWS\system32\lanmui.dll failed!

Could not process line:
c:\WINDOWS\system32\lanmui.dll
Status: 0xc0000034



File c:\WINDOWS\system32\lannui.sys not found!
Deletion of file c:\WINDOWS\system32\lannui.sys failed!

Could not process line:
c:\WINDOWS\system32\lannui.sys
Status: 0xc0000034



File c:\WINDOWS\system32\qz.dll not found!
Deletion of file c:\WINDOWS\system32\qz.dll failed!

Could not process line:
c:\WINDOWS\system32\qz.dll
Status: 0xc0000034



File c:\WINDOWS\system32\qz.sys not found!
Deletion of file c:\WINDOWS\system32\qz.sys failed!

Could not process line:
c:\WINDOWS\system32\qz.sys
Status: 0xc0000034

File C:\WINDOWS\gfo.exe deleted successfully.
File C:\WINDOWS\4kj.exe deleted successfully.
File C:\Dokumente und Einstellungen\Sony\Anwendungsdaten\kc.tmp deleted successfully.


File C:\Dokumente und Einstellungen\Sony\Anwendungsdaten\wo.tmp not found!
Deletion of file C:\Dokumente und Einstellungen\Sony\Anwendungsdaten\wo.tmp failed!

Could not process line:
C:\Dokumente und Einstellungen\Sony\Anwendungsdaten\wo.tmp
Status: 0xc0000034

File C:\WINDOWS\System32\{08BEC50F-E26E-400F-B19F-450806E3F72C}.exe deleted successfully.
File C:\WINDOWS\System32\{3C8D887A-C23A-40CD-AC21-D9E3D7CD6603}.exe deleted successfully.
File C:\WINDOWS\System32\{C49E53C6-04F6-4071-9EFF-4BEA7654E65C}.exe deleted successfully.
File C:\WINDOWS\System32\{5DDFD678-2EE4-4CDB-9448-626498A46A54}.exe deleted successfully.


File C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\oih2.tmp not found!
Deletion of file C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\oih2.tmp failed!

Could not process line:
C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\oih2.tmp
Status: 0xc0000034



File C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\321171.exe not found!
Deletion of file C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\321171.exe failed!

Could not process line:
C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\321171.exe
Status: 0xc0000034



File C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\IVIApp.tmp not found!
Deletion of file C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\IVIApp.tmp failed!

Could not process line:
C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\IVIApp.tmp
Status: 0xc0000034



File C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\bl4ck.com not found!
Deletion of file C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\bl4ck.com failed!

Could not process line:
C:\Dokumente und Einstellungen\Sony\Lokale Einstellungen\Temp\bl4ck.com
Status: 0xc0000034

File C:\Dokumente und Einstellungen\Sony\Favoriten\Download Free Spyware Remover.url deleted successfully.
File C:\Dokumente und Einstellungen\Sony\Favoriten\NEW VIAGRA at Half Price!.url deleted successfully.
File C:\Dokumente und Einstellungen\Sony\Favoriten\Online Chat With Nude Girls.url deleted successfully.
File C:\Dokumente und Einstellungen\Sony\Favoriten\Order CIALIS online without leaving home..url deleted successfully.
File C:\Dokumente und Einstellungen\Sony\Favoriten\PC protection in under 2 minutes!.url deleted successfully.
File C:\Dokumente und Einstellungen\Sony\Favoriten\SEX Dating - Real Girls For Real SEX.url deleted successfully.
File C:\Dokumente und Einstellungen\Sony\Favoriten\Stop PopUps On Your Computer.url deleted successfully.


File C:\Dokumente und Einstellungen\Sony\Favoriten\VIAGRA at incredible low price. Bonus Pills!.url not found!
Deletion of file C:\Dokumente und Einstellungen\Sony\Favoriten\VIAGRA at incredible low price. Bonus Pills!.url failed!

Could not process line:
C:\Dokumente und Einstellungen\Sony\Favoriten\VIAGRA at incredible low price. Bonus Pills!.url
Status: 0xc0000034

File C:\Dokumente und Einstellungen\Sony\Favoriten\View ADULT photos of REAL GIRLS!.url deleted successfully.
Folder C:\Dokumente und Einstellungen\All Users\Favoriten\Online Pharmacy deleted successfully.
Folder C:\Dokumente und Einstellungen\All Users\Favoriten\Spyware Uninstall deleted successfully.
Folder C:\Dokumente und Einstellungen\All Users\Favoriten\Sex and Dating deleted successfully.


Folder C:\Programme\KillAndClean not found!
Deletion of folder C:\Programme\KillAndClean failed!

Could not process line:
C:\Programme\KillAndClean
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lannui not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lannui failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ideusr50 deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

-----------------------------------------------------------

3. Done, although the O20 entries were no longer found after the renaming by Blacklight for:

ideusr50.dll
lanmui.dll

-------------------------------------------------------------

4. It's not quite that simple.

My topology is:
(1) Splitter ADSL2-ISDN 18M+ with the two IPs (keep alive)
(2) <-> ADSL modem
(3) <-> WLAN switch/router, class C IP (192.168.x.x), DHCP server
[Strangely, I currently can't reach the admin platform with the browser.
Ping works, only the browser reports 404.]
(4) <-> Infected laptop (WLAN), class C IP

I know a proxy belongs in between, but I have no money for that at the moment!
Normally the laptop should only need to know the IP of the switch. Right?!
-------------------------------------------------------------

5.
a) CureIt reports:

Object UPnPFramework.exe
Path: c:\programme\sony\Vaio Medio Integrated Server\Platform
Status: possibly Backdoor.Trojan

That the Sony has a backdoor is already known to me.

b) The new HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 14:39:39, on 19.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton Internet Security\ISSVC.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Programme\Apoint\Apoint.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Sony\VAIO Power Management\SPMgr.exe
C:\Programme\Sony\ISB Utility\ISBMgr.exe
C:\Programme\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Programme\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\T-Mobile\Communication Center\AutoUpdateSrv.exe
C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Apoint\Apntex.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programme\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe
C:\Programme\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Programme\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Sony\Desktop\HijackThis.exe
C:\Programme\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kedtec.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Programme\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Programme\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Programme\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Programme\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PDService.exe] C:\Programme\Utimaco\SafeGuard PrivateDisk\pdservice.exe
O4 - HKLM\..\Run: [ScheduleSync.Siemens.SmartSync.5.2.exe] C:\Programme\Mobile Phone Manager\SmartSync\ScheduleSync.exe
O4 - HKLM\..\Run: [PrepareYourVAIO] C:\Programme\sony\Prepare your VAIO\PYVAlert.exe
O4 - HKLM\..\Run: [Connect Update Agent] "C:\Programme\T-Mobile\Communication Center\AutoUpdateSrv.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Audio Filter.lnk = C:\Programme\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
O4 - Global Startup: F-Secure 2006.lnk = C:\Programme\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: myPrintMileage.lnk = C:\Programme\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Programme\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Programme\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/de/
O18 - Protocol: t-mobile - {C6D89159-3467-4C2F-9918-3362DA57BCD2} - C:\PROGRA~1\T-Mobile\HOTSPO~1\TMOBIL~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: MySql - Unknown owner - C:/wampp2/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Programme\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Programme\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Programme\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Programme\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

Regards
Antikörper
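The RegSearch export above lists the driver services (idersrvc, lannui, and a lanmui key that also points at lannui.sys), their Enum\Root\LEGACY_* entries and the SafeBoot\Minimal and SafeBoot\Network entries that would load lannui.sys even in Safe Mode, while the Avenger log records which image files were deleted or were already missing. The Python below is an added example, not a tool from this thread: it decodes the hex(2) ImagePath values (REG_EXPAND_SZ, stored as ANSI bytes in REGEDIT4 format), cross-checks them against the Avenger file results and collapses every key that still refers to a service whose file is gone into a deletion list. The two embedded excerpts are constructed from the posted logs and trimmed; the Ati2evxx entry is a constructed control case that the RegSearch output did not contain, and the SYSTEMROOT value is an assumption.

```python
"""Orphaned-service finder: decode a RegSearch (REGEDIT4) export and cross-check
it against an Avenger file-deletion log.  Added example, not from the thread.
"""
import re

# Constructed excerpt of the RegSearch export posted above (trimmed).  The
# Ati2evxx key is a constructed control entry that was not in the real export.
REGSEARCH_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\lannui.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDERSRVC\0000]
"Service"="idersrvc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LANNUI\0000\Control]
"ActiveService"="lannui"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\idersrvc]
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,69,64,65,72,73,72,76,63,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmui]
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,6c,61,6e,6e,75,69,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lannui\Enum]
"0"="Root\\LEGACY_LANNUI\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lannui]
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,6c,61,6e,6e,75,69,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ati2evxx]
"ImagePath"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,\
41,74,69,32,65,76,78,78,2e,65,78,65,00
"""

# Constructed excerpt of the first Avenger log posted above (trimmed).
AVENGER_LOG = r"""Beginning to process script file:

File C:\WINDOWS\System32\idersrvc.sys deleted successfully.

File c:\WINDOWS\system32\lannui.sys not found!
Deletion of file c:\WINDOWS\system32\lannui.sys failed!
Status: 0xc0000034
"""

SYSTEMROOT = r"C:\WINDOWS"   # assumed; matches the paths in the posted logs


def _join_continuations(text):
    """REGEDIT4 wraps long hex values with a trailing backslash; rejoin them."""
    lines, buf = [], None
    for raw in text.splitlines():
        piece = raw.lstrip() if buf is not None else raw
        if piece.endswith("\\"):
            buf = (buf or "") + piece[:-1]
        else:
            lines.append((buf or "") + piece)
            buf = None
    return lines


def decode_hex2(value):
    """Decode a REGEDIT4 hex(2) value (REG_EXPAND_SZ as ANSI bytes) to str."""
    raw = bytes(int(b, 16) for b in value.split(":", 1)[1].split(",") if b.strip())
    return raw.decode("cp1252").rstrip("\x00")


def parse_regsearch(text):
    """Return {key_path: {value_name: decoded_value}} for every key listed."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:
            name, val = line[1:].split('"=', 1)
            if val.startswith("hex(2):"):
                val = decode_hex2(val)
            elif val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace("\\\\", "\\")
            keys[current][name] = val
    return keys


_AVENGER_FILE = re.compile(r"^File (?P<path>.+?) (?P<status>deleted successfully|not found)[.!]$")


def parse_avenger_files(text):
    """Map lower-cased file paths to 'deleted' or 'not found'."""
    result = {}
    for line in text.splitlines():
        m = _AVENGER_FILE.match(line.strip())
        if m:
            result[m.group("path").lower()] = (
                "deleted" if m.group("status").startswith("deleted") else "not found")
    return result


def image_file(image_path):
    """Normalise an ImagePath to a lower-cased Win32 path: strips the NT \\??\\
    prefix, expands \\SystemRoot\\ and the bare system32\\... form drivers use."""
    p = image_path
    if p.startswith("\\??\\"):
        p = p[4:]
    elif p.lower().startswith("\\systemroot\\"):
        p = SYSTEMROOT + p[len("\\SystemRoot"):]
    elif not re.match(r"^[A-Za-z]:\\", p):
        p = SYSTEMROOT + "\\" + p
    return p.lower()


_SERVICE_KEY = re.compile(r"\\Services\\(?P<name>[^\\]+)$", re.IGNORECASE)


def orphaned_services(reg, gone_files):
    """{service_name: ImagePath} for services whose file is deleted or missing."""
    found = {}
    for key, values in reg.items():
        m = _SERVICE_KEY.search(key)
        if m and "ImagePath" in values:
            if gone_files.get(image_file(values["ImagePath"])) in ("deleted", "not found"):
                found[m.group("name").lower()] = values["ImagePath"]
    return found


# A key belongs to a service if it is the Services\<name> key, the PnP
# Enum\Root\LEGACY_<NAME> entry, or a SafeBoot\{Minimal,Network}\<name>.sys entry.
_ANCHOR_RE = re.compile(r"\\Services\\(?P<n1>[^\\]+)"
                        r"|\\Enum\\Root\\LEGACY_(?P<n2>[^\\]+)"
                        r"|\\SafeBoot\\(?:Minimal|Network)\\(?P<n3>[^\\]+)\.sys",
                        re.IGNORECASE)


def leftover_keys(reg, orphans):
    """Sorted top-level keys still referencing an orphaned service; subkeys
    collapse onto their parent so the result is directly usable as a deletion list."""
    out = set()
    for key in reg:
        m = _ANCHOR_RE.search(key)
        if m and (m.group("n1") or m.group("n2") or m.group("n3")).lower() in orphans:
            out.add(key[:m.end()])
    return sorted(out)


if __name__ == "__main__":
    reg = parse_regsearch(REGSEARCH_EXPORT)
    gone = parse_avenger_files(AVENGER_LOG)
    orphans = orphaned_services(reg, gone)
    for name, img in sorted(orphans.items()):
        print(f"orphaned service {name}: {img} ({gone[image_file(img)]})")
    print("registry keys to delete:")
    for key in leftover_keys(reg, orphans):
        print(" ", key)
```

Because the lanmui key's ImagePath points at the same lannui.sys, the deletion list contains both lanmui and lannui along with the LEGACY_* and SafeBoot entries; the benign Ati2evxx service, whose file was never touched, is not flagged.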
20.09.2006, 12:35
Honorary member
Avatar Sabina

Posts: 29434
#21 Antikörper

Avenger

Quote

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\lannui.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\lannui.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\lannui.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\lannui.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lannui.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lannui.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDERSRVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IDERSRVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDERSRVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LANNUI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_LANNUI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANNUI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\idersrvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\idersrvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idersrvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmui
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmui
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmui
post the report

**
scan with Panda (Online) and post the report
http://virus-protect.org/onlinescan.html
__________
Kind regards, Sabina

all about PC security
20.09.2006, 13:01
...new here

Posts: 4
#22 Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rjmflqgt

*******************

Script file located at: \??\C:\jrxocqpi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\lannui.sys deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\lannui.sys deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\lannui.sys deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\lannui.sys deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lannui.sys not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lannui.sys failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lannui.sys
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lannui.sys not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lannui.sys failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lannui.sys
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IDERSRVC deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IDERSRVC deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDERSRVC not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDERSRVC failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IDERSRVC
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LANNUI deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_LANNUI deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANNUI not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANNUI failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANNUI
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\idersrvc deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\idersrvc deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idersrvc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idersrvc failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idersrvc
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmui deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmui deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmui not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmui failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmui
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
------------------------------------------------------------

Nothing! - Panda OnlineScan is not working!
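Every entry that "failed" in the Avenger run above is a CurrentControlSet path, and each has a ControlSet001 or ControlSet003 twin that was deleted successfully a few lines earlier. HKLM\SYSTEM\CurrentControlSet is a symbolic link to one of the ControlSet00N keys (the one named by the Current value under HKLM\SYSTEM\Select), so once a key has been removed through its ControlSet00N path the CurrentControlSet path no longer exists and Avenger reports NTSTATUS 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND). The Python below is an added example, not anything posted in the thread: it parses such a log, resolves the alias and separates the expected "already gone" failures from ones that would need a second look. It assumes Current = 1 (the Select key is not shown in the thread); the log excerpt is constructed from the posted log and trimmed, and the final lannui entry is a constructed negative case that the posted log does not contain.

```python
r"""Triage an Avenger registry-deletion log: which "not found" failures are
expected because the key was already removed through its ControlSet00N twin,
and which are genuine leftovers.  Added example, not from the thread.
"""
import re

# HKLM\SYSTEM\CurrentControlSet is a symbolic link to ControlSet00N, with N
# taken from the Current value of HKLM\SYSTEM\Select.  Assumed to be 1 here;
# the thread does not show the Select key.
CURRENT_CONTROL_SET = 1

STATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

# Constructed excerpt of the second Avenger log posted above (trimmed).
AVENGER_LOG = r"""Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\lannui.sys deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\lannui.sys deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lannui.sys not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lannui.sys failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lannui.sys
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\idersrvc deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\idersrvc deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idersrvc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idersrvc failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idersrvc
Status: 0xc0000034

Completed script processing.
"""

# Constructed negative case (not in the posted log): a CurrentControlSet key
# reported missing although no ControlSet00N twin was deleted in the same run.
EXTRA = r"""
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lannui not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lannui failed!
Status: 0xc0000034
"""

_RESULT = re.compile(r"^Registry key (?P<key>.+?) (?P<outcome>deleted successfully|not found)[.!]$")
_STATUS = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")


def parse_avenger_registry(log):
    """Return [(key, outcome, ntstatus_or_None)] in log order; the Status line
    that follows a failure is attached to that failure."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = _RESULT.match(line)
        if m:
            outcome = "deleted" if m.group("outcome").startswith("deleted") else "not found"
            entries.append([m.group("key"), outcome, None])
            continue
        s = _STATUS.match(line)
        if s and entries and entries[-1][1] == "not found":
            entries[-1][2] = int(s.group(1), 16)
    return [tuple(e) for e in entries]


def resolve_alias(key, current=CURRENT_CONTROL_SET):
    """Rewrite a CurrentControlSet path to the ControlSet00N key it links to."""
    return re.sub(r"\\CurrentControlSet\\", lambda _: f"\\ControlSet{current:03d}\\",
                  key, flags=re.IGNORECASE)


def triage(log, current=CURRENT_CONTROL_SET):
    """Sort every result into deleted / already gone via the alias / needs a look."""
    entries = parse_avenger_registry(log)
    deleted = {k.lower() for k, o, _ in entries if o == "deleted"}
    report = {"deleted": [], "already_gone_via_alias": [], "needs_a_look": []}
    for key, outcome, status in entries:
        if outcome == "deleted":
            report["deleted"].append(key)
        elif resolve_alias(key, current).lower() in deleted:
            report["already_gone_via_alias"].append(key)
        else:
            name = STATUS_NAMES.get(status, hex(status) if status is not None else "no status")
            report["needs_a_look"].append((key, name))
    return report


if __name__ == "__main__":
    for bucket, items in triage(AVENGER_LOG + EXTRA).items():
        print(bucket)
        for item in items:
            print("  ", item)
```

On the posted log alone the "needs a look" bucket is empty; the run did what the script asked, and the six failures are just the symbolic-link view of keys that were already gone.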
20.09.2006, 14:44
Honorary member
Avatar Sabina

Posts: 29434
#23 Scan with Sophos and with Trend Micro and post the scan reports
http://virus-protect.org/multiavtool.html