Home » Viren, Trojaner & Malware Forum » Wie spyware quake 2.3 entfernen » Themenansicht

Wie spyware quake 2.3 entfernen

Thema ist geschlossen!
Thema ist geschlossen!
#0
17.08.2006, 09:59
Karel
...neu hier

Beiträge: 6
#1 Habe folgende Schritten gemacht. Wie weiter? Vielen vielen Dank!!!

1. Hijackthis logfile
Logfile of HijackThis v1.99.1
Scan saved at 09:15:34, on 17.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IntCodec\isamonitor.exe
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\IntCodec\pmmon.exe
C:\Program Files\IntCodec\isamini.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\SpyQuake2.com\Spy-Quake2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpyQuake2.com\Spy-Quake2.exe
C:\Program Files\OpenOffice.org1.1.2\program\soffice.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\CleanUp!\cleanup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alexandra Bojcic\My Documents\KarelTRY\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.altavista.yellowpages.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telstra Big Pond Home Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SpyQuake2.com] C:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.2.lnk = C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155736424369
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\System32\viruxz.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe




2. CleanUp eingestellt, laufen lassen, computer neugestartet
3. Combofix

Start Time= 17.08.2006 9:49:02.24
Running from: C:\Documents and Settings\Alexandra Bojcic\My Documents\KarelTRY

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-17 08:33:58 ( .D... ) "C:\Program Files\CleanUp!"
2006-08-17 07:59:10 ( .D... ) "C:\Program Files\Enigma Software Group"
2006-08-16 18:58:18 ( .D... ) "C:\Program Files\Windows Defender"
2006-08-16 17:28:44 47564 ( A.SHR ) "C:\NTDETECT.COM"
2006-08-16 14:49:40 ( .D... ) "C:\Program Files\SpyQuake2.com"
2006-08-16 14:49:26 176128 ( A.... ) "C:\WINDOWS\system32\viruxz.dll"
2006-08-16 14:49:16 ( .D... ) "C:\Program Files\IntCodec"
2006-07-27 15:24:46 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-07-21 10:24:44 72704 ( A.... ) "C:\WINDOWS\system32\hlink.dll"
2006-07-14 17:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-13 15:33:28 8453632 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-07-05 12:55:02 984064 ( A.... ) "C:\WINDOWS\system32\kernel32.dll"
2006-06-26 19:37:10 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-06-26 19:37:10 8192 ( A.... ) "C:\WINDOWS\system32\rasadhlp.dll"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-18 17:22:16 25496 ( A.... ) "C:\Documents and Settings\Alexandra Bojcic\Application Data\GDIPFONTCACHEV1.DAT"
2006-05-19 14:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 14:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-17 09:40 127'208 C:\WINDOWS\system32\mucltui.dll
2006-08-16 16:21 1'082'368 C:\WINDOWS\system32\esent.dll
2006-08-16 15:47 384'000 C:\WINDOWS\system32\ipsmsnap.dll
2006-08-16 15:47 349'696 C:\WINDOWS\system32\ipsecsnp.dll
2006-08-16 15:47 32'768 C:\WINDOWS\system32\winipsec.dll
2006-08-16 15:47 266'752 C:\WINDOWS\system32\oakley.dll
2006-08-16 15:47 182'784 C:\WINDOWS\system32\ipsecsvc.dll
2006-08-16 15:47 105'472 C:\WINDOWS\system32\polstore.dll
2006-08-16 15:41 266'915'840 C:\hiberfil.sys
2006-08-16 14:49 176'128 C:\WINDOWS\system32\viruxz.dll
2006-07-14 17:53 332'288 C:\WINDOWS\system32\netapi32.dll
2006-07-13 15:46 8'453'632 C:\WINDOWS\system32\shell32.dll
2006-07-13 10:50 2'897'920 C:\WINDOWS\system32\xpsp2res.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Mouse Suite 98 Daemon"="ICO.EXE"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"Nokia Tray Application"="C:\\Program Files\\Common Files\\Nokia\\NCLTools\\NclTray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl04a\\BrStDvPt.exe"
"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"SpyQuake2.com"="C:\\Program Files\\SpyQuake2.com\\Spy-Quake2.exe /h"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SpyHunter"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"homepage.monitor.exe"="C:\\Program Files\\IntCodec\\isamonitor.exe"
"pmsngr.exe"="C:\\Program Files\\IntCodec\\pmsngr.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 17.08.2006 9:49:24.20
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt


4. Logfiles from datfind.bat

Volume in drive C has no label.
Volume Seri*hier nicht!* Number is 54A5-8EF0

Directory of C:\WINDOWS\system32

17.08.2006 09:38 312'172 perfh009.dat
17.08.2006 09:38 40'394 perfc009.dat
17.08.2006 09:38 355'944 PerfStringBackup.INI
17.08.2006 09:36 1'158 wpa.dbl
16.08.2006 18:51 251 spupdwxp.log
16.08.2006 18:50 139'648 FNTCACHE.DAT
16.08.2006 14:49 176'128 viruxz.dll
09.08.2006 12:03 8'325'544 MRT.exe
28.07.2006 13:28 3'054'080 mshtml.dll
27.07.2006 15:24 679'424 inetcomm.dll
25.07.2006 22:33 613'888 urlmon.dll
21.07.2006 10:24 72'704 hlink.dll
14.07.2006 17:31 332'288 netapi32.dll
14.07.2006 17:25 546'304 hhctrl.ocx
13.07.2006 15:33 8'453'632 shell32.dll
05.07.2006 12:55 984'064 kernel32.dll
26.06.2006 19:37 148'480 dnsapi.dll
26.06.2006 19:37 8'192 rasadhlp.dll
23.06.2006 13:02 658'944 wininet.dll
23.06.2006 13:02 1'494'016 shdocvw.dll
23.06.2006 13:02 146'432 msrating.dll
23.06.2006 13:02 474'112 shlwapi.dll
23.06.2006 13:02 39'424 pngfilt.dll
23.06.2006 13:02 532'480 mstime.dll
23.06.2006 13:02 448'512 mshtmled.dll
23.06.2006 13:02 55'808 extmgr.dll
23.06.2006 13:02 205'312 dxtrans.dll
23.06.2006 13:02 1'054'208 danim.dll
23.06.2006 13:02 251'392 iepeers.dll
23.06.2006 13:02 96'256 inseng.dll
23.06.2006 13:02 16'384 jsproxy.dll
23.06.2006 13:02 357'888 dxtmsft.dll
23.06.2006 13:02 151'040 cdfview.dll
23.06.2006 13:02 1'022'976 browseui.dll
23.06.2006 10:34 24'576 xpsp3res.dll
22.06.2006 12:47 181'248 rasmans.dll
19.06.2006 16:20 702'768 WgaLogon.dll
19.06.2006 16:19 571'184 LegitCheckControl.dll
19.06.2006 16:19 304'944 WgaTray.exe
26.05.2006 22:19 163'840 JGDW400.DLL
19.05.2006 14:59 94'720 iphlpapi.dll
19.05.2006 14:59 111'616 dhcpcsvc.dll
18.05.2006 07:24 450'560 jscript.dll
24.04.2006 15:40 4'730'880 wmp.dll


Volume in drive C has no label.
Volume Seri*hier nicht!* Number is 54A5-8EF0

Directory of C:\WINDOWS

17.08.2006 09:49 212'695 setupact.log
17.08.2006 09:46 2'090'065 WindowsUpdate.log
17.08.2006 09:36 261 wiadebug.log
17.08.2006 09:36 0 0.log
17.08.2006 09:35 49 wiaservc.log
17.08.2006 09:35 2'048 bootstat.dat
17.08.2006 09:33 32'618 SchedLgU.Txt
17.08.2006 08:14 135'229 iis6.log
17.08.2006 08:14 207'020 comsetup.log
17.08.2006 08:14 126'923 ntdtcsetup.log
17.08.2006 08:14 344'220 tsoc.log
17.08.2006 08:14 1'374 imsins.log
17.08.2006 08:14 23'877 ocmsn.log
17.08.2006 08:14 17'146 KB920214.log
17.08.2006 08:14 461'504 ocgen.log
17.08.2006 08:14 44'165 msgsocm.log
17.08.2006 08:14 863'688 FaxSetup.log
17.08.2006 08:14 506'615 setupapi.log



Volume in drive C has no label.
Volume Seri*hier nicht!* Number is 54A5-8EF0

Directory of C:\DOCUME~1\ALEXAN~1\LOCALS~1\Temp



Volume in drive C has no label.
Volume Seri*hier nicht!* Number is 54A5-8EF0

Directory of C:\

17.08.2006 09:53 0 sys.txt
17.08.2006 09:53 11'609 system.txt
17.08.2006 09:53 124 systemtemp.txt
17.08.2006 09:53 97'682 system32.txt
17.08.2006 09:49 7'310 ComboFix.txt
17.08.2006 09:34 266'915'840 hiberfil.sys
17.08.2006 09:34 402'653'184 pagefile.sys
17.08.2006 08:49 11'658 windows1.txt
16.08.2006 17:41 211 boot.ini
16.08.2006 17:28 47'564 NTDETECT.COM
16.08.2006 17:28 250'032 ntldr
16.08.2006 15:04 6'042 avenger.txt
16.08.2006 15:00 443 remove.txt
01.07.2004 12:57 4'959'023 FirefoxSetup-0.9.1.exe
22.07.2003 12:39 0 COMLOG.txt
23.06.2003 11:11 628 TBPLOG.TXT
17.04.2003 23:32 0 IO.SYS
17.04.2003 23:32 0 MSDOS.SYS
17.04.2003 23:32 0 CONFIG.SYS
17.04.2003 23:32 0 AUTOEXEC.BAT
20 File(s) 674'961'350 bytes
0 Dir(s) 4'199'419'904 bytes free




Danke fuer die Hilfe!
Seitenanfang Seitenende
17.08.2006, 15:07
Sabina
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#2 Karel

Information:
http://virus-protect.org/artikel/spyware/intcodec_remove.html

0.
gehe in die Registry
Start - Ausfuehren - regedit

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}" -> loeschen


1.
spyfalcon.zip -> http://virus-protect.org/zip/spyfalcon.zip -> entpacken auf dem Desktop -> spyfalcon.reg ->doppeltklicken und der Registry mit "ja/yes" beifügen

2.
Avenger
http://virus-protect.org/artikel/tools/avenger.html

kopiere rein:

Zitat

Files to delete:

C:\WINDOWS\system32\viruxz.dll
C:\Program Files\IntCodec\isaddon.dll
C:\Program Files\IntCodec\isamini.exe
C:\Program Files\IntCodec\isamonitor.exe
C:\Program Files\IntCodec\iesplugin.dll
C:\Program Files\IntCodec\iesuninst.exe
C:\Program Files\IntCodec\isauninst.exe
C:\Program Files\IntCodec\pmmon.exe
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\pmuninst.exe
C:\Program Files\IntCodec\ts.ico
C:\Program Files\IntCodec\ot.ico
Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

3.
Smitfraud.fix anwenden - lasse auch die Registry mitreinigen (option 1 und 2)
http://virus-protect.org/artikel/tools/smitfrautfix.html

4.
loesche das backup vom Avenger unter c:\Avenger

5.
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben oder reinkopieren)

IntCodec

in edit und klicke "Ok".
Notepad wird sich oeffnen - poste den text
+
das neue Log vom HijackThis bitte posten
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
17.08.2006, 22:39
Karel
...neu hier

Themenstarter

Beiträge: 6
#3 Hi Sabine, habe die verschiedene Schritte gemacht. Unten finden Sie die Logfiles. Ich habe den Eindruck, dass das Problem geloest ist: koennen Sie das bestaetigen? Vielen Dank fuer die Hilfe!!
Gruss
Karel

**************************************************


SmitFraudFix v2.81

Scan done at 18:01:00.80, 17.08.2006
Run from C:\Documents and Settings\Alexandra Bojcic\My Documents\KarelTRY\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alexandra Bojcic\Application Data

C:\Documents and Settings\Alexandra Bojcic\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyQuake2.com 2.3.lnk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALEXAN~1\STARTM~1\SpyQuake2.com 2.3.lnk FOUND !
C:\DOCUME~1\ALEXAN~1\STARTM~1\Programs\SpyQuake2.com FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ALEXAN~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\IntCodec\ FOUND !
C:\Program Files\SpyQuake2.com\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


*******************************************************


SmitFraudFix v2.81

Scan done at 18:05:30.53, 17.08.2006
Run from C:\Documents and Settings\Alexandra Bojcic\My Documents\KarelTRY\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\System32\viruxz.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Documents and Settings\Alexandra Bojcic\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyQuake2.com 2.3.lnk Deleted
C:\DOCUME~1\ALEXAN~1\STARTM~1\SpyQuake2.com 2.3.lnk Deleted
C:\DOCUME~1\ALEXAN~1\STARTM~1\Programs\SpyQuake2.com Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\IntCodec\ Deleted
C:\Program Files\SpyQuake2.com\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

*******************************************************



REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 17.08.2006 22:32:40 for strings:
; 'intcodec
intcodec'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


**************************************************

Logfile of HijackThis v1.99.1
Scan saved at 22:34:39, on 17.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\OpenOffice.org1.1.2\program\soffice.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alexandra Bojcic\My Documents\KarelTRY\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telstra Big Pond Home Internet Explorer
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.2.lnk = C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155736424369
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

***************************************************
Seitenanfang Seitenende
17.08.2006, 22:41
Sabina
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#4 Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben oder reinkopieren)

IntCodec

in edit und klicke "Ok".
Notepad wird sich oeffnen - poste den text
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
17.08.2006, 22:46
Karel
...neu hier

Themenstarter

Beiträge: 6
#5 Logfile vom Registry Search:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 17.08.2006 22:44:13 for strings:
; 'intcodec'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...
Seitenanfang Seitenende
17.08.2006, 22:47
Sabina
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#6 mache einen Onlinescan mit panda und poste den report
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
18.08.2006, 00:18
Karel
...neu hier

Themenstarter

Beiträge: 6
#7 Hoi Sabine

Panda gibt das folgende Resultat (Siehe Anhang)
Gruss
Karel

Anhang: ActivescanPanda.txt
Seitenanfang Seitenende
18.08.2006, 00:23
Sabina
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#8 1.
leere den Papierkorb

2.
Avenger:

Zitat

Files to delete:

C:\WINDOWS\System32\MYDLL.dll
C:\Documents and Settings\Alexandra Bojcic\Local Settings\Temporary Internet Files\Content.IE5\5O4EUYHF\safetyhomepage[2].htm
C:\RECYCLER\S-1-5-21-2488099398-2712619165-4205801449-1005\Dc8\backup.zip

__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
18.08.2006, 00:33
Karel
...neu hier

Themenstarter

Beiträge: 6
#9 Hoi Sabina

log vom Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mtewkhqo

*******************

Script file located at: \??\C:\lokdumbn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\MYDLL.dll deleted successfully.
File C:\Documents and Settings\Alexandra Bojcic\Local Settings\Temporary Internet Files\Content.IE5\5O4EUYHF\safetyhomepage[2].htm deleted successfully.


Could not open file C:\RECYCLER\S-1-5-21-2488099398-2712619165-4205801449-1005\Dc8\backup.zip for deletion
Deletion of file C:\RECYCLER\S-1-5-21-2488099398-2712619165-4205801449-1005\Dc8\backup.zip failed!

Could not process line:
C:\RECYCLER\S-1-5-21-2488099398-2712619165-4205801449-1005\Dc8\backup.zip
Status: 0xc000003a


Completed script processing.

*******************

Finished! Terminate.
Seitenanfang Seitenende
18.08.2006, 13:52
Sabina
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#10 es muesste wieder alles in Ordnung sein ;)
kommen noch popups ?
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
18.08.2006, 16:26
Karel
...neu hier

Themenstarter

Beiträge: 6
#11 Hallo Sabina

nein, keine popups mehr. Wow, ich weiss gar nicht wie ich mich bedanken soll! Wuensche Ihnen ein ganz ganz tolles wochenende!!
Lieber Gruss
Karel
Seitenanfang Seitenende
Um auf dieses Thema zu ANTWORTEN
bitte erst » hier kostenlos registrieren!!

Folgende Themen könnten Dich auch interessieren:
Seite(n): 1