Scvhost.exe, probably a backdoor

02.09.2006, 23:27
Member

Posts: 17
#1 Popups keep appearing, but only when Internet Explorer is running.

Logfile of HijackThis v1.99.1
Scan saved at 5:26:00 PM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\scvhost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net/microsoft/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\ddcca.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net/microsoft/index.html
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146185967962
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe

Thanks a lot; by the way, it's a PC in America.
04.09.2006, 13:07
Honorary member
Sabina

Posts: 29434
#2 1.
post this log
http://virus-protect.org/artikel/tools/combofix.html

2.
configure CleanUp exactly as described here:
http://virus-protect.org/cleanup.html

3.
Copy these 4 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html

4.
ServiceFilter.zip
http://virus-protect.org/artikel/tools/ServiceFilter.zip

- unzip
- double-click the file ServiceFilter.vbs
- confirm the version number
- scan
- allow WordPad or Notepad to open
- copy POST_THIS.TXT

5.
Download Registry Search by Bobbi Flekman
http://www.bleepingcomputer.com/files/regsearch.php
and double-click to start it. Under "Enter search strings" paste:

Local Security Authority Subsystem Service

into the edit field and click "Ok".
Notepad will open -- copy the text and post it.
__________
Regards, Sabina

all about PC security
06.09.2006, 21:00
Member

Thread starter

Posts: 17
#3 POST_THIS:
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 2
Sep 6, 2006 2:44:50 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: IDriverT
Display Name: InstallDriver Table Manager
Start Mode: Manual
Start Name: LocalSystem
Description: Provides support for the Running Object Table for InstallShield ...
Service Type: Own Process
Path: "c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: lsass
Display Name: Local Security Authority Subsystem Service
Start Mode: Auto
Start Name: LocalSystem
Description: Microsoft Path Finder Service Displays Internet Routing ...
Service Type: Own Process
Path: "c:\windows\scvhost.exe"
State: Running
Process ID: 1536
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{b37d3a62-de60-43ca-83b4-7eb17076faef}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: WinDefend
Display Name: Windows Defender Service
Start Mode: Auto
Start Name: LocalSystem
Description: Helps protect users from malicious software, spyware, and other potentially unwanted ...
Service Type: Own Process
Path: "c:\program files\windows defender\msmpeng.exe"
State: Running
Process ID: 756
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 85 Win32 services on this machine.
4 were unrecognized.

Script Execution Time: 8.410156 seconds.

COMBOFIX
JamesBond - 06-09-06 14:34:22.59
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\JamesBond\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-06 to 2006-09-06 ))))))))))))))))))))))))))))))))))


2006-08-30 01:18 13,844 --a------ C:\WINDOWS\system32\sbdrgrvv.exe
2006-08-29 17:33 13,844 --a------ C:\WINDOWS\system32\wovwhwxs.exe
2006-08-28 21:43 13,844 --a------ C:\WINDOWS\system32\dgpsgvlt.exe
2006-08-28 19:55 13,844 --a------ C:\WINDOWS\system32\nyuhabbd.exe
2006-08-28 12:27 13,844 --a------ C:\WINDOWS\system32\mwlpcrfg.exe
2006-08-28 04:48 13,844 --a------ C:\WINDOWS\system32\mrhceeau.exe
2006-08-27 22:23 13,844 --a------ C:\WINDOWS\system32\lgtlsdxf.exe
2006-08-27 10:35 13,844 --a------ C:\WINDOWS\system32\piwrlovy.exe
2006-08-25 15:23 13,844 --a------ C:\WINDOWS\system32\ixuavffb.exe
2006-08-24 22:42 13,844 --a------ C:\WINDOWS\system32\ollqdugb.exe
2006-08-24 15:36 13,844 --a------ C:\WINDOWS\system32\balcjoog.exe
2006-08-24 06:06 13,844 --a------ C:\WINDOWS\system32\uioahkde.exe
2006-08-23 23:04 13,844 --a------ C:\WINDOWS\system32\ujsgspym.exe
2006-08-23 12:34 13,844 --a------ C:\WINDOWS\system32\skraorsl.exe
2006-08-22 12:57 13,844 --a------ C:\WINDOWS\system32\siryenmq.exe
2006-08-21 17:30 13,844 --a------ C:\WINDOWS\system32\fpeymbjp.exe
2006-08-21 14:54 13,844 --a------ C:\WINDOWS\system32\vcrwprlx.exe
2006-08-17 14:37 13,844 --a------ C:\WINDOWS\system32\jdjgcitd.exe
2006-08-16 21:17 12,820 --a------ C:\WINDOWS\system32\iphgapbn.exe
2006-08-16 21:17 12,308 --a------ C:\WINDOWS\system32\vdbkifuu.exe
2006-08-16 21:17 12,308 --a------ C:\WINDOWS\system32\etgdhior.exe
2006-08-16 12:50 12,308 --a------ C:\WINDOWS\system32\vcjudcbh.exe
2006-08-16 12:50 12,308 --a------ C:\WINDOWS\system32\pduiovlx.exe
2006-08-15 11:05 12,308 --a------ C:\WINDOWS\system32\glmjnexx.exe
2006-08-14 13:42 12,308 --a------ C:\WINDOWS\system32\momhxksi.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-06 14:36 1294232 ---hs---- C:\WINDOWS\system32\accdd.ini2
2006-09-06 14:33 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-06 13:27 1294959 ---hs---- C:\WINDOWS\system32\accdd.bak2
2006-09-04 20:51 14114 --a------ C:\Documents and Settings\JamesBond\Application Data\.googlewebacchosts
2006-09-02 17:26 5439 --a------ C:\Program Files\hijackthis.log
2006-09-02 17:26 -------- d-------- C:\Program Files\backups
2006-09-02 17:25 413 --a------ C:\Program Files\Shortcut to HijackThis.exe.lnk
2006-08-31 18:52 -------- d-------- C:\Program Files\LimeWire
2006-08-19 13:49 -------- d-------- C:\Documents and Settings\JamesBond\Application Data\Apple Computer
2006-08-19 13:48 -------- d-------- C:\Program Files\QuickTime
2006-08-19 13:42 -------- d-------- C:\Program Files\iTunes
2006-08-19 13:35 -------- d-------- C:\Program Files\iPod
2006-07-25 21:21 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-07-25 21:06 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-25 17:29 65556 --a------ C:\WINDOWS\system32\jqhkawit.exe
2006-07-24 15:53 17750 --a------ C:\WINDOWS\system32\ckceeena.exe
2006-07-24 15:53 12288 --a------ C:\WINDOWS\system32\drivers\DP.sys
2006-07-23 23:12 17750 --a------ C:\WINDOWS\system32\arlahprg.exe
2006-07-22 17:28 17750 --a------ C:\WINDOWS\system32\lbrpmhtj.exe
2006-07-21 17:42 17750 --a------ C:\WINDOWS\system32\wsrdchfc.exe
2006-07-20 23:45 17750 --a------ C:\WINDOWS\system32\qdfrugiw.exe
2006-07-20 17:12 -------- d-------- C:\Documents and Settings\JamesBond\Application Data\Mozilla


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"=""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://linbot.havenless.com/desktops/lotr/lotr-legolas-stone-800.jpg"
"SubscribedURL"="http://linbot.havenless.com/desktops/lotr/lotr-legolas-stone-800.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,03,ff,ff,ff,34,00,00,00,20,03,00,00,58,02,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,03,ff,ff,ff,34,00,00,00,20,03,00,00,58,02,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,fc,ff,ff,ff,25,00,00,00,20,03,00,00,58,02,\
00,00,01,00,00,40

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://i20.photobucket.com/albums/b237/punkerandrea/NINJA.gif"
"SubscribedURL"="http://i20.photobucket.com/albums/b237/punkerandrea/NINJA.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,4c,02,00,00,b3,00,00,00,5a,00,00,00,5a,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4c,02,00,00,b3,00,00,00,5a,00,00,00,5a,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4c,02,00,00,b3,00,00,00,5a,00,00,00,5a,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="http://www.yourspacenow.com/img/animated103.gif"
"SubscribedURL"="http://www.yourspacenow.com/img/animated103.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,55,02,00,00,5b,00,00,00,62,00,00,00,49,00,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,55,02,00,00,5b,00,00,00,62,00,00,00,49,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,55,02,00,00,5b,00,00,00,62,00,00,00,49,00,\
00,00,01,00,00,40

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\3]
"Source"="http://content24.bigoo.ws/content/image/animation_miscellaneous/miscellaneous_94.gif"
"SubscribedURL"="http://content24.bigoo.ws/content/image/animation_miscellaneous/miscellaneous_94.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,f1,01,00,00,52,00,00,00,3e,00,00,00,55,00,00,00,ee,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,f1,01,00,00,52,00,00,00,3e,00,00,00,55,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:14,6d,1f,03,41,c0,b4,74,e0,ae,21,05,68,de,1f,03,20,6d,\
1f,03,0e,96,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\4]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Wed 09/06/2006 14:37:43.14
ComboFix.txt

THE 4 LOGS
09/06/2006 02:42 PM 1,294,200 accdd.ini2
09/06/2006 01:27 PM 1,294,959 accdd.bak2
09/06/2006 01:26 PM 13,058 wpa.dbl
09/03/2006 02:04 AM 143 mcrh.tmp
08/30/2006 01:18 AM 13,844 sbdrgrvv.exe
08/29/2006 05:33 PM 13,844 wovwhwxs.exe
08/28/2006 09:43 PM 13,844 dgpsgvlt.exe
08/28/2006 07:55 PM 13,844 nyuhabbd.exe
08/28/2006 12:27 PM 13,844 mwlpcrfg.exe
08/28/2006 04:48 AM 13,844 mrhceeau.exe
08/27/2006 10:23 PM 13,844 lgtlsdxf.exe
08/27/2006 10:35 AM 13,844 piwrlovy.exe
08/25/2006 03:23 PM 13,844 ixuavffb.exe
08/24/2006 10:42 PM 13,844 ollqdugb.exe
08/24/2006 03:36 PM 13,844 balcjoog.exe
08/24/2006 06:06 AM 13,844 uioahkde.exe
08/23/2006 11:04 PM 13,844 ujsgspym.exe
08/23/2006 12:34 PM 13,844 skraorsl.exe
08/22/2006 12:57 PM 13,844 siryenmq.exe
08/21/2006 05:30 PM 13,844 fpeymbjp.exe
08/21/2006 02:54 PM 13,844 vcrwprlx.exe
08/17/2006 02:37 PM 13,844 jdjgcitd.exe
08/16/2006 09:17 PM 12,308 vdbkifuu.exe
08/16/2006 09:17 PM 12,820 iphgapbn.exe
08/16/2006 09:17 PM 12,308 etgdhior.exe
08/16/2006 12:50 PM 12,308 pduiovlx.exe
08/16/2006 12:50 PM 12,308 vcjudcbh.exe
08/15/2006 11:05 AM 12,308 glmjnexx.exe
08/14/2006 01:42 PM 12,308 momhxksi.exe
07/25/2006 05:29 PM 65,556 jqhkawit.exe
07/24/2006 03:53 PM 17,750 ckceeena.exe
07/23/2006 11:12 PM 17,750 arlahprg.exe
07/22/2006 05:28 PM 17,750 lbrpmhtj.exe
07/21/2006 05:42 PM 17,750 wsrdchfc.exe
07/20/2006 11:45 PM 17,750 qdfrugiw.exe
06/08/2006 09:19 PM 5,967,776 MRT.exe
06/06/2006 10:00 PM 1,043,240 accdd.ini
06/06/2006 03:19 PM 1,034,754 accdd.tmp
06/04/2006 06:46 PM 51,789 QuickTime.qtp
06/02/2006 01:39 PM 579,888 LegitCheckControl.dll
06/02/2006 01:39 PM 402,736 WgaLogon.dll
06/02/2006 01:39 PM 286,000 WgaTray.exe
06/01/2006 02:47 PM 27,648 jgpl400.dll
06/01/2006 02:47 PM 163,840 jgdw400.dll

Volume in drive C has no label.
Volume Serial Number is C038-608A

Directory of C:\WINDOWS

09/06/2006 02:41 PM 62,949,056 dp2_log.txt
09/06/2006 01:25 PM 0 0.log
09/06/2006 01:25 PM 157 wiadebug.log
09/06/2006 01:25 PM 1,705,615 WindowsUpdate.log
09/06/2006 01:25 PM 48 wiaservc.log
09/06/2006 01:24 PM 2,048 bootstat.dat
09/06/2006 03:53 AM 32,610 SchedLgU.Txt
09/06/2006 01:29 AM 562,013 setupapi.log
08/29/2006 03:37 AM 75,105 wmsetup.log
08/19/2006 08:25 PM 164,393 setupact.log
08/19/2006 01:43 PM 335 GEARInstall.log
07/25/2006 09:20 PM 1,615 eReg.dat
07/20/2006 11:49 PM 2,934 mozver.dat
07/20/2006 05:12 PM 0 nsreg.dat
06/27/2006 12:48 PM 33,762 spupdsvc.log
06/27/2006 12:39 PM 561,510 iis6.log
06/27/2006 12:39 PM 163,133 comsetup.log
06/27/2006 12:39 PM 98,270 ntdtcsetup.log
06/27/2006 12:39 PM 215,778 tsoc.log
06/27/2006 12:39 PM 25,500 ocmsn.log
06/27/2006 12:39 PM 21,587 tabletoc.log
06/27/2006 12:39 PM 1,374 imsins.log
06/27/2006 12:39 PM 17,377 KB917953.log
06/27/2006 12:39 PM 75,035 netfxocm.log
06/27/2006 12:39 PM 230,059 ocgen.log
06/27/2006 12:39 PM 30,517 medctroc.Log
06/27/2006 12:39 PM 23,322 msgsocm.log
06/27/2006 12:39 PM 458,566 FaxSetup.log
06/27/2006 12:39 PM 152,008 msmqinst.log
06/27/2006 12:38 PM 1,374 imsins.BAK
06/27/2006 12:38 PM 20,400 KB916281.log
06/27/2006 12:38 PM 33,899 updspapi.log
06/27/2006 12:37 PM 10,889 KB918439.log
06/27/2006 12:36 PM 11,522 KB917344.log
06/27/2006 12:36 PM 11,430 KB914389.log
06/27/2006 12:35 PM 6,501 KB917734.log
06/08/2006 07:49 PM 22,669 WgaNotify.log

Volume in drive C has no label.
Volume Serial Number is C038-608A

Directory of C:\DOCUME~1\JAMESB~1\LOCALS~1\Temp

09/06/2006 02:42 PM 240 datFind.zip
09/06/2006 02:42 PM 2,490,368 GoogleWebAcceleratorCache
09/06/2006 02:15 PM 166,447 googlewebaccclient.exe.log
09/06/2006 01:26 PM 841 GoogleWebAccelerator.pac
09/06/2006 01:26 PM 73,474 GoogleWebAccWarden.exe.log
5 File(s) 2,731,370 bytes
0 Dir(s) 6,847,877,120 bytes free

Volume in drive C has no label.
Volume Serial Number is C038-608A

Directory of C:\

09/06/2006 02:42 PM 0 sys.txt
09/06/2006 02:42 PM 10,025 system.txt
09/06/2006 02:42 PM 540 systemtemp.txt
09/06/2006 02:42 PM 113,861 system32.txt
09/06/2006 02:37 PM 9,345 ComboFix.txt
09/06/2006 01:24 PM 402,653,184 pagefile.sys

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 9/6/2006 2:49:51 PM for strings:
; 'local security authority subsystem service'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS\0000]
"DeviceDesc"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lsass]
"DisplayName"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_LSASS\0000]
"DeviceDesc"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lsass]
"DisplayName"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000]
"DeviceDesc"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass]
"DisplayName"="Local Security Authority Subsystem Service"

; End Of The Log...
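The reasoning Sabina applies to the logs above (a service calling itself "lsass" that actually runs C:\WINDOWS\scvhost.exe, a near-namesake of the genuine svchost.exe sitting outside system32) written out as a small Python checker over HijackThis O23 service lines. This is an added example, not code from the thread or from HijackThis or ServiceFilter; the allow-list of genuine XP binaries is an assumption, and the sample input is constructed from the lines posted here.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample input: the O23 (service) lines from the HijackThis log posted in this thread.
HIJACKTHIS_O23 = r"""
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
"""

# Assumption: a short allow-list of core XP binaries and their genuine locations is enough
# here. A service that borrows one of these names, or a near-namesake of one, but runs
# from somewhere else is exactly what the thread is hunting.
GENUINE = {
    "lsass": r"c:\windows\system32\lsass.exe",
    "svchost": r"c:\windows\system32\svchost.exe",
    "services": r"c:\windows\system32\services.exe",
    "winlogon": r"c:\windows\system32\winlogon.exe",
}
SERVICE_DIRS = (r"c:\windows\system32", r"c:\program files")


@dataclass
class Service:
    name: str      # short service name; "" when the log line did not show one
    display: str
    path: str


# HijackThis prints "O23 - Service: <display> (<name>) - <owner> - <path>"; "(<name>)" may be absent.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)


def parse_hijackthis(text: str) -> List[Service]:
    """Extract the services from the O23 lines of a HijackThis log."""
    out = []
    for line in text.splitlines():
        m = O23_RE.match(line)
        if m:
            out.append(Service(m["name"] or "", m["display"], m["path"]))
    return out


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent transposition (svchost/scvhost) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def in_service_dir(path: str) -> bool:
    """True when the image sits under one of the directories services normally live in."""
    d = ntpath.dirname(path.lower())
    return any(d == s or d.startswith(s + "\\") for s in SERVICE_DIRS)


def audit(services: Iterable[Service]) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs for every service that looks out of place."""
    findings = []
    for s in services:
        path = s.path.lower()
        stem = ntpath.splitext(ntpath.basename(path))[0]
        key = s.name.lower()
        if key in GENUINE and path != GENUINE[key]:
            findings.append((s.name, f"claims to be {key} but runs from {s.path}"))
        for g in GENUINE:
            if stem != g and osa_distance(stem, g) == 1:
                findings.append((s.name, f"{stem}.exe is a look-alike of {g}.exe"))
        if not in_service_dir(path):
            findings.append((s.name, f"{s.path} is outside the usual service directories"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_hijackthis(HIJACKTHIS_O23)):
        print(f"[{name}] {reason}")
```

Run on the sample, only the fake "lsass" service is reported, for three separate reasons; the genuine third-party services pass.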
06.09.2006, 23:07
Honorary member
Sabina

Posts: 29434
#4 Renji

1. Run Vundofix
http://virus-protect.org/artikel/tools/vundofixx.html

2. Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste this in:

Quote

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lsass
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_LSASS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lsass
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca

Files to delete:
C:\WINDOWS\system32\drivers\DP.sys
C:\WINDOWS\system32\ddcca.dll
C:\WINDOWS\system32\accdd.ini2
C:\WINDOWS\system32\accdd.bak2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\sbdrgrvv.exe
C:\WINDOWS\system32\wovwhwxs.exe
C:\WINDOWS\system32\dgpsgvlt.exe
C:\WINDOWS\system32\nyuhabbd.exe
C:\WINDOWS\system32\mwlpcrfg.exe
C:\WINDOWS\system32\mrhceeau.exe
C:\WINDOWS\system32\lgtlsdxf.exe
C:\WINDOWS\system32\piwrlovy.exe
C:\WINDOWS\system32\ixuavffb.exe
C:\WINDOWS\system32\ollqdugb.exe
C:\WINDOWS\system32\balcjoog.exe
C:\WINDOWS\system32\uioahkde.exe
C:\WINDOWS\system32\ujsgspym.exe
C:\WINDOWS\system32\skraorsl.exe
C:\WINDOWS\system32\siryenmq.exe
C:\WINDOWS\system32\fpeymbjp.exe
C:\WINDOWS\system32\vcrwprlx.exe
C:\WINDOWS\system32\jdjgcitd.exe
C:\WINDOWS\system32\vdbkifuu.exe
C:\WINDOWS\system32\iphgapbn.exe
C:\WINDOWS\system32\etgdhior.exe
C:\WINDOWS\system32\pduiovlx.exe
C:\WINDOWS\system32\vcjudcbh.exe
C:\WINDOWS\system32\glmjnexx.exe
C:\WINDOWS\system32\momhxksi.exe
C:\WINDOWS\system32\jqhkawit.exe
C:\WINDOWS\system32\ckceeena.exe
C:\WINDOWS\system32\arlahprg.exe
C:\WINDOWS\system32\lbrpmhtj.exe
C:\WINDOWS\system32\wsrdchfc.exe
C:\WINDOWS\system32\qdfrugiw.exe
C:\WINDOWS\system32\accdd.ini
C:\WINDOWS\system32\accdd.tmp
C:\WINDOWS\scvhost.exe

Click the green traffic light
the script will now run, then the PC will restart automatically

**
post the log from Avenger that appears

**
Start - Programs - Accessories - System Tools - Disk Cleanup
- Click: Temporary Internet Files, OK
- Click: Temporary Files, OK

**
scan with Sophos and Trend Micro and post the scan reports
http://virus-protect.org/multiavtool.html
__________
Regards, Sabina

all about PC security
08.09.2006, 04:01
Member

Thread starter

Posts: 17
#5 Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uyoxbetk

*******************

Script file located at: \??\C:\Program Files\uaspy^dq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lsass deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_LSASS\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lsass deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\DP.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\DP.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\DP.sys
Status: 0xc0000034



File C:\WINDOWS\system32\ddcca.dll not found!
Deletion of file C:\WINDOWS\system32\ddcca.dll failed!

Could not process line:
C:\WINDOWS\system32\ddcca.dll
Status: 0xc0000034



File C:\WINDOWS\system32\accdd.ini2 not found!
Deletion of file C:\WINDOWS\system32\accdd.ini2 failed!

Could not process line:
C:\WINDOWS\system32\accdd.ini2
Status: 0xc0000034



File C:\WINDOWS\system32\accdd.bak2 not found!
Deletion of file C:\WINDOWS\system32\accdd.bak2 failed!

Could not process line:
C:\WINDOWS\system32\accdd.bak2
Status: 0xc0000034

File C:\WINDOWS\system32\mcrh.tmp deleted successfully.
File C:\WINDOWS\system32\sbdrgrvv.exe deleted successfully.
File C:\WINDOWS\system32\wovwhwxs.exe deleted successfully.
File C:\WINDOWS\system32\dgpsgvlt.exe deleted successfully.
File C:\WINDOWS\system32\nyuhabbd.exe deleted successfully.
File C:\WINDOWS\system32\mwlpcrfg.exe deleted successfully.
File C:\WINDOWS\system32\mrhceeau.exe deleted successfully.
File C:\WINDOWS\system32\lgtlsdxf.exe deleted successfully.
File C:\WINDOWS\system32\piwrlovy.exe deleted successfully.
File C:\WINDOWS\system32\ixuavffb.exe deleted successfully.
File C:\WINDOWS\system32\ollqdugb.exe deleted successfully.
File C:\WINDOWS\system32\balcjoog.exe deleted successfully.
File C:\WINDOWS\system32\uioahkde.exe deleted successfully.
File C:\WINDOWS\system32\ujsgspym.exe deleted successfully.
File C:\WINDOWS\system32\skraorsl.exe deleted successfully.
File C:\WINDOWS\system32\siryenmq.exe deleted successfully.
File C:\WINDOWS\system32\fpeymbjp.exe deleted successfully.
File C:\WINDOWS\system32\vcrwprlx.exe deleted successfully.


File C:\WINDOWS\system32\jdjgcitd.exe not found!
Deletion of file C:\WINDOWS\system32\jdjgcitd.exe failed!

Could not process line:
C:\WINDOWS\system32\jdjgcitd.exe
Status: 0xc0000034



File C:\WINDOWS\system32\vdbkifuu.exe not found!
Deletion of file C:\WINDOWS\system32\vdbkifuu.exe failed!

Could not process line:
C:\WINDOWS\system32\vdbkifuu.exe
Status: 0xc0000034



File C:\WINDOWS\system32\iphgapbn.exe not found!
Deletion of file C:\WINDOWS\system32\iphgapbn.exe failed!

Could not process line:
C:\WINDOWS\system32\iphgapbn.exe
Status: 0xc0000034



File C:\WINDOWS\system32\etgdhior.exe not found!
Deletion of file C:\WINDOWS\system32\etgdhior.exe failed!

Could not process line:
C:\WINDOWS\system32\etgdhior.exe
Status: 0xc0000034



File C:\WINDOWS\system32\pduiovlx.exe not found!
Deletion of file C:\WINDOWS\system32\pduiovlx.exe failed!

Could not process line:
C:\WINDOWS\system32\pduiovlx.exe
Status: 0xc0000034



File C:\WINDOWS\system32\vcjudcbh.exe not found!
Deletion of file C:\WINDOWS\system32\vcjudcbh.exe failed!

Could not process line:
C:\WINDOWS\system32\vcjudcbh.exe
Status: 0xc0000034

File C:\WINDOWS\system32\glmjnexx.exe deleted successfully.
File C:\WINDOWS\system32\momhxksi.exe deleted successfully.
File C:\WINDOWS\system32\jqhkawit.exe deleted successfully.
File C:\WINDOWS\system32\ckceeena.exe deleted successfully.
File C:\WINDOWS\system32\arlahprg.exe deleted successfully.
File C:\WINDOWS\system32\lbrpmhtj.exe deleted successfully.
File C:\WINDOWS\system32\wsrdchfc.exe deleted successfully.
File C:\WINDOWS\system32\qdfrugiw.exe deleted successfully.


File C:\WINDOWS\system32\accdd.ini not found!
Deletion of file C:\WINDOWS\system32\accdd.ini failed!

Could not process line:
C:\WINDOWS\system32\accdd.ini
Status: 0xc0000034



File C:\WINDOWS\system32\accdd.tmp not found!
Deletion of file C:\WINDOWS\system32\accdd.tmp failed!

Could not process line:
C:\WINDOWS\system32\accdd.tmp
Status: 0xc0000034

File C:\WINDOWS\scvhost.exe deleted successfully.


Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

I'll send the other 2 later, it's already late here
Greetings from America
Renji
08.09.2006, 15:07
Honorary member
Sabina

Posts: 29434
#6 **

Quote

scan with Sophos and Trend Micro and post the scan reports
http://virus-protect.org/multiavtool.html
;)
__________
Regards, Sabina

all about PC security