Scvhost.exe presumably a backdoor
02.09.2006, 23:27
Member
Posts: 17
04.09.2006, 13:07
Honorary member
Posts: 29434
#2
1. Post this log: http://virus-protect.org/artikel/tools/combofix.html
2. Set up CleanUp exactly as described here: http://virus-protect.org/cleanup.html
3. Copy these 4 text files (right-click with the mouse -> select the text -> copy -> paste). They are sorted by date. (Copy only the last 3 months.) http://virus-protect.org/datfindbat.html
4. ServiceFilter.zip http://virus-protect.org/artikel/tools/ServiceFilter.zip - unzip - double-click the file ServiceFilter.vbs - confirm the version number - scan - allow WordPad or Notepad to open - copy POST_THIS.TXT
5. Download Registry Search by Bobbi Flekman http://www.bleepingcomputer.com/files/regsearch.php and double-click it to start. In "Enter search strings" paste: Local Security Authority Subsystem Service, then click "Ok". Notepad will open -- copy the text and post it.
__________
Best regards, Sabina
All about PC security
06.09.2006, 21:00
Member
Thread starter
Posts: 17
#3
POST_THIS:
The script did not recognize the services listed below. This does not mean that they are a problem.
To copy the entire contents of this document for posting: At the top of this window click "Edit" then "Select All". Next click "Edit" again then "Copy". Now right click in the forum post box then click "Paste".
########################################
ServiceFilter 1.1 by rand1038
Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 2
Sep 6, 2006 2:44:50 PM

---> Begin Service Listing <---

Unknown Service # 1
Service Name: IDriverT
Display Name: InstallDriver Table Manager
Start Mode: Manual
Start Name: LocalSystem
Description: Provides support for the Running Object Table for InstallShield ...
Service Type: Own Process
Path: "c:\program files\common files\installshield\driver\11\intel 32\idrivert.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: lsass
Display Name: Local Security Authority Subsystem Service
Start Mode: Auto
Start Name: LocalSystem
Description: Microsoft Path Finder Service Displays Internet Routing ...
Service Type: Own Process
Path: "c:\windows\scvhost.exe"
State: Running
Process ID: 1536
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service #3
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{b37d3a62-de60-43ca-83b4-7eb17076faef}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 4
Service Name: WinDefend
Display Name: Windows Defender Service
Start Mode: Auto
Start Name: LocalSystem
Description: Helps protect users from malicious software, spyware, and other potentially unwanted ...
Service Type: Own Process
Path: "c:\program files\windows defender\msmpeng.exe"
State: Running
Process ID: 756
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 85 Win32 services on this machine.
4 were unrecognized.
Script Execution Time: 8.410156 seconds.

COMBOFIX

JamesBond - 06-09-06 14:34:22.59
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\JamesBond\Desktop
Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-06 to 2006-09-06 ))))))))))))))))))))))))))))))))))

2006-08-30 01:18 13,844 --a------ C:\WINDOWS\system32\sbdrgrvv.exe
2006-08-29 17:33 13,844 --a------ C:\WINDOWS\system32\wovwhwxs.exe
2006-08-28 21:43 13,844 --a------ C:\WINDOWS\system32\dgpsgvlt.exe
2006-08-28 19:55 13,844 --a------ C:\WINDOWS\system32\nyuhabbd.exe
2006-08-28 12:27 13,844 --a------ C:\WINDOWS\system32\mwlpcrfg.exe
2006-08-28 04:48 13,844 --a------ C:\WINDOWS\system32\mrhceeau.exe
2006-08-27 22:23 13,844 --a------ C:\WINDOWS\system32\lgtlsdxf.exe
2006-08-27 10:35 13,844 --a------ C:\WINDOWS\system32\piwrlovy.exe
2006-08-25 15:23 13,844 --a------ C:\WINDOWS\system32\ixuavffb.exe
2006-08-24 22:42 13,844 --a------ C:\WINDOWS\system32\ollqdugb.exe
2006-08-24 15:36 13,844 --a------ C:\WINDOWS\system32\balcjoog.exe
2006-08-24 06:06 13,844 --a------ C:\WINDOWS\system32\uioahkde.exe
2006-08-23 23:04 13,844 --a------ C:\WINDOWS\system32\ujsgspym.exe
2006-08-23 12:34 13,844 --a------ C:\WINDOWS\system32\skraorsl.exe
2006-08-22 12:57 13,844 --a------ C:\WINDOWS\system32\siryenmq.exe
2006-08-21 17:30 13,844 --a------ C:\WINDOWS\system32\fpeymbjp.exe
2006-08-21 14:54 13,844 --a------ C:\WINDOWS\system32\vcrwprlx.exe
2006-08-17 14:37 13,844 --a------ C:\WINDOWS\system32\jdjgcitd.exe
2006-08-16 21:17 12,820 --a------ C:\WINDOWS\system32\iphgapbn.exe
2006-08-16 21:17 12,308 --a------ C:\WINDOWS\system32\vdbkifuu.exe
2006-08-16 21:17 12,308 --a------ C:\WINDOWS\system32\etgdhior.exe
2006-08-16 12:50 12,308 --a------ C:\WINDOWS\system32\vcjudcbh.exe
2006-08-16 12:50 12,308 --a------ C:\WINDOWS\system32\pduiovlx.exe
2006-08-15 11:05 12,308 --a------ C:\WINDOWS\system32\glmjnexx.exe
2006-08-14 13:42 12,308 --a------ C:\WINDOWS\system32\momhxksi.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-09-06 14:36 1294232 ---hs---- C:\WINDOWS\system32\accdd.ini2
2006-09-06 14:33 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-06 13:27 1294959 ---hs---- C:\WINDOWS\system32\accdd.bak2
2006-09-04 20:51 14114 --a------ C:\Documents and Settings\JamesBond\Application Data\.googlewebacchosts
2006-09-02 17:26 5439 --a------ C:\Program Files\hijackthis.log
2006-09-02 17:26 -------- d-------- C:\Program Files\backups
2006-09-02 17:25 413 --a------ C:\Program Files\Shortcut to HijackThis.exe.lnk
2006-08-31 18:52 -------- d-------- C:\Program Files\LimeWire
2006-08-19 13:49 -------- d-------- C:\Documents and Settings\JamesBond\Application Data\Apple Computer
2006-08-19 13:48 -------- d-------- C:\Program Files\QuickTime
2006-08-19 13:42 -------- d-------- C:\Program Files\iTunes
2006-08-19 13:35 -------- d-------- C:\Program Files\iPod
2006-07-25 21:21 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-07-25 21:06 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-25 17:29 65556 --a------ C:\WINDOWS\system32\jqhkawit.exe
2006-07-24 15:53 17750 --a------ C:\WINDOWS\system32\ckceeena.exe
2006-07-24 15:53 12288 --a------ C:\WINDOWS\system32\drivers\DP.sys
2006-07-23 23:12 17750 --a------ C:\WINDOWS\system32\arlahprg.exe
2006-07-22 17:28 17750 --a------ C:\WINDOWS\system32\lbrpmhtj.exe
2006-07-21 17:42 17750 --a------ C:\WINDOWS\system32\wsrdchfc.exe
2006-07-20 23:45 17750 --a------ C:\WINDOWS\system32\qdfrugiw.exe
2006-07-20 17:12 -------- d-------- C:\Documents and Settings\JamesBond\Application Data\Mozilla
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"=""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
  65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://linbot.havenless.com/desktops/lotr/lotr-legolas-stone-800.jpg"
"SubscribedURL"="http://linbot.havenless.com/desktops/lotr/lotr-legolas-stone-800.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,03,ff,ff,ff,34,00,00,00,20,03,00,00,58,02,00,00,e8,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,03,ff,ff,ff,34,00,00,00,20,03,00,00,58,02,\
  00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,fc,ff,ff,ff,25,00,00,00,20,03,00,00,58,02,\
  00,00,01,00,00,40

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://i20.photobucket.com/albums/b237/punkerandrea/NINJA.gif"
"SubscribedURL"="http://i20.photobucket.com/albums/b237/punkerandrea/NINJA.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,4c,02,00,00,b3,00,00,00,5a,00,00,00,5a,00,00,00,ea,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4c,02,00,00,b3,00,00,00,5a,00,00,00,5a,00,\
  00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4c,02,00,00,b3,00,00,00,5a,00,00,00,5a,00,\
  00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="http://www.yourspacenow.com/img/animated103.gif"
"SubscribedURL"="http://www.yourspacenow.com/img/animated103.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,55,02,00,00,5b,00,00,00,62,00,00,00,49,00,00,00,ec,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,55,02,00,00,5b,00,00,00,62,00,00,00,49,00,\
  00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,55,02,00,00,5b,00,00,00,62,00,00,00,49,00,\
  00,00,01,00,00,40

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\3]
"Source"="http://content24.bigoo.ws/content/image/animation_miscellaneous/miscellaneous_94.gif"
"SubscribedURL"="http://content24.bigoo.ws/content/image/animation_miscellaneous/miscellaneous_94.gif"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,f1,01,00,00,52,00,00,00,3e,00,00,00,55,00,00,00,ee,\
  03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,f1,01,00,00,52,00,00,00,3e,00,00,00,55,00,\
  00,00,01,00,00,40
"RestoredStateInfo"=hex:14,6d,1f,03,41,c0,b4,74,e0,ae,21,05,68,de,1f,03,20,6d,\
  1f,03,0e,96,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\4]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,\
  00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Wed 09/06/2006 14:37:43.14
ComboFix.txt

THE 4 LOGS

09/06/2006 02:42 PM 1,294,200 accdd.ini2
09/06/2006 01:27 PM 1,294,959 accdd.bak2
09/06/2006 01:26 PM 13,058 wpa.dbl
09/03/2006 02:04 AM 143 mcrh.tmp
08/30/2006 01:18 AM 13,844 sbdrgrvv.exe
08/29/2006 05:33 PM 13,844 wovwhwxs.exe
08/28/2006 09:43 PM 13,844 dgpsgvlt.exe
08/28/2006 07:55 PM 13,844 nyuhabbd.exe
08/28/2006 12:27 PM 13,844 mwlpcrfg.exe
08/28/2006 04:48 AM 13,844 mrhceeau.exe
08/27/2006 10:23 PM 13,844 lgtlsdxf.exe
08/27/2006 10:35 AM 13,844 piwrlovy.exe
08/25/2006 03:23 PM 13,844 ixuavffb.exe
08/24/2006 10:42 PM 13,844 ollqdugb.exe
08/24/2006 03:36 PM 13,844 balcjoog.exe
08/24/2006 06:06 AM 13,844 uioahkde.exe
08/23/2006 11:04 PM 13,844 ujsgspym.exe
08/23/2006 12:34 PM 13,844 skraorsl.exe
08/22/2006 12:57 PM 13,844 siryenmq.exe
08/21/2006 05:30 PM 13,844 fpeymbjp.exe
08/21/2006 02:54 PM 13,844 vcrwprlx.exe
08/17/2006 02:37 PM 13,844 jdjgcitd.exe
08/16/2006 09:17 PM 12,308 vdbkifuu.exe
08/16/2006 09:17 PM 12,820 iphgapbn.exe
08/16/2006 09:17 PM 12,308 etgdhior.exe
08/16/2006 12:50 PM 12,308 pduiovlx.exe
08/16/2006 12:50 PM 12,308 vcjudcbh.exe
08/15/2006 11:05 AM 12,308 glmjnexx.exe
08/14/2006 01:42 PM 12,308 momhxksi.exe
07/25/2006 05:29 PM 65,556 jqhkawit.exe
07/24/2006 03:53 PM 17,750 ckceeena.exe
07/23/2006 11:12 PM 17,750 arlahprg.exe
07/22/2006 05:28 PM 17,750 lbrpmhtj.exe
07/21/2006 05:42 PM 17,750 wsrdchfc.exe
07/20/2006 11:45 PM 17,750 qdfrugiw.exe
06/08/2006 09:19 PM 5,967,776 MRT.exe
06/06/2006 10:00 PM 1,043,240 accdd.ini
06/06/2006 03:19 PM 1,034,754 accdd.tmp
06/04/2006 06:46 PM 51,789 QuickTime.qtp
06/02/2006 01:39 PM 579,888 LegitCheckControl.dll
06/02/2006 01:39 PM 402,736 WgaLogon.dll
06/02/2006 01:39 PM 286,000 WgaTray.exe
06/01/2006 02:47 PM 27,648 jgpl400.dll
06/01/2006 02:47 PM 163,840 jgdw400.dll

Volume in drive C has no label.
Volume Seri*hier nicht!* Number is C038-608A
Directory of C:\WINDOWS
09/06/2006 02:41 PM 62,949,056 dp2_log.txt
09/06/2006 01:25 PM 0 0.log
09/06/2006 01:25 PM 157 wiadebug.log
09/06/2006 01:25 PM 1,705,615 WindowsUpdate.log
09/06/2006 01:25 PM 48 wiaservc.log
09/06/2006 01:24 PM 2,048 bootstat.dat
09/06/2006 03:53 AM 32,610 SchedLgU.Txt
09/06/2006 01:29 AM 562,013 setupapi.log
08/29/2006 03:37 AM 75,105 wmsetup.log
08/19/2006 08:25 PM 164,393 setupact.log
08/19/2006 01:43 PM 335 GEARInstall.log
07/25/2006 09:20 PM 1,615 eReg.dat
07/20/2006 11:49 PM 2,934 mozver.dat
07/20/2006 05:12 PM 0 nsreg.dat
06/27/2006 12:48 PM 33,762 spupdsvc.log
06/27/2006 12:39 PM 561,510 iis6.log
06/27/2006 12:39 PM 163,133 comsetup.log
06/27/2006 12:39 PM 98,270 ntdtcsetup.log
06/27/2006 12:39 PM 215,778 tsoc.log
06/27/2006 12:39 PM 25,500 ocmsn.log
06/27/2006 12:39 PM 21,587 tabletoc.log
06/27/2006 12:39 PM 1,374 imsins.log
06/27/2006 12:39 PM 17,377 KB917953.log
06/27/2006 12:39 PM 75,035 netfxocm.log
06/27/2006 12:39 PM 230,059 ocgen.log
06/27/2006 12:39 PM 30,517 medctroc.Log
06/27/2006 12:39 PM 23,322 msgsocm.log
06/27/2006 12:39 PM 458,566 FaxSetup.log
06/27/2006 12:39 PM 152,008 msmqinst.log
06/27/2006 12:38 PM 1,374 imsins.BAK
06/27/2006 12:38 PM 20,400 KB916281.log
06/27/2006 12:38 PM 33,899 updspapi.log
06/27/2006 12:37 PM 10,889 KB918439.log
06/27/2006 12:36 PM 11,522 KB917344.log
06/27/2006 12:36 PM 11,430 KB914389.log
06/27/2006 12:35 PM 6,501 KB917734.log
06/08/2006 07:49 PM 22,669 WgaNotify.log

Volume in drive C has no label.
Volume Seri*hier nicht!* Number is C038-608A
Directory of C:\DOCUME~1\JAMESB~1\LOCALS~1\Temp
09/06/2006 02:42 PM 240 datFind.zip
09/06/2006 02:42 PM 2,490,368 GoogleWebAcceleratorCache
09/06/2006 02:15 PM 166,447 googlewebaccclient.exe.log
09/06/2006 01:26 PM 841 GoogleWebAccelerator.pac
09/06/2006 01:26 PM 73,474 GoogleWebAccWarden.exe.log
5 File(s) 2,731,370 bytes
0 Dir(s) 6,847,877,120 bytes free

Volume in drive C has no label.
Volume Seri*hier nicht!* Number is C038-608A
Directory of C:\
09/06/2006 02:42 PM 0 sys.txt
09/06/2006 02:42 PM 10,025 system.txt
09/06/2006 02:42 PM 540 systemtemp.txt
09/06/2006 02:42 PM 113,861 system32.txt
09/06/2006 02:37 PM 9,345 ComboFix.txt
09/06/2006 01:24 PM 402,653,184 pagefile.sys

REGEDIT4
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0
; Results at 9/6/2006 2:49:51 PM for strings:
; 'local security authority subsystem service'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS\0000]
"DeviceDesc"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lsass]
"DisplayName"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_LSASS\0000]
"DeviceDesc"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lsass]
"DisplayName"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000]
"DeviceDesc"="Local Security Authority Subsystem Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass]
"DisplayName"="Local Security Authority Subsystem Service"

; End Of The Log...
06.09.2006, 23:07
Honorary member
Posts: 29434
#4
Renji
1. Run VundoFix http://virus-protect.org/artikel/tools/vundofixx.html
2. Avenger http://virus-protect.org/artikel/tools/avenger.html
Paste this in:
Quote
registry keys to delete:
Click the green traffic light; the script will now be executed, then the PC will restart automatically.
** Post the Avenger log that appears
** Start - Programs - Accessories - System Tools - Disk Cleanup - click: Temporary Internet Files, OK - click: Temporary Files, OK
** Scan with Sophos and TrendMicro and post the scan reports http://virus-protect.org/multiavtool.html
__________
Best regards, Sabina
All about PC security
08.09.2006, 04:01
Member
Thread starter
Posts: 17
#5
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uyoxbetk

*******************

Script file located at: \??\C:\Program Files\uaspy^dq.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSASS\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lsass deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_LSASS\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lsass deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000 failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSASS\0000
Status: 0xc0000034
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\DP.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\DP.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\DP.sys
Status: 0xc0000034
File C:\WINDOWS\system32\ddcca.dll not found!
Deletion of file C:\WINDOWS\system32\ddcca.dll failed!
Could not process line:
C:\WINDOWS\system32\ddcca.dll
Status: 0xc0000034
File C:\WINDOWS\system32\accdd.ini2 not found!
Deletion of file C:\WINDOWS\system32\accdd.ini2 failed!
Could not process line:
C:\WINDOWS\system32\accdd.ini2
Status: 0xc0000034
File C:\WINDOWS\system32\accdd.bak2 not found!
Deletion of file C:\WINDOWS\system32\accdd.bak2 failed!
Could not process line:
C:\WINDOWS\system32\accdd.bak2
Status: 0xc0000034
File C:\WINDOWS\system32\mcrh.tmp deleted successfully.
File C:\WINDOWS\system32\sbdrgrvv.exe deleted successfully.
File C:\WINDOWS\system32\wovwhwxs.exe deleted successfully.
File C:\WINDOWS\system32\dgpsgvlt.exe deleted successfully.
File C:\WINDOWS\system32\nyuhabbd.exe deleted successfully.
File C:\WINDOWS\system32\mwlpcrfg.exe deleted successfully.
File C:\WINDOWS\system32\mrhceeau.exe deleted successfully.
File C:\WINDOWS\system32\lgtlsdxf.exe deleted successfully.
File C:\WINDOWS\system32\piwrlovy.exe deleted successfully.
File C:\WINDOWS\system32\ixuavffb.exe deleted successfully.
File C:\WINDOWS\system32\ollqdugb.exe deleted successfully.
File C:\WINDOWS\system32\balcjoog.exe deleted successfully.
File C:\WINDOWS\system32\uioahkde.exe deleted successfully.
File C:\WINDOWS\system32\ujsgspym.exe deleted successfully.
File C:\WINDOWS\system32\skraorsl.exe deleted successfully.
File C:\WINDOWS\system32\siryenmq.exe deleted successfully.
File C:\WINDOWS\system32\fpeymbjp.exe deleted successfully.
File C:\WINDOWS\system32\vcrwprlx.exe deleted successfully.
File C:\WINDOWS\system32\jdjgcitd.exe not found!
Deletion of file C:\WINDOWS\system32\jdjgcitd.exe failed!
Could not process line:
C:\WINDOWS\system32\jdjgcitd.exe
Status: 0xc0000034
File C:\WINDOWS\system32\vdbkifuu.exe not found!
Deletion of file C:\WINDOWS\system32\vdbkifuu.exe failed!
Could not process line:
C:\WINDOWS\system32\vdbkifuu.exe
Status: 0xc0000034
File C:\WINDOWS\system32\iphgapbn.exe not found!
Deletion of file C:\WINDOWS\system32\iphgapbn.exe failed!
Could not process line:
C:\WINDOWS\system32\iphgapbn.exe
Status: 0xc0000034
File C:\WINDOWS\system32\etgdhior.exe not found!
Deletion of file C:\WINDOWS\system32\etgdhior.exe failed!
Could not process line:
C:\WINDOWS\system32\etgdhior.exe
Status: 0xc0000034
File C:\WINDOWS\system32\pduiovlx.exe not found!
Deletion of file C:\WINDOWS\system32\pduiovlx.exe failed!
Could not process line:
C:\WINDOWS\system32\pduiovlx.exe
Status: 0xc0000034
File C:\WINDOWS\system32\vcjudcbh.exe not found!
Deletion of file C:\WINDOWS\system32\vcjudcbh.exe failed!
Could not process line:
C:\WINDOWS\system32\vcjudcbh.exe
Status: 0xc0000034
File C:\WINDOWS\system32\glmjnexx.exe deleted successfully.
File C:\WINDOWS\system32\momhxksi.exe deleted successfully.
File C:\WINDOWS\system32\jqhkawit.exe deleted successfully.
File C:\WINDOWS\system32\ckceeena.exe deleted successfully.
File C:\WINDOWS\system32\arlahprg.exe deleted successfully.
File C:\WINDOWS\system32\lbrpmhtj.exe deleted successfully.
File C:\WINDOWS\system32\wsrdchfc.exe deleted successfully.
File C:\WINDOWS\system32\qdfrugiw.exe deleted successfully.
File C:\WINDOWS\system32\accdd.ini not found!
Deletion of file C:\WINDOWS\system32\accdd.ini failed!
Could not process line:
C:\WINDOWS\system32\accdd.ini
Status: 0xc0000034
File C:\WINDOWS\system32\accdd.tmp not found!
Deletion of file C:\WINDOWS\system32\accdd.tmp failed!
Could not process line:
C:\WINDOWS\system32\accdd.tmp
Status: 0xc0000034
File C:\WINDOWS\scvhost.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcca failed!
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

I'll post the other 2 later, it's already late here.
Greetings from America
Renji
08.09.2006, 15:07
Honorary member
Posts: 29434
#6
** Quote:
Scan with Sophos and TrendMicro and post the scan reports
__________
Best regards, Sabina
All about PC security
Logfile of HijackThis v1.99.1
Scan saved at 5:26:00 PM, on 9/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\scvhost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net/microsoft/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\ddcca.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net/microsoft/index.html
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146185967962
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
Thanks a lot; by the way, it's a PC in America.
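An added example (my own script, not one of the tools used in this thread) that applies the checks the helper made by eye on the ServiceFilter and HijackThis output above: an image name that is a near-miss of a core Windows binary (scvhost.exe for svchost.exe), a core binary running from outside System32, and a service named after a core process (lsass) that points at a different image. The protected-binary list and the distance threshold are my assumptions; the sample lines are copied from the HijackThis log posted here.

```python
"""Flag impostor system processes in HijackThis-style output.

Added example for this thread, not one of the tools used in it. It checks
an image name that is a near-miss of a core Windows binary (scvhost.exe for
svchost.exe), a core binary running outside System32, and a service that
borrows a core process name (lsass) but points at a different image."""
import re
from ntpath import basename, dirname

# Core XP binaries that legitimately run only from %SystemRoot%\System32 (my list).
PROTECTED = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
             "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"

# "O23 - Service: <display> (<name>) - <owner> - <path>"; the short name is optional.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
                    r" - (?P<owner>.+?) - (?P<path>.+)$")

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters cost one point each, so scvhost/svchost = 1."""
    a, b = a.lower(), b.lower()
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_image(path):
    """Findings for one executable path; an empty list means nothing odd."""
    name = basename(path).lower()
    folder = dirname(path).lower().rstrip("\\")
    if name in PROTECTED:
        # The genuine binary lives in System32; a copy anywhere else is not it.
        return [] if folder == SYSTEM32 else [f"{name} runs from {folder}, not System32"]
    # Distance <= 2 catches a typo or one swapped letter pair without pulling
    # in unrelated names such as iPodService.exe against services.exe.
    return [f"{name} mimics {real} (edit distance {edit_distance(name, real)})"
            for real in sorted(PROTECTED) if edit_distance(name, real) <= 2]

def check_service(name, display, path):
    """Image checks plus: a service whose short name is a core process stem
    must point at that very binary. On XP lsass.exe is started by winlogon,
    not the service manager, so a service called lsass is suspect by itself."""
    findings = check_image(path)
    stem = (name or "").lower()
    if stem + ".exe" in PROTECTED and basename(path).lower() != stem + ".exe":
        findings.append(f"service {stem} ({display}) points at {basename(path)}")
    return findings

def scan_hijackthis(lines):
    """Return {line: findings} for the 'Running processes:' paths and the O23
    service lines of a HijackThis log; clean lines are left out."""
    report, in_procs = {}, False
    for line in (raw.strip() for raw in lines):
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs and not re.match(r"^[a-z]:\\", line, re.I):
            in_procs = False  # the first R0/R1 entry ends the process list
        m = O23_RE.match(line)
        hits = (check_service(m["name"], m["display"], m["path"]) if m
                else check_image(line) if in_procs else [])
        if hits:
            report[line] = hits
    return report

# Lines copied from the HijackThis log posted in this thread (abridged).
SAMPLE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\scvhost.exe
C:\Program Files\iPod\bin\iPodService.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
""".splitlines()

if __name__ == "__main__":
    for line, hits in scan_hijackthis(SAMPLE).items():
        print(line, *("\n    -> " + h for h in hits))
```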