TR/Vundo.Gen stubborn!

25.09.2006, 12:51
...new here

Posts: 9
#1 Hello! I have to get a friend's PC running again... after ~460 removed viruses I'm now stuck on a Trojan. TR/Vundo.Gen!
Here is my HijackThis file:
Logfile of HijackThis v1.99.1
Scan saved at 12:46:32, on 25.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\{391615E2-0574-1031-0903-03040720002b}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Inge\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Programme\Outlook Express\msimn.exe"
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Programme\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Audio System] Sound.exe
O4 - HKLM\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKLM\..\RunServices: [Win Tasks 32] wintasks32.exe
O4 - HKLM\..\RunServices: [Microsoft FixUp] stpowrbj.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Microsoft Explorer AutoRun (Explorer) - Unknown owner - C:\WINDOWS\System32\C:\WINDOWS\System32\C:\WINDOWS\System32\winsprm.exe" -netsvcs (file missing)
O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINDOWS\win32host.exe (file missing)


The 4 text files from datFind:
system32:
Volume in drive C is ACER
Volume Serial Number is 3916-15E2

Directory of C:\WINDOWS\system32

25.09.2006 12:47 3.334 ybcfe.ini2
25.09.2006 12:35 3.235 ybcfe.tmp
25.09.2006 12:02 234.185 guard.tmp
25.09.2006 11:57 234.185 d40m0ed1eh0.dll
25.09.2006 11:45 234.185 fhclient.dll
25.09.2006 11:40 516 ysstqnpt.txt
25.09.2006 11:35 234.185 mv06l9ds1.dll
25.09.2006 11:34 234.185 metext40.dll
25.09.2006 10:58 234.065 ktl0l73m1.dll
25.09.2006 10:57 236.018 nptui2.dll
25.09.2006 10:48 237.257 ir80l5lm1.dll
25.09.2006 10:46 235.614 f0j2la1o1d.dll
25.09.2006 10:34 863.232 ybcfe.bak2
25.09.2006 10:33 235.614 ibfgnt5.dll
25.09.2006 10:21 143 mcrh.tmp
25.09.2006 10:04 234.869 ttpmon.dll
25.09.2006 09:44 235.196 ssbcsp.dll

25.09.2006 08:11 1.158 wpa.dbl
23.09.2006 16:36 234.869 i6lolg3316.dll
23.09.2006 16:17 234.869 guard.tmp_tobedeleted
23.09.2006 16:15 234.869 enl8l13u1.dll
23.09.2006 15:45 234.869 HBODStormEncoder.dll
23.09.2006 15:45 196.160 FNTCACHE.DAT
23.09.2006 15:28 236.470 en06l1ds1.dll
23.09.2006 14:40 234.869 ctyptsvc.dll
23.09.2006 14:30 234.122 vhs_ps.dll
23.09.2006 14:24 234.303 EfnClass.Dll

23.09.2006 14:14 911.074 PerfStringBackup.INI
23.09.2006 14:14 54.614 perfc009.dat
23.09.2006 14:14 396.586 perfh007.dat
23.09.2006 14:14 65.866 perfc007.dat
23.09.2006 14:14 384.930 perfh009.dat
23.09.2006 14:09 235.744 mrwebdvd.dll
23.09.2006 14:08 90 spupdwxp.log
23.09.2006 13:30 45.525 obscdnbi.dll
23.09.2006 13:30 863.139 ybcfe.bak1
23.09.2006 13:29 234.303 ogbccr32.dll
23.09.2006 13:16 235.355 gp80l3lm1.dll
22.09.2006 17:50 4.814 kps001.sys
22.09.2006 17:45 320 lps.dat
22.09.2006 17:40 1.233 hag44209.sys
22.09.2006 17:40 17.408 tftp.exe
22.09.2006 17:39 235.963 enr6l19s1.dll
09.09.2006 20:47 0 kgctini.dat
09.09.2006 20:47 0 inistone.ini
07.09.2006 12:54 57.384 avsda.dll
03.09.2006 18:05 40.973 xxyvspn.dll
31.08.2006 14:24 573.492 efcby.dll
03.08.2006 12:54 233.778 o6rolg9316.dll
29.07.2006 21:18 236.725 mtw3prt.dll
03.07.2006 21:23 233.778 hgetcfg.dll
27.06.2006 15:49 0 eraseme_13123.exe
26.06.2006 19:40 148.480 dnsapi.dll
26.06.2006 19:40 8.192 rasadhlp.dll
25.06.2006 16:59 234.031 hrl6053se.dll
20.06.2006 13:09 235.679 s6rslg9716.dll
17.06.2006 12:27 235.790 sumpapi.dll
17.06.2006 12:14 236.935 sbardssp.dll
16.06.2006 20:15 235.790 ptdgen.dll
11.06.2006 13:06 234.975 mkgsvc.dll
11.06.2006 12:46 233.973 irn0l55m1.dll
11.06.2006 09:00 233.973 prfmgr.dll
09.06.2006 15:12 234.896 wknstrm.dll
06.06.2006 20:47 235.978 nstui1.dll
06.06.2006 08:12 2 wnstssu.exe
06.06.2006 08:12 81.920 dexplore.dll
06.06.2006 08:09 0 TFTP5432


systemtemp:

Volume in drive C is ACER
Volume Serial Number is 3916-15E2

Directory of C:\DOKUME~1\Inge\LOKALE~1\Temp

25.09.2006 12:28 0 kb.log


system:
Volume in drive C is ACER
Volume Serial Number is 3916-15E2

Directory of C:\WINDOWS

25.09.2006 12:34 3.832 ModemLog_Agere Systems AC'97 Modem.txt
25.09.2006 12:34 157 wiadebug.log
25.09.2006 12:34 0 0.log
25.09.2006 12:34 2.048 bootstat.dat
25.09.2006 12:33 32.626 SchedLgU.Txt
25.09.2006 12:33 1.149.842 WindowsUpdate.log
25.09.2006 12:33 50 wiaservc.log
25.09.2006 08:27 42.736 icont.exe
25.09.2006 08:08 11.030 updspapi.log
25.09.2006 08:08 48.398 KB912919.log
25.09.2006 08:08 39.287 KB886185.log
25.09.2006 08:08 50.701 KB908531.log
25.09.2006 08:08 46.978 KB905749.log
23.09.2006 16:15 198.320 ntbtlog.txt
23.09.2006 15:40 8.400 ocmsn.log
23.09.2006 15:40 26.611 netfxocm.log
23.09.2006 15:40 57.478 msmqinst.log
23.09.2006 15:40 76.650 tsoc.log
23.09.2006 15:40 88.670 ocgen.log
23.09.2006 15:40 167.753 FaxSetup.log
23.09.2006 15:40 36.380 ntdtcsetup.log
23.09.2006 15:40 8.355 tabletoc.log
23.09.2006 15:40 61.094 comsetup.log
23.09.2006 15:40 7.920 msgsocm.log
23.09.2006 15:40 16.384 $NtUninstallKB888302$
23.09.2006 15:40 217.539 iis6.log
23.09.2006 15:40 16.384 $NtUninstallKB900725$
23.09.2006 15:40 9.701 medctroc.Log
23.09.2006 15:40 1.374 imsins.log
23.09.2006 15:40 16.384 $NtUninstallKB912919$
23.09.2006 15:40 16.384 $NtUninstallKB886185$
23.09.2006 15:40 23.882 KB916595.log
23.09.2006 15:40 16.384 $NtUninstallKB916595$
23.09.2006 15:40 23.774 KB904706.log
23.09.2006 15:40 16.384 $NtUninstallKB904706$
23.09.2006 15:39 16.384 $NtUninstallKB908531$
23.09.2006 15:39 16.384 $NtUninstallKB905749$
23.09.2006 15:39 23.844 KB913580.log
23.09.2006 15:39 19.650 KB896428.log
23.09.2006 15:38 22.768 KB911567.log
23.09.2006 15:38 22.893 KB894391.log
23.09.2006 15:38 18.226 KB908519.log
23.09.2006 15:38 21.053 KB920683.log
23.09.2006 15:37 20.480 KB914389.log
23.09.2006 14:45 1.864 OEWABLog.txt
23.09.2006 14:44 662 wmsetup.log
23.09.2006 14:12 29.116 spupdsvc.log
23.09.2006 14:11 731 DtcInstall.log
23.09.2006 14:11 638 win.ini
23.09.2006 14:10 316.640 WMSysPr9.prx
23.09.2006 14:08 926.053 setuplog.txt
23.09.2006 14:06 807.623 svcpack.log
23.09.2006 14:00 200 cmsetacl.log
23.09.2006 13:59 3.085 sessmgr.setup.log
22.09.2006 17:41 0 keyboard1.dat
30.07.2006 10:40 227.000 setupact.log

sys:

Volume in drive C is ACER
Volume Serial Number is 3916-15E2

Directory of C:\

25.09.2006 12:50 0 sys.txt
25.09.2006 12:49 9.270 system.txt
25.09.2006 12:48 277 systemtemp.txt
25.09.2006 12:47 104.079 system32.txt
25.09.2006 12:34 518.508.544 hiberfil.sys
25.09.2006 12:34 780.140.544 pagefile.sys
25.09.2006 12:12 186 VundoFix.txt
25.09.2006 12:00 2.402 avenger.txt
25.09.2006 10:32 1.080 ldcnqoou.bat
23.09.2006 14:00 211 BOOT.INI
23.09.2006 13:49 251.184 ntldr
23.09.2006 13:49 47.564 NTDETECT.COM
22.09.2006 17:41 676.081 deskbar_e11.exe
20.09.2006 22:09 676.081 deskbar_e9.exe
19.09.2006 20:26 251.262 deskbar8.exe
19.09.2006 11:00 251.352 deskbar.exe
15.09.2006 13:58 251.262 deskbar4.exe
03.09.2006 18:04 251.262 deskbar3.exe
31.08.2006 14:19 251.262 deskbar2.exe



Thanks for your help

Regards, Johiii
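An added example (editorial, not from Johiii's post and not HijackThis code) that applies to the log above the checks a helper makes by eye: RunServices entries, autostarts given as a bare filename with no path, O23 services with no readable owner or a missing image, the repeated drive letter in the "Explorer" service's image path, the about:blank search hijack, and the empty Winlogon Shell value. The sample lines are copied from the posted log; the rule set and the Finding type are the editor's own.

```python
"""Triage a HijackThis 1.99 log for the autostart patterns seen in the
Vundo/Look2Me case above.  Added example: not from the forum post and not
HijackThis code.  SAMPLE_LOG is a subset of the log lines posted above."""
import re
from dataclasses import dataclass

SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/",
    r"F2 - REG:system.ini: Shell=",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r"O4 - HKLM\..\RunServices: [Audio System] Sound.exe",
    r"O4 - HKLM\..\RunServices: [Microsoft FixUp] stpowrbj.exe",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe",
    r"O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe",
    r"O23 - Service: Performance True Type Fonts (PerfFont) - Unknown owner - C:\WINDOWS\System32\perfont.exe (file missing)",
    r'O23 - Service: Microsoft Explorer AutoRun (Explorer) - Unknown owner - C:\WINDOWS\System32\C:\WINDOWS\System32\C:\WINDOWS\System32\winsprm.exe" -netsvcs (file missing)',
]

# One pattern per HijackThis section this triage looks at.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]+)\) - (?P<owner>.+?) - (?P<path>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<name>\w+)=(?P<value>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section the line came from (O4, O23, R, F2)
    item: str      # autostart name, service short name or registry value name
    reason: str


def first_token(cmd):
    """Executable part of a command line: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[1:close] if close > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(lines):
    """Return one Finding per suspicious property; a line can yield several."""
    findings = []
    for line in lines:
        line = line.rstrip()
        if m := O4_RE.match(line):
            exe = first_token(m["cmd"])
            if m["key"].lower() == "runservices":
                findings.append(Finding("O4", m["name"],
                    "RunServices is a Windows 9x/ME key that XP does not process; legitimate XP installers have no reason to write it"))
            if "\\" not in exe:
                findings.append(Finding("O4", m["name"],
                    f"bare filename {exe!r}: no path, resolved through the executable search path"))
        elif m := O23_RE.match(line):
            if m["owner"].lower() == "unknown owner":
                findings.append(Finding("O23", m["svc"], "no company name could be read from the service binary"))
            if "(file missing)" in m["path"]:
                findings.append(Finding("O23", m["svc"], "service is still registered but its image is gone from disk"))
            if m["path"].count(":\\") > 1:
                findings.append(Finding("O23", m["svc"], "image path is garbled (drive letter repeated)"))
        elif (m := R_RE.match(line)) and m["value"].strip().lower() == "about:blank":
            findings.append(Finding("R", m["key"], "search/start page hijacked to about:blank"))
        elif (m := F2_RE.match(line)) and m["name"].lower() == "shell" and not m["value"].strip():
            findings.append(Finding("F2", "Shell", "Winlogon Shell value is empty instead of Explorer.exe"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.item:<18}{f.reason}")
```

Run as a script it prints eleven findings for the sample. Applied to the full log above the same rules flag every RunServices entry (all five are bare filenames), all three Unknown-owner services and every about:blank search value, while avgnt, ctfmon, TeaTimer and the two AntiVir services come through clean; the R3 URLSearchHook (Deskbar) and O8/O9 lines are outside what this ruleset covers and still need a look by hand.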
25.09.2006, 12:56
Honorary member

Posts: 29434
#2 Johiii

A cleanup doesn't make much sense... formatting would be faster and safer
--------------------------------------------------------------------------
««
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".

««
scan and post the report
Look2Me-Destroyer V1.0.5
http://virus-protect.org/l2mfix.html

««
scan and post the report
http://virus-protect.org/artikel/tools/vundofixx.html

««
scan and post the report
http://virus-protect.org/artikel/tools/combofix.html

««
ServiceFilter.zip
http://virus-protect.org/artikel/tools/ServiceFilter.zip

- unzip
- double-click the file ServiceFilter.vbs
- confirm the version number
- scan
- allow WordPad or Notepad to open
- copy POST_THIS.TXT

---------------------------
««
then Look2Me is gone and I need the 4 logs from datfindbat again (please back to April 2006)
__________
Regards, Sabina

all around PC security
25.09.2006, 13:30
...new here

Thread starter

Posts: 9
#3 Look2Me:
Inge - 06-09-25 13:06:53,46 Service Pack 2
ComboFix 06.09.25 - Running from: "C:\Dokumente und Einstellungen\Inge\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\EfnClass.Dll
C:\WINDOWS\system32\guard.tmp_tobedeleted


Granting sedebugprivilege to Administratoren ... successful


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Dokumente und Einstellungen\Inge\Anwendungsdaten\Sskdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\deskbar2.exe
C:\deskbar3.exe
C:\deskbar4.exe
C:\deskbar8.exe
C:\Dokumente und Einstellungen\Inge\Anwendungsdaten\Install.dat
C:\WINDOWS\system32\dexplore.dll
C:\WINDOWS\system32\wnstssu.exe
C:\Programme\Deskbar
C:\Programme\windows
C:\Programme\Gemeinsame Dateien\{391615E2-0573-1031-0903-03040720002b}
C:\Programme\Gemeinsame Dateien\{391615E2-0574-1031-0903-03040720002b}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\WINDOWS\system32\WNSXS~1
C:\QooBox\Purity\WINDOWS\system32\WNSXS~1\l?gonui.exe
C:\QooBox\Purity\Programme\STEM32~1
C:\QooBox\Purity\Programme\STEM32~1\STEM32~1


((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))


2006-09-25 10:32 1,080 --a------ C:\ldcnqoou.bat
2006-09-25 10:11 3,749 ---hs---- C:\WINDOWS\system32\ybcfe.ini2
2006-09-23 14:55 57,384 --a------ C:\WINDOWS\system32\avsda.dll
2006-09-23 13:57 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
2006-09-23 13:56 896,512 --------- C:\WINDOWS\system32\wmspdmoe.dll
2006-09-23 13:56 88,064 --------- C:\WINDOWS\system32\p2pnetsh.dll
2006-09-23 13:56 870,784 --------- C:\WINDOWS\system32\ati3d1ag.dll
2006-09-23 13:56 86,016 --------- C:\WINDOWS\system32\p2pgasvc.dll
2006-09-23 13:56 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll
2006-09-23 13:56 81,920 --------- C:\WINDOWS\system32\ieencode.dll
2006-09-23 13:56 81,408 --------- C:\WINDOWS\system32\wscsvc.dll
2006-09-23 13:56 8,192 --------- C:\WINDOWS\system32\smbinst.exe
2006-09-23 13:56 755,200 --------- C:\WINDOWS\system32\ir50_32.dll
2006-09-23 13:56 75,776 --------- C:\WINDOWS\system32\strmfilt.dll
2006-09-23 13:56 73,832 --------- C:\WINDOWS\system32\slcoinst.dll
2006-09-23 13:56 73,796 --------- C:\WINDOWS\system32\slserv.exe
2006-09-23 13:56 71,680 --------- C:\WINDOWS\system32\blastcln.exe
2006-09-23 13:56 7,680 --------- C:\WINDOWS\system32\kbdsmsno.dll
2006-09-23 13:56 7,680 --------- C:\WINDOWS\system32\kbdsmsfi.dll
2006-09-23 13:56 7,168 --------- C:\WINDOWS\system32\kbdukx.dll
2006-09-23 13:56 7,168 --------- C:\WINDOWS\system32\kbdno1.dll
2006-09-23 13:56 7,168 --------- C:\WINDOWS\system32\kbdfi1.dll
2006-09-23 13:56 60,416 --------- C:\WINDOWS\system32\fwcfg.dll
2006-09-23 13:56 6,656 --------- C:\WINDOWS\system32\kbdinmal.dll
2006-09-23 13:56 6,656 --------- C:\WINDOWS\system32\kbdinben.dll
2006-09-23 13:56 6,144 --------- C:\WINDOWS\system32\kbdmlt48.dll
2006-09-23 13:56 6,144 --------- C:\WINDOWS\system32\kbdmlt47.dll
2006-09-23 13:56 6,144 --------- C:\WINDOWS\system32\kbdinbe1.dll
2006-09-23 13:56 526,848 --------- C:\WINDOWS\system32\p2psvc.dll
2006-09-23 13:56 52,736 --------- C:\WINDOWS\system32\mspmsnsv.dll
2006-09-23 13:56 516,768 --------- C:\WINDOWS\system32\ativvaxx.dll
2006-09-23 13:56 50,688 --------- C:\WINDOWS\system32\btpanui.dll
2006-09-23 13:56 50,176 --------- C:\WINDOWS\system32\xmlprovi.dll
2006-09-23 13:56 5,632 --------- C:\WINDOWS\system32\kbdmaori.dll
2006-09-23 13:56 49,152 --------- C:\WINDOWS\system32\powercfg.exe
2006-09-23 13:56 484,864 --------- C:\WINDOWS\system32\wmspdmod.dll
2006-09-23 13:56 48,640 --------- C:\WINDOWS\system32\pnrpnsp.dll
2006-09-23 13:56 44,032 --------- C:\WINDOWS\system32\twext.dll
2006-09-23 13:56 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2006-09-23 13:56 397,056 --------- C:\WINDOWS\system32\s3gnb.dll
2006-09-23 13:56 384,512 --------- C:\WINDOWS\system32\mp4sdmod.dll
2006-09-23 13:56 377,984 --------- C:\WINDOWS\system32\ati2dvaa.dll
2006-09-23 13:56 338,432 --------- C:\WINDOWS\system32\ir41_qcx.dll
2006-09-23 13:56 32,866 --------- C:\WINDOWS\system32\slrundll.exe
2006-09-23 13:56 32,866 --------- C:\WINDOWS\slrundll.exe
2006-09-23 13:56 32,768 --------- C:\WINDOWS\system32\ativtmxx.dll
2006-09-23 13:56 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll
2006-09-23 13:56 312,320 --------- C:\WINDOWS\system32\p2pgraph.dll
2006-09-23 13:56 310,272 --------- C:\WINDOWS\system32\mp43dmod.dll
2006-09-23 13:56 30,208 --------- C:\WINDOWS\system32\bthserv.dll
2006-09-23 13:56 29,184 --------- C:\WINDOWS\system32\sdhcinst.dll
2006-09-23 13:56 286,792 --------- C:\WINDOWS\system32\slextspk.dll
2006-09-23 13:56 24,576 --------- C:\WINDOWS\system32\httpapi.dll
2006-09-23 13:56 233,472 --------- C:\WINDOWS\system32\wmpdxm.dll
2006-09-23 13:56 229,376 --------- C:\WINDOWS\system32\ati2cqag.dll
2006-09-23 13:56 22,528 --------- C:\WINDOWS\system32\fltmc.exe
2006-09-23 13:56 202,752 --------- C:\WINDOWS\system32\wmerror.dll
2006-09-23 13:56 201,728 --------- C:\WINDOWS\system32\ati2dvag.dll
2006-09-23 13:56 200,192 --------- C:\WINDOWS\system32\ir50_qc.dll
2006-09-23 13:56 20,992 --------- C:\WINDOWS\system32\bthci.dll
2006-09-23 13:56 2,981,888 --------- C:\WINDOWS\system32\xpsp2res.dll
2006-09-23 13:56 193,024 --------- C:\WINDOWS\system32\fsquirt.exe
2006-09-23 13:56 188,508 --------- C:\WINDOWS\system32\slgen.dll
2006-09-23 13:56 183,808 --------- C:\WINDOWS\system32\ir50_qcx.dll
2006-09-23 13:56 17,408 --------- C:\WINDOWS\system32\winshfhc.dll
2006-09-23 13:56 16,896 --------- C:\WINDOWS\system32\fltlib.dll
2006-09-23 13:56 151,552 --------- C:\WINDOWS\system32\wmidx.dll
2006-09-23 13:56 15,872 --------- C:\WINDOWS\system32\w3ssl.dll
2006-09-23 13:56 14,336 --------- C:\WINDOWS\system32\auditusr.exe
2006-09-23 13:56 13,824 --------- C:\WINDOWS\system32\wscntfy.exe
2006-09-23 13:56 13,824 --------- C:\WINDOWS\system32\cmsetacl.dll
2006-09-23 13:56 129,536 --------- C:\WINDOWS\system32\xmlprov.dll
2006-09-23 13:56 120,320 --------- C:\WINDOWS\system32\ir41_qc.dll
2006-09-23 13:56 118,784 --------- C:\WINDOWS\system32\msdadiag.dll
2006-09-23 13:56 116,224 --------- C:\WINDOWS\system32\p2p.dll
2006-09-23 13:56 114,688 --------- C:\WINDOWS\system32\wmpasf.dll
2006-09-23 13:56 108,032 --------- C:\WINDOWS\system32\wshbth.dll
2006-09-23 13:56 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2006-09-23 13:56 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2006-09-23 13:56 1,119,744 --------- C:\WINDOWS\system32\wmsdmoe2.dll
2006-09-23 13:56 1,001,472 --------- C:\WINDOWS\system32\wmvdmoe2.dll
2006-09-23 13:30 45,525 --a------ C:\WINDOWS\system32\obscdnbi.dll
2006-09-22 17:41 676,081 --a------ C:\deskbar_e11.exe
2006-09-20 22:09 676,081 --a------ C:\deskbar_e9.exe
2006-09-09 20:47 4,814 --a------ C:\WINDOWS\system32\kps001.sys
2006-09-03 18:06 863,232 ---hs---- C:\WINDOWS\system32\ybcfe.bak2
2006-09-03 18:05 40,973 --------- C:\WINDOWS\system32\xxyvspn.dll
2006-08-31 14:24 863,139 ---hs---- C:\WINDOWS\system32\ybcfe.bak1
2006-08-31 14:24 573,492 --------- C:\WINDOWS\system32\efcby.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-09-25 11:40 60416 --a------ C:\WINDOWS\system32\drivers\jnkuywcq.sys
2006-09-25 10:32 60416 --a------ C:\WINDOWS\system32\drivers\koouovvi.sys
2006-09-25 10:22 -------- d-------- C:\Programme\CleanUp!
2006-09-25 08:27 42736 --a------ C:\WINDOWS\icont.exe
2006-09-22 17:40 17408 --a------ C:\WINDOWS\system32\tftp.exe
2006-09-22 17:40 1233 --a------ C:\WINDOWS\system32\hag44209.sys
2006-09-19 11:00 251352 --a------ C:\deskbar.exe
2006-06-27 15:49 0 --a------ C:\WINDOWS\system32\eraseme_13123.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"SpybotSD TeaTimer"="C:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Asus MotherBoard Utility"="asus.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Audio System"="Sound.exe"
"Asus MotherBoard Utility"="asus.exe"
"stonedrv"=""
"Win Tasks 32"="wintasks32.exe"
"Microsoft FixUp"="stpowrbj.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Microsoft Explorer AutoRun"=""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Asus MotherBoard Utility"="asus.exe"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"Microsoft Explorer AutoRun"=""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Asus MotherBoard Utility"="asus.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{D6EC03D8-438B-4C5C-AC83-1B73C429041A}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcby

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ycsrgb.sys

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job

Completion time: 25.09.2006 13:10:52.36
ComboFix.txt
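
An added example for the listings in this thread: the datFind `dir` dumps in the first post and the Files Created / Find3M sections of the ComboFix log in this post (editorial code, not from the posters, datFind or ComboFix). What it shows: the Vundo drops are randomly named but nearly the same size (234.065 to 237.257 bytes, one every ten to twenty minutes on 25.09.2006), and the two random-named drivers in the Find3M section are exactly 60416 bytes each, so sorting by size finds what a name search cannot. The SAMPLE lines are a constructed subset of the posted ones; the 2% / 512-byte tolerances and the three-member minimum are the editor's choices.

```python
"""Cluster a file listing by size to expose polymorphic drops.  Added
example: not from the forum posts and not part of datFind or ComboFix.
Vundo and Look2Me write randomly named DLLs of nearly identical size, so
the sizes cluster even when the names do not.  SAMPLE is constructed from
the datFind (German `dir`) and ComboFix lines posted in this thread."""
import re
from collections import defaultdict
from datetime import datetime

# datFind / dir output: dd.mm.yyyy hh:mm  size-with-dots  name
DIR_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2})\s+(?P<size>[\d.]+)\s+(?P<name>\S.*)$")
# ComboFix output: yyyy-mm-dd hh:mm  size-with-commas  attribute-flags  full path
CF_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+(?P<size>[\d,]+)\s+\S+\s+(?P<path>\S.*)$")

SAMPLE = [
    r"Verzeichnis von C:\WINDOWS\system32",   # header line, skipped by both patterns
    "25.09.2006 12:02 234.185 guard.tmp",
    "25.09.2006 11:57 234.185 d40m0ed1eh0.dll",
    "25.09.2006 11:45 234.185 fhclient.dll",
    "25.09.2006 11:35 234.185 mv06l9ds1.dll",
    "25.09.2006 10:58 234.065 ktl0l73m1.dll",
    "25.09.2006 10:48 237.257 ir80l5lm1.dll",
    "25.09.2006 08:11 1.158 wpa.dbl",
    "23.09.2006 15:45 196.160 FNTCACHE.DAT",
    "23.09.2006 14:14 54.614 perfc009.dat",
    r"2006-09-25 11:40 60416 --a------ C:\WINDOWS\system32\drivers\jnkuywcq.sys",
    r"2006-09-25 10:32 60416 --a------ C:\WINDOWS\system32\drivers\koouovvi.sys",
    r"2006-09-25 10:22 -------- d-------- C:\Programme\CleanUp!",   # directory, skipped
    r"2006-09-25 10:11 3,749 ---hs---- C:\WINDOWS\system32\ybcfe.ini2",
    r"2006-09-23 13:56 81,408 --------- C:\WINDOWS\system32\wscsvc.dll",
    r"2006-06-27 15:49 0 --a------ C:\WINDOWS\system32\eraseme_13123.exe",
]


def parse_listing(lines):
    """Return (timestamp, size_in_bytes, basename) for every file line.
    Header and directory lines match neither pattern and are dropped."""
    entries = []
    for line in lines:
        line = line.strip()
        if m := DIR_RE.match(line):
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%d.%m.%Y %H:%M")
            entries.append((ts, int(m["size"].replace(".", "")), m["name"]))
        elif m := CF_RE.match(line):
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
            entries.append((ts, int(m["size"].replace(",", "")), m["path"].rsplit("\\", 1)[-1]))
    return entries


def size_clusters(entries, min_members=3, rel_tol=0.02, abs_tol=512):
    """Group files whose size lies within tolerance of the group's smallest
    member.  The relative tolerance catches the ~234 KB DLLs; the absolute
    floor stops tiny files (0-byte markers, .ini) from pairing by accident."""
    clusters, current = [], []
    for entry in sorted(entries, key=lambda e: e[1]):
        if current and entry[1] - current[0][1] <= max(abs_tol, current[0][1] * rel_tol):
            current.append(entry)
        else:
            if len(current) >= min_members:
                clusters.append(current)
            current = [entry]
    if len(current) >= min_members:
        clusters.append(current)
    return [{
        "size_range": (c[0][1], c[-1][1]),
        "names": sorted(n for _, _, n in c),
        "first_seen": min(t for t, _, _ in c),
        "last_seen": max(t for t, _, _ in c),
    } for c in clusters]


def identical_sizes(entries, extensions=(".dll", ".sys", ".exe")):
    """Executables sharing an exact byte size: candidates for the same
    binary dropped under several random names, worth comparing by hash."""
    by_size = defaultdict(list)
    for _, size, name in entries:
        if size > 0 and name.lower().endswith(extensions):
            by_size[size].append(name)
    return {s: sorted(n) for s, n in by_size.items() if len(n) > 1}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for c in size_clusters(parsed):
        print(f"{c['size_range']} {c['first_seen']:%H:%M}-{c['last_seen']:%H:%M}: {', '.join(c['names'])}")
    for size, names in identical_sizes(parsed).items():
        print(f"{size} bytes: {', '.join(names)}")
```

On the sample this yields one cluster of six files between 234.065 and 237.257 bytes, all written within 74 minutes on 25.09.2006 (guard.tmp among them: the same size as the DLL dropped five minutes earlier), plus the two 60416-byte drivers as an exact-size pair. Feeding the complete datFind listing through the same functions extends the cluster back to June 2006, which is the quickest way to date the original infection from the logs already posted.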



[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcby

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ycsrgb.sys

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job

Completion time: 25.09.2006 13:10:52.36
ComboFix.txt

Post_this

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 2
Sep 25, 2006 13:29:34


---> Begin Service Listing <---

Unknown Service # 1
Service Name: AntiVirScheduler
Display Name: AntiVir PersonalEdition Classic Planer
Start Mode: Auto
Start Name: LocalSystem
Description: Dienst zur Steuerung von AntiVir Prüfaufträgen und ...
Service Type: Own Process
Path: c:\programme\antivir personaledition classic\sched.exe
State: Running
Process ID: 1776
Started: Wahr
Exit Code: 0
Accept Pause: Wahr
Accept Stop: Wahr

Unknown Service # 2
Service Name: AntiVirService
Display Name: AntiVir PersonalEdition Classic Guard
Start Mode: Auto
Start Name: LocalSystem
Description: Bietet permanenten Schutz vor Viren und Malware mit der AntiVir ...
Service Type: Own Process
Path: c:\programme\antivir personaledition classic\avguard.exe
State: Running
Process ID: 1828
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 3
Service Name: Explorer
Display Name: Microsoft Explorer AutoRun
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: "c:\windows\system32\c:\windows\system32\c:\windows\system32\winsprm.exe" -netsvcs
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #4
Service Name: ose
Display Name: Office Source Engine
Start Mode: Manual
Start Name: LocalSystem
Description: Speichert Installationsdateien, die für Updates und Reparieren verwendet werden, und ist für den ...
Service Type: Own Process
Path: c:\programme\gemeinsame dateien\microsoft shared\source engine\ose.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 5
Service Name: PerfFont
Display Name: Performance True Type Fonts
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\perfont.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 6
Service Name: sqldps
Display Name: sqldps
Start Mode: Disabled
Start Name: LocalSystem
Description: SQL digital Precision ...
Service Type: Own Process
Path: "c:\windows\sqldps.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #7
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Verwaltet Software-basierte Schattenkopien des Volumeschattenkopie-Dienstes. Software-basierte ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{2d8366dc-3dc0-4f09-b7d6-222ee1db0fc9}
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 8
Service Name: Win32Kernel
Display Name: Win32 Kernel Update
Start Mode: Auto
Start Name: LocalSystem
Description: Win32 OS ...
Service Type: Own Process
Path: "c:\windows\win32host.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 9
Service Name: Win32Sr
Display Name: Win32Sr
Start Mode: Disabled
Start Name: LocalSystem
Description: Platform SDK ...
Service Type: Own Process
Path: "c:\windows\win32ssr.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 10
Service Name: winupd
Display Name: winupd
Start Mode: Disabled
Start Name: LocalSystem
Description: winupd...
Service Type: Own Process
Path: "c:\windows\winupd.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

---> End Service Listing <---

There are 92 Win32 services on this machine.
10 were unrecognized.

Script Execution Time: 0,3710938 seconds.
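The ServiceFilter listing and the ComboFix "Reg Loading Points" section in the post above can be triaged mechanically: a service whose ImagePath nests a drive letter three times, a service binary sitting directly in C:\WINDOWS, or an autorun value that is a bare filename such as "Sound.exe" are exactly the entries the helper later tells the poster to remove. The script below is an added example, not code from this thread or from ServiceFilter, ComboFix or any other tool named in it. Both samples are constructed excerpts copied from the posted logs, TRUSTED_DIRS is an assumption about where installed binaries live on this German XP system, and the RunServices check relies on that key being a Windows 9x loading point that NT-based Windows does not execute. It goes slightly beyond the post by handling both service ImagePaths and Run/RunServices values with the same path checks.

```python
"""Triage of the ServiceFilter listing and the ComboFix "Reg Loading Points"
section above.  Added example, not code from the thread or from any tool it
names.  Both samples are constructed excerpts of the posted logs; TRUSTED_DIRS
is an assumption about where installed binaries live on this German XP box."""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: German XP keeps installed software under "Programme".
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\programme")

# Constructed excerpt of the ServiceFilter 1.1 output above.
SERVICEFILTER_SAMPLE = r"""
Unknown Service # 2
Service Name: AntiVirService
Display Name: AntiVir PersonalEdition Classic Guard
Path: c:\programme\antivir personaledition classic\avguard.exe

Unknown Service # 3
Service Name: Explorer
Display Name: Microsoft Explorer AutoRun
Path: "c:\windows\system32\c:\windows\system32\c:\windows\system32\winsprm.exe" -netsvcs

Unknown Service # 8
Service Name: Win32Kernel
Display Name: Win32 Kernel Update
Path: "c:\windows\win32host.exe"
"""

# Constructed excerpt of the "Reg Loading Points" section (REGEDIT4 syntax).
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Audio System"="Sound.exe"
"stonedrv"=""
"Win Tasks 32"="wintasks32.exe"
"""

EXE_RE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def exe_from_command(command: str) -> Optional[str]:
    """Executable named by a command line, quotes and arguments stripped."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else None


def check_path(exe: str) -> List[str]:
    """Heuristics on one executable path; returns the reasons it looks off."""
    reasons: List[str] = []
    low = exe.lower()
    if "\\" not in low:
        # "Sound.exe": the loading point does not even say which file runs.
        reasons.append("bare filename: resolved through the PATH search order")
    else:
        if len(re.findall(r"[a-z]:\\", low)) > 1:
            # "c:\windows\system32\c:\windows\system32\...": no installer writes this.
            reasons.append("drive letter repeated inside the path: malformed ImagePath")
        if not low.startswith(TRUSTED_DIRS):
            reasons.append("binary outside the trusted directories")
    return reasons


def parse_servicefilter(text: str) -> List[Dict[str, str]]:
    """One dict of 'Field: value' pairs per blank-line-separated service block."""
    services = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "Service Name" in fields:
            services.append({k.strip(): v.strip() for k, v in fields.items()})
    return services


def parse_reg_autoruns(text: str) -> List[Tuple[str, str, str]]:
    """(key, value name, unescaped command) triples from REGEDIT4-style text."""
    entries, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := REG_VALUE_RE.match(line)):
            # REGEDIT4 escapes backslash and double quote with a backslash.
            name, command = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            entries.append((key, name, command))
    return entries


def triage(servicefilter_text: str, reg_text: str) -> Dict[str, List[str]]:
    """Every flagged service or autorun, mapped to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for svc in parse_servicefilter(servicefilter_text):
        exe = exe_from_command(svc.get("Path", ""))
        reasons = check_path(exe) if exe else ["Path names no .exe"]
        if reasons:
            findings["service:" + svc["Service Name"]] = reasons
    for key, name, command in parse_reg_autoruns(reg_text):
        # RunServices is a Windows 9x loading point that XP never executes;
        # legitimate XP software has no reason to write it.
        reasons = ["RunServices: Windows 9x key, not executed by XP"] if key.lower().endswith("\\runservices") else []
        exe = exe_from_command(command)
        reasons += check_path(exe) if exe else ["empty or non-.exe command: stale loading point"]
        if reasons:
            findings["autorun:" + name] = reasons
    return findings


if __name__ == "__main__":
    for item, why in sorted(triage(SERVICEFILTER_SAMPLE, REG_SAMPLE).items()):
        print(item, "->", "; ".join(why))
```

Run stand-alone it lists Explorer, Win32Kernel and the three RunServices values, while AntiVirService and the avgnt Run value pass clean; the same functions can be fed the full posted logs unchanged, since the parsers only rely on the "Field: value" and REGEDIT4 layouts.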
25.09.2006, 13:32
Honorary member
Sabina

Posts: 29434
#4 I need the 4 datfindbat logs again (up to April 2006, please)
__________
Kind regards, Sabina

all about PC security
25.09.2006, 13:38
...new here

Thread starter

Posts: 9
#5
Datenträger in Laufwerk C: ist ACER
Volumeseriennummer: 3916-15E2

Verzeichnis von C:\WINDOWS\system32

25.09.2006 13:35 4.102 ybcfe.ini2
25.09.2006 13:01 3.434 ybcfe.ini
25.09.2006 12:35 3.235 ybcfe.tmp
25.09.2006 11:40 516 ysstqnpt.txt
25.09.2006 10:34 863.232 ybcfe.bak2
25.09.2006 10:21 143 mcrh.tmp

25.09.2006 08:11 1.158 wpa.dbl
23.09.2006 15:45 196.160 FNTCACHE.DAT
23.09.2006 14:14 65.866 perfc007.dat
23.09.2006 14:14 384.930 perfh009.dat
23.09.2006 14:14 54.614 perfc009.dat
23.09.2006 14:14 911.074 PerfStringBackup.INI
23.09.2006 14:14 396.586 perfh007.dat
23.09.2006 14:08 90 spupdwxp.log
23.09.2006 13:30 45.525 obscdnbi.dll
23.09.2006 13:30 863.139 ybcfe.bak1
22.09.2006 17:50 4.814 kps001.sys
22.09.2006 17:45 320 lps.dat
22.09.2006 17:40 1.233 hag44209.sys
22.09.2006 17:40 17.408 tftp.exe
09.09.2006 20:47 0 kgctini.dat
09.09.2006 20:47 0 inistone.ini

07.09.2006 12:54 57.384 avsda.dll
03.09.2006 18:05 40.973 xxyvspn.dll
31.08.2006 14:24 573.492 efcby.dll
27.06.2006 15:49 0 eraseme_13123.exe
26.06.2006 19:40 148.480 dnsapi.dll
26.06.2006 19:40 8.192 rasadhlp.dll
06.06.2006 08:09 0 TFTP5432
31.05.2006 15:42 139.264 sbos.dll
05.05.2006 19:54 0 laordewusa.exe
18.04.2006 11:51 0 TFTP4976
17.04.2006 09:51 0 TFTP6116


Datenträger in Laufwerk C: ist ACER
Volumeseriennummer: 3916-15E2

Verzeichnis von C:\DOKUME~1\Inge\LOKALE~1\Temp

25.09.2006 13:31 32.768 ~DF91AC.tmp

Datenträger in Laufwerk C: ist ACER
Volumeseriennummer: 3916-15E2

Verzeichnis von C:\WINDOWS

25.09.2006 13:10 1.351.919 WindowsUpdate.log
25.09.2006 13:09 3.832 ModemLog_Agere Systems AC'97 Modem.txt
25.09.2006 13:09 159 wiadebug.log
25.09.2006 13:09 0 0.log
25.09.2006 13:09 2.048 bootstat.dat
25.09.2006 13:00 19.858 KB899587.log
25.09.2006 12:59 774.454 setupapi.log
25.09.2006 12:33 32.626 SchedLgU.Txt
25.09.2006 12:33 50 wiaservc.log
25.09.2006 08:27 42.736 icont.exe
25.09.2006 08:08 11.030 updspapi.log
25.09.2006 08:08 48.398 KB912919.log
25.09.2006 08:08 39.287 KB886185.log
25.09.2006 08:08 50.701 KB908531.log
25.09.2006 08:08 46.978 KB905749.log
23.09.2006 16:15 198.320 ntbtlog.txt
23.09.2006 15:40 7.920 msgsocm.log
23.09.2006 15:40 8.355 tabletoc.log
23.09.2006 15:40 57.478 msmqinst.log
23.09.2006 15:40 76.650 tsoc.log
23.09.2006 15:40 88.670 ocgen.log
23.09.2006 15:40 167.753 FaxSetup.log
23.09.2006 15:40 36.380 ntdtcsetup.log
23.09.2006 15:40 8.400 ocmsn.log
23.09.2006 15:40 61.094 comsetup.log
23.09.2006 15:40 26.611 netfxocm.log
23.09.2006 15:40 16.384 $NtUninstallKB888302$
23.09.2006 15:40 217.539 iis6.log
23.09.2006 15:40 16.384 $NtUninstallKB900725$
23.09.2006 15:40 9.701 medctroc.Log
23.09.2006 15:40 1.374 imsins.log
23.09.2006 15:40 16.384 $NtUninstallKB912919$
23.09.2006 15:40 16.384 $NtUninstallKB886185$
23.09.2006 15:40 23.882 KB916595.log
23.09.2006 15:40 16.384 $NtUninstallKB916595$
23.09.2006 15:40 23.774 KB904706.log
23.09.2006 15:40 16.384 $NtUninstallKB904706$
23.09.2006 15:39 16.384 $NtUninstallKB908531$
23.09.2006 15:39 16.384 $NtUninstallKB905749$
23.09.2006 15:39 23.844 KB913580.log
23.09.2006 15:39 19.650 KB896428.log
23.09.2006 15:38 22.768 KB911567.log
23.09.2006 15:38 22.893 KB894391.log
23.09.2006 15:38 18.226 KB908519.log
23.09.2006 15:38 21.053 KB920683.log
23.09.2006 15:37 20.480 KB914389.log
23.09.2006 14:45 1.864 OEWABLog.txt
23.09.2006 14:44 662 wmsetup.log
23.09.2006 14:12 29.116 spupdsvc.log
23.09.2006 14:11 731 DtcInstall.log
23.09.2006 14:11 638 win.ini
23.09.2006 14:10 316.640 WMSysPr9.prx
23.09.2006 14:08 926.053 setuplog.txt
23.09.2006 14:06 807.623 svcpack.log
23.09.2006 14:00 200 cmsetacl.log
23.09.2006 13:59 3.085 sessmgr.setup.log
22.09.2006 17:41 0 keyboard1.dat
30.07.2006 10:40 227.000 setupact.log
24.02.2006 15:44 85.523 DirectX.log
22.02.2006 18:07 28.710 hpoins03.dat
01.02.2006 09:10 7.031 KB898461.log
31.01.2006 10:13 6.098 Windows Update.log
31.01.2006 10:09 1.442 COM+.log
04.08.2004 00:58 288.768 winhlp32.exe
04.08.2004 00:58 32.866 slrundll.exe
04.08.2004 00:58 153.600 regedit.exe
04.08.2004 00:58 70.144 notepad.exe
04.08.2004 00:57 10.752 hh.exe
04.08.2004 00:57 1.035.264 explorer.exe
04.08.2004 00:57 50.688 twain_32.dll


Datenträger in Laufwerk C: ist ACER
Volumeseriennummer: 3916-15E2

Verzeichnis von C:\

25.09.2006 13:37 0 sys.txt
25.09.2006 13:36 9.270 system.txt
25.09.2006 13:36 282 systemtemp.txt
25.09.2006 13:35 102.164 system32.txt
25.09.2006 13:31 339 VundoFix.txt
25.09.2006 13:10 12.185 ComboFix.txt
25.09.2006 13:09 518.508.544 hiberfil.sys
25.09.2006 13:09 780.140.544 pagefile.sys
25.09.2006 12:00 2.402 avenger.txt
25.09.2006 10:32 1.080 ldcnqoou.bat
23.09.2006 14:00 211 BOOT.INI
23.09.2006 13:49 251.184 ntldr
23.09.2006 13:49 47.564 NTDETECT.COM
22.09.2006 17:41 676.081 deskbar_e11.exe
20.09.2006 22:09 676.081 deskbar_e9.exe
19.09.2006 11:00 251.352 deskbar.exe




Sorry xD and VundoFix found nothing! T_T
25.09.2006, 13:47
Honorary member
Sabina

Posts: 29434
#6 Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
and double-click to start it. Paste the following into "Enter search strings":

Win32Kernel
Win32 Kernel Update
winupd
Win32Sr
PerfFont
Microsoft Explorer AutoRun
winsprm.exe


in the edit box and click "Ok".
Notepad will open -- copy the text out and post it.
__________
Kind regards, Sabina

all about PC security
25.09.2006, 13:56
...new here

Thread starter

Posts: 9
#7 Could it be that I'm not giving the VundoFix scan a chance because I keep blocking VundoFix's processes with AntiVir?

Win32Kernel

Quote

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Win32Kernel" 25.09.2006 13:49:55

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32KERNEL]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32KERNEL\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32KERNEL\0000]
"Service"="Win32Kernel"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Kernel]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Kernel\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Kernel\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Kernel\Enum]
"0"="Root\\LEGACY_WIN32KERNEL\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32KERNEL]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32KERNEL\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32KERNEL\0000]
"Service"="Win32Kernel"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Kernel]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Kernel\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32KERNEL]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32KERNEL\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32KERNEL\0000]
"Service"="Win32Kernel"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Kernel]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Kernel\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Kernel\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Kernel\Enum]
"0"="Root\\LEGACY_WIN32KERNEL\\0000"
Win32 Kernel Update

Quote

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Win32 Kernel Update" 25.09.2006 13:51:11

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32KERNEL\0000]
"DeviceDesc"="Win32 Kernel Update"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Kernel]
"DisplayName"="Win32 Kernel Update"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32KERNEL\0000]
"DeviceDesc"="Win32 Kernel Update"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Kernel]
"DisplayName"="Win32 Kernel Update"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32KERNEL\0000]
"DeviceDesc"="Win32 Kernel Update"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Kernel]
"DisplayName"="Win32 Kernel Update"
winupd

Quote

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "winupd" 25.09.2006 13:52:09

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINUPD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINUPD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINUPD\0000]
"Service"="winupd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINUPD\0000]
"DeviceDesc"="winupd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winupd]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winupd]
"DisplayName"="winupd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winupd]
"Description"="winupd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winupd\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winupd\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winupd\Enum]
"0"="Root\\LEGACY_WINUPD\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINUPD]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINUPD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINUPD\0000]
"Service"="winupd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINUPD\0000]
"DeviceDesc"="winupd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winupd]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winupd]
"DisplayName"="winupd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winupd]
"Description"="winupd"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winupd\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUPD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUPD\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUPD\0000]
"Service"="winupd"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUPD\0000]
"DeviceDesc"="winupd"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winupd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winupd]
"DisplayName"="winupd"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winupd]
"Description"="winupd"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winupd\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winupd\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winupd\Enum]
"0"="Root\\LEGACY_WINUPD\\0000"
Win32Sr

Quote

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Win32Sr" 25.09.2006 13:53:10

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32SR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32SR\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32SR\0000]
"Service"="Win32Sr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32SR\0000]
"DeviceDesc"="Win32Sr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Sr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Sr]
"DisplayName"="Win32Sr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Sr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Sr\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Sr\Enum]
"0"="Root\\LEGACY_WIN32SR\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32SR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32SR\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32SR\0000]
"Service"="Win32Sr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32SR\0000]
"DeviceDesc"="Win32Sr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Sr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Sr]
"DisplayName"="Win32Sr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Sr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32SR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32SR\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32SR\0000]
"Service"="Win32Sr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32SR\0000]
"DeviceDesc"="Win32Sr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Sr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Sr]
"DisplayName"="Win32Sr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Sr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Sr\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Sr\Enum]
"0"="Root\\LEGACY_WIN32SR\\0000"
PerfFont

Quote

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "PerfFont" 25.09.2006 13:54:11

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PERFFONT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PERFFONT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PERFFONT\0000]
"Service"="PerfFont"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfFont]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfFont\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfFont\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfFont\Enum]
"0"="Root\\LEGACY_PERFFONT\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PERFFONT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PERFFONT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PERFFONT\0000]
"Service"="PerfFont"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PerfFont]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PerfFont\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PERFFONT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PERFFONT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PERFFONT\0000]
"Service"="PerfFont"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfFont]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfFont\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfFont\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfFont\Enum]
"0"="Root\\LEGACY_PERFFONT\\0000"
Microsoft Explorer AutoRun

Quote

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Microsoft Explorer AutoRun" 25.09.2006 13:55:04

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EXPLORER\0000]
"DeviceDesc"="Microsoft Explorer AutoRun"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Explorer]
"DisplayName"="Microsoft Explorer AutoRun"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_EXPLORER\0000]
"DeviceDesc"="Microsoft Explorer AutoRun"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Explorer]
"DisplayName"="Microsoft Explorer AutoRun"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EXPLORER\0000]
"DeviceDesc"="Microsoft Explorer AutoRun"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Explorer]
"DisplayName"="Microsoft Explorer AutoRun"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Explorer AutoRun"=""

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Explorer AutoRun"=""
25.09.2006, 14:01
Honorary member
Sabina

Posts: 29434
#8 ««
post the log
http://www.f-secure.com/blacklight/
start the file, accept the licence agreement and choose scan; when the scan is finished, press next and then close. There will now be an FSB*.TXT file in the same folder as Blacklight

««
post the first datfindbat log again - up to January 2006 ;)
__________
Kind regards, Sabina

all about PC security
25.09.2006, 14:02
...new here

Thread starter

Posts: 9
#9 FSB:
09/25/06 13:58:59 [Info]: BlackLight Engine 1.0.46 initialized
09/25/06 13:58:59 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/25/06 13:58:59 [Note]: 7019 4
09/25/06 13:58:59 [Note]: 7005 0
09/25/06 13:59:02 [Note]: 7006 0
09/25/06 13:59:02 [Note]: 7011 2036
09/25/06 13:59:02 [Note]: 7026 0
09/25/06 13:59:02 [Note]: 7026 0
09/25/06 13:59:06 [Note]: FSRAW library version 1.7.1019

System32: (unfortunately there was nothing more before January... I can send you 2005 ~.~ sorry that I have to torment you like this)
Datenträger in Laufwerk C: ist ACER
Volumeseriennummer: 3916-15E2

Verzeichnis von C:\WINDOWS\system32

25.09.2006 13:35 4.102 ybcfe.ini2
25.09.2006 13:01 3.434 ybcfe.ini
25.09.2006 12:35 3.235 ybcfe.tmp
25.09.2006 11:40 516 ysstqnpt.txt
25.09.2006 10:45 4.212 zllictbl.dat
25.09.2006 10:34 863.232 ybcfe.bak2
25.09.2006 10:21 143 mcrh.tmp
25.09.2006 08:11 1.158 wpa.dbl
23.09.2006 15:45 196.160 FNTCACHE.DAT
23.09.2006 14:14 65.866 perfc007.dat
23.09.2006 14:14 384.930 perfh009.dat
23.09.2006 14:14 54.614 perfc009.dat
23.09.2006 14:14 911.074 PerfStringBackup.INI
23.09.2006 14:14 396.586 perfh007.dat
23.09.2006 14:08 90 spupdwxp.log
23.09.2006 13:30 45.525 obscdnbi.dll
23.09.2006 13:30 863.139 ybcfe.bak1
22.09.2006 17:50 4.814 kps001.sys
22.09.2006 17:45 320 lps.dat
22.09.2006 17:40 1.233 hag44209.sys
22.09.2006 17:40 17.408 tftp.exe
09.09.2006 20:47 0 kgctini.dat
09.09.2006 20:47 0 inistone.ini
07.09.2006 12:54 57.384 avsda.dll
03.09.2006 18:05 40.973 xxyvspn.dll
31.08.2006 14:24 573.492 efcby.dll
27.06.2006 15:49 0 eraseme_13123.exe
26.06.2006 19:40 148.480 dnsapi.dll
26.06.2006 19:40 8.192 rasadhlp.dll
06.06.2006 08:09 0 TFTP5432
31.05.2006 15:42 139.264 sbos.dll
05.05.2006 19:54 0 laordewusa.exe
18.04.2006 11:51 0 TFTP4976
17.04.2006 09:51 0 TFTP6116
30.03.2006 20:18 0 plscd.exe
17.03.2006 11:11 679.424 inetcomm.dll
17.03.2006 06:03 8.493.056 shell32.dll
17.03.2006 02:38 28.672 verclsid.exe
01.03.2006 21:43 91.136 mtxoci.dll
01.03.2006 21:43 11.776 xolehlp.dll
01.03.2006 21:43 66.560 mtxclu.dll
01.03.2006 21:43 161.280 msdtcuiu.dll
01.03.2006 21:43 956.416 msdtctm.dll
01.03.2006 21:43 426.496 msdtcprx.dll
25.09.2006, 14:03
Honorary member
Sabina

Posts: 29434
#10 o.k., in about 30 minutes I'll send you the complete cleanup; I have to go out first
__________
Kind regards, Sabina

all about PC security
25.09.2006, 14:09
...new here

Thread starter

Posts: 9
#11 Thank you so much!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
you are my lifesaver ^^
25.09.2006, 14:46
Honorary member
Sabina

Posts: 29434
#12 Avenger
http://virus-protect.org/artikel/tools/avenger.html

paste this in

Quote

registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcby
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ycsvgd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ycsvgd
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ycsrgb.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32KERNEL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Kernel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32KERNEL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Kernel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32KERNEL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Kernel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINUPD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winupd
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINUPD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winupd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUPD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winupd
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32SR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Sr
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32SR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Sr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32SR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Sr
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PERFFONT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfFont
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PERFFONT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PerfFont
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PERFFONT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfFont
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EXPLORER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Explorer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_EXPLORER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Explorer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EXPLORER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Explorer

Files to delete:
C:\WINDOWS\system32\drivers\jnkuywcq.sys
C:\WINDOWS\system32\drivers\koouovvi.sys
C:\WINDOWS\system32\kps001.sys
C:\WINDOWS\system32\hag44209.sys
C:\WINDOWS\system32\ycsrgb.sys
C:\WINDOWS\system32\ybcfe.ini2
C:\WINDOWS\system32\ybcfe.ini
C:\WINDOWS\system32\ybcfe.tmp
C:\WINDOWS\system32\ysstqnpt.txt
C:\WINDOWS\system32\ybcfe.bak2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\obscdnbi.dll
C:\WINDOWS\system32\ybcfe.bak1
C:\WINDOWS\system32\lps.dat
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\kgctini.dat
C:\WINDOWS\system32\inistone.ini
C:\WINDOWS\system32\xxyvspn.dll
C:\WINDOWS\system32\efcby.dll
C:\WINDOWS\system32\eraseme_13123.exe
C:\WINDOWS\system32\TFTP5432
C:\WINDOWS\system32\sbos.dll
C:\WINDOWS\system32\laordewusa.exe
C:\WINDOWS\system32\TFTP4976
C:\WINDOWS\system32\TFTP6116
C:\WINDOWS\system32\plscd.exe
C:\WINDOWS\system32\perfont.exe
C:\WINDOWS\system32\winsprm.exe
C:\WINDOWS\win32ssr.exe
C:\WINDOWS\win32host.exe
C:\WINDOWS\icont.exe
C:\WINDOWS\winupd.exe
C:\WINDOWS\keyboard1.dat
C:\ldcnqoou.bat
C:\deskbar_e11.exe
C:\deskbar_e9.exe
C:\deskbar.exe

Click the green traffic light
the script will now run, then the PC will restart automatically

**
post the Avenger log that appears after the restart

**

open HijackThis -- "scan" button -- tick the malware entries -- "Fix checked" button -- restart the PC

Quote

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Programme\Deskbar\deskbar.dll

O4 - HKLM\..\RunServices: [Audio System] Sound.exe
O4 - HKLM\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKLM\..\RunServices: [Win Tasks 32] wintasks32.exe
O4 - HKLM\..\RunServices: [Microsoft FixUp] stpowrbj.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe

1.
scan and post the scan report
http://virus-protect.org/artikel/tools/fprot.html

2.
scan with Kaspersky and Sophos and post the scan reports
http://virus-protect.org/multiavtool.html

3.
post the ComboFix log again + the 4 datfindbat logs
__________
Kind regards, Sabina

all about PC security
Seitenanfang Seitenende
25.09.2006, 15:04
...new here

Thread starter

Posts: 9
#13 //////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ngbjysba

*******************

Script file located at: \??\C:\bxyqtwgp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ycsvgd not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ycsvgd failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ycsvgd
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ycsvgd.sys not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ycsvgd.sys failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ycsvgd.sys
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ycsrgb.sys deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32KERNEL deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Kernel deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32KERNEL deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Kernel deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32KERNEL not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32KERNEL failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32KERNEL
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Kernel not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Kernel failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Kernel
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINUPD deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winupd deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINUPD deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winupd deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUPD not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUPD failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUPD
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winupd not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winupd failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winupd
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WIN32SR deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Win32Sr deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WIN32SR deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Win32Sr deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32SR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32SR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WIN32SR
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Sr not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Sr failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32Sr
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PERFFONT deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfFont deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PERFFONT deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PerfFont deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PERFFONT not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PERFFONT failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PERFFONT
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfFont not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfFont failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfFont
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EXPLORER\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Explorer deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_EXPLORER\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Explorer deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EXPLORER\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EXPLORER\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EXPLORER\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Explorer not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Explorer failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Explorer
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\jnkuywcq.sys deleted successfully.
File C:\WINDOWS\system32\drivers\koouovvi.sys deleted successfully.
File C:\WINDOWS\system32\kps001.sys deleted successfully.
File C:\WINDOWS\system32\hag44209.sys deleted successfully.


File C:\WINDOWS\system32\ycsrgb.sys not found!
Deletion of file C:\WINDOWS\system32\ycsrgb.sys failed!

Could not process line:
C:\WINDOWS\system32\ycsrgb.sys
Status: 0xc0000034

File C:\WINDOWS\system32\ybcfe.ini2 deleted successfully.
File C:\WINDOWS\system32\ybcfe.ini deleted successfully.
File C:\WINDOWS\system32\ybcfe.tmp deleted successfully.
File C:\WINDOWS\system32\ysstqnpt.txt deleted successfully.
File C:\WINDOWS\system32\ybcfe.bak2 deleted successfully.
File C:\WINDOWS\system32\mcrh.tmp deleted successfully.
File C:\WINDOWS\system32\obscdnbi.dll deleted successfully.
File C:\WINDOWS\system32\ybcfe.bak1 deleted successfully.
File C:\WINDOWS\system32\lps.dat deleted successfully.
File C:\WINDOWS\system32\tftp.exe deleted successfully.
File C:\WINDOWS\system32\kgctini.dat deleted successfully.
File C:\WINDOWS\system32\inistone.ini deleted successfully.
File C:\WINDOWS\system32\xxyvspn.dll deleted successfully.
File C:\WINDOWS\system32\efcby.dll deleted successfully.
File C:\WINDOWS\system32\eraseme_13123.exe deleted successfully.
File C:\WINDOWS\system32\TFTP5432 deleted successfully.
File C:\WINDOWS\system32\sbos.dll deleted successfully.
File C:\WINDOWS\system32\laordewusa.exe deleted successfully.
File C:\WINDOWS\system32\TFTP4976 deleted successfully.
File C:\WINDOWS\system32\TFTP6116 deleted successfully.
File C:\WINDOWS\system32\plscd.exe deleted successfully.


File C:\WINDOWS\system32\perfont.exe not found!
Deletion of file C:\WINDOWS\system32\perfont.exe failed!

Could not process line:
C:\WINDOWS\system32\perfont.exe
Status: 0xc0000034



File C:\WINDOWS\system32\winsprm.exe not found!
Deletion of file C:\WINDOWS\system32\winsprm.exe failed!

Could not process line:
C:\WINDOWS\system32\winsprm.exe
Status: 0xc0000034



File C:\WINDOWS\win32ssr.exe not found!
Deletion of file C:\WINDOWS\win32ssr.exe failed!

Could not process line:
C:\WINDOWS\win32ssr.exe
Status: 0xc0000034



File C:\WINDOWS\win32host.exe not found!
Deletion of file C:\WINDOWS\win32host.exe failed!

Could not process line:
C:\WINDOWS\win32host.exe
Status: 0xc0000034

File C:\WINDOWS\icont.exe deleted successfully.


File C:\WINDOWS\winupd.exe not found!
Deletion of file C:\WINDOWS\winupd.exe failed!

Could not process line:
C:\WINDOWS\winupd.exe
Status: 0xc0000034

File C:\WINDOWS\keyboard1.dat deleted successfully.
File C:\ldcnqoou.bat deleted successfully.


File C:\deskbar_e11.exe not found!
Deletion of file C:\deskbar_e11.exe failed!

Could not process line:
C:\deskbar_e11.exe
Status: 0xc0000034



File C:\deskbar_e9.exe not found!
Deletion of file C:\deskbar_e9.exe failed!

Could not process line:
C:\deskbar_e9.exe
Status: 0xc0000034



File C:\deskbar.exe not found!
Deletion of file C:\deskbar.exe failed!

Could not process line:
C:\deskbar.exe
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcby deleted successfully.

Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////


-----------------------------------------------
HijackThis (I did not see this one in HijackThis: R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Programme\Deskbar\deskbar.dll)


Logfile of HijackThis v1.99.1
Scan saved at 14:57:48, on 25.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Inge\Desktop\AntiVundo\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Programme\Outlook Express\msimn.exe"
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: (no name) - {59892B21-9ACE-4466-A13A-6465D3A0ADE9} - C:\WINDOWS\System32\efcby.dll (file missing)
O2 - BHO: (no name) - {D6EC03D8-438B-4C5C-AC83-1B73C429041A} - C:\WINDOWS\System32\xxyvspn.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [evvlnohc] C:\kjcqgdkf.bat
O4 - HKLM\..\Run: [nckerhup] C:\eyhgnsmi.bat
O4 - HKLM\..\RunServices: [Audio System] Sound.exe
O4 - HKLM\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKLM\..\RunServices: [Win Tasks 32] wintasks32.exe
O4 - HKLM\..\RunServices: [Microsoft FixUp] stpowrbj.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe

Those were the first 2; I will post the next ones as soon as they are done.
25.09.2006, 15:07
Honorary member
Sabina

Posts: 29434
#14 fix with HijackThis:

Quote

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: (no name) - {59892B21-9ACE-4466-A13A-6465D3A0ADE9} - C:\WINDOWS\System32\efcby.dll (file missing)
O2 - BHO: (no name) - {D6EC03D8-438B-4C5C-AC83-1B73C429041A} - C:\WINDOWS\System32\xxyvspn.dll (file missing)

O4 - HKLM\..\Run: [evvlnohc] C:\kjcqgdkf.bat
O4 - HKLM\..\Run: [nckerhup] C:\eyhgnsmi.bat
O4 - HKLM\..\RunServices: [Audio System] Sound.exe
O4 - HKLM\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKLM\..\RunServices: [Win Tasks 32] wintasks32.exe
O4 - HKLM\..\RunServices: [Microsoft FixUp] stpowrbj.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe

fix this one so that it is removed from autostart, because it interferes:

Quote

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
restart the PC

««
then work through the rest and post the logs, above all the datfindbat and combofix logs again, and the scan logs as well
__________
Regards, Sabina

all about PC security
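As an added example (not code from this thread, from HijackThis, or from any of the tools mentioned), here is a small Python triage script that applies the criteria used in the posts above to HijackThis log lines: IE search settings overwritten with about:blank, BHO entries whose DLL is missing or that carry no name, and O4 autostart entries that sit under the Windows 9x-only RunServices key, name a program without any path, or point to a batch file in the drive root. The sample lines are constructed after the logs in this thread; the heuristics, function names and reason texts are the example's own assumptions, and a flag only means "look at this entry", not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the HijackThis 1.99.1 lines posted in this
# thread (not the full log). Raw string so the backslashes survive as-is.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
O2 - BHO: (no name) - {59892B21-9ACE-4466-A13A-6465D3A0ADE9} - C:\WINDOWS\System32\efcby.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [evvlnohc] C:\kjcqgdkf.bat
O4 - HKLM\..\RunServices: [Audio System] Sound.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# IE settings that about:blank hijackers typically overwrite (seen in the R0/R1 lines above).
SEARCH_KEYS = ("Default_Search_URL", "Search Bar", "Search Page", "SearchAssistant", "Start Page")

# O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")


def _o4_target(command: str) -> str:
    """Extract the program path from an O4 command, dropping switches like /min."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" /")[0]


def triage_line(line: str) -> List[str]:
    """Return the list of reasons a single HijackThis line deserves a look (empty if none)."""
    reasons: List[str] = []
    if line.startswith(("R0 - ", "R1 - ")):
        if "= about:blank" in line and any(k in line for k in SEARCH_KEYS):
            reasons.append("IE search/start setting overwritten with about:blank")
    elif line.startswith("O2 - BHO:"):
        if "(file missing)" in line:
            reasons.append("BHO still registered but its DLL is gone")
        if "(no name)" in line:
            reasons.append("BHO without a display name")
    else:
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            target = _o4_target(command)
            if key.lower().startswith("runservices"):
                # RunServices/RunServicesOnce are Windows 9x startup keys; Windows NT/XP
                # does not process them, so legitimate XP software has no reason to write there.
                reasons.append("RunServices is a Windows 9x-only key")
            if "\\" not in target:
                reasons.append("bare file name without a path: program origin cannot be checked")
            elif re.fullmatch(r"[A-Za-z]:\\[^\\]+\.(bat|cmd)", target, re.IGNORECASE):
                reasons.append("batch file in a drive root")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; unflagged lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.rstrip()
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it against a saved HijackThis log by passing the file contents to `triage()`; entries such as the AntiVir and ctfmon lines above fall through untouched, while the four hijacked or orphaned entries are listed with their reasons.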
25.09.2006, 15:20
...new here

Thread starter

Posts: 9
#15 Logfile of HijackThis v1.99.1
Scan saved at 15:18:32, on 25.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Inge\Desktop\AntiVundo\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Programme\Outlook Express\msimn.exe"
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe



HijackThis logfile again

I have a question! Namely... how does f-prot work... I don't have a floppy and I am supposed to enter /NOFLOPPY on a command line, but where is that?