Virusburst eingefangen !!!

#1 Hab nun also auch diesen sche.. virusburst aufen rechner hier meine log:


Logfile of HijackThis v1.99.1
Scan saved at 17:43:32, on 14.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Programme\HQVideoCodec\isamonitor.exe
E:\Programme\HQVideoCodec\pmsngr.exe
E:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
E:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Programme\iTunes\iTunesHelper.exe
E:\Programme\Java\jre1.5.0_06\bin\jusched.exe
E:\Programme\D-Tools\daemon.exe
E:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
E:\WINDOWS\system32\ctfmon.exe
D:\Programme\ICQPlus\vplus.exe
E:\Programme\HQVideoCodec\pmmon.exe
E:\Programme\AntiVir PersonalEdition Classic\sched.exe
E:\Programme\AntiVir PersonalEdition Classic\avguard.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Programme\HQVideoCodec\isamini.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Programme\iPod\bin\iPodService.exe
E:\Programme\Mozilla Firefox\firefox.exe
E:\Dokumente und Einstellungen\g1ml1\Desktop\virus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - E:\Programme\HQVideoCodec\isaddon.dll
O4 - HKLM\..\Run: [avgnt] "E:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] E:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSPM Startup] E:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ICQ Lite] "E:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ICQ Plus] "D:\Programme\ICQPlus\vplus.exe"
O4 - HKCU\..\Run: [Skype] "E:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "e:\programme\steam\steam.exe" -silent
O4 - HKCU\..\RunOnce: [ICQ Lite] E:\Programme\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{108A9A00-A89C-458C-A4CB-1257E7BC0FC7}: NameServer = 192.168.178.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{108A9A00-A89C-458C-A4CB-1257E7BC0FC7}: NameServer = 192.168.178.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{108A9A00-A89C-458C-A4CB-1257E7BC0FC7}: NameServer = 192.168.178.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: gaonic - {f31aee4a-1530-4fef-8537-79c6973bff9a} - E:\WINDOWS\system32\tazth.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - E:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - E:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - E:\Programme\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2 christian199

Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinkopieren)

HQVideoCodec

in edit und klicke "Ok".
Notepad wird sich oeffnen

in: "Enter search strings" (reinkopieren)

VirusBurster

in edit und klicke "Ok".
Notepad wird sich oeffnen

________

poste bitte dieses log
http://virus-protect.org/artikel/tools/combofix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 ich wuste jetz nich wirklich weiter deswegen poste ich einfach mal alles



g1ml1 - 06-10-14 21:34:08.01 Service Pack 2
ComboFix 06.10.14.1 - Running from: "E:\Dokumente und Einstellungen\g1ml1\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-14 to 2006-10-14 ))))))))))))))))))))))))))))))))))


2006-10-14 16:50 106,496 --a------ E:\WINDOWS\system32\tazth.dll
2006-09-29 15:52 231,936 --a------ E:\WINDOWS\system32\SNWValid.dll
2006-09-29 15:52 1,022,976 --a------ E:\WINDOWS\system32\SierraNW.dll
2006-09-22 12:24 21,840 --a----t- E:\WINDOWS\system32\SIntfNT.dll
2006-09-22 12:24 17,212 --a----t- E:\WINDOWS\system32\SIntf32.dll
2006-09-22 12:24 12,067 --a----t- E:\WINDOWS\system32\SIntf16.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-14 21:33 -------- d-------- E:\Programme\Mozilla Firefox
2006-10-14 21:28 -------- d-------- E:\Programme\Steam
2006-10-14 21:28 -------- d-------- E:\Dokumente und Einstellungen\g1ml1\Anwendungsdaten\Skype
2006-10-14 21:21 -------- d-------- E:\Programme\VirusBurster
2006-10-14 17:18 -------- d-------- E:\Programme\HQVideoCodec
2006-10-14 14:26 -------- d-------- E:\Programme\Mozilla Thunderbird
2006-09-29 15:52 -------- d-------- E:\Programme\Sierra On-Line
2006-09-29 15:34 -------- d-------- E:\Programme\Project64 v1.5
2006-09-27 14:24 -------- d-------- E:\Programme\Windows Media Player
2006-09-27 14:20 -------- d-------- E:\Programme\Windows NT
2006-09-26 14:57 -------- d-------- E:\Programme\Electronic Arts
2006-09-24 00:59 -------- d--h----- E:\Programme\InstallShield Installation Information
2006-09-20 21:38 98304 --a------ E:\WINDOWS\system32\CmdLineExt.dll
2006-09-19 21:01 -------- d-------- E:\Dokumente und Einstellungen\g1ml1\Anwendungsdaten\Xfire
2006-09-19 15:47 -------- d-------- E:\Programme\ICQLite
2006-09-09 21:47 -------- d-------- E:\Programme\MSN Messenger
2006-09-08 13:19 -------- d-------- E:\Programme\RenegadePublicTools
2006-09-03 12:38 -------- d-------- E:\Dokumente und Einstellungen\g1ml1\Anwendungsdaten\InstallShield
2006-08-18 14:59 -------- d-------- E:\Dokumente und Einstellungen\g1ml1\Anwendungsdaten\Atari
2006-08-15 15:22 -------- d-------- E:\Dokumente und Einstellungen\g1ml1\Anwendungsdaten\vlc
2006-08-15 15:02 -------- d-------- E:\Dokumente und Einstellungen\g1ml1\Anwendungsdaten\dvdcss
2006-08-08 11:49 2194176 --a------ E:\WINDOWS\system32\kernel1.exe
2006-07-29 19:32 48936 --a------ E:\WINDOWS\system32\sirenacm.dll
2006-07-19 22:25 73216 --a------ E:\WINDOWS\cadkasdeinst01.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="E:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"E:\\Programme\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ICQ Plus"="\"D:\\Programme\\ICQPlus\\vplus.exe\""
"Skype"="\"E:\\Programme\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Steam"="\"e:\\programme\\steam\\steam.exe\" -silent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avgnt"="\"E:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"Zone Labs Client"="E:\\Programme\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"NvCplDaemon"="RUNDLL32.EXE E:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE E:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"iTunesHelper"="\"E:\\Programme\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="E:\\Programme\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"DAEMON Tools-1033"="\"E:\\Programme\\D-Tools\\daemon.exe\" -lang 1033"
"ISUSPM Startup"="E:\\PROGRA~1\\GEMEIN~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"E:\\Programme\\Gemeinsame Dateien\\InstallShield\\UpdateService\\issch.exe\" -start"
"ICQ Lite"="\"E:\\Programme\\ICQLite\\ICQLite.exe\" -minimize"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="E:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="E:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{f31aee4a-1530-4fef-8537-79c6973bff9a}"="gaonic"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:ff,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"isamonitor.exe"="E:\\Programme\\HQVideoCodec\\isamonitor.exe"
"pmsngr.exe"="E:\\Programme\\HQVideoCodec\\pmsngr.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"gaonic"="{f31aee4a-1530-4fef-8537-79c6973bff9a}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-14 21:34:50.51
E:\ComboFix.txt ... 06-10-14 21:34











REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 14.10.2006 20:30:01 for strings:
; 'hqvideocodec'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5}\InprocServer32]
@="E:\\Programme\\HQVideoCodec\\iesplugin.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d869742a-e5d2-4624-96c7-aae26170665e}\InprocServer32]
@="E:\\Programme\\HQVideoCodec\\isaddon.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"isamonitor.exe"="E:\\Programme\\HQVideoCodec\\isamonitor.exe"
"pmsngr.exe"="E:\\Programme\\HQVideoCodec\\pmsngr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006]
"UninstallString"="\"E:\\Programme\\HQVideoCodec\\iesuninst.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03]
"UninstallString"="\"E:\\Programme\\HQVideoCodec\\pmuninst.exe\""

[HKEY_USERS\S-1-5-21-842925246-73586283-725345543-1003\Software\Internet Security]
"Path"="E:\\Programme\\HQVideoCodec"

[HKEY_USERS\S-1-5-21-842925246-73586283-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"E:\\Programme\\HQVideoCodec\\isamonitor.exe"="isamonitor"
"E:\\Programme\\HQVideoCodec\\pmsngr.exe"="pmsngr"

; End Of The Log...

#4 christian199

Gehe in die Registry
Start - Ausfuehren - regedit

bearbeiten - suchen - gaonic

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{f31aee4a-1530-4fef-8537-79c6973bff9a}"="gaonic" - loeschen

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"gaonic"="{f31aee4a-1530-4fef-8537-79c6973bff9a}" - loeschen

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"isamonitor.exe
"pmsngr.exe" loeschen

[HKEY_USERS\S-1-5-21-842925246-73586283-725345543-1003\Software\Internet Security] loeschen
"Path"="E:\\Programme\\HQVideoCodec"

_______________________________________________________________

Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein:

Zitat

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f31aee4a-1530-4fef-8537-79c6973bff9a}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d869742a-e5d2-4624-96c7-aae26170665e}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d869742a-e5d2-4624-96c7-aae26170665e}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03

Files to delete:
E:\WINDOWS\system32\tazth.dll

E:\Programme\VirusBurster
E:\Programme\HQVideoCodec

Klicke die grüne Ampel das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

**
scanne mit smitfraudfix (option 1 und 2 )
http://virus-protect.org/artikel/tools/smitfrautfix.html

**
loesche das backup vom Avenger unter E:\Avenger\backup.zip
__________
MfG Sabina

rund um die PC-Sicherheit

#5 danke hat alles geklappt