Französische Pop-ups und Antispy-Fenster

#1 Hallo,
aufgrund meines Studiums bin ich öfter auf französischen Seiten und ich muss mir da irgendwas eingefangen haben. Avast und AdAware zeigen zwar Fehler an, aber selbst nach verschieben in die Quarantäne habe ich immer wieder Werbe-Fenster und diese Pseudo-Nachrichten, das mein System von Spyware und ähnlichem bedroht wäre.
Hier der Hijack-Log, ich hoffe ihr werdet schlau daraus. Ich weiss nicht, was ich noch machen soll... Vielen Dank im Voraus!

Logfile of HijackThis v1.99.1
Scan saved at 15:11:12, on 31/05/2001
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Philips ToUcam Camera\GameCam SE\Program\RFTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Documents and Settings\...\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h*p://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Ad-Aware Pro\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Fichiers communs\BOONTY Shared\Service\Boonty.exe

#2 Gedankenfede

poste dieses log
http://virus-protect.org/artikel/tools/combofix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Hi, hier das Ergebnis:

Start Time= 13/03/2007 19:57:53,09

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-09 08:16:24 ( .D... ) "C:\Program Files\Ad-Aware Pro"
2007-02-26 20:56:16 ( .D... ) "C:\Program Files\7-Zip"
2007-02-26 18:41:24 ( .D... ) "C:\Program Files\BFG"
2007-02-26 14:44:22 ( .D... ) "C:\Program Files\Mystery Case Files - Prime Suspects"
2007-02-23 12:37:24 ( .D... ) "C:\Program Files\Windows Media Connect 2"
2007-02-21 09:31:02 ( .D... ) "C:\Program Files\ReflexiveArcade"
2007-02-19 11:17:10 ( .D... ) "C:\Program Files\Avast4"
2007-02-19 09:53:46 ( .D... ) "C:\Program Files\Fichiers communs\BOONTY Shared"
2007-02-07 16:34:04 ( .D... ) "C:\Program Files\Lavalys"
2007-02-07 14:01:46 12293536 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2007-02-02 15:32:46 ( .D... ) "C:\Documents and Settings\paul\Application Data\Talkback"
2007-02-02 14:53:10 ( .D... ) "C:\Program Files\Fichiers communs\xing shared"
2007-02-02 14:52:58 185952 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2007-02-02 14:52:14 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2007-02-02 14:52:14 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2007-02-02 14:52:10 ( .D... ) "C:\Documents and Settings\paul\Application Data\Mozilla"
2007-02-02 14:52:08 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2007-02-02 14:52:04 ( .D... ) "C:\Program Files\Mozilla Firefox"
2007-02-02 14:51:08 ( .D... ) "C:\Documents and Settings\paul\Application Data\Real"
2007-01-29 09:58:06 60416 ( ..... ) "C:\WINDOWS\system32\tzchange.exe"
2007-01-19 12:53:04 51056 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
2007-01-18 00:06:24 47564 ( A.SHR ) "C:\NTDETECT.COM"
2007-01-15 18:32:08 689280 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2007-01-15 18:23:20 90112 ( A.... ) "C:\WINDOWS\system32\AVASTSS.scr"
2007-01-14 09:58:08 ( .D... ) "C:\Documents and Settings\paul\Application Data\ICQ Toolbar"
2007-01-12 09:27:42 6054400 ( A.... ) "C:\WINDOWS\system32\ieframe.dll"
2007-01-12 09:27:42 3580416 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2007-01-12 09:27:42 1149952 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2007-01-12 09:27:42 822784 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2007-01-12 09:27:42 670720 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2007-01-12 09:27:42 477696 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2007-01-12 09:27:42 458752 ( ..... ) "C:\WINDOWS\system32\msfeeds.dll"
2007-01-12 09:27:42 232960 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
2007-01-12 09:27:42 132608 ( A.... ) "C:\WINDOWS\system32\extmgr.dll"
2007-01-12 09:27:42 51712 ( ..... ) "C:\WINDOWS\system32\msfeedsbs.dll"
2007-01-12 09:27:42 27136 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2007-01-08 19:04:54 105984 ( A.... ) "C:\WINDOWS\system32\url.dll"
2007-01-08 19:04:08 102400 ( A.... ) "C:\WINDOWS\system32\occache.dll"
2007-01-08 19:03:02 193024 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2007-01-08 19:02:04 266752 ( A.... ) "C:\WINDOWS\system32\iertutil.dll"
2007-01-08 19:02:04 44544 ( A.... ) "C:\WINDOWS\system32\iernonce.dll"
2007-01-08 19:02:02 384000 ( A.... ) "C:\WINDOWS\system32\iedkcs32.dll"
2007-01-08 19:02:02 383488 ( ..... ) "C:\WINDOWS\system32\ieapfltr.dll"
2007-01-08 19:02:02 230400 ( A.... ) "C:\WINDOWS\system32\ieaksie.dll"
2007-01-08 19:02:02 161792 ( A.... ) "C:\WINDOWS\system32\ieakui.dll"
2007-01-08 19:02:02 153088 ( A.... ) "C:\WINDOWS\system32\ieakeng.dll"
2007-01-08 19:00:48 124928 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
2007-01-08 18:08:14 56832 ( A.... ) "C:\WINDOWS\system32\ie4uinit.exe"
2007-01-08 18:08:10 13824 ( A.... ) "C:\WINDOWS\system32\ieudinit.exe"
2006-12-19 22:49:48 8509952 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-12-19 22:49:48 135168 ( A.... ) "C:\WINDOWS\system32\shsvcs.dll"
2006-12-19 19:17:50 334336 ( A.... ) "C:\WINDOWS\system32\wiaservc.dll"
2006-12-15 03:09:14 127078 ( A.... ) "C:\WINDOWS\system32\javaws.exe"
2006-12-15 01:31:06 53346 ( A.... ) "C:\WINDOWS\system32\javaw.exe"
2006-12-15 01:30:58 49248 ( A.... ) "C:\WINDOWS\system32\java.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"LManager"="C:\\PROGRA~1\\LAUNCH~1\\QtaET2S.EXE"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"avast!"="C:\\PROGRA~1\\Avast4\\ashDisp.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"zmylflxkdq"="c:\\windows\\system32\\zmylflxkdq.exe zmylflxkdq"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"="C:\\Program Files\\ICQLite\\ICQLite.exe -trayboot"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 13/03/2007 19:59:04,38
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

#4 Gedankenfede

««
http://www.f-secure.com/blacklight/
starte die Datei, nimm die Lizenzbestimmung an und waehle scan, wenn es mit dem Scan fertig ist, druecke next und danach close. Nun befindet sich im selben Ordner von Blacklight eine FSB*.TXT Datei - poste den report

««
Avenger
http://virus-protect.org/artikel/tools/avenger.html

Input script manually (anhaken)
kopiere in: View/edit script

Zitat

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|zmylflxkdq

Files to delete:
c:\windows\system32\zmylflxkdq.exe

Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

»»
scanne, stelle nach dem scan alles auf remove und poste den scanreport
http://virus-protect.org/counterspy.html
__________
MfG Sabina

rund um die PC-Sicherheit