Vundo, Spy.VBStat.B.1 und Co.

Thema ist geschlossen!
Thema ist geschlossen!
#0
06.06.2007, 16:21
...neu hier

Beiträge: 2
#1 Hallo zusammen!

Bin der Neue und wie immer melden wir uns nur, wenn es brennt. ;-)

Antivir meldet bei mir derzeit gleich mehrfach Alarm. TR/Click.Small.MW, TR/Spy.VBStat.B.1, TR/Click.Small.MW, TR/Vundo.gen, TR/BHO.BD.4 werden gefunden, können aber nicht entfernt werden.

Symptome sind eigentlich nur die Meldung von Antivir und sich öffnende Popups von Windoctor und ähnlichem Kram.

Combofix sagt:
"user" - 2007-06-06 16:01:20 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\user\My Documents\Download\"


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ssttu.dll
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\uttss.bak1
C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\uttss.bak1
C:\WINDOWS\system32\uttss.ini
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.bak2
C:\WINDOWS\system32\yycdd.ini
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\mljghfc.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 )))))))))))))))))))))))))))))))


2007-06-06 15:42 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-06-06 12:25 60,416 --a------ C:\WINDOWS\system32\drivers\kbaiuntf.sys
2007-06-06 12:25 126,976 --a------ C:\zip.exe
2007-06-06 12:25 1,080 --a------ C:\axbexsdp.bat
2007-06-06 12:25 <DIR> d-------- C:\Avenger
2007-06-06 11:50 3,956 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-06 11:46 <DIR> d-------- C:\Program Files\CCleaner
2007-06-06 11:19 <DIR> d-------- C:\Program Files\highjackthis
2007-06-05 11:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-04 16:21 <DIR> d-------- C:\Program Files\ElcomSoft
2007-06-04 11:12 73,216 --a------ C:\WINDOWS\cadkasdeinst01.exe
2007-06-04 11:12 <DIR> d-------- C:\Program Files\PDF Passwort Knacker 1
2007-06-04 09:54 131,124 --a------ C:\WINDOWS\system32\kwmikqoc.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 12:44:06 -------- d-----w C:\Program Files\lg_swupdate
2007-05-16 09:21:46 -------- d-----w C:\Program Files\Reelbox
2007-05-12 08:53:34 -------- d-----w C:\DOCUME~1\user\APPLIC~1\AdobeUM
2007-04-23 07:54:56 -------- d-----w C:\Program Files\QuickTime
2007-04-23 07:53:49 -------- d-----w C:\Program Files\Apple Software Update
2007-04-19 08:42:27 -------- d-----w C:\DOCUME~1\user\APPLIC~1\Thunderbird
2007-04-19 08:42:21 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:48:36 578,048 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:48:36 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:48:36 282,112 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:49:49 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{8FC91547-5CE6-498C-B141-E0715C8A8F43}=C:\WINDOWS\system32\ddcyy.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 C:\WINDOWS\system32\bthprops.cpl]
"LG Intelligent Update"="C:\Program Files\lg_swupdate\autoupdate.exe" [2006-12-21 16:12]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 03:07 C:\WINDOWS\system32\HdAShCut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-03 00:09]
"batterymiser"="C:\Program Files\LG Software\Battery Miser\batterymiser.exe" [2006-09-30 04:29]
"LG Direct Media Button Service"="LGDMEBTN.exe" [2006-02-03 02:59 C:\WINDOWS\system32\LGDMEBTN.exe]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [2006-01-08 17:35]
"KeybdUtility"="C:\Program Files\LG Software\On Screen Display\HotKey.exe" [2006-09-25 20:08]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 03:41]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 21:44 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-17 04:04 C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 04:43 C:\WINDOWS\Alcmtr.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-06-29 07:32 C:\WINDOWS\AGRSMMSG.exe]
"IPO3"="C:\Program Files\LG Software\IP Operator\IP Operator.exe" [2006-04-25 02:22]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-19 09:57]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"SRSTrayApp"="C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRSTrayApp.exe" [2006-02-09 21:17]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-09-05 06:18]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"="C:\WINDOWS\system32\bmpsap.dll" [2006-09-30 04:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyy]
C:\WINDOWS\system32\ddcyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

*Newly Created Service* - USERIO

Contents of the 'Scheduled Tasks' folder
2007-04-23 07:53:51 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 16:08:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-06-06 16:10:01 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-06 16:09

--- E O F ---

Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 16:12:46, on 06.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Infineon\Security Platform Software\PSDrt.exe
C:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\LG Software\Battery Miser\batterymiser.exe
C:\WINDOWS\system32\LGDMEBTN.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\LG Software\On Screen Display\HotKey.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\LG Software\IP Operator\IP Operator.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRSTrayApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\lg_swupdate\tmcheck.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\highjackthis\hjt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8FC91547-5CE6-498C-B141-E0715C8A8F43} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LG Intelligent Update] "C:\Program Files\lg_swupdate\autoupdate.exe" Gilautouc
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [batterymiser] "C:\Program Files\LG Software\Battery Miser\batterymiser.exe"
O4 - HKLM\..\Run: [LG Direct Media Button Service] LGDMEBTN.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\LG Software\On Screen Display\HotKey.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IPO3] "C:\Program Files\LG Software\IP Operator\IP Operator.exe" -aUtOsTaRtFrOmReG
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SRSTrayApp] C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRSTrayApp.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Binuscan.bat
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D4D193B-CF3F-409A-B7FB-6108838938C7}: NameServer = 192.168.2.1
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: IfxWlxEN - C:\WINDOWS\SYSTEM32\IfxWlxEN.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SRS PostInstaller Service (SRS_PostInstaller) - SRS Labs, Inc. - C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

Wäre echt toll wenn mir jemand weiterhelfen könnte.

Gruß Pepilton
Seitenanfang Seitenende
06.06.2007, 19:07
Moderator

Beiträge: 7805
#2 Loesche bitte noch folgende Dateien:

C:\WINDOWS\cadkasdeinst01.exe
C:\WINDOWS\system32\kwmikqoc.dll


Fixe zusaetzlich noch folgendes mit Hijackthis (anhaken und fix checked druecken:

O2 - BHO: (no name) - {8FC91547-5CE6-498C-B141-E0715C8A8F43} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)

Danach bitte neu starten und kontrollieren, ob alle Eintraege verschwunden sind und schaue, ob dein Problem beseitigt ist.
__________
MfG Ralf
SEO-Spam Hunter
Seitenanfang Seitenende
07.06.2007, 10:10
...neu hier

Themenstarter

Beiträge: 2
#3 Hmm, ich probiere da stundenlang rum und ihr löst das mit einer Antwort?! Spricht zwar nicht unbedingt für meine Intelligenz, aber auf jeden Fall: DANKE :-)

Gruß Pepilton
Seitenanfang Seitenende
Um auf dieses Thema zu ANTWORTEN
bitte erst » hier kostenlos registrieren!!

Folgende Themen könnten Dich auch interessieren: