Vundo.Gen virus keeps restarting itself (ddaya.dll) and kills explorer.exe
#0
21.06.2007, 09:54
...new here
Posts: 2
21.06.2007, 10:24
Member
Posts: 694
#2
Hi,
Clean: Empty Recycle Bins - Delete Prefetch files - Cleanup! All Users. Set CleanUp up exactly as described here: http://virus-protect.org/cleanup.html
Run VundoFix: http://virus-protect.org/artikel/tools/vundofixx.html
Then ComboFix: http://virus-protect.org/artikel/tools/combofix.html
Then please a new HJ log; post the logs...
chris
21.06.2007, 10:39
...new here
Thread starter, Posts: 2
#3
CleanUp! started on 06/21/07 10:32:06.
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Temporary Internet Files\Content.MSO\ - deleted
http://adicq.71i.de/images/prosieben_eigenwerbung/icqfreeflow/icq_180x150.swf?clicktag=http%3A//adserver.71i.de/event.ng/Type%3Dclick%26FlightID%3D38279%26AdID%3D63730%26TargetID%3D9443%26Segments%3D10%2C15%2C20%2C23%2C131%2C133%2C135%2C146%2C151%2C154%2C161%2C198%2C200%2C228%2C370%2C414%2C1365%2C1414%2C1651%2C1681%2C1950%2C2035%2C2392%2C2523%2C2561%2C2595%2C2602%2C2675%2C2723%2C2785%2C2878%2C3064%2C3083%2C3084%2C3212%2C3250%2C3502%2C3720%2C3741%2C3742%2C3884%2C4121%2C4127%2C4150%2C4214%2C4227%2C4327%2C4328%2C4345%2C4526%2C4530%2C4561%2C4567%2C4587%2C4589%2C4625%2C4682%2C4726%2C4743%2C4747%2C4796%2C4815%2C4816%26Targets%3D9%2C9619%2C5938%2C9829%2C9443%26Values%3D25%2C31%2C43%2C51%2C60%2C83%2C93%2C100%2C110%2C150%2C155%2C225%2C445%2C472%2C494%2C498%2C505%2C507%2C517%2C518%2C534%2C535%2C536%2C537%2C564%2C603%2C688%2C717%2C937%2C1151%2C1259%2C1445%2C1484%2C1598%2C1608%2C1638%2C1735%2C1849%2C1850%2C1851%2C2146%2C2207%2C2348%2C2351%2C2473%2C2662%2C2699%2C2706%2C2722%2C2729%2C2761%2C2762%2C2776%2C2878%2C3795%2C4193%2C4821%2C4822%2C4850%2C4851%2C4892%2C5065%2C5145%2C9420%26RawValues%3D%26Redirect%3Dhttp%3A//www.prosieben.de/club_community/community/icqspecial/sms/&clicktarget=clicktarget - deleted
http://ad.71i.de/images/writemedia/070605_bloomstreet_maxisingle_650x600.swf?clicktag=http%3A//adserver.71i.de/event.ng/Type%3Dclick%26FlightID%3D40171%26AdID%3D67200%26TargetID%3D10112%26Segments%3D10%2C15%2C20%2C131%2C133%2C135%2C146%2C151%2C154%2C161%2C198%2C200%2C228%2C370%2C414%2C600%2C1000%2C1365%2C1414%2C1535%2C1651%2C1681%2C2035%2C2392%2C2523%2C2561%2C2602%2C2675%2C2723%2C2765%2C2785%2C2878%2C3083%2C3084%2C3221%2C3250%2C3502%2C3534%2C3720%2C3741%2C3742%2C3782%2C3884%2C3951%2C4121%2C4127%2C4150%2C4214%2C4227%2C4327%2C4328%2C4340%2C4345%2C4526%2C4561%2C4567%2C4587%2C4625%2C4682%2C4726%2C4743%2C4796%2C4815%2C4816%26Targets%3D9%2C10027%2C9872%2C10112%2C9307%2C9311%26Values%3D31%2C43%2C51%2C60%2C83%2C93%2C100%2C110%2C150%2C212%2C225%2C445%2C472%2C494%2C505%2C507%2C517%2C518%2C534%2C535%2C536%2C537%2C564%2C603%2C688%2C717%2C1138%2C1141%2C1151%2C1259%2C1445%2C1484%2C1598%2C1608%2C1735%2C1849%2C1850%2C1851%2C2146%2C2207%2C2348%2C2351%2C2473%2C2655%2C2699%2C2758%2C2761%2C2776%2C4794%2C4821%2C4822%2C4850%2C4851%2C4892%2C5145%2C9420%26RawValues%3D%26Redirect%3Dhttp%3A//www.etracker.de/lnkcnt.php%3Fet%3DPbb0hb%26url%3Dhttp%253A//www.bloomstreet.net/adland.php%253Fadsource%253Dicq%26lnkname%3Dbloomstreet_maxisingle_icq_jun18_pun_cl%26time%3DcaWhNbp%2CbdhqNKycvxR&clicktarget=clicktarget - deleted 
http://ad.71i.de/images/writemedia/070522_bloomstreet_muttermal_650x600.swf?clicktag=http%3A//adserver.71i.de/event.ng/Type%3Dclick%26FlightID%3D40171%26AdID%3D67201%26TargetID%3D10112%26Segments%3D10%2C15%2C20%2C131%2C133%2C135%2C146%2C151%2C154%2C161%2C198%2C200%2C228%2C370%2C414%2C600%2C1000%2C1365%2C1414%2C1535%2C1651%2C1681%2C1950%2C2035%2C2392%2C2523%2C2561%2C2602%2C2675%2C2723%2C2765%2C2785%2C2878%2C3083%2C3084%2C3221%2C3250%2C3502%2C3534%2C3720%2C3741%2C3742%2C3782%2C3884%2C3951%2C4121%2C4127%2C4150%2C4214%2C4227%2C4327%2C4328%2C4340%2C4345%2C4526%2C4561%2C4567%2C4587%2C4625%2C4682%2C4726%2C4743%2C4796%2C4815%2C4816%26Targets%3D9%2C10027%2C9872%2C10112%2C9307%2C9311%26Values%3D25%2C31%2C43%2C51%2C60%2C83%2C93%2C100%2C110%2C150%2C155%2C212%2C225%2C445%2C472%2C494%2C498%2C505%2C507%2C517%2C518%2C534%2C535%2C536%2C537%2C564%2C603%2C688%2C717%2C1138%2C1141%2C1151%2C1259%2C1445%2C1484%2C1598%2C1608%2C1638%2C1735%2C1849%2C1850%2C1851%2C2146%2C2207%2C2348%2C2351%2C2473%2C2655%2C2662%2C2699%2C2706%2C2722%2C2729%2C2758%2C2761%2C2776%2C2878%2C3795%2C4794%2C4821%2C4822%2C4850%2C4851%2C4892%2C5065%2C5145%2C9420%26RawValues%3D%26Redirect%3Dhttp%3A//www.etracker.de/lnkcnt.php%3Fet%3DPbb0hb%26url%3Dhttp%253A//www.bloomstreet.net/adland.php%253Fadsource%253Dicq%26lnkname%3Dbloomstreet_muttermal_icq_jun18_pun_cl%26time%3DclNghIs%2CbdhqNWWcwff&clicktarget=clicktarget - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006090420060905\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006090420060905\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006112720061204\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006112720061204\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006120420061211\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006120420061211\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006121120061218\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006121120061218\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006121820061219\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006121820061219\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006121920061220\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006121920061220\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006122020061221\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006122020061221\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006122120061222\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006122120061222\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012007052520070526\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012007052520070526\ - deleted
'Typed URLs' (Internet Explorer) - removed from the registry.
C:\Dokumente und Einstellungen\kdh\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\kdh\Anwendungsdaten\Mozilla\Firefox\Profiles\rrl8g8sh.default\history.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\kdh\Anwendungsdaten\Mozilla\Firefox\Profiles\rrl8g8sh.default\cookies.txt.old - deleted
C:\Dokumente und Einstellungen\kdh\Recent\hijackthis (2).lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\hijackthis.lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\Lokaler Datenträger (C).lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\Security Task Manager.lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\Sophos.Antivirus.v6.5.1.Multilingual.Win2kXP2k3Vista.Retail.READNFO-ARN.lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\taskman_de.lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\torrentleecht.lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\VundoFix.lnk - deleted
C:\WINDOWS\temp\$_2341233.TMP currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\$_2341234.TMP currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\kdh\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\kdh\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Prefetch\CLEANUP.EXE-3438663A.pf - deleted
C:\WINDOWS\Prefetch\CLEANUP452.EXE-1ED5EFE3.pf - deleted
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf - deleted
C:\WINDOWS\Prefetch\GUARDGUI.EXE-1BD45C30.pf - deleted
C:\WINDOWS\Prefetch\layout.ini - deleted
C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf - deleted
C:\WINDOWS\Prefetch\STINGER.EXE-1FB8EBEA.pf - deleted
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf - deleted
C:\temp\TMPMariah Carey - Don't Forget About Us.dat - deleted
C:\temp\TMPMariah Carey - Don't Forget About Us.dat.bak - deleted
C:\temp\TMPMariah Carey - Don't Forget About Us.mp3 - deleted
C:\temp\TMPMariah Carey - Don't Forget About Us.tiger - deleted
C:\temp\TMPMariah Carey - Through The Rain.dat - deleted
C:\temp\TMPMariah Carey - Through The Rain.dat.bak - deleted
C:\temp\TMPMariah Carey - Through The Rain.mp3 - deleted
C:\temp\TMPMariah Carey - Through The Rain.tiger - deleted
C:\temp\TMPMariah Carey - Underneath the Stars.dat - deleted
C:\temp\TMPMariah Carey - Underneath the Stars.dat.bak - deleted
C:\temp\TMPMariah Carey - Underneath the Stars.mp3 - deleted
C:\temp\TMPMariah Carey - Underneath the Stars.tiger - deleted
C:\temp\TMPwhitney houston - Witney Huston Unbreak my heart.dat - deleted
C:\temp\TMPwhitney houston - Witney Huston Unbreak my heart.dat.bak - deleted
C:\temp\TMPwhitney houston - Witney Huston Unbreak my heart.mp3 - deleted
C:\temp\TMPwhitney houston - Witney Huston Unbreak my heart.tiger - deleted
C:\tmp\RarExt.dll currently in use. Will be deleted when Windows is restarted.
C:\tmp\rarext.lng - deleted
C:\tmp\RarExtLoader.exe - deleted
C:\tmp\RarFiles.lst - deleted
C:\tmp\rarreg.key - deleted
C:\tmp\Uninstall.exe - deleted
C:\tmp\uninstall.lng - deleted
C:\tmp\Uninstall.lst - deleted
C:\tmp\UnRAR.exe - deleted
C:\tmp\UnrarSrc.txt - deleted
C:\tmp\WhatsNew.txt - deleted
C:\tmp\WinCon.SFX - deleted
C:\tmp\WinRAR.cnt - deleted
C:\tmp\WinRAR.exe - deleted
C:\tmp\WinRAR.hlp - deleted
C:\tmp\winrar.lng - deleted
C:\tmp\WinRAR.v3.60.Final.German-NEON.exe - deleted
C:\tmp\Zip.SFX - deleted
'Run MRU' list - removed from the registry.
Search Assistant MRU list - removed from the registry.
Explorer Open/Save MRU list - removed from the registry.
Explorer Last Visited MRU list - removed from the registry.
Paint Recent File List - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
WinZip File MRU list - removed from the registry.
CleanUp! 4.5.2 recovered 44.9 MB of disk space from 62 files.
CleanUp! finished on 06/21/07 10:32:07.

Listing files found while scanning....
C:\WINDOWS\System32\ayadd.ini
C:\WINDOWS\System32\ddaya.dll
Beginning removal...
Attempting to delete C:\WINDOWS\System32\ayadd.ini
C:\WINDOWS\System32\ayadd.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\ddaya.dll
C:\WINDOWS\System32\ddaya.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\System32\ayadd.ini
C:\WINDOWS\System32\ayadd.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\ddaya.dll
C:\WINDOWS\System32\ddaya.dll Could not be deleted.
Performing Repairs to the registry.
Done!
ComboFix 07-06-18.2 - C:\Dokumente und Einstellungen\kdh\Desktop\torrentleecht\ComboFix.exe "kdh" - 2007-06-21 10:36:33 NTFS /wow section - STAGE #3

((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))
2007-06-21 10:06 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-20 23:09 <DIR> d-------- C:\Programme\XoftSpySE
2007-06-20 23:04 <DIR> d-------- C:\VundoFix Backups
2007-06-20 20:03 <DIR> d-------- C:\Programme\Security Task Manager
2007-06-20 20:03 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\SecTaskMan
2007-06-20 19:16 <DIR> d-------- C:\WINDOWS\sdrive
2007-06-20 19:15 96,760 --a------ C:\msecu.exe
2007-06-20 19:15 5,080 --a------ C:\msetus.exe
2007-06-20 18:20 23 --ahs---- C:\WINDOWS\system32\eacbd7_r.dll
2007-06-20 18:19 <DIR> d-------- C:\Programme\jv16 PowerTools 2007
2007-06-20 18:01 <DIR> d--h----- C:\WINDOWS\PIF
2007-06-20 18:00 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Symantec Shared
2007-06-20 08:36 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-06-20 08:36 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-06-20 08:36 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-06-20 02:50 266,336 --------- C:\WINDOWS\system32\ddaya.dll
2007-06-19 23:16 31,254 --------- C:\WINDOWS\system32\pmnopon.dll
2007-06-18 14:05 0 --ahs---- C:\WINDOWS\system32\.exe
2007-06-07 19:14 <DIR> d-------- C:\Programme\Rockstar Games
2007-06-03 20:16 <DIR> d-------- C:\DOKUME~1\kdh\ANWEND~1\FTPRush
2007-06-02 12:10 <DIR> d-------- C:\FTPRush.v1.0.0605.ANSI.Multilingual.WinALL.Cracked-BRD
2007-05-27 17:31 <DIR> d-------- C:\MAX.PAYNE.2.THE.FALL.OF.MAX.PAYNE-DEViANCE

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-20 00:57:34 -------- d-----w C:\DOKUME~1\kdh\ANWEND~1\uTorrent
2007-06-20 00:57:12 -------- d-----w C:\Programme\mIRC
2007-06-19 23:39:45 -------- d-----w C:\Programme\ICQToolbar
2007-06-19 23:29:08 -------- d-----w C:\Programme\FlashFXP
2007-06-18 12:40:57 0 --sha-w C:\WINDOWS\system32\.exe
2007-06-15 20:26:57 -------- d-----w C:\Programme\HLSW
2007-06-15 20:23:06 -------- d-----w C:\Programme\Steam
2007-06-11 12:43:47 -------- d-----w C:\Programme\PokerStars
2007-06-11 12:43:30 -------- d-----w C:\Programme\PokerStars.NET
2007-06-10 08:11:40 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-10 08:03:16 -------- d-----w C:\Programme\EA SPORTS
2007-06-07 17:14:58 -------- d--h--w C:\Programme\InstallShield Installation Information
2007-06-07 13:58:35 -------- d-----w C:\Programme\ICQLite
2007-05-14 10:51:53 -------- d-----w C:\DOKUME~1\kdh\ANWEND~1\ICQ
2007-05-11 10:01:53 -------- d-----w C:\Programme\ICQ6
2007-05-08 07:23:51 49,174 ----a-w C:\WINDOWS\system32\perfc007.dat
2007-05-08 07:23:51 320,094 ----a-w C:\WINDOWS\system32\perfh007.dat
2007-04-27 22:18:19 -------- d-----w C:\DOKUME~1\kdh\ANWEND~1\ICQ Toolbar
2007-04-02 09:35:26 10,724 ---ha-w C:\WINDOWS\system32\ixmcsqqj.exe
2007-04-02 09:29:44 10,144 ---ha-w C:\WINDOWS\system32\otlkof.exe
2007-04-02 09:26:33 13,824 ---ha-w C:\WINDOWS\system32\mipk.exe
2007-04-02 09:23:52 6,368 ----a-w C:\WINDOWS\system32\setup_56043.exe
2007-04-02 09:08:09 552 ----a-w C:\WINDOWS\system32\d3d8caps.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{055FD26D-3A88-4e15-963D-DC8493744B1D}=C:\PROGRA~1\ICQTOO~1\toolbaru.dll [2006-12-25 10:40]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 19:38]
{48764EFE-5AEF-4C6A-83BE-7AD258C023F2}=C:\WINDOWS\System32\ddaya.dll [2007-06-20 02:50]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Programme\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]
{DC192567-65F9-4AB6-ADB7-E13575F81726}=C:\WINDOWS\System32\pmnopon.dll [2007-06-19 23:16]
{E5A1691B-D188-4419-AD02-90002030B8EE}=C:\Programme\FlashFXP\IEFlash.dll [2001-01-01 01:01]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-19 13:32]
"ICQ Lite"="C:\Programme\ICQLite\ICQLite.exe" [2006-07-11 12:15]
"nod32kui"="C:\Programme\Eset\nod32kui.exe" [2007-06-20 08:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Programme\MSN Messenger\msnmsgr.exe" [2006-07-29 19:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"VundoFix"="C:\Dokumente und Einstellungen\kdh\Desktop\torrentleecht\vundofix.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DC192567-65F9-4AB6-ADB7-E13575F81726}"="C:\WINDOWS\System32\pmnopon.dll" [2007-06-19 23:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya]
C:\WINDOWS\System32\ddaya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnopon]
pmnopon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Programme\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll,wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^kdh^Startmenü^Programme^Autostart^Alienware Dock.lnk]
path=C:\Dokumente und Einstellungen\kdh\Startmenü\Programme\Autostart\Alienware Dock.lnk
backup=C:\WINDOWS\pss\Alienware Dock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Programme\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Echo Control]
C:\Programme\PCI Audio Applications\Bin\EchoCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Programme\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
"C:\Programme\FileZilla Server\FileZilla Server Interface.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Programme\Gemeinsame Dateien\AOL\1176462831\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
"C:\Programme\ICQ6\ICQ.exe" silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"C:\Programme\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Programme\Gemeinsame Dateien\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Internet Service]
win32cmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Programme\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Programme\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
C:\WINDOWS\System32\nvraidservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outpost Firewall]
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OutpostFeedBack]
C:\Programme\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Programme\Java\jre1.5.0_08\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Programme\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Themes"=2 (0x2)
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
UxTuneUp
NtmlSvc

Contents of the 'Scheduled Tasks' folder
2007-06-15 16:22:56 C:\WINDOWS\tasks\1-Klick-Wartung.job
2007-06-21 07:31:18 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-06-20 21:10:03 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-21 10:38:09
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-06-21 10:38:34
C:\ComboFix-quarantined-files.txt ... 2007-06-21 10:38
C:\ComboFix2.txt ... 2007-06-21 10:11
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 10:39:37, on 21.06.2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\FileZilla Server\FileZilla Server.exe
C:\Programme\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Agnitum\Outpost Firewall\outpost.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\PROGRA~1\CleanUp!\cleanup.exe
C:\Dokumente und Einstellungen\kdh\Desktop\torrentleecht\VundoFix.exe
C:\Programme\Windows NT\Zubehör\WORDPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Dokumente und Einstellungen\kdh\Eigene Dateien\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [nod32kui] "C:\Programme\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Dokumente und Einstellungen\kdh\Desktop\torrentleecht\vundofix.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~2\NTXcontext.htm
O8 - Extra context menu item: Download All Links with IDM - C:\DOKUME~1\kdh\LOKALE~1\Temp\AutoRunPro0\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\DOKUME~1\kdh\LOKALE~1\Temp\AutoRunPro0\IEExt.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Programme\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~2\NTXtoolbar.htm (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156327562748
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://84.19.187.166:4643/vz/rdp/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{498AED14-D6D4-4F24-9598-F55CF75BC609}: NameServer = 217.237.150.115 217.237.151.205
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll,wbsys.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Programme\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programme\Eset\nod32krn.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Programme\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Remote Time Pluger - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Security System Manager - Unknown owner - C:\WINDOWS\system32\spoolvc.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
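What the three logs above show, read together: ddaya.dll is registered both as a Browser Helper Object and as a Winlogon Notify package, so winlogon.exe loads it at logon and keeps the file open, which is why VundoFix reports "Could not be deleted" for it while the ini next to it (ayadd.ini, the DLL name reversed) goes away; the hosts file sends auto.search.msn.com to 66.98.148.65; and two services ("Remote Time Pluger", "Security System Manager") point at svshost.exe and spoolvc.exe, one or two letters off svchost.exe and spoolsv.exe, with the binaries already gone. The script below is an added example for this page, not code from the thread or from HijackThis, ComboFix or VundoFix: it runs exactly those checks over a handful of lines copied from the logs above (constructed sample input). The edit-distance heuristic and the list of mimicked system binaries are its own assumptions.

```python
"""Added example (not from this thread or from HijackThis/ComboFix/VundoFix): triage Vundo-style persistence."""
import re

# Constructed sample: lines copied from the HijackThis log above.
HJT_SAMPLE = r"""
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programme\Eset\nod32krn.exe
O23 - Service: Remote Time Pluger - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Security System Manager - Unknown owner - C:\WINDOWS\system32\spoolvc.exe (file missing)
"""

# Constructed sample: lines copied from ComboFix's "Reg Loading Points" section above.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{48764EFE-5AEF-4C6A-83BE-7AD258C023F2}=C:\WINDOWS\System32\ddaya.dll [2007-06-20 02:50]
{DC192567-65F9-4AB6-ADB7-E13575F81726}=C:\WINDOWS\System32\pmnopon.dll [2007-06-19 23:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya]
C:\WINDOWS\System32\ddaya.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnopon]
pmnopon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Programme\AlienGUIse\fastload.dll
"""

# Constructed sample: lines copied from the VundoFix output above.
VUNDOFIX_SAMPLE = r"""
C:\WINDOWS\System32\ayadd.ini
C:\WINDOWS\System32\ddaya.dll
C:\WINDOWS\System32\ddaya.dll Could not be deleted.
"""

# Windows binaries that malware names itself after with a letter or two changed (assumption).
SYSTEM_BINARIES = ("svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe")
basename = lambda path: path.rpartition("\\")[2].lower()  # file name part of a Windows path


def edit_distance(a, b):  # Levenshtein distance by plain dynamic programming
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):  # system binary that `name` mimics (distance <= 2), else None
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    best = min(SYSTEM_BINARIES, key=lambda real: edit_distance(name, real))
    return best if edit_distance(name, best) <= 2 else None


def parse_loading_points(text):  # ComboFix: a [registry key] line, then the values under it
    key, pairs = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line:
            pairs.append((key, line))
    return pairs


def reversed_name_pairs(paths):  # pairing seen above: ddaya.dll next to ayadd.ini
    names = {basename(p) for p in paths}
    return sorted((n, n[:-4][::-1] + ".ini") for n in names if n.endswith(".dll") and n[:-4][::-1] + ".ini" in names)


def triage(hjt_text, combofix_text, vundofix_text):
    findings = []
    for code, body in re.findall(r"^([A-Z]\d+) - (.*)$", hjt_text, re.M):
        if code == "O1" and body.startswith("Hosts:"):
            ip, host = body.split()[1:3]
            if ip not in ("127.0.0.1", "::1"):  # anything else redirects the name
                findings.append(f"hosts redirect: {host} -> {ip}")
        elif code == "O23":
            fields = body.split(" - ")
            name, binary = fields[0].split(": ", 1)[-1], fields[-1]
            path = binary.replace("(file missing)", "").strip()
            if real := lookalike(basename(path)):
                findings.append(f"service '{name}': {basename(path)} mimics {real}")
            if binary.endswith("(file missing)"):
                findings.append(f"service '{name}': {path} is missing (orphaned entry)")
    notify, bhos = {}, set()
    for key, value in parse_loading_points(combofix_text):
        if "\\winlogon\\notify\\" in key:
            notify[basename(value)] = value
        elif key.endswith("\\browser helper objects"):
            bhos.add(basename(value.split("=", 1)[1].split(" [")[0]))
    for base, value in notify.items():
        # Bare name or System32 path; ComboFix already hides the default Notify packages.
        if "\\" not in value or "\\system32\\" in value.lower():
            extra = " and registered as a BHO" if base in bhos else ""
            findings.append(f"winlogon notify DLL {base} loaded into winlogon.exe{extra}")
    for dll, ini in reversed_name_pairs(l for l in vundofix_text.splitlines() if re.fullmatch(r"[A-Za-z]:\\\S+", l)):
        findings.append(f"reversed-name pair {dll} / {ini}")
    for line in vundofix_text.splitlines():
        if line.endswith("Could not be deleted."):
            path = line[: -len(" Could not be deleted.")]
            why = "; held open by winlogon.exe, delete at boot or after removing the Notify key" if basename(path) in notify else ""
            findings.append(f"vundofix could not delete {path}{why}")
    return findings


if __name__ == "__main__":
    print("\n".join(triage(HJT_SAMPLE, COMBOFIX_SAMPLE, VUNDOFIX_SAMPLE)))
```

Run as a script it prints one finding per line, ten for the sample above; fastload.dll (a Notify entry outside System32) is deliberately not flagged. The last finding is the answer to the thread title: a DLL in the Winlogon Notify list is mapped into winlogon.exe before any user tool runs, so it can only be removed at boot, before winlogon.exe starts, or after the Notify key is gone and the machine has been restarted. That boot-time step is what the Avenger script in the next reply is for.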
21.06.2007, 11:01
Member
Posts: 694
#4
Hi,
Careful, it may be that we delete some things that make the system unstable...
VirusTotal: (careful, the first four files are marked "hidden"; enable the display of hidden files and system files in Explorer)
Quote:
C:\WINDOWS\system32\ixmcsqqj.exe
http://www.virustotal.com/flash/index_en.html
At the top of the page --> click Browse --> pick the file (or paste the file with the correct path right away) --> double-click the file to be checked --> click "Send"... now wait - then select the text with the right mouse button -> copy - paste
I'm setting Avenger up so that they get deleted, i.e. if they are not detected, you have to remove them from the script!
Avenger http://virus-protect.org/artikel/tools/avenger.html
Input script manually (tick)
copy into: View/edit script
Quote:
HijackThis, fix: open HijackThis -- button "scan" -- tick these entries -- button "Fix checked" -- restart the PC
Quote:
Careful, if the files are what I think they are, then you have several backdoors on your computer, and formatting is the obvious option! Afterwards a new HJ log; rename the HJ exe to test.com beforehand; scan with CureIt. Additionally please also use CureIt. Instructions: http://virus-protect.org/cureit.html But please use the download from here: http://freedrweb.com/?lng=de
Post all logs...
Chris
Regards