Vundo.Gen virus keeps restarting itself (ddaya.dll) and terminates explorer.exe

#0
21.06.2007, 09:54
...new here

Posts: 2
#1 For two days now I've had the problem that my AntiVir keeps finding 2 trojans that it cannot delete. The first: ddaya.dll. This trojan terminates explorer.exe or freezes the PC after a few minutes if you click "Ignore" on the AntiVir detection message; it is detected as Vundo.Gen. The other trojan doesn't really cause any problems, but it can't be removed either: pmnopon.dll. It mostly only shows up when I start some program. And the AntiVir messages come every 2 minutes, which is getting pretty annoying. I hope I have described my problem well and I'm hoping for quick help.

Regards

Attachment: logfile.txt
This post was edited on 21.06.2007 at 10:03 by loved.
21.06.2007, 10:24
Member
Chris4You

Posts: 694
#2 Hi,

clean
- Empty Recycle Bins
- Delete Prefetch files
- Cleanup! All Users
configure CleanUp exactly as described here:
http://virus-protect.org/cleanup.html

Run Vundofix
http://virus-protect.org/artikel/tools/vundofixx.html

Then combofix
http://virus-protect.org/artikel/tools/combofix.html

Then please a new HJ log; post the logs...

chris
21.06.2007, 10:39
...new here

Thread starter

Posts: 2
#3 CleanUp! started on 06/21/07 10:32:06.
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Temporary Internet Files\Content.MSO\ - deleted
http://adicq.71i.de/images/prosieben_eigenwerbung/icqfreeflow/icq_180x150.swf?clicktag=http%3A//adserver.71i.de/event.ng/Type%3Dclick%26FlightID%3D38279%26AdID%3D63730%26TargetID%3D9443%26Segments%3D10%2C15%2C20%2C23%2C131%2C133%2C135%2C146%2C151%2C154%2C161%2C198%2C200%2C228%2C370%2C414%2C1365%2C1414%2C1651%2C1681%2C1950%2C2035%2C2392%2C2523%2C2561%2C2595%2C2602%2C2675%2C2723%2C2785%2C2878%2C3064%2C3083%2C3084%2C3212%2C3250%2C3502%2C3720%2C3741%2C3742%2C3884%2C4121%2C4127%2C4150%2C4214%2C4227%2C4327%2C4328%2C4345%2C4526%2C4530%2C4561%2C4567%2C4587%2C4589%2C4625%2C4682%2C4726%2C4743%2C4747%2C4796%2C4815%2C4816%26Targets%3D9%2C9619%2C5938%2C9829%2C9443%26Values%3D25%2C31%2C43%2C51%2C60%2C83%2C93%2C100%2C110%2C150%2C155%2C225%2C445%2C472%2C494%2C498%2C505%2C507%2C517%2C518%2C534%2C535%2C536%2C537%2C564%2C603%2C688%2C717%2C937%2C1151%2C1259%2C1445%2C1484%2C1598%2C1608%2C1638%2C1735%2C1849%2C1850%2C1851%2C2146%2C2207%2C2348%2C2351%2C2473%2C2662%2C2699%2C2706%2C2722%2C2729%2C2761%2C2762%2C2776%2C2878%2C3795%2C4193%2C4821%2C4822%2C4850%2C4851%2C4892%2C5065%2C5145%2C9420%26RawValues%3D%26Redirect%3Dhttp%3A//www.prosieben.de/club_community/community/icqspecial/sms/&clicktarget=clicktarget - deleted
http://ad.71i.de/images/writemedia/070605_bloomstreet_maxisingle_650x600.swf?clicktag=http%3A//adserver.71i.de/event.ng/Type%3Dclick%26FlightID%3D40171%26AdID%3D67200%26TargetID%3D10112%26Segments%3D10%2C15%2C20%2C131%2C133%2C135%2C146%2C151%2C154%2C161%2C198%2C200%2C228%2C370%2C414%2C600%2C1000%2C1365%2C1414%2C1535%2C1651%2C1681%2C2035%2C2392%2C2523%2C2561%2C2602%2C2675%2C2723%2C2765%2C2785%2C2878%2C3083%2C3084%2C3221%2C3250%2C3502%2C3534%2C3720%2C3741%2C3742%2C3782%2C3884%2C3951%2C4121%2C4127%2C4150%2C4214%2C4227%2C4327%2C4328%2C4340%2C4345%2C4526%2C4561%2C4567%2C4587%2C4625%2C4682%2C4726%2C4743%2C4796%2C4815%2C4816%26Targets%3D9%2C10027%2C9872%2C10112%2C9307%2C9311%26Values%3D31%2C43%2C51%2C60%2C83%2C93%2C100%2C110%2C150%2C212%2C225%2C445%2C472%2C494%2C505%2C507%2C517%2C518%2C534%2C535%2C536%2C537%2C564%2C603%2C688%2C717%2C1138%2C1141%2C1151%2C1259%2C1445%2C1484%2C1598%2C1608%2C1735%2C1849%2C1850%2C1851%2C2146%2C2207%2C2348%2C2351%2C2473%2C2655%2C2699%2C2758%2C2761%2C2776%2C4794%2C4821%2C4822%2C4850%2C4851%2C4892%2C5145%2C9420%26RawValues%3D%26Redirect%3Dhttp%3A//www.etracker.de/lnkcnt.php%3Fet%3DPbb0hb%26url%3Dhttp%253A//www.bloomstreet.net/adland.php%253Fadsource%253Dicq%26lnkname%3Dbloomstreet_maxisingle_icq_jun18_pun_cl%26time%3DcaWhNbp%2CbdhqNKycvxR&clicktarget=clicktarget - deleted
http://ad.71i.de/images/writemedia/070522_bloomstreet_muttermal_650x600.swf?clicktag=http%3A//adserver.71i.de/event.ng/Type%3Dclick%26FlightID%3D40171%26AdID%3D67201%26TargetID%3D10112%26Segments%3D10%2C15%2C20%2C131%2C133%2C135%2C146%2C151%2C154%2C161%2C198%2C200%2C228%2C370%2C414%2C600%2C1000%2C1365%2C1414%2C1535%2C1651%2C1681%2C1950%2C2035%2C2392%2C2523%2C2561%2C2602%2C2675%2C2723%2C2765%2C2785%2C2878%2C3083%2C3084%2C3221%2C3250%2C3502%2C3534%2C3720%2C3741%2C3742%2C3782%2C3884%2C3951%2C4121%2C4127%2C4150%2C4214%2C4227%2C4327%2C4328%2C4340%2C4345%2C4526%2C4561%2C4567%2C4587%2C4625%2C4682%2C4726%2C4743%2C4796%2C4815%2C4816%26Targets%3D9%2C10027%2C9872%2C10112%2C9307%2C9311%26Values%3D25%2C31%2C43%2C51%2C60%2C83%2C93%2C100%2C110%2C150%2C155%2C212%2C225%2C445%2C472%2C494%2C498%2C505%2C507%2C517%2C518%2C534%2C535%2C536%2C537%2C564%2C603%2C688%2C717%2C1138%2C1141%2C1151%2C1259%2C1445%2C1484%2C1598%2C1608%2C1638%2C1735%2C1849%2C1850%2C1851%2C2146%2C2207%2C2348%2C2351%2C2473%2C2655%2C2662%2C2699%2C2706%2C2722%2C2729%2C2758%2C2761%2C2776%2C2878%2C3795%2C4794%2C4821%2C4822%2C4850%2C4851%2C4892%2C5065%2C5145%2C9420%26RawValues%3D%26Redirect%3Dhttp%3A//www.etracker.de/lnkcnt.php%3Fet%3DPbb0hb%26url%3Dhttp%253A//www.bloomstreet.net/adland.php%253Fadsource%253Dicq%26lnkname%3Dbloomstreet_muttermal_icq_jun18_pun_cl%26time%3DclNghIs%2CbdhqNWWcwff&clicktarget=clicktarget - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006090420060905\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006090420060905\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006112720061204\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006112720061204\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006120420061211\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006120420061211\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006121120061218\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006121120061218\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006121820061219\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006121820061219\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006121920061220\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006121920061220\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006122020061221\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006122020061221\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006122120061222\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012006122120061222\ - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012007052520070526\index.dat - deleted
C:\Dokumente und Einstellungen\kdh\Lokale Einstellungen\Verlauf\History.IE5\MSHist012007052520070526\ - deleted
'Typed URLs' (Internet Explorer) - removed from the registry.
C:\Dokumente und Einstellungen\kdh\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\kdh\Anwendungsdaten\Mozilla\Firefox\Profiles\rrl8g8sh.default\history.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\kdh\Anwendungsdaten\Mozilla\Firefox\Profiles\rrl8g8sh.default\cookies.txt.old - deleted
C:\Dokumente und Einstellungen\kdh\Recent\hijackthis (2).lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\hijackthis.lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\Lokaler Datenträger (C).lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\Security Task Manager.lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\Sophos.Antivirus.v6.5.1.Multilingual.Win2kXP2k3Vista.Retail.READNFO-ARN.lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\taskman_de.lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\torrentleecht.lnk - deleted
C:\Dokumente und Einstellungen\kdh\Recent\VundoFix.lnk - deleted
C:\WINDOWS\temp\$_2341233.TMP currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\temp\$_2341234.TMP currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\kdh\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\kdh\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Prefetch\CLEANUP.EXE-3438663A.pf - deleted
C:\WINDOWS\Prefetch\CLEANUP452.EXE-1ED5EFE3.pf - deleted
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf - deleted
C:\WINDOWS\Prefetch\GUARDGUI.EXE-1BD45C30.pf - deleted
C:\WINDOWS\Prefetch\layout.ini - deleted
C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf - deleted
C:\WINDOWS\Prefetch\STINGER.EXE-1FB8EBEA.pf - deleted
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf - deleted
C:\temp\TMPMariah Carey - Don't Forget About Us.dat - deleted
C:\temp\TMPMariah Carey - Don't Forget About Us.dat.bak - deleted
C:\temp\TMPMariah Carey - Don't Forget About Us.mp3 - deleted
C:\temp\TMPMariah Carey - Don't Forget About Us.tiger - deleted
C:\temp\TMPMariah Carey - Through The Rain.dat - deleted
C:\temp\TMPMariah Carey - Through The Rain.dat.bak - deleted
C:\temp\TMPMariah Carey - Through The Rain.mp3 - deleted
C:\temp\TMPMariah Carey - Through The Rain.tiger - deleted
C:\temp\TMPMariah Carey - Underneath the Stars.dat - deleted
C:\temp\TMPMariah Carey - Underneath the Stars.dat.bak - deleted
C:\temp\TMPMariah Carey - Underneath the Stars.mp3 - deleted
C:\temp\TMPMariah Carey - Underneath the Stars.tiger - deleted
C:\temp\TMPwhitney houston - Witney Huston Unbreak my heart.dat - deleted
C:\temp\TMPwhitney houston - Witney Huston Unbreak my heart.dat.bak - deleted
C:\temp\TMPwhitney houston - Witney Huston Unbreak my heart.mp3 - deleted
C:\temp\TMPwhitney houston - Witney Huston Unbreak my heart.tiger - deleted
C:\tmp\RarExt.dll currently in use. Will be deleted when Windows is restarted.
C:\tmp\rarext.lng - deleted
C:\tmp\RarExtLoader.exe - deleted
C:\tmp\RarFiles.lst - deleted
C:\tmp\rarreg.key - deleted
C:\tmp\Uninstall.exe - deleted
C:\tmp\uninstall.lng - deleted
C:\tmp\Uninstall.lst - deleted
C:\tmp\UnRAR.exe - deleted
C:\tmp\UnrarSrc.txt - deleted
C:\tmp\WhatsNew.txt - deleted
C:\tmp\WinCon.SFX - deleted
C:\tmp\WinRAR.cnt - deleted
C:\tmp\WinRAR.exe - deleted
C:\tmp\WinRAR.hlp - deleted
C:\tmp\winrar.lng - deleted
C:\tmp\WinRAR.v3.60.Final.German-NEON.exe - deleted
C:\tmp\Zip.SFX - deleted
'Run MRU' list - removed from the registry.
Search Assistant MRU list - removed from the registry.
Explorer Open/Save MRU list - removed from the registry.
Explorer Last Visited MRU list - removed from the registry.
Paint Recent File List - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
WinZip File MRU list - removed from the registry.
CleanUp! 4.5.2 recovered 44.9 MB of disk space from 62 files.
CleanUp! finished on 06/21/07 10:32:07.

Listing files found while scanning....

C:\WINDOWS\System32\ayadd.ini
C:\WINDOWS\System32\ddaya.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ayadd.ini
C:\WINDOWS\System32\ayadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ddaya.dll
C:\WINDOWS\System32\ddaya.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ayadd.ini
C:\WINDOWS\System32\ayadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ddaya.dll
C:\WINDOWS\System32\ddaya.dll Could not be deleted.

Performing Repairs to the registry.
Done!

ComboFix 07-06-18.2 - C:\Dokumente und Einstellungen\kdh\Desktop\torrentleecht\ComboFix.exe
"kdh" - 2007-06-21 10:36:33 NTFS

/wow section - STAGE #3

((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))


2007-06-21 10:06 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-20 23:09 <DIR> d-------- C:\Programme\XoftSpySE
2007-06-20 23:04 <DIR> d-------- C:\VundoFix Backups
2007-06-20 20:03 <DIR> d-------- C:\Programme\Security Task Manager
2007-06-20 20:03 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\SecTaskMan
2007-06-20 19:16 <DIR> d-------- C:\WINDOWS\sdrive
2007-06-20 19:15 96,760 --a------ C:\msecu.exe
2007-06-20 19:15 5,080 --a------ C:\msetus.exe
2007-06-20 18:20 23 --ahs---- C:\WINDOWS\system32\eacbd7_r.dll
2007-06-20 18:19 <DIR> d-------- C:\Programme\jv16 PowerTools 2007
2007-06-20 18:01 <DIR> d--h----- C:\WINDOWS\PIF
2007-06-20 18:00 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Symantec Shared
2007-06-20 08:36 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-06-20 08:36 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-06-20 08:36 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-06-20 02:50 266,336 --------- C:\WINDOWS\system32\ddaya.dll
2007-06-19 23:16 31,254 --------- C:\WINDOWS\system32\pmnopon.dll
2007-06-18 14:05 0 --ahs---- C:\WINDOWS\system32\.exe
2007-06-07 19:14 <DIR> d-------- C:\Programme\Rockstar Games
2007-06-03 20:16 <DIR> d-------- C:\DOKUME~1\kdh\ANWEND~1\FTPRush
2007-06-02 12:10 <DIR> d-------- C:\FTPRush.v1.0.0605.ANSI.Multilingual.WinALL.Cracked-BRD
2007-05-27 17:31 <DIR> d-------- C:\MAX.PAYNE.2.THE.FALL.OF.MAX.PAYNE-DEViANCE


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 00:57:34 -------- d-----w C:\DOKUME~1\kdh\ANWEND~1\uTorrent
2007-06-20 00:57:12 -------- d-----w C:\Programme\mIRC
2007-06-19 23:39:45 -------- d-----w C:\Programme\ICQToolbar
2007-06-19 23:29:08 -------- d-----w C:\Programme\FlashFXP
2007-06-18 12:40:57 0 --sha-w C:\WINDOWS\system32\.exe
2007-06-15 20:26:57 -------- d-----w C:\Programme\HLSW
2007-06-15 20:23:06 -------- d-----w C:\Programme\Steam
2007-06-11 12:43:47 -------- d-----w C:\Programme\PokerStars
2007-06-11 12:43:30 -------- d-----w C:\Programme\PokerStars.NET
2007-06-10 08:11:40 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-10 08:03:16 -------- d-----w C:\Programme\EA SPORTS
2007-06-07 17:14:58 -------- d--h--w C:\Programme\InstallShield Installation Information
2007-06-07 13:58:35 -------- d-----w C:\Programme\ICQLite
2007-05-14 10:51:53 -------- d-----w C:\DOKUME~1\kdh\ANWEND~1\ICQ
2007-05-11 10:01:53 -------- d-----w C:\Programme\ICQ6
2007-05-08 07:23:51 49,174 ----a-w C:\WINDOWS\system32\perfc007.dat
2007-05-08 07:23:51 320,094 ----a-w C:\WINDOWS\system32\perfh007.dat
2007-04-27 22:18:19 -------- d-----w C:\DOKUME~1\kdh\ANWEND~1\ICQ Toolbar
2007-04-02 09:35:26 10,724 ---ha-w C:\WINDOWS\system32\ixmcsqqj.exe
2007-04-02 09:29:44 10,144 ---ha-w C:\WINDOWS\system32\otlkof.exe
2007-04-02 09:26:33 13,824 ---ha-w C:\WINDOWS\system32\mipk.exe
2007-04-02 09:23:52 6,368 ----a-w C:\WINDOWS\system32\setup_56043.exe
2007-04-02 09:08:09 552 ----a-w C:\WINDOWS\system32\d3d8caps.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{055FD26D-3A88-4e15-963D-DC8493744B1D}=C:\PROGRA~1\ICQTOO~1\toolbaru.dll [2006-12-25 10:40]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 19:38]
{48764EFE-5AEF-4C6A-83BE-7AD258C023F2}=C:\WINDOWS\System32\ddaya.dll [2007-06-20 02:50]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Programme\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]
{DC192567-65F9-4AB6-ADB7-E13575F81726}=C:\WINDOWS\System32\pmnopon.dll [2007-06-19 23:16]
{E5A1691B-D188-4419-AD02-90002030B8EE}=C:\Programme\FlashFXP\IEFlash.dll [2001-01-01 01:01]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-19 13:32]
"ICQ Lite"="C:\Programme\ICQLite\ICQLite.exe" [2006-07-11 12:15]
"nod32kui"="C:\Programme\Eset\nod32kui.exe" [2007-06-20 08:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Programme\MSN Messenger\msnmsgr.exe" [2006-07-29 19:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"VundoFix"="C:\Dokumente und Einstellungen\kdh\Desktop\torrentleecht\vundofix.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DC192567-65F9-4AB6-ADB7-E13575F81726}"="C:\WINDOWS\System32\pmnopon.dll" [2007-06-19 23:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya]
C:\WINDOWS\System32\ddaya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnopon]
pmnopon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Programme\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll,wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^WinZip Quick Pick.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^kdh^Startmenü^Programme^Autostart^Alienware Dock.lnk]
path=C:\Dokumente und Einstellungen\kdh\Startmenü\Programme\Autostart\Alienware Dock.lnk
backup=C:\WINDOWS\pss\Alienware Dock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Programme\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Echo Control]
C:\Programme\PCI Audio Applications\Bin\EchoCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Programme\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
"C:\Programme\FileZilla Server\FileZilla Server Interface.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Programme\Gemeinsame Dateien\AOL\1176462831\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
"C:\Programme\ICQ6\ICQ.exe" silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"C:\Programme\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Programme\Gemeinsame Dateien\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Internet Service]
win32cmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Programme\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Programme\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
C:\WINDOWS\System32\nvraidservice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outpost Firewall]
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OutpostFeedBack]
C:\Programme\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Programme\Java\jre1.5.0_08\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Programme\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Themes"=2 (0x2)
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
UxTuneUp
NtmlSvc


Contents of the 'Scheduled Tasks' folder
2007-06-15 16:22:56 C:\WINDOWS\tasks\1-Klick-Wartung.job
2007-06-21 07:31:18 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-06-20 21:10:03 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-21 10:38:09
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-21 10:38:34
C:\ComboFix-quarantined-files.txt ... 2007-06-21 10:38
C:\ComboFix2.txt ... 2007-06-21 10:11

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 10:39:37, on 21.06.2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\FileZilla Server\FileZilla Server.exe
C:\Programme\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Agnitum\Outpost Firewall\outpost.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\PROGRA~1\CleanUp!\cleanup.exe
C:\Dokumente und Einstellungen\kdh\Desktop\torrentleecht\VundoFix.exe
C:\Programme\Windows NT\Zubehör\WORDPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Dokumente und Einstellungen\kdh\Eigene Dateien\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [nod32kui] "C:\Programme\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Dokumente und Einstellungen\kdh\Desktop\torrentleecht\vundofix.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~2\NTXcontext.htm
O8 - Extra context menu item: Download All Links with IDM - C:\DOKUME~1\kdh\LOKALE~1\Temp\AutoRunPro0\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\DOKUME~1\kdh\LOKALE~1\Temp\AutoRunPro0\IEExt.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Programme\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~2\NTXtoolbar.htm (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156327562748
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://84.19.187.166:4643/vz/rdp/msrdp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{498AED14-D6D4-4F24-9598-F55CF75BC609}: NameServer = 217.237.150.115 217.237.151.205
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll,wbsys.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Programme\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programme\Eset\nod32krn.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Programme\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Remote Time Pluger - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Security System Manager - Unknown owner - C:\WINDOWS\system32\spoolvc.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
21.06.2007, 11:01
Member
Chris4You

Posts: 694
#4 Hi,

Caution: it's possible that we delete some things
that make the system unstable...

virustotal:

(Caution: the first four files are marked as "hidden"; in Explorer, enable
the display of hidden files and system files)

Quote

C:\WINDOWS\system32\ixmcsqqj.exe
C:\WINDOWS\system32\otlkof.exe
C:\WINDOWS\system32\mipk.exe
C:\WINDOWS\system32\eacbd7_r.dll
C:\WINDOWS\system32\pmnopon.dll
C:\msecu.exe
C:\msetus.exe
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\system32\spoolvc.exe
http://www.virustotal.com/flash/index_en.html
At the top of the page --> click "Browse" --> select the file (or paste the file with its correct path directly) --> double-click the file to be checked --> click "Send"... now wait - then select the text with the right mouse button -> copy - paste

I'm setting up Avenger so that they get deleted,
i.e. if they are not detected, you must remove them from the script!

Avenger
http://virus-protect.org/artikel/tools/avenger.html
Input script manually (tick the box)
copy into: View/edit script

Quote


registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnopon *** only if detected (if detected, delete the comment from the asterisk onwards; if not detected, delete the whole line)!


Files to delete:

C:\WINDOWS\system32\ixmcsqqj.exe
C:\WINDOWS\system32\otlkof.exe
C:\WINDOWS\system32\mipk.exe
C:\msecu.exe
C:\msetus.exe
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\pmnopon.dll
C:\WINDOWS\system32\eacbd7_r.dll
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\system32\spoolvc.exe

Click the green traffic light
the script will now be executed, then the PC will restart automatically
Hijackthis, fix:
open HijackThis -- button "Scan" -- put check marks in front of these entries -- button "Fix checked" -- restart the PC

Quote


O1 - Hosts: 66.98.148.65 auto.search.msn.es
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O23 - Service: Remote Time Pluger - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Security System Manager - Unknown owner - C:\WINDOWS\system32\spoolvc.exe (file missing)


Caution: if the files are what I think they are, then you have several
backdoors on your computer, in which case formatting is the obvious choice!

Then a new HJ log; rename the HJ exe to test.com beforehand;

Scan with Cureit
Additionally, please also use Cureit; instructions: http://virus-protect.org/cureit.html
But please use the download from here: http://freedrweb.com/?lng=de

Post all logs...

Chris
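The entries the helper picked out of the HijackThis log above fall into two classes a defender can test for mechanically: hosts-file lines that point a domain at a foreign address, and services whose binary is missing or whose name imitates a Windows system binary (svshost.exe vs. svchost.exe, spoolvc.exe vs. spoolsv.exe). The following Python script is an added example, not code from this thread or from the HijackThis or Avenger tools; it parses lines copied from the log posted above and flags those two classes. The list of imitated system binaries and the 0.85 similarity threshold are assumptions chosen for this example.

```python
"""Triage a HijackThis log for hosts-file redirects and suspicious O23 services.

Added example (not from the thread): flags the entry classes the helper asked
to fix, so the reasoning behind the "Fix checked" list can be reproduced.
"""
import re
from difflib import SequenceMatcher

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll,wbsys.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programme\Eset\nod32krn.exe
O23 - Service: Remote Time Pluger - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Security System Manager - Unknown owner - C:\WINDOWS\system32\spoolvc.exe (file missing)
"""

# Assumption: a short list of Windows XP core binaries whose names malware imitates.
SYSTEM_BINARIES = ["svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe"]
LOOKALIKE_THRESHOLD = 0.85  # assumption: similarity ratio that counts as "imitates"

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)(?: \(file missing\))?$")


def lookalike_of(filename):
    """Return the system binary that `filename` closely resembles without equalling, else None."""
    name = filename.lower()
    for known in SYSTEM_BINARIES:
        if name != known and SequenceMatcher(None, name, known).ratio() >= LOOKALIKE_THRESHOLD:
            return known
    return None


def triage_line(line):
    """Return the list of reasons a single HijackThis line deserves attention (empty if none)."""
    reasons = []
    m = HOSTS_RE.match(line)
    if m:
        ip, host = m.groups()
        # Anything other than the loopback entry for localhost redirects that domain.
        if not (ip in ("127.0.0.1", "::1") and host.lower() == "localhost"):
            reasons.append(f"hosts-file redirect: {host} -> {ip}")
    m = SERVICE_RE.match(line)
    if m:
        name, owner, path = m.groups()
        if line.endswith("(file missing)"):
            reasons.append(f"service '{name}' registered but binary missing: {path}")
        basename = path.split("\\")[-1]
        twin = lookalike_of(basename)
        if twin:
            reasons.append(f"binary name {basename} imitates {twin} (owner: {owner})")
    return reasons


def triage(log_text):
    """Scan a whole log; return [(line, [reasons...])] for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line.rstrip())
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Run it as-is and the four lines the helper listed for fixing are the only ones reported; the legitimate AntiVir, Outpost and NOD32 entries pass through. The lookalike check is deliberately separate from the "file missing" check: a service whose binary is absent is stale or already removed, whereas a present binary named like svchost.exe is the case that still needs attention.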