Trojan adware.w32.EXPBwnldr
#0
09.07.2007, 19:36
...new here
Posts: 2
11.07.2007, 17:25
Honorary member
Posts: 6028
#2
Delete C:\Qoobox and empty the Recycle Bin.
And now another new HijackThis log.
__________
Regards, Argus
12.07.2007, 17:36
...new here
Thread starter, Posts: 2
#3
Hello Arnold,
many thanks for the tip. Everything seems to be running again (IE no longer opens by itself, no more malware warnings etc.); only the desktop still cannot be set back. Here is the new HijackThis scan:

Logfile of HijackThis v1.99.1
Scan saved at 17:32:38, on 12.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\Programme\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Gemeinsame Dateien\AccSys\AccWLSvc.exe
C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\Programme\Spamihilator\spamihilator.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
C:\Programme\Norton Personal Firewall\ccPxySvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SCARDS32.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Java\jre1.5.0_10\bin\jucheck.exe
C:\Dokumente und Einstellungen\Gert\Eigene Dateien\Eigene Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {100B21CD-3B97-44FB-B1C0-EA6249E482E8} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [WLAN Quick-Starter] "C:\Programme\WLAN Quick-Starter\WLAN Quick-Starter.exe" -update
O4 - HKLM\..\Run: [wlconfig] C:\Programme\WLAN Monitor\wlconfig.exe -autostart
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Spamihilator] "C:\Programme\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: msole - {700C0A24-BAE8-4B33-B027-B9C638E8EAEB} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AccSys WiFi Server (AccWLSvc) - AccSys GmbH - C:\Programme\Gemeinsame Dateien\AccSys\AccWLSvc.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programme\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Programme\Norton Personal Firewall\NISUM.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - TOWITOKO - German Technology - C:\WINDOWS\SCARDS32.EXE
12.07.2007, 20:43
Honorary member
Posts: 6028
#4
Close all windows and start HijackThis.
Click: Do a system scan only. Put a check mark in the box in front of the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
O2 - BHO: (no name) - {100B21CD-3B97-44FB-B1C0-EA6249E482E8} - (no file)
O21 - SSODL: msole - {700C0A24-BAE8-4B33-B027-B9C638E8EAEB} - (no file)
Click: Fix checked. Your Internet Explorer must be closed when you click Fix checked.

Download SmitfraudFix by S!Ri to the desktop.
Start your computer in Safe Mode.
Double-click Smitfraudfix.exe.
Type: 1 (a report of the infected files is created) and press Enter to get a report of the infected files.
Paste the contents of the report (C:\rapport.txt) into this thread.

Download SDFix to the desktop.
Start in Safe Mode: http://www.bsi.bund.de/av/texte/wiederher.htm
Unpack SDFix.zip; you will now find the SDFix folder under C:\.
Double-click RunThis.bat.
Type: Y and follow all instructions.
The computer will then restart. SDFix now removes the objects it found.
Paste the contents of the report "SophosReport.txt", which is now on your desktop, into this thread.

Wallpaper:
Start -> Run, paste in:
rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0
-> OK
Choose Customize Desktop and open the Web tab; check whether anything is listed there and, if so, remove it (e.g. a check mark as in the attachment).
__________
Regards, Argus
This post was edited on 12.07.2007 at 21:03 by Arnold.
Can anyone help me?
Many thanks in advance.
hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 19:17:51, on 09.07.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\Programme\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programme\Gemeinsame Dateien\AccSys\AccWLSvc.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Norton Personal Firewall\ccPxySvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\SCARDS32.EXE
C:\Programme\Spamihilator\spamihilator.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\Programme\Java\jre1.5.0_10\bin\jucheck.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Dokumente und Einstellungen\Gert\Eigene Dateien\Eigene Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [WLAN Quick-Starter] "C:\Programme\WLAN Quick-Starter\WLAN Quick-Starter.exe" -update
O4 - HKLM\..\Run: [wlconfig] C:\Programme\WLAN Monitor\wlconfig.exe -autostart
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Spamihilator] "C:\Programme\Spamihilator\spamihilator.exe"
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\WINDOWS\twain_32\ScanWiz5\SDII.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: msole - {700C0A24-BAE8-4B33-B027-B9C638E8EAEB} - C:\WINDOWS\msole.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AccSys WiFi Server (AccWLSvc) - AccSys GmbH - C:\Programme\Gemeinsame Dateien\AccSys\AccWLSvc.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programme\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Programme\Norton Personal Firewall\NISUM.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: CHIPDRIVE SCARD Service (TWKSCARDSRV) - TOWITOKO - German Technology - C:\WINDOWS\SCARDS32.EXE
combofix:
"Gert" - 2007-07-09 19:08:24 - ComboFix 07-07-09.3 - Service Pack 2
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOKUME~1\Gert\ANWEND~1.\Ultimate Cleaner
C:\DOKUME~1\Gert\ANWEND~1.\Ultimate Cleaner\settings.dat
C:\DOKUME~1\Gert\Desktop.\Error Cleaner.url
C:\DOKUME~1\Gert\Desktop.\Privacy Protector.url
C:\DOKUME~1\Gert\Desktop.\Spyware&Malware Protection.url
C:\DOKUME~1\Gert\FAVORI~1.\Error Cleaner.url
C:\DOKUME~1\Gert\FAVORI~1.\Privacy Protector.url
C:\DOKUME~1\Gert\FAVORI~1.\Spyware&Malware Protection.url
C:\Programme\NewMediaCodec
C:\Programme\Ultimate Cleaner
C:\WINDOWS\dat.txt
C:\WINDOWS\main_uninstaller.exe
C:\WINDOWS\msdde.dll
C:\WINDOWS\msole.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rs.txt
((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))
2007-07-09 19:08 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-09 16:09 <DIR> d-------- C:\DOKUME~1\Gert\ANWEND~1\Webroot
2007-07-09 09:36 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-07-09 09:10 <DIR> d-------- C:\DOKUME~1\ADMINI~1\ANWEND~1\Talkback
2007-07-06 23:48 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-07-06 22:35 <DIR> d-------- C:\Programme\Norton 360
2007-07-06 21:55 <DIR> dr------- C:\DOKUME~1\ADMINI~1\Eigene Dateien
2007-07-06 20:10 1,572,864 --ah----- C:\DOKUME~1\ADMINI~1\NTUSER.DAT
2007-07-06 20:10 <DIR> dr-h----- C:\DOKUME~1\ADMINI~1\Anwendungsdaten
2007-07-06 20:10 <DIR> dr------- C:\DOKUME~1\ADMINI~1\Startmenü
2007-07-06 20:10 <DIR> d--h----- C:\DOKUME~1\ADMINI~1\Vorlagen
2007-07-06 20:10 <DIR> d--h----- C:\DOKUME~1\ADMINI~1\Netzwerkumgebung
2007-07-06 20:10 <DIR> d--h----- C:\DOKUME~1\ADMINI~1\Lokale Einstellungen
2007-07-06 20:10 <DIR> d--h----- C:\DOKUME~1\ADMINI~1\Druckumgebung
2007-07-06 20:10 <DIR> d-------- C:\DOKUME~1\ADMINI~1\Favoriten
2007-07-06 19:18 <DIR> d-------- C:\Programme\MSXML 4.0
2007-07-06 17:42 <DIR> d-------- C:\Programme\Lavasoft
2007-07-06 17:42 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Lavasoft
2007-07-06 17:39 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2007-07-05 21:51 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Spybot - Search & Destroy
2007-06-21 18:19 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Google
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-09 15:50:51 -------- d-----w C:\Programme\Gemeinsame Dateien\Symantec Shared
2007-07-09 15:50:14 -------- d-----w C:\Programme\Gemeinsame Dateien\AccSys
2007-07-09 15:50:13 -------- d-----w C:\Programme\WLAN Quick-Starter
2007-07-09 11:31:57 -------- d-----w C:\DOKUME~1\Gert\ANWEND~1\Symantec
2007-07-09 08:14:53 48,156 ----a-w C:\WINDOWS\system32\perfc007.dat
2007-07-09 08:14:53 316,594 ----a-w C:\WINDOWS\system32\perfh007.dat
2007-07-09 06:53:05 -------- d-----w C:\Programme\StarMoney 3.0 Landesbank direkt
2007-07-06 20:37:43 -------- d-----w C:\Programme\Symantec
2007-07-06 20:37:42 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-07-06 20:37:42 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-06 20:29:03 -------- d-----w C:\Programme\Spamihilator
2007-07-06 20:28:54 -------- d-----w C:\Programme\F-Secure Internet Security
2007-06-04 13:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 13:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 13:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-17 11:38:53 63,352 ----a-w C:\DOKUME~1\Gert\ANWEND~1\GDIPFONTCACHEV1.DAT
2007-05-16 15:11:44 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:22:27 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:13:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 13:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
2004-09-29 11:02 292947 --a------ C:\Programme\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 05:16 59032 --a------ C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}]
2007-02-19 05:22 97960 -ra------ C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\NppBho.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-11-09 16:21 440056 --a------ C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WLAN Quick-Starter"="C:\Programme\WLAN Quick-Starter\WLAN Quick-Starter.exe" [2005-03-30 11:22]
"wlconfig"="C:\Programme\WLAN Monitor\wlconfig.exe" [2005-03-30 11:43]
"ccApp"="C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" [2007-01-09 23:59]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2006-05-17 20:59]
"ccRegVfy"="C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe" [2003-10-09 10:27]
"F-Secure Manager"="C:\Programme\F-Secure Internet Security\Common\FSM32.exe" []
"F-Secure TNB"="C:\Programme\F-Secure Internet Security\TNB\TNBUtil.exe" []
"F-Secure Startup Wizard"="C:\Programme\F-Secure Internet Security\FSGUI\FSSW.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:57]
"H/PC Connection Agent"="C:\Programme\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 21:14]
"Spamihilator"="C:\Programme\Spamihilator\spamihilator.exe" [2007-01-24 15:49]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"FoFileAssociate"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
"NoShellSearchButton"=1 (0x1)
"NoLowDiskSpaceChecks"=0 (0x0)
"HideClock"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoUserNameInStartMenu"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{700C0A24-BAE8-4B33-B027-B9C638E8EAEB}"="C:\WINDOWS\msole.dll" []
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"F-Secure Manager"="C:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash
"F-Secure Startup Wizard"="C:\Programme\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
"F-Secure TNB"="C:\Programme\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
"News Service"="C:\Programme\F-Secure Internet Security\FSGUI\ispnews.exe"
*Newly Created Service* - COMHOST
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 19:11:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-07-09 19:12:26
C:\ComboFix-quarantined-files.txt ... 2007-07-09 19:11
--- E O F ---
datfind:
Volume in drive C: is Festplatte C: 1.Platte
Volume serial number: 4C24-0E6A
Directory of C:\WINDOWS\system32
09.07.2007 17:50 2.206 wpa.dbl
09.07.2007 10:14 311.604 perfh009.dat
09.07.2007 10:14 39.992 perfc009.dat
09.07.2007 10:14 316.594 perfh007.dat
09.07.2007 10:14 48.156 perfc007.dat
09.07.2007 10:14 723.744 PerfStringBackup.INI
06.07.2007 22:52 16 coh.cache
06.07.2007 22:37 48.776 S32EVNT1.DLL
06.07.2007 20:02 212.880 FNTCACHE.DAT
06.07.2007 19:56 122.062 TZLog.log
05.06.2007 23:38 15.747.032 MRT.exe
16.05.2007 17:11 683.520 inetcomm.dll
04.05.2007 14:27 3.079.680 mshtml.dll
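The triage the helper performs in post #4, and the Active Desktop component that the ComboFix log in the first post exposes, as an added worked example that is not part of the thread (editor-supplied Python, not HijackThis, ComboFix or anything the posters ran). The two sample strings are lines copied from the logs above; extending the "missing file" rule to the O3 and O20 sections and the "service binary missing" rule for O23 are assumptions about how the same reasoning generalises. The checker flags a start page whose host is not the host of the ISP default page, and an O2/O21 entry whose CLSID is still registered after its DLL is gone (ComboFix deleted C:\WINDOWS\msole.dll on 09.07.2007, which is why the same O21 line reads "(no file)" in the second log). It deliberately does not flag the Symantec O23 lines: the stray quote in their path is HijackThis 1.99.1 mis-splitting a quoted ImagePath that carries arguments, and the running-process list in the same log shows ccSvcHst.exe alive. The second function finds the Active Desktop component whose Source is the local privacy_danger\index.htm page, which is the entry the Web tab of desk.cpl is meant to clear and the reason the wallpaper could not be changed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: lines quoted from the HijackThis log in this thread, including
# the three entries the helper told the poster to tick, plus benign neighbours.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
O2 - BHO: (no name) - {100B21CD-3B97-44FB-B1C0-EA6249E482E8} - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: msole - {700C0A24-BAE8-4B33-B027-B9C638E8EAEB} - C:\WINDOWS\msole.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""

# Constructed sample: "Reg Loading Points" lines quoted from the ComboFix log above.
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{700C0A24-BAE8-4B33-B027-B9C638E8EAEB}"="C:\WINDOWS\msole.dll" []
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
COMPONENT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\desktop\\components\\(\d+)\]$", re.I)
MISSING = ("(no file)", "(file missing)")
PAGE_KEYS = ("Start Page", "Search Page", "Default_Search_URL")


@dataclass
class Entry:
    section: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    key: Optional[str] = None   # R lines: registry value name, e.g. "Start Page"
    url: Optional[str] = None   # R lines: the configured URL


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis line into section, CLSID and path (key and URL for R lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    e = Entry(section=sec)
    if sec.startswith("R"):
        left, _, url = body.partition(" = ")
        e.key, e.url = left.rsplit(",", 1)[-1], url.strip()
    elif (c := CLSID_RE.search(body)):
        e.clsid, e.path = c.group(0), body[c.end():].lstrip(" -")
    elif " - " in body:
        e.path = body.rsplit(" - ", 1)[-1]
    return e


def triage(log: str) -> List[Dict[str, str]]:
    """Return the entries a helper would tick for 'Fix checked', each with its reason."""
    entries = [e for e in map(parse_line, log.splitlines()) if e]
    # The ISP/OEM default page (R1 Default_Page_URL) is the baseline for the page checks.
    defaults = {urlparse(e.url).hostname for e in entries
                if e.section == "R1" and e.key == "Default_Page_URL" and e.url}
    findings = []
    for e in entries:
        if e.section in ("R0", "R1") and e.key in PAGE_KEYS and e.url:
            host = urlparse(e.url).hostname
            if defaults and host not in defaults:
                findings.append({"section": e.section, "id": e.key,
                                 "reason": f"{e.key} points at {host}, not the default page host"})
        elif e.section in ("O2", "O3", "O20", "O21") and e.path and e.path.endswith(MISSING):
            findings.append({"section": e.section, "id": e.clsid or e.path,
                             "reason": "COM object still registered but its DLL is gone"})
        elif e.section == "O23" and e.path and e.path.endswith(MISSING) and '"' not in e.path:
            # A stray quote in the path is HijackThis 1.99.1 mis-splitting a quoted ImagePath
            # with arguments (assumption); the thread's process list shows ccSvcHst.exe running.
            findings.append({"section": e.section, "id": e.path, "reason": "service binary missing"})
    return findings


def active_desktop_components(report: str) -> List[Dict[str, str]]:
    """Active Desktop components in a ComboFix 'Reg Loading Points' dump whose Source is a local file."""
    found: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in report.splitlines():
        line = raw.strip()
        m = COMPONENT_RE.match(line)
        if m:
            current = {"index": m.group(1)}
            found.append(current)
        elif line.startswith("[") or current is None:
            current = None                      # another key: stop collecting values
        else:
            name, sep, value = line.partition("=")
            if sep:
                current[name.strip()] = value.strip()
    # A file:/// page as the component source is what locks the wallpaper to the fake warning.
    return [c for c in found if c.get("Source", "").lower().startswith("file:")]
```

triage() returns findings in log order, so for the sample they correspond one-to-one to the three lines the helper listed. Anything it flags still needs a human look: a start page the user changed on purpose trips the same rule, and a "(file missing)" on a service can be an uninstall leftover rather than an infection.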