ADClicker virus, HijackThis log already done.

05.03.2008, 09:39
...new here

Thread starter

Posts: 10
#16

Quote

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.
By now the virus warning only appears when I open the folder where all the logs and HijackThis and so on are ;) it has smelled that it's in for it.
Now and then it still pops up when the PC has been on for a while or when you go on the internet.
05.03.2008, 11:06
Honorary member
Pinguin

Posts: 1441
#17

0.
http://virus-protect.org/artikel/tools/aproposfix.html
download aproposfix.exe --> click RunThis.bat
press "enter" and wait until the window closes.
then copy the log.txt.

1.
HijackThis
Click: "Do a system scan only"
Tick the box in front of the entries named below
and choose "fix checked"

Quote

O2 - BHO: (no name) - {85B50F06-845B-4CD8-B8C9-15F77846BE1E} - c:\windows\system32\dmscriptw.dll

O2 - BHO: (no name) - {D8C54DF6-5982-4EEA-9967-AA227EC4A2EF} - C:\WINDOWS\System32\dmconfigb.dll

O20 - Winlogon Notify: djxsjqbh - C:\WINDOWS\SYSTEM32\dmscriptw.dll
______________________________________________________________

2.
Start -- Run -- type in: cmd - paste into the black DOS window

sc stop yustfluh

[press "enter"]

and wait a bit, then paste:

sc delete yustfluh

[press "enter"]

____________________________________________________________

Avenger:
http://virus-protect.org/artikel/tools/avenger.html
paste into the white field:

Quote

drivers to unload:
yustfluh
oreans32

registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\djxsjqbh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_YUSTFLUH
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\yustfluh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_YUSTFLUH
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\yustfluh
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YUSTFLUH
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yustfluh
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OREANS32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_OREANS32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\oreans32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8C54DF6-5982-4EEA-9967-AA227EC4A2EF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{85B50F06-845B-4CD8-B8C9-15F77846BE1E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ojzxqrkd
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85B50F06-845B-4CD8-B8C9-15F77846BE1E}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8C54DF6-5982-4EEA-9967-AA227EC4A2EF}

Files to delete:
C:\WINDOWS\System32\dmconfigb.dll
C:\WINDOWS\system32\dmscriptw.dll
C:\WINDOWS\system32\drivers\oreans32.sys
C:\WINDOWS\system32\drivers\xogubdno.dat
close all open programs (because after running the Avenger the computer will restart)
Click: Execute
confirm that the computer will be restarted - click "yes"

after the restart a log from the Avenger appears automatically - (C:\avenger.txt), copy it - with a right mouse click - copy - paste

+
also post the new log from HijackThis
__________
Regards
Pinguin

I'm in the process of updating my site + programs: http://www.virus-protect.org/
06.03.2008, 12:21
...new here

Thread starter

Posts: 10
#18 With the commands in the console it didn't want to run the first one, but for the second it said Success ;)

Quote

Log of AproposFix v1.1

************

Running from directory:
C:\Dokumente und Einstellungen\Tomke\Desktop\Antivirusoperation!\aproposfix

************

Warning: batch running in normal mode, not Safe Mode! In normal mode the fix WILL NOT WORK!


Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!

Quote

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 1)
Thu Mar 06 12:15:38 2008

12:15:32: Warning: Skipping potentially dangerous line:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yustfluh" (Registry key deletion mode)
12:15:38: Error: Execution aborted by user!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "yustfluh" deleted successfully.
Driver "oreans32" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_YUSTFLUH" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\yustfluh" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\yustfluh" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_YUSTFLUH" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\yustfluh" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YUSTFLUH" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YUSTFLUH" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yustfluh" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yustfluh" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OREANS32" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_OREANS32" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\oreans32" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\System32\dmconfigb.dll" deleted successfully.
File "C:\WINDOWS\system32\dmscriptw.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\oreans32.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\oreans32.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\drivers\xogubdno.dat" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\djxsjqbh" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8C54DF6-5982-4EEA-9967-AA227EC4A2EF}" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{85B50F06-845B-4CD8-B8C9-15F77846BE1E}" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ojzxqrkd" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85B50F06-845B-4CD8-B8C9-15F77846BE1E}" deleted successfully.
Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D8C54DF6-5982-4EEA-9967-AA227EC4A2EF}" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Quote

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Programme\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\Tomke\Desktop\Antivirusoperation!\HiJackThis\HJT.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Programme\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Einstellungen (2).lnk = C:\Programme\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D5C8B47-72B1-47AB-BABF-CB12C698D4CD}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1D5C8B47-72B1-47AB-BABF-CB12C698D4CD}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programme\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programme\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\swdsvc.exe

--
End of file - 3160 bytes
It finally seems to be done, at least I had no new warning and the lines are finally gone from the HijackThis log.
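As an added example (not part of this thread or of HijackThis itself), a small Python parser for the O2/O20/O23 lines quoted above: it flags the unnamed BHOs from post #17 together with the Winlogon Notify hook that loads the same DLL, and checks a second log to confirm those entries are gone, which is the check the thread starter did by eye in post #18. The sample logs are constructed from lines quoted in posts #17 and #18; the flagging rules are an assumption drawn from what the helper picked out, not a general malware heuristic.

```python
import re
from dataclasses import dataclass

# Constructed sample logs built from lines quoted in this thread: the three
# entries the helper asked to fix (post #17) plus benign lines from the
# later, clean log (post #18).
LOG_BEFORE = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {85B50F06-845B-4CD8-B8C9-15F77846BE1E} - c:\windows\system32\dmscriptw.dll
O2 - BHO: (no name) - {D8C54DF6-5982-4EEA-9967-AA227EC4A2EF} - C:\WINDOWS\System32\dmconfigb.dll
O20 - Winlogon Notify: djxsjqbh - C:\WINDOWS\SYSTEM32\dmscriptw.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programme\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""
LOG_AFTER = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programme\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

# Number of " - "-separated fields after the "Oxx - Kind:" prefix; the last one is the path.
FIELDS = {"O2": 3, "O20": 2, "O23": 3}
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")

@dataclass(frozen=True)
class Entry:
    code: str  # HijackThis section, e.g. "O2"
    name: str  # display name (BHO) or registry value name (Winlogon Notify)
    path: str  # file the entry loads, lower-cased so spelling variants compare equal

def parse_hjt(text):
    """Parse the O2/O20/O23 lines of a HijackThis log into Entry objects."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) not in FIELDS:
            continue  # other sections (O4, O17, ...) are not needed here
        code, _, rest = m.groups()
        parts = rest.split(" - ", FIELDS[code] - 1)
        if len(parts) == FIELDS[code]:
            entries.append(Entry(code, parts[0], parts[-1].lower()))
    return entries

def flag_suspicious(entries):
    """Unnamed BHOs, plus Winlogon Notify hooks that load the same DLL as one of them."""
    unnamed = [e for e in entries if e.code == "O2" and e.name == "(no name)"]
    bad_dlls = {e.path for e in unnamed}
    return unnamed + [e for e in entries if e.code == "O20" and e.path in bad_dlls]

def still_present(before_text, after_text):
    """Flagged entries from the first log that are still listed in the second."""
    after = set(parse_hjt(after_text))
    return [e for e in flag_suspicious(parse_hjt(before_text)) if e in after]
```

Running `still_present(LOG_BEFORE, LOG_AFTER)` on the constructed logs returns an empty list, matching the thread starter's observation that the lines are gone.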
06.03.2008, 12:52
Honorary member
Pinguin

Posts: 1441
#19 Hello,

fine ;) well done!
scan with BitDefender + post the scan report
http://board.protecus.de/t8642.htm
__________
Regards
Pinguin