Problems with Trojan/Malware II

#0
18.06.2008, 08:50
Member
Posts: 14
18.06.2008, 09:20
Honorary member
Posts: 6028
#2
RVAXO
Download: RVAXO by Smeenk, unzip RVAXO.zip to the desktop.
Start your computer in Safe Mode.
Open the RVAXO folder and double-click RunMe.cmd.
The uninstaller of a rogue scanner may start; do not close it, let it do its work.
Your computer will be restarted and the cmd window of RVAXO opens again.
Wait until a log file opens: C:\RVAXO-results.log
Post its contents here in the forum.
If your computer does not restart, do it manually, and run RunMe.cmd again as well.
__________
Regards, Argus
18.06.2008, 11:24
Honorary member
Posts: 29434
#3
Hello
before you run rvaxo, please do the following: delete ("fix") with HijackThis. Click "Do a system scan only", put a check mark in the box in front of the entry named below and choose "Fix checked", then restart the computer.
Quote:
O2 - BHO: (no name) - {9C0A6DF1-4AC3-452B-9412-FA9E30F6D29A} - C:\WINDOWS\system32\ddcyy.dll (file missing)
- then run rvaxo.
- afterwards: scan with Malwarebytes, let it remove everything that is found, and post the report here
http://virus-protect.org/artikel/tools/malwarebytes.html
__________
Regards, Sabina
all about PC security
18.06.2008, 20:27
Member
Thread starter, Posts: 14
#4
Hello,
did everything as described... Result of the RVAXO report:

---RVAXO.exe Updated: 2008-05-29---first run---
Uninstallers:
Files found:
C:\WINDOWS\BM9787ab1f.txt
C:\WINDOWS\system32\clkcnt.txt
Folders Found:
Hosts-file was reset, If you use a custom hosts file please replace it...
--------------RVAXO.exe last run---------------
Not deleted items:
--------------RVAXO.exe finished----------------

Result of Malwarebytes:

Malwarebytes' Anti-Malware 1.17
Version de la base de données: 846
20:19:17 18/06/2008
mbam-log-6-18-2008 (20-18-55).txt
Type de recherche: Examen complet (C:\|)
Eléments examinés: 99233
Temps écoulé: 46 minute(s), 13 second(s)
Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 5
Valeur(s) du Registre infectée(s): 1
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 3
Fichier(s) infecté(s): 53
Processus mémoire infecté(s):
(Aucun élément nuisible détecté)
Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)
Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\pbfrv2.pbfrv2 (Adware.2020Search) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{4e7bd74f-2b8d-469e-a0e8-ed6ab685fa7d} (Adware.2020Search) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
Valeur(s) du Registre infectée(s):
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4e7bd74f-2b8d-469e-a0e8-ed6ab685fa7d} (Adware.2020Search) -> No action taken.
Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)
Dossier(s) infecté(s):
C:\Program Files\dynamic toolbar (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2 (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache (Adware.2020search) -> No action taken.
Fichier(s) infecté(s):
C:\QooBox\Quarantine\C\WINDOWS\system32\bbrsbcda.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\bhypwfcg.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\eibfxtea.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\ffksvuoj.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\hdbmccwp.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\hjkyxhnx.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\jevxewko.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\lfivsiwl.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\nerqmnlk.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\nsibvhwu.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\oppoidgy.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\tkdelygw.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\tovaombv.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\vgxvrfgi.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\yfpadmne.dll.vir (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045860.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045861.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045862.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045863.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045864.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045865.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045866.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045869.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045872.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045873.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045874.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045877.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0045878.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0046861.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{751238CC-FEB5-4605-9EA9-B441EBD3D66D}\RP304\A0046864.dll (Trojan.Vundo) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\ErrorLog.txt (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\go.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\home.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\logo_pb.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\parent_off.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\parent_on.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\pbfrv2tb0200.cfg (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\popup_off.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\popup_on.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\search.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\services.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\skin.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\skin1.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\skin2.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\skin3.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\skin4.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\skin5.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\store.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\style.css (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\support.bmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\T15515.tmp (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\ticker.xml (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\PBFRV2\Cache\_Ticker_ticker.txt (Adware.2020search) -> No action taken.

Regards, Zizou
18.06.2008, 23:32
Honorary member
Posts: 29434
#5
Hello, Zizou
now let everything that Malwarebytes found be deleted, then scan once more, but in Safe Mode, and post the report
- then scan with the a-squared Web Malware Scanner and post the report
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina
all about PC security
19.06.2008, 09:59
Member
Thread starter, Posts: 14
#6
Hello Sabina,
I had already deleted everything; so scan in Safe Mode right away? Or scan and delete again in normal mode, and then scan in Safe Mode and post the report??
Regards, Zizou
19.06.2008, 11:21
Honorary member
Posts: 29434
#7
Hello
I only want to be sure that Malwarebytes no longer reports anything, neither in normal mode nor in Safe Mode. You don't need to post a report, just the information.
Then scan with the a-squared Web Malware Scanner (online) and post the report.
__________
Regards, Sabina
all about PC security
03.07.2008, 18:09
Member
Thread starter, Posts: 14
#8
Hello,
so Malwarebytes definitely no longer reports anything. Result of the scanner, as text and as an attachment, unfortunately without the removed objects..

a-squared Free - Version 2
Scan settings:
Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: Off
ADS Scan: On
Scan start: 03/07/2008 10:51:13
Scanned
Files: 140435
Traces: 187402
Cookies: 344
Processes: 30
Found
Files: 7
Traces: 16
Cookies: 22
Processes: 0
Scan end: 03/07/2008 11:39:08
Scan time: 00:47:55

Attachment: oli.png
03.07.2008, 22:42
Honorary member
Posts: 29434
#9
Hello,
a-squared Web Malware Scanner - let it remove everything it found.
Please post a new HijackThis log.
__________
Regards, Sabina
all about PC security
So now the laptop is acting up too....
1. Temporary files were removed.
2. ComboFix:
ComboFix 08-06-10.5 - BRENCKLE Joëlle 2008-06-14 16:06:55.6 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.133 [GMT 2:00]
Endroit: C:\Documents and Settings\BRENCKLE Joëlle\Mes documents\oli\ComboFix.exe
.
((((((((((((((((((((((((((((( Fichiers créés 2008-05-14 to 2008-06-14 ))))))))))))))))))))))))))))))))))))
.
2008-06-12 21:25 . 2008-06-12 21:25 <REP> d-------- C:\Documents and Settings\BRENCKLE JoÙlle
2008-06-12 21:22 . 2008-06-12 21:27 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-11 20:38 . 2008-06-11 20:38 <REP> d-------- C:\Program Files\CCleaner
2008-05-24 16:09 . 2004-08-04 00:54 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-24 16:09 . 2001-08-23 17:47 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 14:10 2,822,432 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-14 14:10 135,712 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-14 14:02 --------- d-----w C:\Program Files\free-downloads.net
2008-06-14 14:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-14 13:59 39,488 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-14 13:59 14,672 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-14 13:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-14 13:44 --------- d-----w C:\Program Files\Creative
2008-06-14 10:32 --------- d-----w C:\Program Files\SDLL
2008-06-14 10:32 --------- d-----w C:\Program Files\Micro Application
2008-06-13 17:25 --------- d-----w C:\Program Files\Wanadoo
2008-05-16 19:17 --------- d-----w C:\Documents and Settings\BRENCKLE Joëlle\Application Data\U3
2008-05-02 15:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-02 14:38 --------- d-----w C:\Program Files\Microsoft Works
2008-05-02 14:37 --------- d-----w C:\Program Files\MSBuild
2008-05-02 14:33 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-02 13:35 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-26 19:06 96,645 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-04-26 19:06 87,941 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-04-26 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-04-26 17:57 --------- d-----w C:\Program Files\DesignPro
2008-04-26 16:18 --------- d-----w C:\Program Files\Kaspersky Lab
2008-04-26 16:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-04-26 16:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-26 16:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-20 08:09 1,845,376 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2005-07-17 10:39 56 --sh--r C:\WINDOWS\system32\D070F10FBD.sys
.
((((((((((((((((((((((((((((( snapshot_2008-06-13_19.44.34,82 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-13 17:33:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-14 14:02:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C0A6DF1-4AC3-452B-9412-FA9E30F6D29A}]
C:\WINDOWS\system32\ddcyy.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6A2C7B3-C514-42CC-84E1-9B230B67C41D}]
C:\WINDOWS\system32\iifcawww.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 15:00 15360]
"WOOKIT"="C:\Program Files\Wanadoo\Shell.exe" [ ]
"AlcoholAutomount"="C:\Documents and Settings\BRENCKLE Joëlle\Bureau\Alcohol 120\axcmd.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 15:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 15:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 15:00 455168]
"SoundMan"="SOUNDMAN.EXE" [2004-09-16 21:39 69632 C:\WINDOWS\SOUNDMAN.EXE]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 02:11 24576]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-17 18:00 98304]
"BM9787ab1f"="C:\WINDOWS\system32\xbkdseaq.dll" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 15:00 15360]
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
Démarrage rapide du logiciel HP Image Zone.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24 73728]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfgda]
hggfgda.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomnonom]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\APPS\\Inventime\\my.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 DCamUSBPremier;USB Video Camera;C:\WINDOWS\system32\Drivers\mpixvid.sys [2004-07-01 02:03]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys []
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5995dc00-b4a1-11dc-9638-0060b35f31f8}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2007-10-06 13:19:31 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 16:10:51
Windows 5.1.2600 Service Pack 2 NTFS
Balayage processus cachés ...
Balayage caché autostart entries ...
Balayage des fichiers cachés ...
Scan terminé avec succès
Les fichiers cachés: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySqlInventime]
"ImagePath"="c:\mysql\bin\mysqld-max-nt MySqlInventime"
.
Temps d'accomplissement: 2008-06-14 16:13:28
ComboFix-quarantined-files.txt 2008-06-14 14:12:58
ComboFix2.txt 2008-06-12 19:25:16
Pre-Run: 20,181,852,160 octets libres
Post-Run: 20,181,934,080 octets libres
138 --- E O F --- 2008-06-12 19:27:25
3. HijackThis logfile
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:31:06, on 14/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\BRENCKLE Joëlle\Mes documents\oli\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.fr/search?sourceid=navclient&hl=fr&ie=UTF-8&oe=UTF-8&q=MSN
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {9C0A6DF1-4AC3-452B-9412-FA9E30F6D29A} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O2 - BHO: (no name) - {F6A2C7B3-C514-42CC-84E1-9B230B67C41D} - C:\WINDOWS\system32\iifcawww.dll (file missing)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: PBFRV2 - {4E7BD74F-2B8D-469E-A0E8-ED6AB685FA7D} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BM9787ab1f] Rundll32.exe "C:\WINDOWS\system32\xbkdseaq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WOOKIT] C:\Program Files\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Documents and Settings\BRENCKLE Joëlle\Bureau\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Démarrage rapide du logiciel HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Ajouter à Kaspersky Anti-Bannière - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Statistiques dAnti-Virus Internet - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\fr.htm
O20 - AppInit_DLLs: C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll
O20 - Winlogon Notify: hggfgda - hggfgda.dll (file missing)
O20 - Winlogon Notify: qomnonom - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - F:\bin\btwdins.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Documents and Settings\BRENCKLE Joëlle\Bureau\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 7337 bytes
4. datfind logfile
.
.
Please post only the entries of the last 3 months per folder
.
.
Le volume dans le lecteur C n'a pas de nom.
Le numéro de série du volume est 94B4-982C
Répertoire de C:\WINDOWS\system32
12/06/2008 21:36 405˙512 FNTCACHE.DAT
11/06/2008 20:32 1˙158 wpa.dbl
26/04/2008 21:43 0 clkcnt.txt
26/04/2008 16:46 3˙072 CONFIG.NT
30/03/2008 18:53 448˙428 perfh00C.dat
30/03/2008 18:53 64˙930 perfc00C.dat
30/03/2008 18:53 383˙588 perfh009.dat
30/03/2008 18:53 53˙942 perfc009.dat
30/03/2008 18:52 959˙484 PerfStringBackup.INI
20/03/2008 10:09 1˙845˙376 win32k.sys
16/03/2008 21:12 63 94b48a0d
01/03/2008 18:28 3˙591˙680 mshtml.dll
01/03/2008 14:58 826˙368 wininet.dll
01/03/2008 14:58 233˙472 webcheck.dll
01/03/2008 14:58 1˙159˙680 urlmon.dll
01/03/2008 14:58 105˙984 url.dll
01/03/2008 14:58 193˙024 msrating.dll
01/03/2008 14:58 44˙544 pngfilt.dll
01/03/2008 14:58 102˙912 occache.dll
01/03/2008 14:58 671˙232 mstime.dll
01/03/2008 14:58 478˙208 mshtmled.dll
01/03/2008 14:58 44˙544 iernonce.dll
01/03/2008 14:58 1˙831˙424 inetcpl.cpl
01/03/2008 14:58 6˙066˙176 ieframe.dll
01/03/2008 14:58 267˙776 iertutil.dll
01/03/2008 14:58 27˙648 jsproxy.dll
01/03/2008 14:58 459˙264 msfeeds.dll
01/03/2008 14:58 52˙224 msfeedsbs.dll
01/03/2008 14:58 384˙512 iedkcs32.dll
01/03/2008 14:58 383˙488 ieapfltr.dll
01/03/2008 14:58 63˙488 icardie.dll
01/03/2008 14:58 153˙088 ieakeng.dll
01/03/2008 14:58 133˙120 extmgr.dll
01/03/2008 14:58 124˙928 advpack.dll
01/03/2008 14:58 347˙136 dxtmsft.dll
01/03/2008 14:58 214˙528 dxtrans.dll
01/03/2008 14:58 230˙400 ieaksie.dll
29/02/2008 10:56 70˙656 ie4uinit.exe
22/02/2008 12:00 13˙824 ieudinit.exe
20/02/2008 08:51 282˙624 gdi32.dll
20/02/2008 07:35 45˙568 dnsrslvr.dll
20/02/2008 07:35 148˙992 dnsapi.dll
15/02/2008 07:44 161˙792 ieakui.dll
08/02/2008 18:37 219˙664 klogon.dll
5. Problem description
Similar to the other thread:
- Kaspersky reports Trojans without being able to remove them
- the antivirus program before that was likewise Avast
- Laptop extremely slow; after I uninstalled some unnecessary programs and worked through the first 5 points it is a little better. Needed 4 attempts for the ComboFix log alone, it kept crashing in between. The Internet also did not work the whole time, but it is running again now.
Many thanks in advance.
Regards, Zizou
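The helpers in this thread pick the Vundo leftovers out of the HijackThis log by eye: the "(no name)" BHOs whose DLL is "(file missing)" (the entry Sabina has fixed in post #3), the PBFRV2 toolbar with "(no file)", the BM9787ab1f Run entry that loads xbkdseaq.dll through Rundll32, and the hggfgda / qomnonom Winlogon Notify handlers. The Python script below is an added example, not a tool from this thread or from the HijackThis project: it turns those four observations into triage rules and runs them over a sample log. The sample lines are copied from the HijackThis log in the last post, plus two constructed benign lines (NvCplDaemon and WgaLogon, which are not on this page) as negatives; the "eight lowercase letters" DLL-name rule is an assumption drawn from the names seen in this thread, not a HijackThis feature.

```python
"""Triage helper for HijackThis-style log lines.

Added example; not a tool from the thread or from HijackThis. It flags the
indicator classes the helpers act on by hand above: BHOs with no name or a
missing DLL, toolbars with no file, Run entries that load a random-named DLL
through Rundll32, and Winlogon Notify handlers that do not resolve to a DLL.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumption drawn from the names in this thread (xbkdseaq.dll, bbrsbcda.dll,
# ...): a DLL stem of exactly eight lowercase letters counts as "random-named".
# Heuristic only; it is not a HijackThis rule.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")

SECTION = re.compile(r"^(O\d+)\s+-\s+(.*)$")
RUNDLL_TARGET = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)


@dataclass
class Finding:
    section: str                  # HijackThis section code: O2, O3, O4, O20
    line: str                     # the raw log line
    reasons: list[str] = field(default_factory=list)


def _filename(path: str) -> str:
    """Last component of a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1]


def triage_line(line: str) -> Finding | None:
    """Return a Finding for a suspicious line, None for a benign or unknown one."""
    line = line.strip()
    m = SECTION.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    reasons: list[str] = []

    if section == "O2" and body.startswith("BHO:"):
        if "(no name)" in body:
            reasons.append("BHO registered without a display name")
        if "(file missing)" in body:
            reasons.append("BHO CLSID points at a DLL that is no longer on disk")
    elif section == "O3" and "(no file)" in body:
        reasons.append("toolbar CLSID with no backing file")
    elif section == "O4":
        # body looks like 'HKLM\..\Run: [Name] command line'
        cmd = body.split(": ", 1)[-1]
        rd = RUNDLL_TARGET.search(cmd)
        if rd and RANDOM_DLL.match(_filename(rd.group(1))):
            reasons.append("Run entry loads a random-named DLL through Rundll32")
    elif section == "O20" and body.startswith("Winlogon Notify:"):
        # body looks like 'Winlogon Notify: key - C:\path\handler.dll'
        target = body.split(" - ", 1)[-1].strip()
        if "(file missing)" in target or not target.lower().endswith(".dll"):
            reasons.append("Winlogon Notify handler does not resolve to a DLL")

    return Finding(section, line, reasons) if reasons else None


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of a log and keep the hits."""
    hits = (triage_line(raw) for raw in text.splitlines())
    return [f for f in hits if f is not None]


def section_counts(findings: list[Finding]) -> dict[str, int]:
    """Number of flagged lines per HijackThis section."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Sample input: lines copied from the HijackThis log in this thread, plus two
# constructed benign lines (NvCplDaemon, WgaLogon) that are not on the page.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9C0A6DF1-4AC3-452B-9412-FA9E30F6D29A} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {F6A2C7B3-C514-42CC-84E1-9B230B67C41D} - C:\WINDOWS\system32\iifcawww.dll (file missing)
O3 - Toolbar: PBFRV2 - {4E7BD74F-2B8D-469E-A0E8-ED6AB685FA7D} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BM9787ab1f] Rundll32.exe "C:\WINDOWS\system32\xbkdseaq.dll",s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: C:\PROGRA~1\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll
O20 - Winlogon Notify: hggfgda - hggfgda.dll (file missing)
O20 - Winlogon Notify: qomnonom - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4} {'; '.join(f.reasons)}")
        print(f"     {f.line}")
    print(section_counts(found))
```

On the sample log the script flags six lines (two O2, one O3, one O4, two O20) and leaves the Acrobat BHO, the QuickTime and NvCpl Run entries, the Kaspersky AppInit_DLLs line and the HP service alone. A "(file missing)" hit is a registry leftover rather than live code, which is why the advice in the thread is to fix the entry in HijackThis and then rescan, not to hunt for the DLL.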