WARNING! Win32/Adware.Virtumonde detected on you computer - need help! (Thread is closed)
#0
06.09.2008, 14:26
Honorary member
Posts: 6028
15.09.2008, 20:58
Member
Thread starter, Posts: 12
#17
Hello Arnold!
I wanted to get in touch much earlier to thank you; for me everything worked out great, the virus is completely gone and everything works again!!! But now I have another problem at work with our shared computer. It has also caught a virus, and I went about it the same way as with my own virus. It also says a virus is attacking the computer, and a warning message keeps popping up. I have now downloaded HijackThis and mbam, ran them, and removed the infected files. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42:46, on 15.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Here is the ComboFix log:

ComboFix 08-09-15.02 - KutzsSFB 2008-09-16 12:58:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.250 [GMT 2:00]
Running from: C:\Documents and Settings\KutzsSFB\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Kiely\Cookies\kiely@ehg-kodak.hitbox[2].txt
C:\WINDOWS\Downloaded Program Files\UDC6U_0001_D19M0709NetInstaller.exe
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\BSPECIAL.DLL
C:\WINDOWS\system32\sp2.exe
.
((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
.
2008-09-16 13:04 . 2008-09-16 13:04 53,248 --a------ C:\temp\catchme.dll
2008-09-15 19:41 . 2008-09-15 19:41 396,288 --a------ C:\HijackThis.exe
2008-09-15 19:18 . 2008-09-15 19:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-15 19:18 . 2008-09-15 19:18 <DIR> d-------- C:\Documents and Settings\KutzsSFB\Application Data\Malwarebytes
2008-09-15 19:18 . 2008-09-15 19:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-15 19:18 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-15 19:18 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-15 19:17 . 2008-09-15 19:17 <DIR> d-------- C:\temp\is-DPM1P.tmp
2008-09-15 19:16 . 2008-09-16 13:03 <DIR> d-------- C:\temp\is-JG1B5.tmp
2008-08-27 11:49 . 2008-08-27 11:49 <DIR> d-------- C:\temp\nai265
2008-08-27 10:50 . 2008-08-27 10:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TomTom
2008-08-27 10:49 . 2008-08-27 10:49 <DIR> d-------- C:\Documents and Settings\KutzsSFB\Application Data\TomTom
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 12:34 --------- d-----w C:\Program Files\Common Files\Borland
2008-08-07 12:34 --------- d-----w C:\Program Files\Buildsoft Pty. Ltd
2007-08-22 17:07 80,795,262 ----a-w C:\Documents and Settings\Rau\saturn_download_2007-71-22_19-3.zip
2006-01-27 13:06 18,008 ----a-w C:\Documents and Settings\Kiely\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\EPOAgent\Common Framework\UpdaterUI.exe" [2005-08-31 139320]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-02 118784]
"CCM User Profile Manager"="c:\_integra\upm\bin\CCM_User.exe" [2003-12-16 438272]
"Printkey_reg"="c:\Program Files\printkey\printkey.cmd" [2004-06-14 49]
"ProxyHostTrayIcon"="C:\Program Files\ON Technology\ON Command Remote Host\phtray.exe" [2003-01-07 103664]
"ProxyeinstellungIE"="C:\_Integra\Util\Proxy.bat" [2005-03-15 1165]
"ShStatEXE"="c:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-25 94208]
"NDPS"="C:\WINDOWS\system32\dpmw32.exe" [2004-05-17 32859]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 C:\WINDOWS\system32\nwtray.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Sender Link.lnk - C:\Program Files\HP DS9100C\Link\hpnsjtr.exe [2005-12-06 245251]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoBandCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\_INTEGRA\\BIN\\CCMAGENT.EXE"=
"C:\\Program Files\\HP DS9100C\\Link\\hpnsjtr.exe"=
"C:\\WINDOWS\\system32\\dpmw32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:10.0.0.0/255.0.0.0:Enabled:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:10.0.0.0/255.0.0.0:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:10.0.0.0/255.0.0.0:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:10.0.0.0/255.0.0.0:Enabled:@xpsp2res.dll,-22002
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1505:UDP"= 1505:UDP:On Command Remote
"5003:TCP"= 5003:TCP:On Command Discovery

R2 smefs;SMEFileSystem;C:\WINDOWS\system32\drivers\smefs.sys [2002-04-23 10752]
R3 smedrv;SMEDriver;C:\WINDOWS\system32\drivers\smedrv.sys [2001-11-09 5760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a599fe8-5493-11dc-9303-000e7f6b6bd5}]
\Shell\AutoRun\command - E:\LaunchU3.exe

*Newly Created Service* - ENTDRV51
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TomTomHOME.exe - C:\Program Files\TomTom HOME 2\HOMERunner.exe

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.de/
R0 -: HKLM-Main,Start Page = hxxp://eduardo.stgt.zueblin.de
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
O15 -: Trusted Zone: *.baulogis.com
O15 -: Trusted Zone: *.weilgut.de
O15 -: Trusted Zone: *.stgt.zueblin.de
O15 -: Trusted Zone: *.baulogis.com
O15 -: Trusted Zone: *.weilgut.de
O15 -: Trusted Zone: *.stgt.zueblin.de
O17 -: HKLM\CCS\Interface\{03B28F17-BB4D-4788-9C14-BBC0FBFCD58A}: NameServer = 192.168.1.254,213.94.190.194
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
O16 -: {7527E129-A524-434A-A337-8C19F6F25C91} - hxxps://shop.aldisued-fotos-druck.de/shop/activex/aldi_sued_express_upload.cab
C:\WINDOWS\Downloaded Program Files\aldi_sued_express_upload.ocx
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 13:04:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\EPOAgent\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\EPOAgent\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\_INTEGRA\BIN\CCMAGENT.EXE
C:\Program Files\ON Technology\ON Command Remote Host\Ph32Svc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\_INTEGRA\BIN\SHSTART.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-09-16 13:07:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-16 11:07:05

Pre-Run: 70,239,711,744 bytes free
Post-Run: 70,355,971,584 bytes free

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\EPOAgent\Common Framework\FrameworkService.exe
c:\Program Files\Network Associates\VirusScan\Mcshield.exe
c:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\_integra\bin\ccmagent.exe
c:\Program Files\ON Technology\ON Command Remote Host\ph32svc.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\program files\EPOAgent\Common Framework\UpdaterUI.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://eduardo.stgt.zueblin.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://eduardo.stgt.zueblin.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://eduardo.stgt.zueblin.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://eduardo.stgt.zueblin.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://eduardo.stgt.zueblin.de
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe,
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "c:\program files\EPOAgent\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CCM User Profile Manager] "c:\_integra\upm\bin\CCM_User.exe"
O4 - HKLM\..\Run: [Printkey_reg] c:\Program Files\printkey\printkey.cmd
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\ON Technology\ON Command Remote Host\phtray.exe"
O4 - HKLM\..\Run: [ProxyeinstellungIE] C:\_Integra\Util\Proxy.bat
O4 - HKLM\..\Run: [ShStatEXE] "c:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Sender Link.lnk = C:\Program Files\HP DS9100C\Link\hpnsjtr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://eduardo.stgt.zueblin.de
O15 - Trusted Zone: *.baulogis.com
O15 - Trusted Zone: *.weilgut.de
O15 - Trusted Zone: *.stgt.zueblin.de
O15 - Trusted Zone: *.baulogis.com (HKLM)
O15 - Trusted Zone: *.weilgut.de (HKLM)
O15 - Trusted Zone: *.stgt.zueblin.de (HKLM)
O15 - Trusted IP range: 10.*.*.*
O15 - Trusted IP range: 10.*.*.* (HKLM)
O16 - DPF: {7527E129-A524-434A-A337-8C19F6F25C91} (AldiSuedActiveFormX Element) - https://shop.aldisued-fotos-druck.de/shop/activex/aldi_sued_express_upload.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = zueblin.de
O17 - HKLM\Software\..\Telephony: DomainName = zueblin.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{03B28F17-BB4D-4788-9C14-BBC0FBFCD58A}: NameServer = 192.168.1.254,213.94.190.194
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = zueblin.de
O17 - HKLM\System\CS1\Services\Tcpip\..\{03B28F17-BB4D-4788-9C14-BBC0FBFCD58A}: NameServer = 192.168.1.254,213.94.190.194
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = zueblin.de
O17 - HKLM\System\CS2\Services\Tcpip\..\{03B28F17-BB4D-4788-9C14-BBC0FBFCD58A}: NameServer = 192.168.1.254,213.94.190.194
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - c:\program files\EPOAgent\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - c:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - c:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: ON Command Remote Control Host Service (ProxyHostService) - Funk Software, Inc. - c:\Program Files\ON Technology\ON Command Remote Host\ph32svc.exe
O23 - Service: CCM Windows Agent (WControl) - Symantec Corporation - c:\_integra\bin\ccmagent.exe

--
End of file - 7299 bytes

Malwarebytes' Anti-Malware 1.28
Database version: 1156
Windows 5.1.2600 Service Pack 2

15.09.2008 19:27:43
mbam-log-2008-09-15 (19-27-43).txt

Scan type: Quick Scan
Objects scanned: 59508
Time elapsed: 7 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 26
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 34

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{1d35dad7-5b12-41e4-be92-fde2af90b3da} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{88545524-97b4-4b1b-88c2-9d83727d6f4c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ecb4205a-169f-4ea4-99f3-597a5643ea5f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1794c793-0b3f-4447-a6f7-b0a42ceb69e0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1794c793-0b3f-4447-a6f7-b0a42ceb69e0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{65dd1a70-4022-42b4-bd7c-6e24420d57ca} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\CodecBHO.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.codecplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.codecplugin.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur27.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur28.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur29.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur21.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur24.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur27.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur28.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur29.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur2f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur1f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur21.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur24.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\MicroAntivirus (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\RichVideoCodec\5378.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\4.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\7.exe (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\MicroAntivirus\microAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAntivirus\microAV.exe (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAntivirus\microAV.ooo (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAntivirus\microAV0.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAntivirus\microAV1.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR27.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR2A.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR21.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR24.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\CodecBHO.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\0000005378.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\KutzsSFB\Desktop\MicroAntivirus.lnk (Rogue.XPertAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Explorer.ICO (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

This post was edited on 16.09.2008 at 14:35 by andi841.
19.09.2008, 23:55
Member
Posts: 50
#18
Hello,
I urgently need help. I don't know anything about PCs, and a few hours ago I also got the message: Warning! Win32/Adware Virtumonde (see thread title)... etc., and this message then became my desktop background. So then I wanted to activate my AntiVir Classic Edition, but a message came up saying I should check after the installation or something like that. In the Control Panel under Add or Remove Programs I could still find AntiVir, but neither Remove nor Change worked; then a message came up that the CRC checksum had been altered and that this might have been caused by a virus. In a panic I then tried to download a new AntiVir version (freeware), but running it didn't work either; the message about the CRC checksum came up again??!! So then I downloaded Ad-Aware and ran a scan; it also found two things, which I then put into quarantine (was that right?). Then I also downloaded ClamWin and ran a scan and likewise put the items it found into quarantine. Unfortunately, after both of them the desktop was still unchanged. Then I also got Malwarebytes and ran a scan and removed all the selected items (there were 53). And now my desktop is nice and blue again... so it worked, I assume, or? Well, what still doesn't work is the Classic version of AntiVir, nor a newly downloaded one... the message about the CRC checksum comes up as before... does that mean there are still some viruses??? Or how do I finally get AntiVir running again or uninstalled? And do you perhaps know a free anti-spyware program... that warns me before a virus etc. gets onto my computer?
Well, above all I would actually just like to know whether everything is more or less okay again and whether I did this reasonably right. In earlier answers from you I have always seen those strange "logfiles"... where do you get those? And what can you read from them... to me that looks very confusing ;o Okay, in any case many thanks for any quick help!!!
20.09.2008, 00:22
Member
Posts: 325
#19
Hello debbbbbi!
Go ahead and post us one of those "strange" logfiles. But before that, use CCleaner and delete the temporary files, so that the supply folders, so to speak, are clean (see the attached picture for the settings ---> then Analyze and afterwards Run Cleaner).
CCleaner: http://www.ccleaner.de/?protecus.de
Then download HijackThis --> Do a system scan & save a logfile --> post that first, and then we'll see.
http://www.trendsecure.com/portal/en-US/threat_analytics/HiJackThis.zip
Attachment: Ccleaner.jpg
This post was edited on 20.09.2008 at 00:39 by Provisitor.
20.09.2008, 11:55
Member
Posts: 50
#20
Hi Provisitor,
thanks a lot for the quick reply... oh man, by now I really have loads of antivirus programs on here, but if it helps! Here is the logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:33, on 20.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\TEMP\RO7529.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\PROGRA~1\ICQ6\ICQ.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169464580803
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 7317 bytes

Greetings and many thanks
20.09.2008, 12:03
Honorary member
Posts: 6028
#21
@debbbbbbi
Virustotal
Please check this file (these files) at Virustotal: http://www.virustotal.com/flash/index_en.html
Quote: C:\WINDOWS\TEMP\RO7529.EXE
Note: If VirusTotal reports "The file has already been analysed", choose "Analyse the file", and post the report.

Malwarebytes Anti-Malware for Windows 2000, XP and Vista
Download MBAM
Double-click mbam-setup and choose German; the program will now be updated.
Click "Settings" and tick "Terminate Internet Explorer during removal".
On the "Scanner" tab choose "Perform quick scan".
Even if you have already downloaded the updates, check for updates once more before the scan!
Select all drives and let the scan run.
If infections are found at the end, tick them and have them removed.
Restart your computer.
The log is listed under scan reports (mbam-log-XX-XX-XXXX.txt); post its contents here in the forum.
Note: If MBAM has trouble removing data, it will say so; click OK. It will then ask to restart the computer; allow it.
You can keep Malwarebytes Anti-Malware afterwards! Later you can also run a "Full scan".
__________
Regards, Argus
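The log above is what the helper works from: a process running out of C:\WINDOWS\TEMP is sent to VirusTotal, and the same log also lists a service of "Unknown owner" whose file is missing. Those checks can be done mechanically. The script below is an added example for this thread, not a tool posted in it or shipped by HijackThis or Trend Micro; it parses HijackThis-style lines and applies a small rule set that is my own assumption of what a first triage pass looks like (temporary-directory executables, services with no publisher, entries pointing at files that no longer exist). The sample log is constructed from a few lines of the log posted above, with benign entries kept in as controls.

```python
"""Triage a HijackThis log: parse the entries and flag the ones an analyst
would look at first.  Added example for this thread, not a tool posted in it;
the rule set is an assumption (small and conservative), not a full verdict."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines excerpted from the HijackThis log
# posted in this thread.  Benign lines are included as controls.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\TEMP\RO7529.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")        # e.g. "O23 - Service: ..."
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')  # "C:\Program Files\..."
BARE_PATH_RE = re.compile(r'([A-Za-z]:\\[^\s"]+)')    # C:\WINDOWS\system32\x.exe
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str   # "process" for the running-process list, else the section code (O4, O23, ...)
    raw: str    # the log line exactly as posted
    path: str   # file path the entry points at, or "" if it has none


@dataclass
class Finding:
    rule: str
    entry: Entry


def extract_path(kind, body):
    """Pull the file path out of one entry body; "" if there is none."""
    if kind == "process":
        return body.strip()
    if kind == "O23":
        # Service lines end in " - <path>", optionally followed by "(file missing)".
        tail = body.rsplit(" - ", 1)[-1]
        return tail.replace("(file missing)", "").strip()
    m = QUOTED_PATH_RE.search(body) or BARE_PATH_RE.search(body)
    return m.group(1) if m else ""


def parse_hijackthis(text):
    """Split a HijackThis log into Entry objects (process list plus Rx/Oxx lines)."""
    entries = []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            kind, body = m.groups()
            entries.append(Entry(kind, line, extract_path(kind, body)))
        elif line.lower() == "running processes:":
            in_processes = True
        elif in_processes:
            entries.append(Entry("process", line, line))
    return entries


def triage(entries):
    """Apply the rule set; every hit is reported, nothing is removed."""
    findings = []
    for e in entries:
        if e.path and TEMP_DIR_RE.search(e.path):
            findings.append(Finding("executable in a temporary directory", e))
        if e.kind == "O23" and "Unknown owner" in e.raw:
            findings.append(Finding("service with no known publisher", e))
        if "(file missing)" in e.raw or "(no file)" in e.raw:
            findings.append(Finding("entry points at a file that no longer exists", e))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hijackthis(SAMPLE_LOG)):
        print(f"[{f.rule}] {f.entry.raw}")
```

On the sample, the temp-directory rule fires on C:\WINDOWS\TEMP\RO7529.EXE, the MsaSvc service line hits both the publisher rule and the missing-file rule, and the (no name) BHO hits the missing-file rule; the ClamWin and tmlisten lines pass. A "missing file" hit is frequently only a leftover of an uninstall, so the output is a worklist for a human, which is how the thread uses it.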
20.09.2008, 12:21
Member
Posts: 50
#22
Oh, one more thing that just occurred to me:
I had Spyware Doctor installed, and when I click its button it says it is searching for the program, then it searches forever and doesn't find it. It's still in the list under Add and Remove Programs, but when I click Change/Remove exactly the same thing happens: it searches for it forever... I don't know how helpful this information is for you, but I basically have the same problem with that program as with AntiVir, right? And I also wanted to say that yesterday, a few hours before I got the virus warning (that Win32... one), I upgraded my laptop with new RAM: there was already a 512 MB module in it, and I've now put a 1 GB module in the second slot... so far so good, the laptop runs faster... but I wonder whether the virus, or whatever it was, could have come from the RAM or something, because before that I never had any problems with viruses etc.... well, just a guess, possibly complete nonsense in your expert eyes.
20.09.2008, 12:31
Honorary member
Posts: 6028
#23
At present one in a thousand websites is infected,
so the chance of your computer getting infected keeps growing. And on top of that there are the P2P networks, where you can also get infected.
__________
Regards, Argus
20.09.2008, 14:03
Member
Posts: 50
#24
@arnold,
OK, I managed it... this is what came out when the file was analysed:

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.9.19.2 2008.09.19 -
AntiVir 7.8.1.34 2008.09.19 -
Authentium 5.1.0.4 2008.09.19 -
Avast 4.8.1195.0 2008.09.19 -
AVG 8.0.0.161 2008.09.19 -
BitDefender 7.2 2008.09.19 -
CAT-QuickHeal 9.50 2008.09.20 -
ClamAV 0.93.1 2008.09.19 -
DrWeb 4.44.0.09170 2008.09.20 -
eSafe 7.0.17.0 2008.09.18 -
eTrust-Vet 31.6.6095 2008.09.19 -
Ewido 4.0 2008.09.19 -
F-Prot 4.4.4.56 2008.09.19 -
F-Secure 8.0.14332.0 2008.09.20 Type_Win32
Fortinet 3.113.0.0 2008.09.20 -
GData 19 2008.09.20 -
Ikarus T3.1.1.34.0 2008.09.19 -
K7AntiVirus 7.10.464 2008.09.19 -
Kaspersky 7.0.0.125 2008.09.20 Type_Win32
McAfee 5388 2008.09.19 New Win32
Microsoft 1.3903 2008.09.20 Trojan:Win32/Anomaly.gen!D
NOD32v2 3457 2008.09.19 -
Norman 5.80.02 2008.09.19 -
Panda 9.0.0.4 2008.09.19 -
PCTools 4.4.2.0 2008.09.19 -
Prevx1 V2 2008.09.20 Suspicious
Rising 20.62.52.00 2008.09.20 -
Sophos 4.33.0 2008.09.20 Sus/UnkPacker
Sunbelt 3.1.1651.1 2008.09.19 -
Symantec 10 2008.09.19 -
TheHacker 6.3.0.9.089 2008.09.20 -
TrendMicro 8.700.0.1004 2008.09.20 Possible_Virut-3
VBA32 3.12.8.5 2008.09.19 suspected of Virus.Win32.Virut.1
ViRobot 2008.9.20.1385 2008.09.20 -
VirusBuster 4.5.11.0 2008.09.19 -
Webwasher-Gateway 6.6.2 2008.09.19 Virus.Win32.FileInfector.gen (suspicious)

weitere Informationen
File size: 180291 bytes
MD5...: 0aaf9be8d73679b7c265489038e2db6c
SHA1..: 232a0246cc37209fc534a35ffe2b8f5473b5e230
SHA256: 8c04d7527c2a4bceb9d1e88ba6721f11860a9941b270bdab4e4630e1d6cbf864
SHA512: bd8645c181c43ca2e2967f842f8ac190e7fefaf5e1cceaf9ad5cd75acd85efcf 546335fad6707a3c9c9182afdad5d595867f2e12028daaba7e6d01670f2503e7
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x42e000
timedatestamp.....: 0x4236b06d (Tue Mar 15 09:52:45 2005)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1cd5a 0x1d000 6.61 f333c922391cf692b6fc195a5bcf3f9b
.rdata 0x1e000 0x54d3 0x6000 4.62 3e8e5ee924a53499dc64dbfc8258c165
.data 0x24000 0x8cbc 0x5000 2.95 40b2356d6df20d2e82ac79c31d0c3c34
.rsrc 0x2d000 0x8000 0x3000 5.88 70e7d7f713caf4b6abd2a23cda4ee80d
( 7 imports )
> WSOCK32.dll: -, -, -
> KERNEL32.dll: GetOEMCP, GetCurrentProcess, WriteFile, FlushFileBuffers, SetFilePointer, GetFileAttributesA, RtlUnwind, CreateThread, ExitThread, GetTimeZoneInformation, GetSystemTime, GetLocalTime, GetStartupInfoA, GetCommandLineA, GetCPInfo, GlobalFindAtomA, HeapSize, HeapReAlloc, GetACP, UnhandledExceptionFilter, LCMapStringA, LCMapStringW, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, GetStringTypeA, GetStringTypeW, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, GetProcessVersion, GlobalFlags, TlsGetValue, ResumeThread, GlobalAlloc, LocalReAlloc, TlsSetValue, GlobalReAlloc, GlobalLock, GlobalFree, GlobalHandle, GlobalUnlock, SetLastError, TlsAlloc, lstrcpynA, GlobalAddAtomA, GetCurrentThreadId, GlobalGetAtomNameA, ExitProcess, HeapAlloc, GlobalDeleteAtom, InterlockedExchange, LeaveCriticalSection, lstrcmpA, MultiByteToWideChar, WideCharToMultiByte, InterlockedDecrement, InterlockedIncrement, WaitForMultipleObjects, lstrlenA, FreeLibrary, LocalAlloc, LocalFree, GetModuleFileNameA, TerminateProcess, MoveFileExA, GetVersion, VirtualAlloc, DeleteFileA, GetTickCount, GetPrivateProfileIntA, CopyFileA, CreateProcessA, Sleep, GetVersionExA, GetComputerNameA, GetTempPathA, GetTempFileNameA, DeleteCriticalSection, CreateEventA, InitializeCriticalSection, GetCurrentDirectoryA, lstrcmpiA, OpenFile, FindFirstFileA, FindNextFileA,
FindClose, EnterCriticalSection, _lclose, RaiseException, HeapFree, SetEvent, GetProcAddress, LoadLibraryA, GetCurrentProcessId, lstrcatA, lstrcpyA, WriteProcessMemory, ReadProcessMemory, CloseHandle, OpenProcess, GetExitCodeThread, WaitForSingleObject, GetModuleHandleA, CreateMutexA, GetLastError, GetSystemDirectoryA, ResetEvent > USER32.dll: LoadStringA, GetNextDlgTabItem, EnableMenuItem, CheckMenuItem, SetMenuItemBitmaps, ModifyMenuA, GetMenuState, LoadBitmapA, GetMenuCheckMarkDimensions, SetWindowTextA, IsWindowEnabled, GetClassNameA, PtInRect, ClientToScreen, GetSysColorBrush, ReleaseDC, GetDC, DestroyMenu, TabbedTextOutA, DrawTextA, GrayStringA, GetTopWindow, MessageBoxA, GetSysColor, MapWindowPoints, WinHelpA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetDlgItem, GetWindowTextA, GetDlgCtrlID, GetKeyState, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, CallWindowProcA, RemovePropA, GetMessageTime, PeekMessageA, GetLastActivePopup, GetForegroundWindow, SetForegroundWindow, GetWindow, SetWindowPos, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, GetSystemMetrics, SendMessageA, PostMessageA, FindWindowA, KillTimer, DestroyWindow, SetTimer, PostQuitMessage, DefWindowProcA, CreateWindowExA, ShowWindow, UpdateWindow, LoadIconA, LoadCursorA, RegisterClassExA, GetMessageA, DispatchMessageA, TranslateMessage, RegisterWindowMessageA, GetFocus, SetFocus, AdjustWindowRectEx, GetClientRect, CopyRect, EnableWindow, GetParent, GetCapture, GetPropA, SetWindowLongA, GetWindowLongA, GetMessagePos > GDI32.dll: GetClipBox, SetTextColor, SetBkColor, GetObjectA, CreateBitmap, DeleteObject, GetDeviceCaps, DeleteDC, SaveDC, RestoreDC, SelectObject, GetStockObject, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, PtVisible, RectVisible, ExtTextOutA, Escape, TextOutA > WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, 
ClosePrinter > ADVAPI32.dll: CreateServiceA, QueryServiceStatus, DeleteService, RegCreateKeyExA, StartServiceA, OpenSCManagerA, OpenServiceA, CloseServiceHandle, QueryServiceConfigA, RegDeleteValueA, RegSetValueExA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegNotifyChangeKeyValue > COMCTL32.dll: - ( 59 exports ) __0TmProcessGuard@@QAE@KHH@Z, __0TmProcessGuard@@QAE@PBD0HH@Z, __0TmProcessGuard@@QAE@XZ, __0TmServiceGuard@@QAE@PBD00HH@Z, __0TmServiceGuard@@QAE@PBDKHH@Z, __0TmServiceGuard@@QAE@XZ, __1TmProcessGuard@@UAE@XZ, __1TmServiceGuard@@UAE@XZ, __4TmProcessGuard@@QAEXAAV0@@Z, __4TmServiceGuard@@QAEXAAV0@@Z, ___7TmProcessGuard@@6B@, ___7TmServiceGuard@@6B@, _BackupService@TmServiceGuard@@IAEXXZ, _CheckProcess@TmProcessGuard@@QAE_NAAVCStringArray@@@Z, _GetGuardInfo@TmProcessGuard@@QBEXAAKAAVCString@@1AAH2@Z, _IsIPChanged@@YA_NPBDPADH@Z, _IsMonitor@TmProcessGuard@@IBE_NXZ, _IsNTPlatform@@YA_NXZ, _IsProcessAlive@TmProcessGuard@@MAE_NXZ, _IsProcessAlive@TmServiceGuard@@MAE_NXZ, _IsRetryNow@TmProcessGuard@@IBE_NXZ, _IsTheSame@TmProcessGuard@@QBE_NABVCString@@0@Z, _IsTheSame@TmProcessGuard@@QBE_NK@Z, _IsTheSame@TmProcessGuard@@QBE_NPBV1@@Z, _IsValidProcess@TmProcessGuard@@QBE_NXZ, _QueryAllLog@TmProcessGuard@@QBEXAAVCStringArray@@@Z, _RegWatchDog_Ofc@@YA_NXZ, _RegWatchDog_Ofc_95@@YA_NXZ, _RegWatchDog_Ofc_NTRT@@YA_NXZ, _RegWatchDog_Ofc_OFCPFWSVC@@YA_NXZ, _RegWatchDog_Ofc_PCCNTMON@@YA_NXZ, _RegWatchDog_Ofc_TMLISTEN@@YA_NXZ, _ResetMonitor@TmProcessGuard@@IAEXXZ, _ResetRetryCount@TmProcessGuard@@QAEXXZ, _ResetRetryTick@TmProcessGuard@@QAEXXZ, _ResetRetryVar@TmProcessGuard@@QAEXXZ, _RetryWakeupProcess@TmProcessGuard@@MAE_NXZ, _RetryWakeupProcess@TmServiceGuard@@MAE_NXZ, _SetMonitor@TmProcessGuard@@IAEXXZ, _SetProcessID@TmProcessGuard@@QAEXK@Z, _SetRetryCountLimit@TmProcessGuard@@QAEXH@Z, _SetRetryTickLimit@TmProcessGuard@@QAEXH@Z, _StepMonitor@TmProcessGuard@@IAEXXZ, _StepRetry@TmProcessGuard@@IAEXXZ, 
_UnRegWatchDog_Ofc@@YA_NXZ, _UnRegWatchDog_Ofc_95@@YA_NXZ, _UnRegWatchDog_Ofc_NTRT@@YA_NXZ, _UnRegWatchDog_Ofc_OFCPFWSVC@@YA_NXZ, _UnRegWatchDog_Ofc_PCCNTMON@@YA_NXZ, _UnRegWatchDog_Ofc_TMLISTEN@@YA_NXZ, C_IsIPChanged, C_RegWatchDog_Ofc, C_RegWatchDog_Ofc_OFCPFWSVC, C_RegWatchDog_Ofc_PCCNTMON, C_RegWatchDog_Ofc_TMLISTEN, C_UnRegWatchDog_Ofc, C_UnRegWatchDog_Ofc_OFCPFWSVC, C_UnRegWatchDog_Ofc_PCCNTMON, C_UnRegWatchDog_Ofc_TMLISTEN
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=83104D1D43862764C02502C7321A4D003610DDB2

OK, I already downloaded Malwarebytes yesterday and already had it scan and remove 53 objects... but I'll do it again now, and update it properly beforehand. Regarding your last reply about the infected sites... sorry, but I understand nothing about this; what are P2P networks??? Ahhh, I hope to be virus-free again soon and finally safe afterwards.
This post was edited on 20.09.2008 at 14:32 by debbbbbbi.
20.09.2008, 14:32
Honorary member
Posts: 6028
#25
Post the MBAM log.
And how many virus scanners are actually on your computer? There should be only one.
__________
Regards, Argus
20.09.2008, 14:41
Member
Posts: 50
#26
Hi, so Malwarebytes found no infected files;
this is the logfile:

Malwarebytes' Anti-Malware 1.28
Datenbank Version: 1180
Windows 5.1.2600 Service Pack 2

20.10.2008 14:38:28
mbam-log-2008-10-20 (14-38-28).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 46438
Laufzeit: 8 minute(s), 22 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Should I run the full scan now as well? I now have HijackThis, Malwarebytes, Ad-Aware, and the two versions of AntiVir that don't work.
Regards & thank you
20.09.2008, 14:47
Honorary member
Posts: 6028
#27
Besides AntiVir I also see ClamWin and OfficeScan from Trend Micro.
Start Malwarebytes' Anti-Malware, choose the "More Tools" tab, click "Run Tool" under FileASSASSIN, browse to C:\WINDOWS\TEMP\RO7529.EXE and click OK. C:\WINDOWS\TEMP\RO7529.EXE will now be permanently removed.

ComboFix (by sUBs)
Download ComboFix and save it to the desktop!
Close all windows and start combofix.exe.
Follow the instructions in the window.
While ComboFix is running, do NOT click in the window, otherwise your computer will freeze.
When the tool is finished, a logfile opens (C:\combofix.txt); copy the COMPLETE log with a right-click and "paste" it into the forum with a right-click.
If your virus scanner complains, ignore it!
Together with a new HijackThis log.
__________
Regards, Argus
20.09.2008, 15:04
Member
Posts: 50
#28
OK, right, those are still on there too, so as I said, plenty... which ones are really needed?
Here is the ComboFix logfile:

ComboFix 08-09-19.09 - RAK 2008-10-20 14:57:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.45.1033.18.1103 [GMT 2:00]
Running from: C:\Documents and Settings\RAK\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\info.bat
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\info.txt
.
((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
.
2008-10-20 11:39 . 2008-10-20 11:39 <DIR> d-------- C:\Program Files\CCleaner
2008-10-19 21:58 . 2008-10-19 21:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-19 21:58 . 2008-10-19 21:58 <DIR> d-------- C:\Documents and Settings\RAK\Application Data\Malwarebytes
2008-10-19 21:58 . 2008-10-19 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-19 21:58 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-19 21:58 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-19 20:22 . 2008-10-19 20:22 <DIR> d-------- C:\Documents and Settings\RAK\Application Data\.clamwin
2008-10-19 20:21 . 2008-10-19 20:21 <DIR> d-------- C:\Program Files\ClamWin
2008-10-19 20:21 . 2008-10-19 20:21 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-10-19 19:11 . 2008-10-19 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-19 19:09 . 2008-10-19 19:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-19 18:23 . 2008-10-19 18:23 <DIR> d-------- C:\WINDOWS\system32\sog1
2008-10-19 18:23 . 2008-10-19 19:45 <DIR> d-------- C:\WINDOWS\system32\nysl
2008-10-19 18:23 . 2008-10-19 18:23 <DIR> d-------- C:\WINDOWS\system32\kbe
2008-10-19 18:23 . 2008-10-19 18:23 <DIR> d-------- C:\WINDOWS\system32\901
2008-10-19 18:23 . 2008-10-19 18:23 <DIR> d-------- C:\Temp\mtc2
2008-10-19 18:23 . 2008-10-20 14:58 <DIR> d-------- C:\Temp\1cb
2008-10-17 23:14 . 2008-10-17 23:14 268 --ah----- C:\sqmdata01.sqm
2008-10-17 23:14 . 2008-10-17 23:14 244 --ah----- C:\sqmnoopt01.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 09:50 --------- d-----w C:\Program Files\Trend Micro
2008-10-19 18:03 --------- d-----w C:\Program Files\Spyware Doctor
2008-10-19 17:11 --------- d-----w C:\Program Files\Lavasoft
2008-09-12 19:35 --------- d-----w C:\Documents and Settings\RAK\Application Data\Skype
2008-09-12 14:09 --------- d-----w C:\Documents and Settings\RAK\Application Data\skypePM
2008-09-12 12:29 --------- d-----w C:\Documents and Settings\RAK\Application Data\MSNInstaller
2008-09-12 12:11 --------- d-----w C:\Program Files\Windows Live
2008-09-12 12:10 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-09-12 11:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-12 11:34 --------- d-----w C:\Program Files\Skype
2008-09-12 11:34 --------- d-----w C:\Program Files\Common Files\Skype
2008-09-12 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-09-12 10:57 --------- d-----w C:\Program Files\iTunes
2008-09-12 10:57 --------- d-----w C:\Program Files\iPod
2008-09-12 10:57 --------- d-----w C:\Documents and Settings\RAK\Application Data\Apple Computer
2008-09-12 10:56 --------- d-----w C:\Program Files\QuickTime
2008-09-12 10:56 --------- d-----w C:\Program Files\Bonjour
2008-09-12 10:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-12 10:55 --------- d-----w C:\Program Files\Apple Software Update
2008-09-12 10:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-09-12 10:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-09 14:41 --------- d-----w C:\Program Files\ICQ6
2008-09-09 14:41 --------- d-----w C:\Documents and Settings\RAK\Application Data\ICQ
2008-09-09 14:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-09 14:35 --------- d-----w C:\Documents and Settings\RAK\Application Data\vlc
2008-09-09 14:34 --------- d-----w C:\Program Files\VideoLAN
.
------- Sigcheck -------
2004-08-04 14:00 1039872 c7afa0d8c704de1ff569e08f5905eee0 C:\WINDOWS\explorer.exe
2008-04-14 02:12 1041408 c93ff630f758fd3fefc224e3f332eb86 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
2008-04-14 02:12 23040 6db539e61429a696826c1e2a67887892 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe
2004-08-04 14:00 23040 c77a29024309359026e1bde524ed273d C:\WINDOWS\system32\ctfmon.exe
2005-06-11 02:17 65536 8624ff86c4fc8664b7ab56f1677787a2 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 14:00 65536 65e752cc224a5b13b1e6c8abe529219c C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-14 02:12 65536 73e9d073cbcc08b39623b547fa7f8a9c C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe
2005-06-11 01:53 65536 8aa12067537d7cf4b6102b8822f9ed8a C:\WINDOWS\system32\spoolsv.exe
2008-04-14 02:12 33792 425ec2431f7a6f35a49ae5573d234933 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
2004-08-04 14:00 32256 95ae3572f48fce4e1697d18b4c59ec0a C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ"="C:\PROGRA~1\ICQ6\ICQ.exe" [2008-08-24 173304]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23040]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-03-15 344064]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-09-05 94208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 14:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 04:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2004-08-04 14:00 30208 C:\WINDOWS\system32\tpgwlnot.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader - Schnellstart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^RAK^Start Menu^Programs^Startup^Hurtig start af Microsoft Office OneNote 2003.lnk]
path=C:\Documents and Settings\RAK\Start Menu\Programs\Startup\Hurtig start af Microsoft Office OneNote 2003.lnk
backup=C:\WINDOWS\pss\Hurtig start af Microsoft Office OneNote 2003.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
--a------ 2004-08-23 09:55 262144 C:\WINDOWS\system32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2003-07-17 18:38 167936 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2007-03-01 11:24 270376 C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CrossMenu]
--a------ 2004-03-09 15:18 806912 C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 14:00 23040 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-04-15 16:05 4866048 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
--a------ 2005-03-15 17:55 344064 C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2003-12-16 12:11 126976 C:\Program Files\Toshiba\TOSHIBA-zoomfunktion\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2004-08-06 09:27 868352 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-04-01 11:52 1376256 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TabletTip]
--a------ 2004-08-04 14:00 279552 C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TAcelMgr]
--a------ 2004-08-26 11:54 94208 C:\Program Files\Toshiba\Accelerationsværktøjer\TAcelMgr\TAcelMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TapButt]
--a------ 2004-03-09 15:21 184320 C:\Program Files\Toshiba\TapButton\TapButt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TAudEffect]
--a------ 2004-03-08 12:22 278592 C:\Program Files\Toshiba\TAudEffect\TAudEff.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMERzCtl.EXE]
--a------ 2004-08-19 17:18 94208 C:\Program Files\Toshiba\TME3\TMERzCtl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMESRV.EXE]
--a------ 2004-04-13 12:58 135168 C:\Program Files\Toshiba\TME3\TMESRV31.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
--a------ 2002-09-09 16:07 57344 C:\Program Files\Toshiba\Wireless Hotkey\TosHKCW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosRotation]
--a------ 2004-03-05 11:45 77824 C:\Program Files\Toshiba\TOSHIBA Rotationshjælpeprogram\TRot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-03-11 14:50 131072 C:\Program Files\Toshiba\TouchED\TouchED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSkrMain]
--a------ 2004-08-26 11:55 53248 C:\Program Files\Toshiba\Accelerationsværktøjer\Shaker\TSkrMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
--a------ 2001-06-23 21:28 32768 C:\WINDOWS\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-02-20 16:00 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 14:00 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-04-15 16:05 331776 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2003-12-02 15:15 81920 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
--a------ 2004-06-28 14:42 274432 C:\WINDOWS\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:Radmin
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-04-05 81200]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 5888]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;C:\WINDOWS\system32\DRIVERS\TBtnKey.sys [2002-09-12 8832]
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2004-02-04 30720]
R3 TMicAry;Toshiba Audio Effect with MicArray;C:\WINDOWS\system32\DRIVERS\TMicAry.sys [2004-02-04 138240]
R3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys [2004-08-04 13568]
S2 MsaSvc;Microsoft authenticate service;C:\WINDOWS\system32\msasvc.exe [ ]
S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 23180]
S3 TS154_CB;T-Sinus 154card Driver;C:\WINDOWS\system32\DRIVERS\TS154ICB.sys [ ]
S3 w32n5223;w32n5223 Protocol Driver;C:\PROGRA~1\T-COM\T-COMW~1\INSTAL~1\WINXP\w32n5223.SYS [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8784980-66f7-11dd-845e-000e7b32456b}]
\Shell\AutoRun\command - D:\SETUP.EXE /AUTORUN
\Shell\configure\command - D:\SETUP.EXE
\Shell\install\command - D:\SETUP.EXE

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-TabletWizard - C:\WINDOWS\help\wizard.hta
HKU-Default-Run-Spyware Doctor - C:\Program Files\Spyware Doctor\swdoctor.exe
MSConfigStartUp-Spyware Doctor - C:\Program Files\Spyware Doctor\swdoctor.exe
MSConfigStartUp-TabletWizard - C:\WINDOWS\help\SplshWrp.exe
MSConfigStartUp-NDSTray - NDSTray.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\RAK\Application Data\Mozilla\Firefox\Profiles\5ghayvx5.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPJPI142_05.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPOJI610.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 14:59:34
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-20 15:01:33
ComboFix-quarantined-files.txt 2008-10-20 13:01:28
Pre-Run: 46.677.729.280 bytes free
Post-Run: 46,994,087,936 bytes free
233 --- E O F --- 2008-10-19 21:23:10

HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:05:22, on 20.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\PROGRA~1\ICQ6\ICQ.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\SWEA47.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows 
Live\Messenger\MsnMsgr.Exe" /background O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETVÆRKSTJENESTE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} 
(MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169464580803 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing) O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. 
- C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe -- End of file - 7336 bytes |
20.09.2008, 15:08
Member
Posts: 3716
#29
Go to Start > Run and type combofix /u. Then download ComboFix again and run it, then Malwarebytes, then HijackThis.
20.09.2008, 15:14
Member
Posts: 50
#30
By "download" do you mean download it again from scratch? For now I just clicked Run and let it run again...
This is what came out:

ComboFix 08-09-19.09 - RAK 2008-10-20 15:11:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.45.1033.18.1081 [GMT 2:00]
Running from: C:\Documents and Settings\RAK\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\1cb
.
((((((((((((((((((((((((( Files Created from 2008-09-20 to 2008-10-20 )))))))))))))))))))))))))))))))
.
2008-10-20 11:39 . 2008-10-20 11:39 <DIR> d-------- C:\Program Files\CCleaner
2008-10-19 21:58 . 2008-10-19 21:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-19 21:58 . 2008-10-19 21:58 <DIR> d-------- C:\Documents and Settings\RAK\Application Data\Malwarebytes
2008-10-19 21:58 . 2008-10-19 21:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-19 21:58 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-19 21:58 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-19 20:22 . 2008-10-19 20:22 <DIR> d-------- C:\Documents and Settings\RAK\Application Data\.clamwin
2008-10-19 20:21 . 2008-10-19 20:21 <DIR> d-------- C:\Program Files\ClamWin
2008-10-19 20:21 . 2008-10-19 20:21 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-10-19 19:11 . 2008-10-19 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-19 19:09 . 2008-10-19 19:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-19 18:23 . 2008-10-19 18:23 <DIR> d-------- C:\WINDOWS\system32\sog1
2008-10-19 18:23 . 2008-10-19 19:45 <DIR> d-------- C:\WINDOWS\system32\nysl
2008-10-19 18:23 . 2008-10-19 18:23 <DIR> d-------- C:\WINDOWS\system32\kbe
2008-10-19 18:23 . 2008-10-19 18:23 <DIR> d-------- C:\WINDOWS\system32\901
2008-10-19 18:23 . 2008-10-19 18:23 <DIR> d-------- C:\Temp\mtc2
2008-10-17 23:14 . 2008-10-17 23:14 268 --ah----- C:\sqmdata01.sqm
2008-10-17 23:14 . 2008-10-17 23:14 244 --ah----- C:\sqmnoopt01.sqm
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 09:50 --------- d-----w C:\Program Files\Trend Micro
2008-10-19 18:03 --------- d-----w C:\Program Files\Spyware Doctor
2008-10-19 17:11 --------- d-----w C:\Program Files\Lavasoft
2008-09-12 19:35 --------- d-----w C:\Documents and Settings\RAK\Application Data\Skype
2008-09-12 14:09 --------- d-----w C:\Documents and Settings\RAK\Application Data\skypePM
2008-09-12 12:29 --------- d-----w C:\Documents and Settings\RAK\Application Data\MSNInstaller
2008-09-12 12:11 --------- d-----w C:\Program Files\Windows Live
2008-09-12 12:10 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-09-12 11:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-09-12 11:34 --------- d-----w C:\Program Files\Skype
2008-09-12 11:34 --------- d-----w C:\Program Files\Common Files\Skype
2008-09-12 11:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-09-12 10:57 --------- d-----w C:\Program Files\iTunes
2008-09-12 10:57 --------- d-----w C:\Program Files\iPod
2008-09-12 10:57 --------- d-----w C:\Documents and Settings\RAK\Application Data\Apple Computer
2008-09-12 10:56 --------- d-----w C:\Program Files\QuickTime
2008-09-12 10:56 --------- d-----w C:\Program Files\Bonjour
2008-09-12 10:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-12 10:55 --------- d-----w C:\Program Files\Apple Software Update
2008-09-12 10:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-09-12 10:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-09 14:41 --------- d-----w C:\Program Files\ICQ6
2008-09-09 14:41 --------- d-----w C:\Documents and Settings\RAK\Application Data\ICQ
2008-09-09 14:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-09 14:35 --------- d-----w C:\Documents and Settings\RAK\Application Data\vlc
2008-09-09 14:34 --------- d-----w C:\Program Files\VideoLAN
.
------- Sigcheck -------

2004-08-04 14:00 1039872 c7afa0d8c704de1ff569e08f5905eee0 C:\WINDOWS\explorer.exe
2008-04-14 02:12 1041408 c93ff630f758fd3fefc224e3f332eb86 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe

2008-04-14 02:12 23040 6db539e61429a696826c1e2a67887892 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe
2004-08-04 14:00 23040 c77a29024309359026e1bde524ed273d C:\WINDOWS\system32\ctfmon.exe

2005-06-11 02:17 65536 8624ff86c4fc8664b7ab56f1677787a2 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 14:00 65536 65e752cc224a5b13b1e6c8abe529219c C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-14 02:12 65536 73e9d073cbcc08b39623b547fa7f8a9c C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe
2005-06-11 01:53 65536 8aa12067537d7cf4b6102b8822f9ed8a C:\WINDOWS\system32\spoolsv.exe

2008-04-14 02:12 33792 425ec2431f7a6f35a49ae5573d234933 C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\userinit.exe
2004-08-04 14:00 32256 95ae3572f48fce4e1697d18b4c59ec0a C:\WINDOWS\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ"="C:\PROGRA~1\ICQ6\ICQ.exe" [2008-08-24 173304]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23040]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-03-15 344064]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-09-05 94208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 23040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 14:00 47104 C:\Program Files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 04:41 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2004-08-04 14:00 30208 C:\WINDOWS\system32\tpgwlnot.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader - Schnellstart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^RAK^Start Menu^Programs^Startup^Hurtig start af Microsoft Office OneNote 2003.lnk]
path=C:\Documents and Settings\RAK\Start Menu\Programs\Startup\Hurtig start af Microsoft Office OneNote 2003.lnk
backup=C:\WINDOWS\pss\Hurtig start af Microsoft Office OneNote 2003.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
--a------ 2004-08-23 09:55 262144 C:\WINDOWS\system32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2003-07-17 18:38 167936 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2007-03-01 11:24 270376 C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CrossMenu]
--a------ 2004-03-09 15:18 806912 C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 14:00 23040 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-04-15 16:05 4866048 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
--a------ 2005-03-15 17:55 344064 C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2003-12-16 12:11 126976 C:\Program Files\Toshiba\TOSHIBA-zoomfunktion\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2004-08-06 09:27 868352 C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-04-01 11:52 1376256 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TabletTip]
--a------ 2004-08-04 14:00 279552 C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TAcelMgr]
--a------ 2004-08-26 11:54 94208 C:\Program Files\Toshiba\Accelerationsværktøjer\TAcelMgr\TAcelMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TapButt]
--a------ 2004-03-09 15:21 184320 C:\Program Files\Toshiba\TapButton\TapButt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TAudEffect]
--a------ 2004-03-08 12:22 278592 C:\Program Files\Toshiba\TAudEffect\TAudEff.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMERzCtl.EXE]
--a------ 2004-08-19 17:18 94208 C:\Program Files\Toshiba\TME3\TMERzCtl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMESRV.EXE]
--a------ 2004-04-13 12:58 135168 C:\Program Files\Toshiba\TME3\TMESRV31.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosHKCW.exe]
--a------ 2002-09-09 16:07 57344 C:\Program Files\Toshiba\Wireless Hotkey\TosHKCW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosRotation]
--a------ 2004-03-05 11:45 77824 C:\Program Files\Toshiba\TOSHIBA Rotationshjælpeprogram\TRot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2003-03-11 14:50 131072 C:\Program Files\Toshiba\TouchED\TouchED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TSkrMain]
--a------ 2004-08-26 11:55 53248 C:\Program Files\Toshiba\Accelerationsværktøjer\Shaker\TSkrMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
--a------ 2001-06-23 21:28 32768 C:\WINDOWS\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-02-20 16:00 88363 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 14:00 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-04-15 16:05 331776 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2003-12-02 15:15 81920 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
--a------ 2004-06-28 14:42 274432 C:\WINDOWS\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:Radmin
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-04-05 81200]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 5888]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;C:\WINDOWS\system32\DRIVERS\TBtnKey.sys [2002-09-12 8832]
R3 TEchoCan;Toshiba Audio Effect;C:\WINDOWS\system32\DRIVERS\TEchoCan.sys [2004-02-04 30720]
R3 TMicAry;Toshiba Audio Effect with MicArray;C:\WINDOWS\system32\DRIVERS\TMicAry.sys [2004-02-04 138240]
R3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys [2004-08-04 13568]
S2 MsaSvc;Microsoft authenticate service;C:\WINDOWS\system32\msasvc.exe [ ]
S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 23180]
S3 TS154_CB;T-Sinus 154card Driver;C:\WINDOWS\system32\DRIVERS\TS154ICB.sys [ ]
S3 w32n5223;w32n5223 Protocol Driver;C:\PROGRA~1\T-COM\T-COMW~1\INSTAL~1\WINXP\w32n5223.SYS [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8784980-66f7-11dd-845e-000e7b32456b}]
\Shell\AutoRun\command - D:\SETUP.EXE /AUTORUN
\Shell\configure\command - D:\SETUP.EXE
\Shell\install\command - D:\SETUP.EXE

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\RAK\Application Data\Mozilla\Firefox\Profiles\5ghayvx5.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPJPI142_05.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_05\bin\NPOJI610.dll
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 15:11:28
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-20 15:12:42
ComboFix-quarantined-files.txt 2008-10-20 13:12:31
ComboFix2.txt 2008-10-20 13:01:34

Pre-Run: 47.058.489.344 bytes free
Post-Run: 47,041,994,752 bytes free

224 --- E O F --- 2008-10-19 21:23:10

Malwarebytes found two files; I removed them and then restarted the PC. This is the log file:

Malwarebytes' Anti-Malware 1.28
Datenbank Version: 1180
Windows 5.1.2600 Service Pack 2

20.10.2008 15:48:55
mbam-log-2008-10-20 (15-48-55).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 91442
Laufzeit: 34 minute(s), 2 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 2

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\System Volume Information\_restore{9767A1A3-9CC5-4270-9776-7A195A503763}\RP1\A0001403.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9767A1A3-9CC5-4270-9776-7A195A503763}\RP1\A0001457.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Hijackthis logfile: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:54:41, on 20.10.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\SYSTEM32\WISPTIS.EXE C:\WINDOWS\System32\tabbtnu.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\ClamWin\bin\ClamTray.exe C:\PROGRA~1\ICQ6\ICQ.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\TEMP\MODD5A.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'NETVÆRKSTJENESTE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program 
Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169464580803 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir 
PersonalEdition Classic\avguard.exe O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing) O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe -- End of file - 7435 bytes dankeschöön&grüsse schade dass niemand mehr antwortet gerade...oder heisst das ich bin jetzt alle vieren los? jedenfalls wollte ich mich schonmal für die viele Hilfe bedanken. aber ich brauch eure hilfe glaube ich nochmal ich hab nämlich glaube ich ein neues problem...denn ich bekomme jetzt die ganze zeit ne windows meldung von einer sogenannten sched.exe datei ....und ob ich das problem senden will....und jetzt hat sich schon zwiemal mein pc einfach so ausgeschaltet.......HILFEEEEEEEEE!!!! 
I had this sched.exe file (it was under c:/program files/antivr personaledition classic) analysed at www.virustotal.com, this is what came out:

Antivirus Version Last update Result
AhnLab-V3 2008.9.19.2 2008.09.19 -
AntiVir 7.8.1.34 2008.09.19 -
Authentium 5.1.0.4 2008.09.20 -
Avast 4.8.1195.0 2008.09.19 -
AVG 8.0.0.161 2008.09.20 -
BitDefender 7.2 2008.09.20 -
CAT-QuickHeal 9.50 2008.09.20 -
ClamAV 0.93.1 2008.09.20 -
DrWeb 4.44.0.09170 2008.09.20 -
eSafe 7.0.17.0 2008.09.18 -
eTrust-Vet 31.6.6096 2008.09.20 -
Ewido 4.0 2008.09.20 -
F-Prot 4.4.4.56 2008.09.19 -
F-Secure 8.0.14332.0 2008.09.20 Type_Win32
Fortinet 3.113.0.0 2008.09.20 -
GData 19 2008.09.20 -
Ikarus T3.1.1.34.0 2008.09.19 -
K7AntiVirus 7.10.466 2008.09.20 -
Kaspersky 7.0.0.125 2008.09.20 Type_Win32
McAfee 5388 2008.09.19 New Win32
Microsoft 1.3903 2008.09.20 Trojan:Win32/Anomaly.gen!D
NOD32v2 3457 2008.09.19 -
Norman 5.80.02 2008.09.19 -
Panda 9.0.0.4 2008.09.20 Suspicious file
PCTools 4.4.2.0 2008.09.20 -
Prevx1 V2 2008.09.20 -
Rising 20.62.52.00 2008.09.20 -
Sophos 4.33.0 2008.09.20 -
Sunbelt 3.1.1653.1 2008.09.20 -
Symantec 10 2008.09.20 W32.Virut!gen
TheHacker 6.3.0.9.089 2008.09.20 -
TrendMicro 8.700.0.1004 2008.09.20 Possible_Virut-3
VBA32 3.12.8.5 2008.09.20 -
ViRobot 2008.9.20.1385 2008.09.20 -
VirusBuster 4.5.11.0 2008.09.19 -
Webwasher-Gateway 6.6.2 2008.07.21 Virus.Win32.FileInfector.gen (suspicious)

Additional information
File size: 55336 bytes
MD5...: ebdcb1180b8d446800e858fa236b85d7
SHA1..: 4267ec31e247dc5938edac934039826db4b14f56
SHA256: 20a4758544e771b6e22d21285a37174ef57d90be8bbf21edd8b7e126ed506e4b
SHA512: 1c0cbdbdc882fcbaa882f5478582955e1c27bdc13d991b9b4e2e708438c41de6 1a810e40abb2ca5e67bffd75a07e7335d7e505d2a67613a923914da32fadd489
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information ( base data )
Does that help you at all??? Greetings and thanks in advance

Uh oh, I think I've got a real problem now.. on top of the above, there is now also a message about a 43repinS.exe.... and Internet Explorer keeps opening pages by itself all the time, even though Mozilla is my default browser...... what can I do???

This post was edited on 20.09.2008 at 18:22 by debbbbbbi.
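An added example, not from this thread or from any of the tools mentioned in it: a small Python triage script that parses the O23 service lines of a HijackThis log like the one posted above and flags the entries a helper would look at first. The four sample lines are copied from that log; the three heuristics (no vendor information, binary not on disk, display name claims Microsoft but the vendor does not) are the usual first-pass checks, not anything HijackThis itself does.

```python
# Constructed sample: four O23 (Windows service) lines copied from the HijackThis log above.
SAMPLE_LOG = """\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\\WINDOWS\\system32\\msasvc.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\\Program Files\\Trend Micro\\OfficeScan Client\\ntrtscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""
PREFIX = "O23 - Service: "
FILE_MISSING = " (file missing)"


def parse_o23(log_text):
    """Parse HijackThis O23 lines into dicts; every other line type is skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        # Layout: "O23 - Service: <display> (<name>) - <vendor> - <path>[ (file missing)]"
        parts = line[len(PREFIX):].rsplit(" - ", 2)
        if len(parts) != 3:
            continue  # malformed entry: skip rather than guess
        head, vendor, path = parts
        paren = head.find(" (")
        display, name = head[:paren], head[paren + 2:head.rfind(")")]
        missing = path.endswith(FILE_MISSING)
        entries.append({
            "display": display,
            "name": name,
            "vendor": vendor,
            "path": path[:-len(FILE_MISSING)] if missing else path,
            "file_missing": missing,
        })
    return entries


def triage_o23(entries):
    """Return {service name: [reasons]} for the entries worth a closer look."""
    findings = {}
    for e in entries:
        reasons = []
        if e["vendor"] == "Unknown owner":
            reasons.append("binary carries no vendor information")
        if e["file_missing"]:
            reasons.append("service is registered but its binary is not on disk")
        if "microsoft" in e["display"].lower() and "microsoft" not in e["vendor"].lower():
            reasons.append("display name claims Microsoft but the vendor does not")
        if reasons:
            findings[e["name"]] = reasons
    return findings
```

Running `triage_o23(parse_o23(SAMPLE_LOG))` on the sample flags only MsaSvc, with all three reasons, while the Lavasoft, Trend Micro and NVIDIA services pass.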
OTCleanIt
Download OTCleanIt by OldTimer to the desktop
Close all windows
Double-click: OTCleanIt.
Click: CleanUp
When asked "Do you want to reboot now?" click "Yes"
Your computer will be restarted
Vista users: right-click OTCleanIt.exe and choose "Run as an Administrator"
__________
Kind regards, Argus