Computer Hijacked....keine Admin Rechte mehr |
||
---|---|---|
#0
| ||
08.11.2008, 12:59
...neu hier
Beiträge: 2 |
||
|
||
08.11.2008, 14:25
Moderator
Beiträge: 5694 |
#2
Das sieht nicht gut aus. Ich würde Dir empfehlen das System neu aufzusetzen, und alle Passwörter zu ändern.
Ich denke nicht, dass eine Reinigung sinnvoll ist. Gruss Swiss |
|
|
||
08.11.2008, 20:54
...neu hier
Themenstarter Beiträge: 2 |
#3
Danke Swiss, ja das mache ich, ist mir zu gefährlich...hatte nicht so viele Passwörter oder heikle dokumente auf dem System, noch nicht....deshalb nicht so schlimm.....meine Doks konnte ich mit einer Disk Recover Utility noch speichern....
Das passiert mir so schnell nicht wieder. Gruss Anja Zitat Tonstudio postete |
|
|
||
09.11.2008, 10:22
Member
Beiträge: 3716 |
#4
hallo,
spiele unbedingt einen virenscanner auf nach dem du neu insaliert hast. danach spiele alle sicherheitsupdates von windows auf. Jeden 2 dienstag im monat kommen neue. und man sollte sie zeitnah instalieren, da einige sicherheitslücken sehr schnell verwendet werden. dein antivirenprogramm solltest du vor dem ersten gang ins internet aktualisieren, da jeden tag hunderte neue schädlinge rauskommen. auch solltest du den secunia software inspector 1 mal pro monat die software auf deinem pc aktualisieren lassen! http://secunia.com/vulnerability_scanning/personal/ und wichtig, nicht als admin sondern als eingeschrenkter nutzer surfen. das adminkonto nur für instalationen verwenden... |
|
|
||
Was kann ich sonst tun? vielen Dank.
Nera
Mein Log von Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:27 AM, on 11/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\TAMSvr.exe
C:\WINDOWS\system32\FpLogonServ.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\VMWareVPN\cvpnd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TrueSuite Access Manager\FpNotifier.exe
C:\Program Files\TrueSuite Access Manager\usbnotify.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TrueSuite Access Manager\PwdBank.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\Anja Kilian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Anja Kilian\Application Data\gadcom\gadcom.exe
E:\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: {c0143de6-53cf-6488-0054-5116d8907470} - {0747098d-6115-4500-8846-fc356ed3410c} - C:\WINDOWS\system32\kewukd.dll (file missing)
O2 - BHO: testCPV6 - {15421b84-3488-49a7-ad18-cbf84a3efaf6} - C:\Program Files\Webtools\webtools.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {a2359465-3a5e-4f8b-9b99-42c84a966228} - C:\WINDOWS\system32\geBqPGXp.dll (file missing)
O2 - BHO: (no name) - {c31c05b4-0a01-4dc2-8e5e-0315459f508e} - C:\WINDOWS\system32\vtUlJCUN.dll (file missing)
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TosAutLk] C:\Program Files\TOSHIBA\WirelessKeyLogon\TosAutLk.exe -s
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [FingerPrintNotifer] "C:\Program Files\TrueSuite Access Manager\FpNotifier.exe"
O4 - HKLM\..\Run: [UsbMonitor] "C:\Program Files\TrueSuite Access Manager\usbnotify.exe"
O4 - HKLM\..\Run: [PwdBank] "C:\Program Files\TrueSuite Access Manager\PwdBank.exe"
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\....\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\ Name geändert\svchost.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\..... \Application Data\gadcom\gadcom.exe" 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKUS\S-1-5-21-3287435372-1454363663-3216503010-1008\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User '?')
O4 - HKUS\S-1-5-21-3287435372-1454363663-3216503010-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3287435372-1454363663-3216503010-1008\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-3287435372-1454363663-3216503010-1008\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-21-3287435372-1454363663-3216503010-1008\..\Run: [Google Update] "C:\Documents and Settings\...\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-3287435372-1454363663-3216503010-1008\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User '?')
O4 - HKUS\S-1-5-21-3287435372-1454363663-3216503010-1008\..\Run: [winlogon] C:\Documents and Settings\......\svchost.exe (User '?')
O4 - HKUS\S-1-5-21-3287435372-1454363663-3216503010-1008\..\Run: [gadcom] "C:\Documents and Settings\.......\Application Data\gadcom\gadcom.exe" 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257 (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://vmware.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sslvpn.vmware.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: kewukd.dll
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\
O20 - Winlogon Notify: vtUlJCUN - vtUlJCUN.dll (file missing)
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Authentec memory manager service (Authentec memory manager) - Unknown owner - C:\WINDOWS\system32\TAMSvr.exe
O23 - Service: AVG Anti-Spyware Guard (avg anti-spyware guard) - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\VMWareVPN\cvpnd.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
--
End of file - 18031 bytes
und noch von einem Kaspersky Tool, dass ich online runterladen konnte mit einem anderen PC und gestern Abend einen Check gemacht habe...inkl. Quarantäne der infizieren Files:
<AVZ_CollectSysInfo>
--------------------
Start time: 11/7/2008 10:35:16 PM
Duration: 00:03:17
Finish time: 11/7/2008 10:38:33 PM
<AVZ_CollectSysInfo>
--------------------
Time Event
---- -----
11/7/2008 10:35:17 PM Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 2"
11/7/2008 10:35:17 PM System Restore: enabled
11/7/2008 10:35:21 PM 1.1 Searching for user-mode API hooks
11/7/2008 10:35:21 PM Analysis: kernel32.dll, export table found in section .text
11/7/2008 10:35:21 PM Function kernel32.dll:CreateProcessA (99) intercepted, method ProcAddressHijack.GetProcAddress ->7C802367->61F03F42
11/7/2008 10:35:21 PM Hook kernel32.dll:CreateProcessA (99) blocked
11/7/2008 10:35:21 PM Function kernel32.dll:CreateProcessW (103) intercepted, method ProcAddressHijack.GetProcAddress ->7C802332->61F04040
11/7/2008 10:35:21 PM Hook kernel32.dll:CreateProcessW (103) blocked
11/7/2008 10:35:21 PM Function kernel32.dll:CreateRemoteThread (104) intercepted, method APICodeHijack.JmpTo[00972D2E]
11/7/2008 10:35:21 PM >>> Rootkit code in function CreateRemoteThread blocked
11/7/2008 10:35:21 PM Function kernel32.dllebugActiveProcess (117) intercepted, method APICodeHijack.JmpTo[00972D06]
11/7/2008 10:35:21 PM >>> Rootkit code in function DebugActiveProcess blocked
11/7/2008 10:35:21 PM Function kernel32.dll:FreeLibrary (241) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ABDE->61F041FC
11/7/2008 10:35:21 PM Hook kernel32.dll:FreeLibrary (241) blocked
11/7/2008 10:35:21 PM Function kernel32.dll:GetModuleFileNameA (372) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B4CF->61F040FB
11/7/2008 10:35:21 PM Hook kernel32.dll:GetModuleFileNameA (372) blocked
11/7/2008 10:35:21 PM Function kernel32.dll:GetModuleFileNameW (373) intercepted, method ProcAddressHijack.GetProcAddress ->7C80B3D5->61F041A0
11/7/2008 10:35:21 PM Hook kernel32.dll:GetModuleFileNameW (373) blocked
11/7/2008 10:35:21 PM Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ADA0->61F04648
11/7/2008 10:35:21 PM Hook kernel32.dll:GetProcAddress (408) blocked
11/7/2008 10:35:21 PM Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->61F03C6F
11/7/2008 10:35:21 PM Hook kernel32.dll:LoadLibraryA (578) blocked
11/7/2008 10:35:21 PM >>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
11/7/2008 10:35:21 PM Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->61F03DAF
11/7/2008 10:35:21 PM Hook kernel32.dll:LoadLibraryExA (579) blocked
11/7/2008 10:35:21 PM >>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
11/7/2008 10:35:21 PM Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->61F03E5A
11/7/2008 10:35:21 PM Hook kernel32.dll:LoadLibraryExW (580) blocked
11/7/2008 10:35:21 PM Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE4B->61F03D0C
11/7/2008 10:35:21 PM Hook kernel32.dll:LoadLibraryW (581) blocked
11/7/2008 10:35:21 PM Function kernel32.dll:WinExec (896) intercepted, method APICodeHijack.JmpTo[00972992]
11/7/2008 10:35:21 PM >>> Rootkit code in function WinExec blocked
11/7/2008 10:35:21 PM IAT modification detected: GetModuleFileNameW - 00C30010<>7C80B3D5
11/7/2008 10:35:21 PM Analysis: ntdll.dll, export table found in section .text
11/7/2008 10:35:21 PM Function ntdll.dll:LdrLoadDll (70) intercepted, method APICodeHijack.JmpTo[00972CDE]
11/7/2008 10:35:21 PM >>> Rootkit code in function LdrLoadDll blocked
11/7/2008 10:35:21 PM Function ntdll.dll:LdrUnloadDll (80) intercepted, method APICodeHijack.JmpTo[00972CB6]
11/7/2008 10:35:21 PM >>> Rootkit code in function LdrUnloadDll blocked
11/7/2008 10:35:21 PM Function ntdll.dll:NtConnectPort (117) intercepted, method APICodeHijack.JmpTo[00972A32]
11/7/2008 10:35:21 PM >>> Rootkit code in function NtConnectPort blocked
11/7/2008 10:35:21 PM Function ntdll.dll:NtCreateThread (140) intercepted, method APICodeHijack.JmpTo[00972AD2]
11/7/2008 10:35:21 PM >>> Rootkit code in function NtCreateThread blocked
11/7/2008 10:35:21 PM Function ntdll.dll:NtProtectVirtualMemory (226) intercepted, method APICodeHijack.JmpTo[00972B22]
11/7/2008 10:35:21 PM >>> Rootkit code in function NtProtectVirtualMemory blocked
11/7/2008 10:35:21 PM Function ntdll.dll:NtSecureConnectPort (301) intercepted, method APICodeHijack.JmpTo[00972A0A]
11/7/2008 10:35:21 PM >>> Rootkit code in function NtSecureConnectPort blocked
11/7/2008 10:35:21 PM Function ntdll.dll:NtSetContextThread (304) intercepted, method APICodeHijack.JmpTo[00972AFA]
11/7/2008 10:35:21 PM >>> Rootkit code in function NtSetContextThread blocked
11/7/2008 10:35:21 PM Function ntdll.dll:NtSetValueKey (338) intercepted, method APICodeHijack.JmpTo[00972C8E]
11/7/2008 10:35:21 PM >>> Rootkit code in function NtSetValueKey blocked
11/7/2008 10:35:21 PM Function ntdll.dll:NtSuspendProcess (344) intercepted, method APICodeHijack.JmpTo[00972BEA]
11/7/2008 10:35:21 PM >>> Rootkit code in function NtSuspendProcess blocked
11/7/2008 10:35:21 PM Function ntdll.dll:NtSuspendThread (345) intercepted, method APICodeHijack.JmpTo[00972BC2]
11/7/2008 10:35:21 PM >>> Rootkit code in function NtSuspendThread blocked
11/7/2008 10:35:21 PM Function ntdll.dll:NtTerminateProcess (348) intercepted, method APICodeHijack.JmpTo[00972C3A]
11/7/2008 10:35:21 PM >>> Rootkit code in function NtTerminateProcess blocked
11/7/2008 10:35:21 PM Function ntdll.dll:NtWriteVirtualMemory (369) intercepted, method APICodeHijack.JmpTo[00972C66]
11/7/2008 10:35:21 PM >>> Rootkit code in function NtWriteVirtualMemory blocked
11/7/2008 10:35:21 PM Analysis: user32.dll, export table found in section .text
11/7/2008 10:35:21 PM Function user32.dll:CallNextHookEx (27) intercepted, method APICodeHijack.JmpTo[009730EE]
11/7/2008 10:35:21 PM >>> Rootkit code in function CallNextHookEx blocked
11/7/2008 10:35:21 PM Function user32.dll:ChangeDisplaySettingsExA (34) intercepted, method APICodeHijack.JmpTo[00972852]
11/7/2008 10:35:21 PM >>> Rootkit code in function ChangeDisplaySettingsExA blocked
11/7/2008 10:35:21 PM Function user32.dll:ChangeDisplaySettingsExW (35) intercepted, method APICodeHijack.JmpTo[0097282A]
11/7/2008 10:35:21 PM >>> Rootkit code in function ChangeDisplaySettingsExW blocked
11/7/2008 10:35:21 PM Function user32.dlldeConnect (108) intercepted, method APICodeHijack.JmpTo[009730C6]
11/7/2008 10:35:21 PM >>> Rootkit code in function DdeConnect blocked
11/7/2008 10:35:21 PM Function user32.dlldeConnectList (109) intercepted, method APICodeHijack.JmpTo[0097309E]
11/7/2008 10:35:21 PM >>> Rootkit code in function DdeConnectList blocked
11/7/2008 10:35:21 PM Function user32.dlldeInitializeA (122) intercepted, method APICodeHijack.JmpTo[00973076]
11/7/2008 10:35:21 PM >>> Rootkit code in function DdeInitializeA blocked
11/7/2008 10:35:21 PM Function user32.dlldeInitializeW (123) intercepted, method APICodeHijack.JmpTo[0097304E]
11/7/2008 10:35:21 PM >>> Rootkit code in function DdeInitializeW blocked
11/7/2008 10:35:21 PM Function user32.dll:EndTask (202) intercepted, method APICodeHijack.JmpTo[00972D7E]
11/7/2008 10:35:21 PM >>> Rootkit code in function EndTask blocked
11/7/2008 10:35:21 PM Function user32.dll:ExitWindowsEx (226) intercepted, method APICodeHijack.JmpTo[00972E1E]
11/7/2008 10:35:21 PM >>> Rootkit code in function ExitWindowsEx blocked
11/7/2008 10:35:21 PM Function user32.dll:FindWindowExA (229) intercepted, method APICodeHijack.JmpTo[00972E96]
11/7/2008 10:35:21 PM >>> Rootkit code in function FindWindowExA blocked
11/7/2008 10:35:21 PM Function user32.dll:FindWindowExW (230) intercepted, method APICodeHijack.JmpTo[00972E6E]
11/7/2008 10:35:21 PM >>> Rootkit code in function FindWindowExW blocked
11/7/2008 10:35:21 PM Function user32.dllostMessageA (512) intercepted, method APICodeHijack.JmpTo[00972F86]
11/7/2008 10:35:21 PM >>> Rootkit code in function PostMessageA blocked
11/7/2008 10:35:21 PM Function user32.dllostMessageW (513) intercepted, method APICodeHijack.JmpTo[00972F5E]
11/7/2008 10:35:21 PM >>> Rootkit code in function PostMessageW blocked
11/7/2008 10:35:21 PM Function user32.dll:SendInput (571) intercepted, method APICodeHijack.JmpTo[00972E46]
11/7/2008 10:35:21 PM >>> Rootkit code in function SendInput blocked
11/7/2008 10:35:21 PM Function user32.dll:SendMessageA (572) intercepted, method APICodeHijack.JmpTo[00973026]
11/7/2008 10:35:21 PM >>> Rootkit code in function SendMessageA blocked
11/7/2008 10:35:21 PM Function user32.dll:SendMessageCallbackA (573) intercepted, method APICodeHijack.JmpTo[00972EE6]
11/7/2008 10:35:21 PM >>> Rootkit code in function SendMessageCallbackA blocked
11/7/2008 10:35:21 PM Function user32.dll:SendMessageCallbackW (574) intercepted, method APICodeHijack.JmpTo[00972EBE]
11/7/2008 10:35:21 PM >>> Rootkit code in function SendMessageCallbackW blocked
11/7/2008 10:35:21 PM Function user32.dll:SendMessageTimeoutA (575) intercepted, method APICodeHijack.JmpTo[00972F36]
11/7/2008 10:35:21 PM >>> Rootkit code in function SendMessageTimeoutA blocked
11/7/2008 10:35:21 PM Function user32.dll:SendMessageTimeoutW (576) intercepted, method APICodeHijack.JmpTo[00972F0E]
11/7/2008 10:35:21 PM >>> Rootkit code in function SendMessageTimeoutW blocked
11/7/2008 10:35:21 PM Function user32.dll:SendMessageW (577) intercepted, method APICodeHijack.JmpTo[00972FFE]
11/7/2008 10:35:21 PM >>> Rootkit code in function SendMessageW blocked
11/7/2008 10:35:21 PM Function user32.dll:SendNotifyMessageA (578) intercepted, method APICodeHijack.JmpTo[00972FD6]
11/7/2008 10:35:21 PM >>> Rootkit code in function SendNotifyMessageA blocked
11/7/2008 10:35:21 PM Function user32.dll:SendNotifyMessageW (579) intercepted, method APICodeHijack.JmpTo[00972FAE]
11/7/2008 10:35:21 PM >>> Rootkit code in function SendNotifyMessageW blocked
11/7/2008 10:35:21 PM Function user32.dll:SetForegroundWindow (600) intercepted, method APICodeHijack.JmpTo[00972DF6]
11/7/2008 10:35:21 PM >>> Rootkit code in function SetForegroundWindow blocked
11/7/2008 10:35:21 PM Function user32.dll:SetWinEventHook (639) intercepted, method APICodeHijack.JmpTo[00972D56]
11/7/2008 10:35:21 PM >>> Rootkit code in function SetWinEventHook blocked
11/7/2008 10:35:21 PM Function user32.dll:SetWindowPos (644) intercepted, method APICodeHijack.JmpTo[00972DA6]
11/7/2008 10:35:21 PM >>> Rootkit code in function SetWindowPos blocked
11/7/2008 10:35:21 PM Function user32.dll:SetWindowsHookExA (651) intercepted, method APICodeHijack.JmpTo[0097313E]
11/7/2008 10:35:21 PM >>> Rootkit code in function SetWindowsHookExA blocked
11/7/2008 10:35:21 PM Function user32.dll:SetWindowsHookExW (652) intercepted, method APICodeHijack.JmpTo[00973116]
11/7/2008 10:35:21 PM >>> Rootkit code in function SetWindowsHookExW blocked
11/7/2008 10:35:21 PM Analysis: advapi32.dll, export table found in section .text
11/7/2008 10:35:21 PM Analysis: ws2_32.dll, export table found in section .text
11/7/2008 10:35:21 PM Analysis: wininet.dll, export table found in section .text
11/7/2008 10:35:21 PM Analysis: rasapi32.dll, export table found in section .text
11/7/2008 10:35:21 PM Analysis: urlmon.dll, export table found in section .text
11/7/2008 10:35:21 PM Analysis: netapi32.dll, export table found in section .text
11/7/2008 10:35:24 PM 1.2 Searching for kernel-mode API hooks
11/7/2008 10:35:24 PM Anti-Rootkit error [Failed to set data for 'DisplayName'], step [14]
11/7/2008 10:35:25 PM C:\Program Files\Lavasoft\Personal Firewall\wl_hook.dll --> Suspicion for Keylogger or Trojan DLL
11/7/2008 10:35:25 PM C:\Program Files\Lavasoft\Personal Firewall\wl_hook.dll>>> Behavioral analysis
11/7/2008 10:35:25 PM Behaviour typical for keyloggers not detected
11/7/2008 10:35:25 PM C:\WINDOWS\system32\iertutil.dll --> Suspicion for Keylogger or Trojan DLL
11/7/2008 10:35:25 PM C:\WINDOWS\system32\iertutil.dll>>> Behavioral analysis
11/7/2008 10:35:25 PM Behaviour typical for keyloggers not detected
11/7/2008 10:35:26 PM C:\Program Files\TrueSuite Access Manager\IconOvrly.dll --> Suspicion for Keylogger or Trojan DLL
11/7/2008 10:35:26 PM C:\Program Files\TrueSuite Access Manager\IconOvrly.dll>>> Behavioral analysis
11/7/2008 10:35:26 PM Behaviour typical for keyloggers not detected
11/7/2008 10:35:26 PM C:\Program Files\SmartFTP Client\sfShellTools.dll --> Suspicion for Keylogger or Trojan DLL
11/7/2008 10:35:26 PM C:\Program Files\SmartFTP Client\sfShellTools.dll>>> Behavioral analysis
11/7/2008 10:35:26 PM Behaviour typical for keyloggers not detected
11/7/2008 10:35:26 PM Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
11/7/2008 10:35:37 PM >>> C:\WINDOWS\Downloaded Program Files\ieatgpc.dll HSC: suspicion for AdvWare.Toolbar.WebEx (high degree of probability)
11/7/2008 10:35:45 PM Latent loading of libraries through AppInit_DLLs suspected: "kewukd.dll"
11/7/2008 10:35:46 PM >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
11/7/2008 10:35:46 PM >> Services: potentially dangerous service allowed: TermService (Terminal Services)
11/7/2008 10:35:46 PM >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
11/7/2008 10:35:46 PM >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
11/7/2008 10:35:46 PM >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
11/7/2008 10:35:46 PM >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
11/7/2008 10:35:46 PM > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
11/7/2008 10:35:46 PM >> Security: disk drives' autorun is enabled
11/7/2008 10:35:46 PM >> Security: administrative shares (C$, D$ ...) are enabled
11/7/2008 10:35:46 PM >> Security: anonymous user access is enabled
11/7/2008 10:35:47 PM >>> Security: Internet Explorer allows ActiveX, not marked as safe
11/7/2008 10:35:47 PM >>> Security: Internet Explorer allows unsigned ActiveX elements
11/7/2008 10:35:47 PM >>> Security: Internet Explorer allows automatic queries of ActiveX administrative elements
11/7/2008 10:35:49 PM >> Microsoft Internet Explorer - ActiveX, not marked as safe, are allowed
11/7/2008 10:35:49 PM >> Microsoft Internet Explorer -unsigned ActiveX elements are allowed
11/7/2008 10:35:49 PM >> Microsoft Internet Explorer - automatic queries of ActiveX operating elements are allowed
11/7/2008 10:35:53 PM >> Disable HDD autorun
11/7/2008 10:35:53 PM >> Disable autorun from network drives
11/7/2008 10:35:53 PM >> Disable CD/DVD autorun
11/7/2008 10:35:53 PM >> Disable removable media autorun
11/7/2008 10:35:54 PM System Analysis in progress
11/7/2008 10:38:33 PM System Analysis - complete
11/7/2008 10:38:33 PM Delete file:C:\Documents and Settings\.....\Desktop\Kaspersky Lab Tool\is-2PCOG\LOG\avptool_syscheck.htm
11/7/2008 10:38:33 PM Delete file:C:\Documents and Settings\........\Desktop\Kaspersky Lab Tool\is-2PCOG\LOG\avptool_syscheck.xml
11/7/2008 10:38:33 PM Deleting service/driver: utmxndky
11/7/2008 10:38:33 PM Deleting service/driver: ujmxndky
11/7/2008 10:38:33 PM Script executed without errors