Wieder mal Browser öffnet sich von selbst..:-/ |
||
---|---|---|
#0
| ||
03.12.2008, 11:33
...neu hier
Beiträge: 4 |
||
|
||
03.12.2008, 11:45
Moderator
Beiträge: 7805 |
#2
Hallo MariaKim,
Arbeite bitte noch die Punkte 2-4 aus http://board.protecus.de/t23188.htm ab und pooste die Ergebnisse dazu __________ MfG Ralf SEO-Spam Hunter |
|
|
||
03.12.2008, 13:20
...neu hier
Themenstarter Beiträge: 4 |
#3
Upss,
ja hab die Logs vergessen :-) also: MALWARE SAGT: ============ Malwarebytes' Anti-Malware 1.30 Datenbank Version: 1454 Windows 5.1.2600 Service Pack 3 03.12.2008 13:11:14 mbam-log-2008-12-03 (13-11-14).txt Scan-Methode: Quick-Scan Durchsuchte Objekte: 49358 Laufzeit: 2 minute(s), 52 second(s) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 0 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: (Keine bösartigen Objekte gefunden) =============================== COMBOFIX sagt: ComboFix 08-12-01.03 - Maria 2008-12-03 13:12:05.3 - [color=red]FAT32[/color]x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.694 [GMT 1:00] ausgeführt von:: c:\dokumente und einstellungen\Maria\Desktop\ComboFix.exe . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\lTAHknmp.ini c:\windows\system32\lTAHknmp.ini2 . ((((((((((((((((((((((( Dateien erstellt von 2008-11-03 bis 2008-12-03 )))))))))))))))))))))))))))))) . 2009-11-06 17:27 . 2009-11-06 17:27 <DIR> d-------- c:\windows\system32\AGEIA 2009-11-06 17:27 . 2009-11-06 17:27 <DIR> d-------- c:\programme\AGEIA Technologies 2009-11-06 17:26 . 2009-11-06 17:26 <DIR> d-------- c:\windows\nview 2009-11-06 17:26 . 2009-11-06 17:26 <DIR> d-------- C:\NVIDIA 2009-11-06 17:26 . 2008-10-07 13:33 453,152 --a------ c:\windows\system32\nvudisp.exe 2009-11-06 17:26 . 2008-12-02 15:50 200,819 --a------ c:\windows\system32\nvapps.xm~ 2009-11-06 17:26 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu 2009-11-06 17:26 . 2008-12-03 13:16 104 --a------ c:\windows\system32\nvapps.xml 2008-12-03 12:07 . 2008-12-03 12:07 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware 2008-12-03 12:07 . 2008-12-03 12:07 <DIR> d-------- c:\dokumente und einstellungen\Maria\Anwendungsdaten\Malwarebytes 2008-12-03 12:07 . 2008-12-03 12:07 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes 2008-12-03 12:07 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-03 12:07 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-12-03 11:19 . 2008-12-03 11:19 <DIR> d-------- c:\programme\Trend Micro 2008-12-03 11:07 . 2008-12-03 11:07 <DIR> d-------- C:\VundoFix Backups 2008-12-03 10:39 . 2008-12-03 10:39 <DIR> d-------- c:\programme\CCleaner 2008-12-02 17:46 . 2008-12-02 17:46 7 --a------ c:\windows\system32\mwavscan.com 2008-12-02 15:55 . 2008-12-02 15:55 6,627,328 --a------ c:\windows\system32\MNXGAFGOP 2008-12-02 15:53 . 2008-12-02 15:54 <DIR> d-------- C:\rr 2008-12-02 15:48 . 2001-06-29 19:40 29,696 --a------ c:\windows\system32\flcss.exe 2008-12-02 13:04 . 2008-12-02 13:04 282,634 --a------ c:\windows\system32\dwwnw64r.ex~ 2008-12-02 13:04 . 2008-12-02 13:04 171 --a------ c:\windows\system32\msnav32.a~ 2008-11-12 04:41 . 2008-10-24 12:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-12 04:40 . 2008-09-04 18:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll 2008-11-03 10:55 . 2008-11-03 10:55 <DIR> d-------- c:\programme\Roland . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-06 16:27 --------- d-----w c:\programme\Gemeinsame Dateien\Wise Installation Wizard 2008-10-31 09:35 --------- d-----w c:\programme\SAMSUNG 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-24 10:00 --------- d-----w c:\dokumente und einstellungen\Maria\Anwendungsdaten\LEAPS 2008-10-24 09:58 --------- d-----w c:\dokumente und einstellungen\Maria\Anwendungsdaten\Pegasys Inc 2008-10-24 09:53 59,488 ----a-w c:\windows\system32\GenSvcInst.exe 2008-10-24 09:53 33,408 ----a-w c:\windows\system32\drivers\CDRBSDRV.SYS 2008-10-24 09:53 145,504 ----a-w c:\windows\system32\bgsvcgen.exe 2008-10-24 09:53 --------- d-----w c:\programme\Pegasys Inc 2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 13:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll 2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll 2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 13:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll 2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 13:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll 2008-10-16 13:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll 2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 13:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe 2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-10-16 13:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll 2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll 2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll 2008-10-15 17:35 337,408 ------w c:\windows\system32\dllcache\netapi32.dll 2008-10-15 13:25 --------- d-----w c:\dokumente und einstellungen\Maria\Anwendungsdaten\Broken Sword 2.5 2008-10-15 13:01 --------- d-----w c:\programme\Broken Sword 2.5 2008-10-07 09:12 --------- d-----w c:\dokumente und einstellungen\Maria\Anwendungsdaten\Yahoo! 2008-10-07 09:12 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Yahoo! Companion 2008-10-06 10:20 --------- d-----w c:\programme\Yahoo! 2008-10-06 10:20 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Yahoo! 2008-10-03 17:58 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll 2008-10-02 09:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE 2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll 2008-09-15 16:24 1,846,528 ----a-w c:\windows\system32\win32k.sys 2008-09-15 16:24 1,846,528 ------w c:\windows\system32\dllcache\win32k.sys 2008-09-10 01:13 1,307,648 ----a-w c:\windows\system32\msxml6.dll 2008-09-10 01:13 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll 2008-09-08 11:41 333,824 ------w c:\windows\system32\dllcache\srv.sys 2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll 2008-09-04 08:31 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe 2007-01-19 14:43 5,120 --sha-w c:\programme\Thumbs.db 2006-07-18 14:04 1,252,018 ----a-w c:\programme\index0.jpg 2004-10-16 11:38 299,008 ----a-w c:\dokumente und einstellungen\Maria\Anwendungsdaten\DESINSTALADOR_AVCINEEDSP.exe 2008-06-03 11:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008060320080604\index.dat . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "P2kAutostart"="d:\v3i\pck2\P2kAutostart.exe" [2005-11-01 24064] "H/PC Connection Agent"="c:\programme\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avgnt"="c:\programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016] "F-Secure Anti-FunLove"="c:\windows\system32\flcss.exe" [2001-06-29 29696] "QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2008-05-27 413696] "SoundMan"="SOUNDMAN.EXE" [2005-09-22 c:\windows\soundman.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=bebhum.dll,wyxlfo.dll [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader Speed Launch.lnk] path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Audible Download Manager.lnk] path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Audible Download Manager.lnk backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^GetRight - Tray Icon.lnk] path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\GetRight - Tray Icon.lnk backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk] path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Maria^Startmenü^Programme^Autostart^DW_Start.lnk] path=c:\dokumente und einstellungen\Maria\Startmenü\Programme\Autostart\DW_Start.lnk backup=c:\windows\pss\DW_Start.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp] Alaunch [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 22:16 39792 c:\programme\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService] --a------ 2005-09-29 16:07 114688 c:\programme\Acer\Acer eMode Management\AspireService.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] --a------ 2007-06-27 19:03 152872 c:\programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boss Key] --a------ 2001-07-18 20:17 283136 c:\programme\Boss Key\BOSSKEY.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EfreeSoft Boss Key] --a------ 2005-08-03 16:03 261632 c:\programme\Mgboss\mgboss.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService] --a------ 2005-10-31 16:21 393216 c:\acer\Empowering Technology\eRecovery\Monitor.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent] --a------ 2006-11-13 13:50 1289000 c:\programme\Microsoft ActiveSync\wcescomm.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite] --a------ 2006-07-11 11:15 3144800 c:\programme\ICQLite\ICQLite.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1] --a------ 2004-08-04 05:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync] --a------ 2005-09-21 13:48 425984 c:\programme\Acer\Acer eConsole\MediaSync.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)] --a------ 2008-09-19 17:34 4347120 c:\programme\Yahoo!\Messenger\YahooMessenger.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2007-01-19 12:55 5674352 c:\programme\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002] --a------ 2004-08-04 05:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App] --a------ 2008-07-07 13:12 675935 c:\programme\SAMSUNG\FW LiveUpdate\FWManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2007-03-01 15:57 153136 c:\programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI] --a------ 2005-05-11 18:15 45056 c:\programme\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Personal ID] --a------ 2008-03-20 12:47 1440256 c:\coolsp~1\PERSON~1\pid.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A] --a------ 2004-08-04 05:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync] --a------ 2004-08-04 05:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] --a------ 2007-04-09 14:23 200704 c:\programme\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-05-27 10:50 413696 c:\programme\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] --a------ 2004-11-02 20:24 32768 c:\programme\CyberLink\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2005-11-10 13:03 36975 c:\programme\Java\jre1.5.0_06\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Acer Media Server"=2 (0x2) "IDriverT"=3 (0x3) "FLEXnet Licensing Service"=3 (0x3) "ATI Smart"=2 (0x2) "iPodService"=3 (0x3) "Bonjour Service"=2 (0x2) "Ati HotKey Poller"=2 (0x2) "winvnc"=2 (0x2) "usnjsvc"=3 (0x3) "NMIndexingService"=3 (0x3) "NBService"=3 (0x3) "idsvc"=3 (0x3) "gusvc"=3 (0x3) "WMPNetworkSvc"=3 (0x3) "LtcyCfgSvc"=2 (0x2) "bgsvcgen"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Programme\\ABC\\ABC.exe"= "c:\\Programme\\AntiVir PersonalEdition Classic\\avcenter.exe"= "c:\\Programme\\eMule\\emule.exe"= "c:\\Programme\\Google\\Google Earth\\googleearth.exe"= "c:\\Programme\\ICQLite\\ICQLite.exe"= "c:\\Programme\\Mozilla Firefox\\firefox.exe"= "c:\\Programme\\Trillian\\trillian.exe"= "c:\\Programme\\Microsoft ActiveSync\\rapimgr.exe"= "c:\\Programme\\mIRC\\mirc.exe"= "c:\\Program Files\\WS_FTP\\WS_FTP95.exe"= "c:\\Programme\\Acer\\Acer eConsole\\eConsole.exe"= "c:\\Programme\\Bonjour\\mDNSResponder.exe"= "c:\\Programme\\Adobe\\Adobe Flash CS3\\Flash.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"= R1 atitray;atitray;\??\c:\programme\Radeon Omega Drivers\v3.8.291\ATI Tray Tools\atitray.sys [2005-11-14 13952] R3 LtcyCfgWDM;PCI Latency Tool Driver Service;c:\windows\system32\DRIVERS\LtcyCfgWDM.sys [2005-12-26 6656] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3A0.tmp [] S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-06-13 17920] S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-06-13 7680] S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-06-13 42112] S3 zlportio;zlportio;\??\c:\dokumente und einstellungen\Maria\Desktop\ustar\zlportio.sys [] S4 LtcyCfgSvc;PCI Latency Tool Service;c:\programme\PCI Latency Tool 3\LtcyCfgSvc.exe [2005-12-26 5120] S4 ORWVWEQB;ORWVWEQB;c:\dokume~1\Maria\LOKALE~1\Temp\ORWVWEQB.exe [] S4 XJF;XJF;c:\dokume~1\Maria\LOKALE~1\Temp\XJF.exe [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99509135-d787-11db-b2f5-8000600fe800}] \Shell\AutoRun\command - J:\LaunchU3.exe -a . - - - - Entfernte verwaiste Registrierungseinträge - - - - BHO-{2D17CE7F-3C39-4F50-B498-044616F90584} - c:\windows\system32\pmnkHATl.dll . ------- Zusätzlicher Suchlauf ------- . FireFox -: Profile - c:\dokumente und einstellungen\Maria\Anwendungsdaten\Mozilla\Firefox\Profiles\yxl0h9y6.default\ FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://de.search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p= FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPJava11.dll FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPJava12.dll FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPJava13.dll FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPJava14.dll FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPJava32.dll FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPOJI610.dll FF -: plugin - c:\programme\Yahoo!\Shared\npYState.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-03 13:16:00 Windows 5.1.2600 Service Pack 3 FAT NTAPI Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\3A0.tmp" . ------------------------ Weitere laufende Prozesse ------------------------ . c:\programme\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE c:\programme\ANTIVIR PERSONALEDITION CLASSIC\SCHED.EXE c:\windows\system32\rundll32.exe c:\progra~1\MICROS~4\rapimgr.exe c:\windows\system32\taskmgr.exe . ************************************************************************** . Zeit der Fertigstellung: 2008-12-03 13:18:32 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2008-12-03 12:18:32 ComboFix3.txt 2008-01-16 12:38:08 ComboFix2.txt 2008-12-03 10:06:04 Vor Suchlauf: 34 Verzeichnis(se), 61.684.678.656 Bytes frei Nach Suchlauf: 34 Verzeichnis(se), 61,678,682,112 Bytes frei 266 --- E O F --- 2008-11-13 02:02:53 ========================================================= HIJACKTHIS SAGT: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:19:21, on 03.12.2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\AntiVir PersonalEdition Classic\avguard.exe C:\Programme\AntiVir PersonalEdition Classic\sched.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\flcss.exe C:\Programme\QuickTime\qttask.exe D:\v3i\pck2\P2kAutostart.exe C:\Programme\Microsoft ActiveSync\wcescomm.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\MICROS~4\rapimgr.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Programme\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [F-Secure Anti-FunLove] C:\WINDOWS\system32\flcss.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [P2kAutostart] D:\v3i\pck2\P2kAutostart.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=- O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - C:\Programme\Xilisoft\YouTube Video Converter\upod_link.HTM O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm O8 - Extra context menu item: Save Flash - res://C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210 O8 - Extra context menu item: SWF Capture tool - C:\Programme\Eltima Software\Flash Decompiler\iebt.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programme\Bonjour\ExplorerPlugin.dll O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU) O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU) O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU) O15 - Trusted Zone: *.amaena.com O15 - Trusted Zone: *.avsystemcare.com O15 - Trusted Zone: *.onerateld.com O15 - Trusted Zone: *.safetydownload.com O15 - Trusted Zone: *.trustedantivirus.com O15 - Trusted Zone: *.virusschlacht.com O15 - Trusted Zone: *.amaena.com (HKLM) O15 - Trusted Zone: *.avsystemcare.com (HKLM) O15 - Trusted Zone: *.onerateld.com (HKLM) O15 - Trusted Zone: *.safetydownload.com (HKLM) O15 - Trusted Zone: *.trustedantivirus.com (HKLM) O15 - Trusted Zone: *.virusschlacht.com (HKLM) O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{2B019AEE-7A08-45C8-B8A5-BA8F72C8778B}: NameServer = 192.168.2.1 O20 - AppInit_DLLs: bebhum.dll,wyxlfo.dll O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe -- End of file - 6904 bytes |
|
|
||
03.12.2008, 19:57
Moderator
Beiträge: 7805 |
#4
Hake bitte folgendes bei Hijackthis an und druecke fix checked:
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file) O4 - HKLM\..\Run: [F-Secure Anti-FunLove] C:\WINDOWS\system32\flcss.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" - O15 - Trusted Zone: *.amaena.com O15 - Trusted Zone: *.avsystemcare.com O15 - Trusted Zone: *.onerateld.com O15 - Trusted Zone: *.safetydownload.com O15 - Trusted Zone: *.trustedantivirus.com O15 - Trusted Zone: *.virusschlacht.com O15 - Trusted Zone: *.amaena.com (HKLM) O15 - Trusted Zone: *.avsystemcare.com (HKLM) O15 - Trusted Zone: *.onerateld.com (HKLM) O15 - Trusted Zone: *.safetydownload.com (HKLM) O15 - Trusted Zone: *.trustedantivirus.com (HKLM) O15 - Trusted Zone: *.virusschlacht.com (HKLM) O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab Starte neu und schaue, ob obige Eintraege nun verschwunden sind. Mache bitte einen Scan mit Gmer: http://forum.hijackthis.de/showthread.php?t=16868 __________ MfG Ralf SEO-Spam Hunter |
|
|
||
05.12.2008, 13:23
...neu hier
Themenstarter Beiträge: 4 |
#5
Hallo,
anbei das neue Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:23:10, on 05.12.2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\AntiVir PersonalEdition Classic\avguard.exe C:\Programme\AntiVir PersonalEdition Classic\sched.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\system32\RUNDLL32.EXE D:\v3i\pck2\P2kAutostart.exe C:\Programme\Microsoft ActiveSync\wcescomm.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\MICROS~4\rapimgr.exe C:\WINDOWS\explorer.exe C:\Programme\Internet Explorer\iexplore.exe C:\WINDOWS\system32\notepad.exe C:\Programme\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [P2kAutostart] D:\v3i\pck2\P2kAutostart.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=- O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - C:\Programme\Xilisoft\YouTube Video Converter\upod_link.HTM O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm O8 - Extra context menu item: Save Flash - res://C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210 O8 - Extra context menu item: SWF Capture tool - C:\Programme\Eltima Software\Flash Decompiler\iebt.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programme\Bonjour\ExplorerPlugin.dll O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU) O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU) O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU) O17 - HKLM\System\CCS\Services\Tcpip\..\{2B019AEE-7A08-45C8-B8A5-BA8F72C8778B}: NameServer = 192.168.2.1 O20 - AppInit_DLLs: bebhum.dll,wyxlfo.dll O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe -- End of file - 5980 bytes |
|
|
||
05.12.2008, 13:39
Moderator
Beiträge: 7805 |
#6
Entschuldige, du muss diesen Eintrag auch "fixen" ud kontrollieren, ob er nach neustart noch vorhanden ist
O20 - AppInit_DLLs: bebhum.dll,wyxlfo.dll Was ist mit dem Gmer report? __________ MfG Ralf SEO-Spam Hunter |
|
|
||
05.12.2008, 13:49
...neu hier
Themenstarter Beiträge: 4 |
#7
Hier mal das neue Log nach Reboot:
HijackThis: ======== Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:45:14, on 05.12.2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\Explorer.EXE C:\Programme\AntiVir PersonalEdition Classic\sched.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\system32\RUNDLL32.EXE D:\v3i\pck2\P2kAutostart.exe C:\Programme\Microsoft ActiveSync\wcescomm.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\MICROS~4\rapimgr.exe C:\Programme\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [P2kAutostart] D:\v3i\pck2\P2kAutostart.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=- O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - C:\Programme\Xilisoft\YouTube Video Converter\upod_link.HTM O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm O8 - Extra context menu item: Save Flash - res://C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210 O8 - Extra context menu item: SWF Capture tool - C:\Programme\Eltima Software\Flash Decompiler\iebt.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programme\Bonjour\ExplorerPlugin.dll O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU) O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU) O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU) O17 - HKLM\System\CCS\Services\Tcpip\..\{2B019AEE-7A08-45C8-B8A5-BA8F72C8778B}: NameServer = 192.168.2.1 O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe -- End of file - 5859 bytes und das hat Gmer ausgespuckt: Gmer ====== GMER 1.0.14.14536 - http://www.gmer.net Rootkit scan 2008-12-05 13:49:16 Windows 5.1.2600 Service Pack 3 ---- System - GMER 1.0.14 ---- SSDT F7D1564C ZwCreateThread SSDT F7D15638 ZwOpenProcess SSDT F7D1563D ZwOpenThread SSDT F7D15647 ZwTerminateProcess SSDT F7D15642 ZwWriteVirtualMemory ---- Devices - GMER 1.0.14 ---- AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- Registry - GMER 1.0.14 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C70361A2-BAA3-1CEC-7230-4D433813EF4C} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C70361A2-BAA3-1CEC-7230-4D433813EF4C}@paanddjanmnhafelhfgkkkmllbghfihg 0x61 0x62 0x62 0x6C ... ---- EOF - GMER 1.0.14 ---- |
|
|
||
05.12.2008, 15:17
Moderator
Beiträge: 7805 |
#8
Hm, dann fix noch das:
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=- Dann bitte Mbam aktualisieren, neu scannen, falls es etwas findet, bitte melden, sowie bitte ein neues Combofix Log. Mache auch einen Kontrollscan mit F-secure: http://support.f-secure.de/ger/home/ols.shtml __________ MfG Ralf SEO-Spam Hunter |
|
|
||
ich habe mir wohl irgend eine art von Malware eingefangen die folgendes erzeugt:
- öffnen des Default Browsers mit unsinnigen Seiten
- Deaktivieren der "automatischen Windows Updates"
- Bei den Interneteinstellungen immer wieder auf "alle Cookies akzeptieren" zurück gesetzt
Ich habe hier alle Anleitungen (hoffentlich) gelesen und auch ausgeführt.
Zum Schluss habe ich noch combofix drüber laufen lassen. Bin aber immer noch unsicher, ob ich nun "Sauber" bin. Von daher poste ich nun nochmals mein Hijack Log....
hoffe ich habe nichts übersehen...
Lg,
Maria
_______________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:49, on 03.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\flcss.exe
C:\Programme\QuickTime\qttask.exe
D:\v3i\pck2\P2kAutostart.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programme\AVG\AVG8\avgrsx.exe
C:\Programme\AVG\AVG8\avgrsx.exe
C:\Programme\AVG\AVG8\avgrsx.exe
C:\Programme\AVG\AVG8\avgrsx.exe
C:\Programme\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnnmKCr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F-Secure Anti-FunLove] C:\WINDOWS\system32\flcss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [P2kAutostart] D:\v3i\pck2\P2kAutostart.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=-
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - C:\Programme\Xilisoft\YouTube Video Converter\upod_link.HTM
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O8 - Extra context menu item: Save Flash - res://C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: SWF Capture tool - C:\Programme\Eltima Software\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programme\Bonjour\ExplorerPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B019AEE-7A08-45C8-B8A5-BA8F72C8778B}: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll bebhum.dll
O20 - Winlogon Notify: opnnmKCr - C:\WINDOWS\SYSTEM32\opnnmKCr.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
--
End of file - 7505 bytes