Log analysis and evaluation: Redirect in IE

If you have picked up a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system has to be examined first: First steps to getting help. Bear in mind that an infected system is not trustworthy and should not be used until the malware has been completely removed.
26.09.2006, 20:07 | #1
Redirect in IE

Good day,
for some time now I have had the problem of being constantly redirected whenever I click a link in Internet Explorer (e.g. on Google or similar). Various scanners (Spywaredoc, or virus scanners) have not worked so far. So I thought maybe someone could look through this logfile, if you have the time and inclination; that would be really kind, because unfortunately I know very little about such things. Many thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 20:30:18, on 26.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\CA\eTrust Antivirus\InoRpc.exe
C:\Programme\CA\eTrust Antivirus\InoRT.exe
C:\Programme\CA\eTrust Antivirus\InoTask.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Programme\Stardock\ObjectDock\ObjectDock.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
E:\zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.versatel.de/internet-cd/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.qsrch.com/
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: (no name) - {4F708013-1888-739C-8AD7-8011B5617983} - defect08.dll (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programme\GetRight\xx2gr.dll
O2 - BHO: Quick! - {4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C} - C:\Programme\quickbar\quickbar.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Quick! - {4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C} - C:\Programme\quickbar\quickbar.dll
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xxtoolbar] lpt.exe
O4 - HKLM\..\Run: [Uint32] FLKPT.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [dmpzt.exe] C:\WINDOWS\system32\dmpzt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Programme\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ftbar] ActionScr.exe
O4 - HKCU\..\Run: [br0ken] gabber.exe
O4 - HKCU\..\Run: [slamm] gabber.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programme\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Easy-WebPrint Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {09E5F659-139F-4022-9097-02E25F93F02A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.versatel.de/internet-cd/
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Spyware Doctor\sdhelp.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
26.09.2006, 23:02 | #2
/// TB Trainer | Redirect in IE

Hi,
there is quite a bit of work ahead. Please have these files
Quote:
Then post the result here; in full please, the entries with no detections and the file size are important too. Then please download Silent Runners following this guide and post the logfile here afterwards. Then we will see.
Regards, kathrin
26.09.2006, 23:08 | #3
/// Helper Team | Redirect in IE

And these as well:
O4 - HKLM\..\Run: [Uint32] FLKPT.exe
O4 - HKLM\..\Run: [dmpzt.exe] C:\WINDOWS\system32\dmpzt.exe
O4 - HKCU\..\Run: [ftbar] ActionScr.exe
O4 - HKCU\..\Run: [br0ken] gabber.exe
O4 - HKCU\..\Run: [slamm] gabber.exe
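As an added illustration (not part of the thread, and not code from HijackThis or any other tool named here), the following Python script applies the same triage the helper just did to the O4 Run entries of a HijackThis log. It flags values that are a bare filename with no directory (Windows resolves those through the search path at logon, which is how ActionScr.exe, gabber.exe, FLKPT.exe and lpt.exe are registered in the log above) and five-letter random-looking executables in system32 (dmpzt.exe). The sample lines are a subset copied from the log in post #1; the regular expressions and the five-letter rule are my own heuristic. It also flags the legitimate SOUNDMAN.EXE, which is exactly why the output is a list for a human to check against the process list, not a verdict.

```python
import re

# Subset of the O4 (autostart) entries from the HijackThis log in post #1.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [xxtoolbar] lpt.exe
O4 - HKLM\..\Run: [Uint32] FLKPT.exe
O4 - HKLM\..\Run: [dmpzt.exe] C:\WINDOWS\system32\dmpzt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ftbar] ActionScr.exe
O4 - HKCU\..\Run: [br0ken] gabber.exe
O4 - HKCU\..\Run: [slamm] gabber.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\Stardock\ObjectDock\ObjectDock.exe
""".strip().splitlines()

# "O4 - HKLM\..\Run: [name] command"; Startup-folder O4 lines have another shape and are skipped.
O4_RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
# My own heuristic: a five-letter lowercase executable directly in system32, like dmpzt.exe.
RANDOM_SYS32_RE = re.compile(r'^[A-Za-z]:\\WINDOWS\\system32\\[a-z]{5}\.exe$', re.IGNORECASE)
# First token ending in .exe/.scr/.dll, so unquoted paths with spaces survive intact.
EXE_RE = re.compile(r'(.*?\.(?:exe|scr|dll))(?:\s|$)', re.IGNORECASE)


def executable_of(command: str) -> str:
    """Extract the program path from a Run value, honouring quoting and trailing arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split()[0]


def triage_o4(lines):
    """Return [(hive, value name, executable, reason)] for Run entries worth a second look."""
    findings = []
    for line in lines:
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        exe = executable_of(command)
        if '\\' not in exe:
            # No directory: the file may live anywhere on the search path, and Silent Runners
            # will later report such entries as "file not found". Legitimate bare names exist
            # (SOUNDMAN.EXE runs from C:\WINDOWS in the process list), so this is a lead only.
            findings.append((hive, name, exe, 'bare filename, no path'))
        elif RANDOM_SYS32_RE.match(exe):
            findings.append((hive, name, exe, 'five-letter random-looking name in system32'))
    return findings


def flagged_names(lines):
    """Only the value names, in log order, for a quick comparison with a helper's list."""
    return [name for _hive, name, _exe, _reason in triage_o4(lines)]


if __name__ == '__main__':
    for hive, name, exe, reason in triage_o4(SAMPLE_O4_LINES):
        print(f'{hive}\\..\\Run [{name}] -> {exe}: {reason}')
```

Run against the full O4 section of the log the script produces the five entries the helper listed, plus SoundMan and xxtoolbar; the Silent Runners output later in the thread settles which of the bare names actually resolve to a file.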
26.09.2006, 23:28 | #4
/// TB Trainer | Redirect in IE

Those
Quote:
But please run them through as well, then at least we have certainty on that front.
Regards kathrin
27.09.2006, 01:49 | #5
Redirect in IE

Hello,
many thanks for the quick replies, really very kind. Most of the files I was supposed to look for I could not find, except for dmpzt.exe:

STATUS: FINISHED
Complete scanning result of "dmpzt.exe", received in VirusTotal at 09.27.2006, 02:16:24 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.18 09.26.2006 HEUR/Malware
Authentium 4.93.8 09.26.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
Avast 4.7.892.0 09.26.2006 Win32:Small-EK
AVG 386 09.26.2006 no virus found
BitDefender 7.2 09.27.2006 MemScan:Trojan.Small.AA
CAT-QuickHeal 8.00 09.26.2006 Trojan.DNSChanger
ClamAV devel-20060426 09.26.2006 Trojan.Small-255
DrWeb 4.33 09.26.2006 Trojan.DownLoader.5401
eTrust-InoculateIT 23.73.5 09.26.2006 no virus found
eTrust-Vet 30.3.3102 09.26.2006 Win32/Alureon!generic
Ewido 4.0 09.26.2006 Trojan.Pakes
Fortinet 2.82.0.0 09.26.2006 suspicious
F-Prot 3.16f 09.26.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
F-Prot4 4.2.1.29 09.25.2006 W32/SecRisk-ProcessPatcher-based!Maximus
Ikarus 0.2.65.0 09.26.2006 no virus found
Kaspersky 4.0.2.24 09.27.2006 Trojan.Win32.Small.fb
McAfee 4860 09.26.2006 Downloader-ARR
Microsoft 1.1603 09.26.2006 no virus found
NOD32v2 1.1777 09.26.2006 Win32/Small.FB
Norman 5.90.23 09.26.2006 no virus found
Panda 9.0.0.4 09.26.2006 Trj/Ruins.MB
Sophos 4.10.0 09.26.2006 Mal/Packer
Symantec 8.0 09.27.2006 no virus found
TheHacker 6.0.1.081 09.26.2006 no virus found
UNA 1.83 09.26.2006 no virus found
VBA32 3.11.1 09.26.2006 Trojan-Downloader.Win32.Small.bwx
VirusBuster 4.3.7:9 09.26.2006 no virus found

Aditional Information
File size: 44032 bytes
MD5: d4509c5184f901298d24cf0b9321bfa6

--------------------------------------------------------------------------

Silent Runners produced the following:

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"IncrediMail" = "C:\Programme\IncrediMail\bin\IncMail.exe /c" ["IncrediMail, Ltd."]
"ftbar" = "ActionScr.exe" [file not found]
"br0ken" = "gabber.exe" [file not found]
"slamm" = "gabber.exe" [file not found]
"updateMgr" = ""C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LaunchAp" = "C:\Programme\Launch Manager\LaunchAp.exe" [empty string]
"HotkeyApp" = "C:\Programme\Launch Manager\HotkeyApp.exe" ["Wistron"]
"CtrlVol" = "C:\Programme\Launch Manager\CtrlVol.exe" ["Wistron"]
"LMgrOSD" = "C:\Programme\Launch Manager\OSD.exe" ["Wistron"]
"Wbutton" = ""C:\Programme\Launch Manager\Wbutton.exe"" [empty string]
"SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"Realtime Monitor" = "C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s" ["Computer Associates International, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"PCMService" = ""C:\Programme\Home Cinema\PowerCinema\PCMService.exe"" ["CyberLink Corp."]
"ATICCC" = ""C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"xxtoolbar" = "lpt.exe" [file not found]
"Uint32" = "FLKPT.exe" [file not found]
"ICQ Lite" = ""C:\Programme\ICQLite\ICQLite.exe" -minimize" ["ICQ Ltd."]
"dmpzt.exe" = "C:\WINDOWS\system32\dmpzt.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}\(Default) = "myBar BHO"
  -> {HKLM...CLSID} = "myBar BHO"
     \InProcServer32\(Default) = "C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL" ["My Way"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = "*b" (unwritable string)
  -> {HKLM...CLSID} = "bho2gr Class"
     \InProcServer32\(Default) = "C:\Programme\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Quick!"
     \InProcServer32\(Default) = "C:\Programme\quickbar\quickbar.dll" [empty string]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "PCTools Site Guard"
     \InProcServer32\(Default) = "C:\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "PCTools Browser Monitor"
     \InProcServer32\(Default) = "C:\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programme\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
  -> {HKLM...CLSID} = "InoShell"
     \InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
  -> {HKLM...CLSID} = "Universelle Plug & Play-Geräte"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
     \InProcServer32\(Default) = "C:\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
     \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {HKLM...CLSID} = "Shell Search Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csnqk.exe" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
     \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"
  -> {HKLM...CLSID} = "IMMenuShellExt Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\INCRED~1\bin\ImShExt.dll" ["IncrediMail, Ltd."]
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
  -> {HKLM...CLSID} = "InoShell"
     \InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
     \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
  -> {HKLM...CLSID} = "InoShell"
     \InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\xx\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\scrnsave.scr" [MS]

Startup items in "xx" & "All Users" startup folders:
-----------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"ATI CATALYST System Tray" -> shortcut to: "C:\Programme\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}"
  -> {HKLM...CLSID} = "My &Search Bar"
     \InProcServer32\(Default) = "C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL" ["My Way"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}"
  -> {HKLM...CLSID} = "Quick!"
     \InProcServer32\(Default) = "C:\Programme\quickbar\quickbar.dll" [empty string]
"{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}"
  -> {HKLM...CLSID} = "My &Search Bar"
     \InProcServer32\(Default) = "C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL" ["My Way"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
  -> {HKLM...CLSID} = "Easy-WebPrint"
     \InProcServer32\(Default) = "C:\Programme\Canon\Easy-WebPrint\Toolband.dll" [empty string]
"{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}" = (no title provided)
  -> {HKLM...CLSID} = "My &Search Bar"
     \InProcServer32\(Default) = "C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL" ["My Way"]
"{4E7BD74F-2B8D-469E-C0FF-FD67B79CAF2C}" = (no title provided)
  -> {HKLM...CLSID} = "Quick!"
     \InProcServer32\(Default) = "C:\Programme\quickbar\quickbar.dll" [empty string]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Shell Search Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Real.com"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\(Default) = "Easy-WebPrint"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Programme\Canon\Easy-WebPrint\Toolband.dll" [empty string]

HKLM\Software\Classes\CLSID\{0494D0DE-F8E0-41AD-92A3-14154ECE70AC}\(Default) = "My Search Bar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{09E5F659-139F-4022-9097-02E25F93F02A}\
"ButtonText" = "MedionShop"
"Exec" = "http://www.medionshop.de/" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
  -> {HKLM...CLSID} = "PCTools Browser Monitor"
     \InProcServer32\(Default) = "C:\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]

{B205A35E-1FC4-4CE3-818B-899DBBB3388C}\

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.versatel.de/internet-cd/

Missing lines (compared with English-language version):
[Strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{4F708013-1888-739C-8AD7-8011B5617983}" = "ssweeper"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "defect08.dll" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
eTrust Antivirus Job Server, InoTask, ""C:\Programme\CA\eTrust Antivirus\InoTask.exe"" ["Computer Associates International, Inc."]
eTrust Antivirus Realtime Server, InoRT, ""C:\Programme\CA\eTrust Antivirus\InoRT.exe"" ["Computer Associates International, Inc."]
eTrust Antivirus RPC Server, InoRPC, ""C:\Programme\CA\eTrust Antivirus\InoRpc.exe"" ["Computer Associates International, Inc."]
PC Tools Spyware Doctor, SDhelper, "C:\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor i560\Driver = "CNMLM58.DLL" ["CANON INC."]
hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 61 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 10 seconds.
---------- (total run time: 100 seconds)
27.09.2006, 06:12 | #6
> MalwareDB | Redirect in IE

Hello,
in the meantime, also scan the file csnqk.exe (it should be in c:\windows\system32) at virustotal and post the result here.
Regards Schrulli
27.09.2006, 10:34 | #7
Redirect in IE

Sorry, but I cannot find a "csnqk.exe". Either I am searching wrong somehow (though I am doing it as in the linked guide) or maybe some virus or spyware scanner has already deleted this file. Is that possible?
27.09.2006, 10:40 | #8
> MalwareDB | Redirect in IE

If every computer is running a diverse ecosystem, crackers will have no choice but to resort to small-scale, targeted attacks, and the days of mass-market malware will be over[...]. Stuart Udall
27.09.2006, 16:03 | #9
Redirect in IE

hi,
so I did as I was told and, as described in the guide, searched through everything, but unfortunately without success.
Regards Bob
27.09.2006, 16:10 | #10
> MalwareDB | Redirect in IE

Hello,
I will get ahead of myrtille here: download Fixwareout. Then post the contents of C:\fixwareout\report.txt here.
Regards Schrulli
27.09.2006, 18:09 | #11
Redirect in IE

So, here is the report. I wanted to have the last files checked by Virustotal, but that will take a while longer. And many thanks for the interest.

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\dknmd
...

Random Runs removed from HKLM
"dmnkd.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
C:\WINDOWS\SYSTEM32\DMNKD.EXE
C:\WINDOWS\SYSTEM32\DMVDO.EXE
* csr.exe C:\WINDOWS\System32\CSNOI.EXE
* csr.exe C:\WINDOWS\System32\CSUSP.EXE

»»»»» Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSNOI.EXE 51.200 2004-12-31
C:\WINDOWS\SYSTEM32\CSUSP.EXE 51.233 2006-03-18
C:\WINDOWS\SYSTEM32\DMNKD.EXE 44.032 2004-08-04
C:\WINDOWS\SYSTEM32\DMVDO.EXE 44.032 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
27.09.2006, 23:38 | #12 |
| Redirection in IE So here are the 4 files scanned with VirusTotal now; I think that doesn't look good, does it? I assume I should delete all of that now? Regards, Bob

CSNOI.EXE STATUS: FINISHED
Complete scanning result of "csnoi.exe", received in VirusTotal at 09.27.2006, 19:42:21 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.18 09.27.2006 TR/Dldr.Agent.UJ.12
Authentium 4.93.8 09.27.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
Avast 4.7.892.0 09.27.2006 Win32:Agent-IU
AVG 386 09.27.2006 Downloader.Agent.BQI
BitDefender 7.2 09.27.2006 Trojan.Downloader.FFZ
CAT-QuickHeal 8.00 09.27.2006 Trojan.DNSChanger
ClamAV devel-20060426 09.27.2006 Trojan.Downloader.Agent-267
DrWeb 4.33 09.27.2006 Trojan.DownLoader.9145
eTrust-InoculateIT 23.73.6 09.27.2006 no virus found
eTrust-Vet 30.3.3103 09.27.2006 Win32/Alureon!generic
Ewido 4.0 09.27.2006 Downloader.Agent.uj
Fortinet 2.82.0.0 09.27.2006 suspicious
F-Prot 3.16f 09.27.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
F-Prot4 4.2.1.29 09.27.2006 W32/SecRisk-ProcessPatcher-based!Maximus
Ikarus 0.2.65.0 09.27.2006 no virus found
Kaspersky 4.0.2.24 09.27.2006 Trojan-Downloader.Win32.Agent.uj
McAfee 4861 09.27.2006 Downloader-ASI
Microsoft 1.1603 09.27.2006 no virus found
NOD32v2 1.1779 09.27.2006 a variant of Win32/Small.FB
Norman 5.90.23 09.27.2006 no virus found
Panda 9.0.0.4 09.27.2006 Trj/Ruins.MB
Sophos 4.10.0 09.27.2006 Mal/Packer
Symantec 8.0 09.27.2006 Trojan Horse
TheHacker 6.0.1.084 09.27.2006 no virus found
UNA 1.83 09.27.2006 no virus found
VBA32 3.11.1 09.27.2006 Trojan.DownLoader.4316
VirusBuster 4.3.7:9 09.27.2006 no virus found
Aditional Information
File size: 51200 bytes
MD5: 5ba4296edb68e47be5828d0a84f96d5b
SHA1: d75afaf54be9d79038e59618cded67574578eaec
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity

CSUSP.EXE STATUS: FINISHED
Complete scanning result of "csusp.exe", received in VirusTotal at 09.27.2006, 20:55:15 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.18 09.27.2006 TR/Dldr.Agent.UJ.147
Authentium 4.93.8 09.27.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
Avast 4.7.892.0 09.27.2006 Win32:Agent-IU
AVG 386 09.27.2006 Downloader.Agent.13.AV
BitDefender 7.2 09.27.2006 Trojan.Downloader.FFZ
CAT-QuickHeal 8.00 09.27.2006 Trojan.DNSChanger
ClamAV devel-20060426 09.27.2006 Trojan.Downloader.Agent-267
DrWeb 4.33 09.27.2006 Trojan.DownLoader.9145
eTrust-InoculateIT 23.73.6 09.27.2006 no virus found
eTrust-Vet 30.3.3103 09.27.2006 Win32/Alureon!generic
Ewido 4.0 09.27.2006 Downloader.Agent.uj
Fortinet 2.82.0.0 09.27.2006 suspicious
F-Prot 3.16f 09.27.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
F-Prot4 4.2.1.29 09.27.2006 W32/SecRisk-ProcessPatcher-based!Maximus
Ikarus 0.2.65.0 09.27.2006 no virus found
Kaspersky 4.0.2.24 09.27.2006 Trojan-Downloader.Win32.Agent.uj
McAfee 4861 09.27.2006 Downloader-ASI
Microsoft 1.1603 09.27.2006 no virus found
NOD32v2 1.1780 09.27.2006 a variant of Win32/Small.FB
Norman 5.90.23 09.27.2006 no virus found
Panda 9.0.0.4 09.27.2006 Trj/Vidro.A
Sophos 4.10.0 09.27.2006 Mal/Packer
Symantec 8.0 09.27.2006 Downloader
TheHacker 6.0.1.084 09.27.2006 no virus found
UNA 1.83 09.27.2006 no virus found
VBA32 3.11.1 09.27.2006 Trojan.DownLoader.4316
VirusBuster 4.3.7:9 09.27.2006 Trojan.DL.Agent.CDJ
Aditional Information
File size: 51233 bytes
MD5: 7f644e6d8cd28e1a14abbe65cb7c7064
SHA1: ca88340c7f77947f399e596926e49eb293fc085e

DMVDO.EXE STATUS: FINISHED
Complete scanning result of "dmvdo.exe", received in VirusTotal at 09.27.2006, 22:33:01 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.18 09.27.2006 HEUR/Malware
Authentium 4.93.8 09.27.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
Avast 4.7.892.0 09.27.2006 Win32:Small-EK
AVG 386 09.27.2006 no virus found
BitDefender 7.2 09.27.2006 MemScan:Trojan.Small.AA
CAT-QuickHeal 8.00 09.27.2006 Trojan.DNSChanger
ClamAV devel-20060426 09.27.2006 Trojan.Small-255
DrWeb n - no virus found
eTrust-InoculateIT 23.73.6 09.27.2006 no virus found
eTrust-Vet 30.3.3103 09.27.2006 Win32/Alureon!generic
Ewido 4.0 09.27.2006 Trojan.Pakes
Fortinet 2.82.0.0 09.27.2006 W32/ARR.FB!tr
F-Prot 3.16f 09.27.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
F-Prot4 4.2.1.29 09.27.2006 W32/SecRisk-ProcessPatcher-based!Maximus
Ikarus 0.2.65.0 09.27.2006 no virus found
Kaspersky 4.0.2.24 09.27.2006 Trojan.Win32.Small.fb
McAfee 4861 09.27.2006 Downloader-ARR
Microsoft 1.1603 09.27.2006 no virus found
NOD32v2 1.1780 09.27.2006 Win32/Small.FB
Norman 5.90.23 09.27.2006 no virus found
Panda 9.0.0.4 09.27.2006 Trj/Ruins.MB
Sophos 4.10.0 09.27.2006 Mal/Packer
Symantec 8.0 09.27.2006 no virus found
TheHacker 6.0.1.084 09.27.2006 Trojan/Small.fb
UNA 1.83 09.27.2006 no virus found
VBA32 3.11.1 09.27.2006 Trojan-Downloader.Win32.Small.bwx
VirusBuster 4.3.7:9 09.27.2006 no virus found
Aditional Information
File size: 44032 bytes
MD5: d4509c5184f901298d24cf0b9321bfa6
SHA1: 81c88341484a31e6629138fe7b746c22c6353651

DMNKD.EXE STATUS: FINISHED
Complete scanning result of "dmnkd.exe", received in VirusTotal at 09.27.2006, 21:43:20 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.18 09.27.2006 HEUR/Malware
Authentium 4.93.8 09.27.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
Avast 4.7.892.0 09.27.2006 Win32:Small-EK
AVG 386 09.27.2006 no virus found
BitDefender 7.2 09.27.2006 MemScan:Trojan.Small.AA
CAT-QuickHeal 8.00 09.27.2006 Trojan.DNSChanger
ClamAV devel-20060426 09.27.2006 Trojan.Small-255
DrWeb 4.33 09.27.2006 Trojan.DownLoader.5401
eTrust-InoculateIT 23.73.6 09.27.2006 no virus found
eTrust-Vet 30.3.3103 09.27.2006 Win32/Alureon!generic
Ewido 4.0 09.27.2006 Trojan.Pakes
Fortinet 2.82.0.0 09.27.2006 W32/ARR.FB!tr
F-Prot 3.16f 09.27.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-based!Maximus
F-Prot4 4.2.1.29 09.27.2006 W32/SecRisk-ProcessPatcher-based!Maximus
Ikarus 0.2.65.0 09.27.2006 no virus found
Kaspersky 4.0.2.24 09.27.2006 Trojan.Win32.Small.fb
McAfee 4861 09.27.2006 Downloader-ARR
Microsoft 1.1603 09.27.2006 no virus found
NOD32v2 1.1780 09.27.2006 Win32/Small.FB
Norman 5.90.23 09.27.2006 no virus found
Panda 9.0.0.4 09.27.2006 Trj/Ruins.MB
Sophos 4.10.0 09.27.2006 Mal/Packer
Symantec 8.0 09.27.2006 no virus found
TheHacker 6.0.1.084 09.27.2006 Trojan/Small.fb
UNA 1.83 09.27.2006 no virus found
VBA32 3.11.1 09.27.2006 Trojan-Downloader.Win32.Small.bwx
VirusBuster 4.3.7:9 09.27.2006 no virus found
Aditional Information
File size: 44032 bytes |
28.09.2006, 00:21 | #13 | |
/// TB-Ausbilder | Redirection in IE Hi, the 4: Quote:
About the two files you didn't find: please run cleanup, then run datfind.bat and post the 4 logs here; the last 3 months should be enough for each! We'll get those too. Regards, myrtille Last edited by myrtille (28.09.2006 at 00:28) |
28.09.2006, 00:53 | #14 |
| Redirection in IE OK, so I have now removed all 4 culprits as described, run cleanup and freed up almost 1 GB of space, that's really great, many thanks already. Regards, Bob. Here are the 4 files from datfind now:

SYSTEM 32
Verzeichnis von C:\WINDOWS\system32
28.09.2006 01:27 2.206 wpa.dbl
28.09.2006 01:26 236.539 kspydoc.log
28.09.2006 01:26 0 Sweeper.cfg
15.09.2006 22:01 43.520 CmdLineExt03.dll
11.09.2006 19:37 8.960.936 MRT.exe
21.08.2006 14:26 16.896 fltlib.dll
21.08.2006 11:14 23.040 fltmc.exe
18.08.2006 20:05 531.280 FNTCACHE.DAT
11.08.2006 19:31 352.401 DivXMedia.ax
09.08.2006 02:38 516.096 ac3filter.ax
09.08.2006 02:38 16.384 ac3config.exe
28.07.2006 13:28 3.075.072 mshtml.dll
27.07.2006 15:25 679.424 inetcomm.dll
25.07.2006 22:33 615.936 urlmon.dll
21.07.2006 10:29 72.704 hlink.dll
15.07.2006 10:14 376.350 perfh009.dat
15.07.2006 10:14 52.148 perfc009.dat
15.07.2006 10:14 386.912 perfh007.dat
15.07.2006 10:14 62.974 perfc007.dat
15.07.2006 10:14 886.992 PerfStringBackup.INI
14.07.2006 17:38 332.288 netapi32.dll
14.07.2006 17:25 546.304 hhctrl.ocx
13.07.2006 15:34 8.494.592 shell32.dll
07.07.2006 21:30 73.728 ts.dll
05.07.2006 12:55 1.057.792 kernel32.dll
26.06.2006 19:40 8.192 rasadhlp.dll
26.06.2006 19:40 148.480 dnsapi.dll
23.06.2006 13:10 664.576 wininet.dll
23.06.2006 13:10 474.624 shlwapi.dll
23.06.2006 13:10 146.432 msrating.dll
23.06.2006 13:10 39.424 pngfilt.dll
23.06.2006 13:10 1.494.016 shdocvw.dll
23.06.2006 13:10 448.512 mshtmled.dll
23.06.2006 13:10 532.480 mstime.dll
23.06.2006 13:10 152.064 cdfview.dll
23.06.2006 13:10 357.888 dxtmsft.dll
23.06.2006 13:10 96.768 inseng.dll
23.06.2006 13:10 16.384 jsproxy.dll
23.06.2006 13:10 205.312 dxtrans.dll
23.06.2006 13:10 251.392 iepeers.dll
23.06.2006 13:10 1.056.256 danim.dll
23.06.2006 13:10 1.022.976 browseui.dll
23.06.2006 13:10 55.808 extmgr.dll
23.06.2006 10:53 27.136 xpsp3res.dll
22.06.2006 07:06 1.441.792 query.dll
22.06.2006 07:06 69.120 ciodm.dll
19.06.2006 16:20 702.768 WgaLogon.dll
19.06.2006 16:19 571.184 LegitCheckControl.dll
19.06.2006 16:19 304.944 WgaTray.exe
02.06.2006 00:10 3.596.288 qt-dx331.dll
02.06.2006 00:09 53.248 dpuGUI10.dll
02.06.2006 00:09 90.112 dpl100.dll
02.06.2006 00:09 593.920 dpuGUI11.dll
02.06.2006 00:09 200.704 dtu100.dll
02.06.2006 00:09 344.064 dpus11.dll
02.06.2006 00:09 57.344 dpv11.dll
02.06.2006 00:09 294.912 dpu11.dll
02.06.2006 00:09 294.912 dpu10.dll
02.06.2006 00:08 700.416 divxdec.ax
02.06.2006 00:07 4.276 divxsm.tlb
02.06.2006 00:07 536.576 DivXsm.exe
02.06.2006 00:07 10.716 dsm_ja.qm
02.06.2006 00:07 15.331 dsm_de.qm
02.06.2006 00:07 15.172 dsm_fr.qm
02.06.2006 00:07 1.044.480 libdivx.dll
02.06.2006 00:07 200.704 ssldivx.dll
02.06.2006 00:07 245.408 unicows.dll
02.06.2006 00:06 778.240 divx_xx07.dll
02.06.2006 00:06 778.240 divx_xx0c.dll
02.06.2006 00:06 761.856 divx_xx11.dll
02.06.2006 00:06 619.156 DivX.dll
02.06.2006 00:06 12.288 DivXWMPExtType.dll
02.06.2006 00:06 118.784 DivXCodecUpdateChecker.exe
02.06.2006 00:06 8.523 dpude.qm
02.06.2006 00:06 3.136 dtu_de.qm
01.06.2006 20:47 163.840 jgdw400.dll
01.06.2006 20:47 27.648 jgpl400.dll

TEMP
Datenträger in Laufwerk C: ist Platte C
Volumeseriennummer: F418-7F23
Verzeichnis von C:\DOKUME~1\xx\LOKALE~1\Temp
28.09.2006 01:27 16.384 Perflib_Perfdata_19c.dat
28.09.2006 01:27 16.384 ~DF8083.tmp
28.09.2006 01:27 512 ~DF6E49.tmp
28.09.2006 01:27 16.384 ~DF6E25.tmp
28.09.2006 01:27 16.384 Perflib_Perfdata_4c4.dat
28.09.2006 01:26 16.384 Perflib_Perfdata_e8.dat
6 Datei(en) 82.432 Bytes
0 Verzeichnis(se), 3.081.687.040 Bytes frei

WINDOWS
Datenträger in Laufwerk C: ist Platte C
Volumeseriennummer: F418-7F23
Verzeichnis von C:\WINDOWS
28.09.2006 01:27 4.268 ModemLog_Intel(R) 537EA Modem.txt
28.09.2006 01:27 2.118 ModemLog_Kommunikationskabel zwischen zwei Computern.txt
28.09.2006 01:26 159 wiadebug.log
28.09.2006 01:26 1.630.392 WindowsUpdate.log
28.09.2006 01:26 50 wiaservc.log
28.09.2006 01:26 0 0.log
28.09.2006 01:26 2.048 bootstat.dat
28.09.2006 01:25 32.630 SchedLgU.Txt
27.09.2006 19:03 202 NeroDigital.ini
27.09.2006 10:25 6.679 KB925486.log
27.09.2006 02:56 155 winamp.ini
26.09.2006 19:12 106 drwatson.log
26.09.2006 14:40 737.280 iun6002.exe
26.09.2006 13:07 937 xpsp1hfm.log
26.09.2006 13:07 660 Q331958.log
26.09.2006 00:11 195.461 wmsetup.log
15.09.2006 21:57 375.780 setupapi.log
15.09.2006 03:02 170.817 comsetup.log
15.09.2006 03:02 103.866 ntdtcsetup.log
15.09.2006 03:02 77.882 iis6.log
15.09.2006 03:02 1.374 imsins.log
15.09.2006 03:02 27.279 ocmsn.log
15.09.2006 03:02 198.839 tsoc.log
15.09.2006 03:02 13.076 KB920685.log
15.09.2006 03:02 253.219 ocgen.log
15.09.2006 03:02 24.873 msgsocm.log
15.09.2006 03:02 497.807 FaxSetup.log
15.09.2006 03:02 1.374 imsins.BAK
15.09.2006 03:02 14.989 KB920872.log
15.09.2006 03:02 13.267 KB919007.log
15.09.2006 03:02 9.179 KB922582.log
15.09.2006 03:02 25.191 updspapi.log
13.09.2006 11:53 8.409 WgaNotify.log
11.09.2006 01:16 4.962 DirectX.log
05.09.2006 21:44 38 AviSplitter.INI
05.09.2006 19:42 249 cdplayer.ini
22.08.2006 17:52 222.533 setupact.log
10.08.2006 03:02 16.655 KB920214.log
10.08.2006 03:02 16.371 KB921883.log
10.08.2006 03:02 16.228 KB922616.log
10.08.2006 03:02 16.696 KB921398.log
10.08.2006 03:01 19.869 KB918899.log
10.08.2006 03:01 12.090 KB920670.log
10.08.2006 03:01 12.253 KB917422.log
10.08.2006 03:00 12.456 KB920683.log
03.08.2006 19:33 182.725 Bild 010-1.jpg
15.07.2006 03:01 11.826 KB917159.log
15.07.2006 03:01 12.339 KB914388.log
15.07.2006 03:01 10.408 KB916595.log
17.06.2006 11:19 1.830 spupdsvc.log
17.06.2006 10:06 12.705 KB917734.log
17.06.2006 10:05 14.727 KB918439.log
17.06.2006 10:05 15.087 KB917344.log
17.06.2006 10:04 14.863 KB917953.log
17.06.2006 10:04 14.838 KB911280.log
17.06.2006 10:04 18.102 KB916281.log
17.06.2006 10:04 11.702 KB914389.log
12.06.2006 00:56 2.362 mozver.dat
12.06.2006 00:49 332 wininit.ini
03.06.2006 14:54 34.420 KB899587.log
03.06.2006 14:54 33.529 KB896422.log
03.06.2006 14:53 33.567 KB911927.log
03.06.2006 14:53 33.065 KB901017.log
03.06.2006 14:52 33.374 KB899591.log
03.06.2006 14:52 33.588 KB896424.log
03.06.2006 14:51 33.569 KB893756.log
03.06.2006 14:50 32.497 KB911562.log
03.06.2006 14:50 30.338 KB896423.log
03.06.2006 14:49 32.319 KB900485.log
03.06.2006 14:48 31.115 KB887742.log
03.06.2006 14:46 31.784 KB896358.log
03.06.2006 14:45 25.974 KB910437.log
03.06.2006 14:45 22.062 KB898458.log
03.06.2006 14:44 26.245 KB911564.log
03.06.2006 14:39 34.794 KB912812.log
03.06.2006 14:37 30.989 KB902400.log
03.06.2006 14:35 22.578 KB890046.log
03.06.2006 14:34 21.841 KB905414.log
03.06.2006 14:34 21.208 KB901214.log
03.06.2006 14:33 21.943 KB900725.log
03.06.2006 14:32 19.452 KB912919.log
03.06.2006 14:32 18.993 KB904706.log
03.06.2006 14:31 18.726 KB908531.log
03.06.2006 14:29 18.221 KB905749.log
03.06.2006 14:28 18.484 KB913580.log
03.06.2006 14:27 12.333 KB911565.log
03.06.2006 14:23 16.447 KB896428.log
03.06.2006 14:23 17.211 KB911567.log
03.06.2006 14:21 17.205 KB894391.log
03.06.2006 14:20 14.812 KB908519.log
03.06.2006 14:20 10.971 KB913446.log
03.06.2006 14:20 17.226 KB890859.log
02.06.2006 21:22 9.969 WGA.log
02.06.2006 21:21 8.843 KB898461.log
02.06.2006 21:21 11.632 KB893803v2.log

C
Datenträger in Laufwerk C: ist Platte C
Volumeseriennummer: F418-7F23
Verzeichnis von C:\
28.09.2006 01:39 0 sys.txt
28.09.2006 01:38 12.468 system.txt
28.09.2006 01:38 573 systemtemp.txt
28.09.2006 01:37 107.081 system32.txt
28.09.2006 01:26 535.875.584 hiberfil.sys
28.09.2006 01:26 803.708.928 pagefile.sys
27.09.2006 17:27 456.823 Fixwareout.exe
27.09.2006 13:14 15.895.440 DivXCreate.exe
19.10.2004 15:53 211 boot.ini
05.09.2004 09:35 100 AUTOEXEC.BAT
17.08.2004 17:43 0 CONFIG.SYS
17.08.2004 17:43 0 IO.SYS
17.08.2004 17:43 0 MSDOS.SYS
04.08.2004 14:00 4.952 bootfont.bin
04.08.2004 14:00 47.564 NTDETECT.COM
04.08.2004 14:00 251.184 ntldr
16 Datei(en) 1.356.360.908 Bytes
0 Verzeichnis(se), 3.081.637.888 Bytes frei |
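The thread above relies on two signals: the Fixwareout heuristic in post #11 (five-character executables in system32 whose names start with cs, dm or jb) and the VirusTotal MD5 values in post #12, checked against a datfind directory listing like the one in post #14. The following is an added example of my own (not code from Fixwareout, datfind, VirusTotal or any poster here) that runs both checks over a listing in the datfind format. The sample listing is constructed; the MD5 blocklist holds the three hashes posted in this thread (the dmnkd.exe result on the page has no MD5 line); the function and constant names are my own.

```python
import hashlib
import re
from dataclasses import dataclass

# Fixwareout's heuristic from post #11: a five-character executable name
# beginning with cs, dm or jb is a candidate for scanning. Legitimate names
# such as csrss.exe match as well, which is why it is only a first pass.
SUSPECT_NAME = re.compile(r"^(cs|dm|jb)[a-z0-9]{3}\.exe$", re.IGNORECASE)

# MD5 values exactly as posted in the VirusTotal results (post #12).
KNOWN_BAD_MD5 = {
    "5ba4296edb68e47be5828d0a84f96d5b": "csnoi.exe",
    "7f644e6d8cd28e1a14abbe65cb7c7064": "csusp.exe",
    "d4509c5184f901298d24cf0b9321bfa6": "dmvdo.exe",
}

# One "dir" line in the datfind output: dd.mm.yyyy hh:mm size name, where the
# size carries the German thousands separator "." (1.057.792).
DIR_LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4})\s+(\d{2}:\d{2})\s+([\d.]+)\s+(.+)$")

# Constructed sample listing in the datfind format (not taken from the thread).
SAMPLE_LISTING = r"""
 Verzeichnis von C:\WINDOWS\system32

04.08.2004 14:00 44.032 dmnkd.exe
04.08.2004 14:00 44.032 dmvdo.exe
31.12.2004 12:00 51.200 csnoi.exe
04.08.2004 14:00 6.144 csrss.exe
05.07.2006 12:55 1.057.792 kernel32.dll
23.06.2006 13:10 664.576 wininet.dll
21.08.2006 11:14 23.040 fltmc.exe
 7 Datei(en) 1.849.780 Bytes
"""


@dataclass
class Entry:
    date: str
    time: str
    size: int
    name: str


def parse_datfind(text):
    """Return the file entries of a datfind/dir listing. Header and summary
    lines are skipped because they do not start with a dd.mm.yyyy date."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        size = int(m.group(3).replace(".", ""))
        entries.append(Entry(m.group(1), m.group(2), size, m.group(4)))
    return entries


def flag_by_name(entries):
    """Names matching the cs/dm/jb five-character pattern, in listing order."""
    return [e.name for e in entries if SUSPECT_NAME.match(e.name)]


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def flag_by_hash(files, blocklist=KNOWN_BAD_MD5):
    """files maps a file name to its raw bytes. Returns name -> md5 for every
    file whose digest is on the blocklist (a confirmed hit, not a guess)."""
    hits = {}
    for name, data in files.items():
        digest = md5_hex(data)
        if digest in blocklist:
            hits[name] = digest
    return hits


def triage(entries, files=None, blocklist=KNOWN_BAD_MD5):
    """Combine both signals into {name: [reasons]}. A name-only hit is something
    to submit to a multi-engine scanner; a hash hit needs no further scanning."""
    report = {}
    for name in flag_by_name(entries):
        report.setdefault(name, []).append("name matches the cs/dm/jb pattern")
    for name, digest in flag_by_hash(files or {}, blocklist).items():
        report.setdefault(name, []).append(f"md5 {digest} is on the blocklist")
    return report


if __name__ == "__main__":
    for name, reasons in triage(parse_datfind(SAMPLE_LISTING)).items():
        print(name, "->", "; ".join(reasons))
```

Run on the sample listing, the name check flags the three renamed droppers together with csrss.exe, a genuine Windows process; that false positive is exactly why Fixwareout tells the user to submit the listed files rather than delete them, and why the hash check is kept separate as the confirming step.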
28.09.2006, 01:08 | #15 |
/// TB-Ausbilder | Redirection in IE Hmm, well, I don't see anything for now, but maybe someone else can look over it again? Please post a new HijackThis log! Regards, myrtille |