Log analysis and evaluation: Goode olde pop-ups

If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and Trojans can be removed, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
#1
Goode olde pop-ups

Hello forum! I keep getting annoying pop-ups! IE opens (although I don't use it), and sometimes tabs open in Firefox as well (I have already reinstalled it, which didn't help). I have attached the main.txt log from the DSS tool, which also includes a HijackThis log. What worries me in particular is this:

Code:
backup-20070811-124506-496 O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\gyccqtwj.dll",forkonce

And the recently created files:

Code:
2007-08-10 09:55:49          0 d--------  C:\WINDOWS\system32\iieldknh
2007-08-08 13:07:22      66112 --a------  C:\WINDOWS\system32\yfkrbnjy.exe
2007-08-07 13:05:09      66112 --a------  C:\WINDOWS\system32\gtkqvgom.exe
2007-08-06 18:48:30      66112 --a------  C:\WINDOWS\system32\pabmuijn.exe

Please find out what I have on this machine and how I get rid of it!

Regards, Stefan

Code:
Deckard's System Scanner v20070809.63
Run by Stefan on 2007-08-11 at 12:44:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2007-08-11 10:44:28 UTC - RP1 - Systemprüfpunkt

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Stefan.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:21, on 11.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\Siemens\Gigaset USB Stick 54\Gcc.exe
C:\Programme\Siemens\Gigaset USB Stick 54\OdHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Home\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Stefan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {066A2CDC-319E-4460-BA45-C24562CD51AA} - C:\WINDOWS\system32\pmnkjgh.dll (file missing)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D55F78D-57E0-7A56-9975-02E12506D1B4} - C:\Programme\Vdlfmove\buzhcbto.dll (file missing)
O2 - BHO: H - {70C872E5-69F5-456f-B809-484106881B7B} - q24m.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {77D4E341-7688-4379-ABAC-4634EB882C9A} - C:\WINDOWS\system32\geebc.dll
O2 - BHO: (no name) - {7989EDF5-1179-481F-8C47-897C3653EDE8} - C:\WINDOWS\system32\jkkli.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\oyotdmjb.dll (file missing)
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\hggdcbx.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = C:\Programme\Siemens\Gigaset USB Stick 54\Gcc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\npjpi160_02.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programme\RealVNC\VNC4\WinVNC4.exe

--
End of file - 3778 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20070811-121253-444 O23 - Service: DomainService -  - C:\WINDOWS\system32\urtqkqyr.exe
backup-20070811-122821-845 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
backup-20070811-124506-496 O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\gyccqtwj.dll",forkonce

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Ati HotKey Poller - c:\windows\system32\ati2evxx.exe (file missing)
S4 DomainService     - c:\windows\system32\urtqkqyr.exe /service (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Audiocontroller für Multimedia
Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_102A1734&REV_02\3&267A616A&0&FD
Manufacturer:
Name: Audiocontroller für Multimedia
PNP Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_102A1734&REV_02\3&267A616A&0&FD
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI-Modem
Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_102A1734&REV_02\3&267A616A&0&FE
Manufacturer:
Name: PCI-Modem
PNP Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_102A1734&REV_02\3&267A616A&0&FE
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

-- Files created between 2007-07-11 and 2007-08-11 -----------------------------

2007-08-11 12:22:27     125504 --a------  C:\WINDOWS\system32\gyccqtwj.dll
2007-08-11 12:16:48      75328 --a------  C:\WINDOWS\system32\wcrlkefc.exe <Not Verified; ; DDC>
2007-08-11 12:12:16          0 d--------  C:\Programme\Trend Micro
2007-08-11 11:53:24          0 d--------  C:\Programme\Enigma Software Group
2007-08-11 11:44:47     125504 --a------  C:\WINDOWS\system32\eoqciimw.dll
2007-08-11 11:39:17      75328 --a------  C:\WINDOWS\system32\nrhcyqkf.exe <Not Verified; ; DDC>
2007-08-11 11:10:56      75328 --a------  C:\WINDOWS\system32\xmnfnxrk.exe <Not Verified; ; DDC>
2007-08-10 13:55:42     666619 ---hs----  C:\WINDOWS\system32\cbeeg.ini2
2007-08-10 09:55:49          0 d--------  C:\WINDOWS\system32\iieldknh
2007-08-08 13:07:22      66112 --a------  C:\WINDOWS\system32\yfkrbnjy.exe
2007-08-07 13:05:09      66112 --a------  C:\WINDOWS\system32\gtkqvgom.exe
2007-08-06 18:48:30      66112 --a------  C:\WINDOWS\system32\pabmuijn.exe
2007-08-05 23:43:24          0 d--------  C:\Programme\Comical
2007-08-05 18:45:40      66112 --a------  C:\WINDOWS\system32\ttdfmrct.exe
2007-08-05 15:28:03     125504 --a------  C:\WINDOWS\system32\dioyfidv.dll
2007-08-05 15:25:03      66112 --a------  C:\WINDOWS\system32\gnbrfmpb.exe
2007-08-05 04:57:56      31254 --a------  C:\WINDOWS\system32\ssqqnmm.dll
2007-08-04 17:02:31          0 d--------  C:\Programme\Miranda IM
2007-08-04 15:52:41        105 --a------  C:\WINDOWS\system32\mit.bat
2007-08-04 15:52:34      31254 --a------  C:\WINDOWS\system32\tuvurpq.dll
2007-08-04 15:25:21      66112 --a------  C:\WINDOWS\system32\uocbpngc.exe
2007-08-04 15:24:15     653849 ---hs----  C:\WINDOWS\system32\cbeeg.bak2
2007-07-29 19:44:05          0 d--------  C:\Programme\MyPlayCity.com
2007-07-29 14:49:15          0 d--------  C:\Programme\Lionhead Studios
2007-07-28 21:33:19          0 d--------  C:\Programme\LimeWire
2007-07-23 23:33:18          0 d--------  C:\Programme\nethack

-- Find3M Report ---------------------------------------------------------------

2007-08-11 12:35:03          0 d--------  C:\Programme\Java
2007-08-11 01:04:33          0 d--------  C:\Dokumente und Einstellungen\Stefan\Anwendungsdaten\uTorrent
2007-08-06 09:58:08          0 d--------  C:\Dokumente und Einstellungen\Stefan\Anwendungsdaten\??mbols
2007-08-06 09:42:19          0 d--------  C:\Dokumente und Einstellungen\Stefan\Anwendungsdaten\Grisoft
2007-08-05 04:58:05          0 d--------  C:\Programme\Gemeinsame Dateien
2007-08-04 16:18:05          0 d--h-----  C:\Programme\InstallShield Installation Information
2007-08-04 06:47:13          0 d--------  C:\Dokumente und Einstellungen\Stefan\Anwendungsdaten\FinalBurner Audio CD
2007-08-01 20:39:19          0 d--------  C:\Dokumente und Einstellungen\Stefan\Anwendungsdaten\LimeWire
2007-07-29 14:48:02          0 d--------  C:\Programme\Gemeinsame Dateien\InstallShield
2007-07-07 12:14:01       6369 ---hs----  C:\WINDOWS\system32\cbeeg.bak1
2007-07-07 12:13:50     266336 --a------  C:\WINDOWS\system32\geebc.dll
2007-07-06 18:48:36          0 d--------  C:\Dokumente und Einstellungen\Stefan\Anwendungsdaten\vlc
2007-07-06 18:24:13          0 d--------  C:\Programme\VideoLAN
2007-07-02 22:49:48          0 d--------  C:\Dokumente und Einstellungen\Stefan\Anwendungsdaten\dvdcss
2007-07-01 22:26:11          0 d--------  C:\Programme\Vim
2007-06-30 19:36:29         27 --a------  C:\Dokumente und Einstellungen\Stefan\Anwendungsdaten\gnuplot_history
2007-06-30 19:35:17          0 d--------  C:\Programme\gnuplot
2007-06-24 17:59:42          0 d--------  C:\Programme\Manhunt
2007-06-21 22:01:01          0 d--------  C:\Programme\Gemeinsame Dateien\Deterministic Networks
2007-06-21 22:00:56          0 d--------  C:\Programme\Cisco Systems
2007-06-19 22:16:56          1 --a------  C:\WINDOWS\system32\boa.dat
2007-06-19 22:16:55          1 --a------  C:\WINDOWS\system32\ps.dat
2007-06-19 22:09:52      22016 --a------  C:\WINDOWS\system32\winzdn32.dll
2007-06-18 13:44:52          0 d--------  C:\Dokumente und Einstellungen\Stefan\Anwendungsdaten\ACD Systems
2007-06-06 21:22:37        801 --a------  C:\WINDOWS\mozver.dat
2007-05-27 00:55:59      10985 --a------  C:\WINDOWS\scunin.dat
2007-05-27 00:55:57        967 --a------  C:\WINDOWS\ScUnin.pif
2007-05-27 00:55:57      67584 --a------  C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2007-05-26 17:16:40      43520 --a------  C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-26 17:16:18      21840 --a-----t  C:\WINDOWS\system32\SIntfNT.dll
2007-05-26 17:16:18      17212 --a-----t  C:\WINDOWS\system32\SIntf32.dll
2007-05-26 17:16:18      12067 --a-----t  C:\WINDOWS\system32\SIntf16.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{066A2CDC-319E-4460-BA45-C24562CD51AA}]
    C:\WINDOWS\system32\pmnkjgh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D55F78D-57E0-7A56-9975-02E12506D1B4}]
    C:\Programme\Vdlfmove\buzhcbto.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70C872E5-69F5-456f-B809-484106881B7B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77D4E341-7688-4379-ABAC-4634EB882C9A}]
    07.07.2007 12:13 266336 --a------ C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7989EDF5-1179-481F-8C47-897C3653EDE8}]
    C:\WINDOWS\system32\jkkli.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6039E6C-BDE9-4de5-BB40-768CAA584FDC}]
    C:\WINDOWS\system32\oyotdmjb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F}]
    C:\WINDOWS\system32\hggdcbx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [04.09.2001 16:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [28.02.2003 21:00]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_02\bin\jusched.exe" [12.07.2007 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Programme\DAEMON Tools\daemon.exe" [04.04.2007 00:29]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\
Gigaset WLAN Adapter Monitor.lnk - C:\Programme\Siemens\Gigaset USB Stick 54\Gcc.exe [28.04.2007 22:12:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{066A2CDC-319E-4460-BA45-C24562CD51AA}"= C:\WINDOWS\system32\pmnkjgh.dll [ ]
"{FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F}"= C:\WINDOWS\system32\hggdcbx.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geebc]
C:\WINDOWS\system32\geebc.dll 07.07.2007 12:13 266336 C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzdn32]
winzdn32.dll 19.06.2007 22:09 22016 C:\WINDOWS\system32\winzdn32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]

-- End of Deckard's System Scanner: finished at 2007-08-11 at 12:48:23 ---------

Code:
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

Code:
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programme\RealVNC\VNC4\WinVNC4.exe
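The triage a helper would do by hand on a log like this, as an added example that is not part of Stefan's post or of the DSS/HijackThis tooling: a Python script that applies the usual log-reading heuristics to lines copied from the log above. It flags O2 BHOs with no name or with "(file missing)", O4 autostarts that use rundll32 to load a DLL out of system32, O20 Winlogon Notify DLLs outside a small allowlist, O23 services with an empty vendor string, and 5-8 letter filenames in system32 that look machine-generated, and it groups the "Files created" entries by byte size to expose droppers that rewrite the same payload under a new random name every day. The allowlist, the randomness rule and the cluster threshold are my own assumptions for illustration; the two sample strings are constructed from lines in the log above.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis lines copied from the log posted above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {066A2CDC-319E-4460-BA45-C24562CD51AA} - C:\WINDOWS\system32\pmnkjgh.dll (file missing)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {77D4E341-7688-4379-ABAC-4634EB882C9A} - C:\WINDOWS\system32\geebc.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\gyccqtwj.dll",forkonce
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O20 - Winlogon Notify: geebc - C:\WINDOWS\system32\geebc.dll
O20 - Winlogon Notify: winzdn32 - C:\WINDOWS\SYSTEM32\winzdn32.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\urtqkqyr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programme\RealVNC\VNC4\WinVNC4.exe
"""

# Constructed sample: "Files created" entries copied from the DSS log above.
SAMPLE_FILES = r"""
2007-08-11 12:22:27 125504 --a------ C:\WINDOWS\system32\gyccqtwj.dll
2007-08-11 12:16:48 75328 --a------ C:\WINDOWS\system32\wcrlkefc.exe
2007-08-11 11:44:47 125504 --a------ C:\WINDOWS\system32\eoqciimw.dll
2007-08-11 11:39:17 75328 --a------ C:\WINDOWS\system32\nrhcyqkf.exe
2007-08-11 11:10:56 75328 --a------ C:\WINDOWS\system32\xmnfnxrk.exe
2007-08-08 13:07:22 66112 --a------ C:\WINDOWS\system32\yfkrbnjy.exe
2007-08-07 13:05:09 66112 --a------ C:\WINDOWS\system32\gtkqvgom.exe
2007-08-06 18:48:30 66112 --a------ C:\WINDOWS\system32\pabmuijn.exe
2007-08-05 18:45:40 66112 --a------ C:\WINDOWS\system32\ttdfmrct.exe
2007-07-07 12:13:50 266336 --a------ C:\WINDOWS\system32\geebc.dll
2007-05-26 17:16:40 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
"""

# Illustrative allowlist of system32 names that are expected in such a log (assumption, not exhaustive).
KNOWN_GOOD = {"ctfmon", "nwprovau", "ati2mdxx", "ati2evxx", "rundll32",
              "crypt32", "cryptnet", "cscdll", "sclgntfy", "wlballoon"}

SYS32_RE = re.compile(r"\\system32\\", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)", re.I)
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(.+)$")


def stem_of(path):
    """Lower-case file name without extension: C:\\x\\Foo.DLL -> 'foo'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def looks_random(stem):
    """Heuristic (assumption): 5-8 lowercase letters plus up to two digits, not on the
    allowlist, with a run of 3+ consonants or almost no vowels. Catches pmnkjgh/gyccqtwj,
    leaves ctfmon and AcroIEHelper alone."""
    s = stem.lower()
    if s in KNOWN_GOOD or not re.fullmatch(r"[a-z]{5,8}\d{0,2}", s):
        return False
    letters = re.sub(r"\d", "", s)
    vowels = sum(c in "aeiouy" for c in letters)
    longest_run = max(len(run) for run in re.findall(r"[^aeiouy]+", letters)) if letters else 0
    return longest_run >= 3 or vowels / len(letters) < 0.25


def triage_hjt(text):
    """Return [(line, [reasons])] for every HijackThis line that trips a heuristic."""
    findings = []
    for line in text.strip().splitlines():
        reasons = []
        m = PATH_RE.search(line)
        path = m.group(0) if m else None
        if line.startswith("O2 ") and "(no name)" in line:
            reasons.append("BHO registered without a name")
        if "(file missing)" in line:
            reasons.append("registration points at a file that is gone (rotated or already deleted)")
        if line.startswith("O4 ") and "rundll32.exe" in line.lower() and path and SYS32_RE.search(path):
            reasons.append("rundll32 autostart loading a DLL from system32")
        if line.startswith("O20 ") and path and stem_of(path) not in KNOWN_GOOD:
            reasons.append("Winlogon Notify DLL outside the allowlist (loaded into winlogon.exe at boot)")
        if line.startswith("O23 ") and " - - " in line:
            reasons.append("service with an empty vendor string")
        if path and SYS32_RE.search(path) and looks_random(stem_of(path)):
            reasons.append("random-looking 5-8 letter filename in system32")
        if reasons:
            findings.append((line, reasons))
    return findings


def cluster_files(text, min_count=3):
    """Group system32 .exe/.dll entries of a DSS file listing by size; sizes that recur
    min_count times or more are returned, since a dropper re-emitting the same payload
    under fresh random names leaves identical sizes behind."""
    by_size = defaultdict(list)
    for line in text.strip().splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        size, path = int(m.group(2)), m.group(4)
        if SYS32_RE.search(path) and path.lower().endswith((".exe", ".dll")):
            by_size[size].append(path)
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


if __name__ == "__main__":
    for line, reasons in triage_hjt(SAMPLE_HJT):
        print(line)
        for reason in reasons:
            print("    ->", reason)
    for size, paths in sorted(cluster_files(SAMPLE_FILES).items()):
        names = [p.rsplit("\\", 1)[-1] for p in paths]
        print(f"{len(paths)} system32 files of {size} bytes: {names}")
```

Two things to keep in mind when reading the output. The rules are deliberately loose, so a legitimate Winlogon Notify package or an oddly named vendor DLL will be flagged and needs a human look; the point is to shorten the list, not to decide. And an entry marked "(file missing)" is not harmless just because the file is gone: the registry still tries to load it, and on this log the same family kept re-creating replacements (four 66112-byte executables on four consecutive days, three 75328-byte ones within an hour), so the persistence points have to go together with whatever is writing the files. The pairing of geebc.dll in Winlogon Notify with the hidden cbeeg.ini2 and cbeeg.bak files, whose name is geebc spelled backwards, is visible in the listing above as well.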