Log Analysis and Evaluation: VirtuMonde problem with log!
If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system first has to be examined: first steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
26.08.2007, 15:19 | #1
VirtuMonde problem with log!
Hello, I'm new here, so please forgive me if I ask one question too many.

Problem: I've obviously caught VirtuMonde. The virus/trojan keeps changing its name and its files, so every removal attempt is defeated.

Found so far and partly removed:
* Trojan.Adclicker, ...\SYSTEM32\gebyx.dll (removed with AVG)
* Trojan.Vundo, ...\system32\ddcbbba.dll (deleted automatically by Norton)
* Dialer.Generic (blocked by Norton)
* Downloader ...Dok .u. E.\xc23[1].exe (Norton could not repair it)
* Trojaner.Nebuler ...Dok. u. E.\xc29[1].exe (Norton could not repair it)
* Trojan.Awax ...\system32\efcbabb.dll (deleted automatically by Norton)

Every time I scan with AVG Anti-Spyware, Spybot or Norton, it finds yet another infected file. In addition, almost every time I dial into the net some web page gets opened (I've now tried simply blocking those pages via Explorer).

Programs I have tried repeatedly so far to solve the problem (all in vain):
* Norton Antivirus
* AVG Anti-Spyware
* Spybot
* Ad-Aware 6.0

I'm asking for urgent help, including instructions as precise as possible on what I can/must remove manually and where (I don't want to reinstall the system)!!

Logfile follows ...

thx so much, mexmarkus
26.08.2007, 15:21 | #2
Log: VirtuMonde problem

Logfile of HijackThis v1.99.1
Scan saved at 15:56:37, on 26.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\Microsoft SQL Server\MSSQL$MARKETINGCD\Binn\sqlservr.exe
C:\Programme\Microsoft SQL Server\MSSQL$MARKETINGCD\BINN\sqlservr.dll
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Programme\QuickTime\qttask.exe
C:\PROGRA~1\aon\AONMES~1\aonMessageCenter.exe
C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\aon\aonUpdate\aonUpdate.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\VIA\RAID\raid_tool.exe
C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
C:\PROGRA~1\GEMEIN~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Alle\Eigene Dateien\***\Programme\VirtuMonde_Problem\HijackThis\HijackThis.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://search.aon.at
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.aon.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://intranet/ipc
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telekom Austria
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programme\DAP\DAPIEBar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programme\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1aonmessagecenter] C:\PROGRA~1\aon\AONMES~1\aonMessageCenter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [aonUpdate] C:\Programme\aon\aonUpdate\aonUpdate.exe /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: auto-bit.lnk = C:\SYSPREP\bit\bit.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: raid_tool.exe.lnk = C:\Programme\VIA\RAID\raid_tool.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EA73E60-1BE5-4F42-9AC8-15A92FF76CD0}: NameServer = 195.3.96.67,195.3.96.68
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programme\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: MSSQL$MARKETINGCD - Unknown owner - C:\Programme\Microsoft SQL Server\MSSQL$MARKETINGCD\Binn\sqlservr.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
26.08.2007, 15:36 | #3
/// AVZ-Toolkit Guru
VirtuMonde problem with log!
Hi Markus.

Proceed as follows:
- Uninstall Norton via the Control Panel. Then run the NortonRemovalTool and restart the computer. After that, run it once more.
- Grab the freeware version of AntiVir and configure it aggressively.
- Disable System Restore on all drives.
- Uninstall Java via the Control Panel.
- Run Blacklight and Silentrunners and post the log files.
- Follow these instructions. Let the program work as many times as it takes until nothing more is found!
- Clean up with cCleaner (you have to let it search and clean the registry several times).
- Run Combofix. Post the text that appears.
- Scan your system twice each with Lavasoft and Spybot-S&D as well as your AV (all three with current signatures!). First in normal mode and then in Safe Mode (F8 while booting).
- Clean up with cCleaner (you have to let it search and clean the registry several times).
- Post a fresh HijackThis log as well as an iClean report (open the program in its own folder -> "Yes" -> File -> Report).
- Then run an eScan and post the log.

Regards, Undoreal
26.08.2007, 22:34 | #4
VirtuMonde problem with log!
Thanks already, Undoreal. I'm now about halfway through your instructions. Did everything exactly as described. I've now run Blacklight and Silentrunners over the system. The root of the problem almost certainly lies in the .dll files I've marked in red below. Besides that, AntiVir (like Norton before it) finds all sorts of trojans etc., but can't move them to quarantine or the like. The messages keep coming back. So I'll try the VirtuMonde removal next and continue down the list.

Blacklight reported nothing:

08/26/07 22:46:13 [Info]: BlackLight Engine 1.0.64 initialized
08/26/07 22:46:13 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/26/07 22:46:14 [Note]: 7019 4
08/26/07 22:46:14 [Note]: 7005 0
08/26/07 22:46:20 [Note]: 7006 0
08/26/07 22:46:20 [Note]: 7011 1616
08/26/07 22:46:20 [Note]: 7026 0
08/26/07 22:46:20 [Note]: 7026 0
08/26/07 22:46:26 [Note]: FSRAW library version 1.7.1022
08/26/07 23:07:26 [Note]: 4013 19597
08/26/07 23:07:26 [Note]: 4020 11307 65536
08/26/07 23:07:26 [Note]: 4018 11307 65536
08/26/07 23:07:26 [Note]: 4013 19597
08/26/07 23:07:26 [Note]: 4020 11307 65536
08/26/07 23:07:26 [Note]: 4018 11307 65536
08/26/07 23:08:55 [Note]: 4013 19206
08/26/07 23:08:55 [Note]: 4020 11307 65536
08/26/07 23:08:55 [Note]: 4018 11307 65536
08/26/07 23:08:55 [Note]: 4013 19206
08/26/07 23:08:55 [Note]: 4020 11307 65536
08/26/07 23:08:55 [Note]: 4018 11307 65536
08/26/07 23:09:34 [Note]: 4013 19206
08/26/07 23:09:34 [Note]: 4020 11307 65536
08/26/07 23:09:34 [Note]: 4018 11307 65536
08/26/07 23:09:34 [Note]: 4013 19206
08/26/07 23:09:34 [Note]: 4020 11307 65536
08/26/07 23:09:34 [Note]: 4018 11307 65536
08/26/07 23:09:55 [Note]: 4013 19206
08/26/07 23:09:55 [Note]: 4020 11307 65536
08/26/07 23:09:55 [Note]: 4018 11307 65536
08/26/07 23:09:55 [Note]: 4013 19206
08/26/07 23:09:55 [Note]: 4020 11307 65536
08/26/07 23:09:55 [Note]: 4018 11307 65536
08/26/07 23:10:13 [Note]: 2000 1012
08/26/07 23:10:46 [Note]: 7007 0

Silentrunners says this about it:

"Silent Runners.vbs", revision 52, Silent Runners - Adware? Disinfect, don't reformat!
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"aonUpdate" = "C:\Programme\aon\aonUpdate\aonUpdate.exe /tray" ["mquadr.at software engineering und consulting GmbH"]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"updateMgr" = "C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"CM-SmWizard" = "C:\WINDOWS\System\SmWizard.exe" ["C-Media Electronics Inc."]
"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" ["HP"]
"HP Software Update" = "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]
"DeviceDiscovery" = "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"WorksFUD" = "C:\Programme\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"Microsoft Works Portfolio" = "C:\Programme\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
"Microsoft Works Update Detection" = "C:\Programme\Microsoft Works\WkDetect.exe" ["Microsoft® Corporation"]
"DownloadAccelerator" = "C:\PROGRA~1\DAP\DAP.EXE /STARTUP" ["SpeedBit Ltd."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"1aonmessagecenter" = "C:\PROGRA~1\aon\AONMES~1\aonMessageCenter.exe" ["mquadr.at software engineering & consulting GmbH"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_07\bin\jusched.exe" ["Sun Microsystems, Inc."]
"!AVG Anti-Spyware" = ""C:\Programme\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"CTDrive" = "rundll32.exe C:\WINDOWS\system32\drvgug.dll,startup" [MS]
"xcnopilm" = "rundll32.exe "C:\Programme\jkvujmxu\rwnezetu.dll",Init" [MS]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "DAPBHO Class"
     \InProcServer32\(Default) = "C:\Programme\DAP\DAPIEBar.dll" [empty string]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{14665344-D2FE-4E3F-866D-16C9E2D73D83}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\awvvt.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programme\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{77980427-4405-44D8-BD6D-CA8AEFB26C0D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\mlljj.dll" [null data]
{857A461D-8D96-4996-A4A0-AEA0A2535B86}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\tuvtrsp.dll" [file not found]
{8EF8A1A9-57BD-4882-81FA-1AED172838B9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\gebyx.dll" [file not found]
{938A8A03-A938-4019-B764-03FF8D167D79}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\bwdfgjrm.dll" [null data]
{C84D8A0A-E708-42B6-90CA-9C30956A87C6}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\vtututs.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
     \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Dokumente und Einstellungen\Alle\Eigene Dateien\***\Programme\WinRAR\rarext.dll" [null data]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{857A461D-8D96-4996-A4A0-AEA0A2535B86}" = "*b" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\tuvtrsp.dll" [file not found]
<<!>> "{C84D8A0A-E708-42B6-90CA-9C30956A87C6}" = "*b" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\vtututs.dll" [null data]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
     \InProcServer32\(Default) = "C:\Programme\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> awvvt\DLLName = "C:\WINDOWS\system32\awvvt.dll" [file not found]
<<!>> gebyx\DLLName = "C:\WINDOWS\system32\gebyx.dll" [file not found]
<<!>> mlljj\DLLName = "C:\WINDOWS\system32\mlljj.dll" [null data]
<<!>> tuvtrsp\DLLName = "tuvtrsp.dll" [file not found]
<<!>> vtututs\DLLName = "vtututs.dll" [null data]
<<!>> winbjv32\DLLName = "winbjv32.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
     \InProcServer32\(Default) = "C:\Programme\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Dokumente und Einstellungen\Alle\Eigene Dateien\Markus\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
     \InProcServer32\(Default) = "C:\Programme\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Dokumente und Einstellungen\Alle\Eigene Dateien\Markus\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Dokumente und Einstellungen\Alle\Eigene Dateien\Markus\Programme\WinRAR\rarext.dll" [null data]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Alle\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Alle" & "All Users" startup folders:
------------------------------------------------------

C:\Dokumente und Einstellungen\Alle\Startmenü\Programme\Autostart
"auto-bit" -> shortcut to: "C:\SYSPREP\bit\bit.exe /r" [file not found]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Erinnerungen in Microsoft Works-Kalender" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"raid_tool.exe" -> shortcut to: "C:\Programme\VIA\RAID\raid_tool.exe" ["VIA"]
"ZoneAlarm Pro" -> shortcut to: "C:\Programme\Zone Labs\ZoneAlarm\zapro.exe -nopopup" ["Zone Labs Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
  -> {HKLM...CLSID} = "&Links"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{62999427-33FC-4BAF-9C9C-BCE6BD127F08}" = "DAP Bar"
  -> {HKLM...CLSID} = "DAP Bar"
     \InProcServer32\(Default) = "C:\Programme\DAP\DAPIEBar.dll" [empty string]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{9455301C-CF6B-11D3-A266-00C04F689C50}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Encarta &Recherche-Assistent"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\EROProj.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{669695BC-A811-4A9D-8CDF-BA8C795F261C}\
"ButtonText" = "Run DAP"
"Exec" = "C:\PROGRA~1\DAP\DAP.EXE" ["SpeedBit Ltd."]

{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Recherche-Assistent"

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Planer, AntiVirScheduler, ""C:\Programme\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Programme\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
MSSQL$MARKETINGCD, MSSQL$MARKETINGCD, "C:\Programme\Microsoft SQL Server\MSSQL$MARKETINGCD\Binn\sqlservr.exe -sMARKETINGCD" [null data]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
hpzsnt08\Driver = "hpzsnt08.dll" ["HP"]
LIDIL hpzll054\Driver = "hpzll054.dll" ["Hewlett-Packard Company"]

---------- (launch time: 2007-08-26 23:11:17)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 78 seconds, including 16 seconds for message boxes)

Regards, mexmarkus
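A triage pass over entries of this kind, as an added example that is not part of the thread and not code from Silent Runners: the script parses a constructed excerpt modelled on the report above (same launch points and DLL names, cut down to a few benign and suspicious entries) and flags the three things an analyst reads off such a log. A DLL with no publisher data ([file not found] or [null data]) registered at a sensitive launch point (Browser Helper Objects, ShellExecuteHooks, Winlogon\Notify); a Run value that goes through rundll32, where the [MS] tag describes rundll32 itself and says nothing about the DLL it loads; and the same DLL registered at more than one launch point, which is exactly how awvvt.dll and tuvtrsp.dll appear in the posted report. The function and field names are my own.

```python
"""Triage of autostart entries from a Silent Runners style report.

Added example for this thread, not code from the forum or from Silent Runners.
It reads a constructed excerpt modelled on the report posted above and flags
the signals an analyst reads off such a log.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt: same launch points and DLL names as the posted report,
# trimmed to a handful of benign and suspicious entries.
SAMPLE_REPORT = r'''
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"CTDrive" = "rundll32.exe C:\WINDOWS\system32\drvgug.dll,startup" [MS]
"xcnopilm" = "rundll32.exe "C:\Programme\jkvujmxu\rwnezetu.dll",Init" [MS]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{14665344-D2FE-4E3F-866D-16C9E2D73D83}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\awvvt.dll" [file not found]
{857A461D-8D96-4996-A4A0-AEA0A2535B86}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\tuvtrsp.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{857A461D-8D96-4996-A4A0-AEA0A2535B86}" = "*b" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\tuvtrsp.dll" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> awvvt\DLLName = "C:\WINDOWS\system32\awvvt.dll" [file not found]
<<!>> tuvtrsp\DLLName = "tuvtrsp.dll" [file not found]
<<!>> winbjv32\DLLName = "winbjv32.dll" [null data]
'''

# Launch points at which the Vundo-family DLLs were registered in the posted logs.
SENSITIVE_POINTS = ("Browser Helper Objects", "ShellExecuteHooks", "Winlogon\\Notify")
# Silent Runners tags that mean "no version/publisher information could be read".
NO_PUBLISHER = ("file not found", "null data", "empty string")

# A module is either a full path (x:\...\name.exe) or a bare file name.
MODULE_RE = re.compile(r'(?i)(?:[a-z]:\\[^",]*?|[\w~-]+)\.(?:exe|dll)')
TAG_RE = re.compile(r'\[([^\]]*)\]\s*$')          # trailing [MS] / ["Vendor"] / [null data]
KEY_RE = re.compile(r'^(?:HKLM|HKCU)\\')          # a registry key header line


@dataclass(frozen=True)
class Entry:
    launch_point: str    # registry key the value lives under
    module: str          # module that actually gets loaded (the DLL, not rundll32)
    tag: str             # Silent Runners publisher tag
    via_rundll32: bool


@dataclass(frozen=True)
class Finding:
    module: str          # lower-case file name
    where: str
    reason: str


def parse_report(text):
    """Turn the report into Entry records; only lines ending in a [tag] name a module."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if KEY_RE.match(line):
            key = line.replace(" {++}", "")   # drop the "non-default values" marker
            continue
        tag = TAG_RE.search(line)
        if key is None or tag is None:
            continue
        modules = MODULE_RE.findall(line)
        if not modules:
            continue
        via = modules[0].lower().endswith("rundll32.exe")
        module = modules[1] if via and len(modules) > 1 else modules[0]
        entries.append(Entry(key, module, tag.group(1), via))
    return entries


def triage(entries):
    """Apply the three checks described in the lead-in and return the findings."""
    findings, points_by_module = [], defaultdict(set)
    for e in entries:
        name = e.module.rsplit("\\", 1)[-1].lower()
        points_by_module[name].add(e.launch_point)
        if e.tag in NO_PUBLISHER and any(p in e.launch_point for p in SENSITIVE_POINTS):
            findings.append(Finding(name, e.launch_point,
                                    f"no publisher data ({e.tag}) at a sensitive launch point"))
        if e.via_rundll32:
            findings.append(Finding(name, e.launch_point,
                                    "loaded through rundll32; the [MS] tag describes rundll32, not this DLL"))
    for name, points in points_by_module.items():
        if len(points) > 1:   # one component persisted at several launch points
            findings.append(Finding(name, "; ".join(sorted(points)),
                                    f"same DLL registered at {len(points)} launch points"))
    return findings


def suspicious_modules(findings):
    """Sorted, de-duplicated list of file names that produced at least one finding."""
    return sorted({f.module for f in findings})


if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE_REPORT)):
        print(f"{f.module:14} {f.reason}\n    {f.where}")
```

On the excerpt the legitimate ATI, Avira and Adobe modules produce nothing, while awvvt.dll, tuvtrsp.dll, winbjv32.dll, drvgug.dll and rwnezetu.dll are each reported, and the cross-launch-point check singles out awvvt.dll (two points) and tuvtrsp.dll (three). The publisher-tag check is deliberately strict about where it fires: a [null data] tag on a WinRAR shell extension in a user folder is ordinary, the same tag on a Winlogon notification package is not.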
28.08.2007, 09:42 | #5
VirtuMonde problem with log!
Yippee! I think the worst is over. VundoFix and Combofix, I believe, contributed decisively to the victory over the reign of Vundo. AntiVir, Spybot, AdAware and CCleaner didn't raise any alarms last night either.

Here are the current logs:

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 10:32:13, on 28.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Ad-Aware 2007\aawservice.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\Microsoft SQL Server\MSSQL$MARKETINGCD\Binn\sqlservr.exe
C:\Programme\Microsoft SQL Server\MSSQL$MARKETINGCD\BINN\sqlservr.dll
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Programme\QuickTime\qttask.exe
C:\PROGRA~1\aon\AONMES~1\aonMessageCenter.exe
C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
C:\Programme\AVG Anti-Spyware 7.5\avgas.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\aon\aonUpdate\aonUpdate.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Programme\VIA\RAID\raid_tool.exe
C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Dokumente und Einstellungen\Alle\Eigene Dateien\***\Programme\VirtuMonde_Problem\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.aon.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://intranet/ipc
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.aon.at:8080;http=proxy.aon.at:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.aon.at;*.campus02.at;<local>
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Programme\DAP\DAPIEBar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programme\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programme\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1aonmessagecenter] C:\PROGRA~1\aon\AONMES~1\aonMessageCenter.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [aonUpdate] C:\Programme\aon\aonUpdate\aonUpdate.exe /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Startup: auto-bit.lnk = C:\SYSPREP\bit\bit.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: raid_tool.exe.lnk = C:\Programme\VIA\RAID\raid_tool.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EF88FAE-4CED-40C8-B55B-11DC3E356EA7}: NameServer = 195.3.96.67 195.3.96.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EA73E60-1BE5-4F42-9AC8-15A92FF76CD0}: NameServer = 195.3.96.67,195.3.96.68
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programme\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH -
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programme\AVG Anti-Spyware 7.5\guard.exe O23 - Service: MSSQL$MARKETINGCD - Unknown owner - C:\Programme\Microsoft SQL Server\MSSQL$MARKETINGCD\Binn\sqlservr.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Combofix (gestern abend): ComboFix 07-08-25.2 - "Alle" 2007-08-27 21:36:42.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.49.1031.18.78 [GMT 2:00] ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOKUME~1\Alle\ANWEND~1\microsoft\internet explorer\quick launch\intern~1.lnk C:\DOKUME~1\**\ANWEND~1\Hotbar C:\DOKUME~1\**\ANWEND~1\microsoft\internet explorer\quick launch\intern~1.lnk C:\DOKUME~1\**\ANWEND~1\microsoft\internet explorer\quick launch\intern~1.lnk C:\DOKUME~1\**\ANWEND~1\microsoft\internet explorer\quick launch\intern~1.lnk C:\DOKUME~1\**\ANWEND~1\microsoft\internet explorer\quick launch\intern~1.lnk C:\WINDOWS\cookies.ini C:\WINDOWS\system32\_000009_.tmp.dll C:\WINDOWS\system32\winbjv32.dll ((((((((((((((((((((((((( Files Created from 2007-07-27 to 2007-08-27 ))))))))))))))))))))))))))))))) 2007-08-27 21:35 51,200 --a------ C:\WINDOWS\nircmd.exe 2007-08-27 21:12 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe 2007-08-27 18:59 <DIR> d-------- C:\Programme\Ad-Aware 2007 2007-08-27 18:59 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Lavasoft 2007-08-27 18:54 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard 
2007-08-27 11:48 <DIR> d-------- C:\Programme\cCleaner 2007-08-26 23:36 <DIR> d-------- C:\VundoFix Backups 2007-08-26 18:14 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\AntiVir PersonalEdition Classic 2007-08-26 17:57 <DIR> d-------- C:\Programme\jkvujmxu 2007-08-26 16:55 <DIR> d-------- C:\Programme\AVPersonal 2007-08-15 13:09 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-08-15 13:08 <DIR> d-------- C:\Programme\AVG Anti-Spyware 7.5 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-08-27 20:40 --------- d-------- C:\Programme\DAP 2007-08-27 19:06 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys 2007-08-27 19:06 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys 2007-08-26 22:27 --------- d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Symantec 2007-08-26 21:41 --------- d-------- C:\Programme\Gemeinsame Dateien\Symantec Shared 2007-08-26 21:30 --------- d-------- C:\DOKUME~1\Alle\ANWEND~1\Symantec 2007-08-26 21:30 --------- d-------- C:\DOKUME~1\Alle\ANWEND~1\Symantec 2007-08-26 21:07 --------- d-------- C:\DOKUME~1\David\ANWEND~1\Symantec 2007-08-26 12:36 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF 2007-08-26 12:36 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT 2007-08-17 10:51 --------- d-------- C:\DOKUME~1\Alle\ANWEND~1\AdobeUM 2007-08-17 10:51 --------- d-------- C:\DOKUME~1\Alle\ANWEND~1\AdobeUM 2007-08-15 15:59 --------- d-------- C:\Programme\hbinst 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 
2007-07-25 07:23 885263 ---hs---- C:\WINDOWS\system32\rttss.ini2 2007-07-24 18:59 714527 ---hs---- C:\WINDOWS\system32\rttss.bak1 2007-07-24 18:58 715098 ---hs---- C:\WINDOWS\system32\rttss.bak2 2007-07-22 15:17 --------- d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Spybot - Search & Destroy 2007-07-06 13:34 --------- d-------- C:\DOKUME~1\Alle\ANWEND~1\SlySoft 2007-07-06 13:34 --------- d-------- C:\DOKUME~1\Alle\ANWEND~1\SlySoft 2007-06-26 08:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll 2007-06-19 15:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll 2007-06-13 15:21 1036288 --a------ C:\WINDOWS\explorer.exe 2004-05-05 13:20 2715928 --a------ C:\Programme\WindowsXP-KB835732-x86-DEU.EXE 2003-11-15 17:46 808 --a------ C:\Programme\INSTALL.LOG 2003-11-03 12:43 1820 --a------ C:\Programme\uninstal.log ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14665344-D2FE-4E3F-866D-16C9E2D73D83}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77980427-4405-44D8-BD6D-CA8AEFB26C0D}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EF8A1A9-57BD-4882-81FA-1AED172838B9}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9844B7A3-1601-43FD-876F-37BAFA86CFF0}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 22:10] "Cmaudio"="cmicnfg.cpl" [2003-08-01 11:39 C:\WINDOWS\CmiCnfg.cpl] "CM-SmWizard"="C:\WINDOWS\System\SmWizard.exe" [2003-08-01 08:20] "NeroCheck"="C:\WINDOWS\System32\\NeroCheck.exe" [2001-07-09 12:50] "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 12:08] "HP Software Update"="C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41] "DeviceDiscovery"="C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 21:56] 
"WorksFUD"="C:\Programme\Microsoft Works\wkfud.exe" [2000-07-12 21:15] "Microsoft Works Portfolio"="C:\Programme\Microsoft Works\WksSb.exe" [2000-07-12 22:30] "Microsoft Works Update Detection"="C:\Programme\Microsoft Works\WkDetect.exe" [2000-07-22 00:55] "DownloadAccelerator"="C:\PROGRA~1\DAP\DAP.exe" [2004-09-01 12:36] "QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2004-09-10 20:55] "1aonmessagecenter"="C:\PROGRA~1\aon\AONMES~1\aonMessageCenter.exe" [2005-07-29 16:00] "SunJavaUpdateSched"="C:\Programme\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56] "!AVG Anti-Spyware"="C:\Programme\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25] "avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:57] "aonUpdate"="C:\Programme\aon\aonUpdate\aonUpdate.exe" [2005-07-26 14:53] "MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2004-10-13 18:24] "updateMgr"="C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvvt] C:\WINDOWS\system32\awvvt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebyx] C:\WINDOWS\system32\gebyx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtrsp] tuvtrsp.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtututs] vtututs.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^InterVideo WinCinema Manager.lnk] path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\InterVideo WinCinema Manager.lnk backup=C:\WINDOWS\pss\InterVideo WinCinema 
Manager.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^Alle^Startmenü^Programme^Autostart^Gangsters2Setup.lnk] path=C:\Dokumente und Einstellungen\Alle\Startmenü\Programme\Autostart\Gangsters2Setup.lnk backup=C:\WINDOWS\pss\Gangsters2Setup.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray] "C:\Dokumente und Einstellungen\Alle\Eigene Dateien\Markus\Programme\CloneCD Demo\CloneCD\CloneCDTray.exe" /s R0 nlemsql;NLEMSQL;C:\WINDOWS\system32\drivers\nlemsql.sys R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys R1 avgio;avgio;\??\C:\Programme\AntiVir PersonalEdition Classic\avgio.sys R1 avipbb;avipbb;C:\WINDOWS\system32\DRIVERS\avipbb.sys R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys R1 ssmdrv;ssmdrv;C:\WINDOWS\system32\DRIVERS\ssmdrv.sys R2 MSSQL$MARKETINGCD;MSSQL$MARKETINGCD;C:\Programme\Microsoft SQL Server\MSSQL$MARKETINGCD\Binn\sqlservr.exe -sMARKETINGCD R2 SetupNT;SetupNT;C:\WINDOWS\system32\SetupNT.sys R3 avgntflt;avgntflt;\??\C:\Programme\AntiVir PersonalEdition Classic\avgntflt.sys S2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;"C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe" S3 DMSKSSRh;DMSKSSRh;\??\C:\DOKUME~1\Alle\LOKALE~1\Temp\DMSKSSRh.sys S3 SQLAgent$MARKETINGCD;SQLAgent$MARKETINGCD;C:\Programme\Microsoft SQL Server\MSSQL$MARKETINGCD\Binn\sqlagent.EXE -i MARKETINGCD ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-08-27 21:46:22 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-08-27 21:54:45 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-08-27 21:54 --- E O F --- Vielen Dank nochmal! |
28.08.2007, 12:47 | #6 |
/// AVZ-Toolkit Guru | VirtuMonde problem with log!
Hi Markus. That sounds pretty good already. Now fix the following entry with HJT:
* O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Programme\DAP\DAPIEBar.dll
* Then run CCleaner, and you should be clean.
Regards, Undoreal |
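Added example, not code from the thread and not part of HijackThis, ComboFix or any tool the posters ran: a small Python triage script for HijackThis 1.99-style logs. It parses the Rx/Oxx entry lines, looks up a BHO by its CLSID (the lookup behind "fix this O2 entry") and flags the patterns a helper checks by eye: O23 services whose file is missing or whose owner is unknown, O2 BHOs with no name, and O20 Winlogon Notify DLLs outside an allowlist. The sample log is constructed from entries in the logs above; the O20 awvvt line is taken from the ComboFix registry dump and rendered in HijackThis form, and the allowlist containing only WgaLogon.dll is an assumption made for the example.

```python
"""Triage helper for HijackThis 1.99-style logs (added example, not a tool from the thread)."""
import re
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    kind: str   # HijackThis section code: R0, R1, O2, O4, O20, O23, ...
    text: str   # everything after "Oxx - "


# "O23 - Service: ..." -> kind "O23", text "Service: ..."
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumed allowlist for the example: the only Winlogon Notify DLL the log above
# lists that is expected on a patched XP box. Tune per environment.
NOTIFY_ALLOWLIST = {"wgalogon.dll"}

# Constructed sample in the shape of the HijackThis log above. The awvvt O20 line
# is taken from the ComboFix registry dump and rendered in HijackThis form.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.aon.at/
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Programme\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: awvvt - C:\WINDOWS\system32\awvvt.dll
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""


def parse_hjt(log: str) -> List[Entry]:
    """Keep only Rx/Oxx entry lines; headers and running-process paths are skipped."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def bho_path(entries: List[Entry], clsid: str) -> Optional[str]:
    """Return the DLL path of the O2 BHO registered under clsid (case-insensitive), or None.

    The path is taken as everything after the CLSID, so a path containing " - "
    (as in "Spybot - Search & Destroy") is not cut in half.
    """
    for e in entries:
        if e.kind != "O2":
            continue
        m = CLSID_RE.search(e.text)
        if m and m.group(0).lower() == clsid.lower():
            return e.text[m.end():].lstrip(" -")
    return None


def triage(entries: List[Entry]) -> List[str]:
    """Apply review rules; each finding is 'RULE: original entry text'.

    These are review prompts, not verdicts: an unnamed BHO can be legitimate
    (Spybot's SDHelper.dll above), and an orphaned service is often just an
    uninstall leftover. The point is to surface the lines a helper asks about.
    """
    findings = []
    for e in entries:
        if e.kind == "O23":
            if "(file missing)" in e.text:
                findings.append(f"ORPHANED_SERVICE: {e.text}")
            elif "Unknown owner" in e.text:
                findings.append(f"UNKNOWN_OWNER: {e.text}")
        elif e.kind == "O2" and "(no name)" in e.text:
            findings.append(f"UNNAMED_BHO: {e.text}")
        elif e.kind == "O20" and e.text.startswith("Winlogon Notify:"):
            # Bare DLL names (no backslash) fall through to the allowlist check as well.
            dll = e.text.rsplit("\\", 1)[-1].lower()
            if dll not in NOTIFY_ALLOWLIST:
                findings.append(f"NOTIFY_DLL_REVIEW: {e.text}")
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("DAP BHO path:", bho_path(parsed, "{0096CC0A-623C-4829-AD9C-19AF0DC9D8FE}"))
    for finding in triage(parsed):
        print(finding)
```

On the sample the script reports the unnamed Spybot BHO, the awvvt notify DLL and the orphaned LiveUpdate service, and nothing else; matching by CLSID rather than by display name matters because the display name of a BHO is free text while the CLSID is the registry key the entry actually lives under.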