|
Plagegeister aller Art und deren Bekämpfung: W32.Myzor.FK@yfWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
13.01.2008, 11:37 | #1 |
| W32.Myzor.FK@yf hallo, ich habe genau das selbe problem wie hier beschrieben ist: http://www.trojaner-board.de/32867-b...zor-fk-yf.html ich bekomme das programm smitfraudfix nicht zum laufen, sehe auch nur immer den roten screen, den "ineedhelp" gepostet hat! es hat eh schon ein user in dem thread, geschrieben um das programm zum laufen zu bekommen, muss man etwas entzippen, nur ich komme nicht drauf wie das funktioniert.. könnte mir bitte wer helfen und erklären wie ich das entzippen kann, um diesen virus zu entfernen! Vielen Dank im Voraus!!! |
13.01.2008, 14:55 | #2 |
> MalwareDB | W32.Myzor.FK@yf Deckards System Scanner (DSS)
__________________Hier gibt es das Tool -> dss.exe * Schließe alle Anwendungen Was Deckards System Scanner macht: * Es Erstellt einen System Wiederherstellungspunkt |
14.01.2008, 15:08 | #3 |
| W32.Myzor.FK@yf danke, für deine antwort, es kann sein das ich tlw ein bisschen länger zum zurückschreiben brauche, da dies der laptop von einem bekannten ist!
__________________Code:
ATTFilter Deckard's System Scanner v20071014.68 Run by Thomas Rockenbauer on 2008-01-14 14:46:39 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 46: 2008-01-14 13:46:46 UTC - RP285 - Deckard's System Scanner Restore Point 45: 2008-01-13 11:57:48 UTC - RP284 - Systemprüfpunkt 44: 2008-01-12 08:58:46 UTC - RP283 - Wiederherstellungsvorgang 43: 2008-01-12 08:55:48 UTC - RP282 - Entfernt eBay Toolbar 42: 2008-01-12 08:54:28 UTC - RP281 - Wiederherstellungsvorgang -- First Restore Point -- 1: 2007-10-13 04:19:21 UTC - RP240 - Systemprüfpunkt Backed up registry hives. Performed disk cleanup. -- HijackThis (run as Thomas Rockenbauer.exe) ---------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:55:55, on 14.01.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLService.exe C:\Programme\McAfee\Common Framework\FrameworkService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Programme\McAfee\VirusScan Enterprise\Mcshield.exe C:\Programme\McAfee\VirusScan Enterprise\VsTskMgr.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe C:\Programme\Video Add-on\icthis.exe C:\Programme\Video Add-on\isfmntr.exe C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programme\Synaptics\SynTP\SynTPLpr.exe C:\Programme\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\CyberLink\PowerCinema\PCMService.exe C:\Programme\CyberLink\PowerDVD\PDVDServ.exe C:\Programme\VIAudioi\SBADeck\ADeck.exe C:\Programme\Video Add-on\icmntr.exe C:\Programme\McAfee\Common Framework\UdaterUI.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\MESSEN~1\Msmsgs.exe C:\Programme\McAfee\Common Framework\McTray.exe C:\Programme\Video Add-on\isfmm.exe C:\Programme\Deckards System Scanner\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\Thomas Rockenbauer.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programme\McAfee\VirusScan Enterprise\Scriptcl.dll O2 - BHO: (no name) - {BA0BACB5-FC95-451E-94D2-4959AB0949D2} - C:\Programme\Video Add-on\isfmdl.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file) O3 - Toolbar: IE Custom Tools - {F2BADA0D-FD61-45EF-A994-64A073FD6613} - C:\Programme\Video Add-on\ictmdl.dll O4 - HKLM\..\Run: [ATIPTA] "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe" O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [AudioDeck] C:\Programme\VIAudioi\SBADeck\ADeck.exe 1 O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "c:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Programme\Video Add-on\icthis.exe O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Programme\Video Add-on\isfmntr.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk846YYAT O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Suche - res://C:\Programme\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing) O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{51796A57-6649-4001-A7DD-741A586311C8}: NameServer = 195.3.96.67 195.3.96.68 O17 - HKLM\System\CCS\Services\Tcpip\..\{CB86B094-B108-4D8B-8F2A-4C9E5735F6EE}: NameServer = 195.3.96.97,195.3.96.98 O22 - SharedTaskScheduler: hemoglobinometries - {c7cd9e83-3bf6-47f8-b2e2-b114c96c1888} - C:\WINDOWS\system32\qhcvdw.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programme\McAfee\Common Framework\FrameworkService.exe O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programme\McAfee\VirusScan Enterprise\Mcshield.exe O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programme\McAfee\VirusScan Enterprise\VsTskMgr.exe -- End of file - 7506 bytes -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- S3 SYMIDSCO - c:\progra~1\gemein~1\symant~1\symcdata\idsdefs\20060410.080\symidsco.sys (file missing) -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - "c:\program files\cyberlink\powercinema\kernel\tv\clcapsvc.exe" <Not Verified; ; CLCapSvc Module> R2 CLSched (CyberLink Task Scheduler (CTS)) - "c:\program files\cyberlink\powercinema\kernel\tv\clsched.exe" <Not Verified; ; CLSched Module> R2 CyberLink Media Library Service - "c:\programme\cyberlink\shared files\clml_ntservice\clmlserver.exe" <Not Verified; Cyberlink; Cyberlink Media Library Server> -- Device Manager: Disabled ---------------------------------------------------- Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318} Description: Broadcom 802.11g Netzwerkadapter Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_000617F9&REV_02\3&267A616A&0&50 Manufacturer: Broadcom Name: Broadcom 802.11g Netzwerkadapter PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_000617F9&REV_02\3&267A616A&0&50 Service: BCM43XX -- Files created between 2007-12-14 and 2008-01-14 ----------------------------- 2008-01-14 14:55:34 0 d-------- C:\Programme\Trend Micro 2008-01-14 14:45:33 0 d-------- C:\Programme\Deckards System Scanner 2008-01-13 12:21:52 0 d-------- C:\WINDOWS\Content.IE5 2008-01-13 12:11:15 0 d-------- C:\Programme\smitRem 2008-01-13 10:46:53 0 d-------- C:\Programme\Neuer Ordner 2008-01-12 09:27:05 0 d-------- C:\Programme\PestPatrol 2008-01-12 08:49:53 0 d-------- C:\QUARANTINE 2008-01-12 08:41:12 1495552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll <Not Verified; PGP Corporation; PGPsdk> 2008-01-12 08:40:24 0 d-------- C:\Programme\McAfee 2008-01-12 08:40:24 0 d-------- C:\Programme\Gemeinsame Dateien\McAfee 2008-01-12 06:16:52 0 d-------- C:\Programme\Video Add-on -- Find3M Report --------------------------------------------------------------- 2008-01-14 06:34:56 62520 --a------ C:\Dokumente und Einstellungen\Thomas Rockenbauer\Anwendungsdaten\wklnhst.dat 2008-01-13 12:33:37 417550 --a------ C:\WINDOWS\system32\perfh007.dat 2008-01-13 12:33:37 76270 --a------ C:\WINDOWS\system32\perfc007.dat 2008-01-12 09:57:27 0 d-------- C:\Programme\eBay 2008-01-12 08:40:24 0 d-------- C:\Programme\Gemeinsame Dateien 2008-01-12 06:12:43 13312 --a-s---- C:\WINDOWS\system32\qhcvdw.dll -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA0BACB5-FC95-451E-94D2-4959AB0949D2}] 14.01.2008 14:43 12800 --a------ C:\Programme\Video Add-on\isfmdl.dll [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{F2BADA0D-FD61-45EF-A994-64A073FD6613}"= C:\Programme\Video Add-on\ictmdl.dll [12.01.2008 06:16 75264] [-HKEY_CLASSES_ROOT\CLSID\{F2BADA0D-FD61-45EF-A994-64A073FD6613}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [13.10.2005 21:05] "SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [18.03.2005 14:35] "SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [18.03.2005 14:34] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09.07.2001 10:50] "PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [28.07.2005 20:02] "RemoteControl"="C:\Programme\CyberLink\PowerDVD\PDVDServ.exe" [15.04.2005 16:13] "Easy-PrintToolBox"="C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [14.01.2004 02:10] "AudioDeck"="C:\Programme\VIAudioi\SBADeck\ADeck.exe" [23.08.2005 15:47] "ShStatEXE"="C:\Programme\McAfee\VirusScan Enterprise\SHSTAT.exe" [29.11.2006 08:50] "McAfeeUpdaterUI"="C:\Programme\McAfee\Common Framework\UdaterUI.exe" [17.11.2006 13:39] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 13:00] "MSMSGS"="c:\PROGRA~1\MESSEN~1\Msmsgs.exe" [31.08.2005 20:27] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableTaskMgr"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableTaskMgr"=0 (0x0) "NoDispAppearancePage"=0 (0x0) "NoColorChoice"=0 (0x0) "NoSizeChoice"=0 (0x0) "NoDispBackgroundPage"=0 (0x0) "NoDispScrSavPage"=0 (0x0) "NoDispCPL"=0 (0x0) "NoVisualStyleChoice"=0 (0x0) "NoDispSettingsPage"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoActiveDesktopChanges"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run] "some"=C:\Programme\Video Add-on\icthis.exe "start"=C:\Programme\Video Add-on\isfmntr.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoActiveDesktop"=0 (0x0) "NoSaveSettings"=0 (0x0) "NoThemesTab"=0 (0x0) "ForceActiveDesktopOn"=0 (0x0) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{c7cd9e83-3bf6-47f8-b2e2-b114c96c1888}"= C:\WINDOWS\system32\qhcvdw.dll [12.01.2008 06:12 13312] -- End of Deckard's System Scanner: finished at 2008-01-14 14:56:41 ------------ |
14.01.2008, 15:10 | #4 |
> MalwareDB | W32.Myzor.FK@yf Alles machbar Anleitung SmitfraudFix: Lade dir dieses Tool -> SmitfraudFix -Boote im abgesicherten Modus -Starte es dann und lass das System Reinigen. (Option 2) -Poste danach wie in der Anleitung beschrieben, das Ergebnis des Scans, die C:\rapport.txt |
14.01.2008, 15:15 | #5 |
| W32.Myzor.FK@yf die zweite "extra.txt" logfile, kann ich leider nicht posten, da diese aus zuvielen zeichen besteht (ca. 27500 und 25000 erlaubt). |
14.01.2008, 15:18 | #6 |
> MalwareDB | W32.Myzor.FK@yf Ist ok, wird wohl "nur" der eine Befall sein. |
14.01.2008, 15:34 | #7 |
| W32.Myzor.FK@yfCode:
ATTFilter SmitFraudFix v2.274 Scan done at 15:25:05,73, 14.01.2008 Run from C:\Programme\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{c7cd9e83-3bf6-47f8-b2e2-b114c96c1888}"="hemoglobinometries" [HKEY_CLASSES_ROOT\CLSID\{c7cd9e83-3bf6-47f8-b2e2-b114c96c1888}\InProcServer32] @="C:\WINDOWS\system32\qhcvdw.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{c7cd9e83-3bf6-47f8-b2e2-b114c96c1888}\InProcServer32] @="C:\WINDOWS\system32\qhcvdw.dll" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix S!Ri's WS2Fix: LSP not Found. »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri C:\WINDOWS\system32\qhcvdw.dll -> Hoax.Win32.Renos.gen.o C:\WINDOWS\system32\qhcvdw.dll -> Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\DOKUME~1\THOMAS~1\FAVORI~1\Online Security Test.url Deleted C:\Programme\Video Add-on\ Deleted »»»»»»»»»»»»»»»»»»»»»»»» IEDFix IEDFix.exe by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» DNS HKLM\SYSTEM\CCS\Services\Tcpip\..\{CB86B094-B108-4D8B-8F2A-4C9E5735F6EE}: NameServer=195.3.96.97,195.3.96.98 HKLM\SYSTEM\CS1\Services\Tcpip\..\{CB86B094-B108-4D8B-8F2A-4C9E5735F6EE}: NameServer=195.3.96.97,195.3.96.98 HKLM\SYSTEM\CS3\Services\Tcpip\..\{CB86B094-B108-4D8B-8F2A-4C9E5735F6EE}: NameServer=195.3.96.97,195.3.96.98 »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End |
14.01.2008, 15:58 | #8 |
> MalwareDB | W32.Myzor.FK@yf Poste bitte ein neues HJT Log. |
16.01.2008, 15:23 | #9 |
| W32.Myzor.FK@yf hier ist die neue HijackThis logfile: Code:
ATTFilter Logfile of HijackThis v1.99.1 Scan saved at 15:21:31, on 16.01.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programme\Synaptics\SynTP\SynTPLpr.exe C:\Programme\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\CyberLink\PowerCinema\PCMService.exe C:\Programme\CyberLink\PowerDVD\PDVDServ.exe C:\Programme\VIAudioi\SBADeck\ADeck.exe C:\Programme\McAfee\Common Framework\UdaterUI.exe C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\MESSEN~1\Msmsgs.exe C:\Programme\McAfee\Common Framework\McTray.exe C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLService.exe C:\Programme\McAfee\Common Framework\FrameworkService.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe C:\Programme\Internet Explorer\iexplore.exe C:\DOKUME~1\THOMAS~1\LOKALE~1\Temp\Temporäres Verzeichnis 3 für hijackthis_199.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {BA0BACB5-FC95-451E-94D2-4959AB0949D2} - (no file) O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file) O4 - HKLM\..\Run: [ATIPTA] "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe" O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [AudioDeck] C:\Programme\VIAudioi\SBADeck\ADeck.exe 1 O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "c:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk846YYAT O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Suche - res://C:\Programme\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{51796A57-6649-4001-A7DD-741A586311C8}: NameServer = 195.3.96.67 195.3.96.68 O17 - HKLM\System\CCS\Services\Tcpip\..\{CB86B094-B108-4D8B-8F2A-4C9E5735F6EE}: NameServer = 195.3.96.97,195.3.96.98 O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing) O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Programme\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing) |
16.01.2008, 16:27 | #10 |
> MalwareDB | W32.Myzor.FK@yf Gehe wiefolgt vor Bitte öffne Deine HijackThis nochmal und scanne. Check die klickboxen neben den Einträgen die untenstehend gelistet sind. O2 - BHO: (no name) - {BA0BACB5-FC95-451E-94D2-4959AB0949D2} - (no O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk846YYAT O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab dann Klicke Fix Checked. Schließe HiJackThis. |
16.01.2008, 16:45 | #11 |
| W32.Myzor.FK@yf ok, ich hab die zwei einträge gelöscht! ist denn jetzt alles ok? hab nochmal ein hjt logfile angehängt: Code:
ATTFilter Logfile of HijackThis v1.99.1 Scan saved at 16:43:42, on 16.01.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programme\Synaptics\SynTP\SynTPLpr.exe C:\Programme\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\CyberLink\PowerCinema\PCMService.exe C:\Programme\CyberLink\PowerDVD\PDVDServ.exe C:\Programme\VIAudioi\SBADeck\ADeck.exe C:\Programme\McAfee\Common Framework\UdaterUI.exe C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\MESSEN~1\Msmsgs.exe C:\Programme\McAfee\Common Framework\McTray.exe C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLService.exe C:\Programme\McAfee\Common Framework\FrameworkService.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe C:\DOKUME~1\THOMAS~1\LOKALE~1\Temp\Temporäres Verzeichnis 4 für hijackthis_199.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file) O4 - HKLM\..\Run: [ATIPTA] "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe" O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [AudioDeck] C:\Programme\VIAudioi\SBADeck\ADeck.exe 1 O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "c:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk846YYAT O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Suche - res://C:\Programme\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @c:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programme\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O17 - HKLM\System\CCS\Services\Tcpip\..\{51796A57-6649-4001-A7DD-741A586311C8}: NameServer = 195.3.96.67 195.3.96.68 O17 - HKLM\System\CCS\Services\Tcpip\..\{CB86B094-B108-4D8B-8F2A-4C9E5735F6EE}: NameServer = 195.3.96.97,195.3.96.98 O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing) O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Programme\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing) |
Themen zu W32.Myzor.FK@yf |
entferne, entfernen, entzippen, erklären, funktionier, gepostet, helfen, laufe, laufen, problem, programm, screen, smitfraudfix, thread, virus, w32.myzor.fk@yf |