Kann bitte jemand meine Log-Datei auswerten? Problem mit Zlob.Downloader.vcd

Sabina · 14.03.2008, 14:45

1.
ja, poste bitte auch das 2.Log von smitraudfix

2.
C:\WINDOWS\wininit.ini - mit rechter Maus anklicken - mit Texteditor öffnen - poste, was da steht, bitte

3.
rvaxo anwenden + poste den report
RVAXO

4.
falls es nicht schon von rvaxo gelöscht wurde - manuell löschen: C:\WINDOWS\fmsxwqs.exe

sushi14 · 14.03.2008, 18:25

Hallo Sabina,

hier ist noch die 2. Datei:

SmitFraudFix v2.301

Scan done at 13:24:40,68, 14.03.2008
Run from
C:\Dokumente und Einstellungen\Nicole & Žndy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

Das sind zu viele Daten habe alle rausgelöscht ?!?!?

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\bokpkov.dll deleted.
C:\WINDOWS\altvxvm.dll deleted.

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOKUME~1\xxx\Desktop\Error Cleaner.url Deleted
C:\DOKUME~1\xxx\Desktop\Privacy Protector.url Deleted
C:\DOKUME~1\xxx\Desktop\Spyware?Malware Protection.url Deleted
C:\DOKUME~1\xxx\FAVORI~1\Error Cleaner.url Deleted
C:\DOKUME~1\xxx\FAVORI~1\Privacy Protector.url Deleted
C:\DOKUME~1\xxx\FAVORI~1\Spyware?Malware Protection.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A90BBF38-4812-4910-813C-DB435338C8B3}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A90BBF38-4812-4910-813C-DB435338C8B3}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A90BBF38-4812-4910-813C-DB435338C8B3}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Hier der Inhalt der wininit.ini:

[rename]
c:\tempjunk5020.tmp=C:\WINDOWS\etlrlws.dll_old
nul=c:\tempjunk5020.tmp

Report von RVAXO:

---RVAXO.exe Updated: 2008-03-14---first run---
Uninstallers:

Files found:
C:\WINDOWS\fmsxwqs.exe

Folders Found:

Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------
Not deleted items:

--------------RVAXO.exe finished----------------

Sabina · 15.03.2008, 01:04

Hallo,

1.
lösche die C:\WINDOWS\wininit.ini + leere den Papierkorb

2.
wende sdfix an - funktioniert nur im abgesicherten Modus
SDFix

poste dann bitte den scanreport hier

sushi14 · 15.03.2008, 11:21

Hallo Sabina,

hier ist der Report SDFix (Habe nur die Runthis.bat im Abgesicherten Modus gestartet und mit Y bestätigt, die anderen Sachen gingen bei mir nicht ?!?)

SDFix: Version 1.157

Run by XXX

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 11:06:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Programme\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Programme\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Programme\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Programme\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Programme\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Programme\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Programme\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Programme\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Programme\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Programme\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 13 May 2005 217,073 A.SHR --- "C:\WINDOWS\meta4.exe"
Mon 24 Oct 2005 66,560 A.SHR --- "C:\WINDOWS\MOTA113.exe"
Thu 13 Oct 2005 422,400 A.SHR --- "C:\WINDOWS\x2.64.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"
Fri 7 Oct 2005 308,224 A.SHR --- "C:\WINDOWS\system32\avisynth.dll"
Thu 14 Jul 2005 27,648 A.SHR --- "C:\WINDOWS\system32\AVSredirect.dll"
Sun 26 Jun 2005 616,448 A.SHR --- "C:\WINDOWS\system32\cygwin1.dll"
Tue 21 Jun 2005 45,568 A.SHR --- "C:\WINDOWS\system32\cygz.dll"
Sun 25 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\i420vfw.dll"
Thu 27 Apr 2006 2,945,024 A.SHR --- "C:\WINDOWS\system32\Smab.dll"
Mon 28 Feb 2005 240,128 A.SHR --- "C:\WINDOWS\system32\x.264.exe"
Sun 25 Jan 2004 70,656 A.SHR --- "C:\WINDOWS\system32\yv12vfw.dll"
Sun 23 Jan 2000 4,348 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Tue 15 Aug 2006 72,192 ..SHR --- "C:\Programme\eRightSoft\SUPER\Setup.exe"
Wed 11 Jan 2006 16,896 A.SHR --- "C:\Programme\eRightSoft\SUPER\_Setup.dll"
Sun 3 Feb 2008 0 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\Cache\Indiv02.tmp"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Programme\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Programme\eRightSoft\SUPER\mencoder\28_83260.dll"
Tue 10 Dec 2002 73,766 ...HR --- "C:\Programme\eRightSoft\SUPER\mencoder\atrc3260.dll"
Tue 10 Dec 2002 65,575 ...HR --- "C:\Programme\eRightSoft\SUPER\mencoder\cook3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Programme\eRightSoft\SUPER\mencoder\dnet3260.dll"
Tue 10 Dec 2002 176,165 ...HR --- "C:\Programme\eRightSoft\SUPER\mencoder\drv23260.dll"
Tue 10 Dec 2002 94,208 ...HR --- "C:\Programme\eRightSoft\SUPER\mencoder\drv33260.dll"
Tue 10 Dec 2002 217,127 ...HR --- "C:\Programme\eRightSoft\SUPER\mencoder\drv43260.dll"
Sat 3 Nov 2001 225,280 ...HR --- "C:\Programme\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Programme\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 548,940 ...HR --- "C:\Programme\eRightSoft\SUPER\mencoder\raac.dll"
Tue 10 Dec 2002 102,439 ...HR --- "C:\Programme\eRightSoft\SUPER\mencoder\sipr3260.dll"
Tue 11 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\650f5ea5083460568825c45eed584817\BIT1.tmp"

Finished!

Sabina · 15.03.2008, 12:57

lade
scanne
poste den report
SUPERAntiSpyware

sushi14 · 15.03.2008, 14:26

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/15/2008 at 02:15 PM

Application Version : 4.0.1154

Core Rules Database Version : 3420
Trace Rules Database Version: 1412

Scan type : Complete Scan
Total Scan Time : 00:30:10

Memory items scanned : 353
Memory threats detected : 0
Registry items scanned : 4483
Registry threats detected : 2
File items scanned : 14436
File threats detected : 2

Trojan.DNSChanger-Codec
HKCR\etlrlws.ToolBar.1
HKCR\etlrlws.ToolBar.1\CLSID

Trojan.Unclassified/GTS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64E3046C-45DE-4AC4-839F-135DA69ED7EB}\RP227\A0020410.DLL

Adware.180solutions/ZangoSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64E3046C-45DE-4AC4-839F-135DA69ED7EB}\RP228\A0020470.EXE

Sabina · 15.03.2008, 14:46

es müsste wieder alles i.o sein

wenn es noch Probleme geben sollte...melde dich.

Kann bitte jemand meine Log-Datei auswerten? Problem mit Zlob.Downloader.vcd

Log-Analyse und Auswertung: Kann bitte jemand meine Log-Datei auswerten? Problem mit Zlob.Downloader.vcd