Log Analysis and Evaluation: HijackThis log file evaluation

Forum note: If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
19.05.2008, 11:25 | #1

HijackThis log file evaluation

Hello. I have recently had the problem that in both Internet Explorer and Mozilla Firefox popup windows appear as soon as I open a web page. They point to games like "Gladiatoren" or "Bitewar" or also to anti-virus programs. My Norton Internet Security and a malware test as well cannot find anything. I have posted the HijackThis log file as an attachment. Who can help me with my problem? Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 11:54:02, on 19.05.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
J:\Programme\a-squared Free\a2service.exe
J:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\programme\gemeinsame dateien\gnab\service\servicecontroller.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Medion\MEDIONbox\Program\GCS.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programme\VIAudioi\HDADeck\HDeck.exe
C:\Programme\Gemeinsame Dateien\Gnab\Service\GnabTray.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\jre1.6.0_02\bin\jusched.exe
J:\Programme\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programme\TomTom HOME 2\HOMERunner.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\palmOne\HOTSYNC.EXE
C:\Programme\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ISW\netcol.dsl\signup\Tray.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\***\LOKALE~1\Temp\Rar$EX00.078\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aol/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - J:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HDAudDeck] C:\Programme\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [BullGuard] "C:\Programme\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [GnabTray] C:\Programme\Gemeinsame Dateien\Gnab\Service\GnabTray.exe -checkstart
O4 - HKLM\..\Run: [Adobe] "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"
O4 - HKLM\..\Run: [WinDSL MTU-Adjust] WinDSL_MTU.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programme\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ICQ Lite] "J:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "J:\Programme\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [1c71a8a0] rundll32.exe "C:\WINDOWS\system32\mjdanugi.dll",b
O4 - HKLM\..\Run: [BM1f429b3c] Rundll32.exe "C:\WINDOWS\system32\xenjrbjf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programme\Octoshape Streaming Services\Notti\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Programme\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - Startup: HotSync Manager.lnk = C:\Programme\palmOne\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Schnellstart.lnk = C:\Programme\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - J:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - J:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163425403687
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163425396078
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://static.pe.studivz.net/photouploader/ImageUploader4.cab?nocache=1202655075
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB345726-3165-46FE-810E-A8325C05B869}: NameServer = 81.173.194.68 213.168.112.60
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - J:\Programme\a-squared Free\a2service.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - J:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GnabService - Empolis GmbH - c:\programme\gemeinsame dateien\gnab\service\servicecontroller.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Programme\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - J:\Downloads\Downloads\Cyberlink.PowerDVD.Deluxe.v7.0.Multilingual.Incl.Keymaker-CORE\setup\RichVideo\RichVideo.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
19.05.2008, 11:59 | #2

Hi,

please have this checked online: C:\WINDOWS\system32\mjdanugi.dll

Quote:
At the top of the page --> click "Browse" --> choose the file (or paste the file with the correct path directly) --> double-click the file to be checked --> click "Send"... now wait - then select the text with the right mouse button -> copy - paste.

Run SmitFraudFix: SmitFraudFix (download and instructions (under "Cleaning")).
Post that log as well; then post a new HJT log too.
chris
19.05.2008, 12:48 | #3

Hi,

thanks for taking on my problem. The result from VirusTotal:

Antivirus | Version | Last update | Result
AhnLab-V3 | 2008.5.16.0 | 2008.05.19 | -
AntiVir | 7.8.0.19 | 2008.05.18 | TR/Vundo.Gen
Authentium | 5.1.0.4 | 2008.05.18 | -
Avast | 4.8.1195.0 | 2008.05.18 | -
AVG | 7.5.0.516 | 2008.05.18 | -
BitDefender | 7.2 | 2008.05.19 | -
CAT-QuickHeal | 9.50 | 2008.05.17 | -
ClamAV | 0.92.1 | 2008.05.19 | -
DrWeb | 4.44.0.09170 | 2008.05.19 | -
eSafe | 7.0.15.0 | 2008.05.18 | -
eTrust-Vet | 31.4.5796 | 2008.05.16 | -
Ewido | 4.0 | 2008.05.18 | -
F-Prot | 4.4.2.54 | 2008.05.16 | -
F-Secure | 6.70.13260.0 | 2008.05.19 | Vundo.gen179
Fortinet | 3.14.0.0 | 2008.05.19 | -
GData | 2.0.7306.1023 | 2008.05.19 | -
Ikarus | T3.1.1.26.0 | 2008.05.19 | -
Kaspersky | 7.0.0.125 | 2008.05.19 | not-a-virus:AdWare.Win32.Virtumonde.sca
McAfee | 5297 | 2008.05.17 | -
Microsoft | 1.3408 | 2008.05.13 | -
NOD32v2 | 3107 | 2008.05.18 | -
Norman | 5.80.02 | 2008.05.16 | Vundo.gen179
Panda | 9.0.0.4 | 2008.05.18 | Suspicious file
Prevx1 | V2 | 2008.05.19 | Malicious Software
Rising | 20.45.01.00 | 2008.05.19 | -
Sophos | 4.29.0 | 2008.05.19 | -
Sunbelt | 3.0.1123.1 | 2008.05.17 | -
Symantec | 10 | 2008.05.19 | -
TheHacker | 6.2.92.313 | 2008.05.19 | -
VBA32 | 3.12.6.6 | 2008.05.18 | -
VirusBuster | 4.3.26:9 | 2008.05.18 | -
Webwasher-Gateway | 6.6.2 | 2008.05.19 | Ad-Spyware.Virtumonde.sca

Additional information
File size: 117312 bytes
MD5...: 2bea6d21fac14f96fad53ed2e7dff96f
SHA1..: 373bd8f9612ab6e5ffa8edcdab54bf3372689f1a
SHA256: 5f968da28f19b7f0701d2e32b8f02adc022b85a77502a628cdbf976f2ec6594d
SHA512: 2a19243fdf7eb0dd9a9daae9aabcd9269a2a03e9dbe8fc9118408e7d3ce825c92f5fdc4e64a29aceda17029c8261eb53627da32268d914f13dc0826f0f7f6144
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10001111
timedatestamp.....: 0x478a2fee (Sun Jan 13 15:36:14 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name | viradd | virsiz | rawdsiz | ntrpy | md5
.text | 0x1000 | 0x8e41 | 0x9000 | 7.17 | 755edd5ce76c0563552e991e0d43cfd8
.rdata | 0xa000 | 0x3e26 | 0x4000 | 7.85 | 3df97645099f558d864a0c5ee08d266d
.data | 0xe000 | 0x18347 | 0xf600 | 7.98 | ac9583415d3605e9c874ad19c4fe815e
( 2 imports )
> user32.dll: DrawIcon, DrawCaption, EnableMenuItem, DialogBoxParamA, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefDlgProcA, CreateMDIWindowA, CreateDesktopA, CreateCursor, CreateAcceleratorTableA, CharUpperBuffA, CharToOemBuffA, CharNextA, ChangeMenuA, EmptyClipboard, BeginPaint
> kernel32.dll: lstrcmpiA, Sleep, SetEndOfFile, LocalAlloc, LeaveCriticalSection, InitializeCriticalSection, GetSystemTimeAsFileTime, GetSystemTime, GetStartupInfoA, GetModuleHandleA, GetLocalTime, ExitThread, ExitProcess, CompareStringA, lstrlenA
( 0 exports )
Prevx info: 43913275.DLL - Prevx

The result of SmitFraudFix:

SmitFraudFix v2.320
Scan done at 13:29:19,93, 19.05.2008
Run from C:\Dokumente und Einstellungen\Notti\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
404Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

The new HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 13:41:44, on 19.05.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
J:\Programme\a-squared Free\a2service.exe
J:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\programme\gemeinsame dateien\gnab\service\servicecontroller.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Medion\MEDIONbox\Program\GCS.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programme\Gemeinsame Dateien\Gnab\Service\GnabTray.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\jre1.6.0_02\bin\jusched.exe
J:\Programme\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programme\TomTom HOME 2\HOMERunner.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\palmOne\HOTSYNC.EXE
C:\Programme\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programme\Outlook Express\msimn.exe
C:\WINDOWS\ISW\netcol.dsl\signup\Tray.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Notti\LOKALE~1\Temp\Rar$EX00.265\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Programme\Symantec\LiveUpdate\AUPDATE.EXE
C:\Programme\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Programme\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Programme\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Programme\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aol/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - J:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HDAudDeck] C:\Programme\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [BullGuard] "C:\Programme\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [GnabTray] C:\Programme\Gemeinsame Dateien\Gnab\Service\GnabTray.exe -checkstart
O4 - HKLM\..\Run: [Adobe] "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"
O4 - HKLM\..\Run: [WinDSL MTU-Adjust] WinDSL_MTU.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programme\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ICQ Lite] "J:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "J:\Programme\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [1c71a8a0] rundll32.exe "C:\WINDOWS\system32\mqlrllpw.dll",b
O4 - HKLM\..\Run: [BM1f429b3c] Rundll32.exe "C:\WINDOWS\system32\qdnbykcg.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programme\Octoshape Streaming Services\Notti\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Programme\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - Startup: HotSync Manager.lnk = C:\Programme\palmOne\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Schnellstart.lnk = C:\Programme\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - J:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - J:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1163425403687
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163425396078
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://static.pe.studivz.net/photoup...che=1202655075
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB345726-3165-46FE-810E-A8325C05B869}: NameServer = 81.173.194.68 213.168.112.60
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - J:\Programme\a-squared Free\a2service.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - J:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: GnabService - Empolis GmbH - c:\programme\gemeinsame dateien\gnab\service\servicecontroller.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Programme\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - J:\Downloads\Downloads\Cyberlink.PowerDVD.Deluxe.v7.0.Multilingual.Incl.Keymaker-CORE\setup\RichVideo\RichVideo.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe

Kind regards,
menelvagor
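The VirusTotal report above gives, next to the hashes, a per-section entropy column (7.17, 7.85 and 7.98 bits per byte). Values that close to 8 in every section are typical of packed or encrypted code rather than plain compiled output, which is worth knowing before anyone tries to read the import list as if it were the real one. The block below is an added Python example, not code from the thread or from VirusTotal: it reproduces that part of the report with no third-party library by hashing the image, walking the DOS header, PE signature, COFF header and section table by hand, decoding the link timestamp, and computing Shannon entropy per section, flagging anything at or above 7.0 (a common rule of thumb, not a standard). The PE it analyses is a constructed, non-executable stub built in memory: a low-entropy .rdata section plus a .data section of seeded pseudo-random bytes standing in for a packed payload. Its timestamp field reuses the 0x478a2fee from the report so the decode can be checked against the date VirusTotal printed.

```python
"""Hash a PE file and compute per-section entropy (added example; no pefile dependency)."""
import hashlib
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_hashes(image: bytes) -> Dict[str, str]:
    return {alg: hashlib.new(alg, image).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_sections(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table (hand-parsed, PE32 or PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size                      # section headers follow the optional header
    sections: List[dict] = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + i * 40)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "machine": machine,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def suspicious_sections(image: bytes, threshold: float = 7.0) -> List[dict]:
    """Sections at or above the threshold; near 8 bits/byte in .text or .data is typical of packed code."""
    return [s for s in pe_sections(image)["sections"] if s["entropy"] >= threshold]


def _align(n: int, to: int = 0x200) -> int:
    return (n + to - 1) & ~(to - 1)


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32 stub: a low-entropy .rdata section and a .data section of
    seeded pseudo-random bytes standing in for a packed payload. The COFF timestamp reuses the
    value from the VirusTotal report in the thread so the decode can be checked."""
    text = b"This is ordinary, low-entropy section content. " * 64
    rng = random.Random(1)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    opt_size = 0xE0                                   # size of a PE32 optional header
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew -> PE signature at 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x478A2FEE, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic; rest left zero
    headers, body, raw_ptr = [], b"", 0x200
    for name, data, vaddr in ((b".rdata", text, 0x1000), (b".data", packed, 0x2000)):
        raw_size = _align(len(data))
        headers.append(struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, raw_size, raw_ptr,
                                   0, 0, 0, 0, 0x40000040))
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"".join(headers)
    return header.ljust(0x200, b"\0") + body


if __name__ == "__main__":
    img = build_sample_pe()
    print(file_hashes(img))
    info = pe_sections(img)
    print(hex(info["machine"]), info["timestamp_utc"])
    for s in info["sections"]:
        print(f'{s["name"]:<8} ntrpy={s["entropy"]:.2f} md5={s["md5"]}')
    print("packed?", [s["name"] for s in suspicious_sections(img)])
```

Against a real file use `pe_sections(open(path, "rb").read())`; on an unpacked binary the .text section normally sits well below 7, so all three sections of the sample in the thread scoring above 7 is the notable part, not any single number.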
19.05.2008, 13:15 | #4

Hi,

the old Virtumundo files have been deleted, but new ones have appeared... Tenacious....
Download all tools & instructions beforehand and carry out the removal "offline" if at all possible (so that remnants cannot act as a "downloader" again). Only go back online after the last step...

So:
Vundo: follow the link and the instructions given there: Vundofix
then VirtumundoToBeGone http://secured2k.home.comcast.net/to...undoBeGone.exe
Download and run in safe mode...! After the VTG run, please post the log (you will find it on the desktop)!
In addition, Silentrunner: unpack the zip archive into a directory, start it with a double-click, choose "yes". The file created is in the same directory the script was copied to; please load it into an editor and post it. http://www.silentrunners.org/Silent%20Runners.zip
chris
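Two things in this thread lend themselves to a small script: the O4 entries in the first log, where rundll32 loads DLLs with generated names straight out of system32 under hex-looking Run value names, and chris's observation in the post above that after SmitFraudFix the same Run value names point at freshly generated DLLs. The Python below is an added example, not HijackThis or SmitFraudFix code: it parses O4 Run lines, scores each rundll32 load on three indicators that the thread's entries show (DLL in system32, bare-hex value name, single-letter export) and diffs two scans by value name, so a regenerated loader is reported even though the value name never changed. The two scan excerpts are constructed from the entries posted above and shortened to a handful of lines; the scoring threshold is this example's choice, not a HijackThis convention.

```python
"""Triage O4 Run entries from HijackThis logs and diff two scans (added example, not HijackThis code)."""
import re
from typing import Dict, List, NamedTuple


class RunEntry(NamedTuple):
    hive: str     # HKLM or HKCU
    name: str     # value name shown in [brackets]
    target: str   # full command line
    dll: str      # DLL path when the command is a rundll32 load, else ""
    export: str   # export named after the comma in a rundll32 load, else ""


# e.g.  O4 - HKLM\..\Run: [1c71a8a0] rundll32.exe "C:\WINDOWS\system32\mjdanugi.dll",b
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<export>\S+))?',
                       re.IGNORECASE)
HEXISH_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.IGNORECASE)   # matches 1c71a8a0 and BM1f429b3c


def parse_run_entries(log: str) -> List[RunEntry]:
    """Extract every O4 Run line, decoding rundll32 loads into DLL path + export."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        dll = export = ""
        r = RUNDLL_RE.match(m["target"])
        if r:
            dll, export = r["dll"], r["export"] or ""
        entries.append(RunEntry(m["hive"], m["name"], m["target"], dll, export))
    return entries


def vundo_signals(entry: RunEntry) -> List[str]:
    """Independent indicators; a vendor entry like NvCpl.dll scores one, the thread's loaders score three."""
    signals: List[str] = []
    if not entry.dll:
        return signals
    if "\\system32\\" in entry.dll.lower():
        signals.append("rundll32 loads a DLL directly from system32")
    if HEXISH_RE.match(entry.name):
        signals.append("Run value name is a bare hex string")
    if len(entry.export) == 1:
        signals.append(f"single-letter export '{entry.export}'")
    return signals


def suspicious_entries(log: str, min_signals: int = 2) -> Dict[str, List[str]]:
    """Map value name -> signals for entries that score at least min_signals."""
    result: Dict[str, List[str]] = {}
    for entry in parse_run_entries(log):
        signals = vundo_signals(entry)
        if len(signals) >= min_signals:
            result[entry.name] = signals
    return result


def diff_run_entries(old_log: str, new_log: str) -> Dict[str, List[str]]:
    """Compare two scans by value name; 'regenerated' = name survived but now points at another target."""
    old = {e.name: e for e in parse_run_entries(old_log)}
    new = {e.name: e for e in parse_run_entries(new_log)}
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "regenerated": sorted(n for n in common if old[n].target != new[n].target),
    }


# Constructed excerpts modelled on the first scan and on the scan taken after SmitFraudFix.
SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [1c71a8a0] rundll32.exe "C:\WINDOWS\system32\mjdanugi.dll",b
O4 - HKLM\..\Run: [BM1f429b3c] Rundll32.exe "C:\WINDOWS\system32\xenjrbjf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
SCAN_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [1c71a8a0] rundll32.exe "C:\WINDOWS\system32\mqlrllpw.dll",b
O4 - HKLM\..\Run: [BM1f429b3c] Rundll32.exe "C:\WINDOWS\system32\qdnbykcg.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for name, signals in suspicious_entries(SCAN_BEFORE).items():
        print(f"[{name}]: " + "; ".join(signals))
    print(diff_run_entries(SCAN_BEFORE, SCAN_AFTER))
```

The diff keyed on value name is the useful part: a cleaner that deletes the DLLs but leaves the Run values behind gets exactly the picture in this thread, with the names [1c71a8a0] and [BM1f429b3c] unchanged and the targets regenerated, which is the cue to take the machine offline before the next attempt, as chris advises.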
19.05.2008, 21:19 | #5

Hi. Here is the current state of affairs, in two answers:
1. Vundo found no infected files
2. the log file of VirtumundoToBeGone:

[05/19/2008, 21:58:15] - VirtumundoBeGone v1.5 ( "C:\Dokumente und Einstellungen\Notti\Desktop\VirtumundoBeGone.exe" )
[05/19/2008, 21:58:24] - Detected System Information:
[05/19/2008, 21:58:24] - Windows Version: 5.1.2600, Service Pack 2
[05/19/2008, 21:58:24] - Current Username: Notti (Admin)
[05/19/2008, 21:58:24] - Windows is in SAFE mode with Networking.
[05/19/2008, 21:58:24] - Searching for Browser Helper Objects:
[05/19/2008, 21:58:24] - BHO 1: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[05/19/2008, 21:58:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:24] - Checking for HKLM\...\Winlogon\Notify\NppBho
[05/19/2008, 21:58:24] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[05/19/2008, 21:58:24] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/19/2008, 21:58:24] - BHO 3: {7d490141-1042-4989-8e60-12e3b0d3abbd} ()
[05/19/2008, 21:58:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:24] - Checking for HKLM\...\Winlogon\Notify\jqisxtqa
[05/19/2008, 21:58:24] - Key not found: HKLM\...\Winlogon\Notify\jqisxtqa, continuing.
[05/19/2008, 21:58:24] - BHO 4: {CB912875-E6EF-4576-95DC-A565A26F18B5} ()
[05/19/2008, 21:58:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:24] - Checking for HKLM\...\Winlogon\Notify\dDSMFUOE
[05/19/2008, 21:58:24] - Key not found: HKLM\...\Winlogon\Notify\dDSMFUOE, continuing.
[05/19/2008, 21:58:24] - BHO 5: {CF98AC93-9852-4AE9-9C71-DDCC6DEA8A2F} ()
[05/19/2008, 21:58:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:24] - Checking for HKLM\...\Winlogon\Notify\winiptec
[05/19/2008, 21:58:24] - Key not found: HKLM\...\Winlogon\Notify\winiptec, continuing.
[05/19/2008, 21:58:24] - BHO 6: {F1B2B165-FBF2-4EB3-98FF-9CF5506062B5} ()
[05/19/2008, 21:58:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:24] - Checking for HKLM\...\Winlogon\Notify\mlJAtULD
[05/19/2008, 21:58:24] - Found: HKLM\...\Winlogon\Notify\mlJAtULD - This is probably Virtumundo.
[05/19/2008, 21:58:24] - Assigning {F1B2B165-FBF2-4EB3-98FF-9CF5506062B5} MSEvents Object
[05/19/2008, 21:58:24] - BHO list has been changed! Starting over...
[05/19/2008, 21:58:24] - BHO 1: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[05/19/2008, 21:58:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:24] - Checking for HKLM\...\Winlogon\Notify\NppBho
[05/19/2008, 21:58:24] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[05/19/2008, 21:58:24] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/19/2008, 21:58:24] - BHO 3: {7d490141-1042-4989-8e60-12e3b0d3abbd} ()
[05/19/2008, 21:58:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:24] - Checking for HKLM\...\Winlogon\Notify\jqisxtqa
[05/19/2008, 21:58:24] - Key not found: HKLM\...\Winlogon\Notify\jqisxtqa, continuing.
[05/19/2008, 21:58:24] - BHO 4: {CB912875-E6EF-4576-95DC-A565A26F18B5} ()
[05/19/2008, 21:58:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:24] - Checking for HKLM\...\Winlogon\Notify\dDSMFUOE
[05/19/2008, 21:58:24] - Key not found: HKLM\...\Winlogon\Notify\dDSMFUOE, continuing.
[05/19/2008, 21:58:24] - BHO 5: {CF98AC93-9852-4AE9-9C71-DDCC6DEA8A2F} ()
[05/19/2008, 21:58:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:24] - Checking for HKLM\...\Winlogon\Notify\winiptec
[05/19/2008, 21:58:24] - Key not found: HKLM\...\Winlogon\Notify\winiptec, continuing.
[05/19/2008, 21:58:24] - BHO 6: {F1B2B165-FBF2-4EB3-98FF-9CF5506062B5} (MSEvents Object)
[05/19/2008, 21:58:24] - ALERT: Found MSEvents Object!
[05/19/2008, 21:58:24] - Finished Searching Browser Helper Objects
[05/19/2008, 21:58:24] - *** Detected MSEvents Object
[05/19/2008, 21:58:24] - Trying to remove MSEvents Object...
[05/19/2008, 21:58:25] - Terminating Process: IEXPLORE.EXE
[05/19/2008, 21:58:25] - Terminating Process: RUNDLL32.EXE
[05/19/2008, 21:58:25] - Disabling Automatic Shell Restart
[05/19/2008, 21:58:25] - Terminating Process: EXPLORER.EXE
[05/19/2008, 21:58:26] - Suspending the NT Session Manager System Service
[05/19/2008, 21:58:26] - Terminating Windows NT Logon/Logoff Manager
[05/19/2008, 21:58:26] - Re-enabling Automatic Shell Restart
[05/19/2008, 21:58:26] - File to disable: C:\WINDOWS\system32\mlJAtULD.dll
[05/19/2008, 21:58:26] - Renaming C:\WINDOWS\system32\mlJAtULD.dll -> C:\WINDOWS\system32\mlJAtULD.dll.vir
[05/19/2008, 21:58:26] - File successfully renamed!
[05/19/2008, 21:58:26] - Removing HKLM\...\Browser Helper Objects\{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}
[05/19/2008, 21:58:26] - Removing HKCR\CLSID\{F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}
[05/19/2008, 21:58:26] - Adding Kill Bit for ActiveX for GUID: {F1B2B165-FBF2-4EB3-98FF-9CF5506062B5}
[05/19/2008, 21:58:26] - Deleting ATLEvents/MSEvents Registry entries
[05/19/2008, 21:58:26] - Removing HKLM\...\Winlogon\Notify\mlJAtULD
[05/19/2008, 21:58:26] - Searching for Browser Helper Objects:
[05/19/2008, 21:58:26] - BHO 1: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[05/19/2008, 21:58:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:26] - Checking for HKLM\...\Winlogon\Notify\NppBho
[05/19/2008, 21:58:26] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[05/19/2008, 21:58:26] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/19/2008, 21:58:26] - BHO 3: {7d490141-1042-4989-8e60-12e3b0d3abbd} ()
[05/19/2008, 21:58:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:26] - Checking for HKLM\...\Winlogon\Notify\jqisxtqa
[05/19/2008, 21:58:26] - Key not found: HKLM\...\Winlogon\Notify\jqisxtqa, continuing.
[05/19/2008, 21:58:26] - BHO 4: {CB912875-E6EF-4576-95DC-A565A26F18B5} ()
[05/19/2008, 21:58:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:26] - Checking for HKLM\...\Winlogon\Notify\dDSMFUOE
[05/19/2008, 21:58:26] - Key not found: HKLM\...\Winlogon\Notify\dDSMFUOE, continuing.
[05/19/2008, 21:58:26] - BHO 5: {CF98AC93-9852-4AE9-9C71-DDCC6DEA8A2F} ()
[05/19/2008, 21:58:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:26] - Checking for HKLM\...\Winlogon\Notify\winiptec
[05/19/2008, 21:58:26] - Key not found: HKLM\...\Winlogon\Notify\winiptec, continuing.
[05/19/2008, 21:58:26] - Finished Searching Browser Helper Objects
[05/19/2008, 21:58:26] - Finishing up...
[05/19/2008, 21:58:26] - A restart is needed.
[05/19/2008, 21:58:46] - Attempting to Restart via STOP error (Blue Screen!)
[05/19/2008, 22:01:53] - VirtumundoBeGone v1.5 ( "C:\Dokumente und Einstellungen\Notti\Desktop\VirtumundoBeGone.exe" )
[05/19/2008, 22:01:59] - Detected System Information:
[05/19/2008, 22:01:59] - Windows Version: 5.1.2600, Service Pack 2
[05/19/2008, 22:01:59] - Current Username: Notti (Admin)
[05/19/2008, 22:01:59] - Windows is in SAFE mode with Networking.
[05/19/2008, 22:01:59] - Searching for Browser Helper Objects:
[05/19/2008, 22:01:59] - BHO 1: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[05/19/2008, 22:01:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 22:01:59] - Checking for HKLM\...\Winlogon\Notify\NppBho [05/19/2008, 22:01:59] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing. [05/19/2008, 22:01:59] - BHO 2: {31EEB5B8-A57A-4604-820D-DAB6499B2747} () [05/19/2008, 22:01:59] - WARNING: BHO has no default name. Checking for Winlogon reference. [05/19/2008, 22:01:59] - Checking for HKLM\...\Winlogon\Notify\dDSMFUOE [05/19/2008, 22:01:59] - Key not found: HKLM\...\Winlogon\Notify\dDSMFUOE, continuing. [05/19/2008, 22:01:59] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class) [05/19/2008, 22:01:59] - BHO 4: {7d490141-1042-4989-8e60-12e3b0d3abbd} () [05/19/2008, 22:01:59] - WARNING: BHO has no default name. Checking for Winlogon reference. [05/19/2008, 22:01:59] - Checking for HKLM\...\Winlogon\Notify\jqisxtqa [05/19/2008, 22:01:59] - Key not found: HKLM\...\Winlogon\Notify\jqisxtqa, continuing. [05/19/2008, 22:01:59] - BHO 5: {CF98AC93-9852-4AE9-9C71-DDCC6DEA8A2F} () [05/19/2008, 22:01:59] - WARNING: BHO has no default name. Checking for Winlogon reference. [05/19/2008, 22:01:59] - Checking for HKLM\...\Winlogon\Notify\winiptec [05/19/2008, 22:01:59] - Key not found: HKLM\...\Winlogon\Notify\winiptec, continuing. [05/19/2008, 22:01:59] - Finished Searching Browser Helper Objects [05/19/2008, 22:01:59] - Finishing up... [05/19/2008, 22:01:59] - Nothing found! Exiting... Mit freundlichen Grüßen menelvagor |
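The VirtumundoBeGone log above shows the tool's single heuristic: a BHO with no default name is checked for a `HKLM\...\Winlogon\Notify` key of the same name as its DLL, and only a BHO that has such a key is treated as Virtumundo, renamed and unregistered. The Python script below is an added example, not part of this thread or of VirtumundoBeGone. It parses a constructed subset of the log lines posted above (same CLSIDs and DLL names, fewer entries) and reports which BHOs the tool acted on and which unnamed BHOs fell outside its check, since those are the ones a helper still has to look up by hand. The `Bho`, `Triage`, `triage` and `unnamed_unhooked` names are this example's own.

```python
"""Triage helper for VirtumundoBeGone-style logs (added example, not the tool's code).

Log format as posted in the thread: "[MM/DD/YYYY, HH:MM:SS] - message".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of the log posted in the thread (same CLSIDs and DLL names).
SAMPLE_LOG = r"""[05/19/2008, 21:58:24] - Searching for Browser Helper Objects:
[05/19/2008, 21:58:24] - BHO 1: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[05/19/2008, 21:58:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:24] - Checking for HKLM\...\Winlogon\Notify\NppBho
[05/19/2008, 21:58:24] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[05/19/2008, 21:58:24] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/19/2008, 21:58:24] - BHO 6: {F1B2B165-FBF2-4EB3-98FF-9CF5506062B5} ()
[05/19/2008, 21:58:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/19/2008, 21:58:24] - Checking for HKLM\...\Winlogon\Notify\mlJAtULD
[05/19/2008, 21:58:24] - Found: HKLM\...\Winlogon\Notify\mlJAtULD - This is probably Virtumundo.
[05/19/2008, 21:58:26] - Renaming C:\WINDOWS\system32\mlJAtULD.dll -> C:\WINDOWS\system32\mlJAtULD.dll.vir
[05/19/2008, 21:58:26] - Removing HKLM\...\Winlogon\Notify\mlJAtULD
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
BHO_RE = re.compile(r"^BHO (?P<n>\d+): (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*)\)$")
NOTIFY = r"HKLM\\\.\.\.\\Winlogon\\Notify\\(?P<key>[^\s,]+)"  # literal HKLM\...\Winlogon\Notify\<key>
CHECK_RE = re.compile(r"^Checking for " + NOTIFY + r"$")
FOUND_RE = re.compile(r"^Found: " + NOTIFY)
REMOVE_RE = re.compile(r"^Removing " + NOTIFY + r"$")
RENAME_RE = re.compile(r"^Renaming (?P<src>.+?) -> (?P<dst>.+)$")


@dataclass
class Bho:
    clsid: str
    name: str                          # "" when the tool printed "()"
    notify_key: Optional[str] = None   # Winlogon\Notify key the tool looked for
    notify_found: bool = False         # True: the tool's "probably Virtumundo" verdict


@dataclass
class Triage:
    passes: List[List[Bho]]            # each BHO enumeration pass in the log
    suspicious: List[Bho]              # BHOs that had a matching Notify key
    renamed: List[Tuple[str, str]]     # (source, destination) of disabled files
    removed_notify_keys: List[str]     # Winlogon\Notify keys the tool deleted


def triage(log: str) -> Triage:
    """Replay the log and collect what the tool found and changed."""
    passes: List[List[Bho]] = []
    suspicious: List[Bho] = []
    renamed: List[Tuple[str, str]] = []
    removed: List[str] = []
    current: Optional[Bho] = None
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        bm = BHO_RE.match(msg)
        if bm:
            if bm.group("n") == "1" or not passes:   # "BHO 1" starts a new pass
                passes.append([])
            current = Bho(bm.group("clsid"), bm.group("name"))
            passes[-1].append(current)
            continue
        cm = CHECK_RE.match(msg)
        if cm and current:
            current.notify_key = cm.group("key")
            continue
        fm = FOUND_RE.match(msg)
        if fm and current:
            current.notify_found = True
            if all(b.clsid != current.clsid for b in suspicious):
                suspicious.append(current)
            continue
        rm = RENAME_RE.match(msg)
        if rm:
            renamed.append((rm.group("src"), rm.group("dst")))
            continue
        xm = REMOVE_RE.match(msg)
        if xm:
            removed.append(xm.group("key"))
    return Triage(passes, suspicious, renamed, removed)


def unnamed_unhooked(t: Triage) -> List[Bho]:
    """BHOs in the last pass with no default name and no Winlogon\\Notify hook.

    These lie outside the tool's heuristic and need manual lookup; in the thread
    that is where dDSMFUOE, jqisxtqa and winiptec stayed until Silent Runners ran.
    """
    if not t.passes:
        return []
    return [b for b in t.passes[-1] if not b.name and not b.notify_found]


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    for b in t.suspicious:
        print("acted on:", b.clsid, "via Notify key", b.notify_key)
    for b in unnamed_unhooked(t):
        print("still unnamed, check by hand:", b.clsid, "->", b.notify_key)
```

Run it on a full log copy instead of `SAMPLE_LOG` to get the same two lists for the whole session; the two-pass structure ("BHO list has been changed! Starting over...") is handled by treating every "BHO 1" line as the start of a new pass.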
19.05.2008, 21:21 | #6 |
| Evaluation of HijackThis log file Hi. Here is also the Silent Runners output, part 1:
"Silent Runners.vbs", revision 58, Silent Runners - Adware? Disinfect, don't reformat!
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Octoshape Streaming Services" = ""C:\Programme\Octoshape Streaming Services\Notti\OctoshapeClient.exe" -inv:bootrun" [file not found]
"CTSyncU.exe" = ""C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe"" [empty string]
"TomTomHOME.exe" = ""C:\Programme\TomTom HOME 2\HOMERunner.exe"" ["TomTom"]
"WMPNSCFG" = "C:\Programme\Windows Media Player\WMPNSCFG.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"HDAudDeck" = "C:\Programme\VIAudioi\HDADeck\HDeck.exe 1" ["VIA Technologies, Inc."]
"BullGuard" = ""C:\Programme\BullGuard Software\BullGuard\bullguard.exe" -boot" [file not found]
"GnabTray" = "C:\Programme\Gemeinsame Dateien\Gnab\Service\GnabTray.exe -checkstart" [null data]
"Adobe" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"" [file not found]
"WinDSL MTU-Adjust" = "WinDSL_MTU.exe" ["Engel Technologieberatung, Entwicklung/Verkauf von Soft- und Hardware KG"]
"ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"osCheck" = ""C:\Programme\Norton Internet Security\osCheck.exe"" ["Symantec Corporation"]
"HP Software Update" = "C:\Programme\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Nero AG"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"ICQ Lite" = ""J:\Programme\ICQLite\ICQLite.exe" -minimize" ["ICQ Ltd."]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Adobe Photo Downloader" = ""J:\Programme\Adobe\Photoshop Elements 5.0\apdproxy.exe"" ["Adobe Systems Incorporated"]
"Symantec PIF AlertEng" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"1c71a8a0" = "rundll32.exe "C:\WINDOWS\system32\mqlrllpw.dll",b" [MS]
"BM1f429b3c" = "Rundll32.exe "C:\WINDOWS\system32\qdnbykcg.dll",s" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\NppBho.dll" ["Symantec Corporation"]
{31EEB5B8-A57A-4604-820D-DAB6499B2747}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\dDSMFUOE.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{7d490141-1042-4989-8e60-12e3b0d3abbd}\(Default) = "{dbba3d0b-3e21-06e8-9894-2401141094d7}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\jqisxtqa.dll" [null data]
{CF98AC93-9852-4AE9-9C71-DDCC6DEA8A2F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\winiptec.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" [file not found]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" [file not found]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
     \InProcServer32\(Default) = "J:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{24849E2F-0A86-40CD-A62A-B12F161882DB}" = "ZEN V Series Media Explorer"
  -> {HKLM...CLSID} = "ZEN V Series Media Explorer"
     \InProcServer32\(Default) = "C:\Programme\Creative\Creative ZEN V Series (R2)\ZEN V Series Media Explorer\SHCTMTP.dll" ["Creative Technology Ltd"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\dDSMFUOE"

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" [file not found]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"
  -> {HKLM...CLSID} = "CtMtpContextMenu Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" ["Creative Technology Ltd"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
     \InProcServer32\(Default) = "J:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
  -> {HKLM...CLSID} = "IEContextMenu Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
     \InProcServer32\(Default) = "J:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"
  -> {HKLM...CLSID} = "CtMtpContextMenu Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" ["Creative Technology Ltd"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
  -> {HKLM...CLSID} = "IEContextMenu Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}
"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

AdobePhotoshopElements5ShowPicturesOnArrival\
"Provider" = "Adobe Photoshop Elements 5.0"
"InvokeProgID" = "PhotoshopElements.Application.5"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\PhotoshopElements.Application.5\shell\launch\command\(Default) = ""J:\Programme\Adobe\Photoshop Elements 5.0\PseProxy.exe" -v "%1"" ["Adobe Systems Incorporated"]

CTMTPHandler\
"Provider" = "Creative Media Explorer"
"ProgID" = "CTMtpAut.CTMtpEventHandler"
"InitCmdLine" = "OrganizeUsingZME"
HKLM\SOFTWARE\Classes\CTMtpAut.CTMtpEventHandler\CLSID\(Default) = "{9F40AC21-F4D1-477C-AC95-7A935224220F}"
  -> {HKLM...CLSID} = "CTMtpEventHandler Class"
     \LocalServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CTMtpAut.exe" ["Creative Technology Ltd."]

CTPlayAudioOnArrivalu\
"Provider" = "Creative MediaSource 5 Player"
"InvokeProgID" = "CTAutoPLu.AudioCDPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPLu.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Programme\Creative\MediaSource5\CTCMSu.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]

CTPlayMusicFilesOnArrivalu\
"Provider" = "Creative MediaSource 5 Player"
"InvokeProgID" = "CTAutoPLu.MusicFilesPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPLu.MusicFilesPlayer.1\shell\open\command\(Default) = ""C:\Programme\Creative\MediaSource5\CTCMSu.exe" /Organizer" ["Creative Technology Ltd"]

DVDFabPlatinumOnDVDArrival\
"Provider" = "DVDFab Platinum"
"InvokeProgID" = "DVDFabPlatinumOpen"
"InvokeVerb" = "Open"
HKLM\SOFTWARE\Classes\DVDFabPlatinumOpen\shell\Open\command\(Default) = "J:\PROGRA~1\DVDFAB~1\DVDFAB~1.EXE" ["Fengtao Software Inc."]

EHomeMusicDropTarget\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomeMusicDropTarget"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeMusicDropTarget\shell\play\DropTarget\CLSID = "{ED87EFF3-FF22-404E-B2BD-BC3841BDCB2C}"
  -> {HKLM...CLSID} = "EHomeMusicDropTarget Class"
     \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" |
19.05.2008, 21:25 | #7 |
| Evaluation of HijackThis log file The second part of the Silent Runners output:
[MS]

EHomePhotosHandler\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomePhotosHandler"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomePhotosHandler\shell\play\DropTarget\CLSID = "{4b7601c1-d292-4902-89f4-583a5ce0c535}"
  -> {HKLM...CLSID} = "EHomePhotosHandler Class"
     \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomeVideoDropTarget\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomeVideoDropTarget"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideoDropTarget\shell\play\DropTarget\CLSID = "{A48E70A4-8E15-4465-9D85-CCE9E63F8AAB}"
  -> {HKLM...CLSID} = "EHomeVideoDropTarget Class"
     \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomeVideosHandler\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomeVideosHandler"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideosHandler\shell\play\DropTarget\CLSID = "{4f61ec50-acef-4ae7-b4c6-b19bddc0f745}"
  -> {HKLM...CLSID} = "EHomeVideosHandler Class"
     \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

FunMultiMediaHandler\
"Provider" = "MultiMedia Manager"
"ProgID" = "FUNBOX.Autoplay"
HKLM\SOFTWARE\Classes\FUNBOX.Autoplay\CLSID\(Default) = "{DF866F1F-10DF-4694-94A9-7F526FC8800A}"
  -> {HKLM...CLSID} = "FUNBOX Autoplay Sample 2"
     \LocalServer32\(Default) = "C:\Program Files\Samsung\Samsung PC Studio 3\Share_autoplay.exe" [file not found]

HPUnloadAutoplay\
"Provider" = "HP Image Zone"
"InvokeProgID" = "HpqUnApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = "{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}"
  -> {HKLM...CLSID} = (no title provided)
     \LocalServer32\(Default) = "C:\Programme\HP\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"]

MedionboxCDBurning\
"Provider" = "Medionbox"
"InvokeProgID" = "Medionbox.BurnCD"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\Medionbox.BurnCD\shell\Burn\command\(Default) = ""C:\Programme\Medion\MEDIONbox\Program\GnabClient.exe" -device %L -burn" [null data]

MedionboxPlayCDAudio\
"Provider" = "Medionbox"
"InvokeProgID" = "Medionbox.AudioCD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Medionbox.AudioCD\shell\Play\command\(Default) = ""C:\Programme\Medion\MEDIONbox\Program\GnabClient.exe" -device %L -play" [null data]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlay7VideoCapture\
"Provider" = "Nero Vision Essentials"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "/New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
  -> {HKLM...CLSID} = "RealNetworks Scheduler"
     \LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Programme\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
     \LocalServer32\(Default) = ""C:\Programme\Winamp\winamp.exe"" ["Nullsoft"]

Startup items in "Notti" & "All Users" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\Notti\Startmenü\Programme\Autostart
"HotSync Manager" -> shortcut to: "C:\Programme\palmOne\HOTSYNC.EXE" ["Palm, Inc."]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"HP Digital Imaging Monitor" -> shortcut to: "C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"HP Image Zone Schnellstart" -> shortcut to: "C:\Programme\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data]

Enabled Scheduled Tasks:
------------------------

"HPpromotions journeysoftware" -> launches: "C:\Programme\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe /N "journeysoftware" -r" ["hp"]
"Norton Internet Security - Vollständige Systemprüfung ausführen - Notti" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /TASK:"C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
  -> {HKLM...CLSID} = "ICQ Toolbar"
     \InProcServer32\(Default) = "J:\Programme\ICQToolbar\toolbaru.dll" ["IE Toolbar"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
  -> {HKLM...CLSID} = "Norton-Symbolleiste anzeigen"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.0\UIBHO.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Real.com"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "J:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
  -> {HKLM...CLSID} = "ICQ Toolbar"
     \InProcServer32\(Default) = "J:\Programme\ICQToolbar\toolbaru.dll" ["IE Toolbar"]

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
a-squared Free Service, a2free, ""J:\Programme\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]
Adobe Active File Monitor V5, AdobeActiveFileMonitor5.0, "J:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe" [null data]
ASP.NET-Zustandsdienst, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS]
Automatisches LiveUpdate - Scheduler, Automatisches LiveUpdate - Scheduler, ""C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
COM Host, comHost, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe"" ["Symantec Corporation"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
Cyberlink RichVideo Service(CRVS), RichVideo, ""J:\Downloads\Downloads\Cyberlink.PowerDVD.Deluxe.v7.0.Multilingual.Incl.Keymaker-CORE\setup\RichVideo\RichVideo.exe"" [file not found]
Dienst für Seriennummern der tragbaren Medien, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
GnabService, GnabService, "c:\programme\gemeinsame dateien\gnab\service\servicecontroller.exe" [null data]
InstallDriver Table Manager, IDriverT, ""C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
LiveUpdate, LiveUpdate, ""C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"" ["Symantec Corporation"]
LiveUpdate Notice Service, LiveUpdate Notice Service, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll"" ["Symantec Corporation"]
LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center-Planerdienst, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
MHN, MHN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mhn.dll" [MS]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Office Source Engine, ose, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
Symantec AppCore Service, SymAppCore, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec IS Kennwortprüfung, ISPwdSvc, ""C:\Programme\Norton Internet Security\isPwdSvc.exe"" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Verwaltungsdienst für die Verwaltung logischer Datenträger, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}
Windows Media Player-Netzwerkfreigabedienst, WMPNetworkSvc, ""C:\Programme\Windows Media Player\WMPNetwk.exe"" [MS]
WMI-Leistungsadapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
(launch time: 2008-05-19 22:04:17)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box.
---------- (total run time: 45 seconds, including 13 seconds for message boxes)
Kind regards menelvagor |
20.05.2008, 06:30 | #8 | |
| Evaluation of hijackthis log-file Hi, Silentrunner has brought a few more things to light... Please check the following files: Quote:
At the top of the page --> click Browse --> select the file (or paste the file with its correct path straight in) --> double-click the file to be checked --> click "Send"... now wait - then select the text with the right mouse button -> copy - paste. Post the result for each file together with its file name. Caution: if a file was not clearly identified, take it out of the Avenger script! (some of the files are supposedly signed by Microsoft?): So: Avenger instructions (by swandog46) 1.) Download the tool Avenger and save it to the desktop: 2.) Configure the program as shown in the picture. Now copy the following text into the white box: (at -> "input script here") Code:
Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|1c71a8a0
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|BM1f429b3c

Files to delete:
C:\WINDOWS\system32\mqlrllpw.dll
C:\WINDOWS\system32\qdnbykcg.dll
C:\WINDOWS\system32\dDSMFUOE.dll
C:\WINDOWS\system32\jqisxtqa.dll
3.) Now close all programs (save your work first if necessary!) and browser windows; after Avenger has run, the system will be restarted. 4.) To start Avenger click on -> Execute. Then confirm with "Yes" that the computer will restart! 5.) After the system has restarted, you will find a report from Avenger here -> C:\avenger.txt. Open the file with Notepad and copy the entire text into your post here on the Trojaner-Board. Now, please also scan & clean with Anti-Malware: http://www.trojaner-board.de/51187-a...i-malware.html Please post the log from Avenger, Anti-Malware and a new HJT log... chris
__________________ Don't bring me down Note before posting! Donations (Anyone who wants to donate is welcome to get in touch) |
20.05.2008, 11:25 | #9 |
| Evaluation of hijackthis log-file Hi, here are the results from Virus Total, files 1 and 2:

C:\WINDOWS\system32\mqlrllpw.dll

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.5.20.0 2008.05.20 -
AntiVir 7.8.0.19 2008.05.20 TR/Vundo.Gen
Authentium 5.1.0.4 2008.05.19 -
Avast 4.8.1195.0 2008.05.19 Win32:Vundo@dll
AVG 7.5.0.516 2008.05.19 -
BitDefender 7.2 2008.05.20 -
CAT-QuickHeal 9.50 2008.05.19 -
ClamAV 0.92.1 2008.05.20 -
DrWeb 4.44.0.09170 2008.05.20 -
eSafe 7.0.15.0 2008.05.19 -
eTrust-Vet 31.4.5805 2008.05.20 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.20 Vundo.gen179
Fortinet 3.14.0.0 2008.05.20 -
GData 2.0.7306.1023 2008.05.20 Win32:Vundo
Ikarus T3.1.1.26.0 2008.05.20 -
Kaspersky 7.0.0.125 2008.05.20 -
McAfee 5298 2008.05.19 -
Microsoft 1.3520 2008.05.20 Trojan:Win32/Vundo.gen!H
NOD32v2 3113 2008.05.20 -
Norman 5.80.02 2008.05.19 Vundo.gen179
Panda 9.0.0.4 2008.05.20 Suspicious file
Prevx1 V2 2008.05.20 Malicious Software
Rising 20.45.11.00 2008.05.20 -
Sophos 4.29.0 2008.05.20 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.20 -
TheHacker 6.2.92.314 2008.05.20 -
VBA32 3.12.6.6 2008.05.19 -
VirusBuster 4.3.26:9 2008.05.19 -
Webwasher-Gateway 6.6.2 2008.05.20 Trojan.Vundo.Gen

weitere Informationen
File size: 114752 bytes
MD5...: 8e759c50e2a7b4c822c44b00e63193d3
SHA1..: 0f708d20dc4b972823b8906c825b1cf9aa588626
SHA256: 1f63324a247ed4458c622f5eed3a67864416b9b2c1102ec20e3925ffcf85e915
SHA512: e5e75bd9c9112ad4a445d1805a91e013494ec92ccf65b3e3363839021706fe2e 321703261d514b4d817c67a74149206a1b5def18dfbbb85dae340cfadc4c4981
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10001046
timedatestamp.....: 0x478a2fee (Sun Jan 13 15:36:14 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x86a4 0x8800 7.18 19ddb2e1244d95d2baa97a1a53e1f4ec
.rdata 0xa000 0x9948 0x9a00 7.98 51797593e92025e6038f36a2e3c50b54
.data 0x14000 0x12f61 0x9a00 7.98 ddcb131e94e3b3d0e45b4eff880f717a
( 2 imports )
> user32.dll: DialogBoxParamA, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, CreateMenu, CreateIconFromResourceEx, CreateIconFromResource, CreateCursor, CreateAcceleratorTableA, CloseWindow, ChangeMenuA, BeginPaint
> kernel32.dll: GetLastError, lstrlenA, lstrcpynA, lstrcpyA, WriteFile, VirtualFree, TlsSetValue, TlsGetValue, TlsAlloc, SleepEx, SetLastError, SetEndOfFile, ReadFile, MapViewOfFile, EnumResourceLanguagesA, EnumResourceTypesA, GetCommandLineA, GetFileSize, GetStartupInfoA, GetTimeFormatA, GetVersion, LoadLibraryA
( 0 exports )
Prevx info: 46830691.DLL - Prevx

C:\WINDOWS\system32\qdnbykcg.dll

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.5.20.0 2008.05.20 -
AntiVir 7.8.0.19 2008.05.20 TR/Vundo.Gen
Authentium 5.1.0.4 2008.05.19 -
Avast 4.8.1195.0 2008.05.19 Win32:Vundo@dll
AVG 7.5.0.516 2008.05.19 -
BitDefender 7.2 2008.05.20 -
CAT-QuickHeal 9.50 2008.05.19 -
ClamAV 0.92.1 2008.05.20 -
DrWeb 4.44.0.09170 2008.05.20 -
eSafe 7.0.15.0 2008.05.19 -
eTrust-Vet 31.4.5805 2008.05.20 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.20 Vundo.gen179
Fortinet 3.14.0.0 2008.05.20 -
GData 2.0.7306.1023 2008.05.20 Win32:Vundo
Ikarus T3.1.1.26.0 2008.05.20 -
Kaspersky 7.0.0.125 2008.05.20 -
McAfee 5298 2008.05.19 -
Microsoft 1.3520 2008.05.20 Trojan:Win32/Vundo.gen!H
NOD32v2 3113 2008.05.20 -
Norman 5.80.02 2008.05.19 Vundo.gen179
Panda 9.0.0.4 2008.05.20 -
Prevx1 V2 2008.05.20 Malicious Software
Rising 20.45.11.00 2008.05.20 -
Sophos 4.29.0 2008.05.20 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.20 -
TheHacker 6.2.92.314 2008.05.20 -
VBA32 3.12.6.6 2008.05.19 -
VirusBuster 4.3.26:9 2008.05.19 -
Webwasher-Gateway 6.6.2 2008.05.20 Trojan.Vundo.Gen

weitere Informationen
File size: 124992 bytes
MD5...: 75729879e7850aa4e0f392fab5825a7c
SHA1..: a09e15123a8f453e76e6b32ca7abab0138f16108
SHA256: 676e900ae9c63edcd49c708abe0f542fbb5e3e30cbe40193fe4e3da487fd948c
SHA512: 2630fae70811e0b131ae395f3fe267afb311630425782a56871f8f4565d162ad 4179b830c1ec4e8bfe1ad9b832f5b6ff2dc14b0c91edbcd6f502861bfd21c90e
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x100010e4
timedatestamp.....: 0x478a2fee (Sun Jan 13 15:36:14 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8595 0x8600 7.23 d7dc01ca88ff2b5d763cdfb86ecb1a48
.rdata 0xa000 0xbb43 0xbc00 7.98 45ed7020c4817e65d4ffabbe2884bbb0
.data 0x16000 0x148d9 0xa200 7.96 4f27c70ee8255c1fbdb3ca53cc37ad9b
( 2 imports )
> user32.dll: EnableMenuItem, EmptyClipboard, DrawTextA, DestroyIcon, DestroyCursor, CreateMDIWindowA, CreateDialogParamA, CreateDesktopW, CreateAcceleratorTableA, CopyImage, CloseWindow, CharLowerA, ChangeMenuA, BeginPaint
> kernel32.dll: TlsFree, TlsAlloc, ReadFile, OpenFile, LeaveCriticalSection, GetCommandLineA, FindResourceA, ExitProcess, EnumResourceNamesA, EnumResourceLanguagesW, EnterCriticalSection, CloseHandle, lstrcatA
( 0 exports )
Prevx info: 21174205.DLL - Prevx |
20.05.2008, 11:27 | #10 |
| Evaluation of hijackthis log-file and now the results from Virus Total, files 3 and 4.

C:\WINDOWS\system32\dDSMFUOE.dll

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.5.20.0 2008.05.20 -
AntiVir 7.8.0.19 2008.05.20 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.05.19 -
Avast 4.8.1195.0 2008.05.19 Win32:Vundo@dll
AVG 7.5.0.516 2008.05.19 Generic10.YPT
BitDefender 7.2 2008.05.20 -
CAT-QuickHeal 9.50 2008.05.19 -
ClamAV 0.92.1 2008.05.20 -
DrWeb 4.44.0.09170 2008.05.20 -
eSafe 7.0.15.0 2008.05.19 -
eTrust-Vet 31.4.5805 2008.05.20 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.20 Vundo.gen179
Fortinet 3.14.0.0 2008.05.20 -
GData 2.0.7306.1023 2008.05.20 Win32:Vundo
Ikarus T3.1.1.26.0 2008.05.20 -
Kaspersky 7.0.0.125 2008.05.20 -
McAfee 5298 2008.05.19 -
Microsoft 1.3520 2008.05.20 Trojan:Win32/Vundo.gen!H
NOD32v2 3113 2008.05.20 -
Norman 5.80.02 2008.05.19 Vundo.gen179
Panda 9.0.0.4 2008.05.20 -
Prevx1 V2 2008.05.20 Malicious Software
Rising 20.45.11.00 2008.05.20 -
Sophos 4.29.0 2008.05.20 Troj/Virtum-Gen
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.20 -
TheHacker 6.2.92.314 2008.05.20 -
VBA32 3.12.6.6 2008.05.19 -
VirusBuster 4.3.26:9 2008.05.19 -
Webwasher-Gateway 6.6.2 2008.05.20 Trojan.Crypt.XPACK.Gen

weitere Informationen
File size: 371200 bytes
MD5...: acbc8661585af8344d30d9cc9970a932
SHA1..: c7762507497220bd0ef62c2abc3347c968e4d6cb
SHA256: e52b18b960779b0f3b3b46601154508708a35834bcf54c7587019686e0173b3b
SHA512: 3574bf399834a9c25eef0faba3f065d5b22efce8112e216336c0e75563b16fb1 a5527da5612950bcc222889a65a1e6bbb391fd2d9878daff72aadfbd503a4575
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x10001154
timedatestamp.....: 0x478a2fee (Sun Jan 13 15:36:14 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x88b6 0x8a00 7.19 7b63bfccad111b3a928072e6a07cb942
.rdata 0xa000 0x11997 0x11a00 7.99 7f6a99951fa8ae49fdcb7040c21866d0
.data 0x1c000 0x814d5 0x40200 8.00 92b32769a35ebaec85b4981489eafedb
( 2 imports )
> user32.dll: DrawStateA, DrawIcon, DestroyIcon, DestroyCursor, DeleteMenu, DefDlgProcA, CreateMenu, CreateIconFromResourceEx, CreateIconFromResource, CreateIcon, CopyRect, CopyImage, CharUpperA, CharToOemA, CharPrevA, CharNextA
> kernel32.dll: EnumResourceTypesA, lstrlenA, lstrcpyA, lstrcmpiA, lstrcmpA, lstrcatA, WriteFile, TlsSetValue, SleepEx, OpenFileMappingA, LeaveCriticalSection, InitializeCriticalSection, GetSystemTimeAsFileTime, GetSystemTime, GetLocalTime, GetLastError, FreeResource, CloseHandle, EnumResourceNamesA, FindResourceA
( 0 exports )
Prevx info: 28252322.DLL - Prevx

C:\WINDOWS\system32\jqisxtqa.dll

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.5.20.0 2008.05.20 -
AntiVir 7.8.0.19 2008.05.20 TR/Vundo.Gen
Authentium 5.1.0.4 2008.05.19 -
Avast 4.8.1195.0 2008.05.19 Win32:Vundo@dll
AVG 7.5.0.516 2008.05.19 -
BitDefender 7.2 2008.05.20 -
CAT-QuickHeal 9.50 2008.05.19 -
ClamAV 0.92.1 2008.05.20 -
DrWeb 4.44.0.09170 2008.05.20 -
eSafe 7.0.15.0 2008.05.19 -
eTrust-Vet 31.4.5805 2008.05.20 -
Ewido 4.0 2008.05.19 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.20 Vundo.gen179
Fortinet 3.14.0.0 2008.05.20 -
GData 2.0.7306.1023 2008.05.20 Win32:Vundo
Ikarus T3.1.1.26.0 2008.05.20 -
Kaspersky 7.0.0.125 2008.05.20 -
McAfee 5298 2008.05.19 -
Microsoft 1.3520 2008.05.20 Trojan:Win32/Vundo.gen!H
NOD32v2 3113 2008.05.20 -
Norman 5.80.02 2008.05.19 Vundo.gen179
Panda 9.0.0.4 2008.05.20 -
Prevx1 V2 2008.05.20 Malicious Software
Rising 20.45.11.00 2008.05.20 -
Sophos 4.29.0 2008.05.20 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.20 -
TheHacker 6.2.92.314 2008.05.20 -
VBA32 3.12.6.6 2008.05.19 -
VirusBuster 4.3.26:9 2008.05.19 -
Webwasher-Gateway 6.6.2 2008.05.20 Trojan.Vundo.Gen

weitere Informationen
File size: 132672 bytes
MD5...: 994bf6ed66629a59e0b36867ec1f9b9d
SHA1..: bba30aba33b1e3f001c524bf3bd20e32de006ac1
SHA256: 5c5f529ced4fa833f6d32d12a5ec2768dddff0b54ac3e4e3762a09245a79a8fb
SHA512: 83e812718d564147098ead9b01869b2ad4cb16ddb3c4e44032251b2582c6b303 5ee4fbb14ec03b8dc6bf00c4888d03a181630a7682ddfe92ec562543c9c52b4b
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x100010e4
timedatestamp.....: 0x478a2fee (Sun Jan 13 15:36:14 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8533 0x8600 7.21 a81e6c8452f0a8a567516b5e0438d2ca
.rdata 0xa000 0x6fa8 0x7000 7.97 c65b1c78cee5c0e67c4c244e793bf9ad
.data 0x11000 0x209f9 0x10c00 7.98 bebd91d40bb6bd174c74c9e35a07514d
( 2 imports )
> user32.dll: DestroyIcon, DestroyCaret, CreateMenu, CreateMDIWindowA, CreateIcon, CreateDialogParamA, CreateDialogIndirectParamA, CreateDesktopW, CreateDesktopA, CreateAcceleratorTableA, CopyImage, CloseWindow, CharToOemBuffA, CharToOemA, EnableScrollBar, CharPrevA
> kernel32.dll: lstrcmpiA, lstrcatA, VirtualAlloc, TlsSetValue, Sleep, LoadLibraryA, LeaveCriticalSection, GetVersion, GetLastError, EnumResourceLanguagesA, EnterCriticalSection, CompareStringA, CloseHandle, lstrcpynA
( 0 exports )
Prevx info: 42723526.DLL - Prevx |
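Reading four flattened VirusTotal dumps like the ones in posts #9 and #10 by eye is error-prone, so here is an added example (my code, not from the thread and not from VirusTotal) that parses the result text as it was pasted into a post into per-engine records, counts detections, lists which engines name a given family, and pulls out the hashes. The sample input is a constructed, shortened copy of the mqlrllpw.dll result above: the engine rows, German column headings and hashes are as posted, only the engine list is cut down. The parser anchors each row on the update-date column, which is an assumption about the layout taken from the posted output rather than anything VirusTotal documents.

```python
"""Parse an old-style VirusTotal result page that was flattened onto one line.

Added example, not code from the thread or from VirusTotal. SAMPLE is a
constructed, abridged copy of the mqlrllpw.dll result posted above: the
engine list is shortened, everything else is as posted.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = (
    "C:\\WINDOWS\\system32\\mqlrllpw.dll Antivirus Version letzte aktualisierung Ergebnis "
    "AhnLab-V3 2008.5.20.0 2008.05.20 - AntiVir 7.8.0.19 2008.05.20 TR/Vundo.Gen "
    "Avast 4.8.1195.0 2008.05.19 Win32:Vundo@dll AVG 7.5.0.516 2008.05.19 - "
    "Microsoft 1.3520 2008.05.20 Trojan:Win32/Vundo.gen!H "
    "Panda 9.0.0.4 2008.05.20 Suspicious file Prevx1 V2 2008.05.20 Malicious Software "
    "Symantec 10 2008.05.20 - Webwasher-Gateway 6.6.2 2008.05.20 Trojan.Vundo.Gen "
    "weitere Informationen File size: 114752 bytes "
    "MD5...: 8e759c50e2a7b4c822c44b00e63193d3 "
    "SHA1..: 0f708d20dc4b972823b8906c825b1cf9aa588626 "
    "SHA256: 1f63324a247ed4458c622f5eed3a67864416b9b2c1102ec20e3925ffcf85e915"
)

# Each engine row is "<engine> <version> <YYYY.MM.DD> <result...>". Engine
# names and results may contain spaces, but the update date always has this
# shape, so the parser anchors on the date and treats the text up to the next
# anchor as the result (assumption about the layout, taken from the posted output).
ENGINE_RE = re.compile(r"(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})(?=\s)")
PATH_RE = re.compile(r"^(.*?)\s+Antivirus\s+Version\b")
SIZE_RE = re.compile(r"File size:\s*(\d+)\s*bytes")
HASH_RES = {
    "md5": re.compile(r"MD5\.*:\s*([0-9a-fA-F]{32})\b"),
    "sha1": re.compile(r"SHA1\.*:\s*([0-9a-fA-F]{40})\b"),
    "sha256": re.compile(r"SHA256:\s*([0-9a-fA-F]{64})\b"),
}
# The German UI separated the engine table from the file metadata with this
# heading; the English UI of the time used "Additional information".
SECTION_MARKERS = ("weitere Informationen", "Additional information")


@dataclass
class EngineResult:
    engine: str
    version: str
    updated: str
    result: str  # "-" means the engine reported nothing

    @property
    def detected(self) -> bool:
        return self.result != "-"


@dataclass
class Report:
    path: str
    engines: List[EngineResult] = field(default_factory=list)
    file_size: Optional[int] = None
    md5: Optional[str] = None
    sha1: Optional[str] = None
    sha256: Optional[str] = None

    @property
    def detections(self) -> List[EngineResult]:
        return [e for e in self.engines if e.detected]

    def family_hits(self, family: str) -> List[str]:
        """Engines whose verdict names the given family, case-insensitively."""
        return [e.engine for e in self.detections if family.lower() in e.result.lower()]

    def summary(self) -> str:
        return f"{self.path}: {len(self.detections)}/{len(self.engines)} engines, md5={self.md5}"


def parse_report(text: str) -> Report:
    text = " ".join(text.split())  # collapse the whitespace of a flattened post
    head, tail = text, ""
    for marker in SECTION_MARKERS:
        if marker in text:
            head, _, tail = text.partition(marker)
            break
    m = PATH_RE.match(head)
    report = Report(path=m.group(1) if m else "")
    anchors = list(ENGINE_RE.finditer(head))
    for i, a in enumerate(anchors):
        end = anchors[i + 1].start() if i + 1 < len(anchors) else len(head)
        result = head[a.end():end].strip()
        report.engines.append(EngineResult(a.group(1), a.group(2), a.group(3), result))
    size = SIZE_RE.search(tail)
    if size:
        report.file_size = int(size.group(1))
    for attr, rx in HASH_RES.items():
        h = rx.search(tail)
        if h:
            setattr(report, attr, h.group(1).lower())
    return report


if __name__ == "__main__":
    r = parse_report(SAMPLE)
    print(r.summary())
    for e in r.detections:
        print(f"  {e.engine:<20} {e.result}")
    print("engines naming Vundo:", r.family_hits("vundo"))
```

The family count is the useful number for a thread like this one: four engines out of nine call the sample Vundo by name, and two more flag it generically, which is stronger evidence than any single engine's verdict.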
20.05.2008, 11:29 | #11 |
| Evaluation of hijackthis log-file the Avenger log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
Swandog46's Public Anti-Malware Tools
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\system32\mqlrllpw.dll" deleted successfully.
File "C:\WINDOWS\system32\qdnbykcg.dll" deleted successfully.
File "C:\WINDOWS\system32\dDSMFUOE.dll" deleted successfully.
File "C:\WINDOWS\system32\jqisxtqa.dll" deleted successfully.
Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|1c71a8a0" deleted successfully.
Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|BM1f429b3c" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.

the Anti-Malware log:

Malwarebytes' Anti-Malware 1.12
Datenbank Version: 768
Scan Art: Komplett Scan (C:\|D:\|F:\|J:\|)
Objekte gescannt: 162653
Scan Dauer: 27 minute(s), 52 second(s)
Infizierte Speicher Prozesse: 0
Infizierte Speicher Module: 0
Infizierte Registrierungsschlüssel: 7
Infizierte Registrierungswerte: 0
Infizierte Datei Objekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1
Infizierte Speicher Prozesse:
(Keine Malware Objekte gefunden)
Infizierte Speicher Module:
(Keine Malware Objekte gefunden)
Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Infizierte Registrierungswerte:
(Keine Malware Objekte gefunden)
Infizierte Datei Objekte der Registrierung:
(Keine Malware Objekte gefunden)
Infizierte Verzeichnisse:
(Keine Malware Objekte gefunden)
Infizierte Dateien:
C:\WINDOWS\system32\hgGaBqNh.dll (Trojan.Vundo) -> Quarantined and deleted successfully. |
20.05.2008, 11:31 | #12 |
| Evaluation of hijackthis log-file and finally the new HijackThis log: Logfile of HijackThis v1.99.1 [edit] please edit your links in future, as is shown to you here, among other places: http://www.trojaner-board.de/22771-a...tml#post171958 thanks GUA [/edit] |
20.05.2008, 11:34 | #13 |
| Evaluation of hijackthis log-file Hi, that looks better now; let's bring in a second scanner, Prevx: Prevx CSI - FREE Malware Scanner. Post the log if it still finds anything (apart from cookies)... chris
20.05.2008, 12:02 | #14 |
| Evaluation of hijackthis log-file Hi. It found 5 files:
C:\WINDOWS\system32\mUAtULD.dll.vir Cloaked Malware
C:\WINDOWS\system32\sdpvaqvl.dll Cloaked Malware
C:\WINDOWS\system32\spwxxkia.dll Cloaked Malware
C:\WINDOWS\system32\xenjrbjf.dll Cloaked Malware
C:\Dokumente und Einstellungen\Notti\Desktop\SmitfraudFix.. Malicious Software
The files could not be removed, because it is only a trial version. Best regards menelvagor |
20.05.2008, 15:03 | #15 | |
| Evaluation of hijackthis log-file Hi, please delete the files with Avenger (continue at step 2 of the earlier Avenger instructions): Quote:
Something is brewing here... I want to know where they are started, if anywhere; download Registry Search by Bobbi Flekman <http://virus-protect.org/artikel/tools/regsearch.html> and double-click it to start. In "Enter search strings" (type or paste it in) enter sdpvaqvl.dll in the edit box and click "Ok". Notepad will open - post the text. Search for the remaining files and post the result for those as well! Thanks! Then scan again with PrevX! (I hope the things haven't been acting as downloaders and already pulled in fresh "trouble"!) chris
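The registry search chris asks for above can also be done without a separate download. What follows is an added example, my own PowerShell and not code from the thread or from Registry Search itself: it walks the HKLM and HKCU hives and reports every value whose data, and every key whose name, contains the search string, so you can see where a named DLL is still registered to load. It assumes PowerShell is available on the affected machine; the four file names are the ones Prevx reported in post #14, and the list of hives to walk is my choice.

```powershell
# Added example (not from the thread): a small substitute for the "Registry
# Search" step. Reports every registry value or key name under the chosen
# hives that contains the search string.
function Find-RegistryReference {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Pattern,
        # Hives where load points live; HKLM:\SOFTWARE includes Classes\CLSID.
        [string[]] $Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\Software')
    )
    $wild = "*$Pattern*"
    foreach ($root in $Roots) {
        # SilentlyContinue skips keys the current account is not allowed to read.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # A CLSID or Notify subkey named after the DLL is itself a finding.
            if ($key.PSChildName -like $wild) {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = $key.PSChildName }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                # REG_MULTI_SZ comes back as string[]; flatten it so -like sees every element.
                if ($data -is [array]) { $data = $data -join ' ' }
                if ($data -is [string] -and $data -like $wild) {
                    $display = if ($name -eq '') { '(Default)' } else { $name }
                    [pscustomobject]@{ Key = $key.Name; Value = $display; Data = $data }
                }
            }
        }
    }
}

# Usage: run from an elevated PowerShell prompt on the affected machine.
# File names as reported by Prevx in this thread.
$suspects = 'mUAtULD.dll', 'sdpvaqvl.dll', 'spwxxkia.dll', 'xenjrbjf.dll'
foreach ($dll in $suspects) {
    "=== $dll ==="
    Find-RegistryReference -Pattern $dll | Format-Table -AutoSize | Out-String
}
```

Any hit under a Run key, a Browser Helper Objects CLSID, or Winlogon\Notify is a load point through which the DLL is started again at logon or when the browser opens, which is exactly what the question about where the files are started is meant to find out; a DLL with no remaining reference is usually a leftover that was never cleaned up rather than something still active.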