Trojaner-Board

Thread: Spyware Problem!!!! (https://www.trojaner-board.de/52703-spyware-problem.html), forum "Log-Analyse und Auswertung"

tech-checker 20.05.2008 12:06

Spyware Problem!!!!
 
Hello,

I've had a problem with my computer for a few days.
Every few minutes Internet Explorer opens; before that, the desktop background was overlaid with a website.
I've already run AntiVir and Spybot over it; they found quite a lot, but the problem described above remained.

Here is my HijackThis logfile:
Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:55, on 20.05.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programme\Java\jre1.6.0_02\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Visagesoft\eXPert PDF\vspdfprsrv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\jonas\hijack\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4F2194FF-4E9C-4948-A5FB-E5D7A05AAB9E} - C:\WINDOWS\system32\pmnlmkHX.dll (file missing)
O2 - BHO: (no name) - {5753B631-0FBA-4425-A481-8A9BAA143122} - C:\WINDOWS\system32\ljJCsqQg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {BED9844F-9E6B-4399-868F-941040738630} - C:\WINDOWS\system32\ljJAqOGV.dll (file missing)
O2 - BHO: QXK Rhythm - {D4E26A3A-80E0-4467-B116-4F0DC4441C4A} - C:\WINDOWS\fvowketqxfo.dll (file missing)
O2 - BHO: (no name) - {F24B1126-27A6-4FF4-B6FF-421DC14C31E2} - C:\WINDOWS\system32\nnnmjGvw.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: pvnsmfor - {755F70ED-8112-4AEA-B77B-E11296C79DA7} - C:\WINDOWS\pvnsmfor.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [LexwareInfoService] C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Programme\ASUS\AASP\1.00.17\AsRunHelp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vspdfprsrv.exe] C:\Programme\Visagesoft\eXPert PDF\vspdfprsrv.exe --background
O4 - HKLM\..\Run: [1ca9684a] rundll32.exe "C:\WINDOWS\system32\rnaxtosn.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Programme\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Zahlungserinnerung.lnk = C:\Programme\Profi cash\wzed.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = concepcion.concepcion
O17 - HKLM\Software\..\Telephony: DomainName = concepcion.concepcion
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = concepcion.concepcion
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = concepcion.concepcion
O18 - Protocol: haufereader - (no CLSID) - (no file)
O20 - Winlogon Notify: pmnlmkHX - C:\WINDOWS\
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\
O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\
O21 - SSODL: vbksrofa - {79692599-6B4E-4C05-8926-F592B74C09BD} - C:\WINDOWS\vbksrofa.dll (file missing)
O21 - SSODL: mpfanvqg - {1888CA45-200D-4EBF-BB1A-56F4C430BB3A} - C:\WINDOWS\mpfanvqg.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Haufe iDesk-Service in C:\Programme\Haufe\iDesk\iDeskService\Zope (HRService) - Unknown owner - C:\Programme\Haufe\iDesk\iDeskService\iDeskService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7015 bytes

Please help me!!!
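What stands out in a HijackThis log like the one above is not any single line but a pattern: BHO and toolbar registrations whose DLL is already gone, a Run value named with a bare hex string that loads a DLL through a one-letter export via rundll32, Winlogon Notify entries whose "path" is only a directory, SSODL entries pointing into the Windows root, and an Active Desktop component served from a local HTML file. The script below is an added example written for this page, not code from the thread or from HijackThis: it scores a few constructed sample lines with those heuristics. The rule weights, the 2-point threshold and the "five consonants in a row" name check are assumptions of the example, and a hit means "look closer", not "malicious".

```python
"""Heuristic triage of HijackThis log lines.

Added example for this thread, not code from the original post or from
HijackThis itself. The sample lines are constructed from the kinds of
entries shown in the thread; the rules and their weights are this
example's own assumptions, not a published ruleset.
"""
import re

# Constructed sample in HijackThis format (not the full log from the post).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4F2194FF-4E9C-4948-A5FB-E5D7A05AAB9E} - C:\WINDOWS\system32\pmnlmkHX.dll (file missing)
O2 - BHO: QXK Rhythm - {D4E26A3A-80E0-4467-B116-4F0DC4441C4A} - C:\WINDOWS\fvowketqxfo.dll (file missing)
O3 - Toolbar: pvnsmfor - {755F70ED-8112-4AEA-B77B-E11296C79DA7} - C:\WINDOWS\pvnsmfor.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [1ca9684a] rundll32.exe "C:\WINDOWS\system32\rnaxtosn.dll",b
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\
O21 - SSODL: mpfanvqg - {1888CA45-200D-4EBF-BB1A-56F4C430BB3A} - C:\WINDOWS\mpfanvqg.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# A module sitting directly in the Windows root rather than system32 or Program Files.
WINDIR_ROOT_MODULE = re.compile(r"[A-Za-z]:\\WINDOWS\\[^\\\s]+\.(?:dll|exe)\b", re.IGNORECASE)
# Run value whose name is a bare hex string, e.g. [1ca9684a].
HEX_VALUE_NAME = re.compile(r"\[[0-9a-f]{6,}\]", re.IGNORECASE)
# rundll32 loading a DLL by a one- or two-letter export name, e.g. "x.dll",b
RUNDLL_SHORT_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]+\.dll"?,\s*\w{1,2}\b', re.IGNORECASE)
# Pure-letter module basename preceded by a backslash.
MODULE_BASENAME = re.compile(r"\\(?P<base>[A-Za-z]+)\.(?:dll|exe|sys)\b")
# Five or more consecutive consonants: weak signal for a generated name (assumed threshold).
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}", re.IGNORECASE)


def score_line(line):
    """Return (score, reasons) for one HijackThis line; (0, []) for lines with no signal."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return 0, []
    sec, body = m.group("sec"), m.group("body")
    score, reasons = 0, []

    if sec in ("O2", "O3", "O21") and "(file missing)" in body:
        score += 2
        reasons.append("COM registration points at a file that no longer exists")
    if sec in ("O2", "O3", "O20", "O21") and WINDIR_ROOT_MODULE.search(body):
        score += 2
        reasons.append("module lives directly in the Windows root directory")
    if sec == "O4":
        if HEX_VALUE_NAME.search(body):
            score += 3
            reasons.append("Run value named with a bare hex string")
        if RUNDLL_SHORT_EXPORT.search(body):
            score += 2
            reasons.append("rundll32 calls a DLL through a one- or two-letter export")
    if sec == "O20" and body.rstrip().endswith("\\"):
        score += 3
        reasons.append("Winlogon Notify DLL path is only a directory")
    if sec == "O24" and "file://" in body.lower():
        score += 3
        reasons.append("Active Desktop component served from a local file")
    for pm in MODULE_BASENAME.finditer(body):
        if CONSONANT_RUN.search(pm.group("base")):
            score += 1
            reasons.append("random-looking module name %s" % pm.group("base"))
            break
    return score, reasons


def triage(log_text, threshold=2):
    """Score every line; return [(score, line, reasons)] at or above threshold, highest first."""
    hits = []
    for line in log_text.splitlines():
        score, reasons = score_line(line)
        if score >= threshold:
            hits.append((score, line.strip(), reasons))
    hits.sort(key=lambda h: -h[0])
    return hits


if __name__ == "__main__":
    for score, line, reasons in triage(SAMPLE_LOG):
        print("[%d] %s\n     %s" % (score, line, "; ".join(reasons)))
```

Running it on the sample flags seven of the nine lines and leaves the Adobe BHO and the Avira Run entry alone. The name heuristic is deliberately worth only one point: legitimate names such as msmsgs.exe or vspdfprsrv.exe also contain long consonant runs, so it only tips a line over the threshold when a structural signal is already present.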

undoreal 20.05.2008 12:47

Hi there.

You've really shovelled quite a lot onto your computer..


1) Disable System Restore on all drives. Once the cleanup is COMPLETELY finished it can be enabled again.

2) Uninstall Java via the Control Panel.

3) Please run Blacklight and post the log..

4) Run Silent Runners and post the logfile.

5) Follow these instructions.

6) Run ComboFix. Post the text that appears.

7) Check your system with SASW.

8) Do a final malware check with Malwarebytes.

9) Check your system with the ESET Online Scanner. (After the scan, click "Print this Page" in the top right corner and copy the window that follows into your post.)

10) Clean up with CCleaner. (Items 1 and 2)

11) Run an escan and post the log evaluated with the help of find.bat.

12) Post a fresh HijackThis log as well as an iClean report (open the program in its own folder -> "Yes" -> File -> Report).
Note on the iClean report: please shorten the 032 and 033 redirected entries in the log. (These were created by Spybot.)



tech-checker 20.05.2008 14:52

so...
first of all, a really big thank you for your help!!!
I didn't do all the scans... didn't have time for that...
but I'll give you each scan that I did do.

blacklight
Code:

05/20/08 14:01:23 [Info]: BlackLight Engine 1.0.70 initialized
05/20/08 14:01:23 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/20/08 14:01:23 [Note]: 7019 4
05/20/08 14:01:23 [Note]: 7005 0
05/20/08 14:01:27 [Note]: 7006 0
05/20/08 14:01:27 [Note]: 7011 3824
05/20/08 14:01:27 [Note]: 7035 0
05/20/08 14:01:27 [Note]: 7026 0
05/20/08 14:01:27 [Note]: 7026 0
05/20/08 14:01:30 [Note]: FSRAW library version 1.7.1024
05/20/08 14:09:34 [Note]: 7007 0

combofix
Code:

ComboFix 08-05-19.4 - Administrator 2008-05-20 14:19:06.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1031.18.1444 [GMT 2:00]
Running from: C:\jonas\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((  Other Deletions  ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dvsycbec.ini
C:\WINDOWS\system32\gQqsCJjl.ini
C:\WINDOWS\system32\gQqsCJjl.ini2
C:\WINDOWS\system32\gtornyhu.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nsotxanr.ini
C:\WINDOWS\system32\qavntlff.ini
C:\WINDOWS\system32\VGOqAJjl.ini
C:\WINDOWS\system32\VGOqAJjl.ini2
C:\WINDOWS\system32\wvGjmnnn.ini
C:\WINDOWS\system32\wvGjmnnn.ini2

.
(((((((((((((((((((((((  Files Created from 2008-04-20 to 2008-05-20  ))))))))))))))))))))))))))))))
.

2008-05-20 14:05 . 2008-05-20 14:12        2,520        --a------        C:\WINDOWS\system32\tmp.reg
2008-05-20 13:57 . 2008-05-20 13:57        <DIR>        d--------        C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Lexware
2008-05-20 12:24 . 2008-05-20 12:24        <DIR>        d--------        C:\Dokumente und Einstellungen\Jonas\Anwendungsdaten\Lexware
2008-05-20 12:23 . 2008-01-28 12:49        <DIR>        d--h-----        C:\Dokumente und Einstellungen\Jonas\Vorlagen
2008-05-20 12:23 . 2008-01-28 12:19        <DIR>        dr-------        C:\Dokumente und Einstellungen\Jonas\Startmenü
2008-05-20 12:23 . 2008-01-28 12:19        <DIR>        d--h-----        C:\Dokumente und Einstellungen\Jonas\Netzwerkumgebung
2008-05-20 12:23 . 2008-05-20 13:29        <DIR>        d--h-----        C:\Dokumente und Einstellungen\Jonas\Lokale Einstellungen
2008-05-20 12:23 . 2008-05-20 12:23        <DIR>        dr-------        C:\Dokumente und Einstellungen\Jonas\Favoriten
2008-05-20 12:23 . 2008-05-20 13:31        <DIR>        dr-------        C:\Dokumente und Einstellungen\Jonas\Eigene Dateien
2008-05-20 12:23 . 2008-01-28 12:19        <DIR>        d--h-----        C:\Dokumente und Einstellungen\Jonas\Druckumgebung
2008-05-20 12:23 . 2008-05-20 12:26        <DIR>        dr-h-----        C:\Dokumente und Einstellungen\Jonas\Anwendungsdaten
2008-05-20 12:23 . 2008-05-20 13:57        <DIR>        d--------        C:\Dokumente und Einstellungen\Jonas
2008-05-20 12:23 . 2008-05-20 14:18        1,024        --ah-----        C:\Dokumente und Einstellungen\Jonas\ntuser.dat.LOG
2008-05-20 09:34 . 2008-05-20 09:34        <DIR>        d--------        C:\A. SCHNEIDENBACH
2008-05-19 15:04 . 2008-05-19 15:04        <DIR>        d--------        C:\Dokumente und Einstellungen\LocalService\Eigene Dateien
2008-05-19 13:08 . 2008-05-19 13:08        <DIR>        d--------        C:\Programme\Avira
2008-05-19 13:08 . 2008-05-19 13:08        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-05-19 07:57 . 2008-05-19 07:57        90,752        --a------        C:\WINDOWS\system32\rnaxtosn.dll
2008-05-16 13:47 . 2008-05-16 13:47        91,776        ---------        C:\WINDOWS\system32\ffltnvaq.dll
2008-05-16 12:39 . 2008-05-19 12:59        318        --a------        C:\WINDOWS\wininit.ini
2008-05-16 11:54 . 2008-05-16 11:54        <DIR>        d--------        C:\Programme\Spybot - Search & Destroy
2008-05-16 11:54 . 2008-05-16 12:40        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-16 10:54 . 2008-05-16 10:54        193        --a------        C:\WINDOWS\system32\bugsConfig.cfg
2008-05-16 10:36 . 2008-05-16 10:36        <DIR>        d--------        C:\!KillBox
2008-05-16 10:06 . 2008-05-20 14:17        <DIR>        d--------        C:\jonas
2008-05-16 07:30 . 2008-05-16 07:30        91,264        --a------        C:\WINDOWS\system32\cebcysvd.dll
2008-05-16 07:29 . 2008-05-16 07:29        <DIR>        d--------        C:\Dokumente und Einstellungen\Andreas\Anwendungsdaten\TmpRecentIcons
2008-05-16 07:29 . 2008-05-20 07:27        0        --ah-----        C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-15 15:26 . 2008-05-16 10:48        160,256        --a------        C:\WINDOWS\system32\blackster.scr
2008-05-15 15:26 . 2008-05-15 03:48        135,168        --a------        C:\WINDOWS\epfg.exe
2008-05-15 15:26 . 2008-05-15 03:49        81,920        --a------        C:\WINDOWS\oadkxrts.exe
2008-05-15 10:45 . 2008-05-15 10:49        <DIR>        d--------        C:\Temp
2008-05-08 11:30 . 2008-05-08 11:30        <DIR>        d--------        C:\Programme\IGC
2008-05-08 11:30 . 2008-05-08 11:48        <DIR>        d--------        C:\Dokumente und Einstellungen\Andreas\IGC
2008-05-08 11:30 . 2003-05-28 12:19        245,408        -r-------        C:\WINDOWS\system32\unicows.dll
2008-05-08 10:55 . 2008-05-08 10:55        1,115,704        --a------        C:\WINDOWS\system32\O2CPlayer.OCX
2008-05-08 10:52 . 2008-05-08 10:52        <DIR>        d--------        C:\WINDOWS\planTEK
2008-05-08 10:52 . 2008-05-08 10:55        <DIR>        d--------        C:\Programme\ArCon
2008-05-08 10:52 . 1996-01-12 01:00        722,192        --a------        C:\WINDOWS\system32\VB40032.DLL
2008-05-08 10:52 . 1998-06-24 01:00        525,352        --a------        C:\WINDOWS\system32\DBGRID32.OCX
2008-05-08 10:52 . 2001-04-06 12:42        323,584        --a------        C:\WINDOWS\system32\AcShlExt.dll
2008-05-08 10:52 . 2000-05-22 01:00        244,416        --a------        C:\WINDOWS\system32\MSFLXGRD.OCX
2008-05-08 10:52 . 1995-09-24 12:02        243,472        --a------        C:\WINDOWS\system32\vbar2232.dll
2008-05-08 10:52 . 1998-06-24 01:00        200,496        --a------        C:\WINDOWS\system32\DBLIST32.OCX
2008-05-08 10:52 . 1998-06-24 01:00        164,144        --a------        C:\WINDOWS\system32\COMCT232.OCX
2008-05-08 10:52 . 2000-05-22 01:00        140,488        --a------        C:\WINDOWS\system32\COMDLG32.OCX
2008-05-08 10:52 . 1997-02-26 01:00        99,134        --a------        C:\WINDOWS\system32\VB5DE.DLL
2008-05-06 14:54 . 2008-05-06 14:55        <DIR>        d--------        C:\Programme\Google
2008-05-06 14:54 . 2008-05-20 09:02        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google Updater

.
((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 12:11        ---------        d-----w        C:\Programme\OPTIGEM1
2008-05-09 07:12        ---------        d-----w        C:\Programme\FreePDF_XP
2008-05-08 09:30        ---------        d--h--w        C:\Programme\InstallShield Installation Information
2008-05-06 14:03        ---------        d-----w        C:\Programme\Profi cash
2008-03-28 07:31        ---------        d-----w        C:\Programme\Grips
2008-03-25 04:51        621,344        ----a-w        C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51        187,168        ----a-w        C:\WINDOWS\system32\msjint40.dll
2008-03-20 09:20        ---------        d-----w        C:\Programme\SoftLevel
2008-03-20 09:15        ---------        d-----w        C:\Dokumente und Einstellungen\Andreas\Anwendungsdaten\SoftLevel
2008-03-20 08:03        1,845,376        ----a-w        C:\WINDOWS\system32\win32k.sys
2008-03-01 12:54        826,368        ----a-w        C:\WINDOWS\system32\wininet.dll
2008-02-20 06:50        282,624        ----a-w        C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33        45,568        ----a-w        C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F2194FF-4E9C-4948-A5FB-E5D7A05AAB9E}]
                        C:\WINDOWS\system32\pmnlmkHX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5753B631-0FBA-4425-A481-8A9BAA143122}]
                        C:\WINDOWS\system32\ljJCsqQg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BED9844F-9E6B-4399-868F-941040738630}]
                        C:\WINDOWS\system32\ljJAqOGV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4E26A3A-80E0-4467-B116-4F0DC4441C4A}]
                        C:\WINDOWS\fvowketqxfo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F24B1126-27A6-4FF4-B6FF-421DC14C31E2}]
                        C:\WINDOWS\system32\nnnmjGvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{755F70ED-8112-4AEA-B77B-E11296C79DA7}"= "C:\WINDOWS\pvnsmfor.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{755f70ed-8112-4aea-b77b-e11296c79da7}]
[HKEY_CLASSES_ROOT\pvnsmfor.1]
[HKEY_CLASSES_ROOT\TypeLib\{4DF01EBE-8007-450D-811C-2E1DD5923664}]
[HKEY_CLASSES_ROOT\pvnsmfor]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-04-29 14:55 90112]
"LexwareInfoService"="C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe" [2007-09-25 14:59 532776]
"AsusStartupHelp"="C:\Programme\ASUS\AASP\1.00.17\AsRunHelp.exe" [2006-11-15 08:25 363008]
"VTTimer"="VTTimer.exe" [2006-08-04 01:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-07-11 13:33 176128 C:\WINDOWS\system32\S3Trayp.exe]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2005-01-06 18:33 131584]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"vspdfprsrv.exe"="C:\Programme\Visagesoft\eXPert PDF\vspdfprsrv.exe" [2006-05-04 07:58 998912]
"1ca9684a"="C:\WINDOWS\system32\rnaxtosn.dll" [2008-05-19 07:57 90752]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F2194FF-4E9C-4948-A5FB-E5D7A05AAB9E}"= C:\WINDOWS\system32\pmnlmkHX.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vbksrofa"= {79692599-6B4E-4C05-8926-F592B74C09BD} - C:\WINDOWS\vbksrofa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlmkHX]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cwr85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jjJ62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mhH88.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mmc28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ojo33.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\uaP33.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yeT22.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Yyy14.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\SoftLevel\\BonusWWS\\BonusWWS.exe"=
"C:\\Programme\\SoftLevel\\BonusWWS\\SIUS.EXE"=

R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-09-12 21:43]
S0 Cwr85;Cwr85;C:\WINDOWS\system32\Drivers\Cwr85.sys []
S0 jjJ62;jjJ62;C:\WINDOWS\system32\Drivers\jjJ62.sys []
S0 mhH88;mhH88;C:\WINDOWS\system32\Drivers\mhH88.sys []
S0 Mmc28;Mmc28;C:\WINDOWS\system32\Drivers\Mmc28.sys []
S0 Ojo33;Ojo33;C:\WINDOWS\system32\Drivers\Ojo33.sys []
S0 uaP33;uaP33;C:\WINDOWS\system32\Drivers\uaP33.sys []
S0 yeT22;yeT22;C:\WINDOWS\system32\Drivers\yeT22.sys []
S0 Yyy14;Yyy14;C:\WINDOWS\system32\Drivers\Yyy14.sys []
S3 HRService;Haufe iDesk-Service in C:\Programme\Haufe\iDesk\iDeskService\Zope;"C:\Programme\Haufe\iDesk\iDeskService\iDeskService.exe" [2007-11-08 04:20]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 14:22:53
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes ...

Scanning hidden autostart entries ...

Scanning hidden files ...

Scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-05-20 14:27:36 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-20 12:27:32

              11 Directory(ies), 151,085,846,528 bytes free
              13 Directory(ies), 151,120,134,144 bytes free

196        --- E O F ---        2008-05-14 06:01:19
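Two things in the ComboFix log above only become visible when its sections are read against each other: the Run value "1ca9684a" points at C:\WINDOWS\system32\rnaxtosn.dll, which the "Files Created" section shows was written the day before the scan, and the eight S0 (boot-start) drivers with an empty "[]" after their path, meaning ComboFix found no file, are each also registered under SafeBoot\Minimal so that they would load even in Safe Mode. The script below is an added example written for this page, not code from the thread or from ComboFix: it parses a constructed excerpt in ComboFix's layout and performs exactly those two correlations. The section layout it expects and the two rules are assumptions of the example.

```python
"""Cross-section triage of a ComboFix log.

Added example for this thread, not code from the original post or from
ComboFix. SAMPLE_LOG is a constructed excerpt in ComboFix's layout, built
from the kinds of lines in the thread; the two rules (autostart targets
that appear in the "Files Created" section, and boot-start drivers with
no file that are also registered for Safe Mode) are this example's own.
"""
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((  Files Created from 2008-04-20 to 2008-05-20  ))))))))))))))))))))))))))))))
.
2008-05-19 13:08 . 2008-05-19 13:08        <DIR>        d--------        C:\Programme\Avira
2008-05-19 07:57 . 2008-05-19 07:57        90,752        --a------        C:\WINDOWS\system32\rnaxtosn.dll
2008-05-16 13:47 . 2008-05-16 13:47        91,776        ---------        C:\WINDOWS\system32\ffltnvaq.dll
2008-05-15 15:26 . 2008-05-15 03:48        135,168        --a------        C:\WINDOWS\epfg.exe
.
((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-04-29 14:55 90112]
"1ca9684a"="C:\WINDOWS\system32\rnaxtosn.dll" [2008-05-19 07:57 90752]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cwr85.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jjJ62.sys]
@="Driver"

R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-09-12 21:43]
S0 Cwr85;Cwr85;C:\WINDOWS\system32\Drivers\Cwr85.sys []
S0 jjJ62;jjJ62;C:\WINDOWS\system32\Drivers\jjJ62.sys []
S3 HRService;Haufe iDesk-Service;"C:\Programme\Haufe\iDesk\iDeskService\iDeskService.exe" [2007-11-08 04:20]
"""

# "created . modified  size  attrs  path" rows of the Files Created section
CREATED = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+\s+(?P<size>[\d,]+|<DIR>)\s+\S+\s+(?P<path>[A-Za-z]:\\\S.*?)\s*$")
REG_KEY = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# "S0 name;display;path [stamp]" service rows; an empty stamp means no file was found
SERVICE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$")
SAFEBOOT = re.compile(r"\\Control\\SafeBoot\\Minimal\\(?P<entry>[^\]]+)$", re.IGNORECASE)
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)


def parse(log_text):
    """Extract created files, Run values, SafeBoot\\Minimal entries and service rows."""
    created, run_values, safeboot, services = {}, [], set(), []
    key = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = CREATED.match(line)
        if m and m.group("size") != "<DIR>":
            created[m.group("path").lower()] = m.group("created")
            continue
        m = REG_KEY.match(line)
        if m:
            key = m.group("key")
            sb = SAFEBOOT.search(key)
            if sb:
                safeboot.add(sb.group("entry").lower())
            continue
        m = REG_VALUE.match(line)
        if m and key and key.lower().endswith("\\currentversion\\run"):
            run_values.append((m.group("name"), m.group("path")))
            continue
        m = SERVICE.match(line)
        if m:
            services.append((m.group("start"), m.group("name"), m.group("path").strip('"'), m.group("stamp")))
    return created, run_values, safeboot, services


def correlate(log_text):
    """Return [(kind, name, path, why)] for Run targets created inside the log's
    window and for boot-start drivers whose file is missing."""
    created, run_values, safeboot, services = parse(log_text)
    findings = []
    for name, path in run_values:
        when = created.get(path.lower())
        if when:
            why = "autostart target created %s" % when
            if HEX_NAME.match(name):
                why += "; value name is a bare hex string"
            findings.append(("run", name, path, why))
    for start, name, path, stamp in services:
        if start == "S0" and not stamp:
            why = "boot-start driver with no file on disk"
            if (name + ".sys").lower() in safeboot:
                why += "; also registered under SafeBoot\\Minimal"
            findings.append(("driver", name, path, why))
    return findings


if __name__ == "__main__":
    for kind, name, path, why in correlate(SAMPLE_LOG):
        print("%-6s %-10s %s\n       %s" % (kind, name, path, why))
```

On the sample this yields one Run finding (1ca9684a, created 2008-05-19 07:57, hex value name) and two driver findings (Cwr85, jjJ62), both with the SafeBoot note. A boot-start driver that has no file yet survives a ComboFix run is worth a second look with a rootkit scanner, which is exactly what the catchme section of the same log is for.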


tech-checker 20.05.2008 14:53

silent runners
Code:

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" ["Symantec Corporation"]
"LexwareInfoService" = "C:\Programme\Gemeinsame Dateien\Lexware\Update Manager\LxUpdateManager.exe /autostart" [null data]
"AsusStartupHelp" = "C:\Programme\ASUS\AASP\1.00.17\AsRunHelp.exe" [null data]
"VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."]
"S3Trayp" = "S3trayp.exe" ["S3 Graphics Co., Ltd."]
"FreePDF Assistant" = "C:\Programme\FreePDF_XP\fpassist.exe" [null data]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"vspdfprsrv.exe" = "C:\Programme\Visagesoft\eXPert PDF\vspdfprsrv.exe --background" ["Visagesoft"]
"1ca9684a" = "rundll32.exe "C:\WINDOWS\system32\rnaxtosn.dll",b" [MS]
"avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4F2194FF-4E9C-4948-A5FB-E5D7A05AAB9E}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\pmnlmkHX.dll" [file not found]
{5753B631-0FBA-4425-A481-8A9BAA143122}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\ljJCsqQg.dll" [file not found]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                  \InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Germany GmbH"]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
                  \InProcServer32\(Default) = "C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll" ["Google Inc."]
{BED9844F-9E6B-4399-868F-941040738630}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\ljJAqOGV.dll" [file not found]
{D4E26A3A-80E0-4467-B116-4F0DC4441C4A}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "QXK Rhythm"
                  \InProcServer32\(Default) = "C:\WINDOWS\fvowketqxfo.dll" [file not found]
{F24B1126-27A6-4FF4-B6FF-421DC14C31E2}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\nnnmjGvw.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                  \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {HKLM...CLSID} = "VpshellEx Class"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
                  \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\OPTIGEM\Office\soa800.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                  \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{4F2194FF-4E9C-4948-A5FB-E5D7A05AAB9E}" = "*b" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\pmnlmkHX.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"vbksrofa" = "{79692599-6B4E-4C05-8926-F592B74C09BD}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\vbksrofa.dll" [file not found]
"mpfanvqg" = "{1888CA45-200D-4EBF-BB1A-56F4C430BB3A}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\mpfanvqg.dll" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\ljJAqOGV"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                  \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {HKLM...CLSID} = "VpshellEx Class"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                  \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Grüne Idylle.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Grüne Idylle.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Google Updater" -> shortcut to: "C:\Programme\Google\Google Updater\GoogleUpdater.exe -systray -startup" ["Google"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Zahlungserinnerung" -> shortcut to: "C:\Programme\Profi cash\wzed.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                  \InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Germany GmbH"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
                  \InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Germany GmbH"]
"{755F70ED-8112-4AEA-B77B-E11296C79DA7}" = (no title provided)
  -> {HKLM...CLSID} = "pvnsmfor"
                  \InProcServer32\(Default) = "C:\WINDOWS\pvnsmfor.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Avira AntiVir Personal – Free Antivirus Guard, AntiVirService, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal – Free Antivirus Planer, AntiVirScheduler, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
DefWatch, DefWatch, "C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe" ["Symantec Corporation"]
Google Updater Service, gusvc, ""C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe" ["Symantec Corporation"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
CPCA Language Monitor2\Driver = "AUCPLMNT.DLL" ["CANON INC."]
Redirected Port\Driver = "redmonnt.dll" [null data]
VSP1:\Driver = "vsmon1.dll" [null data]


---------- (launch time: 2008-05-20 14:03:48)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 53 seconds, including 11 seconds for message boxes)

SmitFraudFix
Code:

SmitFraudFix v2.320

Scan done at 14:12:12,62, 20.05.2008
Run from C:\jonas\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1      localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\mpfanvqg.dll deleted.


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C012F816-1EF2-4E17-8708-1ED8CC5C9E12}: DhcpNameServer=192.168.40.251
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C012F816-1EF2-4E17-8708-1ED8CC5C9E12}: DhcpNameServer=192.168.40.251
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C012F816-1EF2-4E17-8708-1ED8CC5C9E12}: DhcpNameServer=192.168.40.251
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.40.251
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.40.251
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.40.251


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

The error described above has not occurred again!!!

undoreal 20.05.2008 15:26

Are you actually running two antivirus programs? They get in each other's way! Uninstall Symantec/Norton and then run the removal tool.

Do you have a Remote Administration Tool running on your computer??



Avenger instructions (by swandog46)

1.) Download the Avenger tool and save it to the desktop:


http://saved.im/mjy0mthybjrp/avenger.bmp



2.) Configure the program as shown in the picture.

Now copy the following text into the white field (at -> "input script here"):


Code:

Files to delete:
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\ffltnvaq.dll
C:\WINDOWS\system32\bugsConfig.cfg
C:\WINDOWS\system32\cebcysvd.dll
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\epfg.exe
C:\WINDOWS\oadkxrts.exe
C:\WINDOWS\system32\O2CPlayer.OCX
C:\WINDOWS\system32\unicows.dll
C:\WINDOWS\system32\pmnlmkHX.dll
C:\WINDOWS\system32\ljJCsqQg.dll
C:\WINDOWS\system32\ljJAqOGV.dll
C:\WINDOWS\fvowketqxfo.dll
C:\WINDOWS\system32\nnnmjGvw.dll
C:\WINDOWS\pvnsmfor.dll
C:\WINDOWS\system32\pmnlmkHX.dll
C:\WINDOWS\vbksrofa.dll

3.) Now close all programs (save your work first if necessary!) and browser windows; after Avenger has run, the system will be restarted.


4.) To start Avenger, click on -> Execute
Then confirm with "Yes" that the computer will restart!

5.) After the system has restarted, you will find a report from Avenger here -> C:\avenger.txt
Open the file with Notepad and copy the entire text into your post here on Trojaner-Board.



Have files checked online:


* Also make hidden files visible!

* Go to the VirusTotal website. Copy the following file path via copy and paste into the input field next to the "Browse" button. Then click on "Send file"!

* Alternatively, you can of course also pick the file yourself via the "Browse" button.

Quote:


C:\WINDOWS\system32\rnaxtosn.dll
C:\WINDOWS\system32\VB40032.DLL
C:\WINDOWS\system32\DBLIST32.OCX
C:\WINDOWS\system32\VB5DE.DLL
C:\WINDOWS\system32\mswstr10.dll
C:\WINDOWS\system32\msjint40.dll
C:\Programme\Haufe\iDesk\iDeskService\iDeskService.exe
C:\Programme\Profi cash\wzed.exe

Now upload each of the files one after the other and wait until the scan is finished (this can take up to 2 minutes).
* Afterwards post the result of the analysis: copy everything and paste it into a post.
(Important: also copy the size and the HASH!)


Please search your computer, as described in my signature, for the following files:
pmnlmkHX , Cwr85.sys , WinCtrl32 , jjJ62.sys , mhH88.sys , Mmc28.sys , Ojo33.sys , uaP33.sys , yeT22.sys , Yyy14.sys , sessmgr.exe , BonusWWS.exe , SIUS.EXE ,
Please post what was found and where. The complete file paths are important.


Then continue with steps 7-12.
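The two manual steps above (locate the listed file names anywhere on the disk, hidden folders included, then report full path, size and hash for each hit) can be done in one pass. The following Python script is an added example, not code from the post or from Trojaner-Board; the search roots passed to `find_wanted` are an assumption (the drives to walk on the affected machine), and the name list is taken from the post.

```python
import hashlib
import os
from pathlib import Path

# Names the helper asked the user to locate (taken from the post above). Matching is
# case-insensitive; a bare stem such as "pmnlmkHX" matches any extension.
WANTED = ["pmnlmkHX", "Cwr85.sys", "WinCtrl32", "jjJ62.sys", "mhH88.sys", "Mmc28.sys",
          "Ojo33.sys", "uaP33.sys", "yeT22.sys", "Yyy14.sys", "sessmgr.exe",
          "BonusWWS.exe", "SIUS.EXE"]


def _matches(filename: str, wanted: str) -> bool:
    """Case-insensitive compare; a wanted name without extension matches on the stem."""
    f, w = filename.lower(), wanted.lower()
    return f == w or ("." not in w and Path(f).stem == w)


def file_report(path: Path) -> dict:
    """Size plus MD5 and SHA-256: the values the helper wants pasted next to the scan result."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"path": str(path), "size": path.stat().st_size,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def find_wanted(roots, wanted=WANTED):
    """Walk every root (os.walk does not skip hidden entries) and report each matching file."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if any(_matches(name, w) for w in wanted):
                    hits.append(file_report(Path(dirpath) / name))
    return hits


if __name__ == "__main__":
    # Assumed roots: on the affected XP machine this would be the fixed drives, e.g. [r"C:\"].
    for hit in find_wanted([Path.home()]):
        print(f'{hit["path"]}  {hit["size"]} bytes  MD5 {hit["md5"]}  SHA256 {hit["sha256"]}')
```

Each printed line carries exactly the details (full path, size, hash) the post asks to be included, so the output can be pasted into the reply as-is.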


Copyright ©2000-2025, Trojaner-Board
