Trojaner-Board

Log analysis and evaluation: Virus found -> quarantine -> restart -> no longer boots... (https://www.trojaner-board.de/59990-virus-gefunden-quarantaene-neustart-startet-mehr.html)

psrr 15.09.2008 22:33

Virus found -> quarantine -> restart -> no longer boots...
 
Hello first of all...

...and I've messed up! I ran an .exe file that I didn't trust from the start. However, I had AntiVir scan it beforehand and there were no alerts... afterwards, though, there were warnings ("You have a security problem.") in the form of a red shield with a white 'x', as you know it from Windows. On top of that came fake messages from the virus saying that my PC was at risk etc...

After that I ran a full system scan with AntiVir and it did find a virus, although I can't say for sure whether it was actually that virus... :( I put it in quarantine first, created a HijackThis logfile and did a restart, which was not a good idea...

After the restart my hard disk suddenly made loud noises and the PC froze. Another boot attempt didn't help...

I then tried booting with a Knoppix and an Ubuntu live CD, which didn't work either... the noises remained and the boot process aborted! Then I tried again in Windows Safe Mode and that worked... the noises stopped and since then I've been in Safe Mode and don't dare to leave it!! :heulen:

Can someone help me?? Please...

Many thanks in advance!

HijackThis file:

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50:21, on 15.09.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\xampp\apache\bin\apache.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Dokumente und Einstellungen\XXX\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
C:\Programme\Pidgin\pidgin.exe
C:\DOKUME~1\XXX\LOKALE~1\Temp\video207.cfg
C:\DOKUME~1\XXX\LOKALE~1\Temp\c.exe
C:\WINDOWS\system32\dqzexwdi.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\gtkhizut\yrelqhof.exe
c:\programme\avira\antivir personaledition classic\avcenter.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: HTML module - {74EBCFFB-AF2D-4dd4-A9BC-2AC12864B3EC} - C:\WINDOWS\system32\mshtml90.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\XXX\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Somefox] C:\DOKUME~1\XXX\LOKALE~1\Temp\video207.cfg.exe
O4 - HKCU\..\Run: [smartadmapl] C:\WINDOWS\system32\dqzexwdi.exe
O4 - HKLM\..\Policies\Explorer\Run: [28rnZUKy11] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\gtkhizut\yrelqhof.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-21-1844237615-838170752-1801674531-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Programme\PostgreSQL\8.3\bin\pg_ctl.exe

--
End of file - 4946 bytes


Mellosun 15.09.2008 23:21

Hello and :hallo:

So, you're in Safe Mode now? Maybe even with a network connection?

Do you still remember what the exe in question is called or where you got it from?

Some things can be made out in the log, but without an internet connection, or another computer that has one, it's going to be difficult!

Regards

psrr 15.09.2008 23:39

Hi!

Well, I have a second desktop here that I'm writing from right now... and my affected laptop is in Safe Mode, but without an internet connection.

The file was called something with "code" and a number... I don't remember exactly anymore! I can't find anything with the search function either!

Regards

Mellosun 15.09.2008 23:56

OK, there are now two options:

1.) You try to start the laptop in normal mode and carry out the steps below!

2.) You start in Safe Mode with Networking (not sure whether WLAN works there too, otherwise you have to use a LAN cable) and do it in Safe Mode!

Have the following files checked online at VirusTotal or Jotti:

Code:

C:\DOKUME~1\XXX\LOKALE~1\Temp\video207.cfg
C:\DOKUME~1\XXX\LOKALE~1\Temp\c.exe
C:\WINDOWS\system32\dqzexwdi.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\gtkhizut\yrelqhof.exe

Links to both sites are in my signature below the post! Please post the complete results even if nothing is found!
How to make files visible is also in my signature!

Download Malwarebytes, install it and update it! Run a scan according to the guide! Post the log and of course have everything that is found deleted!

New HijackThis log after the cleanup!

Regards
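How the four files listed above can be picked out of a HijackThis log mechanically, as an added example (not the forum's or HijackThis's own tooling): the log excerpt is a constructed subset of the one posted, and the list of Windows components that legitimately autostart per-user from system32 is an assumption of the heuristic, not an official list.

```python
"""Heuristic triage of a HijackThis log: which running processes and O4 autorun
entries deserve a hash lookup (VirusTotal/Jotti) before anything gets deleted."""
import re

# Constructed sample: a subset of the HijackThis log posted in this thread.
HJT_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Dokumente und Einstellungen\XXX\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
C:\DOKUME~1\XXX\LOKALE~1\Temp\video207.cfg
C:\DOKUME~1\XXX\LOKALE~1\Temp\c.exe
C:\WINDOWS\system32\dqzexwdi.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\gtkhizut\yrelqhof.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\XXX\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Somefox] C:\DOKUME~1\XXX\LOKALE~1\Temp\video207.cfg.exe
O4 - HKCU\..\Run: [smartadmapl] C:\WINDOWS\system32\dqzexwdi.exe
O4 - HKLM\..\Policies\Explorer\Run: [28rnZUKy11] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\gtkhizut\yrelqhof.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumption (heuristic, not an official list): the one Windows XP component that is
# normally started per-user out of system32. Anything else there under HKCU\Run is odd.
KNOWN_PER_USER_SYSTEM32 = {"ctfmon.exe"}


def command_path(cmd):
    """Extract the executable from an O4 command: '"path" /arg', 'path /arg' or
    'path (User ...)'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return re.split(r" /| \(User ", cmd)[0].strip()


def path_reasons(path):
    """Location- and name-based red flags that apply to any path in the log."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if "\\temp\\" in p:
        reasons.append("executes from a Temp directory")
    if "\\all users\\anwendungsdaten\\" in p or "\\all users\\application data\\" in p:
        reasons.append("executes from the shared (All Users) Application Data folder")
    if re.search(r"\.[a-z0-9]{1,4}\.exe$", name):  # e.g. video207.cfg.exe
        reasons.append("double extension hides the real file type")
    return reasons


def process_reasons(path):
    """A 'process' that is not an .exe (here video207.cfg) is a loader trick."""
    name = path.lower().rsplit("\\", 1)[-1]
    return [] if name.endswith(".exe") else ["running process without .exe extension"]


def autorun_reasons(key, path):
    """Red flags that depend on where the autorun entry is registered."""
    k, p = key.lower(), path.lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if "policies\\explorer\\run" in k:
        reasons.append("autorun via Policies\\Explorer\\Run, rarely used by legitimate software")
    if (k.startswith(("hkcu", "hkus")) and p.startswith("c:\\windows\\system32\\")
            and name not in KNOWN_PER_USER_SYSTEM32):
        reasons.append("per-user autorun of an unrecognised system32 binary")
    return reasons


def triage(log):
    """Return {lower-cased path: [reasons]} for every path with at least one red flag."""
    findings = {}
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = O4_RE.match(line)
        if m:
            path = command_path(m.group("cmd"))
            reasons = path_reasons(path) + autorun_reasons(m.group("key"), path)
        elif in_processes:
            path = line
            reasons = path_reasons(path) + process_reasons(path)
        else:
            continue                      # O2/O9/O23 lines are out of scope here
        if reasons:
            bucket = findings.setdefault(path.lower(), [])
            bucket.extend(r for r in reasons if r not in bucket)
    return findings


if __name__ == "__main__":
    for path, reasons in triage(HJT_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The heuristics deliberately stay location-based: random-looking names are not scored, because names such as igfxtray.exe (a real Intel component) would trip any cheap randomness test, so the output is a shortlist for hash lookup, not a verdict.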

psrr 16.09.2008 01:20

I used VirusTotal...

video207.cfg:
Code:

Datei video207.cfg empfangen 2008.09.16 01:08:09 (CET)
Antivirus        Version        letzte aktualisierung        Ergebnis
AhnLab-V3        2008.9.13.0        2008.09.15        -
AntiVir        7.8.1.28        2008.09.15        -
Authentium        5.1.0.4        2008.09.15        -
Avast        4.8.1195.0        2008.09.15        -
AVG        8.0.0.161        2008.09.15        SHeur.CJAY
BitDefender        7.2        2008.09.15        -
CAT-QuickHeal        9.50        2008.09.15        -
ClamAV        0.93.1        2008.09.15        -
DrWeb        4.44.0.09170        2008.09.15        -
eSafe        7.0.17.0        2008.09.15        -
eTrust-Vet        31.6.6090        2008.09.15        -
Ewido        4.0        2008.09.15        -
F-Prot        4.4.4.56        2008.09.14        -
F-Secure        8.0.14332.0        2008.09.16        -
Fortinet        3.113.0.0        2008.09.15        -
GData        19        2008.09.16        Trojan.Win32.FraudPack.nf
Ikarus        T3.1.1.34.0        2008.09.15        -
K7AntiVirus        7.10.457        2008.09.15        -
Kaspersky        7.0.0.125        2008.09.16        Trojan.Win32.FraudPack.nf
McAfee        5383        2008.09.12        -
Microsoft        1.3903        2008.09.16        TrojanDownloader:Win32/Renos.AY
NOD32v2        3443        2008.09.15        -
Norman        5.80.02        2008.09.15        -
Panda        9.0.0.4        2008.09.15        Suspicious file
PCTools        4.4.2.0        2008.09.15        -
Prevx1        V2        2008.09.16        Malware Dropper
Rising        20.61.42.00        2008.09.12        -
Sophos        4.33.0        2008.09.15        -
Sunbelt        3.1.1633.1        2008.09.13        -
Symantec        10        2008.09.16        -
TheHacker        6.3.0.9.084        2008.09.15        -
TrendMicro        8.700.0.1004        2008.09.15        -
VBA32        3.12.8.5        2008.09.15        -
ViRobot        2008.9.12.1375        2008.09.12        -
VirusBuster        4.5.11.0        2008.09.15        -
Webwasher-Gateway        6.6.2        2008.09.16        -
weitere Informationen
File size: 53252 bytes
MD5...: 61fa73679b82bb222626cedbd127fa1f
SHA1..: 3462f1587f1ef6a74f54d36d0830c1fc137a9983
SHA256: d0a317e0e446ae848046b8d9aaf32793f179be497f86c899b8582f4fff73abcc
SHA512: a96d50861f02a30d0fe6950b11b53afe39b3806ed28947867e9c2c84992bdb31921b87f427f75fe64030d83b7dcd55948470e58630f9a4fc5403673c880e66c7
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4011ea
timedatestamp.....: 0x47c9c29e (Sat Mar 01 20:54:54 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb77 0xc00 3.77 ec1b05a117b7f7ba59940d1c3d899d2a
.rdata 0x2000 0x5ad 0x600 4.97 657361317567c62b5eda09f8d366de2b
.data 0x3000 0x10acd26 0xba00 7.49 3a07a464a51c3490ca6044f342552d4d

( 3 imports )
> kernel32.dll: GetOEMCP, lstrcpynW, lstrcpynA, MultiByteToWideChar, GetCPInfo, GetModuleFileNameA, GetStringTypeW, LCMapStringA, WriteFile, SetFilePointer, lstrcatA, LCMapStringW, SetHandleCount, GetVersion, GetCommandLineA, GetFileType, GetStdHandle, CreateFileA, GetStartupInfoA, GetACP, lstrcpyA, GetCurrentProcess, TerminateProcess
> user32.dll: CopyImage, GetMenu, DrawTextW, GetDlgItem, IsWindow, GetFocus, DrawIcon, GetCursor, CopyIcon, GetWindowTextLengthA, DrawIconEx, EndDialog, DialogBoxParamW, LoadMenuA, DialogBoxParamA, LoadCursorA, CloseWindow, DrawTextA, GetDC, CopyRect, InsertMenuA
> comctl32.dll: ImageList_DragEnter, CreateToolbar, ImageList_Copy, ImageList_AddIcon, ImageList_Create, CreateToolbarEx, MenuHelp, ImageList_Add, ImageList_DrawEx, DllGetVersion, ImageList_LoadImageW

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=9EFBA5D004CD76BFD04F009FA8B77D00549DC366

gxkbklwv.exe:
Code:

Datei gxkbklwv.exe empfangen 2008.09.15 17:03:32 (CET)
Antivirus        Version        letzte aktualisierung        Ergebnis
AhnLab-V3        -        -        -
AntiVir        -        -        -
Authentium        -        -        -
Avast        -        -        Win32:PureMorph
AVG        -        -        -
BitDefender        -        -        -
CAT-QuickHeal        -        -        -
ClamAV        -        -        -
DrWeb        -        -        -
eSafe        -        -        -
eTrust-Vet        -        -        -
Ewido        -        -        -
F-Prot        -        -        -
F-Secure        -        -        Trojan.Win32.Obfuscated.gx
Fortinet        -        -        W32/PolySmall.BP!tr
GData        -        -        Trojan.Win32.Obfuscated.gx
Ikarus        -        -        -
K7AntiVirus        -        -        -
Kaspersky        -        -        Trojan.Win32.Obfuscated.gx
McAfee        -        -        -
Microsoft        -        -        TrojanDownloader:Win32/FakeAlert.C
NOD32v2        -        -        a variant of Win32/TrojanDownloader.FakeAlert.IQ
Norman        -        -        -
Panda        -        -        -
PCTools        -        -        -
Prevx1        -        -        Cloaked Malware
Rising        -        -        -
Sophos        -        -        Mal/EncPk-DG
Sunbelt        -        -        -
Symantec        -        -        -
TheHacker        -        -        -
TrendMicro        -        -        -
VBA32        -        -        -
ViRobot        -        -        -
VirusBuster        -        -        -
Webwasher-Gateway        -        -        -
weitere Informationen
MD5: 5985de6c0306cd48daeaa055bc98965d
SHA1: e9824286177a0b389d892c439686b6a92188ff19
SHA256: eccd351ed525d36995a7e071414d18f0705691d497aaee2e9c350310b7a6946d
SHA512: 8f0be7d57fe6f5dca13c704a47aa089c41dba0da122b045b007d223677581c0d3c8edd107700fb15d3cccd2262a5bbd6b977b87f4ddb38c6105f5a983cf41678

yrelqhof.exe:
Code:

Datei yrelqhof.exe empfangen 2008.09.16 01:19:02 (CET)
Antivirus        Version        letzte aktualisierung        Ergebnis
AhnLab-V3        2008.9.13.0        2008.09.15        -
AntiVir        7.8.1.28        2008.09.15        -
Authentium        5.1.0.4        2008.09.15        -
Avast        4.8.1195.0        2008.09.15        Win32:PureMorph
AVG        8.0.0.161        2008.09.15        Generic11.YJH
BitDefender        7.2        2008.09.15        -
CAT-QuickHeal        9.50        2008.09.15        -
ClamAV        0.93.1        2008.09.15        -
DrWeb        4.44.0.09170        2008.09.15        -
eSafe        7.0.17.0        2008.09.15        -
eTrust-Vet        31.6.6090        2008.09.15        -
Ewido        4.0        2008.09.15        -
F-Prot        4.4.4.56        2008.09.14        -
F-Secure        8.0.14332.0        2008.09.16        Trojan.Win32.Obfuscated.gx
Fortinet        3.113.0.0        2008.09.15        W32/PolySmall.BP!tr
GData        19        2008.09.16        Trojan.Win32.Obfuscated.gx
Ikarus        T3.1.1.34.0        2008.09.15        -
K7AntiVirus        7.10.457        2008.09.15        -
Kaspersky        7.0.0.125        2008.09.16        Trojan.Win32.Obfuscated.gx
McAfee        5383        2008.09.12        -
Microsoft        1.3903        2008.09.16        -
NOD32v2        3443        2008.09.15        -
Norman        5.80.02        2008.09.15        -
Panda        9.0.0.4        2008.09.15        -
PCTools        4.4.2.0        2008.09.15        -
Prevx1        V2        2008.09.16        Fraudulent Security Program
Rising        20.61.42.00        2008.09.12        -
Sophos        4.33.0        2008.09.15        -
Sunbelt        3.1.1633.1        2008.09.13        -
Symantec        10        2008.09.16        -
TheHacker        6.3.0.9.084        2008.09.15        -
TrendMicro        8.700.0.1004        2008.09.15        -
VBA32        3.12.8.5        2008.09.15        -
ViRobot        2008.9.12.1375        2008.09.12        -
VirusBuster        4.5.11.0        2008.09.15        -
Webwasher-Gateway        6.6.2        2008.09.16        -
weitere Informationen
File size: 65536 bytes
MD5...: f03c10a6c69362a7350b04cc385caecd
SHA1..: 1684016f93d2885b738b84289a8aabd49327711d
SHA256: 8bf40d474a48a310faed3ec44cfe67d27597cf2b3ea45ef0fd2e99b205c4acce
SHA512: ab976b41f9c3c887669336f1af3f98cbe44bc8c903b8d0bae6dd74d97302f463dbb98a57092552a5e9d0d07e0ce6749b0084bddd5700b30011026efc5c02c772
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404d7b
timedatestamp.....: 0x48ce5cca (Mon Sep 15 13:02:02 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xc9e6 0xd000 6.75 9b6bf6d795d7e48ba1276d6d92690c67
.rdata 0xe000 0x628 0x1000 2.46 0d622d8d1090c20e011f7d1b12eaeabf
.data 0xf000 0x400 0x1000 0.34 1a8f0a9e6ff8438e2dd23d960c067de1

( 4 imports )
> KERNEL32.dll: ReadFile, WriteFile, GlobalDeleteAtom, FindFirstFileW, GetProcAddress, SetCurrentDirectoryW, FindResourceW, WritePrivateProfileStringW, GetDriveTypeW, SetWaitableTimer, GetLastError, TerminateThread, CreateFileW, LoadResource, LoadLibraryA, GetLogicalDrives, CreateProcessW, FreeResource, CreateEventW, GetFileAttributesW, GetCurrentThread, CreateThread, QueryDosDeviceW, CancelWaitableTimer
> USER32.dll: SendDlgItemMessageW, EnableWindow, SetWindowTextW, LoadIconW, CreateWindowExW, PostQuitMessage, SetCapture, SetCursor, DispatchMessageW, RegisterWindowMessageW, SendMessageW, SystemParametersInfoW, DestroyIcon, SetCursorPos, GetClassNameW, ReleaseDC, GetKeyState, SetDlgItemTextW
> GDI32.dll: CreateRoundRectRgn, GetStockObject, DPtoLP, SelectObject, SetMapMode, MoveToEx, GetObjectW, SetBkMode
> ADVAPI32.dll: RegDeleteValueW, RegNotifyChangeKeyValue, StartServiceW, RegOpenKeyExW, RegQueryValueExW

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=210DC126009DB9A0001801F3702B090070014DB8

c.exe:
Code:

Datei c.exe empfangen 2008.09.16 01:14:00 (CET)
Antivirus        Version        letzte aktualisierung        Ergebnis
AhnLab-V3        2008.9.13.0        2008.09.15        -
AntiVir        7.8.1.28        2008.09.15        -
Authentium        5.1.0.4        2008.09.15        -
Avast        4.8.1195.0        2008.09.15        -
AVG        8.0.0.161        2008.09.15        -
BitDefender        7.2        2008.09.15        -
CAT-QuickHeal        9.50        2008.09.15        -
ClamAV        0.93.1        2008.09.15        -
DrWeb        4.44.0.09170        2008.09.15        -
eSafe        7.0.17.0        2008.09.15        -
eTrust-Vet        31.6.6090        2008.09.15        -
Ewido        4.0        2008.09.15        -
F-Prot        4.4.4.56        2008.09.14        -
F-Secure        8.0.14332.0        2008.09.16        -
Fortinet        3.113.0.0        2008.09.15        -
GData        19        2008.09.16        Trojan.Win32.FraudPack.mx
Ikarus        T3.1.1.34.0        2008.09.15        -
K7AntiVirus        7.10.457        2008.09.15        -
Kaspersky        7.0.0.125        2008.09.16        Trojan.Win32.FraudPack.mx
McAfee        5383        2008.09.12        -
Microsoft        1.3903        2008.09.16        -
NOD32v2        3443        2008.09.15        -
Norman        5.80.02        2008.09.15        -
Panda        9.0.0.4        2008.09.15        -
PCTools        4.4.2.0        2008.09.15        -
Prevx1        V2        2008.09.16        Hijacker
Rising        20.61.42.00        2008.09.12        -
Sophos        4.33.0        2008.09.15        Mal/EncPk-CZ
Sunbelt        3.1.1633.1        2008.09.13        -
Symantec        10        2008.09.16        -
TheHacker        6.3.0.9.084        2008.09.15        -
TrendMicro        8.700.0.1004        2008.09.15        -
VBA32        3.12.8.5        2008.09.15        -
ViRobot        2008.9.12.1375        2008.09.12        -
VirusBuster        4.5.11.0        2008.09.15        -
Webwasher-Gateway        6.6.2        2008.09.16        -
weitere Informationen
File size: 58880 bytes
MD5...: 387e740352d99688312417bf073b0f6f
SHA1..: 2f7a216cec62197ef5d89ca72262b8c85200ce21
SHA256: 635c68ff66af411cf5a996e6d0be8b8792c6f34e2b9699733a5b979c706fa93a
SHA512: b7c3f1c61d92a223fee068357228e374ba4ff7c043df7bd5a2c916b6ceb6d0b58c268fe34e3473cd50af8a9ca2e2dffc7ee955bc776f5ba933d916e3bcc23242
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4010db
timedatestamp.....: 0x47a87c8a (Tue Feb 05 15:11:06 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xf4f 0x1000 2.94 197998d2ca9456afe5bafb6c2082ac06
.rdata 0x2000 0x72d 0x800 4.86 49c78d5b94f50faafea7b985d90c56f0
.data 0x3000 0x10675e6 0xca00 7.54 6373fd72b078fd1b67ace69ca86e07cf

( 4 imports )
> user32.dll: LoadMenuA, IsWindow, DrawTextA, DialogBoxParamA, DialogBoxParamW, EndDialog, CopyIcon, GetMenu, CopyImage, GetWindowTextLengthA, DrawIcon, CreateIcon, InsertMenuA, CopyRect, GetWindowTextA, GetCursor, DrawTextW, IsMenu, GetDC, GetDlgItem, CloseWindow, DrawIconEx
> kernel32.dll: GetACP, GetVersion, LCMapStringW, SetFilePointer, lstrcpynA, lstrcpyA, SetHandleCount, MultiByteToWideChar, GetModuleFileNameA, GetFileType, GetStdHandle, lstrcatA, lstrcpynW, GetStartupInfoA, CreateFileA, TerminateProcess, GetStringTypeA, WriteFile, GetStringTypeW, LCMapStringA, GetOEMCP
> comctl32.dll: ImageList_DragEnter, MenuHelp, ImageList_Copy, ImageList_GetIcon, ImageList_Add, ImageList_GetIconSize, ImageList_LoadImageW, ImageList_Create, DrawStatusTextW, CreateStatusWindow, DllGetVersion, ImageList_Destroy, CreateToolbar
> advapi32.dll: RegCreateKeyW, RegQueryValueA, RegDeleteKeyA, RegQueryValueExW, RegEnumKeyExW, RegOpenKeyW, RegQueryValueExA, RegQueryValueW, RegEnumValueA, RegCreateKeyA, RegCreateKeyExA, RegOpenKeyA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=A60D387900486CD5E67F002DDDE82A00800AD6E7

Malwarebytes:
Code:

Malwarebytes' Anti-Malware 1.28
Datenbank Version: 1159
Windows 5.1.2600 Service Pack 3

16.09.2008 02:02:13
mbam-log-2008-09-16 (02-02-12).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 104415
Laufzeit: 36 minute(s), 34 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 35
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 4
Infizierte Dateien: 69

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\html.html (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{474372cd-d5af-40f7-9004-921f0e347dd0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{74ebcffb-af2d-4dd4-a9bc-2ac12864b3ec} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74ebcffb-af2d-4dd4-a9bc-2ac12864b3ec} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\html.html.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34545} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\hol5_vxiewer.full.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Golden Palace Casino PT (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\28rnzuky11 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Somefox (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\Inet Delivery (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\gtkhizut\yrelqhof.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\mshtml90.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\Inet Delivery\inetdl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\Inet Delivery\intdel.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\a.bat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\userconfig9x.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\medup020.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vbsys2.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\psrr\Lokale Einstellungen\Temp\video207.cfg.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Dokumente und Einstellungen\psrr\Lokale Einstellungen\Temp\video207.cfg (Trojan.FakeAlert) -> Quarantined and deleted successfully.


psrr 16.09.2008 01:27

and the HijackThis file too:

HijackThis:
Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:17:46, on 16.09.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\xampp\apache\bin\apache.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Dokumente und Einstellungen\XXX\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\dqzexwdi.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\XXX\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [smartadmapl] C:\WINDOWS\system32\dqzexwdi.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-21-1844237615-838170752-1801674531-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Programme\PostgreSQL\8.3\bin\pg_ctl.exe

--
End of file - 4408 bytes


"C:\WINDOWS\system32\dqzexwdi.exe" is still running... :( and I also still keep getting a certain fake message!

Regards and good night! :)

Mellosun 16.09.2008 10:24

OK, that already doesn't look bad!

Next step:

ComboFix
  • Download the tool from here to your desktop -> CLICK
Do not start the program yet; first do the following:
  • Close all applications and programs, especially your antivirus software and other background guards, as well as your internet browser.
    Also explicitly avoid using the mouse and keyboard while ComboFix is running.
  • Now start combofix.exe from your desktop, confirm the warning messages and let it scan your system.
  • Afterwards a combofix.txt opens automatically; please copy its contents and paste them into your post. The log can also be found at: C:\ComboFix.txt.
Important note:
ComboFix may only be run when a qualified helper has explicitly recommended it!
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.
Note: ComboFix disables the autorun function of all CD / DVD and USB drives in order to contain spreading. If this causes problems, post them in the thread.

(detailed instructions -> A guide and tutorial on using ComboFix)


And a new HijackThis log after the cleanup!

psrr 16.09.2008 13:50

ComboFix log:
Code:

ComboFix 08-09-15.02 - XXX 2008-09-16 14:35:41.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1031.18.250 [GMT 2:00]
run from: C:\Dokumente und Einstellungen\XXX\Desktop\ComboFix.exe
 * New restore point created

Warning - The Recovery Console is not installed on this PC !!
.

(((((((((((((((((((((((  Files created from 2008-08-16 to 2008-09-16  ))))))))))))))))))))))))))))))
.

2008-09-16 14:26 . 2008-09-16 14:26        <DIR>        d--------        C:\Programme\CCleaner
2008-09-16 01:22 . 2008-09-16 01:22        <DIR>        d--------        C:\Programme\Malwarebytes' Anti-Malware
2008-09-16 01:22 . 2008-09-16 01:22        <DIR>        d--------        C:\Dokumente und Einstellungen\XXX\Anwendungsdaten\Malwarebytes
2008-09-16 01:22 . 2008-09-16 01:22        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-09-16 01:22 . 2008-09-10 00:04        38,528        --a------        C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-16 01:22 . 2008-09-10 00:03        17,200        --a------        C:\WINDOWS\system32\drivers\mbam.sys
2008-09-15 18:49 . 2008-09-15 18:49        <DIR>        d--------        C:\Programme\Trend Micro
2008-09-15 17:46 . 2008-09-16 02:04        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\gtkhizut
2008-09-15 17:46 . 2008-09-15 17:46        86,016        --a------        C:\WINDOWS\system32\dqzexwdi.exe
2008-09-09 22:55 . 2008-07-26 17:30        <DIR>        d--h-----        C:\Dokumente und Einstellungen\postgres\Vorlagen
2008-09-09 22:55 . 2008-07-26 18:07        <DIR>        dr-------        C:\Dokumente und Einstellungen\postgres\Startmenü
2008-09-09 22:55 . 2008-07-26 18:07        <DIR>        d--h-----        C:\Dokumente und Einstellungen\postgres\Netzwerkumgebung
2008-09-09 22:55 . 2008-09-16 14:37        <DIR>        d--h-----        C:\Dokumente und Einstellungen\postgres\Lokale Einstellungen
2008-09-09 22:55 . 2008-07-26 18:07        <DIR>        d--------        C:\Dokumente und Einstellungen\postgres\Favoriten
2008-09-09 22:55 . 2008-07-26 18:07        <DIR>        d--h-----        C:\Dokumente und Einstellungen\postgres\Druckumgebung
2008-09-09 22:55 . 2008-07-26 18:07        <DIR>        dr-h-----        C:\Dokumente und Einstellungen\postgres\Anwendungsdaten
2008-09-09 22:55 . 2008-09-09 22:55        <DIR>        d--------        C:\Dokumente und Einstellungen\postgres
2008-09-09 22:50 . 2008-09-09 22:50        <DIR>        d--------        C:\Programme\PostgreSQL
2008-09-09 22:44 . 2008-09-09 22:56        <DIR>        d--------        C:\Programme\PokerTracker 3
2008-09-09 11:39 . 2008-09-09 11:39        <DIR>        d--------        C:\Programme\WinSCP
2008-09-08 18:38 . 2008-09-08 18:38        <DIR>        d--------        C:\Dokumente und Einstellungen\XXX\workspace
2008-09-07 20:57 . 2008-09-07 20:57        <DIR>        d--------        C:\WINDOWS\Sun
2008-09-05 17:17 . 2008-09-11 18:40        <DIR>        d--------        C:\Dokumente und Einstellungen\XXX\Anwendungsdaten\gtk-2.0
2008-09-04 00:46 . 2008-09-04 00:46        <DIR>        d--------        C:\Dokumente und Einstellungen\XXX\Anwendungsdaten\ACD Systems
2008-09-04 00:44 . 2008-09-04 00:44        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ACD Systems
2008-09-04 00:41 . 2008-09-04 00:49        <DIR>        d--------        C:\Programme\ACD Systems
2008-09-04 00:26 . 2008-09-04 00:26        <DIR>        d--------        C:\Programme\Google
2008-09-02 22:33 . 2008-04-14 04:22        221,184        --a------        C:\WINDOWS\system32\wmpns.dll
2008-08-26 19:18 . 2008-08-26 19:18        <DIR>        d--------        C:\Dokumente und Einstellungen\XXX\Anwendungsdaten\Subversion
2008-08-26 19:10 . 2008-08-26 19:14        <DIR>        d--------        C:\xampp
2008-08-26 18:11 . 2008-09-08 17:58        <DIR>        d--------        C:\workspace
2008-08-26 18:08 . 2008-08-26 18:08        <DIR>        d--------        C:\Programme\Sun
2008-08-26 18:08 . 2008-06-10 02:32        73,728        --a------        C:\WINDOWS\system32\javacpl.cpl
2008-08-26 18:03 . 2008-08-26 18:08        <DIR>        d--------        C:\Programme\Java
2008-08-26 18:03 . 2008-08-26 18:03        <DIR>        d--------        C:\Programme\Gemeinsame Dateien\Java
2008-08-25 21:06 . 2008-08-25 21:06        <DIR>        d--------        C:\WINDOWS\system32\de-de
2008-08-25 21:06 . 2008-08-25 21:06        <DIR>        d--------        C:\WINDOWS\system32\de
2008-08-25 21:06 . 2008-08-25 21:06        <DIR>        d--------        C:\WINDOWS\system32\bits
2008-08-25 21:06 . 2008-08-25 21:06        <DIR>        d--------        C:\WINDOWS\l2schemas
2008-08-25 21:03 . 2002-02-11 22:00        97,280        --a------        C:\WINDOWS\system32\CNMLM3q.DLL
2008-08-25 21:03 . 2002-02-11 22:00        5,632        --a------        C:\WINDOWS\system32\CNMVS3q.DLL
2008-08-25 21:02 . 2008-08-25 21:02        <DIR>        d--h-----        C:\BJPrinter
2008-08-25 21:02 . 1998-10-21 18:43        328,704        --a------        C:\WINDOWS\IsUn0407.exe
2008-08-25 21:02 . 2002-01-17 11:48        36,864        --a------        C:\WINDOWS\system32\CNMCP3Q.EXE
2008-08-25 21:01 . 2008-08-25 21:06        <DIR>        d--------        C:\WINDOWS\ServicePackFiles
2008-08-25 20:29 . 2004-08-03 22:41        1,041,536        ---------        C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-08-25 20:28 . 2004-08-04 00:38        701,952        ---------        C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-08-25 20:12 . 2008-09-16 12:15        <DIR>        d--------        C:\Programme\eclipse
2008-08-25 20:10 . 2008-08-25 20:10        <DIR>        d---s----        C:\Dokumente und Einstellungen\XXX\UserData
2008-08-25 19:50 . 2008-08-25 19:50        2,422        --a------        C:\WINDOWS\system32\wpa.bak

.
((((((((((((((((((((((((((((((((((((  Find3M report  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 10:00        ---------        d-----w        C:\Dokumente und Einstellungen\XXX\Anwendungsdaten\.purple
2008-09-16 09:37        ---------        d-----w        C:\Programme\Mozilla Thunderbird
2008-09-10 21:25        ---------        d-----w        C:\Programme\Full Tilt Poker
2008-09-09 18:38        ---------        d-----w        C:\Programme\PokerRoom.com
2008-08-17 18:42        ---------        d-----w        C:\Programme\bwin
2008-07-29 20:14        ---------        d-----w        C:\Dokumente und Einstellungen\XXX\Anwendungsdaten\Thunderbird
2008-07-29 20:14        ---------        d-----w        C:\Dokumente und Einstellungen\XXX\Anwendungsdaten\Talkback
2008-07-29 17:28        ---------        d--h--w        C:\Programme\InstallShield Installation Information
2008-07-29 16:16        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Adobe
2008-07-28 17:31        ---------        d-----w        C:\Programme\Pidgin
2008-07-28 17:31        ---------        d-----w        C:\Programme\Aspell
2008-07-28 17:29        ---------        d-----w        C:\Programme\Gemeinsame Dateien\GTK
2008-07-28 17:16        ---------        d-----w        C:\Programme\Realtek
2008-07-28 17:16        ---------        d-----w        C:\Programme\Gemeinsame Dateien\InstallShield
2008-07-28 12:53        ---------        d-----w        C:\Programme\Avira
2008-07-28 12:53        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-07-28 12:27        ---------        d-----w        C:\Programme\DIFX
2008-07-28 12:26        684,032        ----a-w        C:\WINDOWS\system32\NETw4c32.dll
2008-07-28 12:26        2,772,992        ----a-w        C:\WINDOWS\system32\NETw4r32.dll
2008-07-28 12:26        2,530,176        ----a-w        C:\WINDOWS\system32\drivers\NETw4x32.sys
2008-07-28 12:04        ---------        d-----w        C:\Programme\PC Wizard 2008
2008-07-26 15:35        ---------        d-----w        C:\Programme\microsoft frontpage
2008-07-26 15:33        ---------        d-----w        C:\Programme\Online-Dienste
2008-07-26 15:32        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Dienste
2008-07-18 20:10        94,920        ----a-w        C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10        53,448        ----a-w        C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10        45,768        ----a-w        C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10        36,552        ----a-w        C:\WINDOWS\system32\wups.dll
2008-07-18 20:09        563,912        ----a-w        C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09        325,832        ----a-w        C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09        205,000        ----a-w        C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09        1,811,656        ----a-w        C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:26        253,952        ----a-w        C:\WINDOWS\system32\es.dll
2008-06-24 16:42        74,240        ----a-w        C:\WINDOWS\system32\mscms.dll
2008-06-23 15:10        671,744        ----a-w        C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46        247,296        ----a-w        C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((  Registry autostart points  ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="C:\Dokumente und Einstellungen\XXX\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"smartadmapl"="C:\WINDOWS\system32\dqzexwdi.exe" [2008-09-15 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-02-15 131072]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\xampp\\apache\\bin\\apache.exe"=
"C:\\Programme\\Pidgin\\pidgin.exe"=
"C:\\Programme\\eclipse\\eclipse.exe"=
"C:\\Programme\\WinSCP\\WinSCP.exe"=

R2 Apache2.2;Apache2.2;C:\xampp\apache\bin\apache.exe [2008-06-14 17408]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;C:\Programme\PostgreSQL\8.3\bin\pg_ctl.exe runservice -w -N pgsql-8.3 -D C:\Programme\PostgreSQL\8.3\data\ [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\umenu.exe

*Newly Created Service* - PROCEXP90
.
Contents of the "Scheduled Tasks" folder
.
.
------- Supplementary scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\XXX\Anwendungsdaten\Mozilla\Firefox\Profiles\8hk5kdfm.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.de/
FF -: plugin - C:\Dokumente und Einstellungen\XXX\Lokale Einstellungen\Anwendungsdaten\Google\Update\1.2.131.11\npGoogleOneClick5.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 14:37:24
Windows 5.1.2600 Service Pack 3 NTFS

Scanning for hidden processes...

Scanning for hidden autostart entries...

Scanning for hidden files...

Scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-16 14:38:10
ComboFix-quarantined-files.txt  2008-09-16 12:38:07

Pre-Run: 9 directory(ies), 29,186,105,344 bytes free
Post-Run: 12 directory(ies), 29,324,775,424 bytes free

154        --- E O F ---        2008-09-10 11:46:25
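The two logs above are worth reading together: HijackThis shows the O4 Run entry [smartadmapl] pointing at C:\WINDOWS\system32\dqzexwdi.exe and lists that file among the running processes, and ComboFix's "files created" section dates the same file (and the gtkhizut folder) to 2008-09-15 17:46, the evening the untrusted .exe was run. The following script is an added example, not a feature of HijackThis, ComboFix or Malwarebytes and not code from anyone in this thread: it parses the O4 lines and the ComboFix created-files lines (the regexes are derived from the line formats visible above, nothing more), scores each autostart target by whether its creation time falls inside an assumed infection window (the 15.09.2008 date from the first post) and by a deliberately weak random-name heuristic, and reports whether the target is still running. The sample lines are copied from the logs in this thread; the infection window is an assumption.

```python
import re
from datetime import datetime

# Constructed samples, copied from the HijackThis and ComboFix logs posted above.
HJT_O4 = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\XXX\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [smartadmapl] C:\WINDOWS\system32\dqzexwdi.exe
"""
HJT_PROCESSES = r"""
C:\WINDOWS\system32\igfxtray.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\dqzexwdi.exe
"""
CF_CREATED = r"""
2008-09-16 01:22 . 2008-09-10 00:04        38,528        --a------        C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-15 17:46 . 2008-09-16 02:04        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\gtkhizut
2008-09-15 17:46 . 2008-09-15 17:46        86,016        --a------        C:\WINDOWS\system32\dqzexwdi.exe
2008-09-02 22:33 . 2008-04-14 04:22        221,184        --a------        C:\WINDOWS\system32\wmpns.dll
"""
# Assumed infection window: the poster ran the untrusted .exe on 15.09.2008.
INFECTION_START = datetime(2008, 9, 15, 0, 0)
INFECTION_END = datetime(2008, 9, 16, 0, 0)

# Line formats inferred from the logs above (HijackThis 2.0.2 / ComboFix 08-09-15.02).
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
CF_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$")


def _split_target(rest):
    """Separate the executable path from its arguments; quoted paths may contain spaces."""
    if rest.startswith('"'):
        end = rest.index('"', 1)
        return rest[1:end], rest[end + 1:].strip()
    parts = rest.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(text):
    """Return one dict per 'O4 - <hive>\\..\\Run: [<value>] <target>' line."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            path, args = _split_target(m.group("rest"))
            entries.append({"hive": m.group("hive"), "name": m.group("name"),
                            "path": path, "args": args})
    return entries


def parse_combofix_created(text):
    """Map lower-cased path -> creation/modification times from the 'files created' section."""
    created = {}
    for line in text.splitlines():
        m = CF_RE.match(line.strip())
        if m:
            created[m.group("path").lower()] = {
                "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
                "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
                "is_dir": m.group("size") == "<DIR>"}
    return created


def file_stem(path):
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem):
    """Weak heuristic: long, all-lowercase, vowel-poor names. It catches dqzexwdi but
    also flags legitimate vendor names such as Intel's igfxtray, hence only 1 point."""
    if len(stem) < 7 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.3


def triage(o4_text, proc_text, cf_text, window_start, window_end):
    """Score each autostart target: +2 if ComboFix dates its creation inside the
    infection window, +1 for a random-looking name; note if it is still running."""
    created = parse_combofix_created(cf_text)
    running = {p.strip().lower() for p in proc_text.splitlines() if p.strip()}
    findings = []
    for entry in parse_o4(o4_text):
        key = entry["path"].lower()
        score, reasons = 0, []
        info = created.get(key)
        if info and window_start <= info["created"] <= window_end:
            score += 2
            reasons.append(f"created {info['created']:%Y-%m-%d %H:%M} inside infection window")
        if looks_random(file_stem(entry["path"])):
            score += 1
            reasons.append("random-looking file name (weak signal)")
        if score:
            findings.append({"name": entry["name"], "path": entry["path"],
                             "running": key in running, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["path"].lower()))


FINDINGS = triage(HJT_O4, HJT_PROCESSES, CF_CREATED, INFECTION_START, INFECTION_END)

if __name__ == "__main__":
    for f in FINDINGS:
        state = "RUNNING" if f["running"] else "not running"
        print(f"[{f['score']}] [{f['name']}] {f['path']} ({state}): " + "; ".join(f["reasons"]))
```

On the sample lines the top finding is [smartadmapl] dqzexwdi.exe with score 3 and still running, which is exactly what psrr observed. igfxtray.exe also appears with score 1 from the name heuristic alone, which is the point of ranking by the timeline rather than by how odd a name looks: a file that first appeared in %WINDIR%\system32 at the time the untrusted .exe was run is a much stronger signal than an ugly name, and a random-name check on its own would send you chasing Intel's graphics tray. The same correlation can be run against the Malwarebytes paths further up and the mountpoints2 autorun entry (E:\umenu.exe), which this example does not parse.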



Copyright ©2000-2025, Trojaner-Board
