Trojaner-Board (https://www.trojaner-board.de/)

grausam 20.08.2008 20:17

Virtumonde yet again! ComboFix and HijackThis run

Hello everyone! Since people really get excellent help here, here is my problem with Virtumonde:

I have carried out everything as described here: http://www.trojaner-board.de/57895-virtumonde-entfernen.html
Here is my ComboFix log:

ComboFix 08-08-19.02 - renglert 2008-08-20 20:46:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.310 [GMT 2:00]
Running from: C:\Documents and Settings\renglert\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM47eade4e.txt
C:\WINDOWS\BM47eade4e.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\BabKRrCf.ini
C:\WINDOWS\system32\BabKRrCf.ini2
C:\WINDOWS\system32\bagysady.dll
C:\WINDOWS\system32\fCrRKbaB.dll
C:\WINDOWS\system32\fiovuvgd.exe
C:\WINDOWS\system32\idqobvdn.ini
C:\WINDOWS\system32\ldhgdr.dll
C:\WINDOWS\system32\lyzwsv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mflpvxxm.dll
C:\WINDOWS\system32\mxxvplfm.ini
C:\WINDOWS\system32\ndvboqdi.dll
C:\WINDOWS\system32\nvwmojsi.dll
C:\WINDOWS\system32\omgogvcm.dll
C:\WINDOWS\system32\qoMfcDuV.dll
C:\WINDOWS\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-20 20:34 . 2008-08-20 20:34 <DIR> d-------- C:\Program Files\CCleaner
2008-08-20 15:06 . 2008-08-20 15:30 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-20 15:01 . 2008-08-20 17:25 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-08-20 13:00 . 2008-08-20 18:15 259 --a------ C:\WINDOWS\wininit.ini
2008-08-20 12:58 . 2008-08-20 12:58 0 --a------ C:\WINDOWS\vpc32.INI
2008-08-20 12:15 . 2008-08-20 12:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-20 12:15 . 2008-08-20 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-18 15:51 . 2008-08-18 15:51 <DIR> d-------- C:\Program Files\PixLin
2008-08-18 15:00 . 2008-08-18 15:00 <DIR> d-------- C:\Documents and Settings\renglert\Application Data\Apple Computer
2008-08-18 14:59 . 2008-08-18 14:59 <DIR> d-------- C:\Program Files\iPod
2008-08-18 14:58 . 2008-08-18 14:59 <DIR> d-------- C:\Program Files\iTunes
2008-08-18 14:58 . 2008-08-18 14:58 <DIR> d-------- C:\Program Files\Bonjour
2008-08-18 14:57 . 2008-08-18 14:57 <DIR> d-------- C:\Program Files\QuickTime
2008-08-18 14:57 . 2008-08-18 14:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-08-18 14:56 . 2008-08-18 14:56 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-08-18 14:56 . 2008-08-18 14:56 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-18 14:56 . 2008-08-18 14:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-08-05 15:17 . 2008-08-15 10:46 49 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-26 19:02 . 2008-07-26 19:02 <DIR> d-------- C:\Documents and Settings\renglert\Application Data\Ahead
2008-07-26 19:00 . 2004-03-03 20:30 125,184 --a------ C:\WINDOWS\system32\drivers\imagesrv.sys
2008-07-26 19:00 . 2004-03-03 20:30 5,504 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys
2008-07-26 18:59 . 2008-07-26 18:59 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-07-26 18:59 . 2008-07-26 18:59 <DIR> d-------- C:\Program Files\Ahead
2008-07-26 18:59 . 2001-07-06 13:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2008-07-26 18:59 . 2001-07-06 11:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2008-07-26 18:59 . 2001-07-06 17:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2008-07-26 18:59 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-07-26 18:59 . 2000-06-26 10:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-07-26 18:59 . 2001-06-26 07:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2008-07-22 09:44 . 2008-07-22 09:44 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 18:22 --------- d-----w C:\Documents and Settings\renglert\Application Data\FileZilla
2008-08-20 09:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-20 07:38 --------- d-----w C:\Program Files\Winamp Remote
2008-08-13 07:05 --------- d-----w C:\Program Files\Java
2008-07-30 13:25 --------- d-----w C:\Program Files\FileZilla Client
2008-07-25 15:04 --------- d-----w C:\Program Files\Google
2008-06-27 11:32 --------- d-----w C:\Program Files\duke3d
2008-06-25 13:18 --------- d-----w C:\Documents and Settings\renglert\Application Data\fretsonfire
2008-06-25 13:13 --------- d-----w C:\Program Files\Frets on Fire
2008-06-23 14:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-18 09:28 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-08 09:03 68856]
"RIMDeviceManager"="C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" [2006-08-25 17:24 1142922]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 22:02 495616]
"Google Update"="C:\Documents and Settings\renglert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-07-21 08:42 119280]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-18 07:53 8433664]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-05-18 07:53 81920]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 10:03 58416]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-08-30 08:17 200704]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-08-30 08:17 208896]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 21:49 66176]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 09:33 243248]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-08-11 01:30 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-08-11 01:30 512000]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 23:23 1015808]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-09 18:32 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-09 18:32 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-09 18:32 131072]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-12-18 00:00 90112]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Mixer"="C:\Program Files\Mixer\Mixer.exe" [2006-04-22 16:11 573440]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-16 00:54 37376]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 23:22 3739648]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-07 10:33 29744]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-08-20 15:10 2131600]
"nwiz"="nwiz.exe" [2007-05-18 07:53 1626112 C:\WINDOWS\system32\nwiz.exe]
"TpShocks"="TpShocks.exe" [2007-03-30 01:40 181808 C:\WINDOWS\system32\TpShocks.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-11-26 16:58:10 576104]
DoubleClick Inc. Cisco VPN 3.6.3 Client.lnk - C:\Program Files\Cisco Systems\ipsecdialer.exe [2007-12-14 17:09:39 1282122]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-05-05 11:15:46 124400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\renglert\My Documents\My Pictures\silhouette-frog.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\renglert\Local Settings\Temporary Internet Files\Content.IE5\MHDQJI98\silhouette-frog[1].jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 23:37 34344 C:\Program Files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 18:06 28672 C:\Program Files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ldhgdr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\fCrRKbaB

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Local_admin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=addto_local_groups.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\DRIVERS\Apsx86.sys [2007-03-03 00:49]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM86.sys [2007-03-03 00:47]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2007-08-30 08:17]
R2 CVPNDRV;DoubleClick Inc. IPsec Driver;C:\WINDOWS\system32\Drivers\CVPNDRV.sys [2003-01-31 11:46]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;C:\Program Files\ISS\Proventia Desktop\vpatch.exe [2006-03-25 16:19]
R3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\MakoNT.sys [2005-10-25 12:54]
R3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2005-10-25 12:54]
R4 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2005-10-25 12:54]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-05-07 10:33]
S3 LenovoRd;LenovoRd;C:\WINDOWS\system32\Drivers\LenovoRd.sys [2007-06-08 16:36]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS [2004-03-24 04:12]
S3 tpflhlp;tpflhlp;C:\Program Files\Lenovo\System Update\session\7luj08us\tpflhlp.sys [2007-07-25 00:14]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{53301152-F0CB-4A4F-8281-42D2EBE39DCF} - (no file)
BHO-{FA717E94-1CF7-4EB3-A4BF-B0241B287FA9} - (no file)
HKLM-Run-44d9edd2 - C:\WINDOWS\system32\ndvboqdi.dll
ShellExecuteHooks-{93f261fc-7dce-4268-9edb-4c94f8afb899} - mscoree.dll
Notify-qoMfcDuV - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\renglert\Application Data\Mozilla\Firefox\Profiles\hjm5tgh4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - C:\Documents and Settings\renglert\Application Data\Mozilla\plugins\npgoogletalk.dll
FF -: plugin - C:\Documents and Settings\renglert\Local Settings\Application Data\Google\Update\1.2.121.17\npGoogleOneClick.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1202.1501\npCIDetect11.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\PROGRAM FILES\MOZILLA FIREFOX\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 21:07:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Lenovo\HOTKEY\tphklock.dll
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\ISS\Proventia Desktop\blackice.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\RightFAX\FaxCtrl.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-20 21:13:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-20 19:12:50

Pre-Run: 131,638,718,464 bytes free
Post-Run: 131,706,576,896 bytes free

245 --- E O F --- 2008-06-23 15:47:05

