Virtumonde and Virtumonde.dll are they gone now?



yongli2008
2008-08-20, 12:48
Hi,

On my mom's computer I had Virtumonde and Virtumonde.dll reported by Spybot 1.6 for quite a while. Spybot always wanted me to reboot but couldn't remove them.

Tried many programs, such as the Bitdefender Boot CD, but to no avail.
Finally this morning I tried a Quick Scan with Malwarebytes' Anti-Malware 1.25.
It found lots of stuff.
Now it seems that the ad popups in Windows have disappeared, but I don't quite trust the result. Until now, Virtumonde has always found a way to return.
I found this forum, where great help is provided to many desperate users like me! Could you please take a look at my log and advise what other steps I would have to take to get rid of it and stay clear?
Thank you very much for all the good work you are doing.
All the best, Yongli

HijackThis log after Malwarebytes:
----------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:54, on 20.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\FreePDF\FreePDFA.exe
C:\Programme\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Programme\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\inst\dnser_dyndns_client\DNSer\DNSerSvc.exe
C:\Programme\FRITZ!\IWatch.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Programme\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mmc.exe
C:\Dokumente und Einstellungen\Elke\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E29F5A2-FE1F-4D73-9E92-29A93115F317} - (no file)
O2 - BHO: (no name) - {4C7ABD87-3026-4193-ADBB-DA7E435BFEF2} - (no file)
O2 - BHO: (no name) - {4FB891BD-FF43-47DA-990A-F83364468357} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Programme\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [FreePDFAssistent] C:\Programme\FreePDF\FreePDFA.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SmartSurfer.lnk = C:\Programme\WEBDE\SmartSurfer3.1\SmartSurfer.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\FRITZ!\IWatch.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/130b7f8969e3e9646715/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205089772703
O16 - DPF: {7BD28BE8-1E1A-4A95-A24B-90E90DA3402E} (Realtime.Realtime_CTL) - http://www.efinancethai.com/rtquote/realtime/realtime.CAB
O16 - DPF: {E818CC8D-CC27-425B-AEBB-C01837723DC6} (Metastock Online (EQUIS)) - http://inv2.asiaplus.co.th/abn/equis/metastock/ms4java.cab
O16 - DPF: {FDE37D01-E2FB-11D4-B6C8-005004C18256} (Jvix Realtime by Surasak.AST) - http://inv2.asiaplus.co.th/broker.ast.jvix/order/jvixast8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{618E0E4E-BEBA-4888-B7A9-2A3A98638713}: NameServer = 192.168.120.252,192.168.120.253
O20 - AppInit_DLLs: pdsgmw.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Avira AntiVir Premium MailGuard Hilfsdienst (AVEService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Dynamic DNS Updater (DNSerSvc) - Access, Slovenia - C:\inst\dnser_dyndns_client\DNSer\DNSerSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 6760 bytes


Malwarebytes scan log before having it remove the malware:
-----------------------------------------------------------


Malwarebytes' Anti-Malware 1.25
Datenbank Version: 1071
Windows 5.1.2600 Service Pack 2

11:08:52 20.08.2008
mbam-log-08-20-2008 (11-08-38).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 51016
Laufzeit: 7 minute(s), 12 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 3
Infizierte Registrierungsschlüssel: 15
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 0
Infizierte Dateien: 18

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
C:\WINDOWS\system32\urqRKbAQ.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\dhtykvsd.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mlJBTmLe.dll (Trojan.Vundo.H) -> No action taken.

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4c7abd87-3026-4193-adbb-da7e435bfef2} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljbtmle (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{4c7abd87-3026-4193-adbb-da7e435bfef2} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8dfc4dca-7739-4f79-ad8e-c01c39a9a185} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8dfc4dca-7739-4f79-ad8e-c01c39a9a185} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c82ddc02-f1b1-430d-9412-e93e9406a4ab} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm230a5eb0 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4c7abd87-3026-4193-adbb-da7e435bfef2} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20396d2c (Trojan.Vundo) -> No action taken.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\urqrkbaq -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\urqrkbaq -> No action taken.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\mlJBTmLe.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\urqRKbAQ.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\QAbKRqru.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\QAbKRqru.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vchwwrqm.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mqrwwhcv.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\xdwpbmga.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\agmbpwdx.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\dhtykvsd.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\loxvtgmr.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\biluhcle.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\uqndut.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vploflpc.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\svbuhvdb.exe (Trojan.Vundo) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM230a5eb0.xml (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM230a5eb0.txt (Trojan.Vundo) -> No action taken.

Quick Scan after removing what it found:
----------------------------------------

Malwarebytes' Anti-Malware 1.25
Datenbank Version: 1071
Windows 5.1.2600 Service Pack 2

11:24:53 20.08.2008
mbam-log-08-20-2008 (11-24-53).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 50860
Laufzeit: 7 minute(s), 2 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

ken545
2008-08-23, 14:28
Hello Yongli

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Malwarebytes is a great program, one of the best, but there may be more Vundo hiding, so let's do a few things.


Disable the TeaTimer and leave it disabled until we're done.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- You need to do this for it to take effect.


Go to C:\Program Files, create a new folder and name it Hijackthis. Then go to where you have HijackThis currently installed and cut and paste it into the new folder. We need to do this for backup purposes, so that anything we remove with HJT will be there if we need to reinstall it.


Do this only after you move HJT to its new folder.

Open HijackThis and do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {0E29F5A2-FE1F-4D73-9E92-29A93115F317} - (no file)
O2 - BHO: (no name) - {4C7ABD87-3026-4193-ADBB-DA7E435BFEF2} - (no file)
O2 - BHO: (no name) - {4FB891BD-FF43-47DA-990A-F83364468357} - (no file)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/130b7f89...dxIE601_de.cab

O20 - AppInit_DLLs: pdsgmw.dll




Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have ComboFix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the net.



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.

If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connection.


3. Now double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.
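
As an added example (it is not code from this thread, from HijackThis or from Safer Networking), here is a small Python triage script that applies the same reading of a HijackThis log that the fix list above relies on: BHO registrations whose DLL is gone, a non-empty AppInit_DLLs value, ActiveX downloads (O16) from non-Microsoft hosts, and an IE start page reset to about:blank. The rules and the high/medium/low severities are my own reconstruction of what the helper flagged, not an official HijackThis classification; the sample lines are copied from the first log posted in this thread and trimmed to the entry types the rules look at.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample: lines copied from the first HijackThis log posted in this
# thread (20.08.2008), cut down to the entry types the triage rules look at.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E29F5A2-FE1F-4D73-9E92-29A93115F317} - (no file)
O2 - BHO: (no name) - {4C7ABD87-3026-4193-ADBB-DA7E435BFEF2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/130b7f8969e3e9646715/netzip/RdxIE601_de.cab
O20 - AppInit_DLLs: pdsgmw.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Each HijackThis entry starts with its section code: R0/R1 (IE URLs), O2 (BHOs),
# O4 (Run keys), O16 (ActiveX downloads), O20 (AppInit_DLLs / Winlogon Notify), ...
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (my own scale, see lead-in)
    entry: str      # the HijackThis line that triggered the rule
    reason: str


def _host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_microsoft_host(host: str) -> bool:
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's triage heuristics to HijackThis log text.

    Returns the findings sorted high -> medium -> low; lines that match no rule
    (process list, header, benign entries) produce nothing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()

        if kind == "R0" and body.endswith("Start Page = about:blank"):
            findings.append(Finding("low", line,
                "IE start page is about:blank; harmless by itself, but often what a "
                "hijacker leaves behind, so it was reset in the fix list"))

        elif kind == "O2":
            if body.endswith("(no file)"):
                # The CLSID is still registered under Browser Helper Objects but the
                # DLL it points at is gone (here: removed by Malwarebytes). Nothing
                # loads any more, so fixing the entry only cleans up the registration.
                findings.append(Finding("medium", line,
                    "BHO CLSID still registered but its DLL is gone: orphaned "
                    "registration, safe to fix"))
            elif "BHO: (no name)" in body:
                findings.append(Finding("medium", line,
                    "unnamed BHO backed by a file on disk: identify the DLL before deciding"))

        elif kind == "O16":
            # Format: "DPF: {CLSID} (optional name) - <download URL>"
            host = _host_of(body.rsplit(" - ", 1)[-1])
            if not _is_microsoft_host(host):
                findings.append(Finding("medium", line,
                    f"ActiveX control downloaded from third-party host {host}: "
                    "review whether it is still wanted"))

        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            value = body[len("AppInit_DLLs:"):].strip()
            if value:
                # AppInit_DLLs is loaded into every process that links user32.dll;
                # legitimate software rarely sets it, Vundo/Virtumonde used it for persistence.
                findings.append(Finding("high", line,
                    f"AppInit_DLLs injects {value} into every user32-linked process; "
                    "rarely set by legitimate software"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


def report(findings: List[Finding]) -> str:
    """Render findings as one line each, e.g. for pasting back into a forum reply."""
    return "\n".join(f"[{f.severity.upper():6}] {f.entry}\n         -> {f.reason}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample it reports five entries: the AppInit_DLLs line as high, the two orphaned BHOs and the real.com ActiveX download as medium, and the about:blank start page as low; the Acrobat and Spybot BHOs, the Avira Run entry, the Microsoft-hosted WGA control and the ZoneAlarm service pass through untouched, which is exactly the split in the fix list above.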

yongli2008
2008-08-23, 16:48
Hi Ken,

thank you very much for helping me!

I have already started your procedure, but will only be able to complete it on Monday.
Please have patience with me.

Have a good weekend,

Helmut

ken545
2008-08-23, 16:50
No problem, take your time. I will keep this thread open for you.

Ken:)

yongli2008
2008-08-25, 12:50
Dear Ken,

Here are the logs. I did the HijackThis and ComboFix steps twice, since after the first HijackThis run I must have overlooked O20 - AppInit_DLLs: pdsgmw.dll
(I didn't see it during the first HijackThis run) but saw it when preparing the HijackThis log for you after ComboFix, so I removed it with HijackThis, then did ComboFix and HijackThis again.
Also, I want to note that after I originally posted my problem, I installed Win XP SP3, updated to IE7 via Windows Update and reinstalled ZoneAlarm. (That was before your first reply.)

thanks again for taking the time and all the best,
yongli

ComboFix log (second run):

ComboFix 08-08-21.02 - Elke 2008-08-25 11:21:48.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.57 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Elke\Desktop\ComboFix2.exe

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

((((((((((((((((((((((( Dateien erstellt von 2008-07-25 bis 2008-08-25 ))))))))))))))))))))))))))))))
.

2008-08-25 11:09 . 2008-08-25 11:09 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-23 12:45 . 2008-08-23 15:56 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-23 12:45 . 2008-08-23 15:56 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-23 12:42 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-08-23 12:42 . 2008-07-09 09:05 54,672 --a------ C:\WINDOWS\system32\vsutil_loc0407.dll
2008-08-23 12:42 . 2008-07-09 09:05 42,384 --a------ C:\WINDOWS\zllsputility_loc0407.dll
2008-08-23 12:42 . 2008-07-09 09:05 21,904 --a------ C:\WINDOWS\system32\imsinstall_loc0407.dll
2008-08-23 12:42 . 2008-07-09 09:05 17,808 --a------ C:\WINDOWS\system32\imslsp_install_loc0407.dll
2008-08-23 12:41 . 2008-08-23 12:41 <DIR> d-------- C:\Programme\Zone Labs
2008-08-21 11:06 . 2008-08-21 11:06 <DIR> d-------- C:\WINDOWS\system32\de
2008-08-21 11:06 . 2008-08-21 11:06 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-21 10:04 . 2008-04-14 04:22 786,432 --------- C:\WINDOWS\system32\dllcache\migrate.exe
2008-08-21 10:03 . 2008-04-14 03:56 2,973,696 --------- C:\WINDOWS\system32\dllcache\wmploc.dll
2008-08-21 10:02 . 2002-12-03 18:52 660,224 --------- C:\WINDOWS\system32\dllcache\wmplayer.chm
2008-08-20 19:33 . 2008-06-23 18:14 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-20 19:33 . 2007-04-17 11:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-20 19:33 . 2007-03-08 07:09 1,040,384 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-20 19:33 . 2008-06-23 18:14 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-20 19:33 . 2008-06-23 18:14 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-20 19:33 . 2008-06-23 18:14 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-20 19:33 . 2008-06-23 18:14 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-20 19:33 . 2008-06-23 18:14 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-20 19:33 . 2008-06-23 11:20 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-20 17:11 . 2008-08-20 17:11 <DIR> d-------- C:\Programme\MSXML 6.0
2008-08-20 16:09 . 2008-06-14 19:32 273,024 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-20 16:05 . 2008-04-11 21:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-20 16:05 . 2008-05-01 16:34 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-20 16:05 . 2008-05-08 16:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-20 15:36 . 2008-08-20 15:36 <DIR> d-------- C:\ComboFix
2008-08-20 10:59 . 2008-08-20 10:59 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-08-20 10:59 . 2008-08-20 10:59 <DIR> d-------- C:\Dokumente und Einstellungen\Elke\Anwendungsdaten\Malwarebytes
2008-08-20 10:59 . 2008-08-20 10:59 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-20 10:59 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 10:59 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 18:10 . 2008-08-19 18:10 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MailFrontier
2008-08-19 18:09 . 2008-08-23 12:44 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-19 18:07 . 2008-08-19 18:07 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-08-19 17:55 . 2008-08-19 17:55 <DIR> d-------- C:\Programme\Avira
2008-08-19 17:55 . 2008-08-19 17:55 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-08-19 11:51 . 2008-08-19 11:51 <DIR> d-------- C:\VundoFix Backups
2008-08-07 20:54 . 2008-08-07 20:54 149 --a------ C:\WINDOWS\wininit.ini
2008-08-07 19:27 . 2008-08-07 19:27 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-08-07 19:27 . 2008-08-07 19:27 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 13:05 243,200 ------w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-08-23 13:05 1,343,488 ------w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-07-09 07:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:42 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:42 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:14 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 247,296 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
1999-03-11 16:22 99,840 ----a-w C:\Programme\Gemeinsame Dateien\IRAABOUT.DLL
1998-12-09 01:53 70,144 ----a-w C:\Programme\Gemeinsame Dateien\IRAMDMTR.DLL
1998-12-09 01:53 48,640 ----a-w C:\Programme\Gemeinsame Dateien\IRALPTTR.DLL
1998-12-09 01:53 31,744 ----a-w C:\Programme\Gemeinsame Dateien\IRAWEBTR.DLL
1998-12-09 01:53 186,368 ----a-w C:\Programme\Gemeinsame Dateien\IRAREG.DLL
1998-12-09 01:53 17,920 ----a-w C:\Programme\Gemeinsame Dateien\IRASRIAL.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-08-23_15.36.45.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 02:22:40 139,264 ----a-w C:\WINDOWS\system32\cscript.exe
+ 2008-05-07 09:07:24 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
+ 2008-05-07 09:07:24 135,168 ------w C:\WINDOWS\system32\dllcache\cscript.exe
+ 2008-05-09 10:54:10 512,000 ------w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2008-05-09 10:54:10 180,224 ------w C:\WINDOWS\system32\dllcache\scrobj.dll
+ 2008-05-09 10:54:10 172,032 ------w C:\WINDOWS\system32\dllcache\scrrun.dll
+ 2008-05-09 10:54:10 430,080 ------w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2008-05-08 11:24:44 155,648 ------w C:\WINDOWS\system32\dllcache\wscript.exe
+ 2008-05-09 10:54:10 90,112 ------w C:\WINDOWS\system32\dllcache\wshext.dll
- 2008-04-14 02:22:14 512,000 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2008-05-09 10:54:10 512,000 ----a-w C:\WINDOWS\system32\jscript.dll
- 2008-04-14 02:22:24 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
+ 2008-05-09 10:54:10 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
- 2008-04-14 02:22:24 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
+ 2008-05-09 10:54:10 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
- 2007-11-30 11:18:34 18,808 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:14 18,808 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-04-14 02:22:32 434,176 ----a-w C:\WINDOWS\system32\vbscript.dll
+ 2008-05-09 10:54:10 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
- 2008-04-14 02:23:06 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
+ 2008-05-08 11:24:44 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
- 2008-04-14 02:22:32 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
+ 2008-05-09 10:54:10 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:22 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-07-10 04:25 155648]
"Acronis*True*Image Monitor"="C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe" [2004-01-15 16:53 479418]
"Acronis Scheduler2 Service"="C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" [2004-01-15 16:53 65536]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"InCD"="C:\Programme\Ahead\InCD\InCD.exe" [2003-09-16 21:56 1212466]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-08-19 18:00 266497]
"ZoneAlarm Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 04:22 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msvideo"= o100vc.dll
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^ISDNWatch.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\ISDNWatch.lnk
backup=C:\WINDOWS\pss\ISDNWatch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Elke^Startmenü^Programme^Autostart^SmartSurfer.lnk]
path=C:\Dokumente und Einstellungen\Elke\Startmenü\Programme\Autostart\SmartSurfer.lnk
backup=C:\WINDOWS\pss\SmartSurfer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreePDFAssistent]
--a------ 2003-12-24 16:35 150528 C:\Programme\FreePDF\FreePDFA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2004-06-20 20:45 630854 C:\Programme\UltraVNC\winvnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\System32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2004-02-26 12:07]
R2 AntiVirMailService;Avira AntiVir Premium MailGuard;C:\Programme\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-08-19 18:00]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;C:\Programme\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE [2008-08-19 18:00]
R2 AVEService;Avira AntiVir Premium MailGuard Hilfsdienst;C:\Programme\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-08-19 18:00]
R2 AVMPORT;AVMPORT;C:\WINDOWS\system32\drivers\avmport.sys [2004-05-24 14:35]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-05-21 17:08]
R3 AVMWAN;AVM NDIS WAN CAPI-Treiber;C:\WINDOWS\system32\DRIVERS\avmwan.sys [2001-08-17 12:13]
R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI;C:\WINDOWS\system32\DRIVERS\fpcibase.sys [2001-08-17 12:14]
R3 NETFRITZ;AVM FRITZ!web PPP over ISDN;C:\WINDOWS\system32\DRIVERS\NETFRITZ.SYS [2003-02-24 10:27]
S3 AIDA32Driver;AIDA32Driver;C:\inst\aida32_sysinfo_winxp_sysutil\aida32ee_388\aida32.sys [2003-11-26 00:00]
S3 HCW848NT;Hauppauge Win/TV;C:\WINDOWS\system32\DRIVERS\hcw848nt.sys [2000-06-12 14:54]
S4 DNSerSvc;Dynamic DNS Updater;C:\inst\dnser_dyndns_client\DNSer\DNSerSvc.exe [2003-08-25 13:17]
.
.
------- Zusätzlicher Scan -------
.
O17 -: HKLM\CCS\Interface\{618E0E4E-BEBA-4888-B7A9-2A3A98638713}: NameServer = 192.168.120.252,192.168.120.253

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 11:29:01
Windows 5.1.2600 Service Pack 3 FAT NTAPI

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-08-25 11:32:20
ComboFix-quarantined-files.txt 2008-08-25 09:31:58
ComboFix2.txt 2008-08-23 13:38:30

Pre-Run: 8,919,908,352 Bytes frei
Post-Run: 8,905,244,672 Bytes frei

187 --- E O F --- 2008-08-25 09:13:05


HijackThis log (after ComboFix):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:29, on 25.08.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Programme\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Programme\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Hijackthis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205089772703
O17 - HKLM\System\CCS\Services\Tcpip\..\{618E0E4E-BEBA-4888-B7A9-2A3A98638713}: NameServer = 192.168.120.252,192.168.120.253
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: Avira AntiVir Premium Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
O23 - Service: Avira AntiVir Premium MailGuard Hilfsdienst (AVEService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 5557 bytes


First ComboFix run (earlier ComboFix run from Friday):

ComboFix 08-08-21.02 - Elke 2008-08-23 15:20:59.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.59 [GMT 2:00]
Run from: C:\Dokumente und Einstellungen\Elke\Desktop\ComboFix2.exe
* Created a new restore point

Warning - The Recovery Console is not installed on this PC !!
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\angela\Cookies\angela@komtrack[10].txt
C:\Dokumente und Einstellungen\angela\Cookies\angela@komtrack[3].txt
C:\Dokumente und Einstellungen\angela\Cookies\angela@komtrack[4].txt
C:\Dokumente und Einstellungen\angela\Cookies\angela@komtrack[8].txt
C:\Dokumente und Einstellungen\angela\Cookies\angela@komtrack[9].txt
C:\Dokumente und Einstellungen\angela\Cookies\angela@last_search[1].txt
C:\WINDOWS\system32\amhshmxv.ini
C:\WINDOWS\system32\gsehyh.dll
C:\WINDOWS\system32\ltnghfoc.dll
C:\WINDOWS\system32\nyhpvcig.ini
C:\WINDOWS\system32\pdsgmw.dll
C:\WINDOWS\system32\qabfnlta.dll
C:\WINDOWS\system32\rshkqxsw.dll
C:\WINDOWS\system32\vepjcrul.ini

.
((((((((((((((((((((((( Files Created from 2008-07-23 to 2008-08-23 ))))))))))))))))))))))))))))))
.

2008-08-23 12:45 . 2008-08-23 15:05 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-23 12:45 . 2008-08-23 15:05 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-23 12:42 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-08-23 12:42 . 2008-07-09 09:05 54,672 --a------ C:\WINDOWS\system32\vsutil_loc0407.dll
2008-08-23 12:42 . 2008-07-09 09:05 42,384 --a------ C:\WINDOWS\zllsputility_loc0407.dll
2008-08-23 12:42 . 2008-07-09 09:05 21,904 --a------ C:\WINDOWS\system32\imsinstall_loc0407.dll
2008-08-23 12:42 . 2008-07-09 09:05 17,808 --a------ C:\WINDOWS\system32\imslsp_install_loc0407.dll
2008-08-23 12:41 . 2008-08-23 12:41 <DIR> d-------- C:\Programme\Zone Labs
2008-08-21 11:06 . 2008-08-21 11:06 <DIR> d-------- C:\WINDOWS\system32\de
2008-08-21 11:06 . 2008-08-21 11:06 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-21 10:04 . 2008-04-14 04:22 786,432 --------- C:\WINDOWS\system32\dllcache\migrate.exe
2008-08-21 10:03 . 2008-04-14 03:56 2,973,696 --------- C:\WINDOWS\system32\dllcache\wmploc.dll
2008-08-21 10:02 . 2002-12-03 18:52 660,224 --------- C:\WINDOWS\system32\dllcache\wmplayer.chm
2008-08-20 19:33 . 2008-06-23 18:14 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-08-20 19:33 . 2007-04-17 11:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-08-20 19:33 . 2007-03-08 07:09 1,040,384 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-08-20 19:33 . 2008-06-23 18:14 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-08-20 19:33 . 2008-06-23 18:14 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-08-20 19:33 . 2008-06-23 18:14 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-08-20 19:33 . 2008-06-23 18:14 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-20 19:33 . 2008-06-23 18:14 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-08-20 19:33 . 2008-06-23 11:20 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-20 17:11 . 2008-08-20 17:11 <DIR> d-------- C:\Programme\MSXML 6.0
2008-08-20 16:09 . 2008-06-14 19:32 273,024 --------- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-20 16:05 . 2008-04-11 21:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-20 16:05 . 2008-05-01 16:34 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-20 16:05 . 2008-05-08 16:02 203,136 --------- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-08-20 15:36 . 2008-08-20 15:36 <DIR> d-------- C:\ComboFix
2008-08-20 10:59 . 2008-08-20 10:59 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-08-20 10:59 . 2008-08-20 10:59 <DIR> d-------- C:\Dokumente und Einstellungen\Elke\Anwendungsdaten\Malwarebytes
2008-08-20 10:59 . 2008-08-20 10:59 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-20 10:59 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-20 10:59 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-19 18:10 . 2008-08-19 18:10 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MailFrontier
2008-08-19 18:09 . 2008-08-23 12:44 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-19 18:07 . 2008-08-19 18:07 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-08-19 17:55 . 2008-08-19 17:55 <DIR> d-------- C:\Programme\Avira
2008-08-19 17:55 . 2008-08-19 17:55 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-08-19 11:51 . 2008-08-19 11:51 <DIR> d-------- C:\VundoFix Backups
2008-08-07 20:54 . 2008-08-07 20:54 149 --a------ C:\WINDOWS\wininit.ini
2008-08-07 19:27 . 2008-08-07 19:27 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-08-07 19:27 . 2008-08-07 19:27 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-23 13:05 243,200 ------w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-08-23 13:05 1,343,488 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-07-09 07:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-06-24 16:42 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:42 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:14 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 247,296 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
1999-03-11 16:22 99,840 ----a-w C:\Programme\Gemeinsame Dateien\IRAABOUT.DLL
1998-12-09 01:53 70,144 ----a-w C:\Programme\Gemeinsame Dateien\IRAMDMTR.DLL
1998-12-09 01:53 48,640 ----a-w C:\Programme\Gemeinsame Dateien\IRALPTTR.DLL
1998-12-09 01:53 31,744 ----a-w C:\Programme\Gemeinsame Dateien\IRAWEBTR.DLL
1998-12-09 01:53 186,368 ----a-w C:\Programme\Gemeinsame Dateien\IRAREG.DLL
1998-12-09 01:53 17,920 ----a-w C:\Programme\Gemeinsame Dateien\IRASRIAL.DLL
.

(((((((((((((((((((((((((((( Registry Autostart Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:22 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-07-10 04:25 155648]
"Acronis*True*Image Monitor"="C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe" [2004-01-15 16:53 479418]
"Acronis Scheduler2 Service"="C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" [2004-01-15 16:53 65536]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"InCD"="C:\Programme\Ahead\InCD\InCD.exe" [2003-09-16 21:56 1212466]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-08-19 18:00 266497]
"ZoneAlarm Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 04:22 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pdsgmw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msvideo"= o100vc.dll
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^ISDNWatch.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\ISDNWatch.lnk
backup=C:\WINDOWS\pss\ISDNWatch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Elke^Startmenü^Programme^Autostart^SmartSurfer.lnk]
path=C:\Dokumente und Einstellungen\Elke\Startmenü\Programme\Autostart\SmartSurfer.lnk
backup=C:\WINDOWS\pss\SmartSurfer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreePDFAssistent]
--a------ 2003-12-24 16:35 150528 C:\Programme\FreePDF\FreePDFA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC]
--a------ 2004-06-20 20:45 630854 C:\Programme\UltraVNC\winvnc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\System32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2004-02-26 12:07]
R2 AntiVirMailService;Avira AntiVir Premium MailGuard;C:\Programme\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-08-19 18:00]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;C:\Programme\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE [2008-08-19 18:00]
R2 AVEService;Avira AntiVir Premium MailGuard Hilfsdienst;C:\Programme\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-08-19 18:00]
R2 AVMPORT;AVMPORT;C:\WINDOWS\system32\drivers\avmport.sys [2004-05-24 14:35]
R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.SYS [2004-05-21 17:08]
R3 AVMWAN;AVM NDIS WAN CAPI-Treiber;C:\WINDOWS\system32\DRIVERS\avmwan.sys [2001-08-17 12:13]
R3 fpcibase;AVM ISDN-Controller FRITZ!Card PCI;C:\WINDOWS\system32\DRIVERS\fpcibase.sys [2001-08-17 12:14]
R3 NETFRITZ;AVM FRITZ!web PPP over ISDN;C:\WINDOWS\system32\DRIVERS\NETFRITZ.SYS [2003-02-24 10:27]
S3 AIDA32Driver;AIDA32Driver;C:\inst\aida32_sysinfo_winxp_sysutil\aida32ee_388\aida32.sys [2003-11-26 00:00]
S3 HCW848NT;Hauppauge Win/TV;C:\WINDOWS\system32\DRIVERS\hcw848nt.sys [2000-06-12 14:54]
S4 DNSerSvc;Dynamic DNS Updater;C:\inst\dnser_dyndns_client\DNSer\DNSerSvc.exe [2003-08-25 13:17]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
O17 -: HKLM\CCS\Interface\{618E0E4E-BEBA-4888-B7A9-2A3A98638713}: NameServer = 192.168.120.252,192.168.120.253

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 15:35:11
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 15:38:25
ComboFix-quarantined-files.txt 2008-08-23 13:38:14

Pre-Run: 7,826,866,176 bytes free
Post-Run: 9,005,449,216 bytes free

179
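The two HijackThis logs and the ComboFix autostart dump above are the raw material a helper reads by eye: the `AppInit_DLLs` value (`pdsgmw.dll`) and the randomly named DLLs in `system32` are what marked the machine as still infected before ComboFix removed them. The following is an added example, not code from the thread's posters or from the HijackThis project, that parses a HijackThis-style log into `(code, detail)` entries and applies three checks: any non-empty `O20 - AppInit_DLLs` value, random-looking file names under `system32`, and `O17` name servers outside private address space. The checks, the allowlist and the "looks random" heuristic are assumptions chosen for illustration, not HijackThis rules, and the sample log is constructed to resemble this thread's pre-cleanup state (the CLSIDs on the unnamed BHOs are placeholders).

```python
"""Parse a HijackThis 2.x log and flag entries worth a second look.

Added example for this thread; not code from the forum posters or from
HijackThis. The checks are assumptions chosen for illustration, not
HijackThis's own rules: any AppInit_DLLs value, random-looking file names
under system32, and DNS servers outside private ranges. A hit means
"verify this file/setting", not "this is malware".
"""
import ipaddress
import re
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|sys)\b", re.IGNORECASE)
VOWELS = set("aeiou")

# Legitimate system32 binaries that the crude name test would otherwise flag
# (several appear in the log above). Extend it for the machine being examined.
KNOWN_SYSTEM32 = {
    "smss.exe", "csrss.exe", "lsass.exe", "svchost.exe", "ctfmon.exe",
    "spoolsv.exe", "winlogon.exe", "rundll32.exe", "wuauclt.exe",
    "igfxtray.exe", "vsmon.exe",
}

# Constructed sample modelled on the thread's logs (pre-cleanup state);
# the all-zero CLSIDs are placeholders, the DLL names are the ones ComboFix deleted.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\pdsgmw.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\rshkqxsw.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{618E0E4E-BEBA-4888-B7A9-2A3A98638713}: NameServer = 192.168.120.252,192.168.120.253
O17 - HKLM\System\CS1\Services\Tcpip\..\{618E0E4E-BEBA-4888-B7A9-2A3A98638713}: NameServer = 8.8.8.8
O20 - AppInit_DLLs: pdsgmw.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (code, detail) pairs for every 'Rx - ...' / 'Oxx - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("detail")))
    return entries


def looks_random(filename: str) -> bool:
    """Crude stand-in for entropy: a 5-8 letter stem with almost no vowels or
    a run of four or more consonants. Tuned to the names in this thread
    (pdsgmw, rshkqxsw, ltnghfoc, qabfnlta); expect false positives."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not (5 <= len(stem) <= 8 and stem.isalpha()):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_consonant_run = max(len(run) for run in re.split("[aeiou]", stem))
    return vowel_ratio < 0.2 or longest_consonant_run >= 4


def review(text: str) -> Dict[str, List[str]]:
    """Apply the three checks and return what each one flagged."""
    findings: Dict[str, List[str]] = {"appinit": [], "random_name": [], "public_dns": []}
    for code, detail in parse_hjt(text):
        # AppInit_DLLs is loaded into every process that links user32.dll;
        # on a home XP box a non-empty value is almost never legitimate.
        if code == "O20" and detail.startswith("AppInit_DLLs:"):
            value = detail.split(":", 1)[1].strip()
            if value:
                findings["appinit"].append(value)
        for path in PATH_RE.findall(detail):
            parts = path.split("\\")
            in_system32 = any(p.lower() == "system32" for p in parts[:-1])
            name = parts[-1].lower()
            if in_system32 and name not in KNOWN_SYSTEM32 and looks_random(name):
                findings["random_name"].append(path)
        # O17 lists the DNS servers; anything outside RFC 1918 space should be
        # one you recognise (ISP or chosen resolver), otherwise it is a hijack candidate.
        if code == "O17" and "NameServer =" in detail:
            for server in detail.split("NameServer =", 1)[1].split(","):
                try:
                    addr = ipaddress.ip_address(server.strip())
                except ValueError:
                    continue
                if not addr.is_private:
                    findings["public_dns"].append(str(addr))
    return findings


if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG).items():
        print(f"{check:12s} {hits}")
```

On the constructed sample this reports `pdsgmw.dll` under `appinit`, both `system32` DLLs under `random_name` (while `igfxtray.exe`, which also trips the name test, is passed by the allowlist), and `8.8.8.8` under `public_dns` because it is not an RFC 1918 address, which is exactly the point: a public resolver may be fine, but it should be one you chose. Hits are a to-do list for file-hash lookups and a Properties check, not a verdict.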

ken545
2008-08-25, 14:09
Hello,

Logs looking good :bigthumb:


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.





Malwarebytes<-- This is yours to keep, check for updates and run a scan now and then.

ATF Cleaner <-- This is also yours to keep, run it a few times a month to keep your system nice and clean

Combofix <-- This is not a general all purpose cleaning tool, do not download and run it without supervision


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



How are things running now ???

yongli2008
2008-08-26, 14:56
Hi Ken,

I have performed the steps from your latest advice.
As a conclusion I have done a final run with malwarebytes.
Computer performs normally.
Thank you very much for taking the time and helping me.
Thank you also from my Mom.
We have installed
Avira AntiVir Premium 2008 and the latest version of the free ZoneAlarm. (Only have to teach my mom how to cope with the confirmation messages popping up.)
Spybot (Teatimer) is also running.
IE 7, XP SP3 and the latest updates are also installed.
Do you have any additional suggestions for us?

All the best,
Yongli

ken545
2008-08-26, 19:15
That's great Yongli :bigthumb:

Have patience with your mom, take your time and teach her some safe surfing tips.



How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall are recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster (Recommended), you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

yongli2008
2008-08-27, 18:44
Thanks again Ken, for your treasure box of information.

All the best,

Yongli

ken545
2008-08-27, 19:15
You're very welcome, glad we could help.

Ken:)