Virus.Win32.Hidrag.a ??

[BlackDragon~]

also folgendes:
kaspersky meint ich hab 179 von "Virus.Win32.Hidrag.a" verseuchte dateien.. die ich allerdings nicht desinfizieren kann..
desweiteren hab ich bei Firefox das problem das sich ständig popups öffnen.. alle von der selben art glaub ich.. habs auch mal mit opera versucht bin dann aber wieder zu FF gewechselt..

Popups:
http://www.wild-savings.com/tau.html
http://www.announceme-nt.com/tau.html
http://www.redemption-slip.com/tau.html

http://virus-protect.org/cleanup.html

erledigt

http://virus-protect.org/datfindbat.html

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: A843-87B7

Verzeichnis von C:\WINDOWS\system32

22.05.2006 19:01 237.072 h60q0gd5e60.dll
22.05.2006 19:01 236.566 guard.tmp
22.05.2006 18:32 41.108 vsconfig.xml
22.05.2006 18:31 236.566 cffgnt.dll
22.05.2006 18:24 234.018 ir20l5fm1.dll
22.05.2006 17:59 236.566 h44m0eh1eh4.dll
22.05.2006 17:35 236.566 dh32gt.dll
22.05.2006 17:20 234.018 qpdit.dll
22.05.2006 07:24 237.145 lvpq0975e.dll
21.05.2006 21:11 1.632 d3d8caps.dat
21.05.2006 21:02 236.566 n4p40e7qeh.dll
21.05.2006 10:19 236.566 iusutil.dll
19.05.2006 13:31 0 atmtd.dll.tmp
19.05.2006 07:00 236.566 dZdrm.dll
18.05.2006 16:56 236.187 en6sl1j71.dll
18.05.2006 09:04 236.187 qVps0a77ed.dll
16.05.2006 07:30 236.591 p4r40e9qeh.dll
15.05.2006 17:30 236.187 dblayx.dll
14.05.2006 09:43 236.187 buowsewm.dll
12.05.2006 19:36 235.427 l4p20e7oeh.dll
12.05.2006 13:31 235.427 wciscmgr.dll
11.05.2006 13:29 236.187 lgrmonui.dll
10.05.2006 20:47 670.264 FNTCACHE.DAT
10.05.2006 13:29 235.427 nftapi.dll
08.05.2006 19:04 233.778 ksdusx.dll
07.05.2006 21:27 234.003 enj8l11u1.dll
07.05.2006 10:15 234.003 wynscard.dll
06.05.2006 16:23 234.003 mbacm.dll
06.05.2006 16:03 234.178 hrnu0559e.dll
06.05.2006 15:49 174.872 wuauclt1.exe
06.05.2006 15:49 330.240 netsetup.exe
06.05.2006 15:49 127.078 javaws.exe
06.05.2006 15:49 110.592 AegisI5.exe
06.05.2006 13:06 234.178 mvwebdvd.dll
06.05.2006 12:46 236.185 lt0027dmg.dll
06.05.2006 12:11 234.271 lt4027hmg.dll
06.05.2006 11:03 236.943 dVnim.dll
06.05.2006 10:59 236.943 mmexcl40.dll
06.05.2006 10:59 237.237 n4r20e9oeh.dll
06.05.2006 10:58 236.943 flntext.dll
06.05.2006 10:55 235.661 n02u0af9ed2.dll
06.05.2006 10:55 235.057 sipblb.dll
06.05.2006 10:49 235.057 uurdtea.dll
06.05.2006 10:49 235.827 q0ps0a77ed.dll
06.05.2006 09:45 234.272 vpdex.dll
06.05.2006 09:44 2 stera.log
05.05.2006 19:39 234.272 jzsd400.dll
05.05.2006 19:39 234.556 m4820eloehqc0.dll
05.05.2006 18:57 38.925 cbaxw.dll
04.05.2006 06:26 5.818.784 MRT.exe
28.04.2006 18:00 2.206 wpa.dbl
26.04.2006 19:53 7.006 jupdate-1.5.0_06-b05.log
23.04.2006 17:23 4.212 zllictbl.dat
23.04.2006 16:22 0 TFTP1896
22.04.2006 18:14 0 h323log.txt
22.04.2006 17:36 311.740 perfh009.dat
22.04.2006 17:36 40.128 perfc009.dat
22.04.2006 17:36 48.354 perfc007.dat
22.04.2006 17:36 316.924 perfh007.dat
22.04.2006 17:36 723.744 PerfStringBackup.INI
22.04.2006 17:30 25.065 wmpscheme.xml
22.04.2006 17:28 261 $winnt$.inf
22.04.2006 17:22 2.951 CONFIG.NT
22.04.2006 17:22 16.832 amcompat.tlb
22.04.2006 17:22 23.392 nscompat.tlb
22.04.2006 17:20 488 logonui.exe.manifest
22.04.2006 17:20 488 WindowsLogon.manifest
22.04.2006 17:20 749 cdplayer.exe.manifest
22.04.2006 17:20 749 sapi.cpl.manifest
22.04.2006 17:20 749 nwc.cpl.manifest
22.04.2006 17:20 749 wuaucpl.cpl.manifest
22.04.2006 17:20 749 ncpa.cpl.manifest
22.04.2006 17:17 21.740 emptyregdb.dat
22.03.2006 17:46 2.702.336 MSHTML.DLL
22.03.2006 03:29 612.352 xpsp2res.dll
21.03.2006 15:36 1.339.392 SHDOCVW.DLL
17.03.2006 07:03 8.392.192 shell32.dll
17.03.2006 02:49 25.600 verclsid.exe
16.03.2006 11:34 71.448 zlcommdb.dll
16.03.2006 11:34 79.640 zlcomm.dll
16.03.2006 11:33 100.120 vsxml.dll
16.03.2006 11:33 382.744 vsutil.dll
16.03.2006 11:33 71.448 vsregexp.dll
16.03.2006 11:33 227.096 vspubapi.dll
16.03.2006 11:33 104.216 vsmonapi.dll
16.03.2006 11:33 141.080 vsinit.dll
16.03.2006 11:33 372.824 vsdatant.sys
16.03.2006 11:32 83.736 vsdata.dll
16.03.2006 11:16 54.960 vsutil_loc0407.dll
03.03.2006 15:46 498.176 MSTIME.DLL
03.03.2006 15:46 462.848 URLMON.DLL
01.03.2006 21:44 150.528 msdtcuiu.dll
01.03.2006 21:44 11.776 xolehlp.dll
01.03.2006 21:44 64.512 mtxclu.dll
01.03.2006 21:44 368.640 msdtcprx.dll
01.03.2006 21:44 974.336 msdtctm.dll
01.03.2006 21:44 83.456 mtxoci.dll
27.02.2006 14:25 50.688 INETRES.DLL
27.02.2006 14:25 229.376 MSOEACCT.DLL
27.02.2006 14:25 44.032 MSIDENT.DLL
27.02.2006 13:31 596.480 INETCOMM.DLL
27.02.2006 13:31 91.136 MSOERT2.DLL
24.02.2006 15:20 582.144 WININET.DLL
24.02.2006 15:20 236.032 IEPEERS.DLL
24.02.2006 14:24 192.512 DXTRANS.DLL
04.01.2006 05:37 64.000 webclnt.dll
03.01.2006 00:38 260.608 gdi32.dll


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: A843-87B7

Verzeichnis von C:\DOKUME~1\Frank\LOKALE~1\Temp

22.05.2006 19:03 32.768 ~DFA19B.tmp
22.05.2006 18:33 32.768 ~DF4DAF.tmp
2 Datei(en) 65.536 Bytes
0 Verzeichnis(se), 3.925.487.616 Bytes frei


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: A843-87B7

Verzeichnis von C:\WINDOWS

22.05.2006 18:38 1.119.461 WindowsUpdate.log
22.05.2006 18:32 0 0.log
22.05.2006 18:31 2.048 bootstat.dat
22.05.2006 18:26 24.892 SchedLgU.Txt
22.05.2006 18:11 472 win.ini
22.05.2006 18:11 227 system.ini
21.05.2006 21:11 111 clientshell.INI
21.05.2006 14:36 113 wmsetup.log
21.05.2006 12:12 246.119 setupapi.log
14.05.2006 23:48 50 wiaservc.log
14.05.2006 23:48 216 wiadebug.log
13.05.2006 12:40 29 standard.sta
12.05.2006 19:30 284.573 iis6.log
12.05.2006 19:30 88.220 comsetup.log
12.05.2006 19:30 53.449 ntdtcsetup.log
12.05.2006 19:30 121.432 tsoc.log
12.05.2006 19:30 13.373 tabletoc.log
12.05.2006 19:30 1.374 imsins.log
12.05.2006 19:30 13.590 KB913580.log
12.05.2006 19:30 46.569 netfxocm.log
12.05.2006 19:30 9.116 ocmsn.log
12.05.2006 19:30 132.655 ocgen.log
12.05.2006 19:30 13.049 msgsocm.log
12.05.2006 19:30 265.856 FaxSetup.log
12.05.2006 19:29 80.272 msmqinst.log
12.05.2006 19:29 18.985 updspapi.log
10.05.2006 15:42 403 ODBC.INI
08.05.2006 19:01 1.355 imsins.BAK



Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: A843-87B7

Verzeichnis von C:\

22.05.2006 19:33 0 sys.txt
22.05.2006 19:32 7.276 system.txt
22.05.2006 19:32 341 systemtemp.txt
22.05.2006 19:31 93.271 system32.txt
22.05.2006 18:43 4.914 hijackthis.log
22.05.2006 18:31 536.399.872 hiberfil.sys
22.05.2006 18:31 805.306.368 pagefile.sys
22.05.2006 18:11 194 boot.ini
19.05.2006 21:46 32.058.805 resolve.log
13.05.2006 11:44 0 logwmemory.bin
06.05.2006 11:51 0 tool5.exe
06.05.2006 11:49 0 tool4.exe
06.05.2006 11:48 0 tool3.exe
06.05.2006 11:46 0 tool1.exe
06.05.2006 11:44 0 toolbar.exe
06.05.2006 11:40 0 country.exe
06.05.2006 11:38 0 tool2.exe
06.05.2006 11:36 0 kl1.exe
06.05.2006 11:36 0 uniq
02.05.2006 07:25 42.496 t9.exe
22.04.2006 17:22 0 IO.SYS
22.04.2006 17:22 0 CONFIG.SYS
22.04.2006 17:22 0 MSDOS.SYS
22.04.2006 17:22 0 AUTOEXEC.BAT

Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 19:34:08, on 22.05.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\mapping\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Strato\Strato.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Winamp\winamp.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.strato.de/dsl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.strato.de/dsl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von Strato DSL
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\mapping\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\mapping\svchost.exe
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\System32\cbaxw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Microsoft (R) Windows Connection Mapping Service] C:\WINDOWS\mapping\svchost.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Verknüpfung mit Strato DSL.lnk = ?
O4 - Startup: Zone Labs Security.lnk = C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.strato.de/dsl/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6484808861
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1FCBFAA-BB04-44A8-A3FD-D876BE5F30EB}: NameServer = 194.97.173.124 194.97.173.125
O20 - Winlogon Notify: cbaxw - C:\WINDOWS\SYSTEM32\cbaxw.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\h44m0eh1eh4.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: asn_workshop - Unknown owner - C:\WINDOWS\asn_workshop (file missing)
O23 - Service: Windows Connection Mapping Service (cmapsvc) - Unknown owner - C:\WINDOWS\mapping\svchost.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Programme\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: Kaspersky Anti-Virus service (kavsvc) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

hoffe das ihr mir helfen könnt..

[Nikita]

1.
Arbeitsplatz-->Rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.

2.
Look2Me-Destroyer V1.0.5 anwenden
http://virus-protect.org/l2mfix.html

3.
poste dieses Log und noch mal die 4 Logs von datfindbat

4.
ServiceFilter.zip
http://virus-protect.org/artikel/tools/ ... Filter.zip

- entzippen
- doppelklick auf die datei ServiceFilter.vbs
- versions-nummer bestätigen
- scannen
- öffnen von wordpad oder editor erlauben
- POST_THIS.TXT abkopieren

[BlackDragon~]

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 24.05.2006 11:56:03

Infected! C:\WINDOWS\system32\p0p60a7sed.dll
Infected! C:\WINDOWS\system32\buowsewm.dll
Infected! C:\WINDOWS\system32\cffgnt.dll
Infected! C:\WINDOWS\system32\dblayx.dll
Infected! C:\WINDOWS\system32\dh32gt.dll
Infected! C:\WINDOWS\system32\dVnim.dll
Infected! C:\WINDOWS\system32\dZdrm.dll
Infected! C:\WINDOWS\system32\en6sl1j71.dll
Infected! C:\WINDOWS\system32\enj8l11u1.dll
Infected! C:\WINDOWS\system32\f40o0ed3eh0.dll
Infected! C:\WINDOWS\system32\flntext.dll
Infected! C:\WINDOWS\system32\h60q0gd5e60.dll
Infected! C:\WINDOWS\system32\hrl8053ue.dll
Infected! C:\WINDOWS\system32\hrnu0559e.dll
Infected! C:\WINDOWS\system32\ir20l5fm1.dll
Infected! C:\WINDOWS\system32\iusutil.dll
Infected! C:\WINDOWS\system32\j6l4lg3q16.dll
Infected! C:\WINDOWS\system32\jzsd400.dll
Infected! C:\WINDOWS\system32\ksdusx.dll
Infected! C:\WINDOWS\system32\l4p20e7oeh.dll
Infected! C:\WINDOWS\system32\lgrmonui.dll
Infected! C:\WINDOWS\system32\lsadperf.dll
Infected! C:\WINDOWS\system32\lt0027dmg.dll
Infected! C:\WINDOWS\system32\lt4027hmg.dll
Infected! C:\WINDOWS\system32\lvpq0975e.dll
Infected! C:\WINDOWS\system32\m4820eloehqc0.dll
Infected! C:\WINDOWS\system32\mbacm.dll
Infected! C:\WINDOWS\system32\mmexcl40.dll
Infected! C:\WINDOWS\system32\mvwebdvd.dll
Infected! C:\WINDOWS\system32\n02u0af9ed2.dll
Infected! C:\WINDOWS\system32\n4p40e7qeh.dll
Infected! C:\WINDOWS\system32\n4r20e9oeh.dll
Infected! C:\WINDOWS\system32\nftapi.dll
Infected! C:\WINDOWS\system32\oubccu32.dll
Infected! C:\WINDOWS\system32\p4r40e9qeh.dll
Infected! C:\WINDOWS\system32\py.dll
Infected! C:\WINDOWS\system32\q0ps0a77ed.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\p0p60a7sed.dll
C:\WINDOWS\system32\p0p60a7sed.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\buowsewm.dll
C:\WINDOWS\system32\buowsewm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\cffgnt.dll
C:\WINDOWS\system32\cffgnt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dblayx.dll
C:\WINDOWS\system32\dblayx.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dh32gt.dll
C:\WINDOWS\system32\dh32gt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dVnim.dll
C:\WINDOWS\system32\dVnim.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dZdrm.dll
C:\WINDOWS\system32\dZdrm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\en6sl1j71.dll
C:\WINDOWS\system32\en6sl1j71.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enj8l11u1.dll
C:\WINDOWS\system32\enj8l11u1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\f40o0ed3eh0.dll
C:\WINDOWS\system32\f40o0ed3eh0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\flntext.dll
C:\WINDOWS\system32\flntext.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\h60q0gd5e60.dll
C:\WINDOWS\system32\h60q0gd5e60.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrl8053ue.dll
C:\WINDOWS\system32\hrl8053ue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrnu0559e.dll
C:\WINDOWS\system32\hrnu0559e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir20l5fm1.dll
C:\WINDOWS\system32\ir20l5fm1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\iusutil.dll
C:\WINDOWS\system32\iusutil.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j6l4lg3q16.dll
C:\WINDOWS\system32\j6l4lg3q16.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\jzsd400.dll
C:\WINDOWS\system32\jzsd400.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ksdusx.dll
C:\WINDOWS\system32\ksdusx.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l4p20e7oeh.dll
C:\WINDOWS\system32\l4p20e7oeh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lgrmonui.dll
C:\WINDOWS\system32\lgrmonui.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lsadperf.dll
C:\WINDOWS\system32\lsadperf.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lt0027dmg.dll
C:\WINDOWS\system32\lt0027dmg.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lt4027hmg.dll
C:\WINDOWS\system32\lt4027hmg.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lvpq0975e.dll
C:\WINDOWS\system32\lvpq0975e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\m4820eloehqc0.dll
C:\WINDOWS\system32\m4820eloehqc0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mbacm.dll
C:\WINDOWS\system32\mbacm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mmexcl40.dll
C:\WINDOWS\system32\mmexcl40.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mvwebdvd.dll
C:\WINDOWS\system32\mvwebdvd.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n02u0af9ed2.dll
C:\WINDOWS\system32\n02u0af9ed2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n4p40e7qeh.dll
C:\WINDOWS\system32\n4p40e7qeh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n4r20e9oeh.dll
C:\WINDOWS\system32\n4r20e9oeh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nftapi.dll
C:\WINDOWS\system32\nftapi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\oubccu32.dll
C:\WINDOWS\system32\oubccu32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\p4r40e9qeh.dll
C:\WINDOWS\system32\p4r40e9qeh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\py.dll
C:\WINDOWS\system32\py.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\q0ps0a77ed.dll
C:\WINDOWS\system32\q0ps0a77ed.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2D0D911B-E10A-43FA-A2F2-F3E9A2CAC264}"
HKCR\Clsid\{2D0D911B-E10A-43FA-A2F2-F3E9A2CAC264}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{177F1B8E-003B-4984-9B05-E17772E69F71}"
HKCR\Clsid\{177F1B8E-003B-4984-9B05-E17772E69F71}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{41400689-3ACE-4CCF-8DCA-77E0E2988D3B}"
HKCR\Clsid\{41400689-3ACE-4CCF-8DCA-77E0E2988D3B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{AC9CDFD3-1059-4063-A45D-BAF164BFF3AB}"
HKCR\Clsid\{AC9CDFD3-1059-4063-A45D-BAF164BFF3AB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3C564DC6-69CF-4A77-A48A-785528B9043B}"
HKCR\Clsid\{3C564DC6-69CF-4A77-A48A-785528B9043B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{34303CDC-1AB2-4A2F-A307-0A865FB00160}"
HKCR\Clsid\{34303CDC-1AB2-4A2F-A307-0A865FB00160}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CDF579FE-6C66-4B38-921A-1EF6FCD1C908}"
HKCR\Clsid\{CDF579FE-6C66-4B38-921A-1EF6FCD1C908}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{70E1DB9F-53A4-4A2F-B5ED-2CC54C834544}"
HKCR\Clsid\{70E1DB9F-53A4-4A2F-B5ED-2CC54C834544}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administratoren - Succeeded



Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: A843-87B7

Verzeichnis von C:\WINDOWS\system32

24.05.2006 12:07 41.108 vsconfig.xml
24.05.2006 07:46 233.720 q6pslg7716.dll
22.05.2006 20:24 1.632 d3d8caps.dat
22.05.2006 17:20 234.018 qpdit.dll
19.05.2006 13:31 0 atmtd.dll.tmp
18.05.2006 09:04 236.187 qVps0a77ed.dll
12.05.2006 13:31 235.427 wciscmgr.dll
10.05.2006 20:47 670.264 FNTCACHE.DAT
07.05.2006 10:15 234.003 wynscard.dll
06.05.2006 15:49 174.872 wuauclt1.exe
06.05.2006 15:49 330.240 netsetup.exe
06.05.2006 15:49 127.078 javaws.exe
06.05.2006 15:49 110.592 AegisI5.exe
06.05.2006 10:55 235.057 sipblb.dll
06.05.2006 10:49 235.057 uurdtea.dll
06.05.2006 09:45 234.272 vpdex.dll
06.05.2006 09:44 2 stera.log
05.05.2006 18:57 38.925 cbaxw.dll
04.05.2006 06:26 5.818.784 MRT.exe
28.04.2006 18:00 2.206 wpa.dbl
26.04.2006 19:53 7.006 jupdate-1.5.0_06-b05.log
23.04.2006 17:23 4.212 zllictbl.dat
23.04.2006 16:22 0 TFTP1896
22.04.2006 18:14 0 h323log.txt
22.04.2006 17:36 311.740 perfh009.dat
22.04.2006 17:36 40.128 perfc009.dat
22.04.2006 17:36 316.924 perfh007.dat
22.04.2006 17:36 48.354 perfc007.dat
22.04.2006 17:36 723.744 PerfStringBackup.INI
22.04.2006 17:30 25.065 wmpscheme.xml
22.04.2006 17:28 261 $winnt$.inf
22.04.2006 17:22 2.951 CONFIG.NT
22.04.2006 17:22 16.832 amcompat.tlb
22.04.2006 17:22 23.392 nscompat.tlb
22.04.2006 17:20 488 logonui.exe.manifest
22.04.2006 17:20 488 WindowsLogon.manifest
22.04.2006 17:20 749 wuaucpl.cpl.manifest
22.04.2006 17:20 749 cdplayer.exe.manifest
22.04.2006 17:20 749 sapi.cpl.manifest
22.04.2006 17:20 749 nwc.cpl.manifest
22.04.2006 17:20 749 ncpa.cpl.manifest
22.04.2006 17:17 21.740 emptyregdb.dat
22.03.2006 17:46 2.702.336 MSHTML.DLL
22.03.2006 03:29 612.352 xpsp2res.dll
21.03.2006 15:36 1.339.392 SHDOCVW.DLL
17.03.2006 07:03 8.392.192 shell32.dll
17.03.2006 02:49 25.600 verclsid.exe
16.03.2006 11:34 71.448 zlcommdb.dll
16.03.2006 11:34 79.640 zlcomm.dll
16.03.2006 11:33 100.120 vsxml.dll
16.03.2006 11:33 382.744 vsutil.dll
16.03.2006 11:33 71.448 vsregexp.dll
16.03.2006 11:33 227.096 vspubapi.dll
16.03.2006 11:33 104.216 vsmonapi.dll
16.03.2006 11:33 141.080 vsinit.dll
16.03.2006 11:33 372.824 vsdatant.sys
16.03.2006 11:32 83.736 vsdata.dll
16.03.2006 11:16 54.960 vsutil_loc0407.dll
03.03.2006 15:46 498.176 MSTIME.DLL
03.03.2006 15:46 462.848 URLMON.DLL
01.03.2006 21:44 150.528 msdtcuiu.dll
01.03.2006 21:44 974.336 msdtctm.dll
01.03.2006 21:44 368.640 msdtcprx.dll
01.03.2006 21:44 83.456 mtxoci.dll
01.03.2006 21:44 11.776 xolehlp.dll
01.03.2006 21:44 64.512 mtxclu.dll
27.02.2006 14:25 229.376 MSOEACCT.DLL
27.02.2006 14:25 44.032 MSIDENT.DLL
27.02.2006 14:25 50.688 INETRES.DLL
27.02.2006 13:31 596.480 INETCOMM.DLL
27.02.2006 13:31 91.136 MSOERT2.DLL
24.02.2006 15:20 236.032 IEPEERS.DLL
24.02.2006 15:20 582.144 WININET.DLL
24.02.2006 14:24 192.512 DXTRANS.DLL


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: A843-87B7

Verzeichnis von C:\DOKUME~1\Frank\LOKALE~1\Temp

24.05.2006 12:08 32.768 ~DF3357.tmp
24.05.2006 11:48 32.768 ~DF45C9.tmp
24.05.2006 07:03 32.768 ~DF49F5.tmp
23.05.2006 21:55 832 java_install_reg.log
23.05.2006 20:36 2 Twain001.Mtx
23.05.2006 20:36 0 TWAIN.LOG
23.05.2006 19:24 32.768 ~DF8C9.tmp
23.05.2006 15:19 32.768 ~DFCA66.tmp
8 Datei(en) 164.674 Bytes
0 Verzeichnis(se), 1.258.614.784 Bytes frei


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: A843-87B7

Verzeichnis von C:\WINDOWS

24.05.2006 12:07 0 0.log
24.05.2006 12:07 1.168.337 WindowsUpdate.log
24.05.2006 12:06 2.048 bootstat.dat
24.05.2006 07:47 26.544 SchedLgU.Txt
22.05.2006 20:23 111 clientshell.INI
22.05.2006 18:11 472 win.ini
22.05.2006 18:11 227 system.ini
21.05.2006 14:36 113 wmsetup.log
21.05.2006 12:12 246.119 setupapi.log
14.05.2006 23:48 50 wiaservc.log
14.05.2006 23:48 216 wiadebug.log
13.05.2006 12:40 29 standard.sta
12.05.2006 19:30 284.573 iis6.log
12.05.2006 19:30 88.220 comsetup.log
12.05.2006 19:30 53.449 ntdtcsetup.log
12.05.2006 19:30 121.432 tsoc.log
12.05.2006 19:30 13.373 tabletoc.log
12.05.2006 19:30 1.374 imsins.log
12.05.2006 19:30 13.590 KB913580.log
12.05.2006 19:30 46.569 netfxocm.log
12.05.2006 19:30 9.116 ocmsn.log
12.05.2006 19:30 132.655 ocgen.log
12.05.2006 19:30 13.049 msgsocm.log
12.05.2006 19:30 265.856 FaxSetup.log
12.05.2006 19:29 80.272 msmqinst.log
12.05.2006 19:29 18.985 updspapi.log
10.05.2006 15:42 403 ODBC.INI
08.05.2006 19:01 1.355 imsins.BAK
08.05.2006 19:01 43.490 KB899587.log
08.05.2006 19:01 42.592 KB896422.log
08.05.2006 19:00 43.657 KB885835.log
08.05.2006 19:00 39.665 KB885836.log
08.05.2006 18:59 40.492 KB911927.log
08.05.2006 18:59 641 xpsp1hfm.log
08.05.2006 18:59 34.876 KB835732.log
08.05.2006 18:58 35.992 KB901017.log
08.05.2006 18:57 26.171 KB911565.log
08.05.2006 18:57 36.406 KB899591.log
08.05.2006 18:56 37.789 KB896424.log
08.05.2006 18:56 36.719 KB893756.log
08.05.2006 18:56 35.810 KB911562.log
08.05.2006 18:55 34.341 KB896423.log
08.05.2006 18:55 26.488 KB912812-IE6SP1-20060322.182418.log
08.05.2006 18:54 31.557 KB873339.log
08.05.2006 18:53 25.336 KB914798.log
08.05.2006 18:53 31.769 KB888113.log
08.05.2006 18:52 33.354 KB896358.log
08.05.2006 18:51 27.405 KB910437.log
08.05.2006 18:51 28.573 KB905495.log
08.05.2006 18:50 22.141 KB911564.log
08.05.2006 18:50 35.828 KB902400.log
08.05.2006 18:48 24.010 KB891781.log
08.05.2006 18:48 2.066 vminst.log
08.05.2006 18:47 24.935 KB890046.log
08.05.2006 18:46 23.575 KB899589.log
08.05.2006 18:46 13.588 KB904706.log
08.05.2006 18:45 23.956 KB905414.log
08.05.2006 18:45 23.467 KB901214.log
08.05.2006 18:44 20.168 KB892944.log
08.05.2006 18:44 21.403 KB888302.log
08.05.2006 18:44 25.618 KB900725.log
08.05.2006 18:43 20.933 KB912919.log
08.05.2006 18:42 11.188 KB911567-OE6SP1-20060316.165634.log
08.05.2006 18:42 19.650 KB908531.log
08.05.2006 18:41 16.281 KB905749.log
08.05.2006 18:41 15.236 KB896428.log
08.05.2006 18:40 12.218 KB835409.log
08.05.2006 18:40 15.611 KB908519.log
08.05.2006 18:39 11.562 KB913446.log
08.05.2006 18:38 18.488 KB890859.log
08.05.2006 12:06 6.464 KB842773.log
08.05.2006 12:06 4.427 setupact.log
08.05.2006 12:06 6.152 KB893803v2.log
08.05.2006 12:04 7.206 KB898461.log
08.05.2006 11:48 0 setuperr.log
07.05.2006 21:33 0 Sti_Trace.log
07.05.2006 18:25 9.333 Active Setup Log.txt
06.05.2006 12:35 299.520 uninst.exe
06.05.2006 12:35 249.856 Setup1.exe
06.05.2006 12:35 328.704 IsUn0407.exe
05.05.2006 18:58 0 keyboard171.dat
29.04.2006 14:58 73.216 ST6UNST.EXE
26.04.2006 21:43 72 TC.INI
26.04.2006 20:10 3.148 mozver.dat
23.04.2006 16:19 0 nsreg.dat
23.04.2006 16:17 316.640 WMSysPr9.prx
23.04.2006 16:15 31 wwwbatch.ini
22.04.2006 17:29 8.192 REGLOCS.OLD
22.04.2006 17:22 0 control.ini
22.04.2006 17:22 299.552 WMSysPrx.prx
22.04.2006 17:22 4.161 ODBCINST.INI
22.04.2006 17:20 749 WindowsShell.Manifest
22.04.2006 17:17 36 vb.ini
22.04.2006 17:17 37 vbaddin.ini


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: A843-87B7

Verzeichnis von C:\

24.05.2006 12:14 0 sys.txt
24.05.2006 12:13 7.276 system.txt
24.05.2006 12:13 642 systemtemp.txt
24.05.2006 12:13 91.717 system32.txt
24.05.2006 12:06 536.399.872 hiberfil.sys
24.05.2006 12:06 805.306.368 pagefile.sys
22.05.2006 19:34 4.839 hijackthis.log
22.05.2006 18:11 194 boot.ini
19.05.2006 21:46 32.058.805 resolve.log
13.05.2006 11:44 0 logwmemory.bin
06.05.2006 11:51 0 tool5.exe
06.05.2006 11:49 0 tool4.exe
06.05.2006 11:48 0 tool3.exe
06.05.2006 11:46 0 tool1.exe
06.05.2006 11:44 0 toolbar.exe
06.05.2006 11:40 0 country.exe
06.05.2006 11:38 0 tool2.exe
06.05.2006 11:36 0 kl1.exe
06.05.2006 11:36 0 uniq
02.05.2006 07:25 42.496 t9.exe
22.04.2006 17:22 0 IO.SYS
22.04.2006 17:22 0 CONFIG.SYS
22.04.2006 17:22 0 MSDOS.SYS
22.04.2006 17:22 0 AUTOEXEC.BAT


The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 1
Mai 24, 2006 12:15:27


---> Begin Service Listing <---

Unknown Service # 1
Service Name: Adobe LM Service
Display Name: Adobe LM Service
Start Mode: Manual
Start Name: LocalSystem
Description: Adobe LM ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\adobe systems shared\service\adobelmsvc.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 2
Service Name: asn_workshop
Display Name: asn_workshop
Start Mode: Auto
Start Name: LocalSystem
Description: ASN workshop service by ...
Service Type: Own Process
Path: "c:\windows\asn_workshop"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 3
Service Name: cmapsvc
Display Name: Windows Connection Mapping Service
Start Mode: Auto
Start Name: LocalSystem
Description: Maps network connections to the Windows API. Stopping or disabling this service will result in ...
Service Type: Own Process
Path: c:\windows\mapping\svchost.exe /map
State: Running
Process ID: 232
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 4
Service Name: cmdService
Display Name: Command Service
Start Mode: Disabled
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\rnjhbms\command.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 5
Service Name: FWSvc
Display Name: Firewall service
Start Mode: Auto
Start Name: LocalSystem
Description: Firewall service of WinAntiVirus Pro 2006 checks all incoming and outgoing traffic on your system ...
Service Type: Own Process
Path: c:\programme\winantivirus pro 2006\fwsvc.exe /service
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 6
Service Name: kavsvc
Display Name: Kaspersky Anti-Virus service
Start Mode: Auto
Start Name: LocalSystem
Description: Gewährleistet die Antivirenfunktionalität des auf Ihrem Computer installierten ...
Service Type: Own Process
Path: "c:\programme\kaspersky lab\kaspersky anti-virus personal\kavsvc.exe"
State: Running
Process ID: 224
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 7
Service Name: PowerManager
Display Name: Power Manager
Start Mode: Disabled
Start Name: LocalSystem
Description: Manages the power save features of the ...
Service Type: Own Process
Path: c:\windows\svchost.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 8
Service Name: spupdsvc
Display Name: Windows Service Pack Installer update service
Start Mode: Auto
Start Name: LocalSystem
Description: Enables Installer to complete its scheduled post-reboot ...
Service Type: Own Process
Path: c:\windows\system32\spupdsvc.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1068
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #9
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Verwaltet Software-basierte Schattenkopien des Volumeschattenkopie-Dienstes. Software-basierte ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{c36f34df-1451-4030-a15c-da6d64cb2d21}
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

---> End Service Listing <---

There are 86 Win32 services on this machine.
9 were unrecognized.

Script Execution Time: 4,125 seconds.

[Nikita]

oeffne den Texteditor und kopiere ein:

sc stop Adobe LM Service
sc stop cmdService
sc stop FWSvc
sc stop asn_workshop
sc stop PowerManager
sc stop spupdsvc
sc stop cmapsvc
sc delete cmdService
sc delete FWSvc
sc delete asn_workshop
sc delete PowerManager
sc delete spupdsvc
sc delete cmapsvc
del delete.bat

Auf dem Desktop abspeichern [Gebe bei Dateityp 'Alle Dateien' an.] als delete.bat --> Doppeltklicken

---------------------------------------------------------------------------

öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\mapping\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\mapping\svchost.exe
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\System32\cbaxw.dll
O4 - HKLM\..\Run: [Microsoft (R) Windows Connection Mapping Service] C:\WINDOWS\mapping\svchost.exe
O20 - Winlogon Notify: cbaxw - C:\WINDOWS\SYSTEM32\cbaxw.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\h44m0eh1eh4.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: asn_workshop - Unknown owner - C:\WINDOWS\asn_workshop (file missing)
O23 - Service: Windows Connection Mapping Service (cmapsvc) - Unknown owner - C:\WINDOWS\mapping\svchost.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Programme\WinAntiVirus Pro 2006\FWSvc.exe (file missing)

PC neustarten

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> anhaken
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"
reinkopieren: ............

anwenden : Single Files

C:\WINDOWS\system32\q6pslg7716.dll
C:\WINDOWS\system32\fwsvc.sys
C:\Programme\WinAntiVirus Pro 2006\unwizard.exe
C:\Programme\WinAntiVirus Pro 2006\fwsvc.exe
C:\Programme\WinAntiVirus Pro 2006\avkernel.dll
C:\Programme\WinAntiVirus Pro 2006\WinAV.exe
C:\Programme\WinAntiVirus Pro 2006\WAV6COM.dll
C:\Programme\WinAntiVirus Pro 2006\IEFWBHO.dll
C:\Programme\WinAntiVirus Pro 2006\winpgi.dll
C:\WINDOWS\system32\qpdit.dll
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\qVps0a77ed.dll
C:\WINDOWS\system32\wciscmgr.dll
C:\WINDOWS\system32\wynscard.dll
C:\WINDOWS\system32\wuauclt1.exe
C:\WINDOWS\system32\netsetup.exe
C:\WINDOWS\system32\javaws.exe
C:\WINDOWS\system32\AegisI5.exe
C:\WINDOWS\system32\sipblb.dll
C:\WINDOWS\system32\uurdtea.dll
C:\WINDOWS\system32\vpdex.dll
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\cbaxw.dll
C:\WINDOWS\system32\TFTP1896
C:\WINDOWS\mapping\svchost.exe
C:\WINDOWS\uninst.exe
C:\WINDOWS\Setup1.exe
C:\WINDOWS\IsUn0407.exe
C:\WINDOWS\keyboard171.dat
c:\windows\svchost.exe
c:\windows\rnjhbms\asappsrv.dll
c:\windows\rnjhbms\command.exe
C:\logwmemory.bin
C:\tool5.exe
C:\tool4.exe
C:\tool3.exe
C:\tool1.exe
C:\toolbar.exe
C:\country.exe
C:\tool2.exe
C:\kl1.exe
C:\uniq
C:\t9.exe

anwenden: All Files

c:\windows\rnjhbms
c:\windows\mapping
c:\programme\winantivirus pro 2006

PC neustarten

L2mfix anwenden (Option2 , dann PC neustarten, scan abwarten und das log posten)
http://virus-protect.org/l2mfix.html
+

loeschen
C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006
c:\windows\rnjhbms
c:\windows\mapping
c:\programme\winantivirus pro 2006
----------------------------------------------------------------

Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben oder reinkopieren)

FWSvc

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.

das gleiche mache mit:

winantivirus pro 2006

Command Service

PowerManager

asn_workshop

spupdsvc

Windows Connection Mapping Service

Windows Service Pack Installer update service



«

[BlackDragon~]

die nervigen popups sind schon mal weg

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 24.05.2006 18:03:08

Infected! C:\!KillBox\q6pslg7716.dll
Infected! C:\!KillBox\qpdit.dll
Infected! C:\!KillBox\qVps0a77ed.dll
Infected! C:\!KillBox\sipblb.dll
Infected! C:\!KillBox\uurdtea.dll
Infected! C:\!KillBox\vpdex.dll
Infected! C:\!KillBox\wciscmgr.dll
Infected! C:\!KillBox\wynscard.dll
Infected! C:\WINDOWS\system32\q6pslg7716.dll
Infected! C:\WINDOWS\system32\qpdit.dll
Infected! C:\WINDOWS\system32\qVps0a77ed.dll
Infected! C:\WINDOWS\system32\sipblb.dll
Infected! C:\WINDOWS\system32\uurdtea.dll
Infected! C:\WINDOWS\system32\vpdex.dll
Infected! C:\WINDOWS\system32\wciscmgr.dll
Infected! C:\WINDOWS\system32\wynscard.dll

Attempting to delete infected files...

Attempting to delete: C:\!KillBox\q6pslg7716.dll
C:\!KillBox\q6pslg7716.dll Deleted successfully!

Attempting to delete: C:\!KillBox\qpdit.dll
C:\!KillBox\qpdit.dll Deleted successfully!

Attempting to delete: C:\!KillBox\qVps0a77ed.dll
C:\!KillBox\qVps0a77ed.dll Deleted successfully!

Attempting to delete: C:\!KillBox\sipblb.dll
C:\!KillBox\sipblb.dll Deleted successfully!

Attempting to delete: C:\!KillBox\uurdtea.dll
C:\!KillBox\uurdtea.dll Deleted successfully!

Attempting to delete: C:\!KillBox\vpdex.dll
C:\!KillBox\vpdex.dll Deleted successfully!

Attempting to delete: C:\!KillBox\wciscmgr.dll
C:\!KillBox\wciscmgr.dll Deleted successfully!

Attempting to delete: C:\!KillBox\wynscard.dll
C:\!KillBox\wynscard.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\q6pslg7716.dll
C:\WINDOWS\system32\q6pslg7716.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\qpdit.dll
C:\WINDOWS\system32\qpdit.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\qVps0a77ed.dll
C:\WINDOWS\system32\qVps0a77ed.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sipblb.dll
C:\WINDOWS\system32\sipblb.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\uurdtea.dll
C:\WINDOWS\system32\uurdtea.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\vpdex.dll
C:\WINDOWS\system32\vpdex.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wciscmgr.dll
C:\WINDOWS\system32\wciscmgr.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wynscard.dll
C:\WINDOWS\system32\wynscard.dll Deleted successfully!

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administratoren - Succeeded



REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 24.05.2006 18:18:13 for strings:
; 'fwsvc'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...



REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 24.05.2006 18:20:28 for strings:
; 'winantivirus pro 2006'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2BC32EF8-BB73-4099-BB2E-0F2951B3E276}\1.0\0\win32]
@="C:\\Programme\\WinAntiVirus Pro 2006\\IEFWBHO.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2BC32EF8-BB73-4099-BB2E-0F2951B3E276}\1.0\HELPDIR]
@="C:\\Programme\\WinAntiVirus Pro 2006\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinAntiVirusPro2006]
"command"="\"C:\\Programme\\WinAntiVirus Pro 2006\\WinAV.exe\" /min"

; End Of The Log...



REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 24.05.2006 18:22:14 for strings:
; 'command service'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 24.05.2006 18:40:33 for strings:
; 'powermanager'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"PowerManager"=dword:00000002

; End Of The Log...


REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 24.05.2006 18:42:06 for strings:
; 'asn_workshop'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 24.05.2006 18:45:00 for strings:
; 'spupdsvc'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB898461\Filelist\2]
"FileName"="spupdsvc.exe.ref"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB898461\Filelist\8]
"FileName"="spupdsvc.exe"

; End Of The Log...


REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 24.05.2006 18:48:40 for strings:
; 'windows connection mapping service'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\mapping\\svchost.exe"="C:\\WINDOWS\\mapping\\svchost.exe:*:Enabled:Microsoft (R) Windows Connection Mapping Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\mapping\\svchost.exe"="C:\\WINDOWS\\mapping\\svchost.exe:*:Enabled:Microsoft (R) Windows Connection Mapping Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\mapping\\svchost.exe"="C:\\WINDOWS\\mapping\\svchost.exe:*:Enabled:Microsoft (R) Windows Connection Mapping Service"

; End Of The Log...


REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 24.05.2006 18:52:23 for strings:
; 'windows service pack installer update service'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

[Nikita]

1.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fixme.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.
Die Datei "fixme.reg" auf dem Desktop doppelklicken und der Registry mit "ja" oder "yes" beifügen

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2BC32EF8-BB73-4099-BB2E-0F2951B3E276}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"PowerManager"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POWERMANAGER\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_POWERMANAGER]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PowerManager]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_POWERMANAGER\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\PowerManager]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FWSvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FWSvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]

2
PC neustarten

3.
Oeffne den Texteditor (Notepad) und kopiere diesen Text rein.
mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. abspeichern als: 018.bat.
Doppeltklicken und kopiere den Text ab, der angezeigt wird.

regedit /e c:\key4.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter"
start notepad.exe c:\key4.txt
exit

----------------------
4.
scanne mit Panda und poste den scanreport
http://virus-protect.org/onlinescan.html

-----

powermanager
http://virus-protect.org/artikel/dienst ... nager.html

[BlackDragon~]

bekomme komischer weiße immer wenn ich den pc neustarte meldung nr. 1. und meldung nr 2 hab ich bekommen als ich den ersten schritt mir "ja" beenden wollte..





Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\cbaxw.dll
Adware:adware/webhancer Not disinfected c:\programme\webHancer
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Adware:Adware/CommAd Not disinfected C:\!KillBox\asappsrv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\cbaxw.dll
Adware:Adware/CommAd Not disinfected C:\!KillBox\command.exe
Spyware:Spyware/Virtumonde Not disinfected C:\backups\backup-20060524-174228-207.dll



powermaneger konnt ich auch net löschen weil es den dienst einfach nicht gab..

nochmal hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 09:57:53, on 25.05.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Strato\Strato.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programme\Winamp\winamp.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.strato.de/dsl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.strato.de/dsl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von Strato DSL
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\cbaxw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Verknüpfung mit Strato DSL.lnk = ?
O4 - Startup: Zone Labs Security.lnk = C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.strato.de/dsl/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6484808861
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1FCBFAA-BB04-44A8-A3FD-D876BE5F30EB}: NameServer = 194.97.173.124 194.97.173.125
O20 - Winlogon Notify: cbaxw - C:\WINDOWS\SYSTEM32\cbaxw.dll
O23 - Service: Kaspersky Anti-Virus service (kavsvc) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Nikita]

BlackDragon~

0.
wende diese reg an (erstellen, wie oben beschrieben)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2BC32EF8-BB73-4099-BB2E-0F2951B3E276}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
"PowerManager"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent]

1.
Tipps zur Anwendung:
http://www.sophos.com/support/disinfection/jeefoa.html

1.) PC im abgesicherten Modus starten.
2.) Entfernungstool ausführen.
3.) Systemwiederherstellung deaktivieren (wichtig!)
4.) System neu starten.
5.) Entfernungstool nochmals ausführen (zur Kontrolle).
6.) Systemwiederherstellung reaktivieren.
7.) System neu starten.

2.
scanne noch mal mit Kaspersky, aber lasse alle infizierten Dateien (falls es noch welche gibt) desinfizieren (also dieses Kaestchen anhaken)

3.
wende vundofix an und poste den report
http://virus-protect.org/artikel/tools/vundofixx.html

4.
VirtumundoBeGone anwenden (poste den report)
http://secured2k.home.comcast.net/tools ... BeGone.exe

* Save it to your Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated

please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

-------------------------------------------------------------------------------

5.
loesche alles, was du in der Killbox findest:
C:\!KillBox\
+
C:\backups\backup-20060524-174228-207.dll (loeschen)
+
c:\programme\webHancer (versuchen, zu deinstallieren)

6.
mache die WindowsUpdates, lade SP2 und poste das neue Log vom HijackThis


- Das Ausführen von Dateien aus uneriöser Quelle (ausführbare Dateien über Filesharing & Messenger, Mails mit ausführbaren Dateianhängen oder auch ausführbare Dateien auf CD-ROM's von Freunden, die möglicherweise aus diesen Quellen stammen) sollte tunlichst unterlassen werden.