security center "fake" balloon tip ..."your computer might be at risk"

#31 Hi!

Danke blue. Ich hatte gestern Abend wohl etwas geschwächelt. Der Escan macht keine Falschmeldungen in dem Sinne, sonder sucht nach einem Schema. In diesem Falle z.B.:

tagged:Monitor.Win32 <-- Er meldet das dies Programm dein System Monitors. Das kann bei einer schädlichen Datei ja gewissermaßen schlecht sein ;-)

RemoteAdmin <-- nunja, das man das system aus der Ferne "steuert"

rojan.WinREG.StartPage <-- halt das es sich um eine erstellte Reg Datei handelt.

MfG,
__________
Yourhighness
Yourhighness' Seite / Mein Blog (Englisch)

#32 Hallo,
kann mir bitte jemand helfen, diesen Virus wieder von meinem PC zu bekommen...
Mein AntiVir Programm meldet mir den Virus: qhost.qrwenn ich den Browser öffne und dann stürzt der Browser ab und muss geschlossen werden.

Ich habe meinen PC schon mit eScan gescannt und folgende Log-Datei erhalten:

Wäre echt super, wenn mir jemand hiermit helfen kann, denn weiter weiss ich auch nicht...

Vielen Dank!


--------------------------------------------------
-------------------- INFECTED --------------------
--------------------------------------------------

1: Thu Aug 11 14:59:32 2005 => File C:\WINDOWS\System32\gpreetup.dll infected by "Virus.Win32.Bayan-based" Virus! Action Taken: No Action Taken.
2: Thu Aug 11 15:03:48 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
3: Thu Aug 11 15:03:48 2005 => Scanning File C:\Programme\AVPersonal\INFECTED\winupdate43313275[1].VIR
4: Thu Aug 11 15:03:48 2005 => File C:\Programme\AVPersonal\INFECTED\winupdate43313275[1].VIR infected by "Trojan-Dropper.Win32.Small.ue" Virus! Action Taken: No Action Taken.
5: Thu Aug 11 15:12:56 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035338.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
6: Thu Aug 11 15:12:56 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035363.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
7: Thu Aug 11 15:12:57 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035391.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
8: Thu Aug 11 15:12:58 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035416.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
9: Thu Aug 11 15:12:58 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035428.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
10: Thu Aug 11 15:12:59 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035455.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
11: Thu Aug 11 15:12:59 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035473.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
12: Thu Aug 11 15:13:00 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035486.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
13: Thu Aug 11 15:13:00 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035490.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
14: Thu Aug 11 15:13:03 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035536.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
15: Thu Aug 11 15:13:03 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035540.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
16: Thu Aug 11 15:13:03 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035555.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
17: Thu Aug 11 15:13:03 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035559.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
18: Thu Aug 11 15:13:03 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035573.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
19: Thu Aug 11 15:13:03 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035577.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
20: Thu Aug 11 15:13:04 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035586.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
21: Thu Aug 11 15:13:04 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035590.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
22: Thu Aug 11 15:13:14 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035867.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
23: Thu Aug 11 15:13:14 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035871.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
24: Thu Aug 11 15:13:15 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035885.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
25: Thu Aug 11 15:13:15 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035889.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
26: Thu Aug 11 15:13:16 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036885.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
27: Thu Aug 11 15:13:16 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036889.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
28: Thu Aug 11 15:13:16 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036900.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
29: Thu Aug 11 15:13:16 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036904.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
30: Thu Aug 11 15:13:16 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036913.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
31: Thu Aug 11 15:13:16 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036917.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
32: Thu Aug 11 15:13:17 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036928.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
33: Thu Aug 11 15:13:17 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036932.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
34: Thu Aug 11 15:13:17 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036946.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
35: Thu Aug 11 15:13:17 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036950.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
36: Thu Aug 11 15:13:17 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0037946.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
37: Thu Aug 11 15:13:17 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0037950.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
38: Thu Aug 11 15:13:17 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0037959.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
39: Thu Aug 11 15:13:18 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0037963.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
40: Thu Aug 11 15:13:20 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038049.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
41: Thu Aug 11 15:13:20 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038053.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
42: Thu Aug 11 15:13:20 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038067.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
43: Thu Aug 11 15:13:20 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038071.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
44: Thu Aug 11 15:13:21 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038108.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
45: Thu Aug 11 15:13:22 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038112.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
46: Thu Aug 11 15:13:22 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038121.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
47: Thu Aug 11 15:17:11 2005 => File C:\WINDOWS\system32\gpreetup.dll infected by "Virus.Win32.Bayan-based" Virus! Action Taken: No Action Taken.

--------------------------------------------------
--------------------- TAGGED ---------------------
--------------------------------------------------

1: Thu Aug 11 15:13:15 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035878.exe tagged as "not-a-virus:AdWare.Msnagent.b". Action Taken: No Action Taken.
2: Thu Aug 11 15:13:15 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035918.exe tagged as "not-a-virus:AdWare.Msnagent.b". Action Taken: No Action Taken.
3: Thu Aug 11 15:13:16 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036924.exe tagged as "not-a-virus:AdWare.Msnagent.b". Action Taken: No Action Taken.
4: Thu Aug 11 15:13:17 2005 => File C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036941.exe tagged as "not-a-virus:AdWare.Msnagent.b". Action Taken: No Action Taken.

--------------------------------------------------
--------------------- ERRORS ---------------------
--------------------------------------------------

1: Thu Aug 11 14:57:50 2005 => ERROR!!! Invalid Entry mmtask = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Run). No Action Taken.
2: Thu Aug 11 14:57:56 2005 => ERROR!!! Invalid Entry \??\E:\INSTALL\GMSIPCI.SYS in SYSTEM\CurrentControlSet\Services\GMSIPCI...
3: Thu Aug 11 14:57:56 2005 => ERROR!!! Invalid Entry System32\DRIVERS\IPFilter.sys in SYSTEM\CurrentControlSet\Services\IPFilter...
4: Thu Aug 11 14:57:57 2005 => ERROR!!! Invalid Entry \??\E:\NTACCESS.sys in SYSTEM\CurrentControlSet\Services\NTACCESS...
5: Thu Aug 11 14:57:58 2005 => ERROR!!! Invalid Entry \??\E:\NTGLM7X.sys in SYSTEM\CurrentControlSet\Services\SetupNTGLM7X...
6: Thu Aug 11 14:58:13 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\axload.dll". Action Taken: No Action Taken.
7: Thu Aug 11 14:58:15 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxwma.dll". Action Taken: No Action Taken.
8: Thu Aug 11 14:58:16 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\SCM\ICONFIG.EXE". Action Taken: No Action Taken.
9: Thu Aug 11 14:58:16 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\SCM\ICONFIG.DLL". Action Taken: No Action Taken.
10: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ahead\NeroDigital\settings.xml". Action Taken: No Action Taken.
11: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Ahead\Nero PhotoSnap\NeroPhotoSnap_fra.chm". Action Taken: No Action Taken.
12: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Ahead\Nero PhotoSnap\PhotoSnap-Jpn.nls". Action Taken: No Action Taken.
13: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Ahead\Nero PhotoSnap\PhotoSnapViewer-Jpn.nls". Action Taken: No Action Taken.
14: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Ahead\Nero MediaHome\NeroMediaHome_Fra.chm". Action Taken: No Action Taken.
15: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Ahead\Nero MediaHome\NeroMediaHome_Jpn.chm". Action Taken: No Action Taken.
16: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Ahead\CoverDesigner\NeroCoverDesigner_fra.chm". Action Taken: No Action Taken.
17: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Ahead\CoverDesigner\covered-jpn.nls". Action Taken: No Action Taken.
18: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Ahead\Nero Recode\NeroRecode_fra.chm". Action Taken: No Action Taken.
19: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Ahead\Nero Recode\Recode-Jpn.nls". Action Taken: No Action Taken.
20: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Ahead\Nero ShowTime\NeroShowTime_Fra.chm". Action Taken: No Action Taken.
21: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Ahead\Nero ShowTime\ShowTime-Jpn.nls". Action Taken: No Action Taken.
22: Thu Aug 11 14:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Ahead\Nero ShowTime\Skins\standard.bmp". Action Taken: No Action Taken.
23: Thu Aug 11 14:58:20 2005 => Entry "HKCR\CLSID\{0C5D39B0-460B-11D4-ADE1-0050DACD3DB9}" refers to invalid object "C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\MMRadioEngine.dll". Action Taken: No Action Taken.
24: Thu Aug 11 14:58:21 2005 => Entry "HKCR\CLSID\{1745EDC4-CDCE-4e20-B91E-312F0C2AD16B}" refers to invalid object "C:\Programme\MSN\MSNCoreFiles\msnmetal.dll". Action Taken: No Action Taken.
25: Thu Aug 11 14:58:21 2005 => Entry "HKCR\CLSID\{1EF2E5CB-646F-4F85-A355-8E328652CA60}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\MMFWCtrl.ocx". Action Taken: No Action Taken.
26: Thu Aug 11 14:58:21 2005 => Entry "HKCR\CLSID\{23AA6EBC-86AA-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\mmjbctrl.ocx". Action Taken: No Action Taken.
27: Thu Aug 11 14:58:21 2005 => Entry "HKCR\CLSID\{23AA6EBD-86AA-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\mmjbctrl.ocx". Action Taken: No Action Taken.
28: Thu Aug 11 14:58:22 2005 => Entry "HKCR\CLSID\{27855D52-0913-4F88-A8CC-343D374E7CC9}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\MMFWCtrl.ocx". Action Taken: No Action Taken.
29: Thu Aug 11 14:58:22 2005 => Entry "HKCR\CLSID\{2B7E6AA9-C4FA-4951-815B-4AFE39D81453}" refers to invalid object "C:\Programme\Messenger\msgsc.dll". Action Taken: No Action Taken.
30: Thu Aug 11 14:58:23 2005 => Entry "HKCR\CLSID\{399CB6C4-7312-11D2-B4D9-00105A0422DF}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\HHACTI~1.DLL". Action Taken: No Action Taken.
31: Thu Aug 11 14:58:26 2005 => Entry "HKCR\CLSID\{5E05D214-DD15-47cd-B5BC-65FAC825D3D0}" refers to invalid object "C:\Programme\MSN\MSNCoreFiles\msnmetal.dll". Action Taken: No Action Taken.
32: Thu Aug 11 14:58:27 2005 => Entry "HKCR\CLSID\{6B58B5DC-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\mmjbctrl.ocx". Action Taken: No Action Taken.
33: Thu Aug 11 14:58:27 2005 => Entry "HKCR\CLSID\{6B58B5DD-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\mmjbctrl.ocx". Action Taken: No Action Taken.
34: Thu Aug 11 14:58:27 2005 => Entry "HKCR\CLSID\{6B58B5E0-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\mmjbctrl.ocx". Action Taken: No Action Taken.
35: Thu Aug 11 14:58:27 2005 => Entry "HKCR\CLSID\{6B58B5E1-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\mmjbctrl.ocx". Action Taken: No Action Taken.
36: Thu Aug 11 14:58:27 2005 => Entry "HKCR\CLSID\{6B58B5E4-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\mmjbctrl.ocx". Action Taken: No Action Taken.
37: Thu Aug 11 14:58:27 2005 => Entry "HKCR\CLSID\{6B58B5E5-7405-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\mmjbctrl.ocx". Action Taken: No Action Taken.
38: Thu Aug 11 14:58:27 2005 => Entry "HKCR\CLSID\{724bb6a4-e526-450f-affa-ab9b45129111}" refers to invalid object "C:\WINDOWS\System32\wmv9dmod.dll". Action Taken: No Action Taken.
39: Thu Aug 11 14:58:29 2005 => Entry "HKCR\CLSID\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}" refers to invalid object "C:\PROGRA~1\MESSEN~1\rtcimsp.dll". Action Taken: No Action Taken.
40: Thu Aug 11 14:58:29 2005 => Entry "HKCR\CLSID\{84268CDA-5AE9-409C-94E9-B6FEB4B5A123}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\MMFWCtrl.ocx". Action Taken: No Action Taken.
41: Thu Aug 11 14:58:30 2005 => Entry "HKCR\CLSID\{959F94FD-DD1E-11D2-B559-00105A0422DF}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\HHACTI~1.DLL". Action Taken: No Action Taken.
42: Thu Aug 11 14:58:30 2005 => Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
43: Thu Aug 11 14:58:31 2005 => Entry "HKCR\CLSID\{AB1D8565-40E9-4616-984D-98465687E82C}" refers to invalid object "C:\Programme\Messenger\msgsc.dll". Action Taken: No Action Taken.
44: Thu Aug 11 14:58:31 2005 => Entry "HKCR\CLSID\{ADC4FE5F-9ACA-4551-8AD1-7B1DEF9D6BE8}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\MMFWCtrl.ocx". Action Taken: No Action Taken.
45: Thu Aug 11 14:58:32 2005 => Entry "HKCR\CLSID\{B617F87F-1856-43BC-ADEB-C43922F7A575}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\MMFWCtrl.ocx". Action Taken: No Action Taken.
46: Thu Aug 11 14:58:32 2005 => Entry "HKCR\CLSID\{B69003B3-C55E-4b48-836C-BC5946FC3B28}" refers to invalid object "C:\Programme\Messenger\msgsc.dll". Action Taken: No Action Taken.
47: Thu Aug 11 14:58:33 2005 => Entry "HKCR\CLSID\{C3DB19A6-D5A2-11D2-8F58-00E02916007D}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\mmjbctrl.ocx". Action Taken: No Action Taken.
48: Thu Aug 11 14:58:35 2005 => Entry "HKCR\CLSID\{CE0E7204-D82C-4273-8A70-919963F4CFE0}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\MMFWCtrl.ocx". Action Taken: No Action Taken.
49: Thu Aug 11 14:58:35 2005 => Entry "HKCR\CLSID\{D326DC3B-8ADF-456A-B1B7-8A9E37704C60}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\MMFWCtrl.ocx". Action Taken: No Action Taken.
50: Thu Aug 11 14:58:35 2005 => Entry "HKCR\CLSID\{D98E820F-6ACD-4dc0-921E-9841E3D8B4A7}" refers to invalid object "E:\player\WMMP.EXE". Action Taken: No Action Taken.
51: Thu Aug 11 14:58:37 2005 => Entry "HKCR\CLSID\{EFAC012B-2A65-4D0B-9237-ADBADD94DFE9}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\MMFWCtrl.ocx". Action Taken: No Action Taken.
52: Thu Aug 11 14:58:37 2005 => Entry "HKCR\CLSID\{F0FDBF9F-63BF-4BFB-A3DB-E7B7FCF3F7DE}" refers to invalid object "C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\directorps.dll". Action Taken: No Action Taken.
53: Thu Aug 11 14:58:37 2005 => Entry "HKCR\CLSID\{F1DD8F2C-1A49-40F0-9649-ACB3AB7AF86A}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\MMFWCtrl.ocx". Action Taken: No Action Taken.
54: Thu Aug 11 14:58:37 2005 => Entry "HKCR\CLSID\{F3A614DC-ABE0-11d2-A441-00C04F795683}" refers to invalid object "C:\Programme\Messenger\msgsc.dll". Action Taken: No Action Taken.
55: Thu Aug 11 14:58:38 2005 => Entry "HKCR\CLSID\{F4C6D6E0-A8FB-4281-BE24-1662D646FE2B}" refers to invalid object "E:\player\WMMP.EXE". Action Taken: No Action Taken.
56: Thu Aug 11 14:58:38 2005 => Entry "HKCR\CLSID\{FB215E25-F536-4B36-8262-ECF59601FAC1}" refers to invalid object "C:\PROGRA~1\MUSICM~1\MUSICM~2\MMFWCtrl.ocx". Action Taken: No Action Taken.
57: Thu Aug 11 14:58:38 2005 => Entry "HKCR\CLSID\{FB7199AB-79BF-11d2-8D94-0000F875C541}" refers to invalid object "C:\Programme\Messenger\msgsc.dll". Action Taken: No Action Taken.
58: Thu Aug 11 14:58:38 2005 => Entry "HKCR\CLSID\{FBE840E5-13A5-4cff-B2A9-4D1E64A17FF2}" refers to invalid object "E:\player\WMMP.EXE". Action Taken: No Action Taken.
59: Thu Aug 11 14:58:51 2005 => Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
60: Thu Aug 11 14:58:51 2005 => Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
61: Thu Aug 11 14:58:51 2005 => Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
62: Thu Aug 11 14:58:57 2005 => Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
63: Thu Aug 11 14:58:57 2005 => Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
64: Thu Aug 11 14:59:02 2005 => Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
65: Thu Aug 11 14:59:02 2005 => Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
66: Thu Aug 11 15:01:50 2005 => Scanning File C:\Dokumente und Einstellungen\Jens\Favoriten\Meine Homepages\error!.url [**]
67: Thu Aug 11 15:01:53 2005 => Result: ERROR!!! File C:\Dokumente und Einstellungen\Jens\Lokale Einstellungen\Anwendungsdaten\Shareaza\Incomplete\N2FUKAK6MJT4IJDNVKHGGMVK5ZY6BZPG Winzip 9.0 Full Version - Cracked +Crack _ Seri*hier nicht!*.zip is Not Scanned

--------------------------------------------------
-------- DATEIEN ZUM LÖSCHEN HINZUGEFÜGT ---------
--------------------------------------------------

1: C:\WINDOWS\System32\gpreetup.dll => Virus.Win32.Bayan-based
2: C:\Programme\AVPersonal\INFECTED\winupdate43313275[1].VIR => Trojan-Dropper.Win32.Small.ue
3: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035338.exe => Trojan-Dropper.Win32.Vidro.u
4: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035363.exe => Trojan-Dropper.Win32.Vidro.u
5: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035391.exe => Trojan-Dropper.Win32.Vidro.u
6: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035416.exe => Trojan-Dropper.Win32.Vidro.u
7: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035428.exe => Trojan-Dropper.Win32.Vidro.u
8: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035455.exe => Trojan-Dropper.Win32.Vidro.u
9: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035473.exe => Trojan-Dropper.Win32.Vidro.u
10: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035486.exe => Trojan-Dropper.Win32.Vidro.u
11: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP93\A0035490.exe => Trojan-Dropper.Win32.Vidro.u
12: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035536.exe => Trojan-Dropper.Win32.Vidro.u
13: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035540.exe => Trojan-Dropper.Win32.Vidro.u
14: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035555.exe => Trojan-Dropper.Win32.Vidro.u
15: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035559.exe => Trojan-Dropper.Win32.Vidro.u
16: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035573.exe => Trojan-Dropper.Win32.Vidro.u
17: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035577.exe => Trojan-Dropper.Win32.Vidro.u
18: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035586.exe => Trojan-Dropper.Win32.Vidro.u
19: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035590.exe => Trojan-Dropper.Win32.Vidro.u
20: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035867.exe => Trojan-Dropper.Win32.Vidro.u
21: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035871.exe => Trojan-Dropper.Win32.Vidro.u
22: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035885.exe => Trojan-Dropper.Win32.Vidro.u
23: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0035889.exe => Trojan-Dropper.Win32.Vidro.u
24: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036885.exe => Trojan-Dropper.Win32.Vidro.u
25: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036889.exe => Trojan-Dropper.Win32.Vidro.u
26: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036900.exe => Trojan-Dropper.Win32.Vidro.u
27: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036904.exe => Trojan-Dropper.Win32.Vidro.u
28: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036913.exe => Trojan-Dropper.Win32.Vidro.u
29: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036917.exe => Trojan-Dropper.Win32.Vidro.u
30: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036928.exe => Trojan-Dropper.Win32.Vidro.u
31: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036932.exe => Trojan-Dropper.Win32.Vidro.u
32: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036946.exe => Trojan-Dropper.Win32.Vidro.u
33: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0036950.exe => Trojan-Dropper.Win32.Vidro.u
34: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0037946.exe => Trojan-Dropper.Win32.Vidro.u
35: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0037950.exe => Trojan-Dropper.Win32.Vidro.u
36: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0037959.exe => Trojan-Dropper.Win32.Vidro.u
37: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP94\A0037963.exe => Trojan-Dropper.Win32.Vidro.u
38: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038049.exe => Trojan-Dropper.Win32.Vidro.u
39: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038053.exe => Trojan-Dropper.Win32.Vidro.u
40: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038067.exe => Trojan-Dropper.Win32.Vidro.u
41: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038071.exe => Trojan-Dropper.Win32.Vidro.u
42: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038108.exe => Trojan-Dropper.Win32.Vidro.u
43: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038112.exe => Trojan-Dropper.Win32.Vidro.u
44: C:\System Volume Information\_restore{A603A1F8-CFD6-4F33-8D89-882C00530F2E}\RP95\A0038121.exe => Trojan-Dropper.Win32.Vidro.u
45: C:\WINDOWS\system32\gpreetup.dll => Virus.Win32.Bayan-based

--------------------------------------------------
-------------------- Statistik -------------------
--------------------------------------------------

Thu Aug 11 15:20:40 2005 => Total Objects Scanned: 65425
Thu Aug 11 15:20:40 2005 => Total Virus(es) Found: 50
Thu Aug 11 15:20:40 2005 => Total Errors: 66
Thu Aug 11 15:20:40 2005 => Virus Database Date: 2005/08/11
Thu Aug 11 15:20:40 2005 => Virus Database Count: 143089
Thu Aug 11 16:32:35 2005 => Total Objects Scanned: 65425
Thu Aug 11 16:32:35 2005 => Total Virus(es) Found: 50
Thu Aug 11 16:32:35 2005 => Total Errors: 66

#33 Hallo@soho101

•KillBox
http://bilder.informationsarchiv.net/Nikitas_Tools/KillBox.zip
Anleitung: (bebildert)
http://virus-protect.org/killbox.html

•Delete File on Reboot <--anhaken

und klicke auf das rote Kreuz,
wenn gefragt wird, ob "Do you want to reboot? "----> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

C:\WINDOWS\System32\gpreetup.dll
C:\Programme\AVPersonal\INFECTED\winupdate43313275[1].VIR
C:\Programme\AVPersonal\INFECTED\winupdate43313275[1].VIR

PC neustarten

#neue Startseite
gehe zur Systemsteuerung --> Internetoptionen --> auf dem Reiter Allgemein bei Temporäre Internetdateien klickst du Dateien löschen --> auch bei Alle Offlineinhalte löschen das Häkchen setzen und mit OK bestätigen --> Auf den Reiter Programme gehen und dort auf Webeinstellungen zurücksetzen klicken, mit Ja bestätigen, fall Nachfrage kommt --> auf Übernehmen und abschließend auf OK klicken und stelle eine neue Startseite ein

deaktivieren Wiederherstellung (dann aktiviere sie wieder)
«XP
Arbeitsplatz-->rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.

loeschen:(falls es nicht bewusst von dir erstellt wurde)
C:\Dokumente und Einstellungen\Jens\Favoriten\Meine Homepages\error!.url

CCleaner--> loesche alle *temp-Datein
http://virus-protect.org/temp.html

HijackThis
http://virus-protect.org/hjtkurz.html
Lade/entpacke HijackThis in einem Ordner
-->None of the above,
just start the program --> Save--> Savelog -->es öffnet sich der
Editor -->
oder:
Do a system scan and save a logfile --> Save--> Savelog -->es öffnet sich der
Editor -->
nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und ins
Forum mit rechtem Mausklick "einfügen"
__________
MfG Sabina

rund um die PC-Sicherheit

#34 Hallo, ihe Leidensgenossen und Helfer!

Auch ich habe massive Probleme mit meinem PC!
Click.526 sowie qhost.qr werden regelmäßig von Antivir gefunden, aber mit dem löschen und beseitigen habe ich auch so meine Probleme...!!!

Habe mir auch HJT besorgt und möchte hier mal den Scan einstellen! Wäre super, wenn sich damit auseinandersetzt und mir eventuell Hilfe leisten kann!

Vielen Dank schon mal im voraus!

Logfile of HijackThis v1.99.1
Scan saved at 17:16:05, on 20.08.2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
D:\ANTIVIR\AVGCTRL.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMME\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMME\OUTLOOK EXPRESS\MSIMN.EXE
C:\UNZIPPED\HIJACKTHIS_199\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supret.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\MRHOP.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\MRHOP.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\MRHOP.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\MRHOP.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: load=load=load=load=
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O3 - Toolbar: Yahoo! Assistent - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [AVGCtrl] D:\ANTIVIR\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [REGSHAVE] C:\Programme\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [atl_helper] slamm.exe
O4 - HKCU\..\Run: [msag] ms-its.exe
O4 - HKCU\..\Run: [Serviceprocess] SysEntry.exe
O4 - Startup: Exif Launcher.lnk = C:\Programme\FinePixViewer\QuickDCF.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O18 - Filter: text/html - {13832EEC-210E-4C85-AE4F-E72CC657AD4D} - C:\WINDOWS\MRHOP.DLL
O18 - Filter: text/plain - {13832EEC-210E-4C85-AE4F-E72CC657AD4D} - C:\WINDOWS\MRHOP.DLL

#35 Hallo@legloverboy

Neuaufsetzen waere das vernuenftigst, oder willst du reinigen ?

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.65.101.250/sbms/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supret.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\MRHOP.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\MRHOP.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\MRHOP.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\MRHOP.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: load=load=load=load=
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [atl_helper] slamm.exe
O4 - HKCU\..\Run: [msag] ms-its.exe
O4 - HKCU\..\Run: [Serviceprocess] SysEntry.exe
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O18 - Filter: text/html - {13832EEC-210E-4C85-AE4F-E72CC657AD4D} - C:\WINDOWS\MRHOP.DLL
O18 - Filter: text/plain - {13832EEC-210E-4C85-AE4F-E72CC657AD4D} - C:\WINDOWS\MRHOP.DLL

PC neustarten

loeschen:
C:\WINDOWS\MRHOP.DLL
c:\windows\winlogon.exe
c:\eied_s7.cab
c:\ex.cab
SysEntry.exe
slamm.exe

CCleaner--> loesche alle *temp-Datein
http://virus-protect.org/temp.html

#neue Startseite
gehe zur Systemsteuerung --> Internetoptionen --> auf dem Reiter Allgemein bei Temporäre Internetdateien klickst du Dateien löschen --> auch bei Alle Offlineinhalte löschen das Häkchen setzen und mit OK bestätigen --> Auf den Reiter Programme gehen und dort auf Webeinstellungen zurücksetzen klicken, mit Ja bestätigen, fall Nachfrage kommt --> auf Übernehmen und abschließend auf OK klicken und stelle eine neue Startseite ein

BitDefender Free Edition v7 (berichte vom Scan)
http://virus-protect.org/antivirenfree.html

mache Onlinescan mit panda + berichte vom Scan
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#36 Hallo, Sabina!

Danke erstmal für die schnelle Antwort!

Habe den Nachmittag damit verbracht alle meine verwendeten Programme upzudaten (...bin stolzer Besitzer eines 56K-Modems!!!!!)

Ok, hatte dank deiner Tipps wenigstens den Erfolg, dass Antivir und auch bidefender die Trojaner nicht mehr finden!

Trotz allem läuft mein Rechner absolut instabil!!!

Ich bin so ein mittlerer Jahrgang, bin also noch mit dem guten MS-DOS 6.22 erzogen worden!!!
Da war ja das Formatieren der Festplatte eine Kleinigkeit!!! Doch dank MrGates fühle ich mich ziemlich hilflos!!!

Könntest du mir vielleicht noch sagen, wie ich mein C-Laufwerk "plattmachen" kann???

Ich habe mit größter Mühe mal unter Win95 die Festplatte formatiert, aber nach der Neuinstallation von Win95 waren einige Login's/Passwörter sofort wieder in den benutzten Programmen eingefügt! Das gab mir schon zu denken!!!

Unter WinME funktioniert ja gar nichts mehr!!!!!

Wäre super, wenn ich nochmals Tips von dir/Euch bekommen würde!


Liebe Grüße,
legloverboy Joachim

#37 Hallo@legloverboy

Pote mir mal bitte das neue Log vom HijackThis:

(was das Formatieren betrifft, das faellt in die Sparte Software...da kenne ich mich nicht so gut aus)
Datensicherung waere dann vielleicht auch noch ein Thema...)
__________
MfG Sabina

rund um die PC-Sicherheit

#38 Hallo Sabina!

Ich konnte die zu löschenden Dateien gar nicht finden! Mit HJT hab ich zwar alles gelöscht, was du angegeben hast, aber es war wieder eine Datei "hgqhp.exe" unter Windows/System! Die kann ich allerdings nicht löschen, weil sie aktiv ist! Und ich vermute(bin mir zu 99% sicher), dass diese Datei der Auslöser für diese beiden Trojaner bei mir ist!

Auch folgende Zeilen kommen mir komisch vor:
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\SYSTEM\HCLEAN32.EXE
O4 - HKLM\..\Run: [dmaci.exe] C:\WINDOWS\SYSTEM\dmaci.exe


Und deshalb würde ich doch lieber den Rechner plattmachen!!! Mich nervt das ganze schon gewaltig! Ich hoffe nur, dass danach nicht noch irgendwelche Dateien auf der Festplatte sind!!!


Hier trotzallem der aktuelle Log:

Logfile of HijackThis v1.99.1
Scan saved at 17:29:31, on 23.08.2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
D:\DOWNLOADS\ANTIVIRENPROGRAMME\ANTIVIR\AVGCTRL.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMME\SOFTWIN\BITDEFENDER FREE EDITION\BDMCON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\SOFTWIN\BITDEFENDER FREE EDITION\BDNAGENT.EXE
C:\PROGRAMME\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAMME\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\UNZIPPED\HIJACKTHIS_199\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O3 - Toolbar: Yahoo! Assistent - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_18_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [AVGCtrl] D:\DOWNLOADS\ANTIVIRENPROGRAMME\ANTIVIR\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [REGSHAVE] C:\Programme\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HCLEAN32.EXE] C:\WINDOWS\SYSTEM\HCLEAN32.EXE
O4 - HKLM\..\Run: [dmaci.exe] C:\WINDOWS\SYSTEM\dmaci.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BDMCon] C:\Programme\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Programme\Softwin\BitDefender Free Edition\\bdnagent.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [BitDefender Scan Server] C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\\bdss.exe
O4 - HKLM\..\RunServices: [BitDefender Communicator] C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\\xcommsvr.exe
O4 - HKLM\..\RunServices: [BitDefender Live! Init] C:\Programme\Softwin\BitDefender Free Edition\\bdinit.exe
O4 - Startup: Exif Launcher.lnk = C:\Programme\FinePixViewer\QuickDCF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab

#39 Hallo@legloverboy

Fixe mit dem HijackThis:
O4 - HKLM\..\Run: [dmaci.exe] C:\WINDOWS\SYSTEM\dmaci.exe

neustarten

FindT
http://bilder.informationsarchiv.net/Nikitas_Tools/FindT.zip
in C:\ entpacken -- öffne "FindT" folder -- klicke (runthis.bat) -- poste die txt (Textdatei) in den Thread

silentrunners
http://virus-protect.org/silentrunner.html
und poste alles, was angezeigt wird.

WinPFind
http://www.bleepingcomputer.com/files/winpfind.php
Anleitung: http://virus-protect.org/winpfind.html
__________
MfG Sabina

rund um die PC-Sicherheit

#40 Hi,

I respond to this message, because the problem which is described here resembles a very nasty problem that I fixed on the computer of a friend of mine. This piece of spyware is very hard to find. None of the scanners I tried could find this spyware. It couldn't even be detected with HijackThis.

The symptoms:

Every few minutes a fake Security-Center-icon shows up in the systemtray with a balloon saying 'Your computer might be at risk' etc. It also shows a link which will open a help file which will give you wrong info about how to solve the problem. This spyware will also try to download other spyware and virusses. These new spyware and virusses may or may not be detected by your antivirus or antispyware. But even if they are detected and cleaned the original spyware will reside in memory and keep popping up the balloon. It may even do other harm, which I am not aware of.

Finding the problem:

Searching through forum I found a lot of people trying to defeat this one. But most people were trying to clean the virusses which were downloaded by the 'invissible' spyware. The spyware seems to be downloading different types of virusses and spyware so everybody was talking about different infected files, which makes it even more difficult to get a grip on. There were two files that seem to be really connected to our enemy:

C:\Windows\Balloon.wav
C:\Windows\Rdt.ini

I used some tools to do memory dumps and then pattern-match with files on the harddisk I traced it back to the file:

C:\Windows\System32\csgpz.exe

This is a very weird file. It is about 50KB in size. If you try to copy it, you can't delete it anymore. When I tryed to find any references in the registry or HijackThis, I couldn't find anything. My guess is that the contents of this file cause a bufferoverflow in some part of Windows (probably the Explorer). This will also occur on boot of the system. And it will get in memory by using the bufferoverflow as an exploit. That's why you won't see the file in memory either. When I searched on the forums I didn't see this file in any log-dumps of other victims, but I did see an exe-file starting with 'cs', followed by three other, random characters in some cases.

Resolving:

Reboot in safe-mode (press F8 when boot-sequence begins). Delete the files Balloon.wav and Rdt.ini. Look in the Windows\System32 folder and locate an exe-file, beginning with 'cs' and having size of 50KB. Also delete this one (use shift-delete, to be sure it's really gone!) Now reboot. Go to Control Panel \ System \ System Restore. Turn off system restore on all drives. Do a full virus-scan and full spyware-scan with reliable and fully updated programs. Turn on system restore again.

After this the balloon did not come back and no new virusses were downloaded anymore. On my friends machine there was still one more problem. I don't know if it is related to the problem described here. When I used explorer to navigate through folders on harddisk, the explorer would freeze and crash occasionally. If this also happens to you I recommend ExploreXP: http://www.explorerxp.com/ Use this for as long as this problem isn't solved.

Good luck! I hope you can fix this now.
May all spyware-programmers burn in hell!

Heathcliff

#41 Hallo@Eddy72

HijackThis (poste as Log)
http://virus-protect.org/hjtkurz.html

kopiere bitte die 4 Logs hier (3 Monate vom Datum her genuegen
http://virus-protect.org/datfindbat.html
+

das Log vom Silentrunner
http://virus-protect.org/silentrunner.html

+
Download f-secure-Beta Trial
http://www.f-secure.com/blacklight/
doppelklick: blbeta.exe
nach dem Check klicke -- next
nun findet man eine Textdatei auf dem Desktop: kopiere sie in deinen Thread
__________
MfG Sabina

rund um die PC-Sicherheit

#42 Hallo Sabina,
erstmal staunen, so viele Daten, Ok)


Logfile of HijackThis v1.99.1
Scan saved at 12:32:56, on 31.10.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Programme\Babylon\Babylon.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\FRITZ!DSL\FritzDSL.exe
C:\Programme\Opera\Opera.exe
D:\Internet\Tools\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKCU\..\Run: [Babylon Translator] C:\Programme\Babylon\Babylon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O16 - DPF: {09954582-CAC3-4E05-A09C-4955BBD3187F} (Privat-X Client) - http://www.px24.com/ax/px_client_en.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124349109429
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://god.t-online.de/download/ExentCtl.ocx
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4581/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{895ED79E-7318-45A0-80FA-7A0ADBA820BA}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{A69AFF8F-7B0B-4015-838F-246EB7F54203}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{B24038E9-0741-46BA-A524-7433B2E9DD14}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDB0FCFB-6D5C-498C-82B9-D542EC11011F}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS3\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.157,85.255.112.6
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe



Datentr„ger in Laufwerk C: ist SYSTEM
Datentr„gernummer: 1834-1AE3

Verzeichnis von C:\WINNT\system32

31.10.2005 13:12 31.767 vsconfig.xml
30.10.2005 16:38 1.406 AddQuit.ico
30.10.2005 16:38 1.718 Open.ico
30.10.2005 16:38 2.550 Uninstall.ico
30.10.2005 16:38 1.406 Help.ico
30.10.2005 16:38 5.350 IE.ico
30.10.2005 16:38 1.718 Quick.ico
30.10.2005 16:38 9.470 Desktop.ico
30.10.2005 07:36 239.144 FNTCACHE.DAT
25.09.2005 10:04 4.212 zllictbl.dat
25.09.2005 09:12 155.488 Status.MPF
29.08.2005 19:09 71.424 zlcommdb.dll
29.08.2005 19:09 79.616 zlcomm.dll
29.08.2005 19:09 100.096 vsxml.dll
29.08.2005 19:09 382.720 vsutil.dll
29.08.2005 19:09 71.424 vsregexp.dll
29.08.2005 19:08 227.072 vspubapi.dll
29.08.2005 19:08 104.192 vsmonapi.dll
29.08.2005 19:08 141.056 vsinit.dll
29.08.2005 19:08 368.256 vsdatant.sys
29.08.2005 19:08 83.712 vsdata.dll
14.08.2005 09:23 0 asfiles.txt
08.08.2005 11:43 100.352 dfrg.msc
07.08.2005 00:22 26.764 nvapps.xml
05.08.2005 00:02 3.799 jupdate-1.5.0_04-b05.log
29.07.2005 21:07 73.728 asuninst.exe
12.07.2005 18:04 23.304 GWFSPidGen.dll
12.07.2005 18:04 520.456 LegitCheckControl.dll


Datentr„ger in Laufwerk C: ist SYSTEM
Datentr„gernummer: 1834-1AE3

Verzeichnis von C:\DOKUME~1\Casper\LOKALE~1\Temp

29.10.2005 19:26 0 akcF7.tmp
29.10.2005 15:30 16.384 ~DFC29C.tmp
29.10.2005 15:30 16.384 ~DFCCB2.tmp
29.10.2005 15:01 983 TmpICQMagic_{EC202595-1DFD-4301-A1EA-13C1E331B505}26624.html
29.10.2005 13:00 0 nsu538.tmp
29.10.2005 12:56 10.134 dat531.tmp
28.10.2005 21:45 0 7ri239.tmp
28.10.2005 21:45 0 ggo235.tmp
28.10.2005 21:43 0 v1s216.tmp
28.10.2005 21:42 0 x3j20E.tmp
28.10.2005 21:41 0 ss3208.tmp
27.10.2005 19:30 11.670 java_install_reg.log
25.10.2005 17:28 0 w3l5D7.tmp
25.10.2005 17:27 0 uyz5D6.tmp
25.10.2005 17:27 0 zit5D5.tmp
25.10.2005 17:26 0 7215D2.tmp
25.10.2005 17:24 0 5rv5CE.tmp
25.10.2005 17:22 0 ob85CA.tmp
25.10.2005 17:21 0 95w5C8.tmp
25.10.2005 17:21 0 sti5C7.tmp
25.10.2005 17:20 0 h7y5C4.tmp
25.10.2005 13:56 0 lc732B.tmp
25.10.2005 13:56 0 3xr32A.tmp
25.10.2005 13:55 0 b7q329.tmp
25.10.2005 13:55 0 rpb328.tmp
25.10.2005 13:54 0 nhx327.tmp
20.10.2005 13:28 312 MSI4ba61.LOG
10.10.2005 14:08 312 MSI729ef.LOG
09.10.2005 11:22 36.864 CmdLineExt02.dll
09.10.2005 11:22 4.592 SIntfIcn.ani
09.10.2005 11:22 19.924 SIntf32.dll
09.10.2005 11:22 12.067 SIntf16.dll
09.10.2005 11:22 24.516 SIntfNT.dll
25.09.2005 09:51 10.134 dat1.tmp
25.09.2005 09:40 10.134 dat7C.tmp
21.09.2005 11:14 45.096 _VWUPSRV.EXE
02.09.2005 14:21 474 mcm2E.tmp
26.08.2005 16:28 344.625 Google_Earth_3.0.0395_beta_050826-162817.dmp
26.08.2005 13:45 628 ~GE1CF.kmz
25.08.2005 14:00 663 jupdate1.5.0.xml
25.08.2005 12:46 474 mcm1C8.tmp
15.08.2005 12:23 53.834 nsu538.exe
15.08.2005 10:46 236 unknown.htm
10.08.2005 20:01 8.118 peanuts.bmp
10.08.2005 20:01 8.118 doodle.bmp
09.08.2005 22:09 40.448 13c64.mst
09.08.2005 22:09 40.448 29a683d.mst
05.08.2005 00:08 263.305 azplugins_1.5.1.jar
05.08.2005 00:07 708 AZU40200.tmp
05.08.2005 00:01 23.552 java_install.log
05.08.2005 00:00 58.368 523010.mst
03.08.2005 20:44 53 temp.fr5D4D
07.07.2005 14:03 102.479 ICQLSRP.dll
07.07.2005 13:54 32.847 ICQRT.dll


Datentr„ger in Laufwerk C: ist SYSTEM
Datentr„gernummer: 1834-1AE3

Verzeichnis von C:\WINNT

31.10.2005 13:12 53 hosts
31.10.2005 13:12 0 CONFIG.SYS
31.10.2005 13:12 0 AUTOEXEC.BAT
31.10.2005 13:12 13.341 stsheets.dat
31.10.2005 13:11 438.191 WindowsUpdate.log
31.10.2005 13:11 32.548 SchedLgU.Txt
31.10.2005 13:11 1.108.138 ShellIconCache
31.10.2005 08:42 6.400 balloon.wav
30.10.2005 16:38 15.646 setupapi.log
30.10.2005 11:08 141 msicpl.ini
30.10.2005 08:11 1.072 wmsetup.log
27.10.2005 19:31 2.712 ModemLog_Standard 56000 bps K56Flex Modem.txt
14.10.2005 13:51 3.301 GPlrLanc.dat
02.10.2005 09:42 132 winamp.ini
15.08.2005 09:36 32 pavsig.txt
09.08.2005 22:10 316.640 WMSysPr9.prx
25.07.2005 11:13 117.248 GPlrLanc.exe


Datentr„ger in Laufwerk C: ist SYSTEM
Datentr„gernummer: 1834-1AE3

Verzeichnis von C:\

31.10.2005 13:25 0 sys.txt
31.10.2005 13:25 6.135 system.txt
31.10.2005 13:24 3.522 systemtemp.txt
31.10.2005 13:22 99.624 system32.txt
31.10.2005 13:12 0 AUTOEXEC.BAT
31.10.2005 13:12 402.653.184 PAGEFILE.SYS
22.06.2005 21:33 5 AVPCallback.log



"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Babylon Translator" = "C:\Programme\Babylon\Babylon.exe" ["Babylon Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csoft.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Dokumente und Einstellungen\Default User\Eigene Dateien\vs0017b0008_1024.jpg"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]


10/31/05 13:18:25 [Info]: BlackLight Engine 1.0.24 initialized
10/31/05 13:18:25 [Info]: OS: 5.0 build 2195 (Service Pack 4)
10/31/05 13:18:25 [Note]: 4019 4
10/31/05 13:18:25 [Note]: 4005 0
10/31/05 13:18:37 [Note]: 4006 0
10/31/05 13:18:37 [Note]: 4011 1084
10/31/05 13:18:37 [Note]: FSRAW library version 1.7.1013
10/31/05 13:18:40 [Info]: Hidden file: C:\WINNT\SYSTEM32\WBEM\WBEMTEST.EXE
10/31/05 13:18:42 [Info]: Hidden file: C:\WINNT\SYSTEM32\NTFSNLPA.EXE
10/31/05 13:18:44 [Info]: Hidden file: C:\WINNT\SYSTEM32\DOSX.EXE
10/31/05 13:18:46 [Info]: Hidden file: C:\WINNT\SYSTEM32\CISVVC.EXE
10/31/05 13:18:48 [Info]: Hidden file: C:\WINNT\SYSTEM32\CSOFT.EXE
10/31/05 13:18:48 [Note]: 4002 32
10/31/05 13:18:48 [Note]: 4003 1
10/31/05 13:18:50 [Info]: Hidden file: C:\WINNT\SYSTEM32\X.EXE
10/31/05 13:18:52 [Info]: Hidden file: C:\WINNT\SYSTEM32\MSSWCHX.EXE
10/31/05 13:18:54 [Info]: Hidden file: C:\WINNT\SYSTEM32\MSSOSXRT.EXE
10/31/05 13:18:56 [Info]: Hidden file: C:\WINNT\SYSTEM32\PAX.EXE
10/31/05 13:18:58 [Info]: Hidden file: C:\WINNT\SYSTEM32\POSIX.EXE
10/31/05 13:19:00 [Info]: Hidden file: C:\WINNT\SYSTEM32\DMVHV.EXE
10/31/05 13:19:02 [Info]: Hidden file: C:\WINNT\SYSTEM32\UPTDSRV2.EXE
10/31/05 13:19:04 [Info]: Hidden file: C:\WINNT\SYSTEM32\XKZZL.DLL
10/31/05 13:19:06 [Info]: Hidden file: C:\WINNT\SYSTEM32\DRV2CLTR.DLL
10/31/05 13:19:08 [Info]: Hidden file: C:\WINNT\SYSTEM32\VWIPXSPX.EXE
10/31/05 13:19:10 [Info]: Hidden file: C:\WINNT\SYSTEM32\RDSNDIN.EXE
10/31/05 13:19:12 [Info]: Hidden file: C:\WINNT\SYSTEM32\PLEXTC~1.EXE
10/31/05 13:19:14 [Info]: Hidden file: C:\WINNT\SYSTEM32\HCLEAN32.EXE
10/31/05 13:19:53 [Note]: 4007 0

Mit freundlichen Grüssen
Eddy72

#43 Eddy72

Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fixme.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.

Zitat

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WareOut]
[-HKEY_CURRENT_USER\Software\WareOut]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"Disabled"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar]
[-HKEY_CURRENT_USER\Software\SearchToolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hclean32.exe"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
"Flags"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\000]
"runonce1"="\"C:\\HJT\\hijackthis.exe\""

-----------------------------------------------------------------------------------------------------------

doppelklick: blbeta.exe
starte blacklight nochmal und lasse alle Dateien, die es anzeigt umbenennen (ausser C:\WINNT\system32\wbem\wbemtest.exe)
Dann lass Blaklight den Rechner neu starten.

öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O1 - Hosts: 1159680172 auto.search.msn.com
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://god.t-online.de/download/ExentCtl.ocx
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{895ED79E-7318-45A0-80FA-7A0ADBA820BA}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{A69AFF8F-7B0B-4015-838F-246EB7F54203}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{B24038E9-0741-46BA-A524-7433B2E9DD14}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDB0FCFB-6D5C-498C-82B9-D542EC11011F}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CS3\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.157,85.255.112.6

PC neustarten
Computer in den abgesicherten Modus neustarten (F8 beim Starten drücken). Die Datei "fixme.reg" auf dem Desktop doppelklicken

-----------------------------------------------------------------------------------------------

Bitte schicke die umbenannten Dateien,(vorher zippen) sie heissen jetzt z.B. C:\WINNT\system32\hlmicro.exe.ren anstatt C:\WINNT\system32\hlmicro.exe an virus@protecus.de

rechtsklick: mit dem Editor oeffnen(poste mir, was dort steht)
C:\WINNT\stsheets.dat

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Delete File on Reboot -- anhaken
reinkopieren:
...
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"

C:\WINNT\balloon.wav
C:\WINNT\stsheets.dat
C:\WINNT\hosts
C:\WINNT\rdt.ini
C:\DOKUME~1\Casper\LOKALE~1\Temp\nsu538.exe
C:\DOKUME~1\Casper\LOKALE~1\Temp\unknown.htm
C:\DOKUME~1\Casper\LOKALE~1\Temp\peanuts.bmp
C:\DOKUME~1\Casper\LOKALE~1\Temp\doodle.bmp
C:\WINNT\system32\csoft.exe

PC neustarten

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

CCleaner (loesche alle temporaeren Dateien)
http://virus-protect.org/temp.html

Conterspy
http://virus-protect.org/counterspy.html
Klicke: "Run a Spyware Scan Now"
- nach dem Scan muss man sich entscheiden für:
*Ignore
*Remove
*Quarantaine
wähle immer Remove und starte den PC neu (dann kopiere den Scanreport ab und ins Sicherheitsforum)

scanne mit Kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#44 Hallo Sabina,
eine Frage, muss ich das unbedingt im abgesicherten Modus machen? Ich komme zwar bis dort hin wo ich die versch. Moduse drücken kann, aber da passiert nichts. Ich weiss nicht ob das an meiner Tastatur liegt, die spinnt manchmal...

#45 Eddy72

dann versuche es im Normalmodus
__________
MfG Sabina

rund um die PC-Sicherheit