smart security + Backdoor.Win32.Haxdoor

#0
11.04.2005, 12:51
Honorary member
Posts: 29434
14.04.2005, 19:28
Member
Posts: 11
#17
Hello,

Panda scan:

                System   Files   Messages
Scanned         Yes      0       0
Infected        -        0       0
Suspicious      -        0       0
Disinfected     -        0       0

RAV - Scan:

Scanned
============================
Objects: 51748
Directories: 3225
Archives: 6439
Size(Kb): -1676010
Infected files: 0

Found
============================
Viruses found: 0
Suspicious files: 0
Disinfected files: 0
Mail files: 86

Are there perhaps problems in the registry!!!

Havoc

This post was edited on 14.04.2005 at 19:31 by Havoc.
15.04.2005, 00:48
Honorary member
Posts: 29434
#18
Hello @Havoc

Go into the registry: Start < Run < regedit
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
Post me everything you find under this key --> Desktop
---------------------------------------------------------------------------
silentrunners
http://www.silentrunners.org/sr_download.html
go to: Quote: Click here to download a zip file.
The explanation is here: http://www.silentrunners.org/sr_scriptuse.html
click: output file is in text format. --> double-click and the editor opens --> and post everything that is displayed.

And then please scan once more with escan (to be sure that everything has been deleted....)
C:\WINDOWS\Bgo.html
C:\WINDOWS\desktop.html
C:\WINDOWS\Dnn.html
C:\WINDOWS\popup.html
.....
....
__________
Regards, Sabina
all about PC security
19.04.2005, 16:35
Member
Posts: 11
#19
Hello again

"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["Marmiko IT-Solutions GmbH"]
"BDNewsAgent" = "C:\Programme\Softwin\BitDefender Free Edition\bdnagent.exe" [null data]
"AVGCtrl" = "C:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]
"gcasServ" = ""C:\Programme\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{FA9ECA60-F5FE-11D1-A9AE-00E029170CEB}" = "RVS Shortcut InfoTip Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\RVSITIPS.DLL" ["RVS Datentechnik GmbH, München"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v7"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Softwin\BitDefender Free Edition\bdshelxt.dll" ["SOFTWIN S.R.L."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]

Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\desktop.html"

Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
  -> {CLSID}\(Default) = "ICQ Toolbar"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, "C:\Programme\AVPersonal\AVGUARD.EXE" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
BitDefender Communicator, XCOMM, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
BitDefender Scan Server, bdss, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
ewido security suite control, ewido security suite control, "C:\Programme\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

The registry!!! And the escan result:

Fri Apr 08 12:49:38 2005 => ERROR!!! Invalid Entry {0656A137-B161-CADD-9777-E37A75727E78} = C:\WINDOWS\system32\thun32.dll (in key Software\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler). Removing it.
Fri Apr 08 12:49:43 2005 => ERROR!!! Invalid Entry DllName = appmgmts.dll (in key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}). Removing it.
Fri Apr 08 12:49:55 2005 => ERROR!!! Invalid Entry C:\WINDOWS\system32\Service.exe. Removing SYSTEM\CurrentControlSet\Services\Service...
Fri Apr 08 12:49:57 2005 => ERROR!!! Invalid Entry system32\DRIVERS\wanatw4.sys. Removing SYSTEM\CurrentControlSet\Services\wanatw...
Fri Apr 08 12:53:57 2005 => Scanning File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CoolWWWSearchGooglems.zip
Fri Apr 08 12:53:57 2005 => Result: ERROR!!! File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CoolWWWSearchGooglems.zip is Not Scanned
Fri Apr 08 12:53:57 2005 => C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CoolWWWSearchGooglems.zip not Scanned. Possibly password protected...
Fri Apr 08 12:53:57 2005 => Scanning File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CoolWWWSearchGooglems1.zip
Fri Apr 08 12:53:57 2005 => Result: ERROR!!! File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CoolWWWSearchGooglems1.zip is Not Scanned
Tue Apr 19 16:59:23 2005 => ***** Scanning complete. *****
Tue Apr 19 16:59:23 2005 => Total Objects Scanned: 16063
Tue Apr 19 16:59:23 2005 => Total Virus(es) Found: 0
Tue Apr 19 16:59:23 2005 => Total Disinfected Files: 0
Tue Apr 19 16:59:23 2005 => Total Files Renamed: 0
Tue Apr 19 16:59:23 2005 => Total Deleted Objects: 0
Tue Apr 19 16:59:23 2005 => Total Errors: 0
Tue Apr 19 16:59:23 2005 => Time Elapsed: 00:13:22
Tue Apr 19 16:59:23 2005 => Virus Database Date: 2005/04/07
Tue Apr 19 16:59:23 2005 => Virus Database Count: 125034
Tue Apr 19 16:59:23 2005 => Scan Completed.

thx
havoc

This post was edited on 19.04.2005 at 17:05 by Havoc.
22.04.2005, 11:46
Honorary member
Posts: 29434
#20
Active Desktop is disabled. --> you will need to re-enable that.

Post everything you find under this key:
HKCU\Software\Microsoft\Internet Explorer\Desktop\

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\desktop.html" --> delete with right-click

Restart the PC.

1 - Right-click the taskbar - Properties.
2 - Enable "Auto-hide the taskbar".
3 - You can now see a small part of the old desktop background, where the taskbar used to be.
4 - Right-click - Properties on that small visible piece of the old desktop.
5 - Desktop - Customize Desktop
6 - Select the Web tab
7 - Delete the entry "Security" + C:\WINDOWS\desktop.html
--------------------------------------------------------------------------------------
Right mouse button:
HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer
With 1, no display menu appears any more when you right-click the desktop or Explorer. On NT 4.0 only available from Service Pack 2 on.
NoViewContextMenu REG_DWORD Boolean 0
This may have to be repeated under "HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer".
Everything on the subject is here: http://www.winfaq.de/faq_html/tip0808.htm
__________
Regards, Sabina
all about PC security
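A read-only check of the items posts #18 and #20 ask Havoc to inspect by hand; this is an added example, not code from the thread. It reads the Wallpaper value, the Desktop\Components subkeys, the four HTML files named in post #18 and the Explorer policy values; NoActiveDesktop and NoActiveDesktopChanges are standard policy names assumed here, not taken from the thread.

```powershell
# Added example, not from the thread: a read-only triage of the Active Desktop
# hijack the posts above walk through by hand. It reports; it removes nothing.
function Test-ActiveDesktopHijack {
    $findings = @()

    # 1. Wallpaper set to a local HTML file (the thread's case: C:\WINDOWS\desktop.html).
    $desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    if ($desk -and $desk.Wallpaper -match '\.html?$') {
        $findings += "Wallpaper is an HTML document: $($desk.Wallpaper)"
    }

    # 2. Active Desktop components: each subkey describes one web item drawn on the
    #    desktop; its Source value is the URL or local file that gets loaded.
    $comp = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
    if (Test-Path $comp) {
        foreach ($k in Get-ChildItem $comp) {
            $v = Get-ItemProperty $k.PSPath
            $findings += "Desktop component $($k.PSChildName): Source='$($v.Source)' FriendlyName='$($v.FriendlyName)'"
        }
    }

    # 3. HTML files named in post #18 as belonging to this infection.
    foreach ($f in 'Bgo.html', 'desktop.html', 'Dnn.html', 'popup.html') {
        $p = Join-Path $env:SystemRoot $f
        if (Test-Path $p) { $findings += "File present: $p" }
    }

    # 4. Explorer policies that keep the user from seeing or undoing the change.
    #    NoViewContextMenu is from the thread; NoActiveDesktop and
    #    NoActiveDesktopChanges are standard policy names assumed here.
    foreach ($hive in 'HKCU', 'HKLM') {
        $pol = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ErrorAction SilentlyContinue
        foreach ($name in 'NoViewContextMenu', 'NoActiveDesktop', 'NoActiveDesktopChanges') {
            if ($pol -and $pol.$name -eq 1) { $findings += "$hive policy $name = 1" }
        }
    }

    return $findings
}

$result = Test-ActiveDesktopHijack
if ($result.Count -eq 0) { 'No Active Desktop hijack indicators found.' } else { $result }
```

Run it in the affected user's session, since the Wallpaper and Components values live under HKCU; a clean machine prints the "No ... indicators" line.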
• Please scan once more with escan (and report what was still found)
• RAV ANTIVIRUS SCAN ONLINE
  http://www.ravantivirus.com/scan/index.php (report from the scan)
• Online scan (Panda)
  http://www.pandasoftware.com/activescan/com/activescan_principal.htm
  (report from the scan)
__________
Regards, Sabina
all about PC security