smart security +Backdoor.Win32.Haxdoor

11.04.2005, 12:51
Honorary member

Posts: 29434
#16 Hello @Havoc

Please scan once more with escan (and report what was still found)

• RAV ANTIVIRUS SCAN ONLINE
http://www.ravantivirus.com/scan/index.php (report on the scan)

• Online scan (Panda)
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
(report on the scan)
__________
Regards, Sabina

all about PC security
14.04.2005, 19:28
Member

Posts: 11
#17 Hi

Panda scan:

             System   Files   Messages
Scanned      Yes      0       0
Infected     -        0       0
Suspicious   -        0       0
Disinfected  -        0       0


RAV scan:

Scanned
============================
Objects: 51748
Directories: 3225
Archives: 6439
Size(Kb): -1676010
Infected files: 0

Found
============================
Viruses found: 0
Suspicious files: 0
Disinfected files: 0
Mail files: 86

Could there perhaps be problems in the registry!!!

Havoc
This post was edited on 14.04.2005 at 19:31 by Havoc.
15.04.2005, 00:48
Honorary member

Posts: 29434
#18 Hello @Havoc

Go into the registry

Start < Run < regedit

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components

post everything you find under this key --> Desktop
---------------------------------------------------------------------------
silentrunners
http://www.silentrunners.org/sr_download.html
go to:
Quote:
Click here to download a zip file.
here is the explanation:
http://www.silentrunners.org/sr_scriptuse.html
click: output file is in text format. --> double-click and the editor opens -->
and post everything that is shown.

and then please scan once more with escan (to make sure that everything was deleted....)

C:\WINDOWS\Bgo.html
C:\WINDOWS\desktop.html
C:\WINDOWS\Dnn.html
C:\WINDOWS\popup.html
.....
....
__________
Regards, Sabina

all about PC security
19.04.2005, 16:35
Member

Posts: 11
#19 Hi there

"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["Marmiko IT-Solutions GmbH"]
"BDNewsAgent" = "C:\Programme\Softwin\BitDefender Free Edition\bdnagent.exe" [null data]
"AVGCtrl" = "C:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]
"gcasServ" = ""C:\Programme\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{FA9ECA60-F5FE-11D1-A9AE-00E029170CEB}" = "RVS Shortcut InfoTip Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\RVSITIPS.DLL" ["RVS Datentechnik GmbH, München"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v7"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Softwin\BitDefender Free Edition\bdshelxt.dll" ["SOFTWIN S.R.L."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\desktop.html"


Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {CLSID}\(Default) = "ICQ Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, "C:\Programme\AVPersonal\AVGUARD.EXE" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
BitDefender Communicator, XCOMM, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
BitDefender Scan Server, bdss, ""C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
ewido security suite control, ewido security suite control, "C:\Programme\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


the registry!!!


and the escan result:


Fri Apr 08 12:49:38 2005 => ERROR!!! Invalid Entry {0656A137-B161-CADD-9777-E37A75727E78} = C:\WINDOWS\system32\thun32.dll (in key Software\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler). Removing it.

Fri Apr 08 12:49:43 2005 => ERROR!!! Invalid Entry DllName = appmgmts.dll (in key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}). Removing it.

Fri Apr 08 12:49:55 2005 => ERROR!!! Invalid Entry C:\WINDOWS\system32\Service.exe. Removing SYSTEM\CurrentControlSet\Services\Service...

Fri Apr 08 12:49:57 2005 => ERROR!!! Invalid Entry system32\DRIVERS\wanatw4.sys. Removing SYSTEM\CurrentControlSet\Services\wanatw...

Fri Apr 08 12:53:57 2005 => Scanning File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CoolWWWSearchGooglems.zip
Fri Apr 08 12:53:57 2005 => Result: ERROR!!! File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CoolWWWSearchGooglems.zip is Not Scanned
Fri Apr 08 12:53:57 2005 => C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CoolWWWSearchGooglems.zip not Scanned. Possibly password protected...
Fri Apr 08 12:53:57 2005 => Scanning File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CoolWWWSearchGooglems1.zip
Fri Apr 08 12:53:57 2005 => Result: ERROR!!! File C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CoolWWWSearchGooglems1.zip is Not Scanned

Tue Apr 19 16:59:23 2005 => ***** Scanning complete. *****

Tue Apr 19 16:59:23 2005 => Total Objects Scanned: 16063
Tue Apr 19 16:59:23 2005 => Total Virus(es) Found: 0
Tue Apr 19 16:59:23 2005 => Total Disinfected Files: 0
Tue Apr 19 16:59:23 2005 => Total Files Renamed: 0
Tue Apr 19 16:59:23 2005 => Total Deleted Objects: 0
Tue Apr 19 16:59:23 2005 => Total Errors: 0
Tue Apr 19 16:59:23 2005 => Time Elapsed: 00:13:22
Tue Apr 19 16:59:23 2005 => Virus Database Date: 2005/04/07
Tue Apr 19 16:59:23 2005 => Virus Database Count: 125034

Tue Apr 19 16:59:23 2005 => Scan Completed.

thx havoc
This post was edited on 19.04.2005 at 17:05 by Havoc.
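A small triage helper for the Silent Runners report and the eScan log posted above, added here as an example (it is not part of the thread and not code from either tool): it flags a Wallpaper value that points at an HTML file and a disabled Active Desktop, lists each INFECTION WARNING! hook with the module it loads, and extracts the registry entries eScan reported as removed. The sample lines are constructed from the posted output; the function names are my own.

```python
import re

# Constructed excerpts in the format of the Silent Runners report and the eScan
# log posted in this thread (representative lines only, not the full output).
SILENT_RUNNERS = r'''Active Desktop is disabled.
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\desktop.html"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
'''
ESCAN = r'''Fri Apr 08 12:49:38 2005 => ERROR!!! Invalid Entry {0656A137-B161-CADD-9777-E37A75727E78} = C:\WINDOWS\system32\thun32.dll (in key Software\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler). Removing it.
Fri Apr 08 12:49:55 2005 => ERROR!!! Invalid Entry C:\WINDOWS\system32\Service.exe. Removing SYSTEM\CurrentControlSet\Services\Service...
'''

MODULE_RE = re.compile(r'= "([^"]+\.(?:dll|ocx|exe))"', re.IGNORECASE)  # = "path\to\x.dll"
ESCAN_IN_KEY = re.compile(r"Invalid Entry (?:\S+ = )?(\S+) \(in key ([^)]+)\)\. Removing it")
ESCAN_SERVICE = re.compile(r"Invalid Entry (\S+)\. Removing (\S+?)\.{3}$")

def desktop_findings(report):
    """Flag a Wallpaper value pointing at an HTML file (the desktop.html hijack here) and a disabled Active Desktop."""
    findings = []
    m = re.search(r'"Wallpaper" = "([^"]+)"', report)
    if m and m.group(1).lower().endswith((".htm", ".html")):
        findings.append(("wallpaper_html", m.group(1)))
    if "Active Desktop is disabled." in report:
        findings.append(("active_desktop_disabled", ""))
    return findings

def infection_warnings(report):
    """Return (registry key, module) per INFECTION WARNING! entry, to compare against knowingly installed software."""
    key, found, lines = None, [], report.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("HK") and line.endswith("\\"):
            key = line.rstrip("\\")  # the key the following entries sit under
        elif line.startswith("INFECTION WARNING!"):
            # The module is on the warning line itself (Winlogon\Notify) or on
            # the following "-> {CLSID}\InProcServer32" line (shell hooks).
            m = MODULE_RE.search(line) or (i + 1 < len(lines) and MODULE_RE.search(lines[i + 1]))
            found.append((key, m.group(1) if m else None))
    return found

def escan_removed_entries(log):
    """Extract (file, registry key) for every entry eScan reported as invalid and removed (both line shapes)."""
    matches = (ESCAN_IN_KEY.search(l) or ESCAN_SERVICE.search(l) for l in log.splitlines())
    return [m.groups() for m in matches if m]
```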
22.04.2005, 11:46
Honorary member

Posts: 29434
#20 Active Desktop is disabled. --> you will need to re-enable that:


post everything you find under this key:
HKCU\Software\Microsoft\Internet Explorer\Desktop\

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\desktop.html" --> delete with a right-click

Restart the PC

1 - Right-click the taskbar - Properties.
2 - Enable "Auto-hide the taskbar".
3 - You can now see a small part of the old desktop background where the taskbar used to be.
4 - Right-click - Properties on the small piece of old desktop.
5 - Desktop - Customize Desktop
6 - Select the Web tab
7 - Delete the entry "Security"+C:\WINDOWS\desktop.html

--------------------------------------------------------------------------------------
Right mouse button:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
With 1, the display menu no longer appears when you right-click on the desktop or in Explorer. On NT 4.0 only available from Service Pack 2 onwards.
NoViewContextMenu REG_DWORD Boolean 0

This may need to be repeated under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer".

Everything on the topic is here

http://www.winfaq.de/faq_html/tip0808.htm
__________
Regards, Sabina

all about PC security