PSGuard-Trojaner

#0
01.07.2005, 20:02
...neu hier

Beiträge: 3
#1 Hallo! Auch ich bin ´befallen worden....

HiJack:
Logfile of HijackThis v1.99.1
Scan saved at 19:36:57, on 01.07.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Dit.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Programme\Java\jre1.5.0_02\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Logitech\QCDriver3\LVCOMS.EXE
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\Prismsta.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
D:\_Downloads\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Programme\Gemeinsame Dateien\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programme\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Programme\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [Prism_Utility] Prismsta.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PSGuard] C:\Programme\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\system32\intel32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Programme\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition-Anschluss.lnk = C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
O8 - Extra context menu item: &Google-Suche - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/284a4fdfd3c8f142ab04/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114347483007
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/aktenkoffer/activex/upload_11110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD32266F-E81C-45F8-BC24-0403ACB47116}: NameServer = 192.168.1.1
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - C:\Programme\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

PFIND:
Files found with this application may be legitimate.
Only remove files that you know are malware related.
Checking the C:\WINDOWS folder
C:\WINDOWS\epsuninst.exe: UPX!


Checking the C:\WINDOWS\SYSTEM32 folder
C:\WINDOWS\SYSTEM32\DivX.dll: PEC2
C:\WINDOWS\SYSTEM32\DivX.dll: PECompact2
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder


Checking the C:\Dokumente und Einstellungen\All Users\Start Menu\programs\Startup\ folder



Checking the C:\Dokumente und Einstellungen\All Users\Application Data folder



Checking the C:\Dokumente und Einstellungen\Sven\Start Menu\programs\Startup\ folder



Checking the C:\Dokumente und Einstellungen\Sven\Application Data folder



Silentrunner:
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"Bandwidth Monitor Pro" = ""C:\Programme\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized" ["Pro²soft"]
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"Dit" = "Dit.exe" ["ICSI Technology Ltd."]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"ledpointer" = "CNYHKey.exe" ["Chicony"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"HotKey" = "C:\WINDOWS\Twain_32\FlatBed\HotKey.exe" ["Pmx. Electronics Ltd."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"LVCOMS" = "C:\Programme\Gemeinsame Dateien\Logitech\QCDriver3\LVCOMS.EXE" ["Logitech Inc."]
"LogitechGalleryRepair" = "C:\Programme\Logitech\ImageStudio\ISStart.exe" [file not found]
"LogitechImageStudioTray" = "C:\Programme\Logitech\ImageStudio\LogiTray.exe" [file not found]
"InCD" = "C:\Programme\Ahead\InCD\InCD.exe" ["Nero AG"]
"AVGCtrl" = "C:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]
"Syslog" = (empty string)
"Prism_Utility" = "Prismsta.exe" ["Intersil Americas Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"PSGuard" = "C:\Programme\PSGuard\PSGuard.exe" [file not found]
"intel32.exe" = "C:\WINDOWS\system32\intel32.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup\ {++}
EXECUTION UNLIKELY: "Registrando Panda ActiveX" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\as.dll" [MS]
EXECUTION UNLIKELY: "Registrando Panda Almacen" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\pavpz.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Ahead\InCD\incdshx.dll" ["Nero AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Sven" & "All Users" startup folders:
------------------------------------------------------

C:\Dokumente und Einstellungen\Sven\Startmenü\Programme\Autostart
"Trillian" -> shortcut to: "C:\Programme\Trillian\trillian.exe" ["Cerulean Studios"]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Symantec Fax Starter Edition-Anschluss" -> shortcut to: "C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Mobilen Favoriten erstellen"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\Programme\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
GFI LANguard N.S.S. Scheduled Scans Service, lnss_sscans, "C:\Programme\GFI\LANguard Network Security Scanner 3\sscansvc.exe" ["GFI Software Ltd."]
InCD Helper, InCDsrv, "C:\Programme\Ahead\InCD\InCDsrv.exe" ["Nero AG"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 79 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 127 seconds)

Find-IT:


Microsoft Windows XP [Version 5.1.2600]
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\EPSUNI~1.EXE

»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4018-680A

Verzeichnis von C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4018-680A

Verzeichnis von C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».
Seitenanfang Seitenende
01.07.2005, 20:42
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#2 Hallo@taucher0815

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

O4 - HKLM\..\Run: [PSGuard] C:\Programme\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\system32\intel32.exe

PC neustarten



Start -- Ausführen -- cmd -- kopiere nur die Einträge der letzten 40 Tage aus dem sich öffnenden Editor raus

einzeln reinkopieren;)dann öffnet sich der Editor)

cd\
cd %windir%\system32
dir /a:-d /o:-d > %systemdrive%\system32.txt
start %systemdrive%\system32.txt
cls
exit

cd\
cd %temp%\
dir /a:-d /o:-d > %systemdrive%\systemtemp.txt
start %systemdrive%\systemtemp.txt
cls
exit

cd\
cd %windir%
dir /a:-d /o:-d > %systemdrive%\system.txt
start %systemdrive%\system.txt
cls
exit

cd\
dir /a:-d /o:-d > %systemdrive%\sys.txt
start %systemdrive%\sys.txt
cls
exit


im abgesicherten modus loeschen:

C:\Programme\PSGuard\PSGuard.exe
C:\WINDOWS\system32\intel32.exe


mache einen Onlinescan mit panda + berichte
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
01.07.2005, 20:58
...neu hier

Themenstarter

Beiträge: 3
#3 Verzeichnis von C:\WINDOWS\system32

26.06.2005 18:57 381.692 perfh009.dat
26.06.2005 18:57 53.436 perfc009.dat
26.06.2005 18:57 392.512 perfh007.dat
26.06.2005 18:57 64.452 perfc007.dat
26.06.2005 18:57 902.652 PerfStringBackup.INI
11.06.2005 10:38 0 dfwmysf14.win
11.06.2005 00:33 4.212 zllictbl.dat
09.06.2005 14:35 1.300.312 MRT.exe
30.05.2005 20:36 2.828 KGyGaAvL.sys
30.05.2005 20:34 56 F57499EBC9.sys
27.05.2005 04:04 137.216 itss.dll
27.05.2005 04:04 546.304 hhctrl.ocx
27.05.2005 04:04 41.472 hhsetup.dll
27.05.2005 04:04 155.136 itircl.dll

Verzeichnis von C:\DOKUME~1\Sven\LOKALE~1\Temp

01.07.2005 20:54 12.763 WcesView.log
01.07.2005 20:14 32.768 ~DFF3C4.tmp
01.07.2005 20:14 279 WCESCOMM.LOG
01.07.2005 20:14 4.185 jusched.log
01.07.2005 19:29 32.768 ~DFECF0.tmp
01.07.2005 19:25 116 kb.log
01.07.2005 18:56 32.768 ~DFF927.tmp
01.07.2005 18:09 455 Dll_.ini
01.07.2005 17:31 130.949 GRD$LOGFILE.LOG
01.07.2005 06:31 32.768 ~DFE9F9.tmp
30.06.2005 07:23 236.134 wcesmgr.log
30.06.2005 07:19 6.262 outstore.log
30.06.2005 06:06 32.768 ~DFF7C1.tmp
27.06.2005 18:33 1.248 java_install_reg.log
27.06.2005 06:12 25.600 ~$_lock.tmp
27.06.2005 05:25 2 Twain001.Mtx
26.06.2005 19:55 373 jupdate1.5.0.xml
26.06.2005 15:36 0 TWAIN.LOG
26.06.2005 08:31 32.768 ~DFEA43.tmp
25.06.2005 19:55 32.768 ~DFEB22.tmp
25.06.2005 17:31 32.768 ~DFEDC6.tmp
25.06.2005 05:31 32.768 ~DFF433.tmp
24.06.2005 16:09 116 574F41BA.TMP
23.06.2005 18:06 717 control.xml
23.06.2005 17:57 983.040 ~DF9DA9.tmp
22.06.2005 06:53 283 wahtmltmp00.htm
21.06.2005 19:50 32.768 ~DFF019.tmp
21.06.2005 07:21 983.040 ~DF5AA3.tmp
21.06.2005 07:21 32.768 ~DFF1B8.tmp
21.06.2005 07:19 7.021 9LQ33YJL.htm
20.06.2005 21:41 983.040 ~DFDA5B.tmp
20.06.2005 21:31 32.768 ~DFFDEA.tmp
19.06.2005 16:18 49.152 ~DFF6.tmp
16.06.2005 21:44 0 is13F.tmp
16.06.2005 21:40 0 isD7.tmp
16.06.2005 21:38 0 isAE.tmp
16.06.2005 21:38 0 is9F.tmp
16.06.2005 21:37 194 MSI29e54.LOG
16.06.2005 21:37 0 is92.tmp
16.06.2005 21:16 0 TempCover2

Verzeichnis von C:\WINDOWS

01.07.2005 20:15 811 win.ini
01.07.2005 20:14 4.442 ModemLog_Creatix V.9X DSP Data Fax Modem.txt
01.07.2005 20:14 551.306 WindowsUpdate.log
01.07.2005 20:14 159 wiadebug.log
01.07.2005 20:14 50 wiaservc.log
01.07.2005 20:14 0 0.log
01.07.2005 20:14 2.048 bootstat.dat
01.07.2005 20:13 15.788 SchedLgU.Txt
01.07.2005 20:12 28.525 KB883939.log
01.07.2005 20:12 13.319 updspapi.log
01.07.2005 20:08 17.711 setupapi.log
01.07.2005 18:48 95.980 ntbtlog.txt
01.07.2005 07:42 3.886 newsbot.ini
01.07.2005 07:02 116 NeroDigital.ini
30.06.2005 19:01 1.125 winamp.ini
29.06.2005 05:44 64.057 wmsetup.log
28.06.2005 22:16 42.490 iis6.log
28.06.2005 22:16 1.374 imsins.log
28.06.2005 22:16 48.436 ntdtcsetup.log
28.06.2005 22:16 10.130 ocmsn.log
28.06.2005 22:16 81.206 comsetup.log
28.06.2005 22:16 111.407 tsoc.log
28.06.2005 22:16 7.531 KB898461.log
28.06.2005 22:16 152.009 ocgen.log
28.06.2005 22:16 14.376 msgsocm.log
28.06.2005 22:16 310.982 FaxSetup.log
26.06.2005 18:08 502 wincmd.ini
26.06.2005 17:52 388 wcx_ftp.ini
15.06.2005 09:12 252 setup.iss
14.06.2005 20:57 239.190 KB893066.log
14.06.2005 20:56 1.374 imsins.BAK
14.06.2005 20:56 16.907 KB896428.log
14.06.2005 20:56 17.240 KB896422.log
14.06.2005 20:56 17.711 KB890046.log
14.06.2005 20:56 17.110 KB896358.log
13.06.2005 14:58 145.258 UNNeroVision.cfg
13.06.2005 14:36 45.511 UNNMP.cfg
12.06.2005 19:50 1.062.121 setupapi.log.0.old
11.06.2005 20:32 3.145.782 BGInfo.bmp
27.05.2005 01:22 10.752 hh.exe
23.05.2005 16:34 2.920.448 UNNMP.exe
23.05.2005 16:34 2.920.448 UNNeroVision.exe
19.05.2005 19:51 25.459 cFosSpeed_Setup_Log.txt
18.05.2005 22:57 99.970 UninstallFirefox.exe


Verzeichnis von C:\

01.07.2005 20:56 0 sys.txt
01.07.2005 20:56 9.233 system.txt
01.07.2005 20:56 2.404 systemtemp.txt
01.07.2005 20:56 102.042 system32.txt
01.07.2005 20:13 805.306.368 pagefile.sys
01.07.2005 20:01 1.357 log.txt
01.07.2005 19:42 793 pfind.txt
01.07.2005 19:30 2.742 dltrace.Log
11.06.2005 14:56 210 boot.ini
Seitenanfang Seitenende
01.07.2005, 21:05
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#4 ich hab noch vergessen:

Gehe in die Registry

Start-->Ausfuehren--> regedit

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

loeschen:

"Syslog"

PC neustarten

Zitat

im abgesicherten modus loeschen:
C:\Programme\PSGuard\PSGuard.exe
C:\WINDOWS\system32\intel32.exe


mache einen Onlinescan mit panda + berichte
http://virus-protect.org/onlinescan.html

__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
01.07.2005, 21:20
...neu hier

Themenstarter

Beiträge: 3
#5

Zitat

Sabina postete
mache einen Onlinescan mit panda + berichte
http://virus-protect.org/onlinescan.html
Der scannt leider nicht... Kann an meiner Firewall liegen....

System Files Messages

Scanned Yes 0 0
Infected - 0 0
Suspicious - 0 0
Disinfected - 0 0
Dieser Beitrag wurde am 01.07.2005 um 21:44 Uhr von taucher0815 editiert.
Seitenanfang Seitenende
01.07.2005, 23:27
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#6 C:\Programme\PSGuard\ <--loeschen

escan
http://virus-protect.org/escan.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
Um auf dieses Thema zu ANTWORTEN
bitte erst » hier kostenlos registrieren!!

Folgende Themen könnten Dich auch interessieren: