WareOut + dmbir.exe + hclean32.exe
#0
27.08.2005, 15:50
...new here
Posts: 8
27.08.2005, 16:40
Honorary member
Posts: 29434
#2
Hello @Curse27,
I need quite a lot of information so that we "catch" all of the malware. This is the start... more will follow (some of it is visible, other things are not...).

Silent Runners: http://virus-protect.org/silentrunner.html
Go to: Quote: Click here to download a zip file. The explanation is here: http://www.silentrunners.org/sr_scriptuse.html
Click: output file is in text format. --> Double-click it, Notepad opens --> post everything that is shown.

FindT: http://bilder.informationsarchiv.net/Nikitas_Tools/FindT.zip
Unpack into C:\ -- open the "FindT" folder -- run the batch file (runthis.bat) -- post the txt (text file) in the thread.

Download rkfiles.zip: http://bilder.informationsarchiv.net/Nikitas_Tools/rkfiles.zip --> unpack --> boot into Safe Mode http://www.tu-berlin.de/www/software/virus/savemode.shtml --> double-click (run) rkfiles.bat --> wait until the DOS window closes --> post C:\log.txt

__________
Regards, Sabina
all about PC security
27.08.2005, 17:35
...new here
Thread starter, Posts: 8
#3
First of all, many thanks for the quick reply.
Attached are the results of the scans.

Silent Runners:

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Steam" = (empty string)
"WareOut" = ""C:\Programme\WareOut\WareOut.exe"" [file not found]
"keybdll" = "systemdll.exe" [file not found]
"br0ken" = "AliceSD.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HTpatch" = "C:\WINDOWS\htpatch.exe" [null data]
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ICQ Lite" = "D:\ICQ\ICQLite.exe -minimize" ["ICQ Ltd."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"AccG160" = "C:\PROGRA~1\WLANQU~1\AccG160.exe" [null data]
"WLAN Quick-Starter" = ""C:\Programme\WLAN Quick-Starter\WLAN Quick-Starter.exe" -update" [null data]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Ulead AutoDetector v2" = "C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe" ["Ulead Systems, Inc."]
"hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [null data]
"dmbir.exe" = "C:\WINDOWS\system32\dmbir.exe" [null data]
"browsebar" = "Brong32.exe" [file not found]
"WhatsNewBot" = "runload32.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "D:\AcrobatReader\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" = "Send To Mail Recipient CMC PowerToy"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\SENDTOX.DLL" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\CDWSHEXT.DLL" ["VoB Computersysteme GmbH"]
"{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\CDWSHEXT.DLL" ["VoB Computersysteme GmbH"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{2F25CF20-C569-11D1-B94C-00608CB45480}" = "TextPad"
  -> {CLSID}\InProcServer32\(Default) = "D:\TextPad\System\shellext.dll" ["Helios Software Solutions"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealOne Player\rpshellext.dll" [file not found]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "D:\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 DragDrop Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "D:\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "D:\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Property Sheet Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "D:\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING!
"System" = "cswge.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {CLSID}\InProcServer32\(Default) = "D:\ICQ\ICQLiteShell.dll" [empty string]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
TextPad\(Default) = "{2F25CF20-C569-11D1-B94C-00608CB45480}"
  -> {CLSID}\InProcServer32\(Default) = "D:\TextPad\System\shellext.dll" ["Helios Software Solutions"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {CLSID}\InProcServer32\(Default) = "D:\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {CLSID}\InProcServer32\(Default) = "D:\ICQ\ICQLiteShell.dll" [empty string]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {CLSID}\InProcServer32\(Default) = "D:\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING!
"NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|Disable customizing browser toolbars}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Home\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\LONGHORN.SCR" [MS]

Startup items in "Home" & "All Users" startup folders:
------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Logitech Desktop Messenger" -> shortcut to: "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"ZDWlan" -> shortcut to: "C:\Programme\ZyXEL Technology Corporation\ZyAIR G-220 Utility\ZDWlan.exe" ["TODO: <***>" (unwritable string)]
"WinZip Quick Pick" -> shortcut to: "D:\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]

Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ 4.1"
"MenuText" = "ICQ Lite"
"Exec" = "D:\ICQ\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
Missing lines (compared with English-language version):
"{87A2E757-69EF-9DB0-6A70-69AD57B175FE}" = "msag"
  -> {CLSID}\InProcServer32\(Default) = "ftbar.dll" [file not found]

HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
      1 of the IP addresses is *not* localhost!

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

0190/0900 Warner Überwachungsdienst, 0190_0900_Warner_MonitorService, "D:\0190-Warner\0190 Warner\w0svc.exe" ["Mirko Böer"]
Norton AntiVirus Auto-Protect-Dienst, navapsvc, ""C:\Programme\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
SAVScan, SAVScan, ""C:\Programme\Norton AntiVirus\SAVScan.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

FindT:
C:\WINDOWS\RDT.INI
C:\WINDOWS\BALLOON.WAV

rkfiles:
------------------------
C:\WINDOWS\system32\Uharc.exe: UPX!
C:\WINDOWS\system32\msexnpbi.exe: PEFSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2

Files Found in all users startup Folder............
------------------------
C:\WINDOWS\system32\Uharc.exe: UPX!
C:\WINDOWS\system32\msexnpbi.exe: PEFSG!

Files Found in all users windows Folder............
------------------------

This post was edited by Curse27 on 27.08.2005 at 17:43.
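The Silent Runners section above is read the same way every time: dangling autostarts ([file not found]), executables in system32 that carry no version resource ([null data]), and a non-empty Winlogon "System" value. The script below, an added example and not code from the original posts or from the Silent Runners script, parses that entry format and pulls out exactly those three classes. The sample log is constructed from entries quoted in this post. One caveat the output makes visible: [null data] only means "no version information", and legitimate vendor tools such as HTpatch.exe in C:\WINDOWS show it too, so the check is restricted to system32 and is a prompt to look at the file (date, size, hash), not a verdict.

```python
"""Triage the "Startup items buried in registry" section of a Silent Runners log.

Added example for this thread; it is not part of the original posts or of the
Silent Runners script. It parses the entry format Silent Runners prints
("name" = "command" [annotation]) and flags the three things a helper reads
first: autostart entries whose file no longer exists, entries under system32
with no version information ([null data]), and any non-empty Winlogon
"System" value. SAMPLE_LOG is constructed from entries quoted in the thread
(sample input, not a full log).
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Steam" = (empty string)
"WareOut" = ""C:\Programme\WareOut\WareOut.exe"" [file not found]
"br0ken" = "AliceSD.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HTpatch" = "C:\WINDOWS\htpatch.exe" [null data]
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [null data]
"dmbir.exe" = "C:\WINDOWS\system32\dmbir.exe" [null data]
"browsebar" = "Brong32.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING!
"System" = "cswge.exe" [null data]
"""

# "name" = "value" [annotation]; the value may itself contain quotes, so the
# greedy group backtracks to the last quote before the optional [tag].
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<value>.*)"\s*(?:\[(?P<tag>[^\]]*)\])?\s*$')
KEY_RE = re.compile(r'^(HKLM|HKCU|HKEY_[A-Z_]+)\\')


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: str
    reason: str


def parse_entries(log_text):
    """Yield (key, name, value, tag); the key is the registry heading an entry sits under."""
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if KEY_RE.match(line):
            current_key = line.split(" {++}")[0].rstrip("\\")
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield current_key, m["name"], m["value"].strip('"'), (m["tag"] or "").strip()


def triage(log_text):
    """Return the entries a helper would look at first, with the reason for each."""
    findings = []
    for key, name, value, tag in parse_entries(log_text):
        if "winlogon" in key.lower() and name.lower() == "system" and value:
            findings.append(Finding(key, name, value, "Winlogon System value is set (empty on a clean XP)"))
        elif tag == "file not found":
            findings.append(Finding(key, name, value, "autostart points to a missing file"))
        elif tag == "null data" and "\\system32\\" in value.lower():
            findings.append(Finding(key, name, value, "executable in system32 without version information"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: [{f.name}] {f.value}  ({f.key})")
```

Run against the full log the output lists the WareOut, keybdll, br0ken, browsebar and WhatsNewBot leftovers, hclean32.exe and dmbir.exe, and the Winlogon cswge.exe entry; HTpatch and the signed vendor entries are not reported.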
27.08.2005, 20:37
Honorary member
Posts: 29434
#4
http://virus-protect.org/datfindbat.html
Please work through this (copy the paths as well).

__________
Regards, Sabina
all about PC security
27.08.2005, 20:46
...new here
Thread starter, Posts: 8
#5
Result:

Directory of C:\WINDOWS\system32
27.08.2005 15:10 2.206 wpa.dbl
25.08.2005 08:50 705 msexnpbi.exe
25.08.2005 08:50 155.648 prwwr.dll
21.08.2005 00:38 204.120 FNTCACHE.DAT
30.07.2005 16:49 219.648 uxtheme.dll

Directory of C:\DOKUME~1\Home\LOKALE~1\Temp
27.08.2005 01:26 73.728 ~A2.tmp
26.08.2005 14:12 16.384 ~DF24B3.tmp
26.08.2005 14:11 52 kb.log
26.08.2005 01:20 12.456 jusched.log
26.08.2005 01:18 5.825 java_install_reg.log
25.08.2005 15:15 16.384 ~DF2220.tmp
25.08.2005 15:09 65.536 ~DF8397.tmp
25.08.2005 09:03 512 ~DF924B.tmp
25.08.2005 09:03 16.384 ~DF9224.tmp
25.08.2005 09:01 16.384 ~DFC787.tmp
25.08.2005 08:50 798.234 IMT10.xml
25.08.2005 08:50 2.036 IMTE.xml
25.08.2005 08:50 426 IMTF.xml
24.08.2005 14:27 16.384 ~DF5052.tmp
21.08.2005 22:24 717 control.xml
20.08.2005 21:56 79 6743D3B0.TMP
20.08.2005 20:02 65.536 ~DF998F.tmp
20.08.2005 13:57 16.384 ~DFC439.tmp
18.08.2005 01:08 22.068 SIntfNT.dll
18.08.2005 01:08 17.324 SIntf32.dll
18.08.2005 01:08 40.448 CmdLineExt03.dll
18.08.2005 01:08 12.305 SIntf16.dll
17.08.2005 20:12 16.384 ~DF4F88.tmp
17.08.2005 20:12 512 ~DF4F92.tmp
17.08.2005 20:11 16.384 ~DF47BD.tmp
17.08.2005 19:40 65.536 ~DFFD1D.tmp
16.08.2005 21:56 65.536 ~DF5260.tmp
16.08.2005 14:59 0 jupdate1.5.0.xml
15.08.2005 20:11 69.632 ~BF.tmp
15.08.2005 17:01 69.632 ~AC.tmp
15.08.2005 14:19 69.632 ~A1.tmp
15.08.2005 13:20 245 temp.bat
15.08.2005 00:29 42.868 AAXC9.tmp
15.08.2005 00:18 42.868 AAXC7.tmp
14.08.2005 13:57 69.632 ~99.tmp
13.08.2005 17:06 69.632 ~A0.tmp
13.08.2005 17:00 69.632 ~98.tmp
13.08.2005 15:35 69.632 ~8D.tmp
13.08.2005 00:31 69.632 ~A7.tmp
12.08.2005 23:49 69.632 ~9F.tmp
12.08.2005 16:42 69.632 ~89.tmp
10.08.2005 22:34 69.632 ~17F.tmp
10.08.2005 21:14 69.632 ~DB.tmp
10.08.2005 15:02 69.632 ~88.tmp
09.08.2005 23:03 61.440 ~BC.tmp
09.08.2005 18:18 61.440 ~87.tmp
08.08.2005 21:49 61.440 ~86.tmp
08.08.2005 04:35 65.536 ~DF4BC2.tmp
08.08.2005 02:12 61.440 ~97.tmp
07.08.2005 23:55 61.440 ~85.tmp
07.08.2005 16:21 65.536 ~DFD903.tmp

Directory of C:\WINDOWS
27.08.2005 20:15 177 winamp.ini
27.08.2005 18:16 99.970 UninstallFirefox.exe
27.08.2005 18:16 2.867 mozver.dat
27.08.2005 17:29 0 0.log
27.08.2005 17:29 159 wiadebug.log
27.08.2005 17:29 2.048 bootstat.dat
27.08.2005 17:28 566.731 WindowsUpdate.log
27.08.2005 17:01 368.588 ntbtlog.txt
27.08.2005 17:00 50 wiaservc.log
27.08.2005 17:00 32.516 SchedLgU.Txt
27.08.2005 15:11 6.400 balloon.wav
26.08.2005 18:19 116 NeroDigital.ini
26.08.2005 18:17 1.409 QTFont.for
26.08.2005 18:17 54.156 QTFont.qfn
25.08.2005 20:53 4.395 rdt.ini
25.08.2005 18:31 724.198 setupapi.log
25.08.2005 17:36 17.665 ntdtcsetup.log
25.08.2005 17:36 30.255 comsetup.log
25.08.2005 17:36 121.443 iis6.log
25.08.2005 17:36 7.488 KB898461.log
25.08.2005 17:36 32.484 tsoc.log
25.08.2005 17:36 3.660 ocmsn.log
25.08.2005 17:36 1.374 imsins.log
25.08.2005 17:36 3.648 tabletoc.log
25.08.2005 17:36 3.292 msgsocm.log
25.08.2005 17:36 28.982 msmqinst.log
25.08.2005 17:36 53.483 FaxSetup.log
25.08.2005 17:36 44.423 ocgen.log
25.08.2005 17:36 5.411 medctroc.Log
25.08.2005 17:36 10.366 netfxocm.log
25.08.2005 17:36 1.374 imsins.BAK
25.08.2005 17:36 7.764 KB893803v2.log
21.08.2005 22:24 163.246 wmsetup.log
20.08.2005 00:16 191.389 setupact.log
17.08.2005 15:21 1.912 Directx.log
15.08.2005 13:18 710 SIERRA.INI

Directory of C:\
27.08.2005 20:44 0 sys.txt
27.08.2005 20:43 8.298 system.txt
27.08.2005 20:42 13.205 systemtemp.txt
27.08.2005 20:41 108.064 system32.txt
27.08.2005 17:27 891 log.txt
27.08.2005 17:26 367 win.txt
27.08.2005 17:26 0 windows.txt
27.08.2005 17:22 79 start.txt
27.08.2005 16:58 234 file.txt
25.08.2005 08:50 9.137 ~WRF0409.tmp
27.08.2005, 20:48
Honorary member
Posts: 29434
#6
Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fixme.reg on the desktop using 'Save as'. Under file type select 'All files'. You should now find this file on the desktop.
Restart the computer in Safe Mode (press F8 while booting). Double-click the file "fixme.reg" on the desktop.

REGEDIT4

; reset the Winlogon "System" value (Silent Runners showed cswge.exe here)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]

; WareOut leftovers
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WareOut]
[-HKEY_CURRENT_USER\Software\WareOut]

; lift the IE toolbar policy flagged as HIJACK WARNING
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"Disabled"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar]
[-HKEY_CURRENT_USER\Software\SearchToolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

; remove the hclean32.exe autostart
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hclean32.exe"=-

; run HijackThis once at the next logon (the path must exist)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
"Flags"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\000]
"runonce1"="\"C:\\HJT\\hijackthis.exe\""

------------------------------------------------------------------------------------

Uninstall: WareOut
Delete: C:\Programme\WareOut

I don't know some of the paths... that is why some FILES are listed twice.....

• KillBox http://bilder.informationsarchiv.net/Nikitas_Tools/KillBox.zip
Instructions (with pictures): http://virus-protect.org/killbox.html
• Delete File on Reboot <-- tick this and click the red cross; when asked "Do you want to reboot?" ----> click "no" and paste in the next one; only for the last one click "yes".

C:\WINDOWS\system32\msexnpbi.exe
C:\WINDOWS\system32\prwwr.dll
C:\WINDOWS\system32\AliceSD.exe
C:\WINDOWS\system32\hclean32.exe
C:\WINDOWS\system32\dmbir.exe
C:\WINDOWS\system32\Brong32.exe
C:\WINDOWS\system32\cswge.exe
C:\WINDOWS\system32\systemdll.exe
C:\WINDOWS\system32\runload32.exe
C:\WINDOWS\dmbir.exe
C:\WINDOWS\AliceSD.exe
C:\WINDOWS\Brong32.exe
C:\WINDOWS\RDT.INI
C:\WINDOWS\BALLOON.WAV

Restart.

CCleaner --> delete all *temp files http://virus-protect.org/temp.html

Online scans (report back) --> Panda and others.... http://virus-protect.org/onlinescan.html

__________
Regards, Sabina
all about PC security
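A .reg file double-clicked in Safe Mode runs with no confirmation beyond a yes/no prompt, so it pays to list what it will do before importing it. The script below is an added example, not code from the original post or from any tool named in the thread: it parses the REGEDIT4 syntax used above ([key] selects or creates a key, [-key] deletes a key and its subkeys, "name"=- deletes a value, "name"="..." and "name"=dword:... set values) and prints every operation, then warns about the two kinds that deserve a second look before rebooting: whole-key deletions and anything scheduled through RunOnceEx, whose command path (here C:\HJT\hijackthis.exe) has to exist on the machine for the step to work. SAMPLE_REG is a shortened copy of the fix posted above, used here as constructed input.

```python
"""Pre-flight review of a REGEDIT4 .reg fix before double-clicking it.

Added example for this thread; not part of the original post or of any tool
named in it. It parses the .reg syntax Regedit accepts and lists every
operation, marking the ones worth double-checking: whole-key deletions and
programs scheduled through RunOnceEx. SAMPLE_REG is a shortened copy of the
fix posted in the thread (constructed input for the example).
"""
import re
from dataclasses import dataclass

SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

[-HKEY_LOCAL_MACHINE\SOFTWARE\WareOut]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hclean32.exe"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
"Flags"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\000]
"runonce1"="\"C:\\HJT\\hijackthis.exe\""
'''

# "name"=rhs or @=rhs; the name may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


@dataclass(frozen=True)
class RegOp:
    action: str  # delete_key | delete_value | set_string | set_dword
    key: str
    name: str = ""
    data: str = ""


def _unescape(s):
    """Undo .reg string escaping: a backslash escapes the next character (\\ and \")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Turn a REGEDIT4 file into the list of operations Regedit would perform, in order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing REGEDIT4 / Windows Registry Editor header")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inner = line[1:-1]
            if inner.startswith("-"):
                ops.append(RegOp("delete_key", inner[1:]))
                key = None  # values after a deletion line have no target key
            else:
                key = inner
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unparsed line: " + line)
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        rhs = m.group(3).strip()
        if rhs == "-":
            ops.append(RegOp("delete_value", key, name))
        elif rhs.startswith("dword:"):
            ops.append(RegOp("set_dword", key, name, str(int(rhs[6:], 16))))
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            ops.append(RegOp("set_string", key, name, _unescape(rhs[1:-1])))
        else:
            raise ValueError("unsupported value type: " + line)
    return ops


def review(ops):
    """Warnings for operations that persist across the reboot in a way worth confirming first."""
    warnings = []
    for op in ops:
        k = op.key.lower()
        if op.action == "delete_key":
            warnings.append(f"deletes the whole key {op.key} (and every subkey)")
        elif op.action == "set_string" and "runonceex" in k and op.data:
            warnings.append(f"schedules a program to run at next logon: {op.data}")
        elif op.action == "set_string" and k.endswith("\\winlogon"):
            warnings.append(f"sets Winlogon value {op.name!r} to {op.data!r}")
    return warnings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for op in parsed:
        print(op.action, op.key, op.name, op.data)
    for w in review(parsed):
        print("CHECK:", w)
```

The parser deliberately refuses files without the REGEDIT4 header and lines it does not understand (hex: blobs, multi-line continuations) rather than guessing, since a fix file that Regedit would interpret differently from the reviewer is exactly what the pre-flight is meant to catch.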
28.08.2005, 17:44
...new here
Thread starter, Posts: 8
#7
So, I did everything as described above and afterwards no longer got any virus alerts from Norton. However, I could neither uninstall WareOut nor delete the folder; it does not exist on my machine. Then I scanned with Panda and was somewhat shocked.

The result:

Incident | Status | Location
Spyware:spyware/wareout | No disinfected | C:\WINDOWS\system32\loadctr32.exe
Adware:Adware/Findspy | No disinfected | C:\WINDOWS\system32\rdsndin.exe
Adware:Adware/QuickWeb | No disinfected | C:\WINDOWS\system32\ntfsnlpa.exe
Virus:Trj/DelCache.A | Disinfected | C:\WINDOWS\system32\cspns.exe
Adware:adware/twain-tech | No disinfected | C:\WINDOWS\smdat32m.sys
Adware:adware/gator | No disinfected | C:\WINDOWS\GatorPdpSetup.log
Adware:adware/cws | No disinfected | C:\Dokumente und Einstellungen\All Users\Favoriten\AdultGambling.url
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP284\A0106813.exe
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP284\A0106818.EXE
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP284\A0106820.EXE
Adware:Adware/Findspy | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP284\A0106838.exe
Adware:Adware/QuickWeb | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP284\A0106839.exe
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP284\A0106848.exe
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP284\A0106852.EXE
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP284\A0106853.EXE
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP284\A0106860.exe
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP284\A0106864.EXE
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP284\A0106865.EXE
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP287\A0107102.exe
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP287\A0107106.EXE
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP287\A0107107.EXE
Adware:Adware/Findspy | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP287\A0107108.exe
Adware:Adware/QuickWeb | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP287\A0107109.exe
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP287\A0107112.EXE
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP287\A0107113.exe
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP287\A0107117.EXE
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108292.EXE
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0107212.exe
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0107216.EXE
Adware:Adware/Findspy | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0107217.exe
Adware:Adware/QuickWeb | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0107218.exe
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0107227.exe
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0107232.exe
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0107236.EXE
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0107237.EXE
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0107257.exe
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108257.exe
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108261.exe
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108262.exe
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108265.exe
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108269.EXE
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108270.EXE
Adware:Adware/Findspy | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108271.exe
Adware:Adware/QuickWeb | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108272.exe
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108303.exe
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108276.exe
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108286.EXE
Adware:Adware/SBSoft | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108290.dll
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP288\A0108291.EXE
Adware:Adware/MyWay | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP276\A0102147.EXE
Adware:Adware/MyWay | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP276\A0102417.DLL
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0105711.exe
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0105715.exe
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0105716.exe
Spyware:Spyware/WareOut | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0105717.exe
Spyware:Spyware/WareOut | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0105718.exe
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0106711.exe
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0106715.exe
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0106716.exe
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0106719.exe
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0106723.EXE
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0106724.EXE
Virus:Trj/DelCache.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0106731.exe
Virus:Trj/Qhost.BP | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0106735.EXE
Virus:Trj/Troiram.A | Disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0106736.EXE
Adware:Adware/InstaFinder | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0106784.exe
Adware:Adware/InstaFinder | No disinfected | C:\System Volume Information\_restore{6CED5A1E-9E01-4382-901B-D1E972DD3A53}\RP283\A0106785.dll

With all the other scans these files were then no longer found, nor any other viruses or trojans. However, the HJT log still contains things that should have been deleted :-(

Logfile of HijackThis v1.99.1
Scan saved at 17:56:02, on 28.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\0190-Warner\0190 Warner\w0svc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ZyXEL Technology Corporation\ZyAIR G-220 Utility\ZDWlan.exe
D:\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
D:\Firefox\firefox.exe
C:\Programme\Messenger\msmsgs.exe
E:\Downloads\Programme\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
R3 - URLSearchHook: (no name) - {87A2E757-69EF-9DB0-6A70-69AD57B175FE} - ftbar.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\AcrobatReader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ICQ Lite] D:\ICQ\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AccG160] C:\PROGRA~1\WLANQU~1\AccG160.exe
O4 - HKLM\..\Run: [WLAN Quick-Starter] "C:\Programme\WLAN Quick-Starter\WLAN Quick-Starter.exe" -update
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [dmbir.exe] C:\WINDOWS\system32\dmbir.exe
O4 - HKLM\..\Run: [browsebar] Brong32.exe
O4 - HKLM\..\Run: [WhatsNewBot] runload32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Programme\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [keybdll] systemdll.exe
O4 - HKCU\..\Run: [br0ken] AliceSD.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZDWlan.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124983908531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D663A03-2E2C-47EF-9AC3-7A8921ADD958}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{69D8824E-325D-4C18-A78E-092091631379}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{B36D21D6-5AAB-41A0-BE26-4685C4BCF11D}: NameServer = 69.50.176.158,85.255.112.8
O23 - Service: 0190/0900 Warner Überwachungsdienst (0190_0900_Warner_MonitorService) - Mirko Böer - D:\0190-Warner\0190 Warner\w0svc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - Unknown owner - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

This post was edited by Curse27 on 28.08.2005 at 17:56.
28.08.2005, 18:47
Honorary member
Posts: 29434
#8
Hello @Curse27
Fix with HijackThis:
R3 - URLSearchHook: (no name) - {87A2E757-69EF-9DB0-6A70-69AD57B175FE} - ftbar.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [dmbir.exe] C:\WINDOWS\system32\dmbir.exe
O4 - HKLM\..\Run: [browsebar] Brong32.exe
O4 - HKLM\..\Run: [WhatsNewBot] runload32.exe
O4 - HKCU\..\Run: [WareOut] "C:\Programme\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [keybdll] systemdll.exe
O4 - HKCU\..\Run: [br0ken] AliceSD.exe
Restart the PC.
Search for / delete: ...if the dll still exists.... simply copy ftbar.dll into the killbox as well and restart after the last one
C:\WINDOWS\system32\dmbir.exe
C:\WINDOWS\system32\loadctr32.exe
C:\WINDOWS\system32\rdsndin.exe
C:\WINDOWS\system32\ntfsnlpa.exe
C:\WINDOWS\system32\cspns.exe
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\GatorPdpSetup.log
Restart the PC.
FindT
http://bilder.informationsarchiv.net/Nikitas_Tools/FindT.zip
unpack into C:\ -- open the "FindT" folder -- click (runthis.bat) -- post the txt (text file) in the thread
W.O.R.C. -- please work through it
http://virus-protect.org/Artikel/Tools/worc.html
datfind.bat -- please work through it
http://virus-protect.org/datfindbat.html
__________
Regards, Sabina
all about PC security
28.08.2005, 19:21
...new here
Thread starter, Posts: 8
#9
FindT says the following:
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\STRINGS.EXE
W.O.R.C. apparently finds nothing.
Datfind.bat:
Verzeichnis von C:\WINDOWS\system32
28.08.2005 16:41 3.799 jupdate-1.5.0_04-b05.log
28.08.2005 16:18 0 asfiles.txt
28.08.2005 16:16 1.718 Open.ico
28.08.2005 16:16 2.550 Uninstall.ico
28.08.2005 16:16 1.406 Help.ico
28.08.2005 16:16 1.406 AddQuit.ico
28.08.2005 16:16 5.350 IE.ico
28.08.2005 16:16 9.470 Desktop.ico
28.08.2005 16:16 1.718 Quick.ico
27.08.2005 15:10 2.206 wpa.dbl
21.08.2005 00:38 204.120 FNTCACHE.DAT
Verzeichnis von C:\DOKUME~1\Home\LOKALE~1\Temp
28.08.2005 19:02 1.537 jusched.log
28.08.2005 19:01 16.384 ~DF3E73.tmp
28.08.2005 19:01 442 kb.log
28.08.2005 16:42 824 java_install_reg.log
28.08.2005 16:40 23.536 java_install.log
28.08.2005 16:35 879 jinstall.cfg
28.08.2005 16:35 84.005 tmp.xpi
Verzeichnis von C:\WINDOWS
28.08.2005 19:02 0 0.log
28.08.2005 19:02 159 wiadebug.log
28.08.2005 19:02 2.048 bootstat.dat
28.08.2005 19:01 32.516 SchedLgU.Txt
28.08.2005 19:01 719.988 WindowsUpdate.log
28.08.2005 19:01 50 wiaservc.log
28.08.2005 16:59 762.664 setupapi.log
28.08.2005 16:41 2.988 mozver.dat
28.08.2005 16:18 717 win.ini
28.08.2005 15:50 485.416 ntbtlog.txt
27.08.2005 20:15 177 winamp.ini
27.08.2005 18:16 99.970 UninstallFirefox.exe
26.08.2005 18:19 116 NeroDigital.ini
26.08.2005 18:17 54.156 QTFont.qfn
26.08.2005 18:17 1.409 QTFont.for
25.08.2005 17:36 121.443 iis6.log
25.08.2005 17:36 32.484 tsoc.log
25.08.2005 17:36 17.665 ntdtcsetup.log
25.08.2005 17:36 30.255 comsetup.log
25.08.2005 17:36 7.488 KB898461.log
25.08.2005 17:36 1.374 imsins.log
25.08.2005 17:36 3.660 ocmsn.log
25.08.2005 17:36 3.648 tabletoc.log
25.08.2005 17:36 53.483 FaxSetup.log
25.08.2005 17:36 44.423 ocgen.log
25.08.2005 17:36 5.411 medctroc.Log
25.08.2005 17:36 10.366 netfxocm.log
25.08.2005 17:36 3.292 msgsocm.log
25.08.2005 17:36 28.982 msmqinst.log
25.08.2005 17:36 1.374 imsins.BAK
25.08.2005 17:36 7.764 KB893803v2.log
21.08.2005 22:24 163.246 wmsetup.log
20.08.2005 00:16 191.389 setupact.log
17.08.2005 15:21 1.912 Directx.log
15.08.2005 13:18 710 SIERRA.INI
Verzeichnis von C:\
28.08.2005 19:20 0 sys.txt
28.08.2005 19:19 8.099 system.txt
28.08.2005 19:19 584 systemtemp.txt
28.08.2005 19:18 108.845 system32.txt
28.08.2005 19:06 250 file.txt
27.08.2005 17:27 891 log.txt
27.08.2005 17:26 0 windows.txt
27.08.2005 17:26 367 win.txt
27.08.2005 17:22 79 start.txt
This post was edited on 28.08.2005 at 19:26 by Curse27.
28.08.2005, 19:23
Honorary member
Posts: 29434
#10
OK, please post the new HijackThis log (but fix and restart first) --> see above
__________
Regards, Sabina
all about PC security
28.08.2005, 19:26
...new here
Thread starter, Posts: 8
#11
Logfile of HijackThis v1.99.1
Scan saved at 19:23:46, on 28.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\0190-Warner\0190 Warner\w0svc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ZyXEL Technology Corporation\ZyAIR G-220 Utility\ZDWlan.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
D:\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Norton AntiVirus\OPScan.exe
D:\Firefox\firefox.exe
E:\Downloads\Programme\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
R3 - URLSearchHook: (no name) - {87A2E757-69EF-9DB0-6A70-69AD57B175FE} - ftbar.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\AcrobatReader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ICQ Lite] D:\ICQ\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AccG160] C:\PROGRA~1\WLANQU~1\AccG160.exe
O4 - HKLM\..\Run: [WLAN Quick-Starter] "C:\Programme\WLAN Quick-Starter\WLAN Quick-Starter.exe" -update
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQ\ICQLite.exe -trayboot
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZDWlan.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124983908531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D663A03-2E2C-47EF-9AC3-7A8921ADD958}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{69D8824E-325D-4C18-A78E-092091631379}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{B36D21D6-5AAB-41A0-BE26-4685C4BCF11D}: NameServer = 69.50.176.158,85.255.112.8
O23 - Service: 0190/0900 Warner Überwachungsdienst (0190_0900_Warner_MonitorService) - Mirko Böer - D:\0190-Warner\0190 Warner\w0svc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - Unknown owner - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
28.08.2005, 19:27
Honorary member
Posts: 29434
#12
Fix with HijackThis:
R3 - URLSearchHook: (no name) - {87A2E757-69EF-9DB0-6A70-69AD57B175FE} - ftbar.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D663A03-2E2C-47EF-9AC3-7A8921ADD958}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{69D8824E-325D-4C18-A78E-092091631379}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{B36D21D6-5AAB-41A0-BE26-4685C4BCF11D}: NameServer = 69.50.176.158,85.255.112.8
Restart.
• Hoster tool: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'. Exit the program.
Then post the new log.
__________
Regards, Sabina
all about PC security
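The line classes the helper asked to be fixed across this thread (hooks whose file is missing, the hosts entry, the O17 NameServer values, and Run entries that name a bare executable) can be picked out of a HijackThis log mechanically. The following triage script is an added example and not part of the original thread; the resolver allowlist (192.168.1.1) and the sample lines are constructed for it, the lines being modelled on the logs posted above.

```python
"""Triage of HijackThis v1.99 log lines (added example, not from the thread).

Flags the entry classes the helper asked to be fixed:
  * any entry whose target is reported "(file missing)" (orphaned hook/service),
  * O1 hosts-file entries, with a malformed-entry check,
  * O17 NameServer values that are not in an allowlist of expected resolvers,
  * O4 Run entries naming an executable without a full path (review only).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Assumption for this example: the resolvers this machine is expected to use
# (e.g. the home router). Anything else in an O17 line gets flagged.
EXPECTED_DNS: Set[str] = {"192.168.1.1"}

O4_RUN_RE = re.compile(
    r'^O4 - (HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[0-9.,]+)\s*$')
O1_RE = re.compile(r'^O1 - Hosts: (?P<entry>.*)$')


@dataclass(frozen=True)
class Finding:
    severity: str  # "fix" or "review"
    line: str
    reason: str


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _is_bare_name(cmd: str) -> bool:
    """True when the autostart command names an executable with no path.

    A Run value whose file was deleted but whose registry entry survived
    looks like this (e.g. "AliceSD.exe"); legitimate vendors do it too,
    so callers treat it as a review flag, not a verdict.
    """
    parts = cmd.strip().strip('"').split()
    if not parts:
        return False
    return "\\" not in parts[0] and ":" not in parts[0]


def triage(lines: Iterable[str], expected_dns: Set[str] = EXPECTED_DNS) -> List[Finding]:
    """Return findings for the suspicious HijackThis lines, in input order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if "(file missing)" in line:
            findings.append(Finding("fix", line, "target file is missing (orphaned entry)"))
            continue
        m = O17_RE.match(line)
        if m:
            bad = [s for s in m.group("servers").split(",") if s and s not in expected_dns]
            if bad:
                findings.append(Finding("fix", line, "NameServer not in allowlist: " + ", ".join(bad)))
            continue
        m = O1_RE.match(line)
        if m:
            tokens = m.group("entry").split()
            if not tokens or not _is_ip(tokens[0]):
                findings.append(Finding("fix", line, "hosts entry is malformed (does not start with an IP)"))
            else:
                findings.append(Finding("review", line, "hosts-file redirect present"))
            continue
        m = O4_RUN_RE.match(line)
        if m and _is_bare_name(m.group("cmd")):
            findings.append(Finding("review", line, "autostart names a file without a full path"))
    return findings


# Constructed sample, modelled on the log lines posted in this thread.
SAMPLE_LOG = [
    r"R3 - URLSearchHook: (no name) - {87A2E757-69EF-9DB0-6A70-69AD57B175FE} - ftbar.dll (file missing)",
    r"O1 - Hosts: localhost 127.0.0.1",
    r"O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe",
    r"O4 - HKLM\..\Run: [browsebar] Brong32.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"',
    r"O4 - HKCU\..\Run: [br0ken] AliceSD.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3D663A03-2E2C-47EF-9AC3-7A8921ADD958}: NameServer = 69.50.176.158,85.255.112.8",
    r"O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe",
    r"O4 - Global Startup: ZDWlan.lnk = ?",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Entries marked "review" (such as Logitech's pathless Run value in the logs above) still need a human look; only "fix" findings correspond to what the helper actually had removed here.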
28.08.2005, 19:33
...new here
Thread starter, Posts: 8
#13
The zip file at that address is corrupt.
I found the program somewhere else, though: http://www.funkytoad.com/download/hoster.zip
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 19:39:11, on 28.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\0190-Warner\0190 Warner\w0svc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\ZyXEL Technology Corporation\ZyAIR G-220 Utility\ZDWlan.exe
D:\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
D:\Firefox\firefox.exe
C:\Programme\Messenger\msmsgs.exe
E:\Downloads\Programme\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\AcrobatReader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ICQ Lite] D:\ICQ\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AccG160] C:\PROGRA~1\WLANQU~1\AccG160.exe
O4 - HKLM\..\Run: [WLAN Quick-Starter] "C:\Programme\WLAN Quick-Starter\WLAN Quick-Starter.exe" -update
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZDWlan.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124983908531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: 0190/0900 Warner Überwachungsdienst (0190_0900_Warner_MonitorService) - Mirko Böer - D:\0190-Warner\0190 Warner\w0svc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - Unknown owner - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
This post was edited on 28.08.2005 at 19:42 by Curse27.
28.08.2005, 19:44
Honorary member
Posts: 29434
#14
Hello @Curse27
Everything is in order again (disable System Restore, then set the check mark again, i.e. re-enable it).
Otherwise: all the best for you + PC
__________
Regards, Sabina
all about PC security
28.08.2005, 19:49
...new here
Thread starter, Posts: 8
#15
Glad to hear that.
Many, many thanks, Sabina, for the quick and competent help. I hope I won't need it again anytime soon :-)
Many thanks!
Curse27
The current HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 15:43:28, on 27.08.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\0190-Warner\0190 Warner\w0svc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\ZyXEL Technology Corporation\ZyAIR G-220 Utility\ZDWlan.exe
D:\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\alg.exe
C:\Programme\Messenger\msmsgs.exe
E:\Downloads\Programme\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
R3 - URLSearchHook: (no name) - {87A2E757-69EF-9DB0-6A70-69AD57B175FE} - ftbar.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\AcrobatReader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ICQ Lite] D:\ICQ\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AccG160] C:\PROGRA~1\WLANQU~1\AccG160.exe
O4 - HKLM\..\Run: [WLAN Quick-Starter] "C:\Programme\WLAN Quick-Starter\WLAN Quick-Starter.exe" -update
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [browsebar] Brong32.exe
O4 - HKLM\..\Run: [WhatsNewBot] runload32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WareOut] "C:\Programme\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [keybdll] systemdll.exe
O4 - HKCU\..\Run: [br0ken] AliceSD.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZDWlan.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = D:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124983908531
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D663A03-2E2C-47EF-9AC3-7A8921ADD958}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{69D8824E-325D-4C18-A78E-092091631379}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{B36D21D6-5AAB-41A0-BE26-4685C4BCF11D}: NameServer = 69.50.176.158,85.255.112.8
O23 - Service: 0190/0900 Warner Überwachungsdienst (0190_0900_Warner_MonitorService) - Mirko Böer - D:\0190-Warner\0190 Warner\w0svc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - Unknown owner - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
Thanks in advance for the help!