lpdriver.sys --> lpdriver.sys, Added by the W32/Tilebot-H

#1

Zitat

hi
darf ich mich bitte anschließen? ich hoffe bei mir ist ansonsten alles in ordnung...?

Logfile of HijackThis v1.99.1
Scan saved at 00:26:24, on 10.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\mgabg.exe
C:\Programme\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Programme\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\System32\PDesk.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Vpyj\Gexeu.exe
C:\Programme\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Programme\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\unikos\LOKALE~1\Temp\Rar$EX00.719\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.seektheglobe.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://listings.ebay.de/_W0QQsocmdZListingItemList?sofocus=pf&sbrftog=1&fcl=3&socmd=ListingItemList&catref=
C3&from=R2&sbrbin=t&satitle=&sacat=9804%26catref%3DC6&fsop=3%26fsoo%3D1&coaction
=compare&copagenum=1&coentrypage=search&fgtp=&a39=-24&a6=-24&a85=-24&a38=-24&a10238=23428&gcs=14
&pfid=15&reqtype=2&pfmode=1&alist=a39%2Ca6%2Ca85%2Ca38%2Ca10238%2Ca3801&pf_query=&pf=
Artikel+anzeigen&sargn=-1%26saslc%3D3&sadis=200&fpos=Postleitzahl&sascs=2&ga10244=10425&ftrt=1&ftrv=1&saprclo=&saprchi=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\Cursors\binnet.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Eiwcltut] C:\Program Files\Vpyj\Gexeu.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SCANINICIO] "C:\Programme\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka66.exe
O4 - HKCU\..\Run: [key] C:\WINDOWS\System32\sys_xp.exe
O8 - Extra context menu item: &Google-Suche - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124879702796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124880022015
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB
O20 - Winlogon Notify: binnet - C:\WINDOWS\Cursors\binnet.dll
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Programme\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programme\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

vielen lieben dank
grüsse aus berlin

__________
MfG Sabina

rund um die PC-Sicherheit

#2

Zitat

die einträge O16 geben mir aber zu denken? ich habe doch eine anti virus software installiert?!

ich nutze dsl flat und bin beruflich ca. 12- 20 stunden täglich online. ich bekommen mehrmals im monat von meiner panda software meldungen über virus identifikation + zerstörung! win fixer geht aber nicht weg u. wurde auch nicht gemeldet. anscheinend ist die software nicht in der lage o. mein fachwisssen lässt andere sicherheitseinstellungen nicht zu?

bitte helft mir.
mfg

hallo sabine
formatieren? ich habe viele daten u.informationen auf diesem pc gespeichert! kann ich diese problemlos auf eine mobile festplatte überspielen o. sind die daten auch verseucht? bitte nicht... die daten betreffen den börsenhandel und sind sehr wichtig für mich.
grüsse

__________
MfG Sabina

rund um die PC-Sicherheit

#3

Zitat

unikos

nun, der PC ist voellig verseucht, aber ich kann dir helfen: mache folgendes:
der Winfixer und die Dialer kommt zuletzt (erst mal muessen die Viren runter)

öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.seektheglobe.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

wenn du die Startseite behalten willst...fixe sie nicht...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://listings.ebay.de/_W0QQsocmdZListingItemList?sofocus=pf&sbrftog=1&fcl=3&socmd=ListingItemList&catref=
C3&from=R2&sbrbin=t&satitle=&sacat=9804%26catref%3DC6&fsop=3%26fsoo%3D1&coaction
=compare&copagenum=1&coentrypage=search&fgtp=&a39=-24&a6=-24&a85=-24&a38=-24&a10238=23428&gcs=14
&pfid=15&reqtype=2&pfmode=1&alist=a39%2Ca6%2Ca85%2Ca38%2Ca10238%2Ca3801&pf_query=&pf=
Artikel+anzeigen&sargn=-1%26saslc%3D3&sadis=200&fpos=Postleitzahl&sascs=2&ga10244=10425&ftrt=1&ftrv=1&saprclo=&saprchi=


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Eiwcltut] C:\Program Files\Vpyj\Gexeu.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka66.exe
O4 - HKCU\..\Run: [key] C:\WINDOWS\System32\sys_xp.exe
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} (VacPro.int_ver30) - http://advnt01.com/dialer/int_ver30.CAB

PC neustarten

CCleaner
http://virus-protect.org/temp.html
lösche alle temp-Dateien

kopiere hier die 4 logs
http://virus-protect.org/datfindbat.html

__________
MfG Sabina

rund um die PC-Sicherheit

#4

Zitat

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7CC4-55D8

Verzeichnis von C:\WINDOWS\system32

10.11.2005 01:10 0 pavjob.log
08.11.2005 11:45 13.646 wpa.dbl
30.10.2005 08:46 380.350 perfh009.dat
30.10.2005 08:46 52.764 perfc009.dat
30.10.2005 08:46 63.580 perfc007.dat
30.10.2005 08:46 391.000 perfh007.dat
30.10.2005 08:46 897.954 PerfStringBackup.INI
12.10.2005 22:18 1.852 d3d9caps.dat
01.10.2005 23:51 1.740 d3d8caps.dat
24.08.2005 17:26 149.200 FNTCACHE.DAT
24.08.2005 15:39 7.168 lpdriver.sys --> lpdriver.sys, Added by the W32/Tilebot-H or W32/Sdbot-ADG
24.08.2005 15:25 99.480 FWSVPN.DLL -->???
24.08.2005 15:05 1.795 MRT.INI
19.08.2005 12:04 0 TFTP3332
19.08.2005 12:04 0 TFTP3352
19.08.2005 12:03 0 TFTP3512
19.08.2005 12:03 0 TFTP3376
19.08.2005 12:03 0 TFTP3480
19.08.2005 12:02 0 TFTP2340
19.08.2005 12:00 0 TFTP3356
19.08.2005 12:00 0 TFTP652
19.08.2005 11:59 0 TFTP572
19.08.2005 11:59 0 TFTP3008
04.08.2005 17:54 1.457.496 MRT.exe
03.08.2005 09:33 520.456 LegitCheckControl.DLL
28.07.2005 11:36 4.608 install.exe
12.07.2005 17:04 23.304 GWFSPidGen.dll
08.07.2005 17:10 238.592 tapisrv(3).dll
08.07.2005 17:10 238.592 tapisrv.dll
08.07.2005 17:10 72.704 remotesp.tsp
06.07.2005 16:17 89.088 atl71.dll
05.07.2005 22:28 602.112 NCTAudioTransform2.dll
05.07.2005 22:28 237.568 lame_enc.dll
05.07.2005 22:28 458.752 NCTAudioPlayer2.dll
05.07.2005 22:28 454.656 NCTAudioRecord2.dll
05.07.2005 22:28 876.544 NCTAudioEditor2.dll
05.07.2005 22:28 307.200 msvcr70.dll
05.07.2005 22:28 1.212.416 NCTAudioInformation2.dll
05.07.2005 22:28 1.986.560 NCTAudioFile2.dll
30.06.2005 03:15 108.544 umpnpmgr.dll
30.06.2005 03:15 108.544 umpnpmgr(3).dll
29.06.2005 02:55 68.608 mscms(2).dll
29.06.2005 02:55 237.056 icm32.dll
29.06.2005 02:55 68.608 mscms.dll
15.06.2005 18:51 285.184 kerberos.dll
15.06.2005 18:51 285.184 kerberos(3).dll
11.06.2005 03:42 102.400 win32spl.dll
11.06.2005 00:55 53.248 spoolsv.exe
11.06.2005 00:55 53.248 spoolsv(2).exe
09.06.2005 21:32 692.736 DivX.dll
06.06.2005 22:13 356.436 DivXMedia.ax
29.05.2005 00:35 692.224 divxdec.ax
27.05.2005 03:04 519.168 hhctrl.ocx
27.05.2005 03:04 128.000 itss.dll
27.05.2005 03:04 38.912 hhsetup.dll
27.05.2005 03:04 143.872 itircl.dll
26.05.2005 03:19 173.536 wuweb.dll
26.05.2005 03:19 178.408 muweb.dll
26.05.2005 03:16 18.200 wups2.dll
26.05.2005 03:16 41.240 wups.dll
26.05.2005 03:16 1.343.768 wuaueng.dll
26.05.2005 03:16 75.544 cdm.dll
26.05.2005 03:16 198.424 iuengine.dll
26.05.2005 03:16 466.200 wuapi.dll
26.05.2005 03:16 174.872 wuauclt1.exe
26.05.2005 03:16 124.696 wuauclt.exe
26.05.2005 03:16 174.872 wuaucpl.cpl
26.05.2005 03:16 128.280 wucltui.dll
26.05.2005 03:16 194.840 wuaueng1.dll
24.05.2005 22:32 4.276 divxsm.tlb
24.05.2005 22:32 524.288 DivXsm.exe
20.05.2005 19:25 3.136 dtu_de.qm
18.05.2005 22:40 200.704 dtu100.dll
17.05.2005 01:43 8.704 xpsp3res.dll
15.05.2005 19:44 32.852 PDData.bin
15.05.2005 19:44 32.768 BGData.bin
11.05.2005 03:41 74.752 telnet.exe
05.05.2005 02:12 671.744 divx_xx11.dll
05.05.2005 02:12 688.128 divx_xx0c.dll
05.05.2005 02:12 688.128 divx_xx07.dll
04.05.2005 13:45 884.736 msimsg.dll
04.05.2005 13:45 78.848 msiexec.exe
04.05.2005 13:45 15.360 msisip.dll
04.05.2005 13:45 271.360 msihnd.dll
04.05.2005 13:45 2.890.240 msi.dll
04.05.2005 11:04 2.780 qtplugin.log
28.04.2005 05:22 3.596.288 qt-dx331.dll
28.04.2005 05:22 57.344 dpv11.dll
28.04.2005 05:22 303.104 dpus11.dll
28.04.2005 05:22 581.632 dpuGUI11.dll
28.04.2005 05:22 245.760 dpu11.dll
28.04.2005 05:22 86.016 dpl100.dll
28.04.2005 05:22 245.408 unicows.dll
28.04.2005 05:22 159.744 ssleay32.dll
28.04.2005 05:22 831.488 libeay32.dll
26.04.2005 07:29 62.976 webclnt.dll
12.04.2005 10:36 37 x.bat
25.02.2005 14:35 361 QuickTime.qtp
25.02.2005 14:33 218 InstDrv.log
25.02.2005 04:34 22.752 spupdsvc.exe
24.02.2005 19:34 15.584 spmsg.dll
23.02.2005 08:02 968 sys_xp.exeopenopenopen
23.02.2005 08:02 4.049 sys_xp.exeopenopenopenopen
04.12.2004 20:15 176.167 rmoc3260.dll
04.12.2004 20:15 5.632 pndx5032.dll
04.12.2004 20:15 6.656 pndx5016.dll
04.12.2004 20:15 278.528 pncrt.dll
07.10.2004 10:47 13.646 wpa.bak
04.10.2004 01:10 98.304 tsccvid.dll ????
06.09.2004 14:25 0 h323log.txt
06.09.2004 13:34 25.065 wmpscheme.xml
06.09.2004 13:31 261 $winnt$.inf
06.09.2004 13:29 2.951 CONFIG.NT
06.09.2004 13:29 16.832 amcompat.tlb
06.09.2004 13:29 23.392 nscompat.tlb
06.09.2004 13:28 488 WindowsLogon.manifest
06.09.2004 13:28 488 logonui.exe.manifest
06.09.2004 13:28 749 sapi.cpl.manifest
06.09.2004 13:28 749 wuaucpl.cpl.manifest
06.09.2004 13:28 749 cdplayer.exe.manifest

Verzeichnis von C:\DOKUME~1\unikos\LOKALE~1\Temp

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7CC4-55D8

Verzeichnis von C:\WINDOWS

10.11.2005 01:10 0 0.log
10.11.2005 01:10 159 wiadebug.log
10.11.2005 01:10 1.016.350 WindowsUpdate.log
10.11.2005 01:10 50 wiaservc.log
10.11.2005 01:09 2.048 bootstat.dat
08.11.2005 22:24 54.156 QTFont.qfn
31.10.2005 00:17 205.116 setupact.log
23.10.2005 13:11 1.409 QTFont.for
07.10.2005 21:21 227 system.ini
07.10.2005 21:21 767 win.ini
02.10.2005 16:31 306 QTW.INI
01.10.2005 10:58 960.242 setupapi.log
27.09.2005 14:14 42.577 INSTALL.LOG
27.09.2005 14:14 42 ib.ini
26.09.2005 19:46 307.200 Setup1.exe
26.09.2005 19:46 74.752 ST6UNST.EXE
13.09.2005 10:22 14.336 pre2.exe
10.09.2005 08:32 8.264 Germany.exe
24.08.2005 19:56 447.119 iis6.log
24.08.2005 19:56 83.904 ntdtcsetup.log
24.08.2005 19:56 138.674 comsetup.log
24.08.2005 19:56 184.940 tsoc.log
24.08.2005 19:56 20.017 tabletoc.log
24.08.2005 19:56 4.716 KB893803v2Uninst.log
24.08.2005 19:56 1.374 imsins.log
24.08.2005 19:56 68.984 netfxocm.log
24.08.2005 19:56 14.166 ocmsn.log
24.08.2005 19:56 209.584 ocgen.log
24.08.2005 19:56 19.500 msgsocm.log
24.08.2005 19:56 384.261 FaxSetup.log
24.08.2005 19:56 122.892 msmqinst.log
24.08.2005 19:55 1.917 imsins.BAK
24.08.2005 17:54 18.480 KB890046Uninst.log
24.08.2005 17:54 19.395 updspapi.log

24.08.2005 11:56 25.260 uinmzertinmds.opm --> ????
24.08.2005 11:53 12.985 KB898461.log
24.08.2005 11:53 13.617 KB893803v2.log
24.08.2005 11:53 10.852 KB842773.log
20.08.2005 00:29 716.699 LogMSP.txt
20.08.2005 00:24 2 msoffice.ini
19.08.2005 17:07 88.271 inetinfomon.exe ????Beagle.AC@mm
08.08.2005 00:25 532.992 opuc.dll
03.08.2005 18:37 68 BS.INI
16.07.2005 13:19 36.864 unslive.exe ????
09.07.2005 22:17 150 cdplayer.ini
13.06.2005 02:05 1.442 COM+.log
25.05.2005 23:44 10.752 hh.exe
21.05.2005 00:22 10.240 Thumbs.db
20.05.2005 20:05 5.398 pvsw.log
19.05.2005 23:44 772 hpinfo.lnk
18.05.2005 18:25 113 wmsetup.log
15.05.2005 15:16 400 ODBC.INI
14.05.2005 14:51 181 BTI.INI
12.05.2005 19:52 69.632 uinst001.exe
04.05.2005 11:01 725 aolback.exe.lnk
04.05.2005 11:01 316.640 WMSysPr9.prx
04.05.2005 10:59 335 nsreg.dat
24.02.2005 16:51 61 comventure.ini
14.02.2005 15:25 1.008 wsftperr.log
30.01.2005 19:04 194.434 DirectX.log
21.10.2004 16:20 30 RESULT.QTW
21.10.2004 16:20 560 WININI.QTW
21.10.2004 16:20 231 SYSINI.QTW
21.10.2004 16:19 57 VGL.INI
09.10.2004 08:17 1.210 pmupdate.log
09.10.2004 08:17 1.364 MnyAdvPak.log
07.10.2004 10:44 94.722 ntbtlog.txt
16.09.2004 09:55 19.188 Windows Update.log
06.09.2004 14:22 1.920 regopt.log
06.09.2004 14:21 0 Sti_Trace.log

189 Datei(en) 17.199.651 Bytes
0 Verzeichnis(se), 1.359.220.736 Bytes frei

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7CC4-55D8

Verzeichnis von C:\

10.11.2005 01:38 0 sys.txt
10.11.2005 01:38 9.791 system.txt
10.11.2005 01:37 134 systemtemp.txt
10.11.2005 01:37 96.819 system32.txt
10.11.2005 01:09 805.306.368 pagefile.sys
06.11.2005 10:45 40.569 PANDA.RPT
07.10.2005 21:21 194 boot.ini
02.10.2005 16:38 201 DMF2_WKLog.txt
09.09.2005 23:19 123.359 et20050910.log
09.09.2005 22:59 1.641.329 et20050909.log
09.09.2005 22:38 50.946 pok20050909.log
09.09.2005 22:38 1.071 debug.dcd
09.09.2005 22:38 2.142 debug.src
09.09.2005 22:38 559 debug.param
08.09.2005 22:28 713.430 et20050908.log
08.09.2005 22:28 20.331 pok20050908.log
07.09.2005 22:59 628.439 et20050907.log
07.09.2005 22:21 27.591 pok20050907.log
06.09.2005 22:59 1.672.426 et20050906.log
06.09.2005 22:59 510.446 pok20050906.log
05.09.2005 22:42 1.076.594 et20050905.log
05.09.2005 22:42 409.482 pok20050905.log
04.09.2005 22:43 1.242.917 et20050904.log
04.09.2005 22:40 39.105 pok20050904.log
03.09.2005 22:21 52.625 pok20050903.log
03.09.2005 22:21 2.085.234 et20050903.log
02.09.2005 22:57 1.256.181 et20050902.log
02.09.2005 22:52 29.821 pok20050902.log
01.09.2005 22:21 45.888 pok20050901.log
01.09.2005 22:19 1.510.361 et20050901.log
31.08.2005 22:21 80.357 pok20050831.log
31.08.2005 22:19 1.493.374 et20050831.log
30.08.2005 22:31 170.001 pok20050830.log
30.08.2005 22:31 2.863.844 et20050830.log
29.08.2005 22:58 15.566 pok20050829.log
29.08.2005 22:58 484.448 et20050829.log
19.08.2005 17:07 62 LogMSP.txt
19.08.2005 17:07 88.271 msu.exe
25.07.2005 01:31 14.054 hpfr3420.log
01.07.2005 14:09 1.120 INSTALL.LOG
25.05.2005 19:53 1.186 outlook.reg
20.05.2005 00:02 1.055.140 HighGrow.zip
30.01.2005 21:29 28.870.018 blackupdate html.exe ???
30.01.2005 21:02 28.870.018 black update.exe ???
30.01.2005 18:59 315.624 dxwebsetup.exe ??? (Samsung CDROM Drivers )
22.12.2004 12:33 554 debugInstaller.txt
14.09.2004 00:01 1.720 Adobe Reader 6.0.lnk
06.09.2004 13:29 0 CONFIG.SYS
06.09.2004 13:29 0 MSDOS.SYS
06.09.2004 13:29 0 IO.SYS
06.09.2004 13:29 0 AUTOEXEC.BAT
02.04.2003 13:00 4.952 bootfont.bin
02.04.2003 13:00 47.580 NTDETECT.COM
02.04.2003 13:00 235.296 ntldr
24.05.2001 11:59 162.304 UNWISE.EXE
55 Datei(en) 883.369.842 Bytes
0 Verzeichnis(se), 1.359.224.832 Bytes frei

__________
MfG Sabina

rund um die PC-Sicherheit

#5

Zitat

unikos

sichere erst mal alle deine wichtigen Dateien...Dokumente, Fotos usw.....das ist kein Problem
------------------------------------------------------------------------------------------------
Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten --> kopiere das Ergebnis in das Sicherheitsforum

http://www.virustotal.com/flash/index_en.html

C:\msu.exe
C:\black update.exe
C:\WINDOWS\unslive.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\spmsg.dll
-----------------------------------------------------------------------------------

KILLBOX
http://virus-protect.org/killbox.html

Delete File on Reboot -- anhaken
reinkopieren:
...
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"

C:\WINDOWS\system32\lpdriver.sys
C:\WINDOWS\system32\TFTP3332
C:\WINDOWS\system32\TFTP3352
C:\WINDOWS\system32\TFTP3512
C:\WINDOWS\system32\TFTP3376
C:\WINDOWS\system32\TFTP3480
C:\WINDOWS\system32\TFTP2340
C:\WINDOWS\system32\TFTP3356
C:\WINDOWS\system32\TFTP652
C:\WINDOWS\system32\TFTP572
C:\WINDOWS\system32\TFTP3008
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\x.bat
C:\WINDOWS\System32\sys_xp.exe
C:\WINDOWS\system32\sys_xp.exeopenopenopen
C:\WINDOWS\system32\sys_xp.exeopenopenopenopen
C:\WINDOWS\system32\re_file.exe
C:\WINDOWS\pre2.exe
C:\WINDOWS\Germany.exe
C:\WINDOWS\inetinfomon.exe
C:\Program Files\Vpyj\Gexeu.exe
C:\Program Files\Vpyj
C:\WINDOWS\unslive.exe
C:\WINDOWS\etb\pokapoka66.exe
C:\WINDOWS\etb

C:\debug.dcd
C:\debug.src
C:\debug.param
C:\et20050910.log
C:\et20050909.log
C:\pok20050909.log
C:\et20050908.log
C:\pok20050908.log
C:\et20050907.log
C:\pok20050907.log
C:\et20050906.log
C:\pok20050906.log
C:\et20050905.log
C:\pok20050905.log
C:\et20050904.log
C:\pok20050904.log
C:\pok20050903.log
C:\et20050903.log
C:\et20050902.log
C:\pok20050902.log
C:\pok20050901.log
C:\et20050901.log
C:\pok20050831.log
C:\et20050831.log
C:\pok20050830.log
C:\et20050830.log
C:\pok20050829.log
C:\et20050829.log

PC neustarten

ueberpruefe, ob das geloescht ist:
C:\WINDOWS\etb
C:\Program Files\Vpyj

Bagle-Removaltool (scanne)
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html

ServiceFilter.zip
http://virus-protect.org/artikel/tools/ServiceFilter.zip
- entzippen
- scannen
- POST_THIS.TXT abkopieren

Registry Search Tool
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
eventuelle Meldung vom Virenscanner --- > warnmeldung:bösartiges skript entdeckt --> ignorieren

Doppelklick:regsrch.vbs
reinkopieren:

Lpdriver

Press 'OK'
warten, bis die Suche beendet ist. (Ergebnis bitte posten)

Doppelklick:regsrch.vbs
reinkopieren:

TlntSvr

Press 'OK'
warten, bis die Suche beendet ist. (Ergebnis bitte posten)

scanne mit den Scannern und poste die Scanreporte
http://virus-protect.org/multiavtool.html

Onlinescan Kaspersky (kopiere den Scanreport ab)
http://virus-protect.org/onlinescan.html

--------------------------------------------------------------------------

Um den Winfixer kuemmern wir uns spaeter...das ist jetzt nicht so wichtig

----------------

Zitat

C:\WINDOWS\system32\sys_xp.exeopenopenopen
C:\WINDOWS\system32\sys_xp.exeopenopenopenopen
C:\WINDOWS\System32\sys_xp.exe
http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=39624
Aliasnamen: [ZIP.]Bagle; [Win32.]Bagle.AC ; [I-Worm.]Bagle.ah (Kaspersky); [W32.]Beagle.AC@mm (Symantec); [Win32/]Bagle.ZIP.Worm; [W32/]Bagle.ag@MM (McAfee) ; [W32/]Bagle.AG-mm (Wildlist);

# %Windir%\ctflog.exe
# %Windir%\explore.exe
# %Windir%\inetinfomon.exe
# %Windir%\MPM.exe
# %Windir%\service.exe
# %Windir%\winlog.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExtA
http://securityresponse.symantec.com/avcenter/venc/data/trojan.spexta.html

roj/Spexta-A kann sich als E-Mail-Attachment in E-Mails verbreiten, die vorgeben, von "CNN Newsletter" mit der Betreffzeile "TERROR HITS LONDON" zu stammen. Der Trojaner ist als Attachment mit dem Dateinamen "LondonTerrorMovie.zip" darin enthalten.

<System>\lpdriver.sys
http://www.sophos.com/virusinfo/analyses/w32tileboth.html


09.09.2005 22:38 1.071 debug.dcd
09.09.2005 22:38 2.142 debug.src
09.09.2005 22:38 559 debug.param

__________
__________
MfG Sabina

rund um die PC-Sicherheit

#6

Zitat

ich kann nicht mehr über den thread antworten?! wenn ich auf den button drücke, bekomme ich nicht das eingabefeld.

zu meinem pc: ich versuche gerade die schritte durchzugehen. den file:
system/re_file.exe - konnte ich nicht finden. die datei: windows/etb lässt sich nicht löschen! ich hatte auch nicht pokapok66 sondern 63 u. 64, beide habe ich gelöscht. der ordner ist aber voll mit datein + unterordner wie: xml, images usw.

virustotal ist bis jetzt ohne erfolg am laden. passiert aber nichts.

scan hat nichts gefunden...

__________
MfG Sabina

rund um die PC-Sicherheit

#7 KILLBOX
http://virus-protect.org/killbox.html

Delete File on Reboot -- anhaken
reinkopieren:
...
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"

C:\WINDOWS\system32\lpdriver.sys
C:\WINDOWS\system32\TFTP3332
C:\WINDOWS\system32\TFTP3352
C:\WINDOWS\system32\TFTP3512
C:\WINDOWS\system32\TFTP3376
C:\WINDOWS\system32\TFTP3480
C:\WINDOWS\system32\TFTP2340
C:\WINDOWS\system32\TFTP3356
C:\WINDOWS\system32\TFTP652
C:\WINDOWS\system32\TFTP572
C:\WINDOWS\system32\TFTP3008
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\x.bat
C:\WINDOWS\System32\sys_xp.exe
C:\WINDOWS\system32\sys_xp.exeopenopenopen
C:\WINDOWS\system32\sys_xp.exeopenopenopenopen
C:\WINDOWS\system32\re_file.exe
C:\WINDOWS\pre2.exe
C:\WINDOWS\Germany.exe
C:\WINDOWS\inetinfomon.exe
C:\Program Files\Vpyj\Gexeu.exe
C:\Program Files\Vpyj
C:\WINDOWS\unslive.exe
C:\WINDOWS\etb\pokapoka66.exe
C:\WINDOWS\etb

C:\debug.dcd
C:\debug.src
C:\debug.param
C:\et20050910.log
C:\et20050909.log
C:\pok20050909.log
C:\et20050908.log
C:\pok20050908.log
C:\et20050907.log
C:\pok20050907.log
C:\et20050906.log
C:\pok20050906.log
C:\et20050905.log
C:\pok20050905.log
C:\et20050904.log
C:\pok20050904.log
C:\pok20050903.log
C:\et20050903.log
C:\et20050902.log
C:\pok20050902.log
C:\pok20050901.log
C:\et20050901.log
C:\pok20050831.log
C:\et20050831.log
C:\pok20050830.log
C:\et20050830.log
C:\pok20050829.log
C:\et20050829.log

C:\WINDOWS\etb

PC neustarten

Bagle-Removaltool (scanne)
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm.removal.tool.html

ServiceFilter.zip
http://virus-protect.org/artikel/tools/ServiceFilter.zip
- entzippen
- scannen
- POST_THIS.TXT abkopieren
__________
MfG Sabina

rund um die PC-Sicherheit

#8 hi ok

bin gerade be den letzten scans. windows.etp habe ich manuel gelöscht. ist dann auch nicht mehr aufgetaucht.

das habe ich bis jetzt:

Results of a file scan
This is a report processed by VirusTotal on 11/17/2005 at 00:32:29 (CET) after scanning the file "msu.exe" file.
Antivirus Version Update Result
AntiVir 6.32.0.6 11.16.2005 SPR/Spam.Delf.J
Avast 4.6.695.0 11.16.2005 no virus found
AVG 718 11.15.2005 no virus found
Avira 6.32.0.6 11.16.2005 SPR/Spam.Delf.J
BitDefender 7.2 11.17.2005 no virus found
CAT-QuickHeal 8.00 11.16.2005 (Suspicious) - DNAScan
ClamAV devel-20051108 11.15.2005 no virus found
DrWeb 4.33 11.16.2005 no virus found
eTrust-Iris 7.1.194.0 11.16.2005 no virus found
eTrust-Vet 11.9.1.0 11.16.2005 no virus found
Fortinet 2.48.0.0 11.16.2005 Spam_SPM-tr
F-Prot 3.16c 11.15.2005 no virus found
Ikarus 0.2.59.0 11.16.2005 no virus found
Kaspersky 4.0.2.24 11.16.2005 SpamTool.Win32.Delf.j
McAfee 4630 11.17.2005 Spam-SPM
NOD32v2 1.1289 11.16.2005 no virus found
Norman 5.70.10 11.16.2005 no virus found
Panda 8.02.00 11.16.2005 no virus found
Sophos 3.99.0 11.16.2005 no virus found
Symantec 8.0 11.15.2005 Trojan.Spexta
TheHacker 5.9.1.036 11.16.2005 no virus found
VBA32 3.10.5 11.16.2005 SpamTool.Win32.Delf.j

C:\black update.exe . hat mehr als 10 mb! go back lautet der befehl?

C:\WINDOWS\unslive.exe kann ich nicht finden! Habe uinst001.exe + unin0407.exe + unvise32qt.exe

This is a report processed by VirusTotal on 11/17/2005 at 02:11:52 (CET) after scanning the file "spupdsvc.exe" file.
Antivirus Version Update Result
AntiVir 6.32.0.6 11.16.2005 no virus found
Avast 4.6.695.0 11.16.2005 no virus found
AVG 718 11.15.2005 no virus found
Avira 6.32.0.6 11.16.2005 no virus found
BitDefender 7.2 11.17.2005 no virus found
CAT-QuickHeal 8.00 11.16.2005 no virus found
ClamAV devel-20051108 11.15.2005 no virus found
DrWeb 4.33 11.16.2005 no virus found
eTrust-Iris 7.1.194.0 11.16.2005 no virus found
eTrust-Vet 11.9.1.0 11.16.2005 no virus found
Fortinet 2.48.0.0 11.17.2005 no virus found
F-Prot 3.16c 11.15.2005 no virus found
Ikarus 0.2.59.0 11.16.2005 no virus found
Kaspersky 4.0.2.24 11.17.2005 no virus found
McAfee 4630 11.17.2005 no virus found
NOD32v2 1.1289 11.16.2005 no virus found
Norman 5.70.10 11.16.2005 no virus found
Panda 8.02.00 11.16.2005 no virus found
Sophos 3.99.0 11.16.2005 no virus found
Symantec 8.0 11.15.2005 no virus found
TheHacker 5.9.1.036 11.16.2005 no virus found
VBA32 3.10.5 11.16.2005 no virus found

This is a report processed by VirusTotal on 11/17/2005 at 02:16:51 (CET) after scanning the file "spmsg.dll" file.
Antivirus Version Update Result
AntiVir 6.32.0.6 11.16.2005 no virus found
Avast 4.6.695.0 11.16.2005 no virus found
AVG 718 11.15.2005 no virus found
Avira 6.32.0.6 11.16.2005 no virus found
BitDefender 7.2 11.17.2005 no virus found
CAT-QuickHeal 8.00 11.16.2005 no virus found
ClamAV devel-20051108 11.15.2005 no virus found
DrWeb 4.33 11.16.2005 no virus found
eTrust-Iris 7.1.194.0 11.16.2005 no virus found
eTrust-Vet 11.9.1.0 11.16.2005 no virus found
Fortinet 2.48.0.0 11.17.2005 no virus found
F-Prot 3.16c 11.15.2005 no virus found
Ikarus 0.2.59.0 11.16.2005 no virus found
Kaspersky 4.0.2.24 11.17.2005 no virus found
McAfee 4630 11.17.2005 no virus found
NOD32v2 1.1289 11.16.2005 no virus found
Norman 5.70.10 11.16.2005 no virus found
Panda 8.02.00 11.16.2005 no virus found
Sophos 3.99.0 11.16.2005 no virus found
Symantec 8.0 11.15.2005 no virus found
TheHacker 5.9.1.036 11.16.2005 no virus found
VBA32 3.10.5 11.16.2005 no virus found

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 1
Nov 17, 2005 00:43:55


---> Begin Service Listing <---

Unknown Service # 1
Service Name: MGABGEXE
Display Name: MGABGEXE
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\mgabg.exe
State: Running
Process ID: 1592
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #4
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Verwaltet Software-basierte Schattenkopien des Volumeschattenkopie-Dienstes. Software-basierte ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{9672c603-91c2-4a35-bb7c-07a190c0c689}
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 5
Service Name: virus
Display Name: change me please
Start Mode: Disabled
Start Name: LocalSystem
Description: this is it, you're ...
Service Type: Own Process
Path: "c:\windows\sysdat.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

---> End Service Listing <---

There are 82 Win32 services on this machine.
5 were unrecognized.

Script Execution Time: 0,6879883 seconds.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Lpdriver" 17.11.2005 00:45:00

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lpdriver]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lpdriver]
"DisplayName"="Lpdriver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lpdriver\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Lpdriver]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Lpdriver]
"DisplayName"="Lpdriver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Lpdriver\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lpdriver]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lpdriver]
"DisplayName"="Lpdriver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lpdriver\Security]

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "TlntSvr" 17.11.2005 00:46:00

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\TlntSvr.Exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{FE9E4896-A014-11D1-855C-00A0C944138C}]
@="TlntSvr"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{FE9E4896-A014-11D1-855C-00A0C944138C}]
"LocalService"="TlntSvr"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE9E48A2-A014-11D1-855C-00A0C944138C}\InProcServer32]
@="C:\\WINDOWS\\System32\\tlntsvrp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE9E48A4-A014-11D1-855C-00A0C944138C}\LocalServer32]
@="C:\\WINDOWS\\System32\\tlntsvr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE9E48A4-A014-11D1-855C-00A0C944138C}\ProgID]
@="TlntSvr.EnumTelnetClientsSvr.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE9E48A4-A014-11D1-855C-00A0C944138C}\VersionIndependentProgID]
@="TlntSvr.EnumTelnetClientsSvr"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TlntSvr.EnumTelnetClientsSvr]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TlntSvr.EnumTelnetClientsSvr\CLSID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TlntSvr.EnumTelnetClientsSvr.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TlntSvr.EnumTelnetClientsSvr.1\CLSID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FE9E4895-A014-11D1-855C-00A0C944138C}\1.0]
@="TlntSvr 1.0 Type Library"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FE9E4895-A014-11D1-855C-00A0C944138C}\1.0\0\win32]
@="C:\\WINDOWS\\System32\\tlntsvr.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Tlntsvr]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Tlntsvr]
"EventMessageFile"="C:\\WINDOWS\\System32\\tlntsvr.exe;C:\\WINDOWS\\System32\\xpsp1res.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Tlntsvr]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Tlntsvr]
"EventMessageFile"="C:\\WINDOWS\\System32\\tlntsvr.exe;C:\\WINDOWS\\System32\\xpsp1res.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TlntSvr]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TlntSvr\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Tlntsvr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Tlntsvr]
"EventMessageFile"="C:\\WINDOWS\\System32\\tlntsvr.exe;C:\\WINDOWS\\System32\\xpsp1res.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security]

sophos und trend micro sind jetzt schon 90 min. am scanen. ich habe 4 festplatten auf dem rechner.

muss jetzt ins bett. mache morgen weiter, lasse den pc weiter scannen
danke dir.

Sophos Anti-Virus
Version 3.99.0 [Win32/Intel]
Virus data version 3.99, November 2005
Includes detection for 113157 viruses, trojans and worms
Copyright (c) 1989-2005 Sophos Plc, www.sophos.com

System time 00:55:13, System date 17 November 2005
Command line qualifiers are: -f -di -all -remove -mime -mbr -noc -archive -opt=ISCabinet

IDE directory is: c:\AV-CLS\Sophos
Full Scanning

>>> Virus 'Troj/Istbar-Fam' found in file c:\!KillBox\install.exe
Removal successful
>>> Virus 'Troj/Elitebar-K' found in file c:\!KillBox\pokapoka63.exe
Removal successful

Could not open c:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Could not open c:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Could not open c:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Could not open c:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Password protected file c:\Dokumente und Einstellungen\unikos\Anwendungsdaten\Adobe\Acrobat\6.0\Messages\DEU\read0600win_DEUadbe0041.pdf
Password protected file c:\Dokumente und Einstellungen\unikos\Anwendungsdaten\Adobe\Acrobat\6.0\Messages\DEU\read0600win_DEUyhoo0011.pdf
>>> Virus fragment 'W95/Whog-878b' found in file c:\Dokumente und Einstellungen\unikos\Desktop\Plat7susArcorAL.exe\SfxArchiveData\data1.cab\ICAB:000bbd59
>>> Virus fragment 'W95/CIH-10xx' found in file c:\Dokumente und Einstellungen\unikos\Desktop\Plat7susArcorAL.exe\SfxArchiveData\data1.cab\ICAB:001a410e
>>> Virus fragment 'W95/CIH-10xx' found in file c:\Dokumente und Einstellungen\unikos\Desktop\Plat7susArcorAL.exe\SfxArchiveData\data2.cab\ICAB:006cd21d\sdisk2
>>> Virus fragment 'W95/CIH-10xx' found in file c:\Dokumente und Einstellungen\unikos\Desktop\Plat7susArcorAL.exe\SfxArchiveData\data2.cab\ICAB:009d3571
>>> Virus fragment 'W95/Whog-878b' found in file c:\Dokumente und Einstellungen\unikos\Desktop\Plat7susArcorAL.exe\SfxArchiveData\pavDll.dll
Removal successful
Password protected file c:\Dokumente und Einstellungen\unikos\Eigene Dateien\Eigene Bilder\logo material\las boca\laboca014.zip\laboca014.tif
Could not open c:\Dokumente und Einstellungen\unikos\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Could not open c:\Dokumente und Einstellungen\unikos\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Could not open c:\Dokumente und Einstellungen\unikos\Lokale Einstellungen\Temp\~DF16A6.tmp
Could not open c:\Dokumente und Einstellungen\unikos\Lokale Einstellungen\Temp\~DF1F7F.tmp
Could not open c:\Dokumente und Einstellungen\unikos\Lokale Einstellungen\Temp\~DF713E.tmp
Password protected file c:\Programme\Adobe\Acrobat 6.0\Reader\Messages\DEU\RdrMsgDEU.pdf
Password protected file c:\Programme\Adobe\Acrobat 6.0\Reader\Messages\ENU\RdrMsgENU.pdf
>>> Virus fragment 'W95/Whog-878b' found in file c:\Programme\InstallShield Installation Information\{E91563B4-D9EC-11D5-A2BB-00606771B69D}\data1.cab\ICAB:000bbd59
>>> Virus fragment 'W95/CIH-10xx' found in file c:\Programme\InstallShield Installation Information\{E91563B4-D9EC-11D5-A2BB-00606771B69D}\data1.cab\ICAB:001a410e
Removal successful
>>> Virus fragment 'W95/Whog-878b' found in file c:\Programme\InstallShield Installation Information\{E91563B4-D9EC-11D5-A2BB-00606771B69D}\Pavdll.dll
Removal successful

>>> Virus fragment 'W95/CIH-10xx' found in file c:\Programme\Panda Software\Panda Antivirus Platinum\Pavcl.com
Removal successful
>>> Virus fragment 'W95/Whog-878b' found in file c:\Programme\Panda Software\Panda Antivirus Platinum\pavdll.dll
Removal failed
>>> Virus fragment 'W95/CIH-10xx' found in file c:\Programme\Panda Software\Panda Antivirus Platinum\Sdisk2.img\sdisk2
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0031356.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0031366.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0031384.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0031405.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032405.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032444.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032453.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032477.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032486.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032521.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032530.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032539.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032551.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032561.dll
Removal successful
>>> Virus 'Troj/Istsvc-A' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032619.exe
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036301.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036312.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036347.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036359.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036373.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036386.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036397.dll
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036448.dll
Removal successful
>>> Virus 'Troj/Istbar-Fam' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042705.exe
Removal successful
>>> Virus 'Troj/Elitebar-K' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042719.exe
Removal successful
>>> Virus 'Troj/Elitebar-I' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042727.dll
Removal successful
>>> Virus 'Troj/Istbar-Fam' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042736.exe
Removal successful
>>> Virus 'Troj/Elitebar-K' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042737.exe
Removal successful
>>> Virus fragment 'W95/Whog-878b' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042738.exe\SfxArchiveData\data1.cab\ICAB:000bbd59
>>> Virus fragment 'W95/CIH-10xx' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042738.exe\SfxArchiveData\data1.cab\ICAB:001a410e
>>> Virus fragment 'W95/CIH-10xx' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042738.exe\SfxArchiveData\data2.cab\ICAB:006cd21d\sdisk2
>>> Virus fragment 'W95/CIH-10xx' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042738.exe\SfxArchiveData\data2.cab\ICAB:009d3571
>>> Virus fragment 'W95/Whog-878b' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042738.exe\SfxArchiveData\pavDll.dll
Removal successful
>>> Virus fragment 'W95/Whog-878b' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042745.dll
Removal successful
>>> Virus fragment 'W95/CIH-10xx' found in file c:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042747.com
Removal successful
>>> Virus 'Troj/Agent-DJ' found in file c:\WINDOWS\Cursors\binnet.dll
Removal failed
Could not open c:\WINDOWS\system32\config\system.LOG
>>> Virus 'Troj/Istsvc-A' found in file c:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\CIIOK4WS\istrecover[1].exe
Removal successful
Could not open c:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD
>>> Virus 'W32/Netsky-T' found in file c:\WINDOWS\uinmzertinmds.opm
Removal successful
Could not open PHYSICAL:0081:0000:0000:0001
Could not open PHYSICAL:0082:0000:0000:0001
Could not open PHYSICAL:0083:0000:0000:0001
Could not open PHYSICAL:0084:0000:0000:0001

5 master boot records swept.
57450 files swept in 4 hours, 13 minutes and 33 seconds.
76 errors were encountered.
51 viruses were discovered.
42 files out of 57450 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
61 encrypted files were not checked.
Ending Sophos Anti-Virus.


der report von trend micro lässt sich nicht kopieren!

#9 Registry Search Tool

Doppelklick:regsrch.vbs
reinkopieren:

sysdat.exe

und hier posten
---------------------------------------------------------------------

Loesche mit der Killbox oder manuell:

C:\msu.exe\msu.exe
C:\msu.exe
c:\windows\sysdat.exe

Start-->ausfuehren--> regedit

bearbeiten--> suchen--> Lpdriver

Klicke auf Bearbeiten -- Berechtigung und klicke dann auf Vollzugriff -- [Übernehmen] und auf [OK]. Erneuter [Rechtsklick] auf den Schlüssel und versuche diesen zu löschen.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Lpdriver]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Lpdriver]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lpdriver]

PC neustarten

scanne mit Kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html

suche und loesche:
C:\Program Files\system64.dat
c:\windows\System32\lpdriver.sys (falls es nicht schon geloscht ist...)

----------------------------------------------------------------
ist fuer mich:
25.02.2005 04:34 22.752 spupdsvc.exe

Zitat

Charakteristik: spupdsvc.exe befindet sich im Ordner C:\Windows\System32. Die Dateigröße unter Windows XP ist 15872 bytes.

24.02.2005 19:34 15.584 spmsg.dll ???
__________
MfG Sabina

rund um die PC-Sicherheit

#10 Virus Scan Report File

--------------------------------------------------------------------------------
Virus Scan Information
--------------------------------------------------------------------------------

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4630 created Nov 16 2005
Scanning for 159421 viruses, trojans and variants.

Scanning C: []
C:\msu.exe\msu.exe ... Found the Spam-SPM trojan !!!
The file or process has been deleted.
Scanning C:\*.*
C:\!KillBox\binnet.dll ... Found potentially unwanted program Adware-Virtumundo.
The file or process has been deleted.
C:\!KillBox\Germany.exe ... Found potentially unwanted program Dialer-263.
The file or process has been deleted.
C:\!KillBox\inetinfomon.exe\inetinfomon.exe ... Found the Spam-SPM trojan !!!
The file or process has been deleted.
C:\!KillBox\x.bat ... Found the Generic component trojan !!!
The file or process has been deleted.

C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\UNS5DO7D\Microsoft_Update[1].exe\Microsoft_Update[1].exe ... Found the Spam-SPM trojan !!!
The file or process has been deleted.

C:\Dokumente und Einstellungen\unikos\Desktop\hijackthis.zip\BACKUP-20051110-010637-949.DLL ... Found potentially unwanted program Adware-Adpower.

C:\Programme\Gemeinsame Dateien\WinSoftware\CrXML.dll ... Found potentially unwanted program WinFixer.
The file or process has been deleted.

C:\WINDOWS\Cursors\binnet.dll ... Found potentially unwanted program Adware-Virtumundo.

C:\WINDOWS\pre2.exe ... Found the AdClicker-BA trojan !!!
The file or process has been deleted.

Zitat

13.09.2005 10:22 14.336 pre2.exe
10.09.2005 08:32 8.264 Germany.exe

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1XV0513Y\cmctl[1].dll ... Found potentially unwanted program Adware-ISTbar.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1XV0513Y\nem220[1].dll ... Found potentially unwanted program Adware-DFC.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1XV0513Y\power_remove[1].exe\power_remove[1].exe ... Found potentially unwanted program PowerScan.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1XV0513Y\SAcc.prod.11jui2005.exe[1]\SAcc.prod.11jui2005.exe[1] ... Found potentially unwanted program Adware-SurfAccuracy.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\9RXGD02G\istbarcm[1].dll\istbarcm[1].dll ... Found potentially unwanted program YourSiteBar.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\9RXGD02G\istsvc[1].exe\istsvc[1].exe ... Found potentially unwanted program Adware-ISTbar.b.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\9RXGD02G\package_MARKETING27[1].exe ... Found potentially unwanted program Adware-BB.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\9RXGD02G\sfbho13[1].dll\sfbho13[1].dll ... Found potentially unwanted program Adware-SideFind.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\CIIOK4WS\istdownload[1].exe\istdownload[1].exe ... Found potentially unwanted program Adware-ISTbar.b.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\CIIOK4WS\sacc_remove[1].exe\sacc_remove[1].exe ... Found potentially unwanted program Adware-SurfAccuracy.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\W5KPBWZT\optimize[1].exe ... Found potentially unwanted program Adware-DFC.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\W5KPBWZT\powerscan[1].exe ... Found potentially unwanted program PowerScan.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\W5KPBWZT\sidefind13[1].dll ... Found potentially unwanted program Adware-SideFind.
The file or process has been deleted.

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\W5KPBWZT\sidefind[1].exe\sidefind[1].exe ... Found potentially unwanted program Adware-SideFind.
The file or process has been deleted.

--------------------------------------------------------------------------------

Visit the McAfee Online Web Site
Need some help or advice? Send email to Technical

#11 Killbox:
DelTree (include SubDirectories)
Man will zum Beispiel einen Ordner löschen . Nun muss man nicht alle Dateien im Ordner einzeln eingeben, sondern klickt die Option DelTree (include subdirectories).
Hierbei wird ein komplettes Archiv mitsamt der Unterordner gelöscht.

C:\Programme\Gemeinsame Dateien\WinSoftware <---ist der Winfixer

CCleaner
http://www.ccleaner.com/ccdownload.asp
lösche alle temp-Dateien
__________
MfG Sabina

rund um die PC-Sicherheit

#12 wenn das alles erledig ist, loeschen wir Adware-Virtumundo
__________
MfG Sabina

rund um die PC-Sicherheit

#13 sysdat.exe bekomme ich keinen report?! meldet aber: das nichts gefunden wurde.


C:\msu.exe\msu.exe
C:\msu.exe
c:\windows\sysdat.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lpdriver]

C:\Program Files\system64.dat

habe ich nicht gefunden!

kaspersky scan
sieht nicht gut aus:


KASPERSKY ON-LINE SCANNER REPORT
Thursday, November 17, 2005 22:32:15
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/11/2005
Kaspersky Anti-Virus database records: 150711
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 61698
Number of viruses found: 11
Number of infected objects: 59
Number of suspicious objects: 0
Duration of the scan process: 1789 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0031314.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0031367.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0031385.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0031406.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032406.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032426.exe Infected: Backdoor.Win32.EggDrop.1616
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032445.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032454.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032478.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032487.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032522.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032531.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032540.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032552.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032562.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032620.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032621.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032622.exe Infected: Trojan-Downloader.Win32.IstBar.gen
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0032623.dll Infected: Trojan-Downloader.Win32.Dyfuca.dt
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036278.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036279.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036302.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036303.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036304.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036313.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036314.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036315.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036348.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036349.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036350.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036360.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036361.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036362.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036374.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036375.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036376.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036387.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036388.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036389.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036398.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036399.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036400.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036429.exe Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036442.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036449.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP87\A0036509.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042707.exe Infected: Trojan.Win32.Dialer.jr
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042708.exe Infected: SpamTool.Win32.Delf.j
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042709.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042718.exe Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042728.dll Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042743.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042744.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042759.exe Infected: SpamTool.Win32.Delf.j
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042760.exe Infected: Trojan.Win32.Dialer.jr
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042761.exe Infected: SpamTool.Win32.Delf.j
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042764.exe Infected: Trojan-Dropper.Win32.Small.aeq
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042765.exe Infected: Trojan-Downloader.Win32.Agent.tv
C:\System Volume Information\_restore{E173A2FC-2294-43A5-8C5E-885E438A6625}\RP92\A0042782.dll Infected: Trojan.Win32.Crypt.o

Scan process completed.


über die killbox wird der zugriff auf die: -system volume information verweigert! wie soll ich die viren löschen?

#14 kopiere in die killbox: -->loeschen !!!!!!!!!
(wenn es noch da ist, wird es angezeigt)

c:\windows\sysdat.exe
C:\Program Files\system64.dat

dann neustarten

Doppelklick:regsrch.vbs
reinkopieren:

Lpdriver

Press 'OK'
warten, bis die Suche beendet ist. (Ergebnis bitte posten)

ServiceFilter.zip
http://virus-protect.org/artikel/tools/ServiceFilter.zip
- entzippen
- scannen
- POST_THIS.TXT abkopieren

Deaktivieren Wiederherstellung
«XP
Arbeitsplatz-->rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.
http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/gdocid/20030807105707924

scanne mit Panda und poste den scanbericht
http://virus-protect.org/onlinescan.html
--------------------------------------------------------------------------------
(wenn die Reinigung beendet ist, aktiviere die Systemwiederherstellung wieder)
__________
MfG Sabina

rund um die PC-Sicherheit

#15 c:\windows\sysdat.exe
C:\Program Files\system64.dat

hab ich reinkopiert: daten existieren nicht!

Doppelklick:regsrch.vbs

hat nichts gefunden, bekomme aber keinen report! auch nach 5 minuten nicht. vorher habe ich ok gedrückt.

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 1
Nov 18, 2005 01:38:57


---> Begin Service Listing <---

Unknown Service # 1
Service Name: MGABGEXE
Display Name: MGABGEXE
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\mgabg.exe
State: Running
Process ID: 1580
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 2
Service Name: PAVFIRES
Display Name: Panda Firewall Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\panda software\panda antivirus platinum\firewall\pavfires.exe
State: Running
Process ID: 1608
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 3
Service Name: PAVSRV
Display Name: Panda anti-virus service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\programme\panda software\panda antivirus platinum\pavsrv51.exe
State: Running
Process ID: 1944
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #4
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Verwaltet Software-basierte Schattenkopien des Volumeschattenkopie-Dienstes. Software-basierte ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{9672c603-91c2-4a35-bb7c-07a190c0c689}
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 5
Service Name: virus
Display Name: change me please
Start Mode: Disabled
Start Name: LocalSystem
Description: this is it, you're ...
Service Type: Own Process
Path: "c:\windows\sysdat.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

---> End Service Listing <---

There are 82 Win32 services on this machine.
5 were unrecognized.

Script Execution Time: 1,078125 seconds.