Spysheriff after download, and wallpaper changed
#0
11.12.2005, 13:25
...new here
Posts: 1
11.12.2005, 13:27
Honorary member
Posts: 29434
#17
crunch
CCleaner: delete all temp files http://virus-protect.org/temp.html
Copy the 4 text files here http://virus-protect.org/datfindbat.html
Copy the Silent Runners log http://virus-protect.org/silentrunner.html
__________
Regards, Sabina
all about PC security
12.12.2005, 21:44
...new here
Posts: 8
#18
Hello everyone!!
Unfortunately I have exactly the same problem!! I do have the text files, but I don't know exactly which files I have to delete with the killbox!! I can paste the 4 text files in right away:

1:
Verzeichnis von C:\WINDOWS\system32
12.12.2005 22:14 3'469 ndpqrs22.ini
12.12.2005 20:25 0 uqporu09.html
12.12.2005 20:19 46'592 zlbw.dll
12.12.2005 20:19 57'390 sywsvcs.exe
12.12.2005 20:19 57'390 ll.exe
12.12.2005 20:19 58 svcp.csv
12.12.2005 20:19 4 winsub.xml
12.12.2005 20:19 12'137 mstool.exe
12.12.2005 18:03 54'046 perfc009.dat
12.12.2005 18:03 382'302 perfh009.dat
12.12.2005 18:03 393'122 perfh007.dat
12.12.2005 18:03 65'062 perfc007.dat
12.12.2005 18:03 905'204 PerfStringBackup.INI
09.12.2005 18:14 1'158 wpa.dbl
02.12.2005 20:49 47'880 p90si1ih.dat
02.12.2005 20:49 131'024 m844pbhq.dat
02.12.2005 20:49 4'672 t9rkanj8.dat
12.11.2005 17:14 249'496 FNTCACHE.DAT
11.11.2005 06:00 2'377'568 MRT.exe
05.11.2005 14:01 262'144 wrap_oal.dll
05.11.2005 14:01 86'016 OpenAL32.dll
02.11.2005 00:00 188'416 vorbis.dll
02.11.2005 00:00 45'056 ogg.dll
02.11.2005 00:00 73'728 EmAcmMp3Wrapper.ax
02.11.2005 00:00 151'552 HDX4AACDecoder.ax
02.11.2005 00:00 147'456 HDX4AMRDecoder.ax
02.11.2005 00:00 503'808 hdx4_dshow.dll
02.11.2005 00:00 225'280 HDX4mp4Source.ax
02.11.2005 00:00 921'600 vorbisenc.dll
02.11.2005 00:00 237'568 OggDS.dll
16.10.2005 12:28 302'352 MSWNG300.DLL
16.10.2005 12:13 243'984 VBAR2232.DLL
16.10.2005 12:13 1'015'568 MSJT3032.DLL
16.10.2005 12:12 250'640 MSRD2X32.DLL
15.10.2005 15:53 35'600 MSJINT32.DLL
15.10.2005 15:53 23'824 MSJTER32.DLL
15.10.2005 15:53 76'288 ODBCTL32.DLL
08.10.2005 16:55 43'520 CmdLineExt03.dll
06.10.2005 04:18 280'064 gdi32.dll
06.10.2005 04:08 1'839'616 win32k.sys
04.10.2005 16:26 3'013'120 mshtml.dll
25.09.2005 18:20 98'304 CmdLineExt.dll
23.09.2005 09:00 2'718 59i4r2lm.dat
23.09.2005 04:06 8'491'520 shell32.dll
10.09.2005 02:54 2'067'968 cdosys.dll
03.09.2005 00:53 664'064 wininet.dll

2: (I just can't delete these!)
Verzeichnis von C:\DOKUME~1\BENNI-~1\LOKALE~1\Temp
12.12.2005 18:34 16'384 Perflib_Perfdata_a0c.dat
12.12.2005 18:34 16'384 Perflib_Perfdata_930.dat
12.11.2005 14:03 24'613 IadHide5.dll

3:
Verzeichnis von C:\WINDOWS
12.12.2005 21:20 202 NeroDigital.ini
12.12.2005 20:21 1'999 desktop.html
12.12.2005 20:19 2'033 hosts
12.12.2005 20:19 3'052 secure32.html
12.12.2005 20:19 1'024 tool5.exe
12.12.2005 20:19 1'024 tool4.exe
12.12.2005 20:19 8'238 tool3.exe
12.12.2005 20:19 12'137 tool1.exe
12.12.2005 20:19 23'936 toolbar.exe
12.12.2005 20:19 1'024 country.exe
12.12.2005 20:19 29'184 tool2.exe
12.12.2005 20:19 57'544 kl.exe
12.12.2005 20:19 0 uniq
12.12.2005 19:38 334'796 setupapi.log
12.12.2005 19:06 192 winamp.ini
12.12.2005 18:34 0 0.log
12.12.2005 18:34 3'922 ModemLog_Creatix V.9X DSP Data Fax Modem.txt
12.12.2005 18:34 159 wiadebug.log
12.12.2005 18:34 1'484'293 WindowsUpdate.log
12.12.2005 18:34 50 wiaservc.log
12.12.2005 18:33 2'048 bootstat.dat
12.12.2005 18:02 228'213 setupact.log
11.12.2005 23:29 32'540 SchedLgU.Txt
06.12.2005 22:00 286 nsw.log
19.11.2005 01:26 21'763 wmsetup.log
12.11.2005 14:03 118'784 bwUnin-7.2.0.157-8876480SL.exe
12.11.2005 12:12 92'015 iis6.log
12.11.2005 12:12 119'979 ntdtcsetup.log
12.11.2005 12:12 27'081 ocmsn.log
12.11.2005 12:12 195'556 comsetup.log
12.11.2005 12:12 236'695 tsoc.log
12.11.2005 12:12 1'393 imsins.log
12.11.2005 12:12 11'864 KB896424.log
12.11.2005 12:12 307'963 ocgen.log
12.11.2005 12:12 28'543 msgsocm.log
12.11.2005 12:12 572'875 FaxSetup.log
12.11.2005 12:12 20'980 updspapi.log
15.10.2005 20:58 1'393 imsins.BAK
15.10.2005 20:58 20'999 KB901017.log
15.10.2005 20:58 23'259 KB902400.log
15.10.2005 20:57 14'007 KB896688.log
15.10.2005 20:57 13'590 KB905414.log
15.10.2005 20:57 13'388 KB900725.log
15.10.2005 20:57 11'232 KB904706.log
15.10.2005 20:57 11'832 KB905749.log
15.10.2005 15:53 60'416 ST4UNST.EXE
07.10.2005 23:13 0 vpd.properties
25.09.2005 18:16 108'409 DirectX.log
03.09.2005 13:19 3'752 Far Cry HQ Pack Setup Log.txt
03.09.2005 13:19 724'992 iun6002.exe

4:
Verzeichnis von C:\
12.12.2005 22:19 0 sys.txt
12.12.2005 22:19 13'431 system.txt
12.12.2005 22:17 411 systemtemp.txt
12.12.2005 22:17 102'983 system32.txt
12.12.2005 20:19 29'184 winstall.exe
12.12.2005 18:33 1'073'270'784 hiberfil.sys
12.12.2005 18:33 1'610'612'736 pagefile.sys
18.08.2005 08:48 102 Platform.ini
22.04.2005 19:05 4'020 data
04.04.2005 19:36 0 DEUTSCH.DAT
25.10.2004 11:53 211 boot.ini
25.10.2004 11:48 47'564 NTDETECT.COM
25.10.2004 11:48 251'184 ntldr
23.06.2004 08:21 860 IPH.PH
22.06.2004 16:43 0 IO.SYS
22.06.2004 16:43 0 CONFIG.SYS
22.06.2004 16:43 0 MSDOS.SYS
22.06.2004 16:43 0 AUTOEXEC.BAT
29.08.2002 13:00 4'952 bootfont.bin

And here is the Silent Runners log as well: (I simply ran it in "My Documents"!)

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = (empty string)
"LDM" = "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" ["Logitech"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Windows installer" = "C:\winstall.exe" [null data]
"aupd" = "C:\WINDOWS\system32\sywsvcs.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Dit" = "Dit.exe" [null data]
"Realtime Monitor" = "C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s" ["Computer Associates International, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"ledpointer" = "CNYHKey.exe" ["Chicony"]
"PCMService" = ""C:\Programme\Home Cinema\PowerCinema\PCMService.exe"" ["CyberLink Corp."]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"PRISMSTA.EXE" = "PRISMSTA.EXE START" ["Intersil Americas Inc."]
"DownloadAccelerator" = "C:\PROGRA~1\DAP\DAP.EXE /STARTUP" ["Speedbit Ltd."]
"WheelMouse" = "Amoumain.exe" [null data]
"MessengerPlus3" = ""C:\Programme\Messenger Plus! 3\MsgPlus.exe"" ["Patchou"]
"VirtualCloneDrive" = ""C:\Programme\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s" ["Elaborate Bytes AG"]
"(Default)" = (empty string)
"ATICCC" = ""C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]
"navapp" = "C:\Programme\NavExcel\NavHelper\v2.0.4d\navapp.exe" [null data]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"mmtask" = "C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" ["TODO: <Company name>"]
"AceGain LiveUpdate" = "C:\Programme\AceGain\LiveUpdate\LiveUpdate.exe" [file not found]
"AnyDVD" = "C:\Programme\SlySoft\AnyDVD\AnyDVD.exe" ["SlySoft, Inc."]
"Power Scan" = "C:\Programme\Power Scan\powerscan.exe" [file not found]
"ndpqrs22" = "C:\WINDOWS\system32\ndpqrs22.exe" [empty string]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0000CC75-ACF3-4cac-A0A9-DD3868E06852}\(Default) = "DAPHelper Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\DAP\DAPBHO.dll" ["Speedbit Ltd."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" [file not found]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

Group Policies [Description]:
-----------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001 [enables Active Desktop and prevents disabling it]
HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html" [disables the Display Properties|Desktop (tab) (except the "Customize Desktop..." button); selects wallpaper if Active Desktop is enabled]

Active Desktop and Wallpaper:
-----------------------------
Active Desktop enabled via Group Policy.
Wallpaper selected via Group Policy.

Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS]

Startup items in "Benni -" & "All Users" startup folders:
---------------------------------------------------------
C:\Dokumente und Einstellungen\Benni -\Startmenü\Programme\Autostart
INFECTION WARNING! "Registration Myst V" [null data]
"wkcalrem" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkCalRem.exe" ["Microsoft® Corporation"]
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"ATI CATALYST System Tray" -> shortcut to: "C:\Programme\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]
"BTTray" -> shortcut to: "C:\Programme\Sitecom\Bluetooth Software\BTTray.exe" ["Broadcom Corporation"]
"Logitech Desktop Messenger" -> shortcut to: "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]
"Logitech SetPoint" -> shortcut to: "C:\Programme\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2D1DDD38-CE4D-459B-A01C-F11BC92D5B69}" = "GMX Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\GMX\GMX Toolbar\toolbar.dll" ["GMX GmbH"]
"{86227D9C-0EFE-4F8A-AA55-30386A3F5686}" = "YourSiteBar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\YourSiteBar\ysb.dll" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{62999427-33FC-4BAF-9C9C-BCE6BD127F08}" = "DAP Bar"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\DAP\DAPIEBar.dll" [empty string]
"{2D1DDD38-CE4D-459B-A01C-F11BC92D5B69}" = "GMX Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\GMX\GMX Toolbar\toolbar.dll" ["GMX GmbH"]
"{86227D9C-0EFE-4F8A-AA55-30386A3F5686}" = "YourSiteBar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\YourSiteBar\ysb.dll" [file not found]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{10E42047-DEB9-4535-A118-B3F6EC39B807}\
"ButtonText" = "SideFind"
{669695BC-A811-4A9D-8CDF-BA8C795F261C}\
"ButtonText" = "Run DAP"
"Exec" = "C:\PROGRA~1\DAP\DAP.EXE" ["Speedbit Ltd."]
{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Programme\Sitecom\Bluetooth Software\btsendto_ie.htm" [null data]
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.msn.ch/Default.asp
Missing lines (compared with English-language version):
[Strings]: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Service, btwdins, "C:\Programme\Sitecom\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation"]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
eTrust Antivirus Job Server, InoTask, ""C:\Programme\CA\eTrust Antivirus\InoTask.exe"" ["Computer Associates International, Inc."]
eTrust Antivirus Realtime Server, InoRT, ""C:\Programme\CA\eTrust Antivirus\InoRT.exe"" ["Computer Associates International, Inc."]
eTrust Antivirus RPC Server, InoRPC, ""C:\Programme\CA\eTrust Antivirus\InoRpc.exe"" ["Computer Associates International, Inc."]
HTTP-SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
SAP-Agent, NwSapAgent, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipxsap.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth-Druckeranschluss\Driver = "bthcrp.dll" ["Broadcom Corporation"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 37 seconds, including 18 seconds for message boxes)

It's a bit much, but I hope someone can help me now!!
Regards, Rockman
This post was edited by Rockman on 12.12.2005 at 22:07.
13.12.2005, 00:33
Honorary member
Posts: 29434
#19
Hello @Rockman
C:\WINDOWS\system32\p90si1ih.dat
C:\WINDOWS\system32\m844pbhq.dat
C:\WINDOWS\system32\t9rkanj8.dat
C:\WINDOWS\system32\59i4r2lm.dat
--> right-click ---> open with Notepad --> copy me what appears in the text editor
-------------------------------------------------------------
Go into the Registry
Start --> Run --> regedit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"Wallpaper" = "C:\WINDOWS\desktop.html" <-- delete

Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fix.reg on the desktop using 'Save as'. Set the file type to 'All files'. You should now find this file on the desktop.
Quote:
REGEDIT4

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html
Options: Delete on Reboot / Process all in List --> tick
paste in: ... and click the red cross; when asked "Do you want to reboot?" ---- click "no" and paste in the next one; only on the last one click "yes"
C:\WINDOWS\system32\ndpqrs22.ini
C:\WINDOWS\system32\uqporu09.html
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\system32\sywsvcs.exe
C:\WINDOWS\system32\ll.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\mstool.exe
C:\WINDOWS\system32\p90si1ih.dat
C:\WINDOWS\system32\m844pbhq.dat
C:\WINDOWS\system32\t9rkanj8.dat
C:\WINDOWS\system32\59i4r2lm.dat
C:\WINDOWS\desktop.html
C:\WINDOWS\hosts
C:\WINDOWS\system32\ndpqrs22.exe
C:\WINDOWS\secure32.html
C:\WINDOWS\tool5.exe
C:\WINDOWS\tool4.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\tool1.exe
C:\WINDOWS\toolbar.exe
C:\WINDOWS\country.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\kl.exe
C:\WINDOWS\uniq
C:\WINDOWS\iun6002.exe
C:\winstall.exe

Restart the PC
Restart the computer in Safe Mode (press F8 while booting).
Double-click the file "fix.reg" on the desktop.

uninstall:
Power Scan
YourSiteBar
NavExcel

Killbox
DelTree (include SubDirectories)
Say you want to delete a folder. Then you don't have to enter every file in the folder one by one; instead you tick the option DelTree (include subdirectories). This deletes a complete archive together with its subfolders.
C:\Programme\Power Scan
C:\Programme\YourSiteBar
C:\Programme\NavExcel
---------------------------------------------------------------------------
Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

scan
http://virus-protect.org/microtrend.html

Kaspersky online scanner (post the scan report)
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina
all about PC security
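As an added example (not code from this thread, from Silent Runners or from virus-protect.org), a small Python triage script that reads a report in the layout Rockman posted and flags the entries Sabina singles out: autostart values Silent Runners could not attribute to a publisher, and the Policies\Explorer (or Policies\System, as in Sabina's instructions) values that force an HTML wallpaper and lock Active Desktop on. The embedded report excerpt is constructed for the example and only mirrors names from the thread.

```python
"""Triage a Silent Runners report for the desktop hijack discussed in this thread."""
import re
from typing import List, NamedTuple

# Constructed excerpt in the Silent Runners layout posted above. The file and
# value names mirror the ones in the thread, but this text is not a real capture.
SAMPLE_REPORT = r'''
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Windows installer" = "C:\winstall.exe" [null data]
"aupd" = "C:\WINDOWS\system32\sywsvcs.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"ndpqrs22" = "C:\WINDOWS\system32\ndpqrs22.exe" [empty string]
"Power Scan" = "C:\Programme\Power Scan\powerscan.exe" [file not found]
Group Policies [Description]:
-----------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001 [enables Active Desktop and prevents disabling it]
HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html" [selects wallpaper if Active Desktop is enabled]
'''


class Finding(NamedTuple):
    key: str     # registry key the value lives under
    name: str    # value name
    data: str    # value data as Silent Runners printed it
    reason: str  # why the entry deserves a second look


# Silent Runners prints a registry key on its own line, e.g. "HKLM\...\Run\ {++}".
KEY_RE = re.compile(r'^HK(?:LM|CU|CR|U)\\')
# A value line: optional warning prefix, quoted name, "=", data, optional [tag].
ENTRY_RE = re.compile(
    r'^(?P<warn>(?:HIJACK|INFECTION) WARNING! )?'
    r'"(?P<name>[^"]+)"\s*=\s*(?P<data>.*?)\s*(?:\[(?P<tag>[^\]]*)\])?$'
)
# Tags Silent Runners uses when it cannot attribute a file to a publisher.
UNVERIFIED = {'null data', 'empty string', 'file not found'}
AUTOSTART_KEYS = ('\\run', '\\runonce', '\\runservices')
POLICY_KEYS = ('\\policies\\explorer', '\\policies\\system')


def triage(report: str) -> List[Finding]:
    """Return the entries a helper would ask about first."""
    findings: List[Finding] = []
    key = ''
    for raw in report.splitlines():
        line = raw.strip()
        if KEY_RE.match(line):
            key = line.replace(' {++}', '').rstrip('\\')
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, data, tag = m['name'], m['data'].strip('"'), (m['tag'] or '')
        lkey = key.lower()
        if lkey.endswith(POLICY_KEYS):
            # The symptom in this thread: an HTML "wallpaper" forced by policy,
            # with Active Desktop locked on so the user cannot turn it off.
            if name.lower() == 'wallpaper' and data.lower().endswith(('.htm', '.html')):
                reason = 'wallpaper forced to an HTML file by policy'
            elif name == 'ForceActiveDesktopOn' and data.endswith('00000001'):
                reason = 'Active Desktop locked on by policy'
            else:
                reason = 'unexpected Explorer policy value'
            findings.append(Finding(key, name, data, reason))
        elif lkey.endswith(AUTOSTART_KEYS) and tag.lower() in UNVERIFIED:
            reason = f'autostart with no verifiable publisher ({tag})'
            # A loader sitting directly in the drive root (C:\winstall.exe) is unusual.
            if re.match(r'^[a-z]:\\[^\\]+$', data, re.I):
                reason += '; launched from the drive root'
            findings.append(Finding(key, name, data, reason))
        elif m['warn']:
            # Anything else Silent Runners itself marked as a warning.
            findings.append(Finding(key, name, data, m['warn'].strip()))
    return findings


def flagged_names(report: str) -> set:
    """Value names that triage() flagged, for quick comparison against a fix list."""
    return {f.name for f in triage(report)}


if __name__ == '__main__':
    for f in triage(SAMPLE_REPORT):
        print(f'{f.key}\n    "{f.name}" = {f.data}\n    -> {f.reason}')
```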
13.12.2005, 21:06
...new here
Posts: 8
#20
Hello @Sabina
Still awake so late! Well, when I open the files with Notepad, all that shows up is lots of little boxes with a few letters in between!!! Except for the last file, something was written there, but somehow the files are deleted now!! Oh yes, I used the Killbox!! Well then, the Power Scan file somehow doesn't exist anymore, same as YourSiteBar!! And NavExcel I could delete manually, one by one! Because my Killbox doesn't have this "DelTree" function at all!! So should I delete the NavExcel folder? PS: when I'm in Safe Mode, can I log in normally just like in normal mode?
Regards, Rockman
14.12.2005, 11:34
Honorary member
Posts: 29434
#21
work through this first, then we'll see:
--------------------------------------------------------------------------
work through everything as described above, also apply hoster.zip
NavExcel: delete everything!
scan with microtrend
Kaspersky online scanner (post the scan report)
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina
all about PC security
14.12.2005, 12:56
Honorary member
Posts: 6028
#22
Hello, Sabina
I'm infected with SpySheriff too, was quite by accident on a cr"nothere"ck site
Here is my log

Logfile of HijackThis v1.99.1
Scan saved at 2:14:33, on 14-12-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ESCAN\TRAYICOS.EXE
C:\WINDOWS\SYSTEM\KERNELS64.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\VXH8JKDQ2.EXE
C:\WINDOWS\SYSTEM\VXH8JKDQ6.EXE
C:\WINDOWS\SYSTEM\VXH8JKDQ7.EXE
C:\WINDOWS\INET20001\WINLOGON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINSTALL.EXE
C:\WINDOWS\SYSTEM\SYWSVCS.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\DATA\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F1 - win.ini: run=C:\WINDOWS\INET20001\WINLOGON.EXE
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\SYSTEM\ZOLKER011.DLL
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20001\3.00.11.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Program Files\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels64.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INET20001\WINLOGON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [eScan Updater] C:\PROGRA~1\ESCAN\TRAYICOS.EXE
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\SYSTEM\kernels64.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INET20001\WINLOGON.EXE
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\SYSTEM\sywsvcs.exe
O4 - HKCU\..\RunServices: [aupd] C:\WINDOWS\SYSTEM\sywsvcs.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O10 - Broken Internet access because of LSP provider 'mwnsp.dll' missing
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: st3 - C:\WINDOWS\G1699615.DLL
O21 - SSODL: DDE - {F33812FB-F35C-4674-90F6-FD757C419C51} - C:\WINDOWS\SYSTEM\birdihuy32.dll
O21 - SSODL: Module - {429F4BB8-7BF7-4152-8011-3C6F9EB7E892} - C:\WINDOWS\SYSTEM\chp.dll

Het volume in station C heeft geen naam.
Het volumenummer is 2821-18E0
Map van C:\.
SYS TXT 0 14-12-05 2:11 sys.txt
SYSTEM TXT 12.773 14-12-05 2:11 system.txt
SYSTEM~1 TXT 1.141 14-12-05 2:11 systemtemp.txt
SYSTEM32 TXT 377 14-12-05 2:11 system32.txt
SCANDISK LOG 486 14-12-05 2:08 SCANDISK.LOG
LO1193~1 EXE 6.505 14-12-05 1:50 lo1193031151.exe
SPYWAR~1 URL 142 14-12-05 1:49 Spyware Remover.url
POPUPB~1 URL 140 14-12-05 1:49 PopUp Blocker.url
WINSTALL EXE 29.184 14-12-05 1:49 winstall.exe
LO-492~1 EXE 6.505 14-12-05 1:48 lo-492723991.exe
23990098 $$$ 134 13-12-05 9:53 23990098.$$$
MSDOS SYS 1.676 10-12-05 17:50 MSDOS.SYS
DETLOG TXT 70.051 10-12-05 17:44 DETLOG.TXT
FRUNLOG TXT 1.011 10-12-05 17:41 FRUNLOG.TXT
SUHDLOG DAT 5.166 10-12-05 17:36 SUHDLOG.DAT
SYSTEM 1ST 466.976 10-12-05 17:36 SYSTEM.1ST
MSDOS --- 22 10-12-05 17:14 MSDOS.---
COMMAND COM 96.546 05-05-99 22:22 COMMAND.COM
IO SYS 222.390 05-05-99 22:22 IO.SYS
25 bestand(en) 1.124.806 bytes.
0 dir('s) 1.343.750.144 bytes beschikbaar.

Het volume in station C heeft geen naam.
Het volumenummer is 2821-18E0
Map van C:\WINDOWS.
SYSTEM DAT 4.218.912 14-12-05 2:10 SYSTEM.DAT
USER DAT 266.272 14-12-05 2:10 USER.DAT
TSP LOG 6.551 14-12-05 2:09 tsp.log
ESCAN LOG 35.738 14-12-05 2:09 ESCAN.LOG
CPERROR LOG 778 14-12-05 2:09 CPERROR.LOG
SCHEDLOG TXT 2.643 14-12-05 2:08 SchedLog.Txt
SYSTEM INI 1.661 14-12-05 2:08 SYSTEM.INI
NDISLOG TXT 0 14-12-05 2:08 NDISLOG.TXT
SHELLI~1 740.955 14-12-05 2:02 ShellIconCache
ZSETTI~1 DLL 926 14-12-05 1:56 zsettings.dll
G1699615 DLL 13.824 14-12-05 1:56 g1699615.dll
WIN386 SWP 226.492.416 14-12-05 1:50 WIN386.SWP
DESKTO~1 HTM 1.999 14-12-05 1:50 desktop.html
COMMAND PIF 967 14-12-05 1:49 command.PIF
WIN INI 8.718 14-12-05 1:49 WIN.INI
G1317746 DLL 13.824 14-12-05 1:49 g1317746.dll
FLAG BLA 2 14-12-05 1:49 flag.bla
ESCAN DBF 155 14-12-05 1:28 escan.dbf
220 bestand(en) 241.604.271 bytes.
0 dir('s) 1.343.750.144 bytes beschikbaar.

Het volume in station C heeft geen naam.
Het volumenummer is 2821-18E0
Map van C:\WINDOWS\SYSTEM32.
FOLDER HTT 13.301 10-12-06 17:52 folder.htt
DESKTOP INI 266 10-12-06 17:52 desktop.ini
ST3 DLL 0 14-12-05 2:04 st3.dll
3 bestand(en) 13.567 bytes.
0 dir('s) 1.343.684.608 bytes beschikbaar.

Het volume in station C heeft geen naam.
Het volumenummer is 2821-18E0
Map van C:\WINDOWS\TEMP.
OQOAOILM HTM 1.102 14-12-05 2:09 oqoaoilm.htm
ZBZ BAT 124 14-12-05 1:56 zbz.bat
D BAT 123 14-12-05 1:56 d.bat
QVXT2~1 GAM 1.632 14-12-05 1:56 qvxt2.game
QVXT3~1 GAM 1.632 14-12-05 1:56 qvxt3.game
QVXT4~1 GAM 1.632 14-12-05 1:56 qvxt4.game
VX4~1 GAM 8.367 14-12-05 1:56 vx4.game
VX6~1 GAM 11.776 14-12-05 1:50 vx6.game
1213~1 451 14.357 14-12-05 1:49 1213.4516
MAXDD~1 GAM 12.616 14-12-05 1:49 maxdd.game
2~1 QTD 29.184 14-12-05 1:49 2.qtdfmp
5~1 QTD 3.120 14-12-05 1:49 5.qtdfmp
6~1 QTD 3.152 14-12-05 1:49 6.qtdfmp
7~1 QTD 3.584 14-12-05 1:49 7.qtdfmp
1~1 QTD 1.665 14-12-05 1:49 1.qtdfmp
MSIEVENT LOG 764 13-12-05 9:26 msievent.log
DRW1144 TMP 6.985 13-12-05 2:33 drw1144.TMP
17 bestand(en) 101.815 bytes.
0 dir('s) 1.343.750.144 bytes beschikbaar.
eSCAN
C:\lo-492723991.exe File Infected with "Trojan-Downloader.Win32.Small.cax". Action Taken: File deleted!
C:\lo1193031151.exe File Infected with "Trojan-Downloader.Win32.Small.cax". Action Taken: File deleted!
C:\WINDOWS\g1317746.dll File Infected with "Trojan-Downloader.Win32.Delf.zu". Action Taken: File deleted!
C:\WINDOWS\g1699615.dll File Infected with "Trojan-Downloader.Win32.Delf.zu". Unable to delete infected file. Virus could not be removed!
C:\WINDOWS\SYSTEM\vxh8jkdq1.exe File Infected with "Trojan-Downloader.Win32.Small.bho". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxh8jkdq5.exe File Infected with "Trojan-Downloader.Win32.Small.axn". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\1286625.exe File Infected with "Trojan-Dropper.Win32.Small.abx". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgame1.exe File Infected with "Trojan-Dropper.Win32.Agent.ri". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgame2.exe File Infected with "Packed.Win32.Klone.b". Action Taken: File renamed!
C:\WINDOWS\SYSTEM\maxd64.exe File Infected with "Trojan.Win32.Dialer.ay". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgame3.exe File Infected with "Trojan-Dropper.Win32.Small.aih". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgamet2.exe File Infected with "Trojan-Downloader.Win32.Small.bxc". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgamet3.exe File Infected with "Trojan-Dropper.Win32.Agent.abu". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\chp.dll File Infected with "Trojan.Win32.Spabot.t". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\birdihuy32.dll File Infected with "Trojan-Proxy.Win32.Small.ct". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgamet4.exe File Infected with "Trojan-Downloader.Win32.Tibs.s". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\vxgame6.exe File Infected with "Trojan-Downloader.Win32.CWS.gen". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\Fggbdk32.exe File Infected with "Net-Worm.Win32.Padobot.z". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\ll.exe File Infected with "Packed.Win32.Klone.b". Action Taken: File renamed!
C:\WINDOWS\SYSTEM\vxgame4.exe File Infected with "Trojan-Downloader.Win32.Small.cah". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\Fddckppn.dll File Infected with "Net-Worm.Win32.Padobot.z". Action Taken: File deleted!
C:\WINDOWS\SYSTEM\CICBBIE0.exe File Infected with "Net-Worm.Win32.Padobot.z". Action Taken: File deleted!
C:\WINDOWS\inet20001\services.exe File Infected with "Trojan-Downloader.Win32.CWS.gen". Action Taken: File deleted!
C:\WINDOWS\inet20001\mm3.exe File Infected with "Trojan-Spy.Win32.Delf.ig". Action Taken: File deleted!
C:\WINDOWS\inet20001\alg.exe File Infected with "Email-Worm.Win32.Delf.i". Action Taken: File deleted!
wo dec 14 09:37:24 2005 => Total Number of Files Infected: 25
wo dec 14 09:37:24 2005 => Total Number of Files Renamed: 2
wo dec 14 09:37:24 2005 => Total Number of Files Deleted: 22
wo dec 14 09:37:24 2005 => Total Number of Errors: 1

CounterSpy Spyware Scan Details
Start Date: 14-12-05 10:16:45
End Date: 14-12-05 10:34:13
Total Time: 17 mins 28 secs

Detected spyware

Trojan.vxgame Trojan more information...
Status: Deleted
Infected files detected
c:\windows\system\vxgamet1.exe
c:\windows\system\vx.tll
c:\windows\flag.bla
c:\windows\system\ddr64.dll
c:\windows\system\qvxgamet2.exe
c:\windows\system\qvxgamet3.exe
c:\windows\system\qvxgamet4.exe
c:\windows\system\svcp.csv
c:\windows\system\winsub.xml
c:\windows\system\split1.exe
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 DLLName C:\WINDOWS\G1699615.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 logoff WACLEventLogoff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 lock WACLEventLock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 logon WACLEventLogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 startup WACLEventStartup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 shutdown WACLEventShutdown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 startshell WACLEventStartShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 unlock WACLEventUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 startscreensaver WACLEventStartScreenSaver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 stopscreensaver WACLEventStopScreenSaver

CoolWebSearch.MWSearch Spyware more information...
Details: MWSearch adds a search toolbar to Internet Explorer and hijacks the default search page.
Status: Deleted
Infected files detected
c:\windows\zsettings.dll
c:\WINDOWS\SYSTEM\ztoolb011.dll
Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{B75F75B8-93F3-429D-FF34-660B206D897A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B75F75B8-93F3-429D-FF34-660B206D897A}

Search Terror Search Hijacker more information...
Details: Search Terror is a Search Hijacker
Status: Deleted
Infected files detected
c:\windows\system\birdihuy.dll

topnetsearch Browser Hijacker more information...
Status: Deleted
Infected files detected
c:\windows\system\zlokdfs9.leo
c:\windows\system\ztoolb011.dll
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B75F75B8-93F3-429D-FF34-660B206D897A}

CoolWebSearch Browser Hijacker more information...
Details: CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators.
Status: Deleted
Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\ProgID Replace.HBO.1
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\InprocServer32 C:\WINDOWS\inet20001\3.00.11.dll
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\Programmable
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\TypeLib {516A36EA-AFE2-4965-A492-B198B7F7B018}
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\VersionIndependentProgID Replace.HBO
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3} HBO Class

Unclassified.Trojan.H Spyware more information...
Status: Deleted
Infected registry entries detected
HKEY_CLASSES_ROOT\Tubby.ToolBandObj.1
HKEY_CLASSES_ROOT\Tubby.ToolBandObj.1\CLSID {9EAC0102-5E61-2312-BC2D-4D54434D5443}
HKEY_CLASSES_ROOT\Tubby.ToolBandObj.1 Search Toolbar Tubby.

MakeMeSearch Browser Hijacker more information...
Details: MakeMeSearch is a browser redirector that runs as an Internet Explorer browser helper object. MakeMeSearch changes your homepage and browser settings.
Status: Deleted
Infected registry entries detected
HKEY_CURRENT_USER\Software\MTC MTC
HKEY_CURRENT_USER\Software\MTC MTC\Options Run 4
HKEY_CURRENT_USER\Software\MTC MTC\Options Shown 1
HKEY_CURRENT_USER\Software\MTC MTC\Options Dnl 0
HKEY_CURRENT_USER\Software\MTC MTC\Options mlu 1026957
HKEY_CURRENT_USER\Software\MTC MTC\Options lu 1026957
HKEY_CURRENT_USER\Software\MTC MTC\Options Flg 2

Krepper Trojan Downloader more information...
Details: Krepper is a trojan virus, that modifies website surfing to display advertising, and downloads additional threats
Status: Deleted
Infected registry entries detected
HKEY_CLASSES_ROOT\Replace.HBO
HKEY_CLASSES_ROOT\Replace.HBO\CLSID {5321E378-FFAD-4999-8C62-03CA8155F0B3}
HKEY_CLASSES_ROOT\Replace.HBO\CurVer Replace.HBO.1
HKEY_CLASSES_ROOT\Replace.HBO HBO Class
HKEY_CLASSES_ROOT\Replace.HBO.1
HKEY_CLASSES_ROOT\Replace.HBO.1\CLSID {5321E378-FFAD-4999-8C62-03CA8155F0B3}
HKEY_CLASSES_ROOT\Replace.HBO.1 HBO Class
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\ProgID Replace.HBO.1
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\InprocServer32 C:\WINDOWS\inet20001\3.00.11.dll
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\Programmable
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\TypeLib {516A36EA-AFE2-4965-A492-B198B7F7B018}
HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3}\VersionIndependentProgID Replace.HBO HKEY_CLASSES_ROOT\clsid\{5321E378-FFAD-4999-8C62-03CA8155F0B3} HBO Class Trojan.Proxy.birdihuy Trojan more information... Status: Deleted Infected registry entries detected HKEY_CLASSES_ROOT\clsid\{F33812FB-F35C-4674-90F6-FD757C419C51} HKEY_CLASSES_ROOT\clsid\{F33812FB-F35C-4674-90F6-FD757C419C51}\InProcServer32 C:\WINDOWS\SYSTEM\birdihuy32.dll HKEY_CLASSES_ROOT\clsid\{F33812FB-F35C-4674-90F6-FD757C419C51}\InProcServer32 ThreadingModel Apartment Alexa Toolbar Potential Privacy Risk more information... Details: Alexa is a free, ad-based product which installs itself into your Internet Explorer or Netscape browser. It ads a bar which has a series of links into your browser which gives quite a bit of information about each web page that you visit. Status: Deleted Infected registry entries detected HKEY_CLASSES_ROOT\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum HKEY_CLASSES_ROOT\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum Implementing HKEY_CLASSES_ROOT\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum HKEY_CLASSES_ROOT\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum Implementing bho.CashDeluxe.dwc Misc more information... 
Status: Deleted Infected registry entries detected HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 logoff WACLEventLogoff HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 lock WACLEventLock HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 logon WACLEventLogon HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 startup WACLEventStartup HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 shutdown WACLEventShutdown HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 startshell WACLEventStartShell HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 unlock WACLEventUnlock HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 startscreensaver WACLEventStartScreenSaver HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3 stopscreensaver WACLEventStopScreenSaver HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}\InprocServer32 ThreadingModel Apartment HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}\InprocServer32 C:\WINDOWS\G1699615.DLL HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}\InprocServer32 ThreadingModel Apartment HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} C:\WINDOWS\G1699615.DLL HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} ThreadingModel Apartment Claria.DashBar Cookie Cookie more information... Details: DashBar cookie is a small text file placed on the user's computer after when visiting the Claria/GAIN DashBar website. 
Status: Deleted Infected cookies detected c:\windows\cookies\anyuser@belnk[1].txt PayPopup.com Cookie more information... Status: Deleted Infected cookies detected c:\windows\cookies\anyuser@paypopup[2].txt SpyLog.com Cookie more information... Status: Deleted Infected cookies detected c:\windows\cookies\anyuser@spylog[1].txt FastClick.com Cookie more information... Status: Deleted Infected cookies detected c:\windows\cookies\anyuser@media.fastclick[1].txt c:\windows\cookies\anyuser@fastclick[2].txt XXXCounter.com Cookie more information... Status: Deleted Infected cookies detected c:\windows\cookies\anyuser@xxxcounter[1].txt Findwhat Cookie more information... Status: Deleted Infected cookies detected c:\windows\cookies\anyuser@findwhat[1].txt Ein Bild von inet20001 kommt noch Toedeloe __________ MfG Argus Dieser Beitrag wurde am 14.12.2005 um 13:05 Uhr von Arnold editiert.
14.12.2005, 13:16
Honorary member
Posts: 29434
#23
Quote:
"I am also infected with SpySheriff, happened to be on a cr"nothere"ck site. C:\WINDOWS\SYSTEM32. FOLDER HTT 13.301 10-12-06 17:52 folder.htt"

That interests me... let me run it through jotti
---------------
C:\winstall.exe was found by no scanner (and other things)
http://virus-protect.org/artikel/spyware/inet20002.html
__________
Regards, Sabina
all about PC security
15.12.2005, 16:56
...new here
Posts: 8
#24
Hello @Sabina
So I have done everything! Here is the scan report from Kaspersky:

1.
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, December 14, 2005 21:53:34
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/12/2005
Kaspersky Anti-Virus database records: 155192
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOKUME~1\BENNI-~1\LOKALE~1\Temp\
Scan Statistics:
Total number of scanned objects: 22404
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 728 sec
No malware has been detected. The sections that have been scanned are CLEAN.
Scan process completed.

2.
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 15, 2005 00:07:33
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/12/2005
Kaspersky Anti-Virus database records: 155192
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\ C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ K:\ L:\
Scan Statistics:
Total number of scanned objects: 75807
Number of viruses found: 7
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 4688 sec
Infected Object Name - Virus Name
C:\!KillBox\mstool.exe Infected: Trojan-Proxy.Win32.Xorpix.e
C:\!KillBox\secure32.html Infected: not-virus:Hoax.Win32.Renos.y
C:\!KillBox\tool1.exe Infected: Trojan-Proxy.Win32.Xorpix.e
C:\!KillBox\tool2.exe Infected: not-virus:Hoax.Win32.Renos.ae
C:\!KillBox\toolbar.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\!KillBox\winstall.exe Infected: not-virus:Hoax.Win32.Renos.ae
C:\Dokumente und Einstellungen\Benni -\Desktop\rormu501.zip/start.exe/data0001 Infected: Trojan-Downloader.Win32.INService.ja
C:\Dokumente und Einstellungen\Benni -\Desktop\rormu501.zip/start.exe Infected: Trojan-Downloader.Win32.INService.ja
C:\Dokumente und Einstellungen\Benni -\Desktop\rormu501.zip Infected: Trojan-Downloader.Win32.INService.ja
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP238\A0042048.exe/run.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP238\A0042048.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP244\A0042539.exe Infected: Trojan-Downloader.Win32.INService.gen
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP268\A0048687.exe Infected: Trojan-Proxy.Win32.Xorpix.e
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP268\A0048691.exe Infected: Trojan-Proxy.Win32.Xorpix.e
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP268\A0048692.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP268\A0048694.exe Infected: not-virus:Hoax.Win32.Renos.ae
C:\System Volume Information\_restore{2DA43912-92F7-4753-8BDD-56F783EC77D4}\RP268\A0048697.exe Infected: not-virus:Hoax.Win32.Renos.ae
Scan process completed.

Regards, Rockman
15.12.2005, 17:28
Honorary member
Posts: 29434
#25
Disable System Restore... then enable it again
http://virus-protect.org/systemwiederherstellung.html

and manually empty everything in the Killbox

DELETE:
C:\Dokumente und Einstellungen\Benni -\Desktop\rormu501.zip

then scan with http://virus-protect.org/cureit.html

then everything should be OK again
__________
Regards, Sabina
all about PC security
15.12.2005, 18:08
...new here
Posts: 8
#26
System Restore done!
Should I delete the Killbox completely? That is, the whole folder?
Rormu501 deleted!
Oh, and can I delete fix.reg and sheriff.reg from my desktop, or do I have to leave them there?
Regards, Rockman
This post was edited on 15.12.2005 at 18:35 by Rockman.
16.12.2005, 11:46
Honorary member
Posts: 29434
#27
You can delete the reg files; they have already been merged into the registry.
If you scan once more with Kaspersky now, everything should stay clean.
__________
Regards, Sabina
all about PC security
02.01.2006, 12:16
...new here
Posts: 8
#28
Hello Sabina
I have the same problem. Here are my logs:

1.
Directory of C:\WINDOWS\system32
02.01.2006 08:57 35.870 vsconfig.xml
01.01.2006 20:13 373.114 perfh007.dat
01.01.2006 20:13 365.410 perfh009.dat
01.01.2006 20:13 46.414 perfc009.dat
01.01.2006 20:13 56.062 perfc007.dat
01.01.2006 20:13 848.274 PerfStringBackup.INI
01.01.2006 20:10 226.408 FNTCACHE.DAT
01.01.2006 19:39 1.158 wpa.dbl
01.01.2006 19:30 251 spupdwxp.log
01.01.2006 18:05 4.212 zllictbl.dat
08.12.2005 16:25 2.723.680 MRT.exe
01.12.2005 04:31 1.492.480 shdocvw.dll
24.11.2005 00:58 3.013.632 mshtml.dll
24.11.2005 00:58 1.022.464 browseui.dll
15.11.2005 00:51 71.440 zlcommdb.dll
15.11.2005 00:51 79.624 zlcomm.dll
15.11.2005 00:51 100.104 vsxml.dll
15.11.2005 00:51 382.728 vsutil.dll
15.11.2005 00:51 71.440 vsregexp.dll
15.11.2005 00:50 227.088 vspubapi.dll
15.11.2005 00:50 104.208 vsmonapi.dll
15.11.2005 00:50 141.064 vsinit.dll
15.11.2005 00:50 372.816 vsdatant.sys
15.11.2005 00:50 83.720 vsdata.dll
15.11.2005 00:34 54.960 vsutil_loc0407.dll
05.11.2005 04:16 606.208 urlmon.dll
05.11.2005 04:16 1.056.256 danim.dll
21.10.2005 04:40 664.064 wininet.dll
21.10.2005 04:40 474.112 shlwapi.dll
21.10.2005 04:40 39.424 pngfilt.dll
21.10.2005 04:40 146.432 msrating.dll
21.10.2005 04:40 448.512 mshtmled.dll
21.10.2005 04:40 530.944 mstime.dll
21.10.2005 04:40 96.768 inseng.dll
21.10.2005 04:40 251.392 iepeers.dll
21.10.2005 04:40 152.064 cdfview.dll
21.10.2005 04:40 205.312 dxtrans.dll
21.10.2005 04:40 55.808 extmgr.dll
20.10.2005 23:25 1.094.144 esent.dll
17.10.2005 20:58 65.536 QuickTimeVR.qtx
17.10.2005 20:57 49.152 QuickTime.qts
16.10.2005 19:47 176.167 rmoc3260.dll
16.10.2005 19:47 6.656 pndx5016.dll
16.10.2005 19:47 5.632 pndx5032.dll
16.10.2005 19:47 278.528 pncrt.dll
13.10.2005 00:11 15.584 spmsg.dll
07.10.2005 12:50 483.328 actskn45.ocx
06.10.2005 04:18 280.064 gdi32.dll
06.10.2005 04:08 1.839.616 win32k.sys

2.
Directory of C:\DOKUME~1\TOBIAS~1\LOKALE~1\Temp
02.01.2006 08:58 16.384 ~DF729D.tmp
02.01.2006 08:58 512 ~DFEED.tmp
02.01.2006 08:58 16.384 ~DFEA0.tmp
02.01.2006 08:58 16.384 Perflib_Perfdata_d6c.dat
4 File(s) 49.664 bytes
0 Dir(s) 20.282.793.984 bytes free

3.
Directory of C:\WINDOWS
02.01.2006 10:25 1.125 winamp.ini
02.01.2006 09:19 927 win.ini
02.01.2006 08:57 426.173 WindowsUpdate.log
02.01.2006 08:57 4.052 ModemLog_Smart Link 56K Modem.txt
02.01.2006 08:57 159 wiadebug.log
02.01.2006 08:57 50 wiaservc.log
02.01.2006 08:56 2.048 bootstat.dat
02.01.2006 08:55 32.622 SchedLgU.Txt
01.01.2006 20:06 2.901 mozver.dat
01.01.2006 19:32 316.640 WMSysPr9.prx
01.01.2006 18:26 0 nsreg.dat
01.01.2006 18:25 1.405.223 setupapi.log.0.old
01.01.2006 18:22 107.132 UninstallFirefox.exe
01.01.2006 17:21 0 tool5.exe
01.01.2006 17:21 0 tool4.exe
01.01.2006 17:21 0 tool3.exe
01.01.2006 17:21 0 tool1.exe
01.01.2006 17:21 0 toolbar.exe
01.01.2006 17:21 1.999 desktop.html
01.01.2006 17:20 0 uniq
30.12.2005 21:07 115 PTGE.INI
18.12.2005 14:58 115 PTEG.INI
27.08.2005 20:33 6.400 balloon.wav
27.05.2005 00:22 10.752 hh.exe
23.04.2005 09:53 1.333 hosts
23.04.2005 09:53 0 dimak
03.04.2005 12:53 211 uno.ini

4.
Directory of C:\
02.01.2006 12:09 0 sys.txt
02.01.2006 12:08 5.107 system.txt
02.01.2006 12:07 453 systemtemp.txt
02.01.2006 12:05 95.861 system32.txt
02.01.2006 08:56 1.610.612.736 pagefile.sys
01.01.2006 21:12 80.597 hpfr3740.log
01.01.2006 18:51 211 boot.ini
01.01.2006 18:45 47.564 NTDETECT.COM
01.01.2006 18:45 251.184 ntldr
30.12.2005 21:07 215 stterm.2
30.12.2005 21:07 0 stterm.u
23.08.2005 12:33 18 stterm
23.04.2005 09:53 252 tmp.txt

Silent Runners log:
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SunJavaUpdateSched" = "C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["Marmiko IT-Solutions GmbH"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"vmlib" = "vmlib.exe" [file not found]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"BearShare" = ""C:\Programme\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"AVGCtrl" = "C:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Shell" = "explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"" [MS], [file not found], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
EncodeDivXExt\(Default) = "{E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\DivX\Dr.DivX\EncodeDivXExt.dll" [empty string]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

Group Policies [Description]:
-----------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001 [enables Active Desktop and prevents disabling it]
HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html" [disables the Display Properties|Desktop (tab) (except the "Customize Desktop..." button); selects wallpaper if Active Desktop is enabled]

Active Desktop and Wallpaper:
-----------------------------
Active Desktop enabled via Group Policy.
Wallpaper selected via Group Policy.

Startup items in "Tobias Schäfer" & "All Users" startup folders:
----------------------------------------------------------------
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 29
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [file not found]
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

HOSTS file
----------
C:\WINDOWS\System32\drivers\etc\HOSTS
maps: 1 domain name to an IP address, 1 of the IP addresses is *not* localhost!

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AntiVir Service, AntiVirService, "C:\Programme\AVPersonal\AVGUARD.EXE" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Einfache TCP/IP-Dienste, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
IPv6-Hilfsdienst, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
RIP-Überwachung, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
SmartLinkService, SLService, "slserv.exe" [" "]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 43 seconds, including 10 seconds for message boxes)

Please help me!!!!
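The three warning lines in the Silent Runners log above are the SpySheriff desktop hijack in registry form: the Winlogon Shell value has a second executable appended (ibm00001.exe, already reported as [file not found]), and two Explorer policy values under HKCU force Active Desktop on and pin the wallpaper to C:\WINDOWS\desktop.html while locking the Desktop tab. The script below is an added example, not part of the thread and not Silent Runners' own code: it parses warning lines in Silent Runners' format (the sample is constructed, modelled on the log above), resets Shell to the XP default when anything is appended to it, emits `.reg` deletions for the two policy values, and lists every other warning as a comment for manual review, because Silent Runners flags every Winlogon\Notify entry, the legitimate ATI one included. The key paths and value names come from the log; the assumption is that these are the only two patterns the fix should touch automatically.

```python
import re

# Constructed excerpt in Silent Runners' line format, modelled on the log posted
# above (only the key headers and warning lines needed here are kept).
SAMPLE_SILENT_RUNNERS = r'''HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Shell" = "explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"" [MS], [file not found], [file not found], [file not found], [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001 [enables Active Desktop and prevents disabling it]
HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html" [disables the Display Properties|Desktop (tab) (except the "Customize Desktop..." button); selects wallpaper if Active Desktop is enabled]
'''

KEY_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU)\\(.+)\\$")
WARN_RE = re.compile(r'^(INFECTION|HIJACK) WARNING!\s+"?([^"=]+?)"?\s*=\s*(.*)$')
ANNOT_RE = re.compile(r"(\s*\[[^\]]*\],?)+\s*$")   # trailing [MS], [file not found], ...
ROOTS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
WALLPAPER_POLICIES = {"Wallpaper", "ForceActiveDesktopOn"}


def parse_value(rest):
    """Data after the '=' of a warning line: Silent Runners' trailing
    [annotations] and one pair of surrounding quotes removed, dword: kept."""
    data = ANNOT_RE.sub("", rest).strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return data


def parse_warnings(text):
    """Return {severity, key, name, data} for every WARNING line, attributed
    to the most recent registry key header above it."""
    key, out = None, []
    for line in text.splitlines():
        km = KEY_RE.match(line.strip())
        if km:
            key = ROOTS[km.group(1)] + "\\" + km.group(2)
            continue
        wm = WARN_RE.match(line.strip())
        if wm and key:
            out.append({"severity": wm.group(1), "key": key,
                        "name": wm.group(2), "data": parse_value(wm.group(3))})
    return out


def split_launch_value(value):
    """Split a Winlogon Shell value into executables; quoted paths stay whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]


def build_fix_reg(findings):
    """Turn parsed warnings into a .reg file: Shell reset to explorer.exe when
    something is appended, the two wallpaper policy values deleted ("=-"),
    everything else emitted as a ';' comment for a human to judge."""
    sections, review = {}, []
    for f in findings:
        key, name, data = f["key"], f["name"], f["data"]
        if key.lower().endswith(r"\winlogon") and name.lower() == "shell":
            extra = [e for e in split_launch_value(data) if e.lower() != "explorer.exe"]
            if extra:
                sections.setdefault(key, []).append('"Shell"="explorer.exe"')
                review.append("; removed from Shell: " + ", ".join(extra))
        elif key.lower() == POLICY_KEY.lower() and name in WALLPAPER_POLICIES:
            sections.setdefault(key, []).append('"%s"=-' % name)
        else:
            review.append("; review manually: [%s] %s = %s" % (key, name, data))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in sections.items():
        lines.append("[%s]" % key)
        lines.extend(values)
        lines.append("")
    lines.extend(review)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_fix_reg(parse_warnings(SAMPLE_SILENT_RUNNERS)))
```

Import the generated file with `regedit /s` from the affected user's account (the policy values live under HKCU), then remove desktop.html and the zero-byte tool*.exe stubs listed in the C:\WINDOWS directory above. The order matters less than completeness: a Shell value that still names a deleted file is what produces a "cannot find ibm00001.exe" message at every logon, so check HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon for a per-user Shell value as well, which Silent Runners did not list here.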
02.01.2006, 12:32
Honorary member
Posts: 29434
#29
valerossi
Go into the registry: Start --> Run --> regedit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"Wallpaper" = "C:\WINDOWS\desktop.html" <-- delete

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html
Options: Delete on Reboot / Process all in List --> tick
Paste in: ... and click the red cross; when asked "Do you want to reboot?" click "no" and paste in the next one, only click "yes" on the last one

C:\WINDOWS\tool5.exe
C:\WINDOWS\tool4.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\tool1.exe
C:\WINDOWS\toolbar.exe
C:\WINDOWS\desktop.html
C:\WINDOWS\uniq
C:\WINDOWS\balloon.wav
C:\WINDOWS\hosts
C:\WINDOWS\dimak

Restart the PC

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

SmitRem2.8
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Download --> boot into Safe Mode --> open the smitRem folder --> double-click RunThis.bat
Wait until the scan has finished (the screen will turn blue; that is normal)

http://siri.urz.free.fr/Fix/SmitfraudFix.zip
1. Double-click smitfraudfix.cmd
2. Press 1 (a report of the infected files is created)
3. Restart the PC, press F8 while it boots and choose "Safe Mode"
4. Double-click smitfraudfix.cmd
5. Press 2
6. At the question "Voulez-vous nettoyer le registre ?" (Do you want to clean the registry?) answer: o
If the file wininet.dll is found to be infected, answer the question "Corriger le fichier infecté ?" (Repair the infected file?) with o
When the scan has finished, copy the log file
------------------
Hijackthis
http://computercops.biz/zx/Merijn/hijackthis.zip
http://virus-protect.org/hjtkurz.html
Download/unpack HijackThis into a folder --> None of the above, just start the program --> Save --> Savelog --> the editor opens
Now copy the COMPLETE log with a right mouse click and "paste" it into the forum with a right mouse click
__________
Regards, Sabina
all about PC security
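The Silent Runners log earlier in the thread reported that the active hosts file, C:\WINDOWS\System32\drivers\etc\HOSTS, maps one name to an address that is not localhost. The C:\WINDOWS\hosts in the Killbox list above is a different file; removing it does not touch the active one, which is what the Hoster step in the same post is for. The script below is an added example, not from the thread and not Hoster's code: it parses a hosts file (the sample is constructed, with made-up names in the reserved .example TLD and a TEST-NET address, because the thread never shows the hijacked entry), flags mappings to non-loopback addresses (redirection) and loopback or 0.0.0.0 mappings of names other than localhost (sinkholing, the trick used to stop security-vendor updates from resolving), and carries the stock Windows mapping to restore.

```python
import ipaddress

# Constructed sample in Windows hosts-file syntax; names and addresses are made
# up (reserved .example names, TEST-NET-1 address), not taken from the thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.search.example            # redirect: name sent to a foreign host
127.0.0.1       update.antivirus.example      # sinkhole: name can never resolve
\t0.0.0.0\tads.tracker.example   # tab-separated entry; 0.0.0.0 is also a sinkhole
"""

# Names that legitimately point at loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# The only mapping a Windows XP hosts file ships with.
DEFAULT_WINDOWS_HOSTS = "127.0.0.1       localhost\n"


def parse_hosts(text):
    """Return (line_no, ip_address, [names]) for each mapping line.
    Comments (#) and blank lines are skipped; a line whose first field is not
    an IP address is ignored rather than raising, as the resolver would ignore it."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((n, ip, fields[1:]))
    return entries


def audit_hosts(text):
    """Return (line_no, verdict, ip, name) for every mapping that is not a
    stock localhost entry: 'redirect' when the target is a real address,
    'sinkhole' when a foreign name is pointed at loopback or 0.0.0.0."""
    findings = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            verdict = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            findings.append((n, verdict, str(ip), name))
    return findings


def is_clean(text):
    """True when the file contains nothing but localhost mappings."""
    return not audit_hosts(text)


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %-8s %-12s %s" % finding)
    print("stock file clean:", is_clean(DEFAULT_WINDOWS_HOSTS))
```

Run it against the file Silent Runners named, not the stray copy under C:\WINDOWS. One more check worth making on a machine like this: the resolver reads the hosts file from the directory named in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath, so a file that audits clean is no proof until that value still points at %SystemRoot%\System32\drivers\etc.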
02.01.2006, 13:47
...new here
Posts: 8
#30
Hi Sabina
I have now done everything as described. At the start, when Windows boots, an error message still appears: ibm00001.exe not found!!!!
Here are the logs:

SmitFraudFix log:
SmitFraudFix v2.11
Report made at 13:19:18.59 on 02.01.2006
Run from C:\Dokumente und Einstellungen\Tobias Schäfer\Druckumgebung\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Stopping processes
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Cleaning the registry
Cleaning finished.
»»»»»»»»»»»»»»»»»»»»»»»» End of report

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 13:43:20, on 02.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\BearShare\BearShare.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\Dokumente und Einstellungen\Tobias Schäfer\Druckumgebung\Desktop\Neuer Ordner\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vmlib] vmlib.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [BearShare] "C:\Programme\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1665febc752071ab5118/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136136312343
O17 - HKLM\System\CCS\Services\Tcpip\..\{88B41272-458A-48B5-BB11-C5D07DEF73B6}: NameServer = 217.237.149.225 217.237.150.141
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I did my best and always followed the instructions!!!
Regards, Tobias
Guys, this is all Greek to me. I can delete a few files etc., but I'm really not getting any further!! The desktop is back to normal, except that the icons are still blue ... and the red X is still there, and my Internet Exploder home page keeps coming back. Please help, and explain it a bit more simply! Or in more detail ^^