Can't get rid of the trojans

#0
17.11.2005, 17:41
...new here

Posts: 10
#1 Hello,
my PC behaves as if it were infected with PS Guard, but I can't remove it. My antivirus was deactivated and can't find it. Ewido didn't find anything either, only the Kaspersky online scanner did.

Trojan Backdoor, Agent and Qhost

Since I used the smirtem.tool, the whole system has been unstable and I can no longer run the Kaspersky online scanner.

Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 17:27:45, on 17.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Vládík\Plocha\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O21 - SSODL: IEFilter - {5083881C-CA8E-4B63-8846-071F1E9E92E4} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


datfindbat logs:
Svazek v jednotce C nemá žádnou jmenovku.
Sériové číslo svazku je B082-975F.

Výpis adresáře C:\WINDOWS\system32

16.11.2005 23:00 2 544 CONFIG.NT
16.11.2005 22:58 2 206 wpa.dbl
15.11.2005 11:36 0 filter.drv
15.11.2005 11:01 554 hgakheg.dll
15.11.2005 11:01 141 312 dnhexpei.exe

13.11.2005 19:02 43 520 CmdLineExt03.dll
12.11.2005 15:59 473 600 aswBoot.exe
12.11.2005 15:52 90 112 AVASTSS.scr
09.11.2005 20:56 38 905 nvapps.nvb
07.11.2005 19:21 111 784 FNTCACHE.DAT
01.11.2005 00:29 233 472 wrap_oal.dll
01.11.2005 00:29 81 920 OpenAL32.dll
30.10.2005 10:05 46 016 perfc005.dat
30.10.2005 10:05 309 716 perfh005.dat
30.10.2005 10:05 311 604 perfh009.dat
30.10.2005 10:05 39 992 perfc009.dat
30.10.2005 10:05 714 754 PerfStringBackup.INI

Svazek v jednotce C nemá žádnou jmenovku.
Sériové číslo svazku je B082-975F.

Výpis adresáře C:\DOCUME~1\VLDK~1\LOCALS~1\Temp


Svazek v jednotce C nemá žádnou jmenovku.
Sériové číslo svazku je B082-975F.

Výpis adresáře C:\WINDOWS

17.11.2005 17:24 0 0.log
17.11.2005 17:24 2 048 bootstat.dat
17.11.2005 16:33 5 037 072 spybotsd14.exe
15.11.2005 13:14 2 931 WTRAN32.INI
15.11.2005 13:14 0 XXLGSC
09.11.2005 20:24 31 101 648 81.85_forceware_winxp2k_international_whql.exe
07.11.2005 19:03 583 win.ini
04.11.2005 22:23 33 WTRDCTM.INI
04.11.2005 22:21 490 TRNCOM.INI
04.11.2005 22:21 666 WEBTRAN4.INI
04.11.2005 22:21 1 038 WDICT32.INI
26.10.2005 17:10 20 level.ini
26.10.2005 17:06 231 system.ini
26.10.2005 16:22 494 ODBC.INI
26.10.2005 15:38 737 280 iun6002.exe
26.10.2005 15:36 316 640 WMSysPr9.prx
26.10.2005 15:16 8 192 REGLOCS.OLD
26.10.2005 15:13 0 control.ini
26.10.2005 15:13 299 552 WMSysPrx.prx
26.10.2005 15:13 4 265 ODBCINST.INI
26.10.2005 15:12 749 WindowsShell.Manifest
26.10.2005 15:11 37 vbaddin.ini
26.10.2005 15:11 36 vb.ini
08.10.2003 10:41 57 344 SOUNDMAN.EXE
02.09.2003 06:54 208 896 alcupd.exe
17.07.2003 08:09 139 264 alcrmv.exe
09.11.2002 13:47 10 752 hh.exe


Svazek v jednotce C nemá žádnou jmenovku.
Sériové číslo svazku je B082-975F.

Výpis adresáře C:\

17.11.2005 17:49 0 sys.txt
17.11.2005 17:49 3 283 system.txt
17.11.2005 17:49 135 systemtemp.txt
17.11.2005 17:47 93 988 system32.txt
17.11.2005 17:24 805 306 368 pagefile.sys
17.11.2005 17:05 996 smitfiles.txt
30.10.2005 10:29 1 112 304 wrar351cz.exe
30.10.2005 10:25 5 580 416 wz100beta.exe
26.10.2005 15:13 0 CONFIG.SYS
26.10.2005 15:13 0 MSDOS.SYS
26.10.2005 15:13 0 IO.SYS
26.10.2005 15:13 0 AUTOEXEC.BAT
26.10.2005 15:09 194 boot.ini
29.08.2002 02:05 234 160 ntldr
28.08.2002 22:08 47 580 NTDETECT.COM
25.10.2001 15:00 4 952 Bootfont.bin
16 souborů, 812 384 376 bajtů
Adresářů: 0, Volných bajtů: 110 803 378 176



Finally, after 2 restarts, the online scanner ran through; here is the report:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, November 17, 2005 18:01:37
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/11/2005
Kaspersky Anti-Virus database records: 150648
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\VLDK~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 9471
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 281 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\dnhexpei.exe Infected: Backdoor.Win32.PPdoor.bm
C:\WINDOWS\system32\drivers\etc\hosts Infected: Trojan.Win32.Qhost.bu
C:\WINDOWS\system32\IEFilter.dll Infected: Trojan.Win32.Agent.fd
C:\WINDOWS\system32\MSIEHelper.dll Infected: Trojan.Win32.Agent.fd
C:\WINDOWS\system32\Service.exe Infected: Trojan.Win32.Agent.fd

Scan process completed.
This post was edited on 17.11.2005 at 18:01 by Perun.
19.11.2005, 16:30
Honorary member
Sabina

Posts: 29434
#2 KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Delete File on Reboot -- tick this option
paste in:
...
and click the red cross; when asked "Do you want to reboot?", click "no" and paste in the next one; only click "yes" for the last one

C:\WINDOWS\system32\hgakheg.dll
C:\WINDOWS\system32\biosefui.exe
C:\WINDOWS\system32\ydyzjmaa.dll
C:\WINDOWS\system32\dnhexpei.exe
C:\WINDOWS\system32\IEFilter.dll
C:\WINDOWS\system32\MSIEHelper.dll
C:\WINDOWS\system32\Service.exe
C:\WINDOWS\iun6002.exe

Restart the PC

In HijackThis, click "open the misc tool section" and then "delete an NT Service" and enter the names, but do this only for these O23 entries!

O21 - SSODL: IEFilter - {5083881C-CA8E-4B63-8846-071F1E9E92E4} - C:\WINDOWS\system32\IEFilter.dll

Restart the PC

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

Registry Search Tool
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
possible message from the virus scanner --- > warning: malicious script detected --> ignore

Double-click: regsrch.vbs
paste in:

IEFilter

Press 'OK'

wait until the search is finished. (Please post the result)
__________
Regards, Sabina

all about PC security
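How the Kaspersky detections in this thread line up with the HijackThis log, as an added example that is not part of any forum post: it cross-references the two reports to show which logged autostart entry loads an infected file and which infected files no logged entry points to. The sample data is a constructed subset of the lines posted above; the function names are assumptions made for this sketch.

```python
import ntpath
import re

# Constructed sample: a subset of lines from the HijackThis log posted in this thread.
HIJACKTHIS_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\ashServ.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O21 - SSODL: IEFilter - {5083881C-CA8E-4B63-8846-071F1E9E92E4} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
"""

# Constructed sample: the "Infected Object Name" block of the first Kaspersky report.
KASPERSKY_REPORT = r"""
Infected Object Name - Virus Name
C:\WINDOWS\system32\dnhexpei.exe Infected: Backdoor.Win32.PPdoor.bm
C:\WINDOWS\system32\drivers\etc\hosts Infected: Trojan.Win32.Qhost.bu
C:\WINDOWS\system32\IEFilter.dll Infected: Trojan.Win32.Agent.fd
C:\WINDOWS\system32\MSIEHelper.dll Infected: Trojan.Win32.Agent.fd
C:\WINDOWS\system32\Service.exe Infected: Trojan.Win32.Agent.fd
"""

# "O21 - SSODL: ..." -> section code plus the rest of the line.
HJT_ENTRY = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$')
# A drive-letter path ending in a loadable file type (paths may contain spaces).
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]+?\.(?:exe|dll|ocx|sys|scr)\b', re.I)
# "<path> Infected: <detection name>"
KAV_LINE = re.compile(r'^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<name>\S+)\s*$')


def norm(path):
    """Windows paths are case-insensitive, so compare normalised lower-case forms."""
    return ntpath.normpath(path.strip()).lower()


def parse_kaspersky(report):
    """Map each infected path to its detection name."""
    detections = {}
    for line in report.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            detections[norm(m["path"])] = m["name"]
    return detections


def parse_hijackthis(log):
    """Return (running process paths, [(section code, full line, [file paths])])."""
    processes, entries = [], []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        m = HJT_ENTRY.match(line)
        if m:
            in_processes = False
            paths = [norm(p) for p in WIN_PATH.findall(m["body"])]
            entries.append((m["code"], line, paths))
        elif in_processes and WIN_PATH.fullmatch(line):
            processes.append(norm(line))
    return processes, entries


def correlate(log, report):
    """Split detections into those a logged entry loads and those nothing logged references."""
    detections = parse_kaspersky(report)
    processes, entries = parse_hijackthis(log)
    loaders = [(code, line, detections[p])
               for code, line, paths in entries
               for p in paths if p in detections]
    running = [p for p in processes if p in detections]
    referenced = {p for _, _, paths in entries for p in paths} | set(processes)
    orphaned = sorted(p for p in detections if p not in referenced)
    return {"loaders": loaders, "running": running, "orphaned": orphaned}


if __name__ == "__main__":
    result = correlate(HIJACKTHIS_LOG, KASPERSKY_REPORT)
    for code, line, name in result["loaders"]:
        print(f"[{name}] loaded via {code}: {line}")
    for path in result["running"]:
        print(f"infected file is a running process: {path}")
    for path in result["orphaned"]:
        print(f"infected, but not referenced by any logged entry: {path}")
```

On the sample, only the O21 SSODL entry references a detected file; the other detections, including the modified hosts file, do not appear in any logged autostart entry, so they have to be handled at file level.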
20.11.2005, 17:46
...new here

Thread starter

Posts: 10
#3

Quote

Sabina posted
Restart the PC

In HijackThis, click "open the misc tool section" and then "delete an NT Service" and enter the names, but do this only for these O23 entries!
Here I didn't understand which names are meant

RegSch: No instances of "IEFilter" found



Logfile of HijackThis v1.99.1
Scan saved at 17:33:02, on 20.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Avast4\ashWebSv.exe
C:\Documents and Settings\Vládík\Plocha\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, November 20, 2005 17:44:10
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 20/11/2005
Kaspersky Anti-Virus database records: 150996
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 23027
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 551 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{A331153C-72B4-489B-8A60-CFCCEA764F06}\RP22\A0016178.exe Infected: Trojan.Win32.Agent.fd
C:\System Volume Information\_restore{A331153C-72B4-489B-8A60-CFCCEA764F06}\RP22\A0016179.dll Infected: Trojan.Win32.Agent.fd
C:\System Volume Information\_restore{A331153C-72B4-489B-8A60-CFCCEA764F06}\RP22\A0016180.dll Infected: Trojan.Win32.Agent.fd
C:\System Volume Information\_restore{A331153C-72B4-489B-8A60-CFCCEA764F06}\RP22\A0016181.exe Infected: Backdoor.Win32.PPdoor.bm

Scan process completed.



Svazek v jednotce C nemá žádnou jmenovku.
Sériové číslo svazku je B082-975F.

Výpis adresáře C:\WINDOWS\system32

16.11.2005 23:00 2 544 CONFIG.NT
16.11.2005 22:58 2 206 wpa.dbl
15.11.2005 11:36 0 filter.drv
13.11.2005 19:02 43 520 CmdLineExt03.dll
12.11.2005 15:59 473 600 aswBoot.exe
12.11.2005 15:52 90 112 AVASTSS.scr
09.11.2005 20:56 38 905 nvapps.nvb
07.11.2005 19:21 111 784 FNTCACHE.DAT
01.11.2005 00:29 233 472 wrap_oal.dll
01.11.2005 00:29 81 920 OpenAL32.dll
30.10.2005 10:05 309 716 perfh005.dat
30.10.2005 10:05 311 604 perfh009.dat
30.10.2005 10:05 46 016 perfc005.dat
30.10.2005 10:05 39 992 perfc009.dat
30.10.2005 10:05 714 754 PerfStringBackup.INI
26.10.2005 17:09 0 h323log.txt
26.10.2005 17:07 98 304 CmdLineExt.dll
26.10.2005 15:18 25 065 wmpscheme.xml
26.10.2005 15:16 386 $winnt$.inf
26.10.2005 15:13 16 832 amcompat.tlb
26.10.2005 15:13 23 392 nscompat.tlb
26.10.2005 15:13 488 logonui.exe.manifest
26.10.2005 15:13 488 WindowsLogon.manifest
26.10.2005 15:12 749 ncpa.cpl.manifest
26.10.2005 15:12 749 cdplayer.exe.manifest
26.10.2005 15:12 749 sapi.cpl.manifest
26.10.2005 15:12 749 wuaucpl.cpl.manifest
26.10.2005 15:12 749 nwc.cpl.manifest
26.10.2005 15:11 21 812 emptyregdb.dat

Svazek v jednotce C nemá žádnou jmenovku.
Sériové číslo svazku je B082-975F.

Výpis adresáře C:\DOCUME~1\VLDK~1\LOCALS~1\Temp


Svazek v jednotce C nemá žádnou jmenovku.
Sériové číslo svazku je B082-975F.

Výpis adresáře C:\WINDOWS

20.11.2005 17:46 60 setupact.log
20.11.2005 17:46 0 setuperr.log
20.11.2005 17:28 0 0.log
20.11.2005 17:28 2 048 bootstat.dat
17.11.2005 16:33 5 037 072 spybotsd14.exe
15.11.2005 13:14 2 931 WTRAN32.INI
15.11.2005 13:14 0 XXLGSC
09.11.2005 20:24 31 101 648 81.85_forceware_winxp2k_international_whql.exe
07.11.2005 19:03 583 win.ini
04.11.2005 22:23 33 WTRDCTM.INI
04.11.2005 22:21 490 TRNCOM.INI
04.11.2005 22:21 666 WEBTRAN4.INI
04.11.2005 22:21 1 038 WDICT32.INI
26.10.2005 17:10 20 level.ini
26.10.2005 17:06 231 system.ini
26.10.2005 16:22 494 ODBC.INI
26.10.2005 15:36 316 640 WMSysPr9.prx
26.10.2005 15:16 8 192 REGLOCS.OLD
26.10.2005 15:13 0 control.ini
26.10.2005 15:13 299 552 WMSysPrx.prx
26.10.2005 15:13 4 265 ODBCINST.INI
26.10.2005 15:12 749 WindowsShell.Manifest
26.10.2005 15:11 37 vbaddin.ini
26.10.2005 15:11 36 vb.ini
08.10.2003 10:41 57 344 SOUNDMAN.EXE


Svazek v jednotce C nemá žádnou jmenovku.
Sériové číslo svazku je B082-975F.

Výpis adresáře C:\

20.11.2005 17:48 0 sys.txt
20.11.2005 17:47 3 334 system.txt
20.11.2005 17:47 135 systemtemp.txt
20.11.2005 17:47 93 738 system32.txt
20.11.2005 17:46 996 smitfiles.txt
20.11.2005 17:28 805 306 368 pagefile.sys
30.10.2005 10:29 1 112 304 wrar351cz.exe
30.10.2005 10:25 5 580 416 wz100beta.exe
26.10.2005 15:13 0 CONFIG.SYS
26.10.2005 15:13 0 MSDOS.SYS
26.10.2005 15:13 0 IO.SYS
26.10.2005 15:13 0 AUTOEXEC.BAT
26.10.2005 15:09 194 boot.ini
29.08.2002 02:05 234 160 ntldr
28.08.2002 22:08 47 580 NTDETECT.COM
25.10.2001 15:00 4 952 Bootfont.bin
16 souborů, 812 384 177 bajtů
Adresářů: 0, Volných bajtů: 110 798 553 088
This post was edited on 20.11.2005 at 17:50 by Perun.
20.11.2005, 21:34
Honorary member
Sabina

Posts: 29434
#4 Disable System Restore
XP
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".
http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/gdocid/20030807105707924

reboot, then re-enable it

Registry Search Tool

http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
possible message from the virus scanner --- > warning: malicious script detected --> ignore

Double-click: regsrch.vbs
paste in:

IEFilter

Press 'OK'

wait until the search is finished. (Please post the result)

---------------------------------------------------------------------------------
then scan and post the scan reports
http://virus-protect.org/multiavtool.html
__________
Regards, Sabina

all about PC security
26.11.2005, 18:11
...new here

Thread starter

Posts: 10
#5 RegSch: No instances of "IEFilter" found


Sophos Anti-Virus
Version 4.00.0 [Win32/Intel]
Virus data version 4.00, December 2005
Includes detection for 114549 viruses, trojans and worms
Copyright (c) 1989-2005 Sophos Plc, www.sophos.com

System time 17:03:02, System date 26 November 2005
Command line qualifiers are: -f -di -all -remove -mime -mbr -noc -archive -opt=ISCabinet

IDE directory is: c:\AV-CLS\Sophos

1 master boot record swept.
24866 files swept in 30 minutes and 24 seconds.
38 errors were encountered.
No viruses were discovered.
9 encrypted files were not checked.
Ending Sophos Anti-Virus.



Trend = no report
McAfee = no report

AVPDOS32 Start 26-11-2005 17:48:52


Version 3.0 build 135
Last update: 26.11.2005, 159438 records.

Command line: /- /E /* /MD /MP /Y /Z- /W+=ScanReport.txt C:
Profile defdos32.prf (from 27.06.2001 03:00:00)


Scan process completed.

Result for all objects:

Sector Objects : 0 Known viruses : 1
Files : 60115 Virus bodies : 1
Folders : 1522 Disinfected : 0
Archives : 654 Deleted : 1
Packed : 197 Warnings : 0
Suspicious : 0
Scan speed (Kb/sec) : 9779 Corrupted : 0
Scan time : 00:22:30 I/O Errors : 0
26.11.2005, 20:51
Honorary member
Sabina

Posts: 29434
#6 scan with Kaspersky and post the scan report
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security