Wie entferne ich den Virus W32/Nsag.B?

#61 Redfire

nun ja...du haettest auch einen eigenen Thread eroeffnen koennen....seufz....

1.Log
Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: 009D-68C0

Verzeichnis von C:\WINDOWS\system32

26.12.2005 21:49 28.996 nvapps.xml
24.12.2005 17:11 36.864 intercept.dll
24.12.2005 15:22 6.652 scmt16.exe
22.12.2005 18:23 2.206 wpa.dbl
08.12.2005 07:36 7.006 jupdate-1.5.0_06-b05.log
27.11.2005 17:33 4.182 KGyGaAvL.sys
27.11.2005 17:33 56 32730BF033.sys
21.11.2005 17:54 96.256 sptd2141.sys
21.11.2005 17:43 98.304 CmdLineExt.dll
10.11.2005 13:03 127.078 javaws.exe
10.11.2005 13:03 49.265 jpicpl32.cpl
10.11.2005 11:27 49.250 javaw.exe
10.11.2005 11:27 49.248 java.exe
09.11.2005 21:11 91.888 FNTCACHE.DAT
30.10.2005 22:27 316.594 perfh007.dat
30.10.2005 22:27 311.604 perfh009.dat
30.10.2005 22:27 39.992 perfc009.dat
30.10.2005 22:27 48.156 perfc007.dat
30.10.2005 22:27 723.744 PerfStringBackup.INI
13.10.2005 00:11 15.584 spmsg.dll
06.10.2005 04:18 280.064 gdi32.dll
06.10.2005 04:08 1.839.616 win32k.sys
04.10.2005 16:26 3.013.120 mshtml.dll
23.09.2005 16:54 34.064 lhacm.acm
23.09.2005 04:06 8.491.520 shell32.dll
21.09.2005 11:29 2.778 qtplugin.log
14.09.2005 22:28 608.448 comctl32.ocx
14.09.2005 20:17 53.248 pxhpinst.exe
10.09.2005 02:54 2.067.968 cdosys.dll
03.09.2005 00:53 664.064 WININET.DLL.VIR
03.09.2005 00:53 18.432 oleext.dll
03.09.2005 00:53 1.484.288 shdocvw.dll
03.09.2005 00:53 530.432 mstime.dll
03.09.2005 00:53 448.512 mshtmled.dll
03.09.2005 00:53 55.808 extmgr.dll
03.09.2005 00:53 96.768 inseng.dll
03.09.2005 00:53 39.424 pngfilt.dll
03.09.2005 00:53 251.392 iepeers.dll

2.Log
Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: 009D-68C0

Verzeichnis von C:\DOKUME~1\Mace\LOKALE~1\Temp

3.Log
Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: 009D-68C0

Verzeichnis von C:\WINDOWS

26.12.2005 23:24 513 DFC.INI
26.12.2005 21:49 1.389.101 WindowsUpdate.log
26.12.2005 21:49 159 wiadebug.log
26.12.2005 21:49 50 wiaservc.log
26.12.2005 21:49 2.048 bootstat.dat
26.12.2005 12:22 32.638 SchedLgU.Txt
24.12.2005 17:11 36.864 intercept.dll
24.12.2005 15:31 227 system.ini
24.12.2005 15:31 770 win.ini
24.12.2005 15:23 3.087 secure32.html
24.12.2005 15:22 61.726 kl.exe
24.12.2005 15:22 0 uniq
24.12.2005 13:50 139 msicpl.ini
16.12.2005 19:32 116 NeroDigital.ini
15.12.2005 21:28 2 msoffice.ini
09.12.2005 06:34 3.372 mozver.dat
02.12.2005 19:45 1.125 winamp.ini
01.12.2005 14:41 99.970 UninstallFirefox.exe
12.10.2005 14:08 7.777 Userpic2.jpg
12.10.2005 14:04 5.259 Userpicplain.jpg
17.08.2005 16:10 97 acc1.txt
15.08.2005 20:56 811 eReg.dat

4.Log
Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: 009D-68C0

Verzeichnis von C:\

26.12.2005 23:26 0 sys.txt
26.12.2005 23:25 4.980 system.txt
26.12.2005 23:25 125 systemtemp.txt
26.12.2005 23:24 104.744 system32.txt
26.12.2005 21:49 805.306.368 pagefile.sys
24.12.2005 21:50 1.267 smitfiles.txt
24.12.2005 15:31 211 boot.ini
21.11.2005 17:54 664.064 sptd.sys
17.08.2005 16:12 0 BHO.log
17.08.2005 16:10 5.416 ResponseText.log
17.08.2005 16:10 5.668 ResponseXML.log
17.08.2005 16:10 426 Request.log

-----------------------------------------------------------------------


ich moechte gern noch das Log vom HijackThis sehen.....
http://virus-protect.org/hjtkurz.html
__________
MfG Sabina

rund um die PC-Sicherheit

#62

Zitat

Sabina postete
adsspy...scanne, dann loesche alle steams, das ist sehr wichtig...es gibt eine Funktion, mit der du alle loeschen kannst.
optionen asspy: Quick scan und ignore system data info streams ist das ok?
dann loesche die obrigen Dateien mit der killbox

PC neustarten
+
INTURS.DAT--> rechtsklick--> oeffnen mit dem Editor--> poste, was dort steht

#63 Sry wollte nicht noch weiter auf machen.
Hier meine Hijack Log.


Logfile of HijackThis v1.99.1
Scan saved at 01:10:51, on 27.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\FRITZ!DSL\Awatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\USB Disk Tool\USNDISKT.EXE
C:\WINDOWS\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\TGTSoft\StyleXP\StyleXP.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\Mace\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programme\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Programme\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [AWatch] C:\Programme\FRITZ!DSL\Awatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [USB Disk Tool] C:\Programme\USB Disk Tool\USNDISKT.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Shell] "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EC78D46-BA93-4F6A-85B2-992754612E4D}: NameServer = 217.237.150.141 217.237.150.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{495B316F-5C97-4228-B25A-20817DDF157D}: NameServer = 192.168.122.252,192.168.122.253
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EC78D46-BA93-4F6A-85B2-992754612E4D}: NameServer = 217.237.150.141 217.237.150.97
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe

MfG Red

#64

Zitat

Sabina postete
stta

Quick scan und ignore system data info streams ist das ok?--> ist o.k.

erst mal machst du den scan, wenn dann die Streams erscheinen, muss es auch eine remove-Funktion geben
am besten...du postest erst mal, was der scan ergibt

__________
MfG Sabina

rund um die PC-Sicherheit

#65 Redfire

Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten --> kopiere das Ergebnis in das Sicherheitsforum
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\32730BF033.sys
C:\WINDOWS\system32\sptd2141.sys
C:\sptd.sys
C:\WINDOWS\system32\javaw.exe
C:\WINDOWS\system32\java.exe
__________
MfG Sabina

rund um die PC-Sicherheit

#66

Zitat

Sabina postete
adsspy...scanne, dann loesche alle steams, das ist sehr wichtig...es gibt eine Funktion, mit der du alle loeschen kannst.
habe alle gelöscht
dann loesche die obrigen Dateien mit der killbox
habe ich gemacht

4logs:

Verzeichnis von C:\

27.12.2005 01:24 0 sys.txt
27.12.2005 01:24 9.500 system.txt
27.12.2005 01:24 1.701 systemtemp.txt
27.12.2005 01:24 103.312 system32.txt
25.12.2005 22:02 2.080 smitfiles.txt
01.09.2005 20:59 4.947.958 adorage-protocol.txt
05.02.2005 16:32 1.512 sataraidevents.log
05.02.2005 11:22 211 boot.ini
05.02.2005 11:18 47.564 NTDETECT.COM

Verzeichnis von C:\WINDOWS

27.12.2005 01:20 1.998.696 WindowsUpdate.log
27.12.2005 01:20 12.689 KB905915.log
27.12.2005 01:19 0 0.log
27.12.2005 01:19 159 wiadebug.log
27.12.2005 01:19 50 wiaservc.log
27.12.2005 01:19 2.048 bootstat.dat
27.12.2005 01:17 32.618 SchedLgU.Txt
26.12.2005 11:07 1.378 QUICKEN.INI
26.12.2005 09:17 567 win.ini
26.12.2005 09:16 670.219 setupapi.log
25.12.2005 21:57 185.284 setupact.log
25.12.2005 21:49 702.930 ntbtlog.txt
25.12.2005 00:06 19.141 KB902400.log
25.12.2005 00:06 16.036 msgsocm.log
24.12.2005 08:58 7.503 KB886185.log
24.12.2005 08:58 30 INTURS.DAT
22.12.2005 17:42 54.156 QTFont.qfn
19.12.2005 22:14 116.683 wmsetup.log
18.12.2005 23:36 322 _delis43.ini
18.12.2005 00:14 0 nsreg.dat
17.12.2005 12:18 400.330 iis6.log
17.12.2005 12:18 69.925 ntdtcsetup.log
17.12.2005 12:18 116.376 comsetup.log
17.12.2005 12:18 16.710 tabletoc.log
17.12.2005 12:18 1.393 imsins.log
17.12.2005 12:18 156.432 KB896424.log
17.12.2005 12:18 55.852 netfxocm.log
17.12.2005 12:18 166.895 ocgen.log
17.12.2005 12:18 313.149 FaxSetup.log
17.12.2005 12:18 107.880 msmqinst.log
17.12.2005 12:18 20.102 updspapi.log
17.12.2005 12:18 1.393 imsins.BAK
17.12.2005 12:18 7.200 KB910437.log
12.12.2005 20:11 56.541 KB896688.log
06.12.2005 17:29 141 AVMASTER.INI
06.12.2005 17:29 116 NeroDigital.ini
06.12.2005 09:27 26.680 F„cher.bmp
06.12.2005 09:27 80 explorer.scf
04.12.2005 17:41 150.966 tsoc.log
29.11.2005 21:23 23.285 medctroc.Log
29.11.2005 21:23 18.024 ocmsn.log
26.11.2005 12:55 197.761 cwfjv.log
06.11.2005 10:49 1.409 QTFont.for
18.10.2005 18:02 148 VUI.pref
15.10.2005 20:09 13.482 KB900725.log
15.10.2005 20:09 11.972 KB905749.log
15.10.2005 20:00 16.982 KB904706.log
15.10.2005 20:00 17.282 KB905414.log
15.10.2005 20:00 16.472 KB901017.log
15.10.2005 20:00 16.453 KB899589.log
31.08.2005 09:02 17.705 cdplayer.ini


Verzeichnis von C:\DOKUME~1\Walter\LOKALE~1\Temp

27.12.2005 01:19 32.768 ~DFB0A9.tmp
27.12.2005 01:19 32.768 ~DF6ADA.tmp
27.12.2005 01:19 16.384 ~DF4259.tmp
27.12.2005 01:19 49.152 ~DF2063.tmp
27.12.2005 01:19 1.332 jusched.log
27.12.2005 01:14 16.384 ~DF3FA4.tmp
27.12.2005 00:47 32.768 ~DFE0C1.tmp
27.12.2005 00:46 16.384 ~DF890E.tmp
27.12.2005 00:46 49.152 ~DF5849.tmp
27.12.2005 00:46 32.768 ~DF5CC5.tmp
27.12.2005 00:43 16.384 ~DF9324.tmp
27.12.2005 00:40 32.768 ~DFB8B7.tmp
27.12.2005 00:40 32.768 ~DF53C9.tmp
27.12.2005 00:40 16.384 ~DF5278.tmp
27.12.2005 00:40 49.152 ~DF2585.tmp
26.12.2005 09:10 32.768 ~DFBE13.tmp
26.12.2005 09:09 16.384 ~DF80CF.tmp
26.12.2005 09:09 49.152 ~DF43EE.tmp
26.12.2005 09:09 32.768 ~DF3579.tmp
25.12.2005 22:16 32.768 ~DFA336.tmp
25.12.2005 22:15 16.384 ~DF5E1F.tmp
25.12.2005 22:15 32.768 ~DF3DBD.tmp
25.12.2005 22:15 49.152 ~DF2ABD.tmp
25.12.2005 22:02 32.768 ~DFC24C.tmp
25.12.2005 22:02 49.152 ~DF9884.tmp
25.12.2005 22:02 2.550 1.tmp
25.12.2005 22:02 32.768 ~DFC0B2.tmp
25.12.2005 22:01 16.384 ~DF7873.tmp
25.12.2005 21:50 32.768 ~DF46CF.tmp
25.12.2005 21:49 16.384 ~DF6278.tmp
30 Datei(en) 872.234 Bytes


Verzeichnis von C:\WINDOWS\system32

20.12.2005 14:44 2.206 wpa.dbl
17.12.2005 17:50 175.464 FNTCACHE.DAT
08.12.2005 16:25 2.723.680 MRT.exe
30.10.2005 07:00 311.604 perfh009.dat
30.10.2005 07:00 316.594 perfh007.dat
30.10.2005 07:00 39.992 perfc009.dat
30.10.2005 07:00 48.156 perfc007.dat
30.10.2005 07:00 723.744 PerfStringBackup.INI
20.10.2005 23:25 1.094.144 esent.dll
20.10.2005 15:37 40.960 SDelete.dll
20.10.2005 15:37 24.924 openports.dll
18.10.2005 17:58 87 ssprs.tgz
18.10.2005 17:58 73 ssprs.dll
18.10.2005 17:58 219 lsprst7.tgz
18.10.2005 17:58 205 lsprst7.dll
13.10.2005 00:11 15.584 spmsg.dll
06.10.2005 04:18 280.064 gdi32.dll
06.10.2005 04:08 1.839.616 win32k.sys
23.09.2005 04:06 8.491.520 shell32.dll
10.09.2005 02:54 2.067.968 cdosys.dll
03.09.2005 00:53 474.112 shlwapi.dll
01.09.2005 02:44 292.352 winsrv.dll
01.09.2005 02:44 19.968 linkinfo.dll


PC neustarten
+
INTURS.DAT--> rechtsklick--> oeffnen mit dem Editor--> poste, was dort steht

inturs.dat:

Ʌ㱙рឤԀ鱖ꬶρﮒԀ
䀀


Das hatte ich vorhin auch noch gemacht:
Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

#67 Hier mein Scan.

This is a report processed by VirusTotal on 12/27/2005 at 01:25:15 (CET) after scanning the file "32730BF033.sys" file.

Antivirus Version Update Result
AntiVir 6.33.0.70 12.26.2005 no virus found
Avast 4.6.695.0 12.24.2005 no virus found
AVG 718 12.23.2005 no virus found
Avira 6.33.0.70 12.26.2005 no virus found
BitDefender 7.2 12.27.2005 no virus found
CAT-QuickHeal 8.00 12.24.2005 no virus found
ClamAV devel-20051108 12.26.2005 no virus found
DrWeb 4.33 12.26.2005 no virus found
eTrust-Iris 7.1.194.0 12.26.2005 no virus found
eTrust-Vet 12.4.1.0 12.25.2005 no virus found
Fortinet 2.54.0.0 12.26.2005 no virus found
F-Prot 3.16c 12.26.2005 no virus found
Ikarus 0.2.59.0 12.23.2005 no virus found
Kaspersky 4.0.2.24 12.27.2005 no virus found
McAfee 4659 12.26.2005 no virus found
NOD32v2 1.1340 12.26.2005 no virus found
Norman 5.70.10 12.26.2005 no virus found
Panda 8.02.00 12.26.2005 no virus found
Sophos 4.01.0 12.26.2005 no virus found
Symantec 8.0 12.27.2005 no virus found
TheHacker 5.9.1.061 12.25.2005 no virus found
VBA32 3.10.5 12.26.2005 no virus found

VirusTotal is a free service offered by Hispasec Sistemas.
There are no guarantees about the availability and continuity of this service.
Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product,
these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

This is a report processed by VirusTotal on 12/27/2005 at 01:29:35 (CET) after scanning the file "sptd2141.sys" file.

Antivirus Version Update Result
AntiVir 6.33.0.70 12.26.2005 no virus found
Avast 4.6.695.0 12.24.2005 no virus found
AVG 718 12.23.2005 no virus found
Avira 6.33.0.70 12.26.2005 no virus found
BitDefender 7.2 12.27.2005 no virus found
CAT-QuickHeal 8.00 12.24.2005 no virus found
ClamAV devel-20051108 12.26.2005 no virus found
DrWeb 4.33 12.26.2005 no virus found
eTrust-Iris 7.1.194.0 12.26.2005 no virus found
eTrust-Vet 12.4.1.0 12.25.2005 no virus found
Fortinet 2.54.0.0 12.26.2005 no virus found
F-Prot 3.16c 12.26.2005 no virus found
Ikarus 0.2.59.0 12.23.2005 no virus found
Kaspersky 4.0.2.24 12.27.2005 no virus found
McAfee 4659 12.26.2005 no virus found
NOD32v2 1.1340 12.26.2005 no virus found
Norman 5.70.10 12.26.2005 no virus found
Panda 8.02.00 12.26.2005 no virus found
Sophos 4.01.0 12.26.2005 no virus found
Symantec 8.0 12.27.2005 no virus found
TheHacker 5.9.1.061 12.25.2005 no virus found
VBA32 3.10.5 12.26.2005 no virus found

VirusTotal is a free service offered by Hispasec Sistemas.
There are no guarantees about the availability and continuity of this service.
Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product,
these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

#68 stta

loesche:
inturs.dat

wende cleanUp genau nach Anleitung ab
http://virus-protect.org/cleanup.html
Verzeichnis von C:\DOKUME~1\Walter\LOKALE~1\Temp
--> muss leer sein

arbeite die scanner ab (berichte, falls etwas gefunden wurde)
http://virus-protect.org/multiavtool.html

nun scanne mit kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#69 Redfire

SmitRem2.8
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

laden--> in den abgesicherten Modus booten --> öffne smitRem folder --> Doppelklick: RunThis.bat
warte, bis der Scan beendet ist (der Bildschirm wird blau werden. das ist normal)
suche smitfiles.txt und kopiere die Textdatei in den Thread

morgen erklaere ich dir dann, wie du den anderen Virus loeschen kannst....heute ist es zu spaet....ich kann mich nicht mehr konzentrieren....
__________
MfG Sabina

rund um die PC-Sicherheit

#70 So da bin ich wieder.
Hier die txt datei.


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 852 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN!

#71

Zitat

Sabina postete
stta

loesche:
inturs.dat

gelöscht

wende cleanUp genau nach Anleitung ab
http://virus-protect.org/cleanup.html
Verzeichnis von C:\DOKUME~1\Walter\LOKALE~1\Temp
--> muss leer sein

cleanUp nach Anleitung folgender log:

CleanUp! started on 12/27/05 18:43:50.
C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Verlauf\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
'Typed URLs' (Internet Explorer) - removed from the registry.
C:\Dokumente und Einstellungen\Walter\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\DOKUME~1\Walter\LOKALE~1\Temp\jusched.log - deleted
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DF4D76.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DF62E6.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DF91B0.tmp - deleted
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DFE94D.tmp - deleted
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DF4D76.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DF62E6.tmp currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\Walter\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\Walter\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Prefetch\CLEANUP.EXE-32BD6F36.pf - deleted
'Run MRU' list - removed from the registry.
Paint Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
WinZip Extract MRU list - removed from the registry.
WinZip File MRU list - removed from the registry.
CleanUp! 4.0 recovered 59.9 KB of disk space from 4 files.
CleanUp! finished on 12/27/05 18:43:50.

nach dem neustart im temp folder trotzdem folgende Dateien

C:\Dokumente und Einstellungen\Walter\LOKALE~1\Temp>dir
Datenträger in Laufwerk C: ist System
Volumeseriennummer: 0018-FFF4

Verzeichnis von C:\Dokumente und Einstellungen\Walter\LOKALE~1\Temp

27.12.2005 18:44 <DIR> .
27.12.2005 18:44 <DIR> ..
27.12.2005 18:44 222 jusched.log
27.12.2005 18:44 16.384 ~DF3C79.tmp
27.12.2005 18:42 32.768 ~DF4D76.tmp
27.12.2005 18:44 32.768 ~DF5C92.tmp
27.12.2005 18:42 49.152 ~DF62E6.tmp
27.12.2005 18:44 49.152 ~DFD3D.tmp
27.12.2005 18:44 32.768 ~DFF82E.tmp
7 Datei(en) 213.214 Bytes
2 Verzeichnis(se), 12.037.124.096 Bytes frei





Habe das Problem mit CleanUp nochmal nachfolzogen, beim zweiten Versuch folgender log :

CleanUp! started on 12/27/05 18:49:32.
C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Verlauf\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Verlauf\History.IE5\MSHist012005122720051228\index.dat - deleted
C:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Verlauf\History.IE5\MSHist012005122720051228\ - deleted
'Typed URLs' (Internet Explorer) - removed from the registry.
Visited: Walter@file:///C:/Dokumente%20und%20Einstellungen/Walter/Desktop/Neu%20Textdokument.txt - deleted
Visited: Walter@about:Home - deleted
C:\Dokumente und Einstellungen\Walter\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\Walter\Recent\Neu Textdokument.txt.lnk - deleted
C:\DOKUME~1\Walter\LOKALE~1\Temp\jusched.log - deleted
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DF3C79.tmp - deleted
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DF4D76.tmp - deleted
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DF5C92.tmp - deleted
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DF62E6.tmp - deleted
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DFD3D.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DFF82E.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DFD3D.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOKUME~1\Walter\LOKALE~1\Temp\~DFF82E.tmp currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\Walter\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\Walter\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Dokumente und Einstellungen\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Prefetch\CLEANUP.EXE-32BD6F36.pf - deleted
C:\WINDOWS\Prefetch\CMD.EXE-18AA480B.pf - deleted
C:\WINDOWS\Prefetch\EXPLORER.EXE-04FFEABC.pf - deleted
C:\WINDOWS\Prefetch\FIREFOX.EXE-023BAB85.pf - deleted
C:\WINDOWS\Prefetch\IMAPI.EXE-00F69F6B.pf - deleted
C:\WINDOWS\Prefetch\JUSCHED.EXE-17BECCCC.pf - deleted
C:\WINDOWS\Prefetch\LOGONUI.EXE-306FB0A4.pf - deleted
C:\WINDOWS\Prefetch\NOTEPAD.EXE-1D460EEF.pf - deleted
C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf - deleted
C:\WINDOWS\Prefetch\NWIZ.EXE-2D868757.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-38693527.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-3DD51921.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-6687CE94.pf - deleted
C:\WINDOWS\Prefetch\STCENTER.EXE-074E05D9.pf - deleted
C:\WINDOWS\Prefetch\SUNSERVER.EXE-02905DBC.pf - deleted
C:\WINDOWS\Prefetch\TBPANEL.EXE-24C72497.pf - deleted
C:\WINDOWS\Prefetch\UPDATE.EXE-012E66DE.pf - deleted
C:\WINDOWS\Prefetch\USERINIT.EXE-0FFC3F7E.pf - deleted
C:\WINDOWS\Prefetch\WMIPRVSE.EXE-23177086.pf - deleted
C:\WINDOWS\Prefetch\WUAUCLT.EXE-141D0725.pf - deleted
Emptied Recycle Bin on drive C:
'Run MRU' list - removed from the registry.
Paint Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
WinZip Extract MRU list - removed from the registry.
WinZip File MRU list - removed from the registry.
CleanUp! 4.0 recovered 1.2 MB of disk space from 30 files.
CleanUp! finished on 12/27/05 18:49:33.


nach dem Neustart:

Verzeichnis von C:\Dokumente und Einstellungen\Walter\LOKALE~1\Temp

27.12.2005 18:53 <DIR> .
27.12.2005 18:53 <DIR> ..
27.12.2005 18:53 222 jusched.log
27.12.2005 18:53 32.768 ~DF3703.tmp
27.12.2005 18:53 49.152 ~DF3A69.tmp
27.12.2005 18:53 16.384 ~DF5ECE.tmp
27.12.2005 18:53 32.768 ~DF9F36.tmp
5 Datei(en) 131.294 Bytes
2 Verzeichnis(se), 12.038.651.904 Bytes frei

die temp dateien scheinen also immer wieder neu angelegt zu werden.

#72 stta

arbeite die scanner ab (berichte, falls etwas gefunden wurde)
http://virus-protect.org/multiavtool.html

nun scanne mit kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#73 Redfire

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot / Process all in List )--> anhaken
reinkopieren:
...
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"

C:\WINDOWS\system32\nvapps.xml
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.dll
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00002.dll
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\tmp.tmp
C:\WINDOWS\system32\intercept.dll
C:\WINDOWS\system32\scmt16.exe
C:\WINDOWS\system32\WININET.DLL.VIR
C:\WINDOWS\system32\oleext.dll
C:\WINDOWS\intercept.dll
C:\WINDOWS\secure32.html
C:\WINDOWS\kl.exe
C:\WINDOWS\uniq

PC neustarten

öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Shell] "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp.cab


Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

nun scanne mit kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html
-----------------------------------------------------------------

http://www.malwareupload.com/
Log Dich mit Deiner E-Mail Adresse bei Malwareupload ein und lade die suspekte Datei hoch. Du wirst so schnell wie möglich per E-Mail darüber informiert, ob die Datei wirklich schädlich ist und um welchen Schädling es sich handelt.

C:\WINDOWS\system32\32730BF033.sys
C:\WINDOWS\system32\sptd2141.sys
C:\sptd.sys

-------------

Info:ibm00001.exe
http://virus-protect.org/artikel/spyware/ibm00000.html
__________
MfG Sabina

rund um die PC-Sicherheit

#74 1.log

Sophos Anti-Virus
Version 4.01.0 [Win32/Intel]
Virus data version 4.01, January 2006
Includes detection for 116689 viruses, trojans and worms
Copyright (c) 1989-2006 Sophos Plc, www.sophos.com

System time 22:18:12, System date 27 December 2005
Command line qualifiers are: -f -di -all -remove -mime -mbr -noc -archive -opt=ISCabinet

IDE directory is: c:\AV-CLS\Sophos


Password protected file c:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\PSGuard.zip\sbRecovery.ini
Password protected file c:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy\Recovery\PSGuard.zip\comment
Could not open c:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Could not open c:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Could not open c:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Could not open c:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Could not open c:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Could not open c:\Dokumente und Einstellungen\Walter\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Could not check c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP253\snapshot\ComDb.Dat (corrupt)

>>> Virus 'Troj/Iefeat-AK' found in file c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP289\A0031174.exe
Removal successful
>>> Virus 'Troj/Iefeat-AK' found in file c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP289\A0031175.exe
Removal successful
>>> Virus 'Troj/Iefeat-AK' found in file c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP289\A0031176.exe
Removal successful
>>> Virus 'Troj/SpyDldr-C' found in file c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP289\A0031177.exe
Removal successful
>>> Virus 'Troj/Iefeat-AK' found in file c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP289\A0031185.exe
Removal successful
Could not check c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP289\snapshot\ComDb.Dat (corrupt)
Could not check c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP290\snapshot\ComDb.Dat (corrupt)
>>> Virus 'Troj/Iefeat-AK' found in file c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP291\A0031352.exe
Removal successful
>>> Virus 'Troj/Iefeat-AK' found in file c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP291\A0031353.exe
Removal successful
>>> Virus 'Troj/Iefeat-AK' found in file c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP291\A0031354.exe
Removal successful
>>> Virus 'Troj/Iefeat-AK' found in file c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP291\A0031355.exe
Removal successful
>>> Virus 'Troj/Iefeat-AK' found in file c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP291\A0031366.exe
Removal successful
>>> Virus 'Troj/Iefeat-AK' found in file c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP291\A0031367.exe
Removal successful
>>> Virus 'Troj/SpyDldr-C' found in file c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP291\A0031375.exe
Removal successful
Could not check c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP291\snapshot\ComDb.Dat (corrupt)
Could not check c:\System Volume Information\_restore{0A0549E3-FF04-40E5-BDC5-F4672D6A69E5}\RP292\snapshot\ComDb.Dat (corrupt)
Could not check c:\WINDOWS\Registration\R000000000006.clb (corrupt)
Could not check c:\WINDOWS\Registration\R000000000007.clb (corrupt)
>>> Virus fragment 'W95/MrKlunky-A' found in file c:\WINDOWS\system32\ActiveScan\pskavs.dll
Removal successful
Could not open c:\WINDOWS\system32\CatRoot2\edb.log
Could not open c:\WINDOWS\system32\CatRoot2\tmp.edb
Could not open c:\WINDOWS\system32\config\system.LOG
Could not check c:\WINDOWS\system32\emptyregdb.dat (corrupt)


3 master boot records swept.
120297 files swept in 1 hour, 13 minutes and 12 seconds.
226 errors were encountered.
14 viruses were discovered.
14 files out of 120297 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
172 encrypted files were not checked.
Ending Sophos Anti-Virus.

#75 stta

es gibt noch mehr scanner und dann mache noch den kaspersky-Check und berichte
__________
MfG Sabina

rund um die PC-Sicherheit