Habe immer wieder Virenwarnung in C:\WINDOWS\system32\xdatxzap.zxp

#1 Hallo,
vielleicht könnt ihr mir helfen!? Ich bekomme von Kaspersky die Vierenwarnung

C:\WINDOWS\system32\xdatxzap.zxp und auch C:\WINDOWS\system32\xdatxzap.zxp\p-zipped_file_data pif

Ich kann löschen so viel ich will, die Warnug ist beim nächsten Neustart wieder da!? Würdet Ihr euch bitte mal meinen Lofile ansehen, Danke!

Logfile of HijackThis v1.99.1
Scan saved at 10:10:46, on 10.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\RVS\WCOM\SYSTEM\RVSINST.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\bho\LOKALE~1\Temp\Rar$EX00.772\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Messenger\ycomp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Messenger\ycomp.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134036202604
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Filter hijack: application/octet-stream - {6585E5B4-4D2A-4A1D-A219-4102C64BA999} - (no file)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RVS Installer (RVSINST) - RVS Datentechnik GmbH, München - C:\Programme\RVS\WCOM\SYSTEM\RVSINST.EXE

#2 Das scheint ein Zip Archiv zu sein. Was meldet KAV fuer eine Malware darin?

Sonst kannst du auch die von datfind.bat erzeugten logfiles hier posten.

http://virus-protect.org/datfindbat.html
__________
MfG Ralf
SEO-Spam Hunter

#3 Hallo Ralf,
hier der erste Teil von datfind.bat! Reicht das aus oder soll ich die ellenlange Liste posten???

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 3C6F-6CCA

Verzeichnis von C:\WINDOWS\system32

09.12.2005 14:35 2.206 wpa.dbl
06.12.2005 01:41 4 fsdbcrpt.kar.{fbdfea4c-c65a-477f-864c-f28667e6277a}
06.12.2005 01:41 4 msdbcrpt.kar.{fbdfea4c-c65a-477f-864c-f28667e6277a}
03.12.2005 01:15 183 imon1.dat
30.10.2005 10:15 380.486 perfh009.dat
30.10.2005 10:15 52.900 perfc009.dat
30.10.2005 10:15 391.330 perfh007.dat
30.10.2005 10:15 63.778 perfc007.dat
30.10.2005 10:15 897.954 PerfStringBackup.INI
22.10.2005 02:18 302.621 SetupCarnival.exe
12.07.2005 18:04 520.456 LegitCheckControl.dll
12.07.2005 18:04 23.304 GWFSPidGen.dll
06.07.2005 16:13 499.712 msvcp71.dll
28.06.2005 19:57 157.698 mscmcde.dll
05.06.2005 13:24 16.832 amcompat.tlb
05.06.2005 13:24 23.392 nscompat.tlb
27.05.2005 00:11 2.535 qtplugin.log
26.05.2005 04:19 173.536 wuweb.dll

#4 Hm, dann muessen wir es etwas anders machen.Lade dir loacate.com von hier herunter:
http://castlecops.com/modules/Forums/attachments/locate_720.zip

entpacke es in einen extra Ordner, starte von dort die locate.bat, dadurch wird eine report.txt in dem Ordner erstellt. Poste den Inhalt dieser TXT Datei hier.

BTW: Was meldet KAV nocheinmal fuer einen Schaedling in der Datei?
__________
MfG Ralf
SEO-Spam Hunter

#5 Hallo Ralf,
ich habe das gemacht wie Du gesagt hast, aber die Textdatei ist ganz merkwürdig, sie wiederholt ständig dasselbe???

C:\Dokumente und Einstellungen\bho\Eigene Dateien\Datenbanken\Privat\locate>LOCATE c:\windows\system32\* /D- /D:T-90 /NR 1>>report.txt

sonst nichts.... habe ich was falsch gemacht???

Die Kaspersky Virenwarnung war:

C:\WINDOWS\system32\xdatxzap.zxp und auch C:\WINDOWS\system32\xdatxzap.zxp\p-zipped_file_data pif

Binn für jede Hilfe Dankbar!!!

Gruß Birgit

Hallo,
das schmeist mir Spybot raus... kann man damit vielleicht etwas anfangen???

Windows.System:
Einstellungen (Registrierungsdatenbank-Änderung, nothing done)
HKEY_USERS\S-1-5-21-789336058-1682526488-1060284298-1006\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage!=W=0

Windows.System: Benutzer-Einstellungen (Registrierungsdatenbank-Änderung, nothing done)
HKEY_USERS\S-1-5-21-789336058-1682526488-1060284298-1006\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage!=W=0

DoubleClick: Verfolgender Cookie (Internet Explorer: bho) (Cookie, nothing done)

#6

Zitat

03.12.2005 01:15 183 imon1.dat

das sollte ueberprueft werden

Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten --> kopiere das Ergebnis in das Sicherheitsforum
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\imon1.dat
C:\WINDOWS\system32\SetupCarnival.exe
C:\WINDOWS\system32\xdatxzap.zxp


------------------------------------------------------------------------------------


und die datfindbat hat 4 Textdateien, nicht nur eine
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Hallo Sabina,
hier die Ergebnisse von virustotal, ich hoffe, das ich das richtig gemacht habe...
1. Scan:

This is a report processed by VirusTotal on 12/11/2005 at 15:33:28 (CET) after scanning the file "imon1.dat" file.

Antivirus Version Update Result
AntiVir 6.33.0.61 12.09.2005 no virus found
Avast 4.6.695.0 12.10.2005 no virus found
AVG 718 12.08.2005 no virus found
Avira 6.33.0.61 12.09.2005 no virus found
BitDefender 7.2 12.11.2005 no virus found
CAT-QuickHeal 8.00 12.09.2005 no virus found
ClamAV devel-20051108 12.09.2005 no virus found
DrWeb 4.33 12.11.2005 no virus found
eTrust-Iris 7.1.194.0 12.11.2005 no virus found
eTrust-Vet 11.9.1.0 12.09.2005 no virus found
Fortinet 2.54.0.0 12.10.2005 no virus found
F-Prot 3.16c 12.09.2005 no virus found
Ikarus 0.2.59.0 12.11.2005 no virus found
Kaspersky 4.0.2.24 12.11.2005 no virus found
McAfee 4647 12.09.2005 no virus found
NOD32v2 1.1317 12.09.2005 no virus found
Norman 5.70.10 12.09.2005 no virus found
Panda 8.02.00 12.11.2005 no virus found
Sophos 4.00.0 12.10.2005 no virus found
Symantec 8.0 12.11.2005 no virus found
TheHacker 5.9.1.052 12.09.2005 no virus found
VBA32 3.10.5 12.10.2005 no virus found

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

2.Scan:

This is a report processed by VirusTotal on 12/11/2005 at 15:40:07 (CET) after scanning the file "SetupCarnival.exe" file.

Antivirus Version Update Result
AntiVir 6.33.0.61 12.09.2005 no virus found
Avast 4.6.695.0 12.10.2005 no virus found
AVG 718 12.08.2005 no virus found
Avira 6.33.0.61 12.09.2005 no virus found
BitDefender 7.2 12.11.2005 no virus found
CAT-QuickHeal 8.00 12.09.2005 no virus found
ClamAV devel-20051108 12.09.2005 no virus found
DrWeb 4.33 12.11.2005 no virus found
eTrust-Iris 7.1.194.0 12.11.2005 no virus found
eTrust-Vet 11.9.1.0 12.09.2005 no virus found
Fortinet 2.54.0.0 12.10.2005 suspicious
F-Prot 3.16c 12.09.2005 no virus found
Kaspersky 4.0.2.24 12.11.2005 no virus found
McAfee 4647 12.09.2005 no virus found
NOD32v2 1.1317 12.09.2005 no virus found
Norman 5.70.10 12.09.2005 no virus found
Panda 8.02.00 12.11.2005 no virus found
Sophos 4.00.0 12.10.2005 no virus found
Symantec 8.0 12.11.2005 no virus found
TheHacker 5.9.1.052 12.09.2005 no virus found
VBA32 3.10.5 12.10.2005 no virus found

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Scan3:

This is a report processed by VirusTotal on 12/11/2005 at 15:46:19 (CET) after scanning the file "xdatxzap.zxp" file.

Antivirus Version Update Result
AntiVir 6.33.0.61 12.09.2005 Worm/Sober.G
Avast 4.6.695.0 12.10.2005 no virus found
AVG 718 12.08.2005 no virus found
Avira 6.33.0.61 12.09.2005 no virus found
BitDefender 7.2 12.11.2005 Win32.Sober.G@mm
CAT-QuickHeal 8.00 12.09.2005 no virus found
ClamAV devel-20051108 12.09.2005 no virus found
DrWeb 4.33 12.11.2005 no virus found
eTrust-Iris 7.1.194.0 12.11.2005 no virus found
eTrust-Vet 11.9.1.0 12.09.2005 no virus found
Fortinet 2.54.0.0 12.10.2005 W32/Sober.G-mm
F-Prot 3.16c 12.09.2005 W32/Sober.G@mm
Ikarus 0.2.59.0 12.11.2005 no virus found
Kaspersky 4.0.2.24 12.11.2005 Email-Worm.Win32.Sober.g
McAfee 4647 12.09.2005 W32/Sober.g@MM!zip
NOD32v2 1.1317 12.09.2005 no virus found
Norman 5.70.10 12.09.2005 no virus found
Panda 8.02.00 12.11.2005 no virus found
Sophos 4.00.0 12.10.2005 no virus found
Symantec 8.0 12.11.2005 no virus found
TheHacker 5.9.1.052 12.09.2005 no virus found
VBA32 3.10.5 12.10.2005 no virus found

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Die 4 Datfindbat Textdateien sind sooo lang, die bekomme ich hier gar nicht alle gepostet!?

#8 Dafuer ist die locate.com. Die musst du nur nach c:\temp entpacken und von da starten. Da es eine alte Dosversion ist, kommt sie nicht damit klar, wenn sie aus einem Ordner mit langem Dateinamen gestartet wird( die Verschahtelung der Ordner ist auch etwas gross)
__________
MfG Ralf
SEO-Spam Hunter

#9 Hallo Ralf,
hier die Textdatei:

C:\WINDOWS\SYSTEM32\
abg.dat Sun Jan 16 2005 12:48:42p A.... 11 0.01 K
browseui.dll Tue Dec 7 2004 5:41:16p A.... 1,017,856 994.00 K
cblatcq.dll Sun Jan 16 2005 11:58:26a ..SH. 2,014 1.96 K
cdfview.dll Tue Dec 7 2004 5:43:02p A.... 143,360 140.00 K
comdlg32.oca Sun Feb 20 2005 10:47:56p A.... 35,840 35.00 K
cws.txt Fri Feb 25 2005 9:19:12a A.... 222,750 217.53 K
e1.txt Fri Feb 25 2005 9:50:32a A.... 111,422 108.81 K
fntcache.dat Thu Jan 13 2005 6:58:48p A.... 209,696 204.78 K
hashlib.dll Thu Feb 10 2005 10:32:18p A.... 81,120 79.22 K
hhctrl.ocx Thu Dec 2 2004 1:15:00p A.... 512,512 500.50 K
ide21201.vxd Sun Jan 30 2005 6:51:00a A.... 4,720 4.61 K
iepeers.dll Tue Dec 7 2004 11:51:58a A.... 236,032 230.50 K
imon1.dat Thu Jan 13 2005 6:57:48p A.... 92 0.09 K
java.exe Mon Dec 6 2004 8:04:12p A.... 49,248 48.09 K
javaw.exe Mon Dec 6 2004 8:04:20p A.... 49,250 48.09 K
javaws.exe Mon Dec 6 2004 9:31:50p A.... 127,078 124.10 K
jpicpl32.cpl Mon Dec 6 2004 9:31:48p A.... 49,265 48.11 K
mapisvc.inf Wed Jan 19 2005 8:07:08p A.... 12 0.01 K
mmf.sys Tue Mar 1 2005 1:38:34p A.SH. 769 0.75 K
mscomctl.oca Sun Feb 20 2005 10:47:56p A.... 265,728 259.50 K
mshtml.dll Thu Jan 27 2005 3:35:12p A.... 2,806,272 2.68 M
ole32.dll Thu Jan 13 2005 11:33:52p A.... 1,258,496 1.20 M
olecli32.dll Thu Jan 13 2005 11:33:52p A.... 68,608 67.00 K
olecnv32.dll Thu Jan 13 2005 11:33:52p A.... 35,328 34.50 K
pav.sig Wed Feb 16 2005 10:45:44a A.... 8,471,343 8.08 M
perfc009.dat Tue Mar 1 2005 4:33:06p A.... 63,108 61.63 K
perfh009.dat Tue Mar 1 2005 4:33:06p A.... 402,578 393.14 K
perfst~1.ini Fri Feb 25 2005 4:46:10p A.... 477,662 466.46 K
regabg.dat Sun Jan 16 2005 12:48:42p A.... 11 0.01 K
richtx32.oca Wed Feb 23 2005 12:02:22p A.... 64,000 62.50 K
richtx32.ocx Thu Feb 10 2005 10:03:26p A.... 212,240 207.27 K
rmsmrt.dat Sun Jan 16 2005 12:48:42p A.... 11 0.01 K
rpcss.dll Thu Jan 13 2005 11:33:52p A.... 284,672 278.00 K
shdocvw.dll Tue Dec 7 2004 5:34:48p A.... 1,337,344 1.27 M
shell32.dll Tue Dec 21 2004 2:55:12p A.... 8,443,904 8.05 M
shlwapi.dll Tue Dec 7 2004 6:11:50p A.... 402,432 393.00 K
srvsvc.dll Tue Dec 7 2004 1:34:38p A.... 79,872 78.00 K
urlmon.dll Tue Dec 7 2004 4:37:46p A.... 495,104 483.50 K
user32.dll Tue Dec 28 2004 7:31:44p A.... 574,464 561.00 K
wininet.dll Tue Dec 7 2004 4:37:02p A.... 590,336 576.50 K
wpa.dbl Tue Mar 1 2005 12:12:44p A.... 13,646 13.32 K

41 items found: 41 files (2 H/S), 0 directories.
Total of file sizes: 29,200,206 bytes 27.84 M

C:\WINDOWS\
0.log Tue Mar 1 2005 1:38:54p A.... 0 0.00 K
aiepr.ini Tue Dec 28 2004 11:46:42p A.... 943 0.92 K
aimpr.ini Tue Dec 28 2004 11:14:00p A.... 115 0.11 K
archpr.ini Tue Dec 28 2004 11:04:22p A.... 884 0.86 K
atid.ini Wed Jan 26 2005 8:09:16p A.... 24 0.02 K
bootstat.dat Tue Mar 1 2005 1:38:16p A.S.. 2,048 2.00 K
cd Mon Feb 14 2005 6:30:00p A.... 0 0.00 K
coffee~1.bmp Sun Feb 27 2005 3:16:00a A.... 17,632 17.22 K
comsetup.log Mon Feb 28 2005 10:10:06a A.... 47,602 46.48 K
cws.txt Fri Feb 25 2005 9:19:12a A.... 17,296 16.89 K
e2.txt Fri Feb 25 2005 9:50:32a A.... 8,741 8.54 K
ed.log Mon Feb 28 2005 7:31:28a A.... 235 0.23 K
faxsetup.log Mon Feb 28 2005 10:10:06a A.... 140,720 137.42 K
firefo~1.bmp Sun Jan 16 2005 2:47:34a A.... 12,822 12.52 K
hosts Wed Dec 29 2004 11:34:42p A.... 686 0.67 K
hotcore.log Mon Feb 28 2005 7:22:08a A.... 23 0.02 K
iis6.log Mon Feb 28 2005 10:10:06a A.... 20,525 20.04 K
imsins.bak Mon Feb 28 2005 10:09:56a A.... 1,374 1.34 K
imsins.log Mon Feb 28 2005 10:10:06a A.... 1,374 1.34 K
install.ini Wed Feb 16 2005 8:07:20a A.... 45 0.04 K
kb820291.log Thu Feb 17 2005 8:51:22p A.... 11,060 10.80 K
kb833407.log Mon Feb 28 2005 10:05:34a A.... 3,111 3.04 K
kb840987.log Mon Feb 28 2005 10:05:58a A.... 8,636 8.43 K
kb841356.log Mon Feb 28 2005 10:09:56a A.... 22,540 22.01 K
kb871250.log Mon Feb 28 2005 10:06:16a A.... 8,556 8.36 K
kb873333.log Mon Feb 28 2005 10:09:42a A.... 24,094 23.53 K
kb885250.log Mon Feb 28 2005 10:10:06a A.... 27,147 26.51 K
kb885835.log Mon Feb 28 2005 10:07:04a A.... 15,204 14.85 K
kb885836.log Mon Feb 28 2005 10:06:06a A.... 10,288 10.05 K
kb888113.log Mon Feb 28 2005 10:09:06a A.... 20,514 20.03 K
kb888302.log Mon Feb 28 2005 10:08:16a A.... 14,997 14.64 K
kb890047.log Mon Feb 28 2005 10:08:42a A.... 17,033 16.63 K
kb890175.log Mon Feb 28 2005 10:06:36a A.... 11,290 11.02 K
kb891711.log Mon Feb 28 2005 10:06:44a A.... 8,823 8.61 K
kb891781.log Mon Feb 28 2005 10:08:46a A.... 16,918 16.52 K
mdm.ini Sun Feb 20 2005 3:44:32a A.... 185 0.18 K
mozver.dat Fri Dec 24 2004 8:55:46a A.... 13,306 12.99 K
msgsocm.log Mon Feb 28 2005 10:10:06a A.... 7,727 7.54 K
nerodi~1.ini Thu Feb 17 2005 11:17:06p A.... 49 0.05 K
nsreg.dat Wed Jan 26 2005 8:14:04p A.... 335 0.32 K
nsw.log Mon Feb 28 2005 1:27:42p A.... 418 0.41 K
ocgen.log Mon Feb 28 2005 10:10:06a A.... 94,833 92.61 K
ocmsn.log Mon Feb 28 2005 10:10:06a A.... 5,792 5.66 K
odbc.ini Sun Feb 20 2005 3:44:22a A.... 636 0.62 K
odbcinst.ini Sun Feb 20 2005 3:44:22a A.... 4,161 4.06 K
pavsig.txt Wed Feb 16 2005 10:44:58a A.... 32 0.03 K
popcinfo.dat Wed Dec 29 2004 4:02:02p A.... 29 0.03 K
qtfont.for Sat Feb 19 2005 9:16:26p A.... 1,409 1.38 K
qtfont.qfn Tue Feb 22 2005 3:19:50p A..H. 54,156 52.89 K
regsvr32 Mon Feb 14 2005 6:30:08p A.... 0 0.00 K
resetlog.txt Tue Feb 1 2005 7:38:16a A.... 3,755 3.66 K
schedlgu.txt Tue Mar 1 2005 1:37:14p A.... 32,542 31.78 K
setupact.log Sun Feb 20 2005 4:17:46p A.... 120 0.12 K
setupapi.log Tue Mar 1 2005 4:34:00p A.... 268,247 261.96 K
setuperr.log Sat Feb 12 2005 2:43:38p A.... 0 0.00 K
soapbu~1.bmp Sun Feb 27 2005 3:16:00a A.... 66,548 64.99 K
system.ini Sun Feb 27 2005 3:37:14p A.... 227 0.22 K
system32.txt Fri Feb 25 2005 10:12:26a A.... 111,475 108.86 K
thxcfg.ini Sun Feb 20 2005 2:16:40p A.... 32 0.03 K
tsoc.log Mon Feb 28 2005 10:10:06a A.... 60,603 59.18 K
vb.ini Sun Feb 20 2005 3:42:44a A.... 1,309 1.28 K
vbaddin.ini Wed Feb 23 2005 12:02:00p A.... 133 0.13 K
w32dasm8.ini Sun Feb 20 2005 5:45:48p A.... 265 0.26 K
wiadebug.log Fri Jan 28 2005 6:41:40p A.... 216 0.21 K
wiaservc.log Wed Jan 19 2005 9:04:04p ..... 49 0.05 K
win.ini Sun Feb 27 2005 3:37:14p A.... 4,024 3.93 K
winamp.ini Sun Feb 27 2005 5:30:02p A.... 1,125 1.10 K
wmsetup.log Mon Feb 21 2005 3:04:04p A.... 4,882 4.77 K
wplog.txt Fri Feb 18 2005 3:47:38p A.... 0 0.00 K

69 items found: 69 files (2 H/S), 0 directories.
Total of file sizes: 1,231,920 bytes 1.17 M

C:\DOCUME~1\DAVE\LOCALS~1\TEMP\
1575.exe Mon Feb 28 2005 12:57:02p A.... 0 0.00 K
16612.exe Sun Feb 27 2005 3:00:52p A.... 5,632 5.50 K
41.exe Tue Mar 1 2005 11:57:10a A.... 14,848 14.50 K
fccadd4f.tmp Wed Feb 23 2005 3:17:04p A.... 21 0.02 K
imtfc.xml Mon Feb 28 2005 7:10:02a A.... 1,994 1.95 K
imtfd.xml Mon Feb 28 2005 7:10:02a A.... 426 0.41 K
imtfe.xml Mon Feb 28 2005 7:10:02a A.... 686,420 670.33 K
jusched.log Mon Feb 28 2005 9:56:58a A.... 204 0.20 K
kbdummy.0 Mon Feb 28 2005 8:04:56p A.... 56 0.05 K
msiae542.log Sun Feb 27 2005 2:22:02a A.... 294 0.29 K
netfxsl.log Mon Feb 28 2005 10:07:58a A.... 10,986 10.73 K
vminst.log Tue Mar 1 2005 4:34:08p A.... 36,426 35.57 K
~76.tmp Sun Feb 27 2005 2:22:04a A.... 0 0.00 K
~df1a37.tmp Wed Mar 2 2005 9:13:16a A.... 16,384 16.00 K
~df3372.tmp Tue Mar 1 2005 12:11:04p A.... 16,384 16.00 K
~df5e34.tmp Tue Mar 1 2005 1:36:48p A.... 16,384 16.00 K
~df9472.tmp Tue Mar 1 2005 12:17:50p A.... 16,384 16.00 K
~dfb3f8.tmp Tue Mar 1 2005 12:25:06p A.... 16,384 16.00 K
~dfc6e5.tmp Tue Mar 1 2005 1:27:30p A.... 16,384 16.00 K
~dfce0a.tmp Tue Mar 1 2005 1:09:28p A.... 16,384 16.00 K
~dfd6de.tmp Tue Mar 1 2005 1:14:14p A.... 16,384 16.00 K
~dfd814.tmp Tue Mar 1 2005 1:04:52p A.... 16,384 16.00 K
~dfe79b.tmp Tue Mar 1 2005 12:53:52p A.... 16,384 16.00 K

23 items found: 23 files, 0 directories.
Total of file sizes: 921,147 bytes 899.55 K

C:\DOCUME~1\Dave\Desktop\locate\
locate.bat Wed Mar 2 2005 9:51:44a A.... 194 0.19 K
report.txt Wed Mar 2 2005 9:51:50a A.... 10,893 10.64 K

2 items found: 2 files, 0 directories.
Total of file sizes: 11,087 bytes 10.82 K

C:\WINDOWS\SYSTEM32\
fsdbcr~1.{fb Tue 6 Dec 2005 1:41:34 A.... 4 0,00 K
imon1.dat Sat 3 Dec 2005 1:15:26 A.... 183 0,18 K
msdbcr~1.{fb Tue 6 Dec 2005 1:41:34 A.... 4 0,00 K
perfc007.dat Sun 30 Oct 2005 10:15:06 A.... 63.778 62,28 K
perfc009.dat Sun 30 Oct 2005 10:15:06 A.... 52.900 51,66 K
perfh007.dat Sun 30 Oct 2005 10:15:06 A.... 391.330 382,16 K
perfh009.dat Sun 30 Oct 2005 10:15:06 A.... 380.486 371,57 K
perfst~1.ini Sun 30 Oct 2005 10:15:06 A.... 897.954 876,91 K
qtplugin.log Sun 11 Dec 2005 14:41:54 A.... 3.049 2,98 K
setupc~1.exe Sat 22 Oct 2005 2:18:08 A.... 302.621 295,53 K
wpa.dbl Fri 9 Dec 2005 14:35:20 A.... 2.206 2,15 K

11 items found: 11 files, 0 directories.
Total of file sizes: 2.094.515 bytes 1,99 M

C:\WINDOWS\
0.log Sun 11 Dec 2005 16:28:24 A.... 0 0,00 K
bootstat.dat Sun 11 Dec 2005 16:27:56 A.S.. 2.048 2,00 K
comsetup.log Thu 8 Dec 2005 11:08:46 A.... 160.239 156,48 K
cperror.log Fri 28 Oct 2005 16:04:30 A.... 1.588 1,55 K
faxsetup.log Thu 8 Dec 2005 11:08:46 A.... 431.843 421,72 K
iedit.ini Sat 12 Nov 2005 21:23:28 A.... 30 0,03 K
iis6.log Thu 8 Dec 2005 11:08:46 A.... 692.364 676,14 K
imsins.bak Thu 8 Dec 2005 11:08:28 A.... 1.374 1,34 K
imsins.log Thu 8 Dec 2005 11:08:46 A.... 1.374 1,34 K
kb8938~1.log Thu 8 Dec 2005 11:08:28 A.... 5.350 5,22 K
kb898461.log Thu 8 Dec 2005 11:08:46 A.... 7.244 7,07 K
libeay32.dll Fri 21 Oct 2005 14:55:36 A.... 684.032 668,00 K
lic.xxx Thu 27 Oct 2005 21:32:32 A.... 0 0,00 K
medctroc.log Thu 8 Dec 2005 11:08:46 A.... 13.445 13,13 K
mozver.dat Sun 11 Dec 2005 14:35:24 A.... 2.258 2,20 K
msgsocm.log Thu 8 Dec 2005 11:08:46 A.... 23.792 23,23 K
msmqinst.log Thu 8 Dec 2005 11:08:46 A.... 185.802 181,45 K
netfxocm.log Thu 8 Dec 2005 11:08:46 A.... 80.468 78,58 K
nsreg.dat Sun 11 Dec 2005 14:35:36 A.... 0 0,00 K
ntdtcs~1.log Thu 8 Dec 2005 11:08:46 A.... 102.945 100,53 K
ocgen.log Thu 8 Dec 2005 11:08:46 A.... 287.578 280,84 K
ocmsn.log Thu 8 Dec 2005 11:08:46 A.... 20.484 20,00 K
oewablog.txt Thu 27 Oct 2005 2:47:18 A.... 345 0,34 K
qtfont.for Sun 11 Dec 2005 15:15:12 A.... 1.409 1,38 K
qtfont.qfn Sun 11 Dec 2005 16:28:10 A..H. 54.156 52,89 K
schedlgu.txt Sun 11 Dec 2005 16:26:46 A.... 32.546 31,78 K
setupact.log Fri 28 Oct 2005 13:27:38 A.... 187.416 183,02 K
setupapi.log Fri 9 Dec 2005 0:25:24 A.... 574.315 560,85 K
ssleay32.dll Fri 21 Oct 2005 14:55:36 A.... 155.648 152,00 K
tabletoc.log Thu 8 Dec 2005 11:08:46 A.... 21.375 20,87 K
tsoc.log Thu 8 Dec 2005 11:08:46 A.... 231.866 226,43 K
uninst~1.exe Sun 11 Dec 2005 14:35:26 A.... 107.132 104,62 K
wiadebug.log Sun 11 Dec 2005 16:28:22 A.... 159 0,15 K
wiaservc.log Sun 11 Dec 2005 16:28:22 A.... 50 0,05 K
win.ini Fri 28 Oct 2005 13:00:14 A.... 870 0,85 K
window~2.log Sun 11 Dec 2005 16:28:18 A.... 494.958 483,36 K
wmsetup.log Thu 27 Oct 2005 2:47:18 A.... 8.715 8,51 K
wrunin~1.dll Mon 24 Oct 2005 11:30:54 A.... 468.480 457,50 K

38 items found: 38 files (2 H/S), 0 directories.
Total of file sizes: 5.043.698 bytes 4,81 M

C:\DOKUME~1\BHO\LOKALE~1\TEMP\
locate~1.zip Sun 11 Dec 2005 17:50:18 A.... 93.593 91,40 K
locate~2.zip Sun 11 Dec 2005 17:56:38 A.... 93.593 91,40 K
mfpl7014.dll Sun 11 Dec 2005 17:47:42 A.... 917.504 896,00 K
report.txt Sun 11 Dec 2005 17:50:40 A.... 0 0,00 K
~dfbc54.tmp Sun 11 Dec 2005 16:24:30 A.... 16.384 16,00 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1.121.074 bytes 1,07 M

#10

Zitat

Sabina postete
removaltool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.g@mm.html

kopiere das Log vom Winpfind
http://virus-protect.org/winpfind.html

Zitat

Der Wurm kopiert sich als EXE-Datei in den Windows-Systemordner mit einem Namen, der aus Folgenden zusammengesetzt ist:
sys, host, dir, expolrer, win, run, log, 32, disc, crypt, data, diag, spool, service, smss32
W32/Sober-G erstellt außerdem die folgenden Dateien, um die aufgespürten Daten im Windows-Systemordner zu speichern:
bcegfds.lll
cvqaikxt.apk
datsobex.wwr
wincheck32.dats
winexpoder.dats
winzweier.dats
xdatxzap.zxp
zhcarxxi.vvx

http://www.sophos.de/virusinfo/analyses/w32soberg.html

__________
MfG Sabina

rund um die PC-Sicherheit

#11 Hallo Sabina,
hier der Log vom Winpfind:

»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 29.10.2005 14:55:26 9933766 C:\nentgest.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 18.08.2001 20:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 12.07.2005 18:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 04.08.2004 08:57:08 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04.08.2004 08:57:32 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 22.10.2005 02:18:08 302621 C:\WINDOWS\SYSTEM32\SetupCarnival.exe
winsync 18.08.2001 20:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 04.08.2004 06:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11.12.2005 16:27:56 S 2048 C:\WINDOWS\bootstat.dat
11.12.2005 16:28:10 H 54156 C:\WINDOWS\QTFont.qfn
08.12.2005 11:03:58 H 0 C:\WINDOWS\inf\oem18.inf
11.12.2005 16:45:12 H 1024 C:\WINDOWS\system32\config\default.LOG
11.12.2005 16:28:06 H 1024 C:\WINDOWS\system32\config\SAM.LOG
11.12.2005 19:58:30 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
11.12.2005 20:19:24 H 1024 C:\WINDOWS\system32\config\software.LOG
11.12.2005 19:58:10 H 1024 C:\WINDOWS\system32\config\system.LOG
11.12.2005 16:28:00 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04.08.2004 08:58:22 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04.08.2004 08:58:22 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 08:58:22 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04.08.2004 08:58:22 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04.08.2004 08:58:22 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 08:58:22 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04.08.2004 08:58:22 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 08:58:22 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 08:58:22 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 08:58:22 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 18.08.2001 20:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 08:58:22 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18.08.2001 20:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04.08.2004 08:58:22 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 08:58:22 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 06.10.2003 13:16:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 18.08.2001 20:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04.08.2004 08:58:22 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04.08.2004 08:58:22 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 10.07.2002 20:01:38 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 04.08.2004 08:58:22 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18.08.2001 20:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 08:58:22 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04.08.2004 08:58:22 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 18.08.2001 20:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 18.08.2001 20:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 18.08.2001 20:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 18.08.2001 20:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
NVIDIA Corporation 02.05.2003 14:19:00 143360 C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\nvtuicpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
01.07.2003 21:20:24 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
01.07.2003 22:04:12 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini
26.07.2003 23:42:08 3 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\DirectCDUserNameG.txt

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
10.02.2004 12:47:04 52968 C:\Dokumente und Einstellungen\bho\Anwendungsdaten\GDIPFONTCACHEV1.DAT
10.03.2004 21:39:20 26792 C:\Dokumente und Einstellungen\bho\Anwendungsdaten\Kommagetrennte Werte (DOS).ADR

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
Versatel.de ISDN 0404 = IEAK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\AVPersonal\AVShlExt.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CIB pdf brewer
{9CB3ED0A-1CFA-11D9-9A43-000476F770CC} = C:\Programme\CIB software GmbH\CIB pdf brewer\CIBpdfBrContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IMMenuShellExt
{F8984111-38B6-11D5-8725-0050DA2761C4} = C:\PROGRA~1\INCRED~1\bin\ImShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TuneUp Shredder
{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programme\TuneUp Utilities 2006\sdshelex.dll"
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\AVPersonal\AVShlExt.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus
{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TuneUp Shredder
{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programme\TuneUp Utilities 2006\sdshelex.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Programme\Yahoo!\Messenger\ycomp.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Programme\Yahoo!\Messenger\ycomp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
ButtonText = Yahoo! Messenger : C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Programme\Yahoo!\Messenger\ycomp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
QuickTime Task "C:\Programme\QuickTime\qttask.exe" -atboottime
KAVPersonal50 "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
AVGCtrl C:\Programme\AVPersonal\AVGNT.EXE /min

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


Gruß maju

#12 hast du das angewendet?
removaltool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.g@mm.html
__________
MfG Sabina

rund um die PC-Sicherheit

#13 Hallo Sabina,
ja, vor dem Log Winpfind habe ich mit symantec W32.Sober Removal Tool
gescannt!!! Das hat auch ziemlich lange gedauert!

Gruß maju

#14 kommt die Meldung vom Kaspersky noch, oder ist alles geleoscht?
__________
MfG Sabina

rund um die PC-Sicherheit

#15 Hallo Sabina,
ich habe mit Kaspersky auch schon gescannt und der meldet nichts mehr!

Glaubst Du, der Virus ist lahm gelegt oder sollte ich noch mal mit einem
anderen Virenscan kontrolieren?

Gruß maju