Virus > C:\windows\system32\howiper.exe > Access denied

Thread is closed!
#0
29.12.2005, 20:10
Member
Posts: 32
01.01.2006, 17:06
Honorary member
Posts: 29434
#2
maravilha

Download the F-Secure BlackLight beta trial: http://www.f-secure.com/blacklight/
Double-click blbeta.exe. After the check, click "next". You will now find a log file on the desktop: copy it into your thread.
__________
Kind regards, Sabina
all about PC security
01.01.2006, 18:06
Member
Thread starter, Posts: 32
#3
Good evening Sabina

Here is the BlackLight log file:

01/01/06 17:57:21 [Info]: BlackLight Engine 1.0.30 initialized
01/01/06 17:57:21 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/01/06 17:57:22 [Note]: 7019 4
01/01/06 17:57:22 [Note]: 7005 0
01/01/06 17:57:53 [Note]: 7006 0
01/01/06 17:57:53 [Note]: 7011 2592
01/01/06 17:57:53 [Note]: FSRAW library version 1.7.1014
01/01/06 17:58:06 [Info]: Hidden file: C:\Programme\HP\Digital Imaging\bin\DestTest.exe
01/01/06 17:58:06 [Note]: 10002 1
01/01/06 17:59:41 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
01/01/06 17:59:41 [Note]: 10002 1
01/01/06 17:59:45 [Info]: Hidden file: C:\WINDOWS\system32\csaoc.exe
01/01/06 17:59:45 [Note]: 7002 32
01/01/06 17:59:45 [Note]: 7003 1
01/01/06 17:59:45 [Note]: 10002 1

Thank you very much for taking the time to examine my system!
Maravilha (or David)
01.01.2006, 18:25
Honorary member
Posts: 29434
#4
Then run BlackLight again and have all the files it shows, i.e. C:\WINDOWS\system32\csaoc.exe, renamed: scan --> next, change "none" to "rename" (except C:\Programme\HP\Digital Imaging\bin\DestTest.exe and C:\WINDOWS\system32\wbem\wbemtest.exe). Then let BlackLight restart the computer.
--------------------------------------------------------------
Copy the Silent Runners log here: http://virus-protect.org/silentrunner.html
__________
Kind regards, Sabina
all about PC security
02.01.2006, 08:27
Member
Thread starter, Posts: 32
#5
Sabina

I had BlackLight rename the file C:\WINDOWS\system32\csaoc.exe and restarted the PC. After the restart, Microsoft AntiSpyware reported roughly the following: A startup application needs your approval. Do you want to allow C:\WINDOWS\system32\csaoc.exe...etc? I clicked ALLOW and hope I have not done anything wrong by that.

Here is the Silent Runners log:

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "XXX" & "All Users" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"InterVideo WinCinema Manager" -> shortcut to: "C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Meinen Computer prüfen - XXX" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
InCD File System Service, InCDsrv, "C:\Programme\Ahead\InCD\InCDsrv.exe" ["AHEAD Software"]
Iomega App Services, Iomega App Services, ""C:\PROGRA~1\Iomega\System32\AppServices.exe"" ["Iomega Corporation"]
iPodService, iPodService, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Norton AntiVirus Auto-Protect-Dienst, navapsvc, ""C:\Programme\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
02.01.2006, 12:50
Honorary member
Posts: 29434
#6
maravilha

Copy the 4 text files here: http://virus-protect.org/datfindbat.html (3 months back by date is enough)
---------
From Silent Runners I would like to see the complete log, not just half of it.....
__________
Kind regards, Sabina
all about PC security
02.01.2006, 21:55
Member
Thread starter, Posts: 32
#7
I hope that this time I have pasted in the complete Silent Runners log.
This time I selected the "Supplementary Searches" option.

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Eraser" = "C:\Programme\Eraser\eraser.exe -hide" ["-"]
"Iomega Automatic Backup" = "C:\Programme\Iomega\Iomega Automatic Backup\iBackup.exe" [file not found]
"PcSync" = "C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog" ["Time Information Services Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"LaunchAp" = "C:\Program Files\Launch Manager\LaunchAp.exe" [empty string]
"HotkeyApp" = "C:\Program Files\Launch Manager\HotkeyApp.exe" ["Wistron"]
"CtrlVol" = "C:\Program Files\Launch Manager\CtrlVol.exe" [null data]
"Wbutton" = ""C:\Program Files\Launch Manager\Wbutton.exe"" [empty string]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Programme\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"gcasServ" = ""C:\Programme\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"HP Component Manager" = ""C:\Programme\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"HP Software Update" = "C:\Programme\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"Acronis True Image Monitor" = ""C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe"" ["Acronis"]
"Acronis Scheduler2 Service" = ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]
"ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"PCSuiteTrayApplication" = "C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray" ["Nokia"]
"DataLayer" = "C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe" ["Nokia Mobile Phones Ltd."]
"dmnfl.exe" = "C:\WINDOWS\system32\dmnfl.exe" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
                                        \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Ahead\InCD\incdshx.dll" ["Ahead Software, Karlsbad, Germany"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{3c249f62-e26e-11d4-97f0-009027769c61}" = "Format Shell"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Format Shell\SMSHELL.DLL" ["OnSpec Electronic Inc.,"]
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Eraser\erasext.dll" ["-"]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csaoc.exe" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Eraser\erasext.dll" ["-"]
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Eraser\erasext.dll" ["-"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Yuval\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Yuval" & "All Users" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"InterVideo WinCinema Manager" -> shortcut to: "C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Meinen Computer prüfen - Yuval" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
InCD File System Service, InCDsrv, "C:\Programme\Ahead\InCD\InCDsrv.exe" ["AHEAD Software"]
Iomega App Services, Iomega App Services, ""C:\PROGRA~1\Iomega\System32\AppServices.exe"" ["Iomega Corporation"]
iPodService, iPodService, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Norton AntiVirus Auto-Protect-Dienst, navapsvc, ""C:\Programme\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 9 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 10 seconds.
---------- (total run time: 44 seconds)

And here are the text files from http://virus-protect.org/datfindbat.html:

Datenträger in Laufwerk C: ist 65_01_31
Volumeseriennummer: ECAE-D346

Verzeichnis von C:\WINDOWS\system32

01.01.2006 12:36 1'158 wpa.dbl
09.12.2005 01:21 2'723'680 MRT.exe
08.12.2005 22:52 51'200 csaoc.exe.ren
07.12.2005 12:46 221'632 FNTCACHE.DAT
07.12.2005 00:33 7'006 jupdate-1.5.0_06-b05.log
01.12.2005 12:14 86'091 S32EVNT1.DLL
01.12.2005 04:31 1'492'480 shdocvw.dll
24.11.2005 00:58 3'013'632 mshtml.dll
24.11.2005 00:58 1'022'464 browseui.dll
15.11.2005 12:12 117'976 hashlib.dll
15.11.2005 12:12 126'680 GCCollection.dll
15.11.2005 12:12 95'448 gcUnCompress.dll
10.11.2005 13:03 127'078 javaws.exe
10.11.2005 13:03 49'265 jpicpl32.cpl
10.11.2005 11:27 49'250 javaw.exe
10.11.2005 11:27 49'248 java.exe
05.11.2005 04:16 606'208 urlmon.dll
05.11.2005 04:16 1'056'256 danim.dll
30.10.2005 09:07 53'770 perfc009.dat
30.10.2005 09:07 382'026 perfh009.dat
30.10.2005 09:07 393'086 perfh007.dat
30.10.2005 09:07 64'848 perfc007.dat
30.10.2005 09:07 902'476 PerfStringBackup.INI
21.10.2005 11:36 289 RootkitReveal.txt
21.10.2005 04:40 664'064 wininet.dll
21.10.2005 04:40 474'112 shlwapi.dll
21.10.2005 04:40 530'944 mstime.dll
21.10.2005 04:40 146'432 msrating.dll
21.10.2005 04:40 448'512 mshtmled.dll
21.10.2005 04:40 39'424 pngfilt.dll
21.10.2005 04:40 96'768 inseng.dll
21.10.2005 04:40 152'064 cdfview.dll
21.10.2005 04:40 251'392 iepeers.dll
21.10.2005 04:40 55'808 extmgr.dll
21.10.2005 04:40 205'312 dxtrans.dll
20.10.2005 23:25 1'094'144 esent.dll
17.10.2005 20:58 65'536 QuickTimeVR.qtx
17.10.2005 20:57 49'152 QuickTime.qts
16.10.2005 09:36 5'618 jupdate-1.5.0_05-b05.log
13.10.2005 00:15 15'584 spmsg.dll
06.10.2005 04:18 280'064 gdi32.dll
06.10.2005 04:08 1'839'616 win32k.sys

Note: for this file I only get information up to 31.12.05.

Datenträger in Laufwerk C: ist 65_01_31
Volumeseriennummer: ECAE-D346

Verzeichnis von C:\DOKUME~1\Yuval\LOKALE~1\Temp

02.01.2006 21:23 512 ~DF9341.tmp
02.01.2006 21:23 7'168 ~WRS0003.tmp
02.01.2006 21:22 16'384 ~WRF0001.tmp
02.01.2006 21:12 512 ~DF7E17.tmp
02.01.2006 11:45 160'191 jusched.log
02.01.2006 11:12 32'768 ~DF4831.tmp
02.01.2006 11:12 32'768 ~DFA407.tmp
02.01.2006 07:57 32'768 ~DF97A4.tmp
02.01.2006 07:57 32'768 ~DF8750.tmp
01.01.2006 18:47 32'768 ~DFF0B8.tmp
01.01.2006 18:47 32'768 ~DFDDC6.tmp
01.01.2006 18:44 768 sedb.ldb
01.01.2006 12:23 139'264 sedb.mdb
01.01.2006 11:05 32'768 ~DFE48C.tmp
01.01.2006 11:05 32'768 ~DFC540.tmp
31.12.2005 20:09 2'097'152 NDLC4
31.12.2005 14:43 32'768 ~DFE921.tmp
31.12.2005 14:43 32'768 ~DFCA6F.tmp
18 Datei(en) 2'749'631 Bytes
0 Verzeichnis(se), 17'304'915'968 Bytes frei

Datenträger in Laufwerk C: ist 65_01_31
Volumeseriennummer: ECAE-D346

Verzeichnis von C:\WINDOWS

02.01.2006 11:51 1'561'933 WindowsUpdate.log
02.01.2006 11:11 159 wiadebug.log
02.01.2006 11:11 4'236 ModemLog_Agere Systems AC'97 Modem.txt
02.01.2006 11:11 50 wiaservc.log
02.01.2006 11:11 0 0.log
02.01.2006 11:11 2'048 bootstat.dat
02.01.2006 09:44 32'644 SchedLgU.Txt
29.12.2005 20:20 54'156 QTFont.qfn
28.12.2005 15:04 39'424 zipinst.exe
26.12.2005 01:29 1'409 QTFont.for
16.12.2005 20:48 6'684 cdplayer.ini
07.12.2005 14:04 1'960 ModemLog_Nokia 6230i IrDA.txt
02.10.2005 15:20 28'722 hpoins03.dat
02.10.2005 15:20 781 win.ini

Datenträger in Laufwerk C: ist 65_01_31
Volumeseriennummer: ECAE-D346

Verzeichnis von C:\

02.01.2006 21:53 0 sys.txt
02.01.2006 21:53 5'888 system.txt
02.01.2006 21:50 1'110 systemtemp.txt
02.01.2006 21:46 106'855 system32.txt
02.01.2006 11:11 792'723'456 pagefile.sys
25.09.2004 20:17 211 boot.ini
25.09.2004 19:58 47'564 NTDETECT.COM
25.09.2004 19:58 251'184 ntldr
06.01.2004 09:17 1'119 INSTALL.LOG
15.10.2003 21:16 0 COMLOG.txt
15.09.2003 17:45 1'944 Lang.txt
15.09.2003 17:36 90 setup.log
17.09.2002 04:53 0 CONFIG.SYS
17.09.2002 04:53 0 IO.SYS
17.09.2002 04:53 0 MSDOS.SYS
17.09.2002 04:53 0 AUTOEXEC.BAT
29.08.2002 13:00 4'952 bootfont.bin
24.05.2001 12:59 162'304 UNWISE.EXE
18 Datei(en) 793'306'677 Bytes
0 Verzeichnis(se), 17'304'903'680 Bytes frei

I hope I have followed your instructions correctly this time.
Maravilha
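To show what a helper is actually scanning for in a Silent Runners listing like the one above, here is a small triage script. It is an added example for this thread, not part of any post and not the Silent Runners script itself. It parses the `"name" = "value" [status]` line format, using a handful of lines taken from this thread as constructed sample input, and flags entries whose autostart target is missing, whose binary carries no company string, whose value is a bare filename, or whose Winlogon value deviates from the defaults the script assumes. The default table, the function names and the rule set are my own choices, not anything the tool documents.

```python
"""Triage helper for Silent Runners-style autostart listings.

Added example for this thread, not part of the forum post or of the
Silent Runners script. Parses lines of the form
    HKLM\\...\\Run\\ {++}
    "name" = "value" [status]
and flags the entries a helper would look at first. The Winlogon default
table below is an assumption (XP-era values), as is the whole rule set.
"""
import re

# Constructed sample: a few lines copied from the thread's Silent Runners log.
SAMPLE_LOG = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Iomega Automatic Backup" = "C:\Programme\Iomega\Iomega Automatic Backup\iBackup.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LaunchAp" = "C:\Program Files\Launch Manager\LaunchAp.exe" [empty string]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"dmnfl.exe" = "C:\WINDOWS\system32\dmnfl.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csaoc.exe" [file not found]
'''

# A registry key line: HKLM\ or HKCU\ ... ending in a backslash, optionally "{++}".
KEY_LINE = re.compile(r'^(HK(?:LM|CU)\\.*\\)\s*(?:\{\+\+\})?\s*$')
# A value line, optionally prefixed by the tool's own INFECTION WARNING! marker.
VALUE_LINE = re.compile(
    r'^(?P<warn>INFECTION WARNING!\s+)?"(?P<name>[^"]+)"\s*=\s*"(?P<value>.*)"\s*\[(?P<status>[^\]]*)\]\s*$'
)

# Assumed defaults for Winlogon values that malware commonly hijacks.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"c:\windows\system32\userinit.exe,",
    "System": "",  # normally empty; any executable here is worth a look
}


def parse(text):
    """Return a list of {key, name, value, status, flagged_by_tool} dicts."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append({
                "key": key, "name": m["name"], "value": m["value"],
                "status": m["status"], "flagged_by_tool": bool(m["warn"]),
            })
    return entries


def triage(entries):
    """Return (key, name, value, [reasons]) for every entry that merits a look."""
    findings = []
    for e in entries:
        reasons = []
        if e["flagged_by_tool"]:
            reasons.append("tool printed INFECTION WARNING!")
        if e["status"] == "file not found":
            reasons.append("autostart points at a missing file (orphan or renamed payload)")
        if e["status"] in ("empty string", "null data"):
            reasons.append("binary carries no company/version info")
        if "\\" not in e["value"] and e["status"] != "MS":
            reasons.append("bare filename, resolved via PATH rather than a full path")
        if e["key"].lower().endswith("\\winlogon\\") and e["name"] in WINLOGON_DEFAULTS:
            if e["value"].lower() != WINLOGON_DEFAULTS[e["name"]]:
                reasons.append("Winlogon %s deviates from the assumed default" % e["name"])
        if reasons:
            findings.append((e["key"], e["name"], e["value"], reasons))
    return findings


if __name__ == "__main__":
    for key, name, value, reasons in triage(parse(SAMPLE_LOG)):
        print("%s\n  %r = %r" % (key, name, value))
        for r in reasons:
            print("    - " + r)
```

Run against the sample, the script leaves `CTFMON.EXE` alone and lists the two orphaned Run entries, the unsigned LaunchAp binary, the bare `AGRSMMSG.exe`, and the Winlogon `System` value with four reasons at once, which is exactly why that line stood out in the thread.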
02.01.2006, 22:14
Honorary member
Posts: 29434
#8
maravilha

Delete: C:\WINDOWS\system32\csaoc.exe.ren

Copy the following text into Notepad (Start - Accessories - Notepad) and save it with 'Save as' on the desktop as fixme.reg. Under file type select 'All files'. You should now find this file on the desktop. Restart the computer in Safe Mode (press F8 while booting). Double-click the file "fixme.reg" on the desktop.

Quote
REGEDIT4
-----------------------------------------------------------------
Download FixWareout: http://swandog46.geekstogo.com/Fixwareout.exe
Fixwareout.exe --> next --> Install --> Run fixit --> Finish / the PC will restart --> C:\fixwareout\report.txt --> copy the txt file into the forum
__________
Kind regards, Sabina
all about PC security
03.01.2006, 18:55
Member
Thread starter, Posts: 32
#9
Sabina

Success: my antivirus program detected C:\WINDOWS\system32\csaoc.exe.ren and deleted it. Many thanks to you for this PC-technical success!

Here is the txt file from Fixwareout:

Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\lfnmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

Cheers...
Maravilha
04.01.2006, 00:33
Honorary member
Posts: 29434
#10
maravilha

Set up the Cleaner exactly as described here: http://virus-protect.org/cleanup.html

multiavtool http://virus-protect.org/multiavtool.html
Click "3" McAfee -- an empty DOS window appears.
- You have to type in what should be scanned
- C:\Windows\System32
Then the scan begins; you should then also have it scan:
- C:\Windows
- C:\
Post the three scan reports
__________
Kind regards, Sabina
all about PC security
04.01.2006, 20:11
Member
Thread starter, Posts: 32
#11
Dear Sabina!

I think my PC has now already had an early spring cleaning ;-) Many thanks for your help! Here are the three final scan reports:

01/04/2006 15:56:52
Options: "C:\WINDOWS\SYSTEM32" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
Scanning C: [65_01_31]
Scanning C:\WINDOWS\SYSTEM32\*.*
Summary report on C:\WINDOWS\SYSTEM32\*.*
File(s)
Total files: ........... 7548
Clean: ................. 7536
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 1
Time: 00:07.55

01/04/2006 16:12:54
Options: "C:\WINDOWS" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
Scanning C: [65_01_31]
Scanning C:\WINDOWS\*.*
Summary report on C:\WINDOWS\*.*
File(s)
Total files: ........... 38311
Clean: ................. 38298
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 1
Time: 00:23.06

01/04/2006 17:57:51
Options: "C:\" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
Scanning C: [65_01_31]
Scanning C:\*.*
Summary report on C:\*.*
File(s)
Total files: ........... 267869
Clean: ................. 266565
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 2
Time: 01:34.55

Maravilha
04.01.2006, 22:40
Honorary member
Posts: 29434
#12
maravilha

HijackThis
http://computercops.biz/zx/Merijn/hijackthis.zip
http://virus-protect.org/hjtkurz.html
Download/unpack HijackThis into a folder --> None of the above, just start the program --> Save --> Savelog --> Notepad opens; now copy the COMPLETE log with a right mouse click and "paste" it into the forum with a right mouse click
__________
Kind regards, Sabina
all about PC security
06.01.2006, 08:15
Member
Thread starter, Posts: 32
#13
Sabina

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 08:12:19, on 06.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Eraser\eraser.exe
C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\GEMEIN~1\Nokia\MPAPI\MPAPI3s.exe
C:\Dokumente und Einstellungen\Yuval\Desktop\AntiSpyware\Hijackthis\hijackthis\HijackThis.exe
C:\Programme\Messenger\msmsgs.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Programme\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Programme\Iomega\Iomega Automatic Backup\iBackup.exe
O4 - HKCU\..\Run: [PcSync] C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {AFAB176A-0D25-436A-8555-286F6D7AA388} (CRegFreezeScanModule Object) - http://www.actualresearch.com/de/files/rfscanax.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{22DE1219-3252-408E-9DB0-35547388DBA4}: NameServer = 85.255.115.102,85.255.112.5 O17 - HKLM\System\CCS\Services\Tcpip\..\{8100A7A3-96FC-4482-9136-D757FE666C3C}: NameServer = 85.255.115.102,85.255.112.5 O17 - HKLM\System\CCS\Services\Tcpip\..\{A525E3DB-0052-49B2-9359-04A9D4EAAEE9}: NameServer = 85.255.115.102,85.255.112.5 O17 - HKLM\System\CCS\Services\Tcpip\..\{AB8DAEEA-3585-4648-8262-949198442C04}: NameServer = 
85.255.115.102,85.255.112.5 O17 - HKLM\System\CCS\Services\Tcpip\..\{D142DDE0-6D28-4327-9911-E13A102316C1}: NameServer = 85.255.115.102,85.255.112.5 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programme\Ahead\InCD\InCDsrv.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: iPodService - Apple Computer, Inc. 
- C:\Programme\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programme\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe Lieber Gruss Maravilha |
06.01.2006, 11:14
Honorary member
Posts: 29434
#14
maravilha
Open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC

O17 - HKLM\System\CCS\Services\Tcpip\..\{22DE1219-3252-408E-9DB0-35547388DBA4}: NameServer = 85.255.115.102,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{8100A7A3-96FC-4482-9136-D757FE666C3C}: NameServer = 85.255.115.102,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{A525E3DB-0052-49B2-9359-04A9D4EAAEE9}: NameServer = 85.255.115.102,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB8DAEEA-3585-4648-8262-949198442C04}: NameServer = 85.255.115.102,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D142DDE0-6D28-4327-9911-E13A102316C1}: NameServer = 85.255.115.102,85.255.112.5

Restart the PC. Since your Internet settings were hijacked by Wareout, we have deleted them; now you need to set them up again. Then post the new HijackThis log (the O17 entries are enough).
__________
Best regards, Sabina
all about PC security
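An added example, not part of this thread: a small Python script that pulls the O17 NameServer entries out of a HijackThis log and flags every server that is not on an allowlist of the DNS servers the ISP actually assigns. The sample log lines are constructed from the logs above; the allowlist is an assumption (taken from the follow-up log) and must be confirmed with the ISP before it is trusted.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

# One O17 line per interface GUID: "O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h"
O17_RE = re.compile(r"^O17 - .*\{([0-9A-Fa-f-]{36})\}: NameServer = (.*)$")

# Constructed sample: O17 lines as in the thread's logs, plus the replacement entry
# from the follow-up log; the O4/O20 lines show that non-O17 lines are ignored.
SAMPLE_LOG = """\
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{22DE1219-3252-408E-9DB0-35547388DBA4}: NameServer = 85.255.115.102,85.255.112.5
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{8100A7A3-96FC-4482-9136-D757FE666C3C}: NameServer = 85.255.115.102,85.255.112.5
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{D142DDE0-6D28-4327-9911-E13A102316C1}: NameServer = 194.158.230.53,194.158.230.54
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
"""

# Assumed allowlist: the resolvers the ISP really hands out (values taken from the
# follow-up log in the thread; a placeholder to verify, not a vetted list).
EXPECTED_DNS: Set[str] = {"194.158.230.53", "194.158.230.54"}


def parse_o17(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (interface GUID, [name servers]) for every O17 NameServer line."""
    entries: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis prints the servers comma-separated; tolerate spaces as well.
        servers = [s for s in re.split(r"[,\s]+", m.group(2).strip()) if s]
        entries.append((m.group(1).upper(), servers))
    return entries


def flag_unexpected(entries: List[Tuple[str, List[str]]], expected: Set[str]) -> Dict[str, List[str]]:
    """Map interface GUID -> servers that are not on the allowlist or not valid IPs."""
    suspicious: Dict[str, List[str]] = {}
    for guid, servers in entries:
        bad: List[str] = []
        for s in servers:
            try:
                ip_address(s)
            except ValueError:
                bad.append(s)  # malformed value: not a resolver an ISP would set
                continue
            if s not in expected:
                bad.append(s)  # resolver you did not configure: check where it came from
        if bad:
            suspicious[guid] = bad
    return suspicious


if __name__ == "__main__":
    for guid, servers in flag_unexpected(parse_o17(SAMPLE_LOG), EXPECTED_DNS).items():
        print(f"interface {{{guid}}}: unexpected DNS servers {', '.join(servers)}")
```

Running it on the sample reports the two interfaces pointing at 85.255.x.x and stays quiet about the one using the allowlisted resolvers; a second run after "Fix checked" and a reboot should report nothing.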
06.01.2006, 16:48
Member
Thread starter, Posts: 32
#15
Sabina
Here is the new HijackThis log (only the section with the O17 entries):

O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {AFAB176A-0D25-436A-8555-286F6D7AA388} (CRegFreezeScanModule Object) - http://www.actualresearch.com/de/files/rfscanax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22DE1219-3252-408E-9DB0-35547388DBA4}: NameServer = 194.158.230.53,194.158.230.54
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Fixwareout hijacks my Internet settings? As a layman I don't get that.

Cheers, Maravilha
Norton AntiVirus 2005 displayed the following virus warning on my PC:
C:\windows\system32\howiper.exe > Reparatur fehlgeschlagen
C:\windows\system32\howiper.exe > Zugriff verweigert
Subsequently, the following adware was also detected, quarantined, and deleted by me manually:
C:\Programme\Microsoft AntiSpyware\Quarantine\D602AE46-138E-4A1D-B3E8-1BBB07\920EF673-ED1D-4761-9772-F1B3CE
I suspect that my PC is no longer "clean". However, NAV and other antivirus programs no longer find any threats.
How can I find out whether my system really is no longer infected?
I would be glad of any tip!
Many thanks in advance for your help.
David