NetSky mutants as "C:\WINDOWS\Temp\trz*.tmp"

#0
11.03.2006, 03:26
...new here
Posts: 7
11.03.2006, 09:47
Honorary member
Posts: 29434
#2
FrankyKnife
Set up CleanUp exactly as described here: http://virus-protect.org/cleanup.html
Copy these 4 text files. They are sorted by date (copy out only the last 3 months): http://virus-protect.org/datfindbat.html
__________
Best regards, Sabina
all about PC security
11.03.2006, 15:48
...new here
Thread starter, Posts: 7
#3
Hi!
Many thanks for your reply... the CleanUp tool really is very handy. Finally a decent standalone cleaner (other tools from the tweak sector were always so bloated and to be taken with caution...).
So... here are the datfind results:

Finally, a bit of hijacking:
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/

PS: might be important... specs: winXP SP2 (updated), IE & Outlook Express 6.0.2900.2180, avast 4.6 (autostart), sygate firewall 5.5
PS1: scanned each time with: avast, bitdefender, mcafee's "stinger", symantec's "FxNetsky.exe", f-secure's "f-netsky.exe", e-scan check 110, MS-Virus-Removal-v1.12, Microsoft AntiSpyware 10701, pestpatrol 4, spybot search & destroy 1.3, emco malware destroyer 35911, cwshredder 1.57
=> all negative, no results except for the temp files trz9.tmp, trzA.tmp, trzB.tmp etc.
PS2: registry cleanups with: microsoft regclean, regcleaner 4.3, advanced system optimizer 2.014
PS3: a little system info (AIDA32 v3.90 quick report):
11.03.2006, 22:46
Honorary member
Posts: 29434
#4
I can't find anything....
multiavtool
http://virus-protect.org/multiavtool.html
* click "3" - McAfee -- an empty DOS window appears.
- you have to enter what is to be scanned
- C:\Windows\System32
then the scan begins; you should then also have it scan:
- C:\Windows
- C:\
* click "6" --> the PC will restart
--> look for the 3 scan reports in C:\AV-CLS and copy them
__________
Best regards, Sabina
all about PC security
13.03.2006, 23:03
...new here
Thread starter, Posts: 7
#5
So... I followed your email.
(unfortunately the various tools/scans there shave my PC rigorously and without regard, i.e. things get deleted automatically for all they're worth - without asking. OUCH!!!)
Oh well, it's done now: here are the quotes...
---
03/13/2006 17:58:12
Options: "C:\" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
Scanning C: [SYS]
Scanning C:\*.*
C:\Program Files\FlashGet\flashget.exe ... Found potentially unwanted program Adware-FlashGet. The file or process has been deleted.
C:\Program Files\FlashGet\Jccatch.dll ... Found potentially unwanted program Adware-FlashGet. The file or process has been deleted.
C:\Program Files\FlashGet\UninstallLib.exe\UninstallLib.exe ... Found potentially unwanted program Adware-FlashGet. The file or process has been deleted.
C:\Program Files\PassView\pspv.exe ... Found potentially unwanted program PWCrack-PassView. The file or process has been deleted.
C:\WINDOWS\Temp\trzB3.tmp ... Found the W32/Netsky.b@MM!zip virus !!! The file or process has been deleted.
C:\WINDOWS\Temp\trzB4.tmp ... Found the W32/Netsky.b@MM!zip virus !!! The file or process has been deleted.
C:\_install\BROWSER\flashget_download165.exe ... Found potentially unwanted program Adware-Flashget.dr. The file or process has been deleted.
C:\_install\WINDOWS\PassView\pspasswordview160.zip\PSPV.EXE ... Found potentially unwanted program PWCrack-PassView.
C:\_install\WINDOWS\PassView\pspv162.zip\PSPV.EXE ... Found potentially unwanted program PWCrack-PassView.

Summary report on C:\*.*
File(s)
Total files: ........... 358972
Clean: ................. 358063
Possibly Infected: ..... 2
Cleaned: ............... 0
Deleted: ............... 7
Non-critical Error(s): 0
Time: 01:21.47
---
ANALYSIS:
1. "flashget" is adware, but otherwise clean, right? (uninstalled in the meantime - the scan messages were getting annoying)
2. "pspv" is identified as a crack program? Strange, isn't it?
3. "netsky": as you can see, I have "received" two new .tmp files again, this time the variant "W32/Netsky.b@MM" (but when I search for the corresponding .exe or run scans, nothing is found...)
=> could it be that I am somehow catching these netsky .tmp files as emails via Outlook Express, and avast deletes them, but not quite correctly???
This post was edited on 14.03.2006 at 00:42 by FrankyKnife.
14.03.2006, 00:41
Honorary member
Posts: 29434
#6
FrankyKnife
One would have to find the downloader... it may be "hiding" in a mail. You probably opened an attachment (zip)............
Scan with Kaspersky (everything, including the mails) and post the scan report
http://virus-protect.org/onlinescan.html
Quote:
Virus experts such as Trend Micro or Bitdefender have issued an urgent warning about the new WORM_NETSKY.B, which is currently spreading worldwide via e-mail
__________
Best regards, Sabina
all about PC security
14.03.2006, 00:42
...new here
Thread starter, Posts: 7
#7
IDEA: is there any way to monitor a directory or, better still, to analyse files, e.g. which software/task writes the file? In my case the .tmp files!?
(that way one would quickly get on the culprit's trail...)
PS: OMG how I miss the old AMIGA days, back then something like this would have been a piece of cake...
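The question in post #7 (which process writes the .tmp files) is normally answered with Sysinternals Filemon/Process Monitor filtered on the path, but a scripted watcher gives the same lead. As an added example that is not from the thread, this PowerShell script logs each new trz*.tmp in C:\WINDOWS\Temp with its SHA-256 and a snapshot of the most recently started processes; it assumes Windows PowerShell 5.1 or later, and the log-file path is a constructed placeholder.

```powershell
# Added example, not from the thread: watch C:\WINDOWS\Temp for new trz*.tmp files
# and, for each one, record a SHA-256 and the most recently started processes so
# that the writer can be narrowed down. Assumes Windows PowerShell 5.1 or later.
$Folder  = Join-Path $env:windir 'Temp'          # C:\WINDOWS\Temp on the poster's machine
$Filter  = 'trz*.tmp'
$LogFile = Join-Path $env:USERPROFILE 'trz-watch.log'   # constructed placeholder path

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $Folder
$watcher.Filter                = $Filter
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter          = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
$watcher.EnableRaisingEvents   = $true

$onCreated = {
    $path  = $Event.SourceEventArgs.FullPath
    $when  = $Event.TimeGenerated.ToString('yyyy-MM-dd HH:mm:ss.fff')
    $lines = [System.Collections.Generic.List[string]]::new()
    $lines.Add("=== $when  Created  $path")

    # Hash first: the resident scanner may delete the file seconds later, and the
    # hash is what gets submitted to other scanners or compared across occurrences.
    try {
        $hash = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction Stop).Hash
        $lines.Add("SHA256: $hash")
    } catch {
        $lines.Add("SHA256: unavailable ($($_.Exception.Message))")
    }

    # Process snapshot. A process that started just before the event, or whose image
    # lives outside Program Files / Windows, is the first candidate for the writer.
    # StartTime and Path are not readable for every process without elevation,
    # hence the try/catch per process.
    $procs = foreach ($p in Get-Process) {
        try {
            if ($p.Path) {
                [pscustomobject]@{ Id = $p.Id; Start = $p.StartTime; Name = $p.ProcessName; Path = $p.Path }
            }
        } catch { }
    }
    $procs | Sort-Object Start -Descending | Select-Object -First 15 | ForEach-Object {
        $lines.Add(('{0,6}  {1}  {2,-16} {3}' -f $_.Id, $_.Start.ToString('HH:mm:ss'), $_.Name, $_.Path))
    }
    $lines.Add('')
    Add-Content -Path $Event.MessageData -Value $lines
}

Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier 'TrzTmpCreated' -Action $onCreated -MessageData $LogFile | Out-Null

Write-Host "Watching $Folder for $Filter; events are appended to $LogFile. Ctrl+C stops."
try {
    # Keep the session alive; the registered action runs whenever the engine is idle.
    while ($true) { Wait-Event -Timeout 5 | Out-Null }
} finally {
    Unregister-Event -SourceIdentifier 'TrzTmpCreated'
    $watcher.EnableRaisingEvents = $false
    $watcher.Dispose()
}
```

Run it in an elevated session so that StartTime and Path are visible for all processes, then trigger the usual activity (mail download, browsing) and read the log entry written at the moment a trz*.tmp appears.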
14.03.2006, 00:44
Honorary member
Posts: 29434
#8
1. Scan with Kaspersky
2. http://virus-protect.org/worc.html scan ...restart the PC --> compare
__________
Best regards, Sabina
all about PC security
14.03.2006, 00:48
Honorary member
Posts: 29434
#9
Scan in safe mode
http://www.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html

HijackThis
http://computercops.biz/zx/Merijn/hijackthis.zip
http://virus-protect.org/hjtkurz.html
Download/unpack HijackThis into a folder --> None of the above, just start the program --> Save --> Savelog --> the editor opens; now copy the COMPLETE log with a right mouse click and "paste" it into the forum with a right mouse click
Quote:
To be activated automatically when Windows starts, W32/Netsky-B creates the following registry entry:
__________
Best regards, Sabina
all about PC security
14.03.2006, 02:25
...new here
Thread starter, Posts: 7
#10
I've already been through the usual scans, including the various "removal tools".
As I said, it finds nothing except the .tmp files. I've also looked manually for the .exe and the registry entries. Nothing!!! (that's why I'm wondering where I got netsky from if the .exe files are missing?)
OK. I've now scanned with Kaspersky:
---
My EMail: 0
---
Critical Areas:
C:\Documents and Settings\FGCI\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-3d05e309-78b7b5e5.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\FGCI\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-70dda463-3acdddca.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Documents and Settings\FGCI\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-35d9afb9-6f712126.class
---
But whether that Java stuff has anything to do with it? We'll see, I'll delete the classes...
14.03.2006, 11:35
Ehrenmitglied
Beiträge: 29434 |
#11
Hijackthis
http://computercops.biz/zx/Merijn/hijackthis.zip http://virus-protect.org/hjtkurz.html Lade/entpacke HijackThis in einem Ordner --> None of the above just start the program --> Save--> Savelog -->es öffnet sich der Editor nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und ins Forum mit rechtem Mausklick "einfügen" __________ MfG Sabina rund um die PC-Sicherheit |
14.03.2006, 18:46
...new here
Thread starter, Posts: 7
#12
Quote: Sabina posted
Yes, I'm aware of that. For those reasons such mails are deleted immediately on my machine! ...and attachments are certainly never opened!!!
Here is a current HijackThis log:
---
Logfile of HijackThis v1.99.1
Scan saved at 18:18:16, on 14.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\FreePDF_XP\fpassist.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Babylon\Babylon.exe
C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~2\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis.exe
C:\Program Files\UltraEdit\uedit32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CWebToolsBHO Class - {C49A89A1-D366-4151-904C-16F69B1C444E} - C:\Program Files\Microgarden\WebTools\WebTools.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Microgarden WebTools - {E929661E-3728-4E52-BCCB-AE4058F75466} - C:\Program Files\Microgarden\WebTools\WebTools.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~2\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [avast!] C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~2\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - User Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Drucken - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Schnelldruck - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Vorschau - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Zu Druckliste hinzufügen - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O21 - SSODL: System - {FBC32AAC-FA6A-4F8C-BF7E-B1413857F343} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~2\CachemanXP\CachemanXP.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
---
1. FLASHGET was removed again completely, including its leftovers as BHOs etc.
2. NUTZWERK (nutznavi.dll) I also deleted. No idea where that comes from or what it's for, since I don't use safersurf...?!
3. WHAT COULD THIS BE?
O21 - SSODL: System - {FBC32AAC-FA6A-4F8C-BF7E-B1413857F343} - (no file)
This post was edited on 14.03.2006 at 18:53 by FrankyKnife.
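The O21 entry FrankyKnife asks about is the kind of line a reviewer picks out of a HijackThis log first: its target is "(no file)", a registry pointer with nothing behind it. As an added example (not a tool from this thread or from HijackThis), here is a small Python triage script that splits run-together HijackThis text back into entries and flags missing targets and O21 SSODL autostart entries. The sample entries are copied from the log posted above; the flagging rules are assumptions of the example, not HijackThis's own classification.

```python
"""Triage helper for HijackThis-style log text.

Added example, not a tool from this thread or from HijackThis. A forum paste often
runs the whole log together on a few long lines; this splits it back into entries
and flags the ones a reviewer reads first. The flagging rules are assumptions of
this example, not HijackThis's own classification:
  * a target of "(no file)" or "(file missing)" is a registry pointer with nothing
    behind it; fixing it removes only the dangling entry,
  * O21 SSODL (ShellServiceObjectDelayLoad) entries are an autostart location that
    legitimate software rarely uses.
"""
import re

# An entry begins with a section tag (R0, F2, O2, O4, O16, O23, ...) followed by " - ",
# preceded by whitespace or the start of the text.
ENTRY_START = re.compile(r"(?<!\S)(R\d|F\d|N\d|O\d{1,2}) - ")

MISSING_MARKERS = ("(no file)", "(file missing)")

# Sample entries copied from the log posted above, run together as a forum paste would.
SAMPLE_LOG = (
    "O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - "
    "C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll "
    "O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~2\\ALWILS~1\\Avast4\\ashDisp.exe "
    "O21 - SSODL: System - {FBC32AAC-FA6A-4F8C-BF7E-B1413857F343} - (no file) "
    "O23 - Service: avast! Mail Scanner - Unknown owner - "
    "C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe\" /service (file missing)"
)


def split_entries(text):
    """Split run-together HijackThis text into a list of (section, body) tuples."""
    starts = list(ENTRY_START.finditer(text))
    entries = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        entries.append((m.group(1), text[m.end():end].strip()))
    return entries


def triage(text):
    """Return the entries worth a second look, each with the reasons it was flagged."""
    findings = []
    for section, body in split_entries(text):
        reasons = []
        if any(marker in body for marker in MISSING_MARKERS):
            reasons.append("target missing: orphaned entry, fixing it only removes the pointer")
        if section == "O21":
            reasons.append("SSODL autostart: uncommon for legitimate software, verify the CLSID")
        if reasons:
            findings.append({"section": section, "entry": body, "reasons": reasons})
    return findings


def report(text):
    """Human-readable report lines for the findings in `text`."""
    lines = []
    for finding in triage(text):
        lines.append(f"{finding['section']} - {finding['entry']}")
        for reason in finding["reasons"]:
            lines.append(f"    -> {reason}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run on the sample, the script reports exactly the two entries Sabina's next reply deals with: the O21 line (both rules apply) and the avast! Mail Scanner service whose binary is missing; all regular O2 and O4 entries pass through silently.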
14.03.2006, 21:21
Honorary member
Posts: 29434
#13
1. Fix with HijackThis (it is only an entry in the registry):
O21 - SSODL: System - {FBC32AAC-FA6A-4F8C-BF7E-B1413857F343} - (no file)
2. Now let's dig deeper. RootkitRevealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html
Post the scan report.
__________
Regards, Sabina
all about PC security
14.03.2006, 22:42
...new here
Thread starter, Posts: 7
#14
Quote: Sabina posted...
Is fixed, or rather deleted!
Quote: Sabina posted...
Cool page!!! I've always been looking for tools like that for Windoofs! Unfortunately the ROOTKIT probably doesn't get us any further either...
---
HKLM\S-1-5-21-1060284298-796845957-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{10EF331B-6B30-98AD-6AA5-CEA7FB1676F3}* 17.11.2005 01:10 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 19.11.2004 15:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32* 19.11.2004 15:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32* 19.11.2004 15:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32* 19.11.2004 15:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32* 19.11.2004 15:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32* 19.11.2004 15:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32* 19.11.2004 15:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32* 19.11.2004 15:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32* 19.11.2004 15:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32* 19.11.2004 15:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32* 19.11.2004 15:21 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32* 19.11.2004 15:21 0 bytes Key name contains embedded nulls (*)
---
PS: no .tmp files on my machine today... I'll keep watching and try out this "FileMon"...
15.03.2006, 00:57
Honorary member
Posts: 29434
#15
FrankyKnife
1. Scan again with: multiavtool (scan with all 4 scanners)
2. If .... trz9.tmp .... still appear after that, work through this and report:
http://virus-protect.org/regrun.html
__________
Regards, Sabina
all about PC security
I'm new to this forum, but I've been around in the PC field for a while. In recent years I never had major problems with viruses/trojans/spyware etc., or rather I always found help or info via Google.
Only this time Google is rather speechless...
Something mysterious has been going on recently: files matching the following pattern keep appearing in my directory C:\WINDOWS\Temp:
trz*.tmp (e.g. trz9.tmp, trzA.tmp, trzB.tmp etc.)
When I scan these files, various anti-virus scanners give me different feedback; everything from NETSKY-AB to NETSKY-Z2 is in there.
I have no idea where they come from, or by what or by whom the files are created. (The e-mail story doesn't apply to me, since I'm neither stupid nor handicapped!) Furthermore I don't find any infected .exe as is typical for NETSKY, and autostart/RUN is clean too. Otherwise no other infected files are found anywhere else on my machine either...
Everything seems fairly harmless, but I'm still puzzled.
I'd still be interested in help, info, tips, links etc. Who knows...
---
ATTENTION: attached are sample files - from today - as .zip (!!! INFECTED !!!)
---
trz9.tmp
trzA.tmp
trzB.tmp
Infected attachment deleted. Regards, Ralf
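For the pattern the thread starter describes (files named trz*.tmp appearing in C:\WINDOWS\Temp and being gone again on other days), the useful first step is to record size, timestamp and SHA-256 of each new file before an on-access scanner removes it, so that the differing verdicts of several engines can be compared against one and the same sample. Added example, not a tool from this thread: a Python snapshot/diff watcher. Directory, name pattern and polling interval are parameters; the C:\WINDOWS\Temp default and the trz*.tmp pattern are only assumptions mirroring the thread's case, and `demo()` runs the same logic on constructed files in a temporary directory.

```python
"""Record new temp files matching a name pattern before they disappear.

Added example, not a tool from this thread. It takes a snapshot of a directory,
keeps size, modification time and SHA-256 for every file matching a glob such as
trz*.tmp, and reports what appeared or changed between two snapshots. Directory,
pattern and interval are parameters; the C:\\WINDOWS\\Temp default below is only an
assumption mirroring the thread's case.
"""
import fnmatch
import hashlib
import os
import tempfile
import time
from datetime import datetime


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory, pattern="trz*.tmp"):
    """Map file name -> {size, mtime, sha256} for files in `directory` matching `pattern`.

    Matching is case-insensitive, as Windows file names are.
    """
    result = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file() or not fnmatch.fnmatch(entry.name.lower(), pattern.lower()):
                continue
            st = entry.stat()
            result[entry.name] = {
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
                "sha256": sha256_of(entry.path),
            }
    return result


def new_files(before, after):
    """Names that are new in `after` or whose content hash changed, oldest first."""
    changed = [name for name, info in after.items()
               if name not in before or before[name]["sha256"] != info["sha256"]]
    return sorted(changed, key=lambda name: (after[name]["mtime"], name))


def watch(directory, pattern="trz*.tmp", interval=5.0, rounds=None):
    """Poll `directory` and print one line per new matching file. The hash is taken
    at snapshot time, so the record survives even if a scanner deletes the file later."""
    before = snapshot(directory, pattern)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        after = snapshot(directory, pattern)
        for name in new_files(before, after):
            info = after[name]
            print(f"{info['mtime']} {info['size']:>8} {info['sha256']} {name}")
        before = after
        done += 1


def demo():
    """Self-contained run on constructed files in a temporary directory.

    Returns (matching names after, new names, sha256 of the constructed trz9.tmp).
    """
    with tempfile.TemporaryDirectory() as d:
        before = snapshot(d)
        with open(os.path.join(d, "trz9.tmp"), "wb") as f:   # constructed sample file
            f.write(b"abc")
        with open(os.path.join(d, "notes.txt"), "wb") as f:  # does not match the pattern
            f.write(b"not interesting")
        after = snapshot(d)
        return sorted(after), new_files(before, after), after["trz9.tmp"]["sha256"]


if __name__ == "__main__":
    import sys
    # Assumption: the thread's directory; pass another path as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("SystemRoot", r"C:\WINDOWS"), "Temp")
    watch(target)
```

The watcher only observes and hashes; it does not delete or move anything, so it can run alongside the resident scanner. The printed lines (time, size, SHA-256, name) are what a helper in a thread like this one needs from a sample, even after the file itself is gone.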