Alcra.B once again

22.03.2006, 21:24
Member
Posts: 37

#1 Hi,
I've already seen a few threads here about Worm/Alcra.B, but I couldn't make sense of them.
My AntiVir just reported WORM/Alcra.B, but I don't really know what to do now.
Here is my log file to start with.


Logfile of HijackThis v1.99.1
Scan saved at 21:22:28, on 22.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Programme\Razer\razertra.exe
D:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Programme\ICQLite\ICQLite.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Ideazon\Zboard Software\Driver\Zboard.exe
D:\programme\valve\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Messenger\msmsgs.exe
D:\Programme\OpenOffice.org1.1.5\program\soffice.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Razer\razerofa.exe
D:\Programme\Xfire\Xfire.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\DOKUME~1\FREEST~1\LOKALE~1\Temp\mexe.com
C:\DOKUME~1\FREEST~1\LOKALE~1\Temp\kavss.exe
C:\DOKUME~1\FREEST~1\LOKALE~1\Temp\Rar$EX00.407\KillBox.exe
C:\Dokumente und Einstellungen\Freestyler\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bunkarattn.de.vu/
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Programme\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [razertra] C:\Programme\Razer\razertra.exe
O4 - HKLM\..\Run: [razer] C:\Programme\Razer\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICQ Lite] d:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "e:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "e:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Steam] "d:\programme\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: OpenOffice.org 1.1.5.lnk = D:\Programme\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = D:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programme\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{984E62DF-99C2-425F-BEB2-8F5935F94241}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)




Nebenbei. Ich habe vorhin eScan laufen lassen und da kommen so Sachen wie

Datei D:\Dokumente und Einstellungen\Administrator\Desktop\Finger\Finger.exe infiziert von "not-virus:BadJoke.Win32.Finger.b" Virus. Aktion vorgenommen: Keine Aktion vorgenommen.

Wie hab ich denn damit zu verfahren?

Danke schon mal im voraus. ;)
22.03.2006, 21:49
Honorary member
Posts: 29434

#2 nix1990

please work through BFU and ewido:

http://virus-protect.org/artikel/bfu/p2pbfuhtml.html
and report back on the ewido scan ;)

--------------------------------
you can delete the joke manually:
D:\Dokumente und Einstellungen\Administrator\Desktop\Finger\Finger.exe
D:\Dokumente und Einstellungen\Administrator\Desktop\Finger
__________
Kind regards, Sabina

all about PC security
23.03.2006, 14:00
Member, thread starter
Posts: 37

#3 The BFU instructions don't work for me.
The problem is that my keyboard (the Zboard) only gets power once I'm at the "Welcome" screen.

Here is my ewido report instead:

---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------

+ Erstellt am: 13:53:38, 23.03.2006
+ Report-Checksumme: DF6E18BE

+ Scanergebnis:

HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Adware.WinAd : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Adware.WinAd : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1 -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1 -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Adware.ISTBar : Gesäubert mit Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller -> Adware.Screensavers : Gesäubert mit Backup
HKU\S-1-5-21-1644491937-2025429265-725345543-1003\Software\IST -> Adware.ISTBar : Gesäubert mit Backup
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Starware -> Adware.Starware : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Freestyler\Cookies\freestyler@2o7[1].txt -> TrackingCookie.2o7 : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Freestyler\Cookies\freestyler@atdmt[2].txt -> TrackingCookie.Atdmt : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Freestyler\Cookies\freestyler@ivwbox[1].txt -> TrackingCookie.Ivwbox : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Freestyler\Cookies\freestyler@weborama[2].txt -> TrackingCookie.Weborama : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Freestyler\Cookies\freestyler@zedo[1].txt -> TrackingCookie.Zedo : Gesäubert mit Backup
C:\Programme\Save -> Adware.SaveNow : Gesäubert mit Backup
C:\Programme\SurfAccuracy -> Adware.SurfAccuracy : Gesäubert mit Backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Adware.WinAD : Gesäubert mit Backup
D:\RECYCLER\S-1-5-21-1644491937-2025429265-725345543-1003\Dd23\Shooting Range.exe -> Not-A-Virus.BadJoke.Win32.JepRuss : Gesäubert mit Backup
D:\RECYCLER\S-1-5-21-1644491937-2025429265-725345543-1003\Dd8\Finger.exe -> Not-A-Virus.BadJoke.Win32.Finger.b : Gesäubert mit Backup


::Report Ende
23.03.2006, 14:08
Honorary member
Posts: 29434

#4 nix1990

open HijackThis -- "Scan" button -- tick the boxes in front of the malware entries -- "Fix checked" button -- restart the PC

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Programme\webHancer\Programs\whsurvey.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab

restart the PC

uninstall/delete: C:\Programme\webHancer

Counterspy
http://virus-protect.org/counterspy.html
* after the scan you have to choose one of:

*Ignore
*Remove --> Status: Deleted
*Quarantine

always choose Remove and restart the PC (then copy the scan report)
__________
Kind regards, Sabina

all about PC security
23.03.2006, 16:35
Member, thread starter
Posts: 37

#5 So, all done ;)
webHancer was nowhere to be found after the HijackThis fix.
Here is the scan report

Spyware Scan Details
Start Date: 23.03.2006 14:45:33
End Date: 23.03.2006 15:18:24
Total Time: 32 mins 51 secs

Detected spyware

Paltalk Low Risk Adware more information...
Details: Paltalk is an advertising-supported instant messaging client.
Status: Deleted

Infected files detected
C:\palsound.txt
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\palstart.exe

Infected registry entries detected
HKEY_CURRENT_USER\Software\PalTalk
HKEY_CURRENT_USER\Software\PalTalk Installer C:\DOKUME~1\FREEST~1\LOKALE~1\Temp\pal_ncr_qt_a359_r16934.exe
HKEY_CURRENT_USER\Software\PalTalk InstallerDesktop C:\Dokumente und Einstellungen\Freestyler\Desktop
HKEY_CURRENT_USER\Software\PalTalk InstallerAppDir C:\Programme\Paltalk Messenger
HKEY_CURRENT_USER\Software\PalTalk cur_build 104
HKEY_CURRENT_USER\Software\PalTalk host 199.106.211.53
HKEY_CURRENT_USER\Software\PalTalk port 5001
HKEY_CURRENT_USER\Software\PalTalk cur_country DE
HKEY_CURRENT_USER\Software\PalTalk PALWND_LEFT 782
HKEY_CURRENT_USER\Software\PalTalk PALWND_TOP 86
HKEY_CURRENT_USER\Software\PalTalk PALWND_HEIGHT 565
HKEY_CURRENT_USER\Software\PalTalk PALWND_WIDTH 242
HKEY_CURRENT_USER\Software\PalTalk noautostart 1
HKEY_CLASSES_ROOT\PalTextCtl.PalText
HKEY_CLASSES_ROOT\PalTextCtl.PalText\CLSID {C69AA869-E87F-4B07-AD47-F89C5C44899E}
HKEY_CLASSES_ROOT\PalTextCtl.PalText\CurVer PalTextCtl.PalText.1
HKEY_CLASSES_ROOT\PalTextCtl.PalText PalText Class
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\InprocServer32 C:\Programme\Paltalk Messenger\paltextctl.dll
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\MiscStatus\1 131473
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\MiscStatus 0
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\ProgID PalTextCtl.PalText.1
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\ToolboxBitmap32 C:\Programme\Paltalk Messenger\paltextctl.dll, 101
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\TypeLib {3056AD2C-1727-4968-A415-DDE7FDCD14C4}
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\Version 1.0
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\VersionIndependentProgID PalTextCtl.PalText
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E} PalText Class
HKEY_CLASSES_ROOT\PalTextCtl.PalText.1
HKEY_CLASSES_ROOT\PalTextCtl.PalText.1\CLSID {C69AA869-E87F-4B07-AD47-F89C5C44899E}
HKEY_CLASSES_ROOT\PalTextCtl.PalText.1 PalText Class
HKEY_CLASSES_ROOT\.PalTalk
HKEY_CLASSES_ROOT\.PalTalk PalTalkFile
HKEY_CLASSES_ROOT\.PalTalk Content Type text/PalTalk
HKEY_CLASSES_ROOT\AppID\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}
HKEY_CLASSES_ROOT\AppID\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83} ftpclient
HKEY_CLASSES_ROOT\AppID\ftpclient.DLL
HKEY_CLASSES_ROOT\AppID\ftpclient.DLL AppID {7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}
HKEY_CLASSES_ROOT\Interface\{1C8970E2-42E2-4D21-BF54-C6CBEE916B58}
HKEY_CLASSES_ROOT\Interface\{1C8970E2-42E2-4D21-BF54-C6CBEE916B58}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{1C8970E2-42E2-4D21-BF54-C6CBEE916B58}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{1C8970E2-42E2-4D21-BF54-C6CBEE916B58}\TypeLib {3056AD2C-1727-4968-A415-DDE7FDCD14C4}
HKEY_CLASSES_ROOT\Interface\{1C8970E2-42E2-4D21-BF54-C6CBEE916B58}\TypeLib Version 1.2
HKEY_CLASSES_ROOT\Interface\{1C8970E2-42E2-4D21-BF54-C6CBEE916B58} IPalText
HKEY_CLASSES_ROOT\Interface\{406F9AAB-CA4C-4F82-9376-F5058C4E464F}
HKEY_CLASSES_ROOT\Interface\{406F9AAB-CA4C-4F82-9376-F5058C4E464F}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{406F9AAB-CA4C-4F82-9376-F5058C4E464F}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{406F9AAB-CA4C-4F82-9376-F5058C4E464F}\TypeLib {3056AD2C-1727-4968-A415-DDE7FDCD14C4}
HKEY_CLASSES_ROOT\Interface\{406F9AAB-CA4C-4F82-9376-F5058C4E464F}\TypeLib Version 1.2
HKEY_CLASSES_ROOT\Interface\{406F9AAB-CA4C-4F82-9376-F5058C4E464F} _IPalTextEvents
HKEY_CLASSES_ROOT\Interface\{66EB7C9D-FBEB-4B01-AD8A-532CC189D517}
HKEY_CLASSES_ROOT\Interface\{66EB7C9D-FBEB-4B01-AD8A-532CC189D517}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{66EB7C9D-FBEB-4B01-AD8A-532CC189D517}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{66EB7C9D-FBEB-4B01-AD8A-532CC189D517}\TypeLib {3056AD2C-1727-4968-A415-DDE7FDCD14C4}
HKEY_CLASSES_ROOT\Interface\{66EB7C9D-FBEB-4B01-AD8A-532CC189D517}\TypeLib Version 1.2
HKEY_CLASSES_ROOT\Interface\{66EB7C9D-FBEB-4B01-AD8A-532CC189D517} IPalText2
HKEY_CLASSES_ROOT\Interface\{8C728DC6-4BAB-4544-97B8-D8D62B0B97A4}
HKEY_CLASSES_ROOT\Interface\{8C728DC6-4BAB-4544-97B8-D8D62B0B97A4}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{8C728DC6-4BAB-4544-97B8-D8D62B0B97A4}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{8C728DC6-4BAB-4544-97B8-D8D62B0B97A4}\TypeLib {E41FD921-2A34-444E-805A-3FB0B47CCA1E}
HKEY_CLASSES_ROOT\Interface\{8C728DC6-4BAB-4544-97B8-D8D62B0B97A4}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{8C728DC6-4BAB-4544-97B8-D8D62B0B97A4} _IsoundsEvents
HKEY_CLASSES_ROOT\Interface\{9F13DA3B-F914-4011-A3EB-50FA7FE13B63}
HKEY_CLASSES_ROOT\Interface\{9F13DA3B-F914-4011-A3EB-50FA7FE13B63}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{9F13DA3B-F914-4011-A3EB-50FA7FE13B63}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{9F13DA3B-F914-4011-A3EB-50FA7FE13B63}\TypeLib {0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}
HKEY_CLASSES_ROOT\Interface\{9F13DA3B-F914-4011-A3EB-50FA7FE13B63}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{9F13DA3B-F914-4011-A3EB-50FA7FE13B63} _IPalVidCtlEvents
HKEY_CLASSES_ROOT\Interface\{AC72F0EE-4EAA-46F7-AC05-28558697314C}
HKEY_CLASSES_ROOT\Interface\{AC72F0EE-4EAA-46F7-AC05-28558697314C}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{AC72F0EE-4EAA-46F7-AC05-28558697314C}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{AC72F0EE-4EAA-46F7-AC05-28558697314C}\TypeLib {7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}
HKEY_CLASSES_ROOT\Interface\{AC72F0EE-4EAA-46F7-AC05-28558697314C}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{AC72F0EE-4EAA-46F7-AC05-28558697314C} _IftclientEvents
HKEY_CLASSES_ROOT\Interface\{B63D472B-1029-44FA-B8A5-78A020F76310}
HKEY_CLASSES_ROOT\Interface\{B63D472B-1029-44FA-B8A5-78A020F76310}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{B63D472B-1029-44FA-B8A5-78A020F76310}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{B63D472B-1029-44FA-B8A5-78A020F76310}\TypeLib {7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}
HKEY_CLASSES_ROOT\Interface\{B63D472B-1029-44FA-B8A5-78A020F76310}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{B63D472B-1029-44FA-B8A5-78A020F76310} Iftclient
HKEY_CLASSES_ROOT\Interface\{C2361732-3EC8-4DE7-A43C-4A6EDAEB8F9B}
HKEY_CLASSES_ROOT\Interface\{C2361732-3EC8-4DE7-A43C-4A6EDAEB8F9B}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{C2361732-3EC8-4DE7-A43C-4A6EDAEB8F9B}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{C2361732-3EC8-4DE7-A43C-4A6EDAEB8F9B}\TypeLib {E41FD921-2A34-444E-805A-3FB0B47CCA1E}
HKEY_CLASSES_ROOT\Interface\{C2361732-3EC8-4DE7-A43C-4A6EDAEB8F9B}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{C2361732-3EC8-4DE7-A43C-4A6EDAEB8F9B} Isounds
HKEY_CLASSES_ROOT\Interface\{D4494052-92E0-4DA0-9285-90173E445609}
HKEY_CLASSES_ROOT\Interface\{D4494052-92E0-4DA0-9285-90173E445609}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{D4494052-92E0-4DA0-9285-90173E445609}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{D4494052-92E0-4DA0-9285-90173E445609}\TypeLib {0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}
HKEY_CLASSES_ROOT\Interface\{D4494052-92E0-4DA0-9285-90173E445609}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{D4494052-92E0-4DA0-9285-90173E445609} IPalVidCtl
HKEY_CLASSES_ROOT\PaltalkFile
HKEY_CLASSES_ROOT\PaltalkFile\DefaultIcon C:\Programme\Paltalk Messenger\Paltalk.exe,0
HKEY_CLASSES_ROOT\PaltalkFile\Shell\Open\Command C:\Programme\Paltalk Messenger\Paltalk.exe "%1"
HKEY_CLASSES_ROOT\TypeLib\{0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}
HKEY_CLASSES_ROOT\TypeLib\{0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}\1.0\0\win32 C:\Programme\Paltalk Messenger\WebVideo.dll
HKEY_CLASSES_ROOT\TypeLib\{0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}\1.0\HELPDIR C:\Programme\Paltalk Messenger\
HKEY_CLASSES_ROOT\TypeLib\{0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}\1.0 PalVideo 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{3056AD2C-1727-4968-A415-DDE7FDCD14C4}
HKEY_CLASSES_ROOT\TypeLib\{3056AD2C-1727-4968-A415-DDE7FDCD14C4}\1.2\0\win32 C:\Programme\Paltalk Messenger\paltextctl.dll
HKEY_CLASSES_ROOT\TypeLib\{3056AD2C-1727-4968-A415-DDE7FDCD14C4}\1.2\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{3056AD2C-1727-4968-A415-DDE7FDCD14C4}\1.2\HELPDIR C:\Programme\Paltalk Messenger\
HKEY_CLASSES_ROOT\TypeLib\{3056AD2C-1727-4968-A415-DDE7FDCD14C4}\1.2 PalTextCtl 1.2 Type Library
HKEY_CLASSES_ROOT\TypeLib\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}
HKEY_CLASSES_ROOT\TypeLib\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}\1.0\0\win32 C:\Programme\Paltalk Messenger\ftpclient.dll
HKEY_CLASSES_ROOT\TypeLib\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}\1.0\HELPDIR C:\Programme\Paltalk Messenger\
HKEY_CLASSES_ROOT\TypeLib\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}\1.0 ftpclient 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{E41FD921-2A34-444E-805A-3FB0B47CCA1E}
HKEY_CLASSES_ROOT\TypeLib\{E41FD921-2A34-444E-805A-3FB0B47CCA1E}\1.0\0\win32 C:\Programme\Paltalk Messenger\palsound.dll
HKEY_CLASSES_ROOT\TypeLib\{E41FD921-2A34-444E-805A-3FB0B47CCA1E}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{E41FD921-2A34-444E-805A-3FB0B47CCA1E}\1.0\HELPDIR C:\Programme\Paltalk Messenger\
HKEY_CLASSES_ROOT\TypeLib\{E41FD921-2A34-444E-805A-3FB0B47CCA1E}\1.0 palsound 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PalTalk6_alpha_6.73.1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PalTalk6_alpha_6.73.1.1 DisplayName Paltalk Messenger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PalTalk6_alpha_6.73.1.1 UninstallString C:\WINDOWS\iun6002.exe "C:\Programme\Paltalk Messenger\irunin.ini"


DelFin.Media Viewer Adware more information...
Details: DelFin Media Viewer, also called PromulGate, is an adware-based media player.
Status: Deleted

Infected files detected
C:\Programme\Free Offers from Freeze.com\registryCleaner.ico


BearShare P2P Program more information...
Details: BearShare is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Ignored

Infected files detected
D:\Programme\BearShare\BSidle.dll
D:\Programme\BearShare Test\BSidle.dll
d:\programme\bearshare\runmsc.dll

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\InprocServer32 d:\Programme\BearShare\RunMSC.dll
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\ProgID RunMSC.Loader.1
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\TypeLib {905D0DF2-3A0A-4D94-853C-54A12A745905}
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\VersionIndependentProgID RunMSC.Loader
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07} Loader Class
HKEY_CLASSES_ROOT\gnufile
HKEY_CLASSES_ROOT\gnufile\shell\open\command "d:\Programme\BearShare\BearShare.exe" "%1"
HKEY_CLASSES_ROOT\gnufile gnutella
HKEY_CLASSES_ROOT\gnufile BrowserFlags 8
HKEY_CLASSES_ROOT\gnufile EditFlags 65536
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\0\win32 d:\Programme\BearShare\RunMSC.dll
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\HELPDIR d:\Programme\BearShare\
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0 RunMSC 1.0 Type Library
HKEY_CURRENT_USER\appevents\eventlabels\bearsharechatnotifymsg
HKEY_CURRENT_USER\appevents\eventlabels\bearsharechatnotifymsg Chat Message Waiting
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg\.Current d:\Programme\BearShare Test\sounds\notify.wav
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare BearShare
HKEY_LOCAL_MACHINE\software\bearshare
HKEY_LOCAL_MACHINE\software\bearshare InstallDir d:\Programme\BearShare
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare DisplayName BearShare
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare UninstallString D:\PROGRA~1\BEARSH~2\UNWISE.EXE D:\PROGRA~1\BEARSH~2\INSTALL.LOG
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare DisplayVersion 5.0.2.5DE
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare HelpLink http://bearshare.de/Help/index.htm
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare Publisher Free Peers, Inc.
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare URLInfoAbout http://www.freepeers.com
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare DisplayIcon d:\Programme\BearShare\BearShare.exe,-128
HKEY_USERS\.default\appevents\eventlabels\bearsharechatnotifymsg
HKEY_USERS\.default\appevents\eventlabels\bearsharechatnotifymsg Chat Message Waiting
HKEY_USERS\.default\appevents\schemes\apps\bearshare
HKEY_USERS\.default\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg\.Current d:\Programme\BearShare Test\sounds\notify.wav
HKEY_USERS\.default\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg
HKEY_USERS\.default\appevents\schemes\apps\bearshare BearShare


WhenU.SaveNow Adware more information...
Details: WhenU.SaveNow is an adware application that displays pop-up advertising on the desktop in response to users' web browsing.
Status: Deleted

Infected files detected
D:\Programme\BearShare\RunMSC.dll
D:\Programme\BearShare\Webstats.exe
D:\Programme\BearShare\Webstats.ini
D:\Programme\BearShare Test\Webstats.exe
D:\Programme\BearShare Test\Webstats.ini

Infected registry entries detected
HKEY_CLASSES_ROOT\runmsc.loader.1\clsid
HKEY_CLASSES_ROOT\runmsc.loader.1\clsid {9F95F736-0F62-4214-A4B4-CAA6738D4C07}
HKEY_CLASSES_ROOT\runmsc.loader\clsid
HKEY_CLASSES_ROOT\runmsc.loader\clsid {9F95F736-0F62-4214-A4B4-CAA6738D4C07}
HKEY_CLASSES_ROOT\runmsc.loader\curver
HKEY_CLASSES_ROOT\runmsc.loader\curver RunMSC.Loader.1
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\TypeLib {905D0DF2-3A0A-4D94-853C-54A12A745905}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97} ILoader
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\InprocServer32 d:\Programme\BearShare\RunMSC.dll
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\ProgID RunMSC.Loader.1
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\TypeLib {905D0DF2-3A0A-4D94-853C-54A12A745905}
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\VersionIndependentProgID RunMSC.Loader
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07} Loader Class


RBot.steam Trojan more information...
Status: Ignored

Infected files detected
E:\Programme\Valve\platform\steam_dev.exe


IST.ISTbar.ActiveX Spyware more information...
Details: ISTactivex is an Internet Explorer hijacker, which modifies your homepages and searches without a user’s consent using an Internet Explorer toolbar.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls c:\windows\downloaded program files\istactivex.dll


NewDotNet Browser Plug-in more information...
Details: New.Net is an Internet Explorer spyware/hijacker plug-in that adds subdomains of 'new.net' to your name resolution system (Windows’ Host file), resulting in what appear to be extra top-level domains (.shop, and so on) being resolvable.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\New.net Source
HKEY_LOCAL_MACHINE\software\new.net
HKEY_LOCAL_MACHINE\software\new.net Source FREEZE~1


IST.PowerScan Adware more information...
Details: PowerScan is advertised through in ordinary web pop-ups, but recently it started to install with help from the the ISTBar adware.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main bandrest
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Power Scan
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Power Scan DisplayName Power Scan
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Power Scan UninstallString C:\Programme\Power Scan\uninstall.exe


IST.SlotchBar Toolbar more information...
Details: An adware toolbar program for affiliates to distrubute on sites. Affiliates get paid per install of the toolbar.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs C:\WINDOWS\Downloaded Program Files\ISTactivex.dll


IST.XXXToolbar Toolbar more information...
Details: Adult adware search toolbar for Internet Explorer. XXXToolbar displays a number of pop-up ads when Internet Explorer is running.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs C:\WINDOWS\Downloaded Program Files\ISTactivex.dll


TinyBar Browser Hijacker more information...
Details: TinyBar is an Internet Explorer toolbar that adds registry entries that use the Windows system file shdocvw.dll to display a web page as a toolbar.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls c:\windows\downloaded program files\istactivex.dll


IST.ISTbar Browser Hijacker more information...
Details: ISTbar is an Internet Explorer Hijacker, which modifies your homepages and searches without a user’s consent using an Internet Explorer toolbar.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls c:\windows\downloaded program files\istactivex.dll


WinAD Adware more information...
Details: WinAd open pop-up windows, displaying german language content.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll .Owner {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls c:\windows\downloaded program files\mediaaccx.dll


ATDMT.com Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\freestyler\cookies\freestyler@atdmt[2].txt


Weborama Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\freestyler\cookies\freestyler@weborama[2].txt


Zedo Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\freestyler\cookies\freestyler@zedo[2].txt


A question about Rbot.steam:
I set it to Ignore, because I'm not sure whether it would affect the functionality of Steam (CS).
Can you give me the green light? ;)

thx in advance

oh, before I forget.
how on earth do you evaluate all these reports^^ I really don't get how you manage it so quickly xD
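The question at the end of this post, how a HijackThis log gets read so quickly, comes down to a handful of recurring checks. The Python script below is an added illustration, not code from the forum post, from HijackThis or from any tool Sabina names: it runs those checks over a constructed subset of the log lines from post #1 (processes launched from a Temp directory, the missing URLSearchHook, startup items without a full path, O16 ActiveX downloads from hosts outside an assumed allowlist, and services with an unknown owner or missing binary). The allowlist, the one-entry denylist and the severities are assumptions for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed subset of the HijackThis v1.99.1 log lines from post #1.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\DOKUME~1\FREEST~1\LOKALE~1\Temp\mexe.com
C:\DOKUME~1\FREEST~1\LOKALE~1\Temp\kavss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bunkarattn.de.vu/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Programme\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - Global Startup: palstart.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    entry: str      # the log line that triggered the check
    reason: str


# Assumed allowlist of hosts from which O16 ActiveX downloads are expected;
# extend it for your own environment.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "windowsupdate.com")
# Assumed denylist of program names; "webhancer" is the one this thread identified.
KNOWN_UNWANTED = ("webhancer",)

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (.+?): (?:\[(.*?)\] )?(.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-F-]+\})(?: \((.*?)\))? - (\S+)", re.IGNORECASE)


def host_is_trusted(url):
    """True if the URL's host is a trusted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Return the findings for a HijackThis log, in log order."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if TEMP_DIR.search(line):
                findings.append(Finding("high", line, "process running from a Temp directory"))
            continue
        if line.startswith("R3 - ") and "is missing" in line:
            findings.append(Finding("medium", line, "default URLSearchHook removed; restore with Fix checked"))
        elif line.startswith("R0 - ") and "Start Page" in line:
            findings.append(Finding("info", line, "start page is set; confirm the user chose it"))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            target = m.group(3).strip().strip('"') if m else ""
            if any(name in target.lower() for name in KNOWN_UNWANTED):
                findings.append(Finding("high", line, "autostart of a known unwanted program"))
            elif m and "Startup" in m.group(1) and "\\" not in target:
                findings.append(Finding("medium", line, "startup item without a full path; locate and identify the file"))
        elif line.startswith("O16 - "):
            m = O16_RE.match(line)
            if m and not host_is_trusted(m.group(3)):
                reason = "ActiveX control downloaded from an untrusted host"
                if not m.group(2):
                    reason += " and without a control name"
                findings.append(Finding("high", line, reason))
        elif line.startswith("O23 - "):
            if "Unknown owner" in line or "(file missing)" in line:
                findings.append(Finding("info", line, "service with unknown owner or missing binary"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.entry}")
```

The heuristics only narrow the list; an entry such as webHancer is still identified by looking the name up, which is why the denylist here is the one the thread supplied.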
23.03.2006, 16:42
Honorary member
Posts: 29434

#6 well, Counterspy detects it as a Trojan.. I don't know the program in question myself.

have the file checked:

Scan individual files
At the top of the page --> click Browse --> pick the file --> double-click the file to be checked --> click Submit... now wait
http://www.virustotal.com/flash/index_en.html

E:\Programme\Valve\platform\steam_dev.exe
__________
Kind regards, Sabina

all about PC security