Alcra.B yet again
#0
22.03.2006, 21:24
Member
Posts: 37
22.03.2006, 21:49
Honorary Member
Posts: 29434
#2
nix1990
Please work through BFU and ewido: http://virus-protect.org/artikel/bfu/p2pbfuhtml.html and report back on the ewido scan.
--------------------------------
You can delete the joke program manually:
D:\Dokumente und Einstellungen\Administrator\Desktop\Finger\Finger.exe
D:\Dokumente und Einstellungen\Administrator\Desktop\Finger
__________
Kind regards, Sabina
all about PC security
23.03.2006, 14:00
Member
Thread starter
Posts: 37
#3
Following the BFU instructions doesn't work for me.
The problem is that my keyboard (the Zboard) only gets power once I'm at the "Welcome" screen.
Apart from that, here is my ewido report:

---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------
+ Erstellt am: 13:53:38, 23.03.2006
+ Report-Checksumme: DF6E18BE
+ Scanergebnis:
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Adware.WinAd : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Adware.WinAd : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1 -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1 -> Adware.Screensavers : Gesäubert mit Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Adware.ISTBar : Gesäubert mit Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller -> Adware.Screensavers : Gesäubert mit Backup
HKU\S-1-5-21-1644491937-2025429265-725345543-1003\Software\IST -> Adware.ISTBar : Gesäubert mit Backup
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Starware -> Adware.Starware : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Freestyler\Cookies\freestyler@2o7[1].txt -> TrackingCookie.2o7 : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Freestyler\Cookies\freestyler@atdmt[2].txt -> TrackingCookie.Atdmt : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Freestyler\Cookies\freestyler@ivwbox[1].txt -> TrackingCookie.Ivwbox : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Freestyler\Cookies\freestyler@weborama[2].txt -> TrackingCookie.Weborama : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Freestyler\Cookies\freestyler@zedo[1].txt -> TrackingCookie.Zedo : Gesäubert mit Backup
C:\Programme\Save -> Adware.SaveNow : Gesäubert mit Backup
C:\Programme\SurfAccuracy -> Adware.SurfAccuracy : Gesäubert mit Backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Adware.WinAD : Gesäubert mit Backup
D:\RECYCLER\S-1-5-21-1644491937-2025429265-725345543-1003\Dd23\Shooting Range.exe -> Not-A-Virus.BadJoke.Win32.JepRuss : Gesäubert mit Backup
D:\RECYCLER\S-1-5-21-1644491937-2025429265-725345543-1003\Dd8\Finger.exe -> Not-A-Virus.BadJoke.Win32.Finger.b : Gesäubert mit Backup
::Report Ende
23.03.2006, 14:08
Honorary Member
Posts: 29434
#4
nix1990
Open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Programme\webHancer\Programs\whsurvey.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab

Restart the PC.

Uninstall/delete:
C:\Programme\webHancer

Counterspy
http://virus-protect.org/counterspy.html
* After the scan you have to decide between:
*Ignore
*Remove --> Status: Deleted
*Quarantine
Always choose Remove and restart the PC (then copy out the scan report).
__________
Kind regards, Sabina
all about PC security
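The triage done by eye in the reply above (pick the R3, O4 and O16 lines out of a HijackThis log, plus anything odd in the process list) can be written down as rules. The script below is an added example for this thread, not code from the forum, from HijackThis or from any of the tools mentioned: it parses each log line by its section code, flags a process running out of a Temp folder, a missing URLSearchHook, an O4 autostart on a watch-list, an O16 ActiveX download from a host that is not on an allow-list, and any entry marked "(file missing)". The sample lines are copied from the log posted in this thread; the allow-list of ActiveX hosts and the autostart watch-list are constructed assumptions for the example, not vendor signatures.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed allow-list (an assumption for this example): hosts from which an
# O16 ActiveX download is considered known-good. Any other host gets flagged.
ALLOWED_DPF_HOSTS = {"spaces.msn.com", "www.windowsecurity.com"}

# Constructed watch-list of path fragments for O4 autostart entries. "webhancer"
# is the entry the thread removes; the list is an assumption, not a vendor signature.
O4_WATCHLIST = ("webhancer",)

SECTION_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")           # bare path under "Running processes:"
DPF_URL_RE = re.compile(r" - (?P<url>https?://\S+)$")
RUN_CMD_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\DOKUME~1\FREEST~1\LOKALE~1\Temp\mexe.com
C:\DOKUME~1\FREEST~1\LOKALE~1\Temp\kavss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bunkarattn.de.vu/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Programme\webHancer\Programs\whsurvey.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, or "PROC" for a running process
    reason: str
    line: str


def parse_line(line):
    """Split an 'O4 - ...' style line into (section, body); None for other lines."""
    m = SECTION_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def _check_process(path):
    # A process started out of a Temp folder is unusual for legitimate software
    # and is one of the first things a helper looks at in the process list.
    if "\\temp\\" in path.lower():
        return "process running from a Temp folder"
    return None


def _check_entry(section, body, allowed_hosts):
    if section == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook missing (often removed by a hijacker)"
    if section == "O4":
        m = RUN_CMD_RE.search(body)
        cmd = (m.group("cmd") if m else body).lower()
        if any(token in cmd for token in O4_WATCHLIST):
            return "autostart entry matches the watch-list"
    if section == "O16":
        m = DPF_URL_RE.search(body)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if host not in allowed_hosts:
                return f"ActiveX download from unlisted host {host}"
    if "(file missing)" in body:
        return "entry points at a file that no longer exists (orphaned)"
    return None


def triage(log_text, allowed_hosts=ALLOWED_DPF_HOSTS):
    """Return the Findings for one HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_RE.match(line):
            reason = _check_process(line)
            if reason:
                findings.append(Finding("PROC", reason, line))
            continue
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, body = parsed
        reason = _check_entry(section, body, allowed_hosts)
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def summarize(findings):
    """Count findings per section code, e.g. {'O16': 2, 'PROC': 2, ...}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run on the sample, the rules reproduce the three HijackThis lines the reply asks to fix and additionally surface the two Temp-folder processes and the screensavers.com ActiveX control; the orphaned O18 entry is reported only as informational. The rules are deliberately conservative: anything they flag is a candidate for a human to check, not something to fix blindly.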
23.03.2006, 16:35
Member
Thread starter
Posts: 37
#5
OK, all done.
webHancer was already nowhere to be found after the HijackThis fix. Here's the scan report:

Spyware Scan Details
Start Date: 23.03.2006 14:45:33
End Date: 23.03.2006 15:18:24
Total Time: 32 mins 51 secs

Detected spyware

Paltalk Low Risk Adware more information...
Details: Paltalk is an advertising-supported instant messaging client.
Status: Deleted
Infected files detected
C:\palsound.txt
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\palstart.exe
Infected registry entries detected
HKEY_CURRENT_USER\Software\PalTalk
HKEY_CURRENT_USER\Software\PalTalk Installer C:\DOKUME~1\FREEST~1\LOKALE~1\Temp\pal_ncr_qt_a359_r16934.exe
HKEY_CURRENT_USER\Software\PalTalk InstallerDesktop C:\Dokumente und Einstellungen\Freestyler\Desktop
HKEY_CURRENT_USER\Software\PalTalk InstallerAppDir C:\Programme\Paltalk Messenger
HKEY_CURRENT_USER\Software\PalTalk cur_build 104
HKEY_CURRENT_USER\Software\PalTalk host 199.106.211.53
HKEY_CURRENT_USER\Software\PalTalk port 5001
HKEY_CURRENT_USER\Software\PalTalk cur_country DE
HKEY_CURRENT_USER\Software\PalTalk PALWND_LEFT 782
HKEY_CURRENT_USER\Software\PalTalk PALWND_TOP 86
HKEY_CURRENT_USER\Software\PalTalk PALWND_HEIGHT 565
HKEY_CURRENT_USER\Software\PalTalk PALWND_WIDTH 242
HKEY_CURRENT_USER\Software\PalTalk noautostart 1
HKEY_CLASSES_ROOT\PalTextCtl.PalText
HKEY_CLASSES_ROOT\PalTextCtl.PalText\CLSID {C69AA869-E87F-4B07-AD47-F89C5C44899E}
HKEY_CLASSES_ROOT\PalTextCtl.PalText\CurVer PalTextCtl.PalText.1
HKEY_CLASSES_ROOT\PalTextCtl.PalText PalText Class
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\InprocServer32 C:\Programme\Paltalk Messenger\paltextctl.dll
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\MiscStatus\1 131473
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\MiscStatus 0
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\ProgID PalTextCtl.PalText.1
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\ToolboxBitmap32 C:\Programme\Paltalk Messenger\paltextctl.dll, 101
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\TypeLib {3056AD2C-1727-4968-A415-DDE7FDCD14C4}
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\Version 1.0
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E}\VersionIndependentProgID PalTextCtl.PalText
HKEY_CLASSES_ROOT\CLSID\{C69AA869-E87F-4B07-AD47-F89C5C44899E} PalText Class
HKEY_CLASSES_ROOT\PalTextCtl.PalText.1
HKEY_CLASSES_ROOT\PalTextCtl.PalText.1\CLSID {C69AA869-E87F-4B07-AD47-F89C5C44899E}
HKEY_CLASSES_ROOT\PalTextCtl.PalText.1 PalText Class
HKEY_CLASSES_ROOT\.PalTalk
HKEY_CLASSES_ROOT\.PalTalk PalTalkFile
HKEY_CLASSES_ROOT\.PalTalk Content Type text/PalTalk
HKEY_CLASSES_ROOT\AppID\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}
HKEY_CLASSES_ROOT\AppID\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83} ftpclient
HKEY_CLASSES_ROOT\AppID\ftpclient.DLL
HKEY_CLASSES_ROOT\AppID\ftpclient.DLL AppID {7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}
HKEY_CLASSES_ROOT\Interface\{1C8970E2-42E2-4D21-BF54-C6CBEE916B58}
HKEY_CLASSES_ROOT\Interface\{1C8970E2-42E2-4D21-BF54-C6CBEE916B58}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{1C8970E2-42E2-4D21-BF54-C6CBEE916B58}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{1C8970E2-42E2-4D21-BF54-C6CBEE916B58}\TypeLib {3056AD2C-1727-4968-A415-DDE7FDCD14C4}
HKEY_CLASSES_ROOT\Interface\{1C8970E2-42E2-4D21-BF54-C6CBEE916B58}\TypeLib Version 1.2
HKEY_CLASSES_ROOT\Interface\{1C8970E2-42E2-4D21-BF54-C6CBEE916B58} IPalText
HKEY_CLASSES_ROOT\Interface\{406F9AAB-CA4C-4F82-9376-F5058C4E464F}
HKEY_CLASSES_ROOT\Interface\{406F9AAB-CA4C-4F82-9376-F5058C4E464F}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{406F9AAB-CA4C-4F82-9376-F5058C4E464F}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{406F9AAB-CA4C-4F82-9376-F5058C4E464F}\TypeLib {3056AD2C-1727-4968-A415-DDE7FDCD14C4}
HKEY_CLASSES_ROOT\Interface\{406F9AAB-CA4C-4F82-9376-F5058C4E464F}\TypeLib Version 1.2
HKEY_CLASSES_ROOT\Interface\{406F9AAB-CA4C-4F82-9376-F5058C4E464F} _IPalTextEvents
HKEY_CLASSES_ROOT\Interface\{66EB7C9D-FBEB-4B01-AD8A-532CC189D517}
HKEY_CLASSES_ROOT\Interface\{66EB7C9D-FBEB-4B01-AD8A-532CC189D517}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{66EB7C9D-FBEB-4B01-AD8A-532CC189D517}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{66EB7C9D-FBEB-4B01-AD8A-532CC189D517}\TypeLib {3056AD2C-1727-4968-A415-DDE7FDCD14C4}
HKEY_CLASSES_ROOT\Interface\{66EB7C9D-FBEB-4B01-AD8A-532CC189D517}\TypeLib Version 1.2
HKEY_CLASSES_ROOT\Interface\{66EB7C9D-FBEB-4B01-AD8A-532CC189D517} IPalText2
HKEY_CLASSES_ROOT\Interface\{8C728DC6-4BAB-4544-97B8-D8D62B0B97A4}
HKEY_CLASSES_ROOT\Interface\{8C728DC6-4BAB-4544-97B8-D8D62B0B97A4}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{8C728DC6-4BAB-4544-97B8-D8D62B0B97A4}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{8C728DC6-4BAB-4544-97B8-D8D62B0B97A4}\TypeLib {E41FD921-2A34-444E-805A-3FB0B47CCA1E}
HKEY_CLASSES_ROOT\Interface\{8C728DC6-4BAB-4544-97B8-D8D62B0B97A4}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{8C728DC6-4BAB-4544-97B8-D8D62B0B97A4} _IsoundsEvents
HKEY_CLASSES_ROOT\Interface\{9F13DA3B-F914-4011-A3EB-50FA7FE13B63}
HKEY_CLASSES_ROOT\Interface\{9F13DA3B-F914-4011-A3EB-50FA7FE13B63}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{9F13DA3B-F914-4011-A3EB-50FA7FE13B63}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{9F13DA3B-F914-4011-A3EB-50FA7FE13B63}\TypeLib {0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}
HKEY_CLASSES_ROOT\Interface\{9F13DA3B-F914-4011-A3EB-50FA7FE13B63}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{9F13DA3B-F914-4011-A3EB-50FA7FE13B63} _IPalVidCtlEvents
HKEY_CLASSES_ROOT\Interface\{AC72F0EE-4EAA-46F7-AC05-28558697314C}
HKEY_CLASSES_ROOT\Interface\{AC72F0EE-4EAA-46F7-AC05-28558697314C}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{AC72F0EE-4EAA-46F7-AC05-28558697314C}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{AC72F0EE-4EAA-46F7-AC05-28558697314C}\TypeLib {7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}
HKEY_CLASSES_ROOT\Interface\{AC72F0EE-4EAA-46F7-AC05-28558697314C}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{AC72F0EE-4EAA-46F7-AC05-28558697314C} _IftclientEvents
HKEY_CLASSES_ROOT\Interface\{B63D472B-1029-44FA-B8A5-78A020F76310}
HKEY_CLASSES_ROOT\Interface\{B63D472B-1029-44FA-B8A5-78A020F76310}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{B63D472B-1029-44FA-B8A5-78A020F76310}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{B63D472B-1029-44FA-B8A5-78A020F76310}\TypeLib {7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}
HKEY_CLASSES_ROOT\Interface\{B63D472B-1029-44FA-B8A5-78A020F76310}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{B63D472B-1029-44FA-B8A5-78A020F76310} Iftclient
HKEY_CLASSES_ROOT\Interface\{C2361732-3EC8-4DE7-A43C-4A6EDAEB8F9B}
HKEY_CLASSES_ROOT\Interface\{C2361732-3EC8-4DE7-A43C-4A6EDAEB8F9B}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{C2361732-3EC8-4DE7-A43C-4A6EDAEB8F9B}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{C2361732-3EC8-4DE7-A43C-4A6EDAEB8F9B}\TypeLib {E41FD921-2A34-444E-805A-3FB0B47CCA1E}
HKEY_CLASSES_ROOT\Interface\{C2361732-3EC8-4DE7-A43C-4A6EDAEB8F9B}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{C2361732-3EC8-4DE7-A43C-4A6EDAEB8F9B} Isounds
HKEY_CLASSES_ROOT\Interface\{D4494052-92E0-4DA0-9285-90173E445609}
HKEY_CLASSES_ROOT\Interface\{D4494052-92E0-4DA0-9285-90173E445609}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{D4494052-92E0-4DA0-9285-90173E445609}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{D4494052-92E0-4DA0-9285-90173E445609}\TypeLib {0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}
HKEY_CLASSES_ROOT\Interface\{D4494052-92E0-4DA0-9285-90173E445609}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\Interface\{D4494052-92E0-4DA0-9285-90173E445609} IPalVidCtl
HKEY_CLASSES_ROOT\PaltalkFile
HKEY_CLASSES_ROOT\PaltalkFile\DefaultIcon C:\Programme\Paltalk Messenger\Paltalk.exe,0
HKEY_CLASSES_ROOT\PaltalkFile\Shell\Open\Command C:\Programme\Paltalk Messenger\Paltalk.exe "%1"
HKEY_CLASSES_ROOT\TypeLib\{0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}
HKEY_CLASSES_ROOT\TypeLib\{0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}\1.0\0\win32 C:\Programme\Paltalk Messenger\WebVideo.dll
HKEY_CLASSES_ROOT\TypeLib\{0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}\1.0\HELPDIR C:\Programme\Paltalk Messenger\
HKEY_CLASSES_ROOT\TypeLib\{0ADBAB02-0DBA-44D6-8B83-D04E893B57B3}\1.0 PalVideo 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{3056AD2C-1727-4968-A415-DDE7FDCD14C4}
HKEY_CLASSES_ROOT\TypeLib\{3056AD2C-1727-4968-A415-DDE7FDCD14C4}\1.2\0\win32 C:\Programme\Paltalk Messenger\paltextctl.dll
HKEY_CLASSES_ROOT\TypeLib\{3056AD2C-1727-4968-A415-DDE7FDCD14C4}\1.2\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{3056AD2C-1727-4968-A415-DDE7FDCD14C4}\1.2\HELPDIR C:\Programme\Paltalk Messenger\
HKEY_CLASSES_ROOT\TypeLib\{3056AD2C-1727-4968-A415-DDE7FDCD14C4}\1.2 PalTextCtl 1.2 Type Library
HKEY_CLASSES_ROOT\TypeLib\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}
HKEY_CLASSES_ROOT\TypeLib\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}\1.0\0\win32 C:\Programme\Paltalk Messenger\ftpclient.dll
HKEY_CLASSES_ROOT\TypeLib\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}\1.0\HELPDIR C:\Programme\Paltalk Messenger\
HKEY_CLASSES_ROOT\TypeLib\{7A1DEC95-D0F4-4365-8B5F-3C1F1C812C83}\1.0 ftpclient 1.0 Type Library
HKEY_CLASSES_ROOT\TypeLib\{E41FD921-2A34-444E-805A-3FB0B47CCA1E}
HKEY_CLASSES_ROOT\TypeLib\{E41FD921-2A34-444E-805A-3FB0B47CCA1E}\1.0\0\win32 C:\Programme\Paltalk Messenger\palsound.dll
HKEY_CLASSES_ROOT\TypeLib\{E41FD921-2A34-444E-805A-3FB0B47CCA1E}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\TypeLib\{E41FD921-2A34-444E-805A-3FB0B47CCA1E}\1.0\HELPDIR C:\Programme\Paltalk Messenger\
HKEY_CLASSES_ROOT\TypeLib\{E41FD921-2A34-444E-805A-3FB0B47CCA1E}\1.0 palsound 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PalTalk6_alpha_6.73.1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PalTalk6_alpha_6.73.1.1 DisplayName Paltalk Messenger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PalTalk6_alpha_6.73.1.1 UninstallString C:\WINDOWS\iun6002.exe "C:\Programme\Paltalk Messenger\irunin.ini"

DelFin.Media Viewer Adware more information...
Details: DelFin Media Viewer, also called PromulGate, is an adware-based media player.
Status: Deleted
Infected files detected
C:\Programme\Free Offers from Freeze.com\registryCleaner.ico

BearShare P2P Program more information...
Details: BearShare is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Ignored
Infected files detected
D:\Programme\BearShare\BSidle.dll
D:\Programme\BearShare Test\BSidle.dll
d:\programme\bearshare\runmsc.dll
Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\InprocServer32 d:\Programme\BearShare\RunMSC.dll
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\ProgID RunMSC.Loader.1
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\TypeLib {905D0DF2-3A0A-4D94-853C-54A12A745905}
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\VersionIndependentProgID RunMSC.Loader
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07} Loader Class
HKEY_CLASSES_ROOT\gnufile
HKEY_CLASSES_ROOT\gnufile\shell\open\command "d:\Programme\BearShare\BearShare.exe" "%1"
HKEY_CLASSES_ROOT\gnufile gnutella
HKEY_CLASSES_ROOT\gnufile BrowserFlags 8
HKEY_CLASSES_ROOT\gnufile EditFlags 65536
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\0\win32 d:\Programme\BearShare\RunMSC.dll
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\FLAGS 0
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0\HELPDIR d:\Programme\BearShare\
HKEY_CLASSES_ROOT\typelib\{905d0df2-3a0a-4d94-853c-54a12a745905}\1.0 RunMSC 1.0 Type Library
HKEY_CURRENT_USER\appevents\eventlabels\bearsharechatnotifymsg
HKEY_CURRENT_USER\appevents\eventlabels\bearsharechatnotifymsg Chat Message Waiting
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg\.Current d:\Programme\BearShare Test\sounds\notify.wav
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg
HKEY_CURRENT_USER\appevents\schemes\apps\bearshare BearShare
HKEY_LOCAL_MACHINE\software\bearshare
HKEY_LOCAL_MACHINE\software\bearshare InstallDir d:\Programme\BearShare
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare DisplayName BearShare
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare UninstallString D:\PROGRA~1\BEARSH~2\UNWISE.EXE D:\PROGRA~1\BEARSH~2\INSTALL.LOG
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare DisplayVersion 5.0.2.5DE
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare HelpLink http://bearshare.de/Help/index.htm
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare Publisher Free Peers, Inc.
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare URLInfoAbout http://www.freepeers.com
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\bearshare DisplayIcon d:\Programme\BearShare\BearShare.exe,-128
HKEY_USERS\.default\appevents\eventlabels\bearsharechatnotifymsg
HKEY_USERS\.default\appevents\eventlabels\bearsharechatnotifymsg Chat Message Waiting
HKEY_USERS\.default\appevents\schemes\apps\bearshare
HKEY_USERS\.default\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg\.Current d:\Programme\BearShare Test\sounds\notify.wav
HKEY_USERS\.default\appevents\schemes\apps\bearshare\BearShareChatNotifyMsg
HKEY_USERS\.default\appevents\schemes\apps\bearshare BearShare

WhenU.SaveNow Adware more information...
Details: WhenU.SaveNow is an adware application that displays pop-up advertising on the desktop in response to users' web browsing.
Status: Deleted
Infected files detected
D:\Programme\BearShare\RunMSC.dll
D:\Programme\BearShare\Webstats.exe
D:\Programme\BearShare\Webstats.ini
D:\Programme\BearShare Test\Webstats.exe
D:\Programme\BearShare Test\Webstats.ini
Infected registry entries detected
HKEY_CLASSES_ROOT\runmsc.loader.1\clsid
HKEY_CLASSES_ROOT\runmsc.loader.1\clsid {9F95F736-0F62-4214-A4B4-CAA6738D4C07}
HKEY_CLASSES_ROOT\runmsc.loader\clsid
HKEY_CLASSES_ROOT\runmsc.loader\clsid {9F95F736-0F62-4214-A4B4-CAA6738D4C07}
HKEY_CLASSES_ROOT\runmsc.loader\curver
HKEY_CLASSES_ROOT\runmsc.loader\curver RunMSC.Loader.1
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\TypeLib {905D0DF2-3A0A-4D94-853C-54A12A745905}
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\interface\{c285d18d-43a2-4aef-83fb-bf280e660a97} ILoader
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\InprocServer32 d:\Programme\BearShare\RunMSC.dll
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\ProgID RunMSC.Loader.1
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\TypeLib {905D0DF2-3A0A-4D94-853C-54A12A745905}
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}\VersionIndependentProgID RunMSC.Loader
HKEY_CLASSES_ROOT\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07} Loader Class

RBot.steam Trojan more information...
Status: Ignored
Infected files detected
E:\Programme\Valve\platform\steam_dev.exe

IST.ISTbar.ActiveX Spyware more information...
Details: ISTactivex is an Internet Explorer hijacker, which modifies your homepages and searches without a user’s consent using an Internet Explorer toolbar.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls c:\windows\downloaded program files\istactivex.dll

NewDotNet Browser Plug-in more information...
Details: New.Net is an Internet Explorer spyware/hijacker plug-in that adds subdomains of 'new.net' to your name resolution system (Windows’ Host file), resulting in what appear to be extra top-level domains (.shop, and so on) being resolvable.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\New.net Source
HKEY_LOCAL_MACHINE\software\new.net
HKEY_LOCAL_MACHINE\software\new.net Source FREEZE~1

IST.PowerScan Adware more information...
Details: PowerScan is advertised through in ordinary web pop-ups, but recently it started to install with help from the the ISTBar adware.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main bandrest
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Power Scan
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Power Scan DisplayName Power Scan
HKEY_LOCAL_MACHINE\Software\microsoft\windows\currentversion\uninstall\Power Scan UninstallString C:\Programme\Power Scan\uninstall.exe

IST.SlotchBar Toolbar more information...
Details: An adware toolbar program for affiliates to distrubute on sites. Affiliates get paid per install of the toolbar.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs C:\WINDOWS\Downloaded Program Files\ISTactivex.dll

IST.XXXToolbar Toolbar more information...
Details: Adult adware search toolbar for Internet Explorer. XXXToolbar displays a number of pop-up ads when Internet Explorer is running.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs C:\WINDOWS\Downloaded Program Files\ISTactivex.dll

TinyBar Browser Hijacker more information...
Details: TinyBar is an Internet Explorer toolbar that adds registry entries that use the Windows system file shdocvw.dll to display a web page as a toolbar.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls c:\windows\downloaded program files\istactivex.dll

IST.ISTbar Browser Hijacker more information...
Details: ISTbar is an Internet Explorer Hijacker, which modifies your homepages and searches without a user’s consent using an Internet Explorer toolbar.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls c:\windows\downloaded program files\istactivex.dll

WinAD Adware more information...
Details: WinAd open pop-up windows, displaying german language content.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll .Owner {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaaccx.dll {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls c:\windows\downloaded program files\mediaaccx.dll

ATDMT.com Cookie more information...
Status: Deleted
Infected cookies detected
c:\dokumente und einstellungen\freestyler\cookies\freestyler@atdmt[2].txt

Weborama Cookie more information...
Status: Deleted
Infected cookies detected
c:\dokumente und einstellungen\freestyler\cookies\freestyler@weborama[2].txt

Zedo Cookie more information...
Status: Deleted
Infected cookies detected
c:\dokumente und einstellungen\freestyler\cookies\freestyler@zedo[2].txt

A question about Rbot.steam: I set it to Ignore because I'm not sure whether it affects whether Steam (CS) still works. Can you give me the green light on that? Thanks in advance.
Oh, before I forget: how the hell do you evaluate all these reports?^^ I don't get at all how you work through them so quickly xD
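The question at the end of the post above (how does one evaluate all these reports) has a mechanical half: Counterspy's report is a flat list of threat headers, each followed by a Status line and the files, registry entries or cookies found. The script below is an added example, not code from the thread or from Counterspy; it groups the report into one record per threat, counts the outcomes, and lists what was left on Ignore with Trojan detections first, which is the single item the next reply picks up. The sample excerpt is taken from the report posted above; the category list and the risk ordering are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Threat categories as they appear in the headers of the report posted above.
# Longer names come first so "Low Risk Adware" is not read as plain "Adware".
# The list is an assumption for this example, not Counterspy's full taxonomy.
CATEGORIES = ("Low Risk Adware", "Adware", "P2P Program", "Trojan", "Spyware",
              "Browser Plug-in", "Browser Hijacker", "Toolbar", "Cookie")
HEADER_RE = re.compile(
    r"^(?P<name>.+?) (?P<category>" + "|".join(re.escape(c) for c in CATEGORIES)
    + r") more information\.\.\.$")
ITEM_HEADINGS = {
    "Infected files detected": "files",
    "Infected registry entries detected": "registry",
    "Infected cookies detected": "cookies",
}

# Sample input: an excerpt of the Counterspy report posted above, constructed
# here so the example runs on its own.
SAMPLE_REPORT = r"""
Spyware Scan Details
Start Date: 23.03.2006 14:45:33
End Date: 23.03.2006 15:18:24
Detected spyware
Paltalk Low Risk Adware more information...
Details: Paltalk is an advertising-supported instant messaging client.
Status: Deleted
Infected files detected
C:\palsound.txt
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\palstart.exe
Infected registry entries detected
HKEY_CURRENT_USER\Software\PalTalk
HKEY_CURRENT_USER\Software\PalTalk noautostart 1
BearShare P2P Program more information...
Status: Ignored
Infected files detected
D:\Programme\BearShare\BSidle.dll
RBot.steam Trojan more information...
Status: Ignored
Infected files detected
E:\Programme\Valve\platform\steam_dev.exe
ATDMT.com Cookie more information...
Status: Deleted
Infected cookies detected
c:\dokumente und einstellungen\freestyler\cookies\freestyler@atdmt[2].txt
"""


@dataclass
class Threat:
    name: str
    category: str
    status: str = "Unknown"
    details: str = ""
    files: list = field(default_factory=list)
    registry: list = field(default_factory=list)
    cookies: list = field(default_factory=list)


def parse_report(text):
    """Group the flat report into one Threat per 'more information...' header."""
    threats, current, bucket = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Threat(m.group("name"), m.group("category"))
            threats.append(current)
            bucket = None
            continue
        if current is None:          # scan metadata before the first threat
            continue
        if line.startswith("Details: "):
            current.details = line[len("Details: "):]
        elif line.startswith("Status: "):
            current.status = line[len("Status: "):]
        elif line in ITEM_HEADINGS:
            bucket = ITEM_HEADINGS[line]
        elif bucket is not None:
            getattr(current, bucket).append(line)
    return threats


def status_counts(threats):
    """How many threats ended in each Status, e.g. {'Deleted': 2, 'Ignored': 2}."""
    return dict(Counter(t.status for t in threats))


def review_queue(threats):
    """Threats left on Ignore, highest-risk category first: the ones that
    deserve a second look or a second opinion from a multi-engine scanner."""
    order = {"Trojan": 0, "Spyware": 1, "Browser Hijacker": 2}   # assumed ranking
    pending = [t for t in threats if t.status == "Ignored"]
    return [(t.name, t.category) for t in
            sorted(pending, key=lambda t: order.get(t.category, 9))]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(status_counts(parsed))
    for name, category in review_queue(parsed):
        print(f"still on Ignore: {name} ({category})")
```

On the excerpt, the review queue comes out as RBot.steam (Trojan) ahead of BearShare (P2P Program): the same prioritisation a helper makes by eye, but reproducible on a report of any length.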
23.03.2006, 16:42
Honorary Member
Posts: 29434
#6
Well, Counterspy detects it as a Trojan... I don't know the program in question myself.
Have the file checked once:
Scan individual files
At the top of the page --> click "Browse" --> pick the file --> double-click the file to be checked --> click "Submit"... now wait
http://www.virustotal.com/flash/index_en.html
E:\Programme\Valve\platform\steam_dev.exe
__________
Kind regards, Sabina
all about PC security
Original post (thread starter, 22.03.2006, 21:24):

I've already seen a few threads here about Worm/Alcra.B, but I couldn't make sense of them.
My AntiVir reported WORM/Alcra.B just now, but I don't really know what to do next.
Here's my log file for a start.
Logfile of HijackThis v1.99.1
Scan saved at 21:22:28, on 22.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Programme\Razer\razertra.exe
D:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Programme\ICQLite\ICQLite.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Ideazon\Zboard Software\Driver\Zboard.exe
D:\programme\valve\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Messenger\msmsgs.exe
D:\Programme\OpenOffice.org1.1.5\program\soffice.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Razer\razerofa.exe
D:\Programme\Xfire\Xfire.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\DOKUME~1\FREEST~1\LOKALE~1\Temp\mexe.com
C:\DOKUME~1\FREEST~1\LOKALE~1\Temp\kavss.exe
C:\DOKUME~1\FREEST~1\LOKALE~1\Temp\Rar$EX00.407\KillBox.exe
C:\Dokumente und Einstellungen\Freestyler\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bunkarattn.de.vu/
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Programme\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [razertra] C:\Programme\Razer\razertra.exe
O4 - HKLM\..\Run: [razer] C:\Programme\Razer\razerhid.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICQ Lite] d:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "e:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "e:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Steam] "d:\programme\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: OpenOffice.org 1.1.5.lnk = D:\Programme\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = D:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programme\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{984E62DF-99C2-425F-BEB2-8F5935F94241}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
By the way, I ran eScan earlier and it comes up with things like
Datei D:\Dokumente und Einstellungen\Administrator\Desktop\Finger\Finger.exe infiziert von "not-virus:BadJoke.Win32.Finger.b" Virus. Aktion vorgenommen: Keine Aktion vorgenommen.
How am I supposed to deal with that?
Thanks in advance.