Trojan WIN32/Alemod.H!DLL Spyware

19.04.2006, 11:09
Member

Posts: 13
#1 Hello first of all,
I recently caught a Trojan.
Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 11:07:01, on 19.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Canon Electronics\Scan Panel\drpanel.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Analog Devices\SoundMAX\SMTray.exe
C:\Programme\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Programme\FreePDF\FreePDFA.exe
C:\Programme\QuickTime\qttask.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe

c:\programme\ascent\bin\acsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Programme\CA\eTrust Antivirus\InoRpc.exe
C:\Programme\CA\eTrust Antivirus\InoRT.exe
C:\Programme\CA\eTrust Antivirus\InoTask.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Ascent\Server\MSSQL$ASCENTCAPTURE\Binn\sqlservr.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\snmp.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\Programme\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Dokumente und Einstellungen\vh.PROCOMPNT\Lokale Einstellungen\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Scan Panel] "C:\Programme\Canon Electronics\Scan Panel\drpanel.exe" /Stay
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Programme\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Programme\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [FreePDFAssistent] C:\Programme\FreePDF\FreePDFA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IECheck] C:\WINDOWS\IECheck.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google-Suche - res://C:\Programme\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Programme\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139477897016
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = procomp.lan
O17 - HKLM\Software\..\Telephony: DomainName = procomp.lan
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0589099-4DAD-42A5-BA83-759EEFBFEAA6}: NameServer = 10.10.20.9,10.10.20.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = procomp.lan
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = procomp.lan
O23 - Service: Ascent Capture-Dienst (Ascent Capture Service) - Kofax Image Products - c:\programme\ascent\bin\acsvc.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programme\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

It probably has something to do with these two exe files:
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
19.04.2006, 11:50
Honorary member

Posts: 29434
#2 Freak-X-Heav

set up CleanUp exactly as described here:
http://virus-protect.org/cleanup.html

Copy these 4 text files. They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html

Download echo.zip --> unpack --> click echo.bat --> the text editor will open --> copy the text
http://virus-protect.org/bat/echo.zip
__________
Regards, Sabina

all about PC security
19.04.2006, 12:34
Member

Thread starter

Posts: 13
#3 First of all, thanks for the quick reply.
Here are my 4 text files:

Directory of C:\WINDOWS\system32

18.04.2006 09:20 16.832 amcompat.tlb
18.04.2006 09:20 23.392 nscompat.tlb

18.04.2006 07:54 2.206 wpa.dbl
13.04.2006 11:18 102.814 perfc009.dat
13.04.2006 11:18 535.646 perfh007.dat
13.04.2006 11:18 507.076 perfh009.dat
13.04.2006 11:18 118.072 perfc007.dat
13.04.2006 11:18 1.281.048 PerfStringBackup.INI
12.04.2006 15:08 8.192 udpmod.dll
12.04.2006 15:08 8.192 questmod.dll
12.04.2006 15:08 8.192 runsrv32.exe
12.04.2006 15:08 8.192 txfdb32.dll
12.04.2006 15:08 8.192 runsrv32.dll
12.04.2006 15:08 8.192 tcpservice2.exe
12.04.2006 15:07 8.192 CWS_iestart.exe
12.04.2006 15:07 8.192 mirarsearch_toolbar.exe
12.04.2006 13:42 0 wupdmgr.tmp
12.04.2006 13:11 16.896 winapi32.dll
12.04.2006 13:11 71.172 winsrv32.exe
12.04.2006 13:11 8.708 shell386.exe
12.04.2006 12:56 52.129 parad.raw.exe
12.04.2006 12:56 11.249 azebar.xml

06.04.2006 12:48 5.143.456 MRT.exe
31.03.2006 07:58 241.536 FNTCACHE.DAT
30.03.2006 11:26 1.492.480 shdocvw.dll
30.03.2006 03:16 18.944 xpsp3res.dll
24.03.2006 06:37 49.152 wdigest.dll
23.03.2006 22:34 3.074.560 mshtml.dll
18.03.2006 13:09 615.424 urlmon.dll
17.03.2006 11:11 679.424 inetcomm.dll
17.03.2006 06:03 8.493.056 shell32.dll
17.03.2006 02:38 28.672 verclsid.exe
10.03.2006 06:09 5.533.696 wmp.dll
04.03.2006 05:34 152.064 cdfview.dll
14.02.2006 10:20 550.120 LegitCheckControl.dll

Directory of C:\DOKUME~1\VH1B63~1.PRO\LOKALE~1\Temp

19.04.2006 11:57 512 ~DF4770.tmp
19.04.2006 11:57 512 ~DF354C.tmp
19.04.2006 11:57 28.334 ~WRS1062.tmp
19.04.2006 11:57 13.019.069 saOffice2.log
19.04.2006 11:57 512 ~DF2B70.tmp
19.04.2006 11:57 938.056 ESICLIENT.LOG
19.04.2006 11:57 2.165 ARCMEM_SAPERION.LOG
...
...

Directory of C:\WINDOWS

19.04.2006 12:00 1.233.467 WindowsUpdate.log
19.04.2006 08:02 0 0.log
19.04.2006 07:59 2.048 bootstat.dat
18.04.2006 16:57 32.440 SchedLgU.Txt
18.04.2006 15:46 76.207 setupapi.log
18.04.2006 15:23 5.513 KOFAX200.INI
18.04.2006 15:20 2.746 spupdsvc.log
18.04.2006 14:52 676.749 iis6.log
18.04.2006 14:52 76.281 ntdtcsetup.log
18.04.2006 14:52 161.278 tsoc.log
18.04.2006 14:52 123.996 comsetup.log
18.04.2006 14:52 2.170 imsins.log
18.04.2006 14:52 16.491 tabletoc.log
18.04.2006 14:52 58.522 netfxocm.log
18.04.2006 14:52 183.514 ocgen.log
18.04.2006 14:52 18.856 ocmsn.log
18.04.2006 14:52 24.170 MedCtrOC.log
18.04.2006 14:52 17.269 msgsocm.log
18.04.2006 14:52 348.181 FaxSetup.log
18.04.2006 14:52 114.574 msmqinst.log
18.04.2006 14:33 130 LCIDFlt.INI
18.04.2006 12:03 180 hpbafd.ini
18.04.2006 10:14 23.295 KB911565.log
18.04.2006 10:14 88.265 wmsetup.log
18.04.2006 10:09 214 wiadebug.log
18.04.2006 09:58 50 wiaservc.log
18.04.2006 09:21 459 wmsetup10.log
18.04.2006 09:19 316.640 WMSysPr9.prx
13.04.2006 11:19 4.819 imsins.BAK
13.04.2006 10:07 45 calera.ini
13.04.2006 09:56 3.728 dahotfix.log
13.04.2006 09:56 19.371 dasetup.log
13.04.2006 07:56 12.484 KB904942.log
13.04.2006 07:56 20.393 updspapi.log
12.04.2006 16:35 107.132 UninstallFirefox.exe
12.04.2006 16:35 10.786 mozver.dat
12.04.2006 15:08 8.192 dlmax.dll
12.04.2006 15:08 8.192 alxtb1.dll
12.04.2006 15:08 8.192 alxie328.dll
12.04.2006 15:08 8.192 alexaie.dll
12.04.2006 13:42 145.920 rfscanax.dll
12.04.2006 13:41 10.809 win-sec-center-logo.gif
12.04.2006 13:41 1.014 warning-bar-ico.gif
12.04.2006 13:41 6.575 remove-spyware-btn.gif
12.04.2006 13:41 64 close-bar.gif
12.04.2006 13:41 177 blue-bg.gif
12.04.2006 13:18 113.742 ntbtlog.txt
12.04.2006 13:12 20.907 KB912812.log
12.04.2006 12:57 0 keyboard101.dat
12.04.2006 12:57 0 newname.dat
12.04.2006 12:56 7.054 sc.exe
12.04.2006 12:56 5.609 loadadv728.exe
12.04.2006 12:56 292 form.js
12.04.2006 12:56 12.344 azesearch.bmp

12.04.2006 09:30 753.903 setuplog.txt
12.04.2006 08:08 15.633 KB908531.log
12.04.2006 08:08 14.819 KB911562.log
12.04.2006 08:06 10.899 KB911567.log
11.04.2006 13:33 3.193 setscan.ini
06.04.2006 16:03 206 VRSDemo.ini
06.04.2006 16:02 163 VRSInput.ini
06.04.2006 16:01 1.419 Default traps.cts
05.04.2006 13:19 2.623 sql.MIF
05.04.2006 12:12 45.878 sqlsp.log
05.04.2006 12:12 1.400 setup.iss
05.04.2006 12:12 128 setup.log
05.04.2006 12:05 160 TRYRW.LOG
05.04.2006 12:05 1.035.280 setupapi.log.0.old
05.04.2006 11:48 28.310 sqlstp.log
27.03.2006 08:11 663 win.ini
06.03.2006 16:46 8.613 WGA.log
15.02.2006 09:09 10.782 KB911927.log
15.02.2006 09:09 7.235 KB911564.log
15.02.2006 09:08 10.572 KB913446.log
09.02.2006 17:55 1.486 ie7beta2_main.log
09.02.2006 16:09 692 DBIFC.INI
09.02.2006 16:09 524 ODBC.INI
09.02.2006 12:47 199 ARCHIEF.INI
09.02.2006 12:47 23 winhelp.ini

Directory of C:\

19.04.2006 12:03 0 sys.txt
19.04.2006 12:03 10.748 system.txt
19.04.2006 12:02 24.782 systemtemp.txt
19.04.2006 12:02 110.455 system32.txt
19.04.2006 07:59 536.399.872 hiberfil.sys
19.04.2006 07:59 805.306.368 pagefile.sys
06.04.2006 16:02 48.959 00000001.TIF
06.04.2006 16:02 91 00000001.INI
27.03.2006 16:15 0 Autoexec.bat
14.02.2006 12:54 115.920 UpdatePatch.log
14.02.2006 12:54 30 UpdatePatch.txt

and here is the text from echo:

10)DPF????
Volume in drive C has no label.
Volume Serial Number: C0AC-50D9

Directory of C:\WINDOWS\Downloaded Program Files

19.05.2003 16:30 205.880 MsnUpld.dll
19.05.2003 16:32 406 MsnUpld.inf
26.05.2005 05:19 293 muweb.inf
09.10.2003 11:32 144 QTPlugin.inf
27.03.2006 13:00 5.019 swflash.inf
15.04.2004 15:56 52.224 ucrDE-DE.dll
19.05.2003 16:32 51.712 UCRen-us.dll
30.06.2003 23:41 1.689 WMV9VCM.inf
8 File(s) 317.367 bytes

Total files listed:
8 File(s) 317.367 bytes
0 Dir(s) 24.564.506.624 bytes free
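The listing above shows the infection as a burst of files written to C:\WINDOWS\system32 and C:\WINDOWS on 12.04.2006 between 12:56 and 15:08, while the HijackThis log carries two O4 autorun entries (runsrv32.exe and susp.exe) that point into system32. The script below is an added example for this thread, not code from HijackThis, datfind.bat or the forum: it parses a datfind-style listing and the O4 lines, pivots on the timestamps of the autorun targets to surface the other files written in the same burst, and reports autorun targets whose file is absent from the listing. The sample lines are a subset copied from the logs above; the three-hour window is an assumption chosen to span the two write bursts visible in that listing.

```python
"""Timeline pivot on a datfind-style directory listing, seeded by the
executables that HijackThis O4 (autorun) entries point at.

Added example for this thread; not code from HijackThis, datfind.bat or
the forum. The sample lines are a subset copied from the system32 listing
and the HijackThis log posted above; the three-hour window is an assumption
chosen to cover the two write bursts visible in that listing.
"""
import re
from datetime import datetime, timedelta

# Subset of the "Directory of C:\WINDOWS\system32" listing posted above.
LISTING_DIR = r"C:\WINDOWS\system32"
LISTING = """\
18.04.2006 09:20 16.832 amcompat.tlb
13.04.2006 11:18 102.814 perfc009.dat
12.04.2006 15:08 8.192 runsrv32.exe
12.04.2006 15:08 8.192 txfdb32.dll
12.04.2006 15:07 8.192 CWS_iestart.exe
12.04.2006 13:42 0 wupdmgr.tmp
12.04.2006 13:11 71.172 winsrv32.exe
12.04.2006 12:56 52.129 parad.raw.exe
06.04.2006 12:48 5.143.456 MRT.exe
"""

# Three O4 lines from the HijackThis log posted above (one of them legitimate).
HJT_LINES = r"""
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
"""

# German 'dir' output: dd.mm.yyyy hh:mm size-with-dot-separators name
LISTING_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4}) (\d{2}:\d{2}) ([\d.]+) (.+)$")
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse_listing(text):
    """Return [(datetime, size_bytes, filename)] from a datfind listing."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d.%m.%Y %H:%M")
        size = int(m.group(3).replace(".", ""))  # "5.143.456" -> 5143456
        entries.append((when, size, m.group(4)))
    return entries


def autorun_targets(hjt_text):
    """Lower-cased full path of the executable each O4 entry launches."""
    targets = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if cmd.startswith('"'):            # quoted path may contain spaces
            exe = cmd[1:cmd.index('"', 1)]
        else:                               # unquoted path ends at first space
            exe = cmd.split()[0]
        targets.append(exe.lower())
    return targets


def _split(path):
    directory, _, base = path.rpartition("\\")
    return directory, base


def pivot(entries, listing_dir, targets, window=timedelta(hours=3)):
    """Files written within `window` of any autorun target that lives in
    this listing. A dropper writes its components in a burst, so the
    timestamp of one known-bad file exposes its companions without a
    signature for each of them. The result is ordered by timestamp."""
    by_name = {name.lower(): when for when, _, name in entries}
    seeds = [by_name[base] for d, base in map(_split, targets)
             if d == listing_dir.lower() and base in by_name]
    hits = [(when, name) for when, _, name in entries
            if any(abs(when - s) <= window for s in seeds)]
    return [name for _, name in sorted(hits)]


def orphan_autoruns(entries, listing_dir, targets):
    """Autorun targets that belong in this directory but are not on disk:
    the Run value survived while the file is gone, so the registry entry
    still needs fixing even though there is nothing left to delete."""
    names = {name.lower() for _, _, name in entries}
    return [t for t in targets
            if _split(t)[0] == listing_dir.lower() and _split(t)[1] not in names]


if __name__ == "__main__":
    entries = parse_listing(LISTING)
    targets = autorun_targets(HJT_LINES)
    print("same burst as the autorun targets:", pivot(entries, LISTING_DIR, targets))
    print("autorun entries without a file:", orphan_autoruns(entries, LISTING_DIR, targets))
```

Run against the sample, the pivot returns the six files written between 12:56 and 15:08 and leaves MRT.exe and the perf*.dat files out, and susp.exe is reported as an autorun entry with no file behind it. The same two functions can be fed the C:\WINDOWS listing with LISTING_DIR set accordingly.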
19.04.2006, 13:52
Honorary member

Posts: 29434
#4 Freak-X-Heav

http://virus-protect.org/artikel/spyware/mirarsearch.html

----------------------------------------------------------------

it is very important that you use CleanUp, because the downloaders get onto the computer via the temporary files.
It is best to run CleanUp in Safe Mode!
Once before the cleaning and then once more afterwards!
http://virus-protect.org/cleanup.html

Avenger
http://virus-protect.org/artikel/tools/avenger.html

paste this in:

Quote

Files to delete:

C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\system32\amcompat.tlb
C:\WINDOWS\system32\nscompat.tlb
C:\WINDOWS\system32\udpmod.dll
C:\WINDOWS\system32\questmod.dll
C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe
C:\WINDOWS\system32\txfdb32.dll
C:\WINDOWS\system32\runsrv32.dll
C:\WINDOWS\system32\tcpservice2.exe
C:\WINDOWS\system32\CWS_iestart.exe
C:\WINDOWS\system32\mirarsearch_toolbar.exe
C:\WINDOWS\system32\wupdmgr.tmp
C:\WINDOWS\system32\winapi32.dll
C:\WINDOWS\system32\winsrv32.exe
C:\WINDOWS\system32\shell386.exe
C:\WINDOWS\system32\parad.raw.exe
C:\WINDOWS\system32\azebar.xml

C:\WINDOWS\dlmax.dll
C:\WINDOWS\alxtb1.dll
C:\WINDOWS\alxie328.dll
C:\WINDOWS\alexaie.dll
C:\WINDOWS\rfscanax.dll
C:\WINDOWS\win-sec-center-logo.gif
C:\WINDOWS\warning-bar-ico.gif
C:\WINDOWS\remove-spyware-btn.gif
C:\WINDOWS\close-bar.gif
C:\WINDOWS\blue-bg.gif
C:\WINDOWS\ntbtlog.txt
C:\WINDOWS\keyboard101.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\sc.exe
C:\WINDOWS\loadadv728.exe
C:\WINDOWS\form.js
C:\WINDOWS\azesearch.bmp

click the green traffic light
the script will now run, then the PC will restart automatically


open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC


O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe

restart the PC

post the Avenger log... then we'll see
__________
Regards, Sabina

all about PC security
19.04.2006, 14:58
Member

Thread starter

Posts: 13
#5 I had a small problem with Avenger, so at first I got:

Quote

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Fatal error: could not create new script file.
Error code: 0
Error logged to errorlog.txt. Aborting now!
the 2nd time I got:

Quote

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\krhdbjwc

*******************

Script file located at: \??\C:\renjslda.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\wupdmgr.exe deleted successfully.
File C:\WINDOWS\osaupd.exe deleted successfully.
File C:\WINDOWS\system32\amcompat.tlb deleted successfully.
File C:\WINDOWS\system32\nscompat.tlb deleted successfully.
File C:\WINDOWS\system32\udpmod.dll deleted successfully.
File C:\WINDOWS\system32\questmod.dll deleted successfully.
File C:\WINDOWS\system32\runsrv32.exe deleted successfully.


File C:\WINDOWS\system32\susp.exe not found!
Deletion of file C:\WINDOWS\system32\susp.exe failed!

Could not process line:
C:\WINDOWS\system32\susp.exe
Status: 0xc0000034

File C:\WINDOWS\system32\txfdb32.dll deleted successfully.
File C:\WINDOWS\system32\runsrv32.dll deleted successfully.
File C:\WINDOWS\system32\tcpservice2.exe deleted successfully.
File C:\WINDOWS\system32\CWS_iestart.exe deleted successfully.
File C:\WINDOWS\system32\mirarsearch_toolbar.exe deleted successfully.
File C:\WINDOWS\system32\wupdmgr.tmp deleted successfully.
File C:\WINDOWS\system32\winapi32.dll deleted successfully.
File C:\WINDOWS\system32\winsrv32.exe deleted successfully.
File C:\WINDOWS\system32\shell386.exe deleted successfully.
File C:\WINDOWS\system32\parad.raw.exe deleted successfully.
File C:\WINDOWS\system32\azebar.xml deleted successfully.
File C:\WINDOWS\dlmax.dll deleted successfully.
File C:\WINDOWS\alxtb1.dll deleted successfully.
File C:\WINDOWS\alxie328.dll deleted successfully.
File C:\WINDOWS\alexaie.dll deleted successfully.
File C:\WINDOWS\rfscanax.dll deleted successfully.
File C:\WINDOWS\win-sec-center-logo.gif deleted successfully.
File C:\WINDOWS\warning-bar-ico.gif deleted successfully.
File C:\WINDOWS\remove-spyware-btn.gif deleted successfully.
File C:\WINDOWS\close-bar.gif deleted successfully.
File C:\WINDOWS\blue-bg.gif deleted successfully.
File C:\WINDOWS\ntbtlog.txt deleted successfully.
File C:\WINDOWS\keyboard101.dat deleted successfully.
File C:\WINDOWS\newname.dat deleted successfully.
File C:\WINDOWS\sc.exe deleted successfully.
File C:\WINDOWS\loadadv728.exe deleted successfully.
File C:\WINDOWS\form.js deleted successfully.
File C:\WINDOWS\azesearch.bmp deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
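The Avenger log above reports one line it could not process, with Status 0xc0000034, which is NTSTATUS STATUS_OBJECT_NAME_NOT_FOUND: the file was already gone while the Run value referencing it remained, which is why the O4 entry for susp.exe still has to be fixed in HijackThis. The script below is an added example for this thread, not code from Avenger or the forum: it reconciles the "Files to delete:" list of an Avenger script against the log Avenger produced, so that a line which was neither deleted nor reported as failed (the situation after the pre-processor abort in the first run) does not pass unnoticed. The sample script and log are a constructed subset of the ones posted above; C:\WINDOWS\osaupd.exe is deliberately left out of the sample log to exercise the unaccounted case, and the status table holds only the one code that appears in the log.

```python
"""Reconcile an Avenger "Files to delete:" script with the log it produced.

Added example for this thread; not code from Avenger or the forum. SCRIPT
and LOG are a constructed subset of the script and log posted above, with
C:\WINDOWS\osaupd.exe left out of LOG on purpose to show a silently
unprocessed line. NTSTATUS holds only the code seen in that log.
"""
import re

SCRIPT = r"""
Files to delete:

C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe
C:\WINDOWS\system32\txfdb32.dll
"""

LOG = r"""
File C:\WINDOWS\wupdmgr.exe deleted successfully.
File C:\WINDOWS\system32\runsrv32.exe deleted successfully.

File C:\WINDOWS\system32\susp.exe not found!
Deletion of file C:\WINDOWS\system32\susp.exe failed!

Could not process line:
C:\WINDOWS\system32\susp.exe
Status: 0xc0000034

File C:\WINDOWS\system32\txfdb32.dll deleted successfully.

Completed script processing.
"""

# 0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND: the path did not exist.
NTSTATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

DELETED_RE = re.compile(r"^File (.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of file (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]+)$")


def requested_files(script):
    """Lower-cased paths listed under 'Files to delete:' until the next
    section header (a line ending in ':') or end of script."""
    files, active = [], False
    for line in script.splitlines():
        line = line.strip()
        if line.endswith(":"):
            active = line.lower() == "files to delete:"
            continue
        if active and line:
            files.append(line.lower())
    return files


def parse_log(log):
    """Map each path mentioned in the log to ('deleted', None) or
    ('failed', reason); the reason is the NTSTATUS name when known,
    otherwise the raw hex code, and None if no Status line followed."""
    results, last_failed = {}, None
    for line in log.splitlines():
        line = line.strip()
        m = DELETED_RE.match(line)
        if m:
            results[m.group(1).lower()] = ("deleted", None)
            continue
        m = FAILED_RE.match(line)
        if m:
            last_failed = m.group(1).lower()
            results[last_failed] = ("failed", None)
            continue
        m = STATUS_RE.match(line)
        if m and last_failed:
            code = int(m.group(1), 16)
            results[last_failed] = ("failed", NTSTATUS.get(code, m.group(1)))
            last_failed = None
    return results


def reconcile(script, log):
    """Return {'deleted': [...], 'failed': [(path, reason)], 'unaccounted': [...]}.
    'unaccounted' lists requested paths the log never mentions, which is
    what an aborted run looks like from the script's point of view."""
    results = parse_log(log)
    report = {"deleted": [], "failed": [], "unaccounted": []}
    for path in requested_files(script):
        state, detail = results.get(path, (None, None))
        if state == "deleted":
            report["deleted"].append(path)
        elif state == "failed":
            report["failed"].append((path, detail))
        else:
            report["unaccounted"].append(path)
    return report


if __name__ == "__main__":
    for key, value in reconcile(SCRIPT, LOG).items():
        print(f"{key}: {value}")
```

A failed entry with STATUS_OBJECT_NAME_NOT_FOUND is not a removal problem; it means the file was never there or is already gone, and the only remaining work is the registry value that still launches it. An unaccounted entry, by contrast, means the run has to be repeated for that path.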
19.04.2006, 15:41
Honorary member

Posts: 29434
#6 post the log from Silent Runners
http://virus-protect.org/silentrunner.html
__________
Regards, Sabina

all about PC security
19.04.2006, 15:49
Member

Thread starter

Posts: 13
#7

Quote

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"IECheck" = "C:\WINDOWS\IECheck.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Scan Panel" = ""C:\Programme\Canon Electronics\Scan Panel\drpanel.exe" /Stay" ["Canon Electronics"]
"MsmqIntCert" = "regsvr32 /s mqrt.dll" [MS]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Smapp" = "C:\Programme\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]
"DrvLsnr" = "C:\Programme\Analog Devices\SoundMAX\DrvLsnr.exe" ["adi"]
"FreePDFAssistent" = "C:\Programme\FreePDF\FreePDFA.exe" [null data]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Realtime Monitor" = "C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s" ["Computer Associates International, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
\InProcServer32\(Default) = "C:\Programme\SmartFTP\smarthook.dll" ["SmartFTP"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{B94E2601-D7A1-11d4-A1EE-444553540000}" = "PNAgent IconH"
-> {HKLM...CLSID} = "DesktopPortal Icon Handler"
\InProcServer32\(Default) = "C:\Programme\Citrix\ICA Client\dpihand.dll" ["Citrix Systems, Inc."]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
-> {HKLM...CLSID} = "InoShell"
\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
"{00020000-0000-1011-8004-0000C06B5161}" = "WIBU-SYSTEMS Shell Extension"
-> {HKLM...CLSID} = "WIBU-SYSTEMS Shell Extension"
\InProcServer32\(Default) = "C:\Programme\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\phototoys.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{00020000-0000-1011-8004-0000C06B5161}\(Default) = (no title provided)
-> {HKLM...CLSID} = "WIBU-SYSTEMS Shell Extension"
\InProcServer32\(Default) = "C:\Programme\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {HKLM...CLSID} = "InoShell"
\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {HKLM...CLSID} = "InoShell"
\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\vh.PROCOMPNT\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "vh" & "All Users" startup folders:
----------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Acrobat Assistant" -> shortcut to: "C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://intranet

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ascent Capture-Dienst, Ascent Capture Service, "c:\programme\ascent\bin\acsvc.exe" [null data]
DameWare Mini Remote Control, DWMRCS, "C:\WINDOWS\SYSTEM32\DWRCS.EXE -service" ["DameWare Development LLC"]
eTrust Antivirus Job Server, InoTask, ""C:\Programme\CA\eTrust Antivirus\InoTask.exe"" ["Computer Associates International, Inc."]
eTrust Antivirus Realtime Server, InoRT, ""C:\Programme\CA\eTrust Antivirus\InoRT.exe"" ["Computer Associates International, Inc."]
eTrust Antivirus RPC Server, InoRPC, ""C:\Programme\CA\eTrust Antivirus\InoRpc.exe"" ["Computer Associates International, Inc."]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Message Queuing, MSMQ, "C:\WINDOWS\system32\mqsvc.exe" [MS]
Message Queuing Triggers, MSMQTriggers, "C:\WINDOWS\system32\mqtgsvc.exe" [MS]
MSSQL$ASCENTCAPTURE, MSSQL$ASCENTCAPTURE, "C:\Programme\Ascent\Server\MSSQL$ASCENTCAPTURE\Binn\sqlservr.exe -sASCENTCAPTURE" [MS]
SentinelProtectionServer, SentinelProtectionServer, ""C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe"" ["SafeNet, Inc"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Programme\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
VMware Authorization Service, VMAuthdService, "C:\Programme\VMware\VMware Workstation\vmware-authd.exe" ["VMware, Inc."]
VMware DHCP Service, VMnetDHCP, "C:\WINDOWS\system32\vmnetdhcp.exe" ["VMware, Inc."]
VMware NAT Service, VMware NAT Service, "C:\WINDOWS\system32\vmnat.exe" ["VMware, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Ice Monitor C\Driver = "BICMONNT.DLL" ["Black Ice Software"]
LPR Port\Driver = "lprmon.dll" [MS]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 31 seconds, including 2 seconds for message boxes)
Everything seems to be OK, doesn't it? The only problem I have now is that something is blocking my WinXP firewall!

2. What about this lsass.exe file?
19.04.2006, 16:03
Honorary member
Sabina

Posts: 29434
#8 1.
Explain to me what this means... what does it belong to???
O4 - HKCU\..\Run: [IECheck] C:\WINDOWS\IECheck.exe

2.
Is the virus warning still coming up?

3.
Post the WinPFind log
http://virus-protect.org/winpfind.html
__________
Kind regards, Sabina

all about PC security
19.04.2006, 16:51
Member

Thread starter

Posts: 13
#9 1. So IECheck.exe is most likely a virus or something similar. I have no idea myself, but my friends say that if you type it into Google, it looks more like it is a virus.

2. The virus warning no longer appears.
But in eTrust Antivirus I cannot open DRWATSON, ntuser.dat(.log) and a whole lot of other log files so that they can be checked.
PS: You can see that in the WinPFind log too, for example.

3. Here is the WinPFind log:

Quote

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 26.01.2006 09:21:48 31303 C:\WINDOWS\pixcache.ini

Checking %System% folder...
aspack 01.04.2003 13:41:54 116804 C:\WINDOWS\SYSTEM32\BIIMG.DLL
PEC2 18.08.2001 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 15.07.2005 20:36:36 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 15.07.2005 20:36:36 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PEC2 30.09.2005 10:16:48 162816 C:\WINDOWS\SYSTEM32\DWRCS.EXE
PECompact2 30.09.2005 10:16:48 162816 C:\WINDOWS\SYSTEM32\DWRCS.EXE
PEC2 30.09.2005 10:16:52 43520 C:\WINDOWS\SYSTEM32\DWRCST.EXE
PECompact2 30.09.2005 10:16:52 43520 C:\WINDOWS\SYSTEM32\DWRCST.EXE
aspack 01.04.2003 13:39:54 60484 C:\WINDOWS\SYSTEM32\JPEG32.DLL
PTech 14.02.2006 10:20:14 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 06.04.2006 12:48:40 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 06.04.2006 12:48:40 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.08.2004 00:57:10 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 04.03.2006 05:34:46 18432 C:\WINDOWS\SYSTEM32\oleext.dll
Umonitor 04.08.2004 00:57:34 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 19.04.2005 15:33:00 141892 C:\WINDOWS\SYSTEM32\SAAPI32.DLL
PEC2 21.09.2000 16:31:46 180224 C:\WINDOWS\SYSTEM32\thr.dll
aspack 12.03.2004 14:23:58 99908 C:\WINDOWS\SYSTEM32\TIFF32.DLL
UPX! 23.05.2005 16:09:36 242688 C:\WINDOWS\SYSTEM32\wbocx450.ocx

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
19.04.2006 14:52:08 S 2048 C:\WINDOWS\bootstat.dat
19.04.2006 14:52:12 S 64 C:\WINDOWS\CSC\00000001
18.04.2006 15:19:54 S 64 C:\WINDOWS\CSC\00000002
12.04.2006 12:58:54 S 64 C:\WINDOWS\CSC\csc1.tmp
01.03.2006 10:36:08 H 10820 C:\WINDOWS\Help\nocontnt.GID
24.03.2006 07:11:00 S 10337 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB904942.cat
23.03.2006 01:17:22 S 14054 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB908531.cat
23.03.2006 08:15:46 S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911562.cat
13.03.2006 17:08:34 S 7898 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911565.cat
17.03.2006 11:24:30 S 12455 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911567.cat
30.03.2006 12:03:42 S 22339 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912812.cat
19.04.2006 16:38:24 H 1024 C:\WINDOWS\system32\config\default.LOG
19.04.2006 16:07:02 H 1024 C:\WINDOWS\system32\config\SAM.LOG
19.04.2006 15:02:46 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
19.04.2006 16:50:14 H 1024 C:\WINDOWS\system32\config\software.LOG
19.04.2006 16:47:16 H 1024 C:\WINDOWS\system32\config\system.LOG
13.04.2006 07:56:48 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
20.02.2006 17:17:20 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\d119d851-f3dd-4e98-bbbf-36c1a1fabb3b
20.02.2006 17:17:20 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
19.04.2006 14:52:14 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04.08.2004 00:58:24 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04.08.2004 00:58:24 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 00:58:24 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04.08.2004 00:58:24 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04.08.2004 00:58:24 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 00:58:24 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04.08.2004 00:58:24 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 00:58:24 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 00:58:24 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 00:58:24 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10.11.2005 14:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Kofax Image Products 11.03.2005 17:20:14 200704 C:\WINDOWS\SYSTEM32\KSM310.CPL
Microsoft Corporation 18.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 00:58:24 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04.08.2004 00:58:24 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 00:58:24 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 18.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04.08.2004 00:58:24 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Pixel Translations Incorporated18.12.2001 01:24:08 53520 C:\WINDOWS\SYSTEM32\PIXMDLCN.CPL
Microsoft Corporation 04.08.2004 00:58:24 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04.08.2004 00:58:24 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 00:58:24 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
WIBU-SYSTEMS AG 25.03.2005 04:51:34 794624 C:\WINDOWS\SYSTEM32\WibuKe32.cpl
Microsoft Corporation 04.08.2004 00:58:24 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 05:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04.08.2004 00:58:24 70656 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 04.08.2004 00:58:24 555008 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 04.08.2004 00:58:24 138240 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 04.08.2004 00:58:24 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 04.08.2004 00:58:24 157184 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 04.08.2004 00:58:24 359424 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 04.08.2004 00:58:24 133120 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 04.08.2004 00:58:24 69632 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 18.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 04.08.2004 00:58:24 625152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 18.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 04.08.2004 00:58:24 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 04.08.2004 00:58:24 260096 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 18.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 04.08.2004 00:58:24 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 04.08.2004 00:58:24 117248 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 04.08.2004 00:58:24 159744 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 04.08.2004 00:58:24 303104 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 18.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 04.08.2004 00:58:24 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 04.08.2004 00:58:24 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26.05.2005 05:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
06.04.2006 12:37:56 1804 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Acrobat Assistant.lnk
22.11.2005 13:02:04 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
22.11.2005 12:46:48 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
22.11.2005 13:02:04 HS 84 C:\Dokumente und Einstellungen\vh.PROCOMPNT\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
08.03.2006 14:10:30 1696 C:\Dokumente und Einstellungen\vh.PROCOMPNT\Anwendungsdaten\AdobeDLM.log
22.11.2005 12:46:48 HS 62 C:\Dokumente und Einstellungen\vh.PROCOMPNT\Anwendungsdaten\desktop.ini
08.03.2006 14:10:30 0 C:\Dokumente und Einstellungen\vh.PROCOMPNT\Anwendungsdaten\dm.ini
16.12.2005 14:02:32 23049 C:\Dokumente und Einstellungen\vh.PROCOMPNT\Anwendungsdaten\Microsoft Excel.ADR

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
=

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Programme\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\InoShell
{DCED20BE-3645-11D4-BC95-00C04F0E0588} = C:\Programme\CA\eTrust Antivirus\InoShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\InoShell
{DCED20BE-3645-11D4-BC95-00C04F0E0588} = C:\Programme\CA\eTrust Antivirus\InoShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{00020000-0000-1011-8004-0000C06B5161}
= C:\Programme\WIBU-SYSTEMS\System\WibuShellExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\programme\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\programme\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Konsole : C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Recherchieren :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11D0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\programme\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Scan Panel "C:\Programme\Canon Electronics\Scan Panel\drpanel.exe" /Stay
MsmqIntCert regsvr32 /s mqrt.dll
SunJavaUpdateSched C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
Smapp C:\Programme\Analog Devices\SoundMAX\SMTray.exe
DrvLsnr C:\Programme\Analog Devices\SoundMAX\DrvLsnr.exe
FreePDFAssistent C:\Programme\FreePDF\FreePDFA.exe
QuickTime Task "C:\Programme\QuickTime\qttask.exe" -atboottime
Realtime Monitor C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe
IECheck C:\WINDOWS\IECheck.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 1
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 19.04.2006 16:50:54
This post was edited on 19.04.2006 at 17:03 by Freak-X-Heav.
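Added example, not part of this thread and not WinPFind's own code: the packer hits in the WinPFind log above are raw string matches (UPX!, aspack, PEC2, PECompact2 and the like), and ntdll.dll and LegitCheckControl.dll are flagged alongside everything else, so a signature string alone is not a verdict. What narrows the list is the file's age relative to the scan time. The script below parses lines of the shape "<signature> <dd.mm.yyyy> <hh:mm:ss> <size> <path>", merges the several lines one file can produce, and ranks packed files modified within a window. SAMPLE_LOG is an excerpt copied from the log above; SCAN_DATE is the completion time printed at its end.

```python
"""Rank WinPFind packer hits by file age.

Added example, not part of this thread and not WinPFind's own code. It parses
lines of the form "<signature> <dd.mm.yyyy> <hh:mm:ss> <size> <path>" as
WinPFind prints them in its folder checks. SAMPLE_LOG is an excerpt copied from
the log posted above; SCAN_DATE is the completion time printed at its end.
"""
from datetime import datetime
import re

_HIT = re.compile(
    r"^(?P<sig>\S+)\s+(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+(?P<size>\d+)\s+(?P<path>.+?)\s*$"
)

# Excerpt of the "%System% folder" section from the log above.
SAMPLE_LOG = r"""
Checking %System% folder...
aspack 01.04.2003 13:41:54 116804 C:\WINDOWS\SYSTEM32\BIIMG.DLL
PEC2 15.07.2005 20:36:36 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 15.07.2005 20:36:36 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 14.02.2006 10:20:14 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 06.04.2006 12:48:40 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 06.04.2006 12:48:40 5143456 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.08.2004 00:57:10 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 04.03.2006 05:34:46 18432 C:\WINDOWS\SYSTEM32\oleext.dll
UPX! 23.05.2005 16:09:36 242688 C:\WINDOWS\SYSTEM32\wbocx450.ocx
"""
# "Scan completed on 19.04.2006 16:50:54" from the end of the log.
SCAN_DATE = datetime(2006, 4, 19, 16, 50, 54)


def parse_packer_hits(log_text):
    """Return {path: {"sigs": set, "mtime": datetime, "size": int}}.

    One file can produce several lines (DivX.dll and MRT.exe each match two
    packer strings), so hits are merged per path. Lines from other sections
    (CPL listing, hidden-file listing) do not fit the pattern and are skipped.
    """
    hits = {}
    for line in log_text.splitlines():
        m = _HIT.match(line.strip())
        if not m:
            continue
        entry = hits.setdefault(
            m["path"], {"sigs": set(), "mtime": None, "size": int(m["size"])}
        )
        entry["sigs"].add(m["sig"])
        entry["mtime"] = datetime.strptime(f"{m['date']} {m['time']}", "%d.%m.%Y %H:%M:%S")
    return hits


def triage(log_text, scan_date, max_age_days=60):
    """Packed files modified within max_age_days of the scan, newest first.

    A packer string by itself proves nothing: ntdll.dll is flagged too. A packed
    binary that appeared in %System% recently is where a responder looks first,
    so age is the ranking key. Returns (path, sorted signatures, age in days).
    """
    ranked = []
    for path, e in parse_packer_hits(log_text).items():
        age = (scan_date - e["mtime"]).days
        if 0 <= age <= max_age_days:
            ranked.append((path, sorted(e["sigs"]), age))
    ranked.sort(key=lambda t: t[2])
    return ranked


if __name__ == "__main__":
    for path, sigs, age in triage(SAMPLE_LOG, SCAN_DATE):
        print(f"{age:3d} days  {','.join(sigs):20s} {path}")
```

On the excerpt above, the 60-day window leaves exactly two files: MRT.exe (13 days old) and oleext.dll (46 days old). MRT.exe is Microsoft's Malicious Software Removal Tool, which is legitimately packed and replaced every month, so the ranking only says where to look first; the publisher check and the VirusTotal submission that the thread goes on to use are what separate a fresh legitimate update from a fresh unknown DLL.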
19.04.2006, 17:22
Honorary member
Sabina

Posts: 29434
#10 Scan individual files
At the top of the page --> click Browse --> choose the file --> double-click the file to be checked --> click Submit... now wait
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\IECheck.exe
C:\WINDOWS\SYSTEM32\SAAPI32.DLL
C:\WINDOWS\SYSTEM32\TIFF32.DLL
C:\WINDOWS\SYSTEM32\wbocx450.ocx

Post the result here

--------------------------------------------------------------------

Quote

To delete this:
UPX! 04.03.2006 05:34:46 18432 C:\WINDOWS\SYSTEM32\oleext.dll
do the following:
1.
SmitRem2.8
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double-click: smitRem.exe -> click: Start --> click: OK

2.
Fix with HijackThis:

O4 - HKCU\..\Run: [IECheck] C:\WINDOWS\IECheck.exe


Restart the PC --> into Safe Mode (press F8 while the PC is starting up)

3.
- * open smitRem --> double-click: RunThis.bat; wait until the scan has finished (the screen will turn blue, that is normal)

If an uninstaller is present for something that smitRem removes, the uninstaller will be started. Just click the Uninstall button and wait until it has been uninstalled.

--------------------------------------------------------------------
4.
Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts', then press 'OK' and exit the program.

5.
Post the smitrem.txt here

6.
Scan with Kaspersky and post the scan report
http://virus-protect.org/onlinescan.html
__________
Kind regards, Sabina

all about PC security
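Added example, not part of this thread: the post above asks for four files to be submitted to VirusTotal and the results pasted back. Reading such a paste means more than counting lines, because a generic "suspicious" verdict is a heuristic flag with no malware name, and the same engine flagging every packed file the same way is reacting to the packer rather than matching anything. The script below assumes the plain-text report shape the VirusTotal web scanner printed at the time, one engine per line, "<engine> <signature version> <mm.dd.yyyy> <verdict>"; SAMPLE is a constructed excerpt with four engines per file in that shape, and the file names are the four from the post above.

```python
"""Tally plain-text VirusTotal results and separate heuristic flags from
signature hits.

Added example, not part of this thread. It assumes the report shape the
VirusTotal web scanner printed at the time, one engine per line:
"<engine> <signature version> <mm.dd.yyyy> <verdict>". SAMPLE is a constructed
excerpt, four engines per file, in that shape.
"""
import re

_LINE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<verdict>.+?)\s*$"
)

# Constructed sample: four engines per file, in the 2006 report shape.
SAMPLE = {
    "IECheck.exe": """
AntiVir 6.34.0.24 04.20.2006 no virus found
Fortinet 2.71.0.0 04.20.2006 no virus found
Kaspersky 4.0.2.24 04.20.2006 no virus found
Panda 9.0.0.4 04.19.2006 no virus found
""",
    "SAAPI32.DLL": """
AntiVir 6.34.0.24 04.20.2006 no virus found
Fortinet 2.71.0.0 04.20.2006 suspicious
Kaspersky 4.0.2.24 04.20.2006 no virus found
Panda 9.0.0.4 04.19.2006 no virus found
""",
    "TIFF32.DLL": """
AntiVir 6.34.0.24 04.20.2006 no virus found
Fortinet 2.71.0.0 04.20.2006 suspicious
Kaspersky 4.0.2.24 04.20.2006 no virus found
Panda 9.0.0.4 04.19.2006 no virus found
""",
    "wbocx450.ocx": """
AntiVir 6.34.0.24 04.20.2006 no virus found
Fortinet 2.71.0.0 04.20.2006 suspicious
Kaspersky 4.0.2.24 04.20.2006 no virus found
Panda 9.0.0.4 04.19.2006 Suspicious file
""",
}


def parse_results(text):
    """Map engine name -> verdict string for one file's result block."""
    results = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            results[m["engine"]] = m["verdict"]
    return results


def classify(verdict):
    """'clean', 'heuristic' (generic suspicion, no malware name) or 'named'."""
    v = verdict.strip().lower()
    if v == "no virus found":
        return "clean"
    if "suspicious" in v or "heuristic" in v:
        return "heuristic"
    return "named"


def summarize(results):
    """Counts per class plus the engines that fired, so that a result of
    23 x clean plus one 'suspicious' reads as one heuristic flag, not as a
    one-engine detection."""
    summary = {"clean": 0, "heuristic": 0, "named": 0, "flagged": {}}
    for engine, verdict in results.items():
        cls = classify(verdict)
        summary[cls] += 1
        if cls != "clean":
            summary["flagged"][engine] = verdict
    return summary


def engines_flagging_every_file(results_by_file):
    """Engines that give a heuristic verdict on every file in the set.

    Run it over the packed files only: an engine that says 'suspicious' about
    each of them and names nothing is reacting to the packer, not to malware.
    A clean file in the set empties the result, which is correct for it.
    """
    common = None
    for results in results_by_file.values():
        heuristic = {e for e, v in results.items() if classify(v) == "heuristic"}
        common = heuristic if common is None else common & heuristic
    return common or set()


if __name__ == "__main__":
    for name, text in SAMPLE.items():
        print(name, summarize(parse_results(text)))
    packed = {n: parse_results(t) for n, t in SAMPLE.items() if n != "IECheck.exe"}
    print("heuristic on every packed file:", engines_flagging_every_file(packed))
```

A zero count across all engines only says that no engine had a signature for the file that day; what the file is still has to be settled by where it starts from and who published it, which is why the Run entry and not the scan result decides whether IECheck.exe stays.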
20.04.2006, 10:40
Member

Thread starter

Posts: 13
#11 VirusTotal log:

IECheck.exe

Quote

AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.18.2006 no virus found
AVG 386 04.19.2006 no virus found
Avira 6.34.0.56 04.19.2006 no virus found
BitDefender 7.2 04.20.2006 no virus found
CAT-QuickHeal 8.00 04.19.2006 no virus found
ClamAV devel-20060202 04.19.2006 no virus found
DrWeb 4.33 04.20.2006 no virus found
eTrust-InoculateIT 23.71.134 04.19.2006 no virus found
eTrust-Vet 12.4.2167 04.19.2006 no virus found
Ewido 3.5 04.19.2006 no virus found
Fortinet 2.71.0.0 04.20.2006 no virus found
F-Prot 3.16c 04.19.2006 no virus found
Ikarus 0.2.59.0 04.19.2006 no virus found
Kaspersky 4.0.2.24 04.20.2006 no virus found
McAfee 4744 04.19.2006 no virus found
NOD32v2 1.1497 04.19.2006 no virus found
Norman 5.90.15 04.19.2006 no virus found
Panda 9.0.0.4 04.19.2006 no virus found
Sophos 4.04.0 04.20.2006 no virus found
Symantec 8.0 04.20.2006 no virus found
TheHacker 5.9.7.131 04.19.2006 no virus found
UNA 1.83 04.17.2006 no virus found
VBA32 3.10.5 04.19.2006 no virus found
The explanation for iecheck.exe is in here:
http://www.3davenue.com/startup/iecheck.exe.php

SAAPI32.DLL

Quote

AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.18.2006 no virus found
AVG 386 04.19.2006 no virus found
Avira 6.34.0.56 04.19.2006 no virus found
BitDefender 7.2 04.20.2006 no virus found
CAT-QuickHeal 8.00 04.19.2006 no virus found
ClamAV devel-20060202 04.19.2006 no virus found
DrWeb 4.33 04.20.2006 no virus found
eTrust-InoculateIT 23.71.134 04.19.2006 no virus found
eTrust-Vet 12.4.2167 04.19.2006 no virus found
Ewido 3.5 04.19.2006 no virus found
Fortinet 2.71.0.0 04.20.2006 suspicious
F-Prot 3.16c 04.19.2006 no virus found
Ikarus 0.2.59.0 04.19.2006 no virus found
Kaspersky 4.0.2.24 04.20.2006 no virus found
McAfee 4744 04.19.2006 no virus found
NOD32v2 1.1497 04.19.2006 no virus found
Norman 5.90.15 04.19.2006 no virus found
Panda 9.0.0.4 04.19.2006 no virus found
Sophos 4.04.0 04.20.2006 no virus found
Symantec 8.0 04.20.2006 no virus found
TheHacker 5.9.7.131 04.19.2006 no virus found
UNA 1.83 04.18.2006 no virus found
VBA32 3.10.5 04.19.2006 no virus found
TIFF32.DLL

Quote

AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.18.2006 no virus found
AVG 386 04.19.2006 no virus found
Avira 6.34.0.56 04.19.2006 no virus found
BitDefender 7.2 04.20.2006 no virus found
CAT-QuickHeal 8.00 04.19.2006 no virus found
ClamAV devel-20060202 04.19.2006 no virus found
DrWeb 4.33 04.20.2006 no virus found
eTrust-InoculateIT 23.71.134 04.19.2006 no virus found
eTrust-Vet 12.4.2167 04.19.2006 no virus found
Ewido 3.5 04.19.2006 no virus found
Fortinet 2.71.0.0 04.20.2006 suspicious
F-Prot 3.16c 04.19.2006 no virus found
Ikarus 0.2.59.0 04.19.2006 no virus found
Kaspersky 4.0.2.24 04.20.2006 no virus found
McAfee 4744 04.19.2006 no virus found
NOD32v2 1.1497 04.19.2006 no virus found
Norman 5.90.15 04.19.2006 no virus found
Panda 9.0.0.4 04.19.2006 no virus found
Sophos 4.04.0 04.20.2006 no virus found
Symantec 8.0 04.20.2006 no virus found
TheHacker 5.9.7.131 04.19.2006 no virus found
UNA 1.83 04.17.2006 no virus found
VBA32 3.10.5 04.19.2006 no virus found
wbocx450.ocx

Quote

AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.18.2006 no virus found
AVG 386 04.19.2006 no virus found
Avira 6.34.0.56 04.19.2006 no virus found
BitDefender 7.2 04.20.2006 no virus found
CAT-QuickHeal 8.00 04.19.2006 no virus found
ClamAV devel-20060202 04.19.2006 no virus found
DrWeb 4.33 04.20.2006 no virus found
eTrust-InoculateIT 23.71.134 04.19.2006 no virus found
eTrust-Vet 12.4.2167 04.19.2006 no virus found
Ewido 3.5 04.19.2006 no virus found
Fortinet 2.71.0.0 04.20.2006 suspicious
F-Prot 3.16c 04.19.2006 no virus found
Ikarus 0.2.59.0 04.19.2006 no virus found
Kaspersky 4.0.2.24 04.20.2006 no virus found
McAfee 4744 04.19.2006 no virus found
NOD32v2 1.1497 04.19.2006 no virus found
Norman 5.90.15 04.19.2006 no virus found
Panda 9.0.0.4 04.19.2006 Suspicious file
Sophos 4.04.0 04.20.2006 no virus found
Symantec 8.0 04.20.2006 no virus found
TheHacker 5.9.7.131 04.19.2006 no virus found
UNA 1.83 04.17.2006 no virus found
VBA32 3.10.5 04.19.2006 no virus found
SmitREM-Log:

Quote

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]

Running from
C:\Dokumente und Einstellungen\vh.PROCOMPNT\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 532 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! ;)
Kaspersky scan report:

Quote

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, April 20, 2006 10:34:28 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 20/04/2006
Kaspersky Anti-Virus database records: 177635
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 61295
Number of viruses found: 9
Number of infected objects: 46
Number of suspicious objects: 0
Duration of the scan process: 01:13:06

Infected Object Name / Virus Name / Last Action
C:\avenger\backup.zip/avenger/loadadv728.exe Infected: Trojan-Downloader.Win32.Harnig.bh skipped
C:\avenger\backup.zip/avenger/osaupd.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\avenger\backup.zip/avenger/parad.raw.exe Infected: Packed.Win32.Tibs skipped
C:\avenger\backup.zip/avenger/sc.exe Infected: Packed.Win32.Tibs skipped
C:\avenger\backup.zip/avenger/shell386.exe Infected: not-virus:Hoax.Win32.Renos.cm skipped
C:\avenger\backup.zip/avenger/winapi32.dll Infected: not-virus:Hoax.Win32.Renos.ck skipped
C:\avenger\backup.zip/avenger/winsrv32.exe Infected: not-virus:Hoax.Win32.Renos.cl skipped
C:\avenger\backup.zip/avenger/wupdmgr.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\avenger\backup.zip ZIP: infected - 8 skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP127\A0025445.exe Infected: Trojan.Win32.Small.ev skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP127\A0025450.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP127\A0025455.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP127\A0026467.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP127\A0026492.exe Infected: Trojan.Win32.Small.ev skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP127\A0026496.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP127\A0026542.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP127\A0026934.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP128\A0026951.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP128\A0027020.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP128\A0027604.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP128\A0027644.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP128\snapshot\MFEX-1.DAT Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP129\A0027683.exe Infected: Trojan-Downloader.Win32.Adload.ap skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP130\A0027741.exe Infected: Trojan.Win32.Small.ev skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP130\A0027745.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP131\A0028009.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP131\snapshot\MFEX-1.DAT Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP132\snapshot\MFEX-1.DAT Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP133\snapshot\MFEX-1.DAT Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP134\A0029008.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP134\snapshot\MFEX-1.DAT Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029053.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029302.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029418.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029488.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029498.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029512.exe Infected: Trojan-Downloader.Win32.Harnig.bh skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029515.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029516.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029521.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029522.exe Infected: not-virus:Hoax.Win32.Renos.cm skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029526.dll Infected: not-virus:Hoax.Win32.Renos.ck skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029527.exe Infected: not-virus:Hoax.Win32.Renos.cl skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029528.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029605.dll Infected: Trojan.Win32.Small.ev skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\snapshot\MFEX-1.DAT Infected: not-virus:Hoax.Win32.Renos.cq skipped

Scan process completed.
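The report above lists 46 infected objects, but every one of them sits either in a System Restore snapshot (System Volume Information\_restore...) or inside C:\avenger\backup.zip, the archive Avenger keeps of the files it removed; nothing on the live filesystem was hit, which is the point that matters when reading such a report. The following Python script is an added example for this thread (it is not part of the post and not a Kaspersky tool): it parses report lines of the format shown, classifies each hit by location, groups detections by family, and maps each location to the clean-up step it needs. The sample input is copied from the report above plus one constructed line (wupdmgr.exe in the Windows directory) to show how a live-filesystem hit is reported.

```python
"""Triage of a Kaspersky On-line Scanner report.

Added example for this thread; it is not part of the forum post and not a
Kaspersky tool.  The report counts 46 infected objects, but where each hit
sits matters more than the count: paths under System Volume Information are
System Restore snapshots (purged by turning System Restore off and on again)
and C:\\avenger\\backup.zip is the archive Avenger keeps of the files it
removed (dealt with by deleting the archive).  Neither is executed by the
running system.  Only a hit outside those two locations means live malware.
"""
import re
from collections import Counter

# Report lines copied from the scan above.  The last line is CONSTRUCTED
# (the real report found wupdmgr.exe only inside the Avenger archive) to
# show how a hit on the live filesystem is reported.
SAMPLE_REPORT = r"""
C:\avenger\backup.zip/avenger/loadadv728.exe Infected: Trojan-Downloader.Win32.Harnig.bh skipped
C:\avenger\backup.zip/avenger/osaupd.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\avenger\backup.zip ZIP: infected - 8 skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP127\A0025445.exe Infected: Trojan.Win32.Small.ev skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP128\snapshot\MFEX-1.DAT Infected: not-virus:Hoax.Win32.Renos.cq skipped
C:\System Volume Information\_restore{3617BB09-1923-4BAF-BA2C-D94B3A2EDF3A}\RP135\A0029302.exe Infected: Trojan-Downloader.Win32.Adload.ai skipped
C:\WINDOWS\wupdmgr.exe Infected: not-virus:Hoax.Win32.Renos.cq skipped
"""

# One hit per line: "<object path> Infected: <detection name> <last action>".
# Container summary lines ("... ZIP: infected - 8 skipped") do not match and
# are skipped on purpose; their members are listed individually anyway.
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")

REMEDY = {
    "restore_point": "turn System Restore off and on again to purge snapshots",
    "archive": "delete the backup/quarantine archive",
    "live": "remove the file and re-check persistence (HijackThis O4/O23)",
}


def classify(path):
    """Where does the hit live: restore point, inside an archive, or on disk?"""
    if "\\System Volume Information\\_restore" in path:
        return "restore_point"
    if re.search(r"\.(zip|rar|cab)/", path, re.IGNORECASE):
        return "archive"
    return "live"


def family(name):
    """Strip the 'not-virus:' style prefix and the variant suffix (.cq, .ev)."""
    name = name.split(":", 1)[-1]
    return re.sub(r"\.[a-z]{1,3}$", "", name)


def parse_report(text):
    """Parse every per-object hit line into a dict."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append({
                "path": m["path"],
                "name": m["name"],
                "family": family(m["name"]),
                "location": classify(m["path"]),
                "action": m["action"],
            })
    return hits


def triage(text):
    """Summarise a report: counts per location and family, plus the live hits."""
    hits = parse_report(text)
    return {
        "total": len(hits),
        "by_location": Counter(h["location"] for h in hits),
        "families": Counter(h["family"] for h in hits),
        "live": [h for h in hits if h["location"] == "live"],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['total']} hits: {dict(result['by_location'])}")
    print("families:", dict(result["families"]))
    for loc, n in result["by_location"].items():
        print(f"  {loc:13s} x{n}: {REMEDY[loc]}")
    for h in result["live"]:
        print("LIVE:", h["path"], h["name"])
```

Run against the full report, the script reports zero live hits, which is consistent with the advice that follows (delete the Avenger archive, cycle System Restore); a non-empty "live" list is the signal that further removal work is needed before the machine is declared clean.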
20.04.2006, 11:42
Honorary member
Sabina

Posts: 29434
#12 1.
Delete
C:\avenger\backup.zip
C:\WINDOWS\SYSTEM32\wbocx450.ocx

2.
Rename the DLL to .old:
C:\WINDOWS\SYSTEM32\SAAPI32.DLL
and leave it that way (as long as it causes no problems with some important program;
if that happens, delete the .old again and restore the DLL).

3.
Run SmitfraudFix (then post the report)
http://virus-protect.org/artikel/tools/smitfrautfix.html

4.
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".
(then turn it on again)

5.
Dr.Web
http://virus-protect.org/cureit.html

Please post what Dr.Web found. To do so, go to Start - Run, enter

%userprofile%\doctorweb\cureit.log

and press Enter. Please post the entries for the items Dr.Web found.
__________
Regards, Sabina

all about PC security
20.04.2006, 12:42
Member

Thread starter

Posts: 13
#13 Here is my Dr.Web scan report:

Quote

Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.03283)
Copyright (c) Igor Daniloff, 1992-2006
Report created on: 2006-04-20, 11:48:56 [PC-VH][vh]
Command-line switches: "C:\DOKUME~1\VH1B63~1.PRO\LOKALE~1\Temp\RarSFX0\cureit.exe" /lng:de-cureit.dwl /ini:cureit_XP.ini

Scan statistics

Scanned objects: 122073
Infected objects found: 0
Modified objects found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Disinfected objects: 0
Deleted objects: 0
Renamed objects: 0
Moved objects: 0
Ignored objects: 1
Throughput: 917 Kb/s
Duration: 00:46:29

20.04.2006, 13:07
Honorary member
Sabina

Posts: 29434
#14 well... everything should be clean again ;)
post the HijackThis log once more
__________
Regards, Sabina

all about PC security
20.04.2006, 13:09
Member

Thread starter

Posts: 13
#15 Good, thank you for helping me. If I still have a few problems, I'll let you know! ;)
here is my HijackThis log:

Quote

Logfile of HijackThis v1.99.1
Scan saved at 13:10:43, on 20.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Canon Electronics\Scan Panel\drpanel.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Analog Devices\SoundMAX\SMTray.exe
C:\Programme\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Programme\FreePDF\FreePDFA.exe
C:\Programme\QuickTime\qttask.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
c:\programme\ascent\bin\acsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programme\CA\eTrust Antivirus\InoRpc.exe
C:\Programme\CA\eTrust Antivirus\InoRT.exe
C:\Programme\CA\eTrust Antivirus\InoTask.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Ascent\Server\MSSQL$ASCENTCAPTURE\Binn\sqlservr.exe
C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\snmp.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\Programme\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programme\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Dev-Cpp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Scan Panel] "C:\Programme\Canon Electronics\Scan Panel\drpanel.exe" /Stay
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Smapp] C:\Programme\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Programme\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [FreePDFAssistent] C:\Programme\FreePDF\FreePDFA.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google-Suche - res://C:\Programme\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Programme\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139477897016
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = procomp.lan
O17 - HKLM\Software\..\Telephony: DomainName = procomp.lan
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0589099-4DAD-42A5-BA83-759EEFBFEAA6}: NameServer = 10.10.20.9,10.10.20.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = procomp.lan
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = procomp.lan
O23 - Service: Ascent Capture-Dienst (Ascent Capture Service) - Kofax Image Products - c:\programme\ascent\bin\acsvc.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: SentinelProtectionServer - SafeNet, Inc - C:\Programme\Gemeinsame Dateien\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programme\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
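The HijackThis log above is read by eye in the thread. The following Python script is an added example (not part of the post and not HijackThis's own code) of the two checks a responder would script over such a log: flagging entries that deserve a second look (process images sitting directly in the Windows directory rather than in system32 or Program Files, Run entries whose command is a LOLBin such as regsvr32 or rundll32, and O23 services marked "(file missing)"), and diffing the "Running processes" list of a pre-cleanup log against the post-cleanup one to confirm which images are gone. The post-cleanup sample is abridged from the log above; the pre-cleanup sample is constructed from the same lines plus the two images (wupdmgr.exe, osaupd.exe) that the Kaspersky report identified as Hoax.Win32.Renos in the Avenger archive. The Windows-root allowlist is an assumption for this example. Note that on this host the flagged MsmqIntCert entry (regsvr32 /s mqrt.dll) is a legitimate MSMQ setting, which is why the output is labelled "review" and not "malicious".

```python
"""Triage helpers for a HijackThis v1.99 log.

Added example for this thread; not part of the forum post and not
HijackThis's own code.  Two checks a responder runs on a log like the one
above:
  1. flag entries that deserve a second look: process images sitting
     directly in the Windows directory (not in system32), Run entries whose
     command is a LOLBin such as regsvr32 or rundll32, and services whose
     binary HijackThis reports as "(file missing)";
  2. diff the "Running processes" lists of a pre-cleanup and a post-cleanup
     log, so the operator can confirm exactly which images are gone.
"""
import re

# Post-cleanup lines copied from the HijackThis log above (abridged).
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
"""

# CONSTRUCTED pre-cleanup list: the same processes plus the two images
# (wupdmgr.exe, osaupd.exe) that Kaspersky identified as Hoax.Win32.Renos
# in the Avenger backup archive.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
"""

WINDIR = r"c:\windows"
# Images that legitimately live in the Windows root on XP.  Assumption:
# keep this list short and extend it per build rather than trusting names.
WINDIR_ROOT_ALLOWLIST = {"explorer.exe"}
LOLBINS = {"regsvr32", "rundll32", "mshta", "wscript", "cscript"}


def running_processes(log):
    """Image paths under 'Running processes:' (lower-cased), up to the blank line."""
    procs, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
        elif in_section and line:
            procs.append(line.lower())
        elif in_section:
            in_section = False
    return procs


def in_windows_root(path):
    """True if the image sits directly in %WINDIR%, not in a subdirectory."""
    p = path.lower()
    return p.startswith(WINDIR + "\\") and "\\" not in p[len(WINDIR) + 1:]


def first_token(cmd):
    """First argument of a command line, honouring a quoted path."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def review_items(log):
    """Return (reason, entry) pairs for entries that deserve a second look."""
    findings = []
    for proc in running_processes(log):
        if in_windows_root(proc) and proc.rsplit("\\", 1)[-1] not in WINDIR_ROOT_ALLOWLIST:
            findings.append(("image in Windows root", proc))
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("O4 - "):
            # "O4 - HKLM\..\Run: [ValueName] <command line>"
            m = re.match(r"O4 - .*?: \[[^\]]*\] (.+)$", line)
            exe = first_token(m.group(1) if m else "").rsplit("\\", 1)[-1].lower()
            if exe.rsplit(".", 1)[0] in LOLBINS:
                findings.append(("Run entry launches a LOLBin", line))
        elif line.startswith("O23 - ") and line.endswith("(file missing)"):
            findings.append(("service binary missing", line))
    return findings


def removed_processes(before, after):
    """Images listed in the earlier log but absent from the later one."""
    return sorted(set(running_processes(before)) - set(running_processes(after)))


if __name__ == "__main__":
    for reason, entry in review_items(LOG_AFTER):
        print(f"[review] {reason}: {entry}")
    for image in removed_processes(LOG_BEFORE, LOG_AFTER):
        print(f"[gone]   {image}")
```

The diff is the check to keep: a process list that no longer contains the dropped images, together with a review list that contains only entries you can explain (a known MSMQ regsvr32 entry, an orphaned SQL helper service), is what "clean" looks like in a log like this.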
