virus - sndu32.dll - does anyone know how to do it?

19.04.2006, 18:41
...new here

Posts: 8
#1 Hello,

so, according to HijackThis I had a few nasty files on the disk. After checking with

Hijackthis
Ad-Aware
spysubstract
spybot
cleanup
saverscan
cwshredder

only

Winlogon Notify: sndu32 - C:\WINDOWS\SYSTEM32\sndu32.dll

is left, plus about 100 hosts entries that upload themselves again on every Internet contact.
My computer still runs fairly well so far. Scrolling on web pages, however, looks more like a slide show.

In parallel I also had problems with the ATI Catalyst Control Center, because .NET Framework 1.1 (although installed and previously intact) is reported as not installed, and the Control Center needs this program to update the drivers properly, etc.

Could that be related to the virus? (maybe entries were changed??)

By the way, I only have a hardware firewall. Please don't stone me.

I hope someone here can help me - I'm pretty desperate.

Here is the HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 18:29:39, on 19.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
F:\Programme\Programme\PowerDVD\PowerDVD\PDVDServ.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\Mozilla Firefox\firefox.exe
F:\Programme\Programme\AdobeAcrobat\Reader\AcroRd32.exe
F:\Programme\Programme\Hijackthis\HijackThis.exe

O1 - Hosts: <head>
O1 - Hosts: <style>
O1 - Hosts: a:link { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: a:visited { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: a:active { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: a:hover { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: underline; }
O1 - Hosts: font { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: td{ font-family: arial, verdana; font-sizw: 10px; text-decoration: none; }
O1 - Hosts: table{ font-family: arial, verdana; font-sizw: 11px; text-decoration: none; }
O1 - Hosts: body { background-color: #F0F0F0; scrollbar-face-color: #6E788C; scrollbar-shadow-color: #696969; scrollbar-highlight-color: #cfcfcf; scrollbar-3dlight-color: #cccccc; scrollbar-darkshadow-color: #808080; scrollbar-track-color: #9B9FA7; scrollbar-arrow-color: #000000 }
O1 - Hosts: .title { font-family: arial, verdana; font-size: 9pt; font-weight: normal; }
O1 - Hosts: .distributers { font-family: arial, verdana; font-size: 11pt; font-weight: normal; }
O1 - Hosts: .info { font-family: arial, verdana; font-size: 8pt; font-weight: normal; }
O1 - Hosts: .design { font-family: arial, verdana; font-size: 8pt; font-weight: normal; }
O1 - Hosts: .menu { border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 8pt; font-weight: normal; }
O1 - Hosts: .cellheader { border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 20pt; font-weight: normal; color: #F1F1F1; }
O1 - Hosts: .scellheader { border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 15pt; font-weight: normal; color: #F1F1F1; }
O1 - Hosts: .bigcellheader { border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 30pt; font-weight: normal; color: #F1F1F1; link: #F1F1F1; vlink: #F1F1F1; }
O1 - Hosts: .tblheader { background-color: #AAAAAA; border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 14pt; font-weight: normal; }
O1 - Hosts: .tdshade1 { background-color: #DDDDDD; border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 10pt; font-weight: normal; }
O1 - Hosts: .tdshade2 { background-color: #EEEEEE; border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 10pt; font-weight: normal; }
O1 - Hosts: </style>
O1 - Hosts: </head>
O1 - Hosts: <body bgcolor="#ffffff">
O1 - Hosts: <table bgcolor=#ffffff link=#0000ee vlink=#0000ee text=#000000 border=0 align="center" width="100%">
O1 - Hosts: <tr class=cellheader>
O1 - Hosts: <td bgcolor=#788298><center><b>This Account Has Been Suspended</b></center></td>
O1 - Hosts: </tr>
O1 - Hosts: </table>
O1 - Hosts: Please contact the billing/support department as soon as possible.
O1 - Hosts: </body>
O1 - Hosts: </html>
O1 - Hosts: <head>
O1 - Hosts: <style>
O1 - Hosts: a:link { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: a:visited { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: a:active { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: a:hover { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: underline; }
O1 - Hosts: font { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: td{ font-family: arial, verdana; font-sizw: 10px; text-decoration: none; }
O1 - Hosts: table{ font-family: arial, verdana; font-sizw: 11px; text-decoration: none; }
O1 - Hosts: body { background-color: #F0F0F0; scrollbar-face-color: #6E788C; scrollbar-shadow-color: #696969; scrollbar-highlight-color: #cfcfcf; scrollbar-3dlight-color: #cccccc; scrollbar-darkshadow-color: #808080; scrollbar-track-color: #9B9FA7; scrollbar-arrow-color: #000000 }
O1 - Hosts: .title { font-family: arial, verdana; font-size: 9pt; font-weight: normal; }
O1 - Hosts: .distributers { font-family: arial, verdana; font-size: 11pt; font-weight: normal; }
O1 - Hosts: .info { font-family: arial, verdana; font-size: 8pt; font-weight: normal; }
O1 - Hosts: .design { font-family: arial, verdana; font-size: 8pt; font-weight: normal; }
O1 - Hosts: .menu { border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 8pt; font-weight: normal; }
O1 - Hosts: .cellheader { border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 20pt; font-weight: normal; color: #F1F1F1; }
O1 - Hosts: .scellheader { border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 15pt; font-weight: normal; color: #F1F1F1; }
O1 - Hosts: .bigcellheader { border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 30pt; font-weight: normal; color: #F1F1F1; link: #F1F1F1; vlink: #F1F1F1; }
O1 - Hosts: .tblheader { background-color: #AAAAAA; border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 14pt; font-weight: normal; }
O1 - Hosts: .tdshade1 { background-color: #DDDDDD; border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 10pt; font-weight: normal; }
O1 - Hosts: .tdshade2 { background-color: #EEEEEE; border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 10pt; font-weight: normal; }
O1 - Hosts: </style>
O1 - Hosts: </head>
O1 - Hosts: <body bgcolor="#ffffff">
O1 - Hosts: <table bgcolor=#ffffff link=#0000ee vlink=#0000ee text=#000000 border=0 align="center" width="100%">
O1 - Hosts: <tr class=cellheader>
O1 - Hosts: <td bgcolor=#788298><center><b>This Account Has Been Suspended</b></center></td>
O1 - Hosts: </tr>
O1 - Hosts: </table>
O1 - Hosts: Please contact the billing/support department as soon as possible.
O1 - Hosts: </body>
O1 - Hosts: </html>
O1 - Hosts: <head>
O1 - Hosts: <style>
O1 - Hosts: a:link { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: a:visited { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: a:active { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: a:hover { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: underline; }
O1 - Hosts: font { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: td{ font-family: arial, verdana; font-sizw: 10px; text-decoration: none; }
O1 - Hosts: table{ font-family: arial, verdana; font-sizw: 11px; text-decoration: none; }
O1 - Hosts: body { background-color: #F0F0F0; scrollbar-face-color: #6E788C; scrollbar-shadow-color: #696969; scrollbar-highlight-color: #cfcfcf; scrollbar-3dlight-color: #cccccc; scrollbar-darkshadow-color: #808080; scrollbar-track-color: #9B9FA7; scrollbar-arrow-color: #000000 }
O1 - Hosts: .title { font-family: arial, verdana; font-size: 9pt; font-weight: normal; }
O1 - Hosts: .distributers { font-family: arial, verdana; font-size: 11pt; font-weight: normal; }
O1 - Hosts: .info { font-family: arial, verdana; font-size: 8pt; font-weight: normal; }
O1 - Hosts: .design { font-family: arial, verdana; font-size: 8pt; font-weight: normal; }
O1 - Hosts: .menu { border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 8pt; font-weight: normal; }
O1 - Hosts: .cellheader { border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 20pt; font-weight: normal; color: #F1F1F1; }
O1 - Hosts: .scellheader { border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 15pt; font-weight: normal; color: #F1F1F1; }
O1 - Hosts: .bigcellheader { border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 30pt; font-weight: normal; color: #F1F1F1; link: #F1F1F1; vlink: #F1F1F1; }
O1 - Hosts: .tblheader { background-color: #AAAAAA; border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 14pt; font-weight: normal; }
O1 - Hosts: .tdshade1 { background-color: #DDDDDD; border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 10pt; font-weight: normal; }
O1 - Hosts: .tdshade2 { background-color: #EEEEEE; border-top: 1px #374646 solid; border-left: 1px #374646 solid; border-right: 1px #374646 solid; border-bottom: 1px #374646 solid; font-family: verdana, arial; font-size: 10pt; font-weight: normal; }
O1 - Hosts: </style>
O1 - Hosts: </head>
O1 - Hosts: <body bgcolor="#ffffff">
O1 - Hosts: <table bgcolor=#ffffff link=#0000ee vlink=#0000ee text=#000000 border=0 align="center" width="100%">
O1 - Hosts: <tr class=cellheader>
O1 - Hosts: <td bgcolor=#788298><center><b>This Account Has Been Suspended</b></center></td>
O1 - Hosts: </tr>
O1 - Hosts: </table>
O1 - Hosts: Please contact the billing/support department as soon as possible.
O1 - Hosts: </body>
O1 - Hosts: </html>
O1 - Hosts: <head>
O1 - Hosts: <style>
O1 - Hosts: a:link { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: a:visited { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O1 - Hosts: a:active { font-family: arial, verdana; font-sizw: 11px; color: #000000; text-decoration: none; }
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Programme\AdobeAcrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] F:\Programme\Programme\PowerDVD\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [Skype] "F:\Programme\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: SpySubtract.lnk = F:\Programme\Programme\CWShredder\SpySub.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141214412265
O20 - Winlogon Notify: sndu32 - C:\WINDOWS\SYSTEM32\sndu32.dll
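An added example, written for this thread and not code from the thread or from HijackThis: a small Python triage pass over a log of the kind posted above. It parses the `O<n> - ...` lines, flags O1 hosts lines that are neither `<IPv4> <name>` nor a `#` comment (which is how a hosts file overwritten with a web page, as in the log above, shows up), lists every O20 Winlogon Notify DLL for review, and points out O4 Run values that name an executable without a full path. The sample log is a constructed excerpt modelled on the log above.

```python
import re

# Constructed sample: an excerpt modelled on the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: <head>
O1 - Hosts: a:link { font-family: arial, verdana; font-sizw: 11px; }
O1 - Hosts: Please contact the billing/support department as soon as possible.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O20 - Winlogon Notify: sndu32 - C:\WINDOWS\SYSTEM32\sndu32.dll
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A well-formed hosts line is blank, a '#' comment, or "<IPv4> <name> ...".
# Anything else (HTML tags, CSS rules, prose) means the file was overwritten
# with foreign content rather than edited. IPv4 only, which is enough for XP.
HOSTS_OK_RE = re.compile(r"^\s*(#|(\d{1,3}\.){3}\d{1,3}\s|$)")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[([^\]]+)\] (.+)$")


def first_token(command):
    """Return the executable part of a Run value, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_unqualified(path):
    """True when the value names a bare file (no directory, no drive) so the
    loader has to search for it; worth verifying which copy actually runs."""
    return "\\" not in path and not re.match(r"^[A-Za-z]:", path)


def triage(log_text):
    """Return the three findings a first look at the log should surface."""
    findings = {"foreign_hosts_lines": [], "winlogon_notify": [], "unqualified_run": []}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # process list, headers, blank lines
        section, payload = m.groups()
        if section == "O1" and payload.startswith("Hosts: "):
            entry = payload[len("Hosts: "):]
            if not HOSTS_OK_RE.match(entry):
                findings["foreign_hosts_lines"].append(entry)
        elif section == "O20":
            n = NOTIFY_RE.match(payload)
            if n:
                findings["winlogon_notify"].append((n.group(1), n.group(2)))
        elif section == "O4":
            r = RUN_RE.match(payload)
            if r and is_unqualified(first_token(r.group(3))):
                findings["unqualified_run"].append((r.group(2), r.group(3)))
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

Every Winlogon Notify package is loaded into winlogon.exe at logon, which is why a single unknown DLL in that list matters more than a dozen odd Run entries; the unqualified-path check is only a prompt to confirm which file is really executed.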
19.04.2006, 19:17
Honorary member

Posts: 29434
#2 oh dear...what a log.....

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

RootkitRevealer -> post the log
http://www.sysinternals.com/Utilities/RootkitRevealer.html

-------------------------------------------------------------------

sndu32.dll - Win32/Haxdoor trojan
http://virus-protect.org/artikel/dienste/sndu_haxdoor.html
__________
Regards, Sabina

all about PC security
19.04.2006, 19:39
...new here

Thread starter

Posts: 8
#3 ...done.

here is the log:

C:\WINDOWS\system32\klgcptini.dat 13.04.2006 01:24 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\qm.dll 18.04.2006 02:39 36.48 KB Hidden from Windows API.
C:\WINDOWS\system32\qm.sys 18.04.2006 02:39 20.58 KB Hidden from Windows API.
C:\WINDOWS\system32\sndu32.dll 18.04.2006 02:39 36.48 KB Hidden from Windows API.
C:\WINDOWS\system32\sndu64.sys 18.04.2006 02:39 20.58 KB Hidden from Windows API.
C:\WINDOWS\system32\stt82.ini 18.04.2006 02:39 320 bytes Hidden from Windows API.
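Added example, not part of the thread and not RootkitRevealer's own code: a Python parser for RootkitRevealer text output such as the six lines above. It splits each line into path, timestamp, size in bytes and discrepancy text, selects file entries hidden from the Windows API under a directory of interest, and reports entries that share a size. On the lines above that pairs qm.dll with sndu32.dll and qm.sys with sndu64.sys, which (same reported size, same minute) suggests one component dropped under two names. The sample input is a copy of the six lines from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the six RootkitRevealer lines from the post above.
SAMPLE_RKR = r"""
C:\WINDOWS\system32\klgcptini.dat 13.04.2006 01:24 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\qm.dll 18.04.2006 02:39 36.48 KB Hidden from Windows API.
C:\WINDOWS\system32\qm.sys 18.04.2006 02:39 20.58 KB Hidden from Windows API.
C:\WINDOWS\system32\sndu32.dll 18.04.2006 02:39 36.48 KB Hidden from Windows API.
C:\WINDOWS\system32\sndu64.sys 18.04.2006 02:39 20.58 KB Hidden from Windows API.
C:\WINDOWS\system32\stt82.ini 18.04.2006 02:39 320 bytes Hidden from Windows API.
"""

# <path> <dd.mm.yyyy> <hh:mm> <size> <unit> <discrepancy text>
# The path is matched lazily so that paths containing spaces still parse.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<day>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB|GB) (?P<desc>.+)$")
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_rkr(text):
    """Parse RootkitRevealer text output into a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything not in the known shape
        entries.append({
            "path": m["path"],
            "when": datetime.strptime(f"{m['day']} {m['time']}", "%d.%m.%Y %H:%M"),
            # the tool prints KB with two decimals, so this is exact only to a few bytes
            "size": round(float(m["size"]) * UNIT[m["unit"]]),
            "desc": m["desc"].rstrip("."),
        })
    return entries


def hidden_under(entries, prefix):
    """Entries hidden from the Windows API whose path starts with prefix (case-insensitive)."""
    p = prefix.lower()
    return [e for e in entries
            if e["desc"] == "Hidden from Windows API" and e["path"].lower().startswith(p)]


def same_size_groups(entries):
    """Map size -> sorted paths for every size shared by more than one entry."""
    by_size = defaultdict(list)
    for e in entries:
        by_size[e["size"]].append(e["path"])
    return {s: sorted(p) for s, p in by_size.items() if len(p) > 1}


if __name__ == "__main__":
    found = parse_rkr(SAMPLE_RKR)
    for e in hidden_under(found, r"C:\WINDOWS\system32"):
        print(e["when"], e["size"], e["path"])
    for size, paths in same_size_groups(found).items():
        print(f"{size} bytes shared by: {paths}")
```

A discrepancy line by itself is not proof of a rootkit (the tool also reports legitimate NTFS metadata and names with unusual characters); a group of hidden files in system32 created in the same minute, with size-matched pairs, is the pattern to act on.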
19.04.2006, 21:32
Honorary member

Posts: 29434
#4 mark-m

Copy the following text into Notepad (Start - Accessories - Notepad) and save it to the desktop as fixme.reg using 'Save as'. Under file type select 'All files'. You should now find this file on the desktop.

Quote

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sndu32]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sndu32.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sndu32.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SNDU32]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SNDU32\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SNDU32\0000\LogConf]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SNDU32\0000\Control]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sndu32]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sndu32\Security]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sndu32\Enum]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\sndu32.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\sndu32.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SNDU32]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SNDU32\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SNDU32\0000\LogConf]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sndu32]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sndu32\Security]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sndu32.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sndu32.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SNDU32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SNDU32\0000]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SNDU32\0000\LogConf]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SNDU32\0000\Control]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sndu32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sndu32\Security]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sndu32\Enum]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sndu64.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sndu64.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SNDU64]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sndu64]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\sndu64.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\sndu64.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SNDU64]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sndu64]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sndu64.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sndu64.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SNDU64]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sndu64]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSBUS32]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysbus32]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSBUS32]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSBUS32\0000\LogConf]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysbus32]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SYSBUS32]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sysbus32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSBUS32]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysbus32]


Avenger
http://virus-protect.org/artikel/tools/avenger.html

paste in:

Quote

Files to delete:

C:\WINDOWS\system32\klgcptini.dat
C:\WINDOWS\system32\drivers\sysbus32.sys
C:\WINDOWS\system32\msupdate32.dll
C:\WINDOWS\system32\qm.dll
C:\WINDOWS\system32\qm.sys
C:\WINDOWS\system32\sndu32.dll
C:\WINDOWS\system32\sndu64.sys
C:\WINDOWS\system32\stt82.ini
click the green traffic light
the script will now be executed, then the PC will restart automatically

open HijackThis -- button "Scan" -- tick the box in front of the malware entry -- button "Fix checked" -- restart the PC

O20 - Winlogon Notify: sndu32 - C:\WINDOWS\SYSTEM32\sndu32.dll

restart the PC
Restart the computer in Safe Mode (press F8 while booting). Double-click the file "fixme.reg" on the desktop + merge it into the registry

------------------------------------------
**
post the scan report from Avenger

**
then check once more, as explained on the page, how the registry entries that remained can be deleted manually.
http://virus-protect.org/artikel/dienste/sndu_haxdoor.html

**
configure CleanUp exactly as specified here:
http://virus-protect.org/cleanup.html

**
Copy these 4 text files. They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html
__________
Regards, Sabina

all about PC security
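Added example, not from the thread and not from any tool it names: a Python generator for a REGEDIT4 removal file of the kind shown in the post above. Given the component names and which of them also hook Winlogon\Notify, it emits one `[-KEY]` line per key in each control set listed. Two properties of such files are worth knowing: a `[-KEY]` line deletes the key together with all of its subkeys, so the `\0000`, `\LogConf`, `\Security` and `\Enum` lines in the file above are already covered by their parents, and a `[-KEY]` line for a key that does not exist is silently ignored, so emitting SafeBoot lines for every component (as this generator does, unlike the hand-written file) costs nothing. The `Enum\Root\LEGACY_*` keys are protected by an ACL that by default does not give Administrators delete rights, so those lines usually fail silently on import and are what the manual-removal step the post links to is for.

```python
CONTROL_SETS = ("ControlSet001", "ControlSet002", "CurrentControlSet")
HKLM = "HKEY_LOCAL_MACHINE"


def removal_keys(name, notify=False, control_sets=CONTROL_SETS):
    """All keys a driver/service component of this name is registered under.

    name     service/driver base name, e.g. "sndu32" (driver file sndu32.sys)
    notify   also remove the Winlogon\\Notify hook of the same name
    """
    keys = []
    if notify:
        keys.append(rf"{HKLM}\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{name}")
    for cs in control_sets:
        base = rf"{HKLM}\SYSTEM\{cs}"
        # SafeBoot entries allow the driver to load even in Safe Mode
        keys.append(rf"{base}\Control\SafeBoot\Minimal\{name}.sys")
        keys.append(rf"{base}\Control\SafeBoot\Network\{name}.sys")
        # the PnP manager's record of a legacy (non-PnP) driver
        keys.append(rf"{base}\Enum\Root\LEGACY_{name.upper()}")
        # the service/driver registration itself (subkeys go with it)
        keys.append(rf"{base}\Services\{name}")
    return keys


def render_reg(names, notify=()):
    """Render a REGEDIT4 file that deletes every key of every listed component.

    names    component names in the order they should appear
    notify   subset of names that also have a Winlogon\\Notify entry
    """
    lines = ["REGEDIT4", ""]
    for name in names:
        for key in removal_keys(name, notify=name in notify):
            lines.append(f"[-{key}]")
        lines.append("")  # blank line between components, as in the post
    return "\n".join(lines)


def write_reg(path, text):
    """REGEDIT4 files are ANSI text; CRLF line ends are what regedit expects."""
    with open(path, "w", encoding="cp1252", newline="\r\n") as fh:
        fh.write(text)


if __name__ == "__main__":
    # The three components named in the post above; only sndu32 hooks Winlogon.
    print(render_reg(["sndu32", "sndu64", "sysbus32"], notify={"sndu32"}))
```

Import order still matters: the file is merged in Safe Mode after the Winlogon Notify fix and the file deletion, because a Notify DLL that is still loaded re-creates its keys at the next logon.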
20.04.2006, 13:25
...new here

Thread starter

Posts: 8
#5 So, everything has worked so far. HijackThis finds no more viruses.
Here is the Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tmlvjiln

*******************

Script file located at: \??\C:\WINDOWS\yyojxduj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\klgcptini.dat deleted successfully.


File C:\WINDOWS\system32\drivers\sysbus32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\sysbus32.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\sysbus32.sys
Status: 0xc0000034



File C:\WINDOWS\system32\msupdate32.dll not found!
Deletion of file C:\WINDOWS\system32\msupdate32.dll failed!

Could not process line:
C:\WINDOWS\system32\msupdate32.dll
Status: 0xc0000034

File C:\WINDOWS\system32\qm.dll deleted successfully.
File C:\WINDOWS\system32\qm.sys deleted successfully.
File C:\WINDOWS\system32\sndu32.dll deleted successfully.
File C:\WINDOWS\system32\sndu64.sys deleted successfully.
File C:\WINDOWS\system32\stt82.ini deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
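Added example (written for this thread, not the thread's own and not part of The Avenger): a Python function that reconciles an Avenger log like the one above with the "Files to delete:" list that was submitted. It records which paths were deleted and which failed with what NTSTATUS, and names the two codes that occur in this thread (0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND; 0xc000003b, seen in a later post, is STATUS_OBJECT_PATH_SYNTAX_BAD), so that a file that was simply not present is kept apart from a deletion that was actually blocked. The sample log is a shortened copy of the one above; the script list is constructed and deliberately includes one path the log never mentions.

```python
import re

# Sample: a shortened copy of the Avenger log posted above.
SAMPLE_AVENGER = r"""
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tmlvjiln

Beginning to process script file:

File C:\WINDOWS\system32\klgcptini.dat deleted successfully.

File C:\WINDOWS\system32\drivers\sysbus32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\sysbus32.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\sysbus32.sys
Status: 0xc0000034

File C:\WINDOWS\system32\sndu32.dll deleted successfully.

Completed script processing.
"""

# Constructed: the paths the operator asked Avenger to delete.
SAMPLE_SCRIPT = [
    r"C:\WINDOWS\system32\klgcptini.dat",
    r"C:\WINDOWS\system32\drivers\sysbus32.sys",
    r"C:\WINDOWS\system32\sndu32.dll",
    r"C:\WINDOWS\system32\stt82.ini",   # in the script but absent from the sample log
]

# NTSTATUS values that occur in this thread; anything else is reported as unknown.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003B: "STATUS_OBJECT_PATH_SYNTAX_BAD",
}

DELETED_RE = re.compile(r"^File (.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of file (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")


def parse_avenger(text):
    """Return {"deleted": [paths], "failed": {path: status name}} from an Avenger log."""
    deleted, failed = [], {}
    pending = None  # path of the last failure still waiting for its Status: line
    for raw in text.splitlines():
        line = raw.strip()
        if m := DELETED_RE.match(line):
            deleted.append(m.group(1))
        elif m := FAILED_RE.match(line):
            pending = m.group(1)
            failed[pending] = "no status reported"
        elif (m := STATUS_RE.match(line)) and pending:
            code = int(m.group(1), 16)
            failed[pending] = NTSTATUS.get(code, f"unknown NTSTATUS {m.group(1)}")
            pending = None
    return {"deleted": deleted, "failed": failed}


def reconcile(script_paths, log):
    """Classify every requested path; Windows paths compare case-insensitively."""
    deleted = {p.lower() for p in log["deleted"]}
    failed = {p.lower(): s for p, s in log["failed"].items()}
    result = {}
    for p in script_paths:
        k = p.lower()
        if k in deleted:
            result[p] = "deleted"
        elif k in failed:
            if failed[k] == "STATUS_OBJECT_NAME_NOT_FOUND":
                result[p] = "already absent"
            else:
                result[p] = "FAILED: " + failed[k]
        else:
            result[p] = "not mentioned in log"
    return result


if __name__ == "__main__":
    for path, verdict in reconcile(SAMPLE_SCRIPT, parse_avenger(SAMPLE_AVENGER)).items():
        print(f"{verdict:22} {path}")
```

"Not mentioned in log" is the case to chase: it usually means the log is from a different run than the script, which is exactly what happened later in this thread when a second run aborted before processing any line.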
20.04.2006, 13:29
Honorary member

Posts: 29434
#6 configure CleanUp exactly as specified here:
http://virus-protect.org/cleanup.html

**
Copy these 4 text files here. They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html
__________
Regards, Sabina

all about PC security
20.04.2006, 14:10
...new here

Thread starter

Posts: 8
#7 So, I did everything the way you said.

Here are the DAT.find.bat logs:

Verzeichnis von C:\WINDOWS\system32

20.04.2006 12:44 8 tnstt.a3d -> Haxdoor
19.04.2006 19:30 2.550 Uninstall.ico
19.04.2006 19:30 1.406 Help.ico
19.04.2006 19:30 30.590 pavas.ico
19.04.2006 19:27 0 asfiles.txt
19.04.2006 15:33 664 d3d9caps.dat
19.04.2006 14:38 17.698.816 HXJJN
18.04.2006 02:13 2.206 wpa.dbl
17.04.2006 22:36 90 spupdwxp.log
17.04.2006 15:30 39.992 perfc009.dat
17.04.2006 15:30 311.604 perfh009.dat
17.04.2006 15:30 316.594 perfh007.dat
17.04.2006 15:30 48.156 perfc007.dat
04.04.2006 10:43 1.151 ikhcore.log
02.04.2006 12:08 2.154 ssmute.ini
02.04.2006 11:18 4.608 taskdir.dll
02.04.2006 11:18 51.616 parad.raw.exe
02.04.2006 11:18 5.120 gbbe.dll
02.04.2006 11:18 0 bin29a.log

26.03.2006 17:42 897.954 PerfStringBackup.INI
23.03.2006 14:08 7.006 jupdate-1.5.0_06-b05.log
22.03.2006 13:17 176.167 rmoc3260.dll
22.03.2006 13:17 5.632 pndx5032.dll
22.03.2006 13:17 6.656 pndx5016.dll
22.03.2006 13:17 278.528 pncrt.dll
14.03.2006 22:02 115.768 FNTCACHE.DAT
10.03.2006 02:10 4.799.320 MRT.exe
23.02.2006 01:00 0 h323log.txt
23.02.2006 00:32 146.650 BuzzingBee.wav
23.02.2006 00:32 940.794 LoopyMusic.wav
22.02.2006 18:10 25.065 wmpscheme.xml
22.02.2006 18:08 261 $winnt$.inf
22.02.2006 18:07 2.951 CONFIG.NT
22.02.2006 18:07 16.832 amcompat.tlb
22.02.2006 18:07 23.392 nscompat.tlb
22.02.2006 18:06 488 logonui.exe.manifest
22.02.2006 18:06 488 WindowsLogon.manifest
22.02.2006 18:06 749 wuaucpl.cpl.manifest
22.02.2006 18:06 749 cdplayer.exe.manifest
22.02.2006 18:06 749 sapi.cpl.manifest
22.02.2006 18:06 749 ncpa.cpl.manifest
22.02.2006 18:06 749 nwc.cpl.manifest
22.02.2006 18:05 21.740 emptyregdb.dat
14.02.2006 10:20 550.120 LegitCheckControl.dll
04.01.2006 05:35 68.096 webclnt.dll

Verzeichnis von C:\DOKUME~1\Markus\LOKALE~1\Temp

20.04.2006 14:04 206 jusched.log
1 Datei(en) 206 Bytes
0 Verzeichnis(se), 9.747.378.176 Bytes frei

Verzeichnis von C:\WINDOWS

20.04.2006 13:48 821.560 setupapi.log
20.04.2006 13:47 0 0.log
20.04.2006 13:47 2.048 bootstat.dat
20.04.2006 13:46 1.316 SchedLgU.Txt
20.04.2006 13:46 1.202.110 WindowsUpdate.log
20.04.2006 13:20 198.090 ntbtlog.txt
20.04.2006 13:06 155 winamp.ini
19.04.2006 19:30 32 pavsig.txt
19.04.2006 19:27 715 win.ini
19.04.2006 12:46 10 WININIT.INI
18.04.2006 18:58 250.633 DirectX.log
18.04.2006 14:00 60.416 ALCFDRTM.VER
17.04.2006 22:37 59.373 spupdsvc.log
17.04.2006 22:37 26.509 wmsetup.log
17.04.2006 22:37 1.285 DtcInstall.log
17.04.2006 22:37 316.640 WMSysPr9.prx
17.04.2006 22:36 31.337 medctroc.Log
17.04.2006 22:35 490.839 svcpack.log
17.04.2006 22:27 103.944 ntdtcsetup.log
17.04.2006 22:27 763.719 iis6.log
17.04.2006 22:27 172.756 comsetup.log
17.04.2006 22:27 34.282 tabletoc.log
17.04.2006 22:27 1.374 imsins.log
17.04.2006 22:27 22.188 ocmsn.log
17.04.2006 22:27 192.375 KB913446.log
17.04.2006 22:27 306.254 tsoc.log
17.04.2006 22:27 333.866 ocgen.log
17.04.2006 22:27 32.992 msgsocm.log
17.04.2006 22:27 653.222 FaxSetup.log
17.04.2006 22:27 115.417 netfxocm.log
17.04.2006 22:27 210.560 msmqinst.log
17.04.2006 22:27 1.374 imsins.BAK
17.04.2006 22:22 373 cmsetacl.log
17.04.2006 22:22 1.641 sessmgr.setup.log
06.04.2006 12:59 3.697 mozver.dat
02.04.2006 11:33 438 dembat.tm
02.04.2006 11:18 0 emdat.tm

25.03.2006 19:33 1.519 OEWABLog.txt
25.03.2006 19:02 45.214 EPSTPLOG.TXT
23.03.2006 04:49 215 wiadebug.log
22.03.2006 20:18 50 wiaservc.log
17.03.2006 23:39 184.053 setupact.log
06.03.2006 15:48 0 nsreg.dat
06.03.2006 15:47 107.132 UninstallFirefox.exe
04.03.2006 11:01 12.575 KB885250.log
04.03.2006 11:01 12.612 KB887742.log
04.03.2006 11:01 12.147 KB887472.log
04.03.2006 11:01 15.687 KB905915.log
04.03.2006 11:01 27.468 updspapi.log
04.03.2006 11:01 5.773 KB886185.log
04.03.2006 11:01 3.213 KB885884.log
03.03.2006 18:27 27.716 KB904706.log
03.03.2006 18:27 36.080 KB911565.log
01.03.2006 14:21 653 xpsp1hfm.log
01.03.2006 14:21 32.877 KB835732.log
01.03.2006 14:19 30.895 KB905495.log
01.03.2006 14:19 27.705 KB911564.log
01.03.2006 14:19 2.068 vminst.log
01.03.2006 14:18 22.290 KB892944.log
01.03.2006 14:18 16.139 KB905915-IE6SP1-20051122.175908.log
01.03.2006 14:17 11.872 KB835409.log
01.03.2006 14:03 8.400 WGA.log
01.03.2006 14:03 8.563 KB898461.log
01.03.2006 14:03 10.134 KB893803v2.log
01.03.2006 14:03 6.272 KB842773.log
27.02.2006 19:12 169 RtlRack.ini
23.02.2006 22:12 283.648 uninst.exe -> ???
23.02.2006 00:58 0 Sti_Trace.log
23.02.2006 00:57 1.348 regopt.log
23.02.2006 00:57 231 system.ini
23.02.2006 00:56 0 setuperr.log
23.02.2006 00:32 60.416 ALCFDRTM.EXE
22.02.2006 18:48 400 ODBC.INI
22.02.2006 18:18 1.442 COM+.log
22.02.2006 18:11 5.680 Ascd_tmp.ini
22.02.2006 18:09 8.192 REGLOCS.OLD
22.02.2006 18:07 0 control.ini
22.02.2006 18:07 299.552 WMSysPrx.prx
22.02.2006 18:07 4.161 ODBCINST.INI
22.02.2006 18:06 280 Windows Update.log
22.02.2006 18:06 749 WindowsShell.Manifest
22.02.2006 18:05 37 vbaddin.ini
22.02.2006 18:05 36 vb.ini

Verzeichnis von C:\

20.04.2006 14:08 0 sys.txt
20.04.2006 14:07 7.591 system.txt
20.04.2006 14:06 293 systemtemp.txt
20.04.2006 14:06 96.503 system32.txt
20.04.2006 14:05 240 datFind.zip
20.04.2006 13:47 1.610.612.736 pagefile.sys
20.04.2006 13:06 2.496 avenger.txt
17.04.2006 22:22 211 boot.ini
02.04.2006 11:18 0 exit
02.04.2006 11:18 1.024 tool4.exe
02.04.2006 11:18 1.024 tool5.exe
02.04.2006 11:18 1.024 tool1.exe
02.04.2006 11:18 1.024 toolbar.exe
02.04.2006 11:18 3.072 ms1.exe
02.04.2006 11:18 1.024 country.exe
02.04.2006 11:18 3.051 secure32.html
02.04.2006 11:17 70.144 kl1.exe
02.04.2006 11:17 32.768 tool2.exe
02.04.2006 11:17 32.768 winstall.exe
02.04.2006 11:17 0 uniq

03.03.2006 18:11 47.564 NTDETECT.COM
03.03.2006 18:11 251.184 ntldr
22.02.2006 18:07 0 IO.SYS
22.02.2006 18:07 0 AUTOEXEC.BAT
22.02.2006 18:07 0 CONFIG.SYS
22.02.2006 18:07 0 MSDOS.SYS
23.01.2006 15:36 429 datFind.bat
23.08.2001 14:00 4.952 bootfont.bin
28 Datei(en) 1.611.171.122 Bytes
0 Verzeichnis(se), 9.747.374.080 Bytes frei


Am I free of viruses again???
What else can I do?

Regards and many thanks for your help !!!!!!!!!!

Markus


now it worked:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\igyclwax

*******************

Script file located at: \??\C:\wnqndepo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\tnstt.a3d deleted successfully.
File C:\WINDOWS\system32\ikhcore.log deleted successfully.
File C:\WINDOWS\system32\ssmute.ini deleted successfully.
File C:\WINDOWS\system32\taskdir.dll deleted successfully.
File C:\WINDOWS\system32\parad.raw.exe deleted successfully.
File C:\WINDOWS\system32\gbbe.dll deleted successfully.
File C:\WINDOWS\system32\bin29a.log deleted successfully.
File C:\WINDOWS\RtlRack.ini deleted successfully.
File C:\WINDOWS\dembat.tm deleted successfully.
File C:\WINDOWS\emdat.tm deleted successfully.


File C:\WINDOWS\exit not found!
Deletion of file C:\WINDOWS\exit failed!

Could not process line:
C:\WINDOWS\exit
Status: 0xc0000034

File C:\tool4.exe deleted successfully.
File C:\tool5.exe deleted successfully.
File C:\tool1.exe deleted successfully.
File C:\toolbar.exe deleted successfully.
File C:\ms1.exe deleted successfully.
File C:\country.exe deleted successfully.
File C:\secure32.html deleted successfully.
File C:\kl1.exe deleted successfully.
File C:\tool2.exe deleted successfully.
File C:\winstall.exe deleted successfully.
File C:\uniq deleted successfully.

Completed script processing.
This post was edited on 20.04.2006 at 16:01 by mark-m.
20.04.2006, 15:36
Honorary member

Posts: 29434
#8 mark-m

Avenger

http://virus-protect.org/artikel/tools/avenger.html

paste in:

Quote

Files to delete:

C:\WINDOWS\system32\tnstt.a3d
C:\WINDOWS\system32\ikhcore.log
C:\WINDOWS\system32\ssmute.ini
C:\WINDOWS\system32\taskdir.dll
C:\WINDOWS\system32\parad.raw.exe
C:\WINDOWS\system32\gbbe.dll
C:\WINDOWS\system32\bin29a.log
C:\WINDOWS\RtlRack.ini
C:\WINDOWS\dembat.tm
C:\WINDOWS\emdat.tm
C:\WINDOWS\exit
C:\tool4.exe
C:\tool5.exe
C:\tool1.exe
C:\toolbar.exe
C:\ms1.exe
C:\country.exe
C:\secure32.html
C:\kl1.exe
C:\tool2.exe
C:\winstall.exe
C:\uniq

click the green traffic light
the script will now be executed, then the PC will restart automatically
post the log

then: post the log from Silentrunner
http://virus-protect.org/silentrunner.html
__________
Regards, Sabina

all about PC security
20.04.2006, 15:56
...new here

Thread starter

Posts: 8
#9 After the restart, Avenger showed me the following error message:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dehybcml

*******************

Script file located at: ksltktkk

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!


I'll try again....




So here now the Silent Runners log as well:

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""F:\Programme\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"RemoteControl" = "F:\Programme\Programme\PowerDVD\PowerDVD\PDVDServ.exe" ["Cyberlink Corp."]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"ATICCC" = ""C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "F:\Programme\Programme\AdobeAcrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Programme\Programme\WinRaR\rarext.dll" [null data]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{B427BFD7-8087-447e-8FC4-EFDFE6534FF1}" = "Automation Object"
-> {HKCU...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\gbbe.dll" [file not found]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * PFDNNT C:\WINDOWS\SYSTEM32\RDRLIB.DLL" [file not found], [MS], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "F:\Programme\Programme\AdobeAcrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Programme\Programme\WinRaR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Programme\Programme\WinRaR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Programme\Programme\WinRaR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Markus\Anwendungsdaten\Mozilla\Firefox\Desktop Hintergrund.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON BiD Monitor1\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 26 seconds, including 18 seconds for message boxes)


What else is there to do?
regards

markus
This post was edited on 20.04.2006 at 16:05 by mark-m.
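Added example (not from this thread, and not code from the Silent Runners project): a small Python triage script for the report format posted above. Silent Runners prints INFECTION WARNING! for every entry under certain keys regardless of what is there (the Winlogon\Notify line for the vendor-signed Ati2evxx.dll is flagged just like the rest), so the script separates tool-flagged lines by whether a vendor name is attached in the trailing brackets, and additionally collects handlers whose DLL is reported as [file not found] or [null data], like the gbbe.dll SharedTaskScheduler entry. The sample excerpt is constructed from the posted log; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the Silent Runners format, modelled on the log posted above.
SAMPLE_LOG = r"""
"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"ATICCC" = ""C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{B427BFD7-8087-447e-8FC4-EFDFE6534FF1}" = "Automation Object"
-> {HKCU...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\gbbe.dll" [file not found]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * PFDNNT C:\WINDOWS\SYSTEM32\RDRLIB.DLL" [file not found], [MS], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]
"""

# Markers Silent Runners uses: a vendor name in quotes or [MS] means the file exists and is
# attributed; [file not found] / [null data] / [empty string] mean it is missing or unsigned.
MISSING_MARK = re.compile(r"\[(file not found|null data|empty string)\]")
VENDOR_MARK = re.compile(r'\[("[^"]+"|MS)\]\s*$')
UNDERLINE = re.compile(r"-{3,}")


@dataclass
class Finding:
    section: str   # report section heading, e.g. "Startup items buried in registry:"
    key: str       # registry key the entry lives under
    line: str      # the raw report line
    severity: str  # "warning" = the tool flagged it; "review" = handler file missing/unsigned


def vendor_of(line: str) -> Optional[str]:
    """Vendor name the report appends in brackets, or None when the file is missing/unsigned."""
    m = VENDOR_MARK.search(line)
    return m.group(1).strip('"') if m else None


def parse_silent_runners(text: str) -> List[Finding]:
    """Walk the report, remembering the current section and registry key for each finding."""
    findings: List[Finding] = []
    section = key = ""
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line:
            continue
        # section headings are underlined with dashes on the following line
        if i + 1 < len(lines) and UNDERLINE.fullmatch(lines[i + 1].strip()):
            section = line
            continue
        if UNDERLINE.fullmatch(line):
            continue
        if line.startswith("HK"):
            key = line.split(" {++}")[0]  # "{++}" marks keys the tool lists in full
            continue
        if "WARNING!" in line:
            findings.append(Finding(section, key, line, "warning"))
        elif MISSING_MARK.search(line):
            findings.append(Finding(section, key, line, "review"))
    return findings


def needs_investigation(findings: List[Finding]) -> List[Finding]:
    """Tool-flagged lines with no vendor attribution: look these up first."""
    return [f for f in findings if f.severity == "warning" and vendor_of(f.line) is None]


if __name__ == "__main__":
    found = parse_silent_runners(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity}] {f.section} | {f.key}\n    {f.line}")
    print("\nunattributed warnings:", len(needs_investigation(found)))
```

Run on the excerpt, the vendor-attributed ATI Winlogon entry drops out of the investigate list while the unnamed SharedTaskScheduler object, the BootExecute addition and the AboutURLs entry remain, which is the same reading the thread's helper applied by hand.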
20.04.2006, 16:04
Honorary member
Sabina

Posts: 29434
#10 KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> tick it
and click the red cross; when it asks "Do you want to reboot?" click "no" and paste in the next one, only click "yes" on the last one
paste in: .....

C:\WINDOWS\system32\tnstt.a3d
C:\WINDOWS\system32\ikhcore.log
C:\WINDOWS\system32\ssmute.ini
C:\WINDOWS\system32\taskdir.dll
C:\WINDOWS\system32\parad.raw.exe
C:\WINDOWS\system32\gbbe.dll
C:\WINDOWS\system32\bin29a.log
C:\WINDOWS\RtlRack.ini
C:\WINDOWS\dembat.tm
C:\WINDOWS\emdat.tm
C:\WINDOWS\exit
C:\tool4.exe
C:\tool5.exe
C:\tool1.exe
C:\toolbar.exe
C:\ms1.exe
C:\country.exe
C:\secure32.html
C:\kl1.exe
C:\tool2.exe
C:\winstall.exe
C:\uniq

restart the PC


then Silent Runners ;)
__________
Regards, Sabina

all about PC security
20.04.2006, 16:21
Honorary member
Sabina

Posts: 29434
#11 1.
Go into the registry
Start - Run - regedit

Edit - Find - gbbe.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{B427BFD7-8087-447e-8FC4-EFDFE6534FF1} --> delete

restart the PC

2.
aproposfix
http://swandog46.geekstogo.com/aproposfix.exe
download aproposfix.exe

boot (absolutely into Safe Mode)

click RunThis.bat
press "enter" and wait until the window closes.
then copy the log.txt.

3.
post the four logs from datfind.bat again

beforehand delete
C:\WINDOWS\exit
with the Killbox
__________
Regards, Sabina

all about PC security
20.04.2006, 16:46
...new here

Thread starter

Posts: 8
#12 Logs from Datfind:

Verzeichnis von C:\WINDOWS\system32

20.04.2006 14:28 380.350 perfh009.dat
20.04.2006 14:28 52.764 perfc009.dat
20.04.2006 14:28 391.000 perfh007.dat
20.04.2006 14:28 63.580 perfc007.dat
20.04.2006 14:28 786.220 PerfStringBackup.INI
19.04.2006 19:30 2.550 Uninstall.ico
19.04.2006 19:30 1.406 Help.ico
19.04.2006 19:27 0 asfiles.txt
19.04.2006 15:33 664 d3d9caps.dat
19.04.2006 14:38 17.698.816 HXJJN
18.04.2006 02:13 2.206 wpa.dbl
17.04.2006 22:36 90 spupdwxp.log
23.03.2006 14:08 7.006 jupdate-1.5.0_06-b05.log
22.03.2006 13:17 176.167 rmoc3260.dll
22.03.2006 13:17 5.632 pndx5032.dll
22.03.2006 13:17 6.656 pndx5016.dll
22.03.2006 13:17 278.528 pncrt.dll
22.03.2006 05:56 257.536 ati2dvag.dll
22.03.2006 05:50 114.688 atipdlxx.dll
22.03.2006 05:50 77.824 Oemdspif.dll
22.03.2006 05:50 26.112 Ati2mdxx.exe
22.03.2006 05:50 41.984 ati2edxx.dll
22.03.2006 05:50 61.440 ati2evxx.dll
22.03.2006 05:48 405.504 ati2evxx.exe
22.03.2006 05:48 53.248 ATIDDC.DLL
22.03.2006 05:42 307.200 atiiiexx.dll
22.03.2006 05:40 2.662.688 ati3duag.dll
22.03.2006 05:33 1.130.752 ativvaxx.dll
22.03.2006 05:33 6.684.672 atioglx1.dll
22.03.2006 05:24 5.025.792 atioglxx.dll
22.03.2006 05:18 151.552 atikvmag.dll
22.03.2006 05:17 17.408 atitvo32.dll
22.03.2006 05:12 258.048 ati2cqag.dll
22.03.2006 04:38 286.720 ATIDEMGR.dll
17.03.2006 15:37 520.192 ati2sgag.exe
14.03.2006 22:02 115.768 FNTCACHE.DAT
10.03.2006 02:10 4.799.320 MRT.exe
23.02.2006 01:00 0 h323log.txt
23.02.2006 00:32 146.650 BuzzingBee.wav
23.02.2006 00:32 940.794 LoopyMusic.wav
22.02.2006 18:10 25.065 wmpscheme.xml
22.02.2006 18:08 261 $winnt$.inf
22.02.2006 18:07 2.951 CONFIG.NT
22.02.2006 18:07 16.832 amcompat.tlb
22.02.2006 18:07 23.392 nscompat.tlb
22.02.2006 18:06 488 logonui.exe.manifest
22.02.2006 18:06 488 WindowsLogon.manifest
22.02.2006 18:06 749 cdplayer.exe.manifest
22.02.2006 18:06 749 sapi.cpl.manifest
22.02.2006 18:06 749 wuaucpl.cpl.manifest
22.02.2006 18:06 749 ncpa.cpl.manifest
22.02.2006 18:06 749 nwc.cpl.manifest
22.02.2006 18:05 21.740 emptyregdb.dat
14.02.2006 10:20 550.120 LegitCheckControl.dll
13.02.2006 22:29 121.995 atiicdxx.dat
26.01.2006 03:48 6.005 atifglpf.xml
04.01.2006 05:35 68.096 webclnt.dll


Verzeichnis von C:\DOKUME~1\Markus\LOKALE~1\Temp

20.04.2006 16:40 16.384 Perflib_Perfdata_77c.dat
20.04.2006 16:40 16.384 Perflib_Perfdata_784.dat
20.04.2006 16:40 16.384 Perflib_Perfdata_3f8.dat
20.04.2006 16:24 1.030 jusched.log
20.04.2006 14:34 6.777.928 yayng2bn.exe
20.04.2006 14:28 2.323 dotNetFx.log
20.04.2006 14:28 7.228 ASPNETSetup.log
03.04.2006 18:29 5.632 uninstall.exe
22.02.2006 18:22 46.080 d8935.mst
9 Datei(en) 6.889.373 Bytes
0 Verzeichnis(se), 9.654.644.736 Bytes frei


Verzeichnis von C:\WINDOWS

20.04.2006 16:40 0 0.log
20.04.2006 16:39 2.048 bootstat.dat
20.04.2006 16:38 1.206.742 WindowsUpdate.log
20.04.2006 16:38 305.582 ntbtlog.txt
20.04.2006 16:36 2.828 SchedLgU.Txt
20.04.2006 16:26 155 winamp.ini
20.04.2006 14:51 828.844 setupapi.log
20.04.2006 14:49 2.896 COM+.log
19.04.2006 19:30 32 pavsig.txt
19.04.2006 19:27 715 win.ini
19.04.2006 12:46 10 WININIT.INI
18.04.2006 18:58 250.633 DirectX.log
18.04.2006 14:00 60.416 ALCFDRTM.VER
17.04.2006 22:37 59.373 spupdsvc.log
17.04.2006 22:37 26.509 wmsetup.log
17.04.2006 22:37 1.285 DtcInstall.log
17.04.2006 22:37 316.640 WMSysPr9.prx
17.04.2006 22:36 31.337 medctroc.Log
17.04.2006 22:35 490.839 svcpack.log
17.04.2006 22:27 763.719 iis6.log
17.04.2006 22:27 172.756 comsetup.log
17.04.2006 22:27 103.944 ntdtcsetup.log
17.04.2006 22:27 22.188 ocmsn.log
17.04.2006 22:27 192.375 KB913446.log
17.04.2006 22:27 306.254 tsoc.log
17.04.2006 22:27 34.282 tabletoc.log
17.04.2006 22:27 1.374 imsins.log
17.04.2006 22:27 653.222 FaxSetup.log
17.04.2006 22:27 32.992 msgsocm.log
17.04.2006 22:27 115.417 netfxocm.log
17.04.2006 22:27 333.866 ocgen.log
17.04.2006 22:27 210.560 msmqinst.log
17.04.2006 22:27 1.374 imsins.BAK
17.04.2006 22:27 198.899 KB912919.log
17.04.2006 22:27 221.746 KB911927.log
17.04.2006 22:26 211.407 KB910437.log
17.04.2006 22:26 196.233 KB908519.log
17.04.2006 22:26 197.763 KB905749.log
17.04.2006 22:26 206.932 KB905414.log
17.04.2006 22:26 224.602 KB902400.log
17.04.2006 22:26 204.161 KB901214.log
17.04.2006 22:25 215.956 KB901017.log
17.04.2006 22:25 204.937 KB900725.log
17.04.2006 22:25 216.739 KB899591.log
17.04.2006 22:25 204.772 KB899589.log
17.04.2006 22:25 223.922 KB899587.log
17.04.2006 22:25 194.635 KB896428.log
17.04.2006 22:24 218.833 KB896424.log
17.04.2006 22:24 215.857 KB896423.log
17.04.2006 22:24 222.172 KB896422.log
17.04.2006 22:24 215.463 KB896358.log
17.04.2006 22:24 216.396 KB893756.log
17.04.2006 22:24 204.191 KB891781.log
17.04.2006 22:23 200.622 KB890859.log
17.04.2006 22:23 206.431 KB890046.log
17.04.2006 22:23 198.527 KB888302.log
17.04.2006 22:23 211.808 KB888113.log
17.04.2006 22:23 216.496 KB885836.log
17.04.2006 22:22 221.038 KB885835.log
17.04.2006 22:22 213.002 KB873339.log
17.04.2006 22:22 373 cmsetacl.log
17.04.2006 22:22 1.641 sessmgr.setup.log
06.04.2006 12:59 3.697 mozver.dat
25.03.2006 19:33 1.519 OEWABLog.txt
25.03.2006 19:02 45.214 EPSTPLOG.TXT
23.03.2006 04:49 215 wiadebug.log
22.03.2006 20:18 50 wiaservc.log
17.03.2006 23:39 184.053 setupact.log
06.03.2006 15:48 0 nsreg.dat
06.03.2006 15:47 107.132 UninstallFirefox.exe
04.03.2006 11:01 12.575 KB885250.log
04.03.2006 11:01 12.612 KB887742.log
04.03.2006 11:01 12.147 KB887472.log
04.03.2006 11:01 15.687 KB905915.log
04.03.2006 11:01 27.468 updspapi.log
04.03.2006 11:01 5.773 KB886185.log
04.03.2006 11:01 3.213 KB885884.log
03.03.2006 18:27 27.716 KB904706.log
03.03.2006 18:27 36.080 KB911565.log
01.03.2006 14:21 653 xpsp1hfm.log
01.03.2006 14:21 32.877 KB835732.log
01.03.2006 14:19 30.895 KB905495.log
01.03.2006 14:19 27.705 KB911564.log
01.03.2006 14:19 2.068 vminst.log
01.03.2006 14:18 22.290 KB892944.log
01.03.2006 14:18 16.139 KB905915-IE6SP1-20051122.175908.log
01.03.2006 14:17 11.872 KB835409.log
01.03.2006 14:03 8.400 WGA.log
01.03.2006 14:03 8.563 KB898461.log
01.03.2006 14:03 10.134 KB893803v2.log
01.03.2006 14:03 6.272 KB842773.log
23.02.2006 22:12 283.648 uninst.exe
23.02.2006 00:58 0 Sti_Trace.log
23.02.2006 00:57 1.348 regopt.log
23.02.2006 00:57 231 system.ini
23.02.2006 00:56 0 setuperr.log
23.02.2006 00:32 60.416 ALCFDRTM.EXE
22.02.2006 18:48 400 ODBC.INI
22.02.2006 18:11 5.680 Ascd_tmp.ini
22.02.2006 18:09 8.192 REGLOCS.OLD
22.02.2006 18:07 0 control.ini
22.02.2006 18:07 299.552 WMSysPrx.prx
22.02.2006 18:07 4.161 ODBCINST.INI
22.02.2006 18:06 280 Windows Update.log
22.02.2006 18:06 749 WindowsShell.Manifest
22.02.2006 18:05 36 vb.ini
22.02.2006 18:05 37 vbaddin.ini


Verzeichnis von C:\

20.04.2006 16:44 0 sys.txt
20.04.2006 16:44 7.449 system.txt
20.04.2006 16:43 730 systemtemp.txt
20.04.2006 16:42 97.066 system32.txt
20.04.2006 16:41 240 datFind.zip
20.04.2006 16:39 1.610.612.736 pagefile.sys
20.04.2006 15:58 3.262 avenger.txt
20.04.2006 15:52 972 xayfdsjq.txt
17.04.2006 22:22 211 boot.ini
02.04.2006 11:18 0 exit
03.03.2006 18:11 47.564 NTDETECT.COM
03.03.2006 18:11 251.184 ntldr
22.02.2006 18:07 0 CONFIG.SYS
22.02.2006 18:07 0 MSDOS.SYS
22.02.2006 18:07 0 IO.SYS
22.02.2006 18:07 0 AUTOEXEC.BAT
23.01.2006 15:36 429 datFind.bat
23.08.2001 14:00 4.952 bootfont.bin
18 Datei(en) 1.611.026.795 Bytes
0 Verzeichnis(se), 9.654.632.448 Bytes frei


and this is what aproposfix spat out:

Log of AproposFix v1.1

************

Running from directory:
F:\aproposfix

************



Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!
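Added example (not from this thread, and not part of datfind.bat): a Python parser for the German-locale directory listings posted above, with the triage rules a responder applies to them. Dates alone are a poor filter here (perf data and log files are rewritten constantly), so the rules only act on executable extensions, and separately on names with no extension at all. The sample listing is a constructed subset of the posted logs, the date cut-off and the `known_ok` allow-list (ntldr is the XP boot loader) are my assumptions, and the function names are my own. On the sample the rules surface HXJJN, yayng2bn.exe and the empty file exit, the same three items the helper asks to have removed in the next post.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import FrozenSet, List, Tuple

# Constructed subset of the datfind.bat listings posted above (German "dir" output:
# dd.mm.yyyy time size-with-dot-thousands name).
SAMPLE_LISTING = r"""
Verzeichnis von C:\WINDOWS\system32

20.04.2006 14:28 380.350 perfh009.dat
19.04.2006 19:30 2.550 Uninstall.ico
19.04.2006 14:38 17.698.816 HXJJN
22.03.2006 05:48 405.504 ati2evxx.exe
10.03.2006 02:10 4.799.320 MRT.exe


Verzeichnis von C:\DOKUME~1\Markus\LOKALE~1\Temp

20.04.2006 14:34 6.777.928 yayng2bn.exe
03.04.2006 18:29 5.632 uninstall.exe
22.02.2006 18:22 46.080 d8935.mst
3 Datei(en) 6.829.640 Bytes
0 Verzeichnis(se), 9.654.644.736 Bytes frei


Verzeichnis von C:\

20.04.2006 15:58 3.262 avenger.txt
02.04.2006 11:18 0 exit
03.03.2006 18:11 47.564 NTDETECT.COM
03.03.2006 18:11 251.184 ntldr
23.01.2006 15:36 429 datFind.bat
"""

ENTRY_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4}) (\d{2}:\d{2}) ([\d.]+) (.+)$")
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".com", ".bat", ".scr", ".pif", ".cpl"}


@dataclass
class Entry:
    directory: str
    modified: datetime
    size: int
    name: str


def parse_listing(text: str) -> List[Entry]:
    """Turn the listing into Entry records, tagging each with its 'Verzeichnis von' directory."""
    entries: List[Entry] = []
    directory = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Verzeichnis von "):
            directory = line[len("Verzeichnis von "):]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines and the "n Datei(en)" / "Verzeichnis(se)" summary lines
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d.%m.%Y %H:%M")
        size = int(m.group(3).replace(".", ""))  # 17.698.816 -> 17698816
        entries.append(Entry(directory, stamp, size, m.group(4)))
    return entries


def flag_entries(entries: List[Entry], since: date,
                 known_ok: FrozenSet[str] = frozenset({"ntldr"})) -> List[Tuple[Entry, List[str]]]:
    """Apply the triage rules; returns (entry, reasons) for anything worth a closer look."""
    flagged: List[Tuple[Entry, List[str]]] = []
    for e in entries:
        name = e.name.lower()
        ext = name[name.rfind("."):] if "." in name else ""
        reasons: List[str] = []
        if not ext and name not in known_ok:           # extension-less files do not belong in system32 or C:\
            reasons.append("no file extension")
        if ext in EXECUTABLE_EXT and e.modified.date() >= since:
            reasons.append(f"executable modified on/after {since.isoformat()}")
        if ext in EXECUTABLE_EXT and "\\temp" in e.directory.lower():
            reasons.append("executable in a temp directory")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    # assumed cut-off: the infection was first noticed in April 2006
    for entry, why in flag_entries(parse_listing(SAMPLE_LISTING), date(2006, 4, 1)):
        print(f"{entry.directory}\\{entry.name}  ({entry.size} bytes, {entry.modified:%d.%m.%Y %H:%M}): {', '.join(why)}")
```

uninstall.exe in the Temp folder is also reported, as it should be: an unexplained executable in a temp directory is a review item even when it later turns out to be an installer leftover.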
20.04.2006, 18:13
Honorary member
Sabina

Posts: 29434
#13 delete with the Killbox:

C:\DOKUME~1\Markus\LOKALE~1\Temp\yayng2bn.exe
C:\WINDOWS\system32\HXJJN
C:\exit
C:\xayfdsjq.txt

restart the PC

run CleanUp again (in Safe Mode)

scan with Kaspersky and post the scan report
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security
20.04.2006, 20:12
...new here

Thread starter

Posts: 8
#14 Man oh man... I thought I was pretty much done with this junk. Hardly anything has changed. 19 viruses detected..... bad, bad.

Does it even make sense to delete them all??? When will I be done with this?

Drives G and H, by the way, are from another computer that I connected to mine.

Could it be that I keep picking up new viruses from the net whenever I go online?
Isn't the hardware firewall enough?

Here, first, the Kaspersky result:


Total number of scanned objects 107311
Number of viruses found 19
Number of infected objects 104
Number of suspicious objects 0
Duration of the scan process 01:03:30

Infected Object Name Virus Name Last Action
C:\avenger\backup-20.04.2006-15.53.55,93.zip/avenger/qm.sys Infected: Backdoor.Win32.Haxdoor.ih skipped
C:\avenger\backup-20.04.2006-15.53.55,93.zip/avenger/sndu64.sys Infected: Backdoor.Win32.Haxdoor.ih skipped
C:\avenger\backup-20.04.2006-15.53.55,93.zip ZIP: infected - 2 skipped
C:\avenger\backup.zip/avenger/gbbe.dll Infected: Trojan-Spy.Win32.Banker.akf skipped
C:\avenger\backup.zip/avenger/kl1.exe Infected: Trojan-Dropper.Win32.Small.amd skipped
C:\avenger\backup.zip/avenger/ms1.exe Infected: Trojan-Downloader.Win32.Small.cpa skipped
C:\avenger\backup.zip/avenger/parad.raw.exe Infected: Packed.Win32.Tibs skipped
C:\avenger\backup.zip/avenger/secure32.html Infected: Trojan.Win32.Harnig.k skipped
C:\avenger\backup.zip/avenger/taskdir.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped
C:\avenger\backup.zip/avenger/tool2.exe Infected: not-virus:Hoax.Win32.Renos.ca skipped
C:\avenger\backup.zip/avenger/winstall.exe Infected: not-virus:Hoax.Win32.Renos.ca skipped
C:\avenger\backup.zip ZIP: infected - 8 skipped
C:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\Outlook.pst/Persönliche Ordner/Gelöschte Objekte/29 Mar 2006 09:46 from VOLKSBANKEN RAIFFEISENBANKEN AG 2006:VOLK/bellboy.gif Infected: Trojan-Spy.HTML.Bankfraud.ot skipped
C:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 1 skipped
C:\Program Files\paytime.exe Infected: Trojan.Win32.StartPage.adi skipped
C:\Program Files\secure32.html Infected: Trojan.Win32.Harnig.k skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP162\A0022924.sys Infected: Backdoor.Win32.Haxdoor.ih skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP162\A0022925.sys Infected: Backdoor.Win32.Haxdoor.ih skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP172\A0024539.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP172\A0024540.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP172\A0024541.exe Infected: Trojan-Spy.Win32.Small.dg skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP172\A0024542.dll Infected: Trojan-Spy.Win32.Small.dg skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP172\A0024547.dll Infected: Trojan-Spy.Win32.Banker.azq skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP172\A0024576.sys Infected: Backdoor.Win32.Haxdoor.ih skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP172\A0024578.sys Infected: Backdoor.Win32.Haxdoor.ih skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP176\A0025363.dll Infected: Trojan-Spy.Win32.Banker.akf skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP176\A0025364.exe Infected: Trojan-Dropper.Win32.Small.amd skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP176\A0025365.exe Infected: Trojan-Downloader.Win32.Small.cpa skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP176\A0025366.exe Infected: Packed.Win32.Tibs skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP176\A0025369.dll Infected: Trojan-Proxy.Win32.Lager.aq skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP176\A0025371.exe Infected: not-virus:Hoax.Win32.Renos.ca skipped
C:\System Volume Information\_restore{DE32C5B7-8F71-4D54-9138-B39A4DE1C776}\RP176\A0025375.exe Infected: not-virus:Hoax.Win32.Renos.ca skipped
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\WINDOWS\system\ctldlg32.dll Infected: Trojan-Spy.Win32.Agent.lv skipped
F:\Programme\Programme\Hijackthis\backups\backup-20060402-113310-916.dll Infected: Trojan-Spy.Win32.Agent.lv skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor . ... /[From DEUTSCHE BANK ][Date Fri, 2 Dec 2005 15:04:27 +0100 (Westeuropäische Normalzeit)]/html Infected: Trojan-Spy.HTML.Bankfraud.li skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (West ... /[From Volksbanken Raiffeisenbanken AG ][Date Fri, 18 Nov 2005 15:00:30 +0100 (Westeuropäische Normalzeit)]/html Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F . ... /[From Christian Rex ][Date Tue, 22 Nov 2005 18:04:51 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F ... .. ... /[F ... /[From service@mitfahrzentrale.de][Date Wed, 23 Nov 2005 17:53:41 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F ... .. ... /[From bucklemania ][Date Thu, 24 Nov 2005 09:37:56 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F ... ... /[From Shirin.Sadigh@kremer-kommunikation.de][Date Thu, 24 Nov 2005 11:39:33 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F ... /[From reuven schockner ][Date Fri, 25 Nov 2005 18:06:40 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F .. . ... ... /[From Holger Lohmann ][Date Sat, 26 Nov 2005 16:02:08 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F .. . ... /[From Shirin.Sadigh@kremer-kommunikation.de][Date Mon, 28 Nov 2005 10:30:45 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F .. . ... /[From Shirin.Sadigh@kremer-kommunikation.de][Date Mon, 28 Nov 2005 11:16:38 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F .. ... /[From Hofmann, Janine ][Date Thu, 1 Dec 2005 10:30:42 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F ... /[From Daniel Toschka ][Date Thu, 1 Dec 2005 17:58:03 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F ... / ... /[From Shirin.Sadigh@kremer-kommunikation.de][Date Thu, 1 Dec 2005 18:13:42 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F ... / ... /[From Shirin.Sadigh@kremer-kommunikation.de][Date Thu, 1 Dec 2005 18:16:01 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F ... /[From Daniel T ... /[From alexandrahummel@aol.com][Date Mon, 5 Dec 2005 18:33:24 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[F ... /[From Daniel Toschka ][Date Tue, 6 Dec 2005 20:51:56 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Nor ... /[From Aylin Menemencioglu ][Date Thu, 8 Dec 2005 12:57:19 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Normalzeit)]/ ... /[From Thomas Condic ][Date Thu, 8 Dec 2005 16:53:39 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Normalzeit)]/UNN ... /[From Michael Gralla ][Date Thu, 8 Dec 2005 19:29:52 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Normalzeit)]/UNN ... /[From Shirin.Sadigh@kremer-kommunikation.de][Date Fri, 9 Dec 2005 08:35:32 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Normalzeit)]/UNN ... /[From Shiri ... /[From AlexSchuerner@web.de][Date Tue, 13 Dec 2005 11:55:18 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Normalzeit)]/UNN ... /[From Shirin.Sadigh@kremer-kommunikation.de][Date Tue, 13 Dec 2005 12:24:58 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Normalzeit)]/UNN ... /[From Shirin.Sadigh@kremer-kommunikation.de][Date Tue, 13 Dec 2005 12:49:14 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Normalzeit)]/UNNAMED/[F ... /[From leon lierzer ][Date Wed, 14 Dec 2005 12:40:43 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Normalzeit)]/UNNAMED/[From Hofman ... /[From AlexSchuerner@web.de][Date Fri, 16 Dec 2005 08:28:05 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Normalzeit)]/UNNAMED/[From Hofmann, Janine ][Date Fri, 16 Dec 2005 17:05:21 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED/[From Ronald Menke ][Date Tue, 20 Dec 2005 13:15:39 +0100 (Westeuropäische Normalzeit)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:05 +0000]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:04 +0000]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:03 +0000]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm Mail: infected - 31 skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\Outlook.pst/Persönliche Ordner/Posteingang/18 Nov 2005 14:08 from Volksbanken Raiffeisenbanken AG;)ie Infor.rtf Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\Outlook.pst/Persönliche Ordner/Posteingang/02 Dec 2005 14:08 from DEUTSCHE BANK;)EUTSCHE BANK INTERNET-BANK.rtf Infected: Trojan-Spy.HTML.Bankfraud.li skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 2 skipped
G:\Programme\Norton AntiVirus\Quarantine\04537A71/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
G:\Programme\Norton AntiVirus\Quarantine\04537A71 ZIP: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\04537A71 CryptFF: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\10EA7629/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
G:\Programme\Norton AntiVirus\Quarantine\10EA7629 ZIP: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\10EA7629 CryptFF: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\11661C35/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
G:\Programme\Norton AntiVirus\Quarantine\11661C35 ZIP: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\11661C35 CryptFF: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\330E3705/myphoto.jpg .exe Infected: Email-Worm.Win32.Dumaru.o skipped
G:\Programme\Norton AntiVirus\Quarantine\330E3705 ZIP: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\330E3705 CryptFF: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\33597CB3/myphoto.jpg .exe Infected: Email-Worm.Win32.Dumaru.o skipped
G:\Programme\Norton AntiVirus\Quarantine\33597CB3 ZIP: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\33597CB3 CryptFF: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\33767692/myphoto.jpg .exe Infected: Email-Worm.Win32.Dumaru.o skipped
G:\Programme\Norton AntiVirus\Quarantine\33767692 ZIP: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\33767692 CryptFF: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\373B66B4 Infected: Trojan-Downloader.Win32.Agent.zm skipped
G:\Programme\Norton AntiVirus\Quarantine\38652BB5/myphoto.jpg .exe Infected: Email-Worm.Win32.Dumaru.o skipped
G:\Programme\Norton AntiVirus\Quarantine\38652BB5 ZIP: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\38652BB5 CryptFF: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\67D52D58/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
G:\Programme\Norton AntiVirus\Quarantine\67D52D58 ZIP: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\67D52D58 CryptFF: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\69A0407D/myphoto.jpg .exe Infected: Email-Worm.Win32.Dumaru.o skipped
G:\Programme\Norton AntiVirus\Quarantine\69A0407D ZIP: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\69A0407D CryptFF: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\6E6C3C33/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
G:\Programme\Norton AntiVirus\Quarantine\6E6C3C33 ZIP: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\6E6C3C33 CryptFF: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\76A851D8/myphoto.jpg .exe Infected: Email-Worm.Win32.Dumaru.o skipped
G:\Programme\Norton AntiVirus\Quarantine\76A851D8 ZIP: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\76A851D8 CryptFF: infected - 1 skipped

So I apparently infected the drive quite thoroughly while installing Norton. How do the viruses get into the Avenger folders? Was there a virus in it when I downloaded it???
What can I do now? I'm slowly getting really frustrated with this cr.....

Thanks in advance for the help!

Regards
This post was edited on 20.04.2006 at 21:23 by mark-m.
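The scan log above lists dozens of hits, but almost all of them sit inside mail stores (`Inbox.imm`, `Outlook.pst`) or Norton's quarantine folder, where nothing executes by itself. The following is an added example (not part of the thread and not Kaspersky's own tooling) that parses lines in this log format, splits the on-disk container from the archive path Kaspersky appends after a `/`, and sorts the hits into dormant locations versus live files that need action first. The sample lines are shortened copies of lines from the excerpt plus one constructed live-file hit (`C:\Temp\eicar.com`, the EICAR test file) so every location class appears once; the location markers are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines shortened from the Kaspersky log excerpt above, plus one
# made-up "live file" hit (C:\Temp\eicar.com) so every location class appears once.
SAMPLE_LOG = r"""
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm/[From IncrediMail][Date Tue, 8 Jun 2004 12:00:02 +0000]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.kd skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\IM\Identities\{CE6A07AC-D2AB-4E12-8060-E6B30CC070DE}\Message Store\Inbox.imm Mail: infected - 31 skipped
G:\Dokumente und Einstellungen\Markus\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\Outlook.pst/Persönliche Ordner/Posteingang/02 Dec 2005 14:08 from DEUTSCHE BANK;)EUTSCHE BANK INTERNET-BANK.rtf Infected: Trojan-Spy.HTML.Bankfraud.li skipped
G:\Programme\Norton AntiVirus\Quarantine\04537A71/File-packed_dataInfo.exe Infected: Email-Worm.Win32.Sober.y skipped
G:\Programme\Norton AntiVirus\Quarantine\04537A71 ZIP: infected - 1 skipped
G:\Programme\Norton AntiVirus\Quarantine\330E3705/myphoto.jpg .exe Infected: Email-Worm.Win32.Dumaru.o skipped
G:\Programme\Norton AntiVirus\Quarantine\373B66B4 Infected: Trojan-Downloader.Win32.Agent.zm skipped
C:\Temp\eicar.com Infected: EICAR-Test-File skipped
"""

# One detection line reads "<path> Infected: <verdict> <action>". Kaspersky descends into
# archives and mail stores with '/', while Windows directories use '\', so the on-disk
# container is everything before the first '/'. Per-archive summary lines such as
# "ZIP: infected - 1 skipped" use a lowercase "infected" and are deliberately not matched.
DETECTION_RE = re.compile(r'^(?P<path>.+?)\s+Infected:\s+(?P<verdict>\S+)\s+(?P<action>\S+)\s*$')

# Containers where a hit is dormant: the scanner matches a signature, but nothing runs from
# there unless someone restores or opens it. These markers are assumptions for this example.
DORMANT_MARKERS = (
    ('quarantine', lambda c: '\\quarantine\\' in c),
    ('mail store', lambda c: c.endswith(('.imm', '.pst', '.dbx', '.mbx'))),
    ('tool backup', lambda c: '\\avenger\\' in c or '\\backups\\' in c),
)


def parse_detection(line):
    """Return {'path', 'container', 'verdict', 'action'} for a detection line, else None."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    path = m.group('path')
    return {
        'path': path,
        'container': path.split('/', 1)[0],
        'verdict': m.group('verdict'),
        'action': m.group('action'),
    }


def classify(container):
    """Label the on-disk container as 'quarantine', 'mail store', 'tool backup' or 'live file'."""
    c = container.lower()
    for label, test in DORMANT_MARKERS:
        if test(c):
            return label
    return 'live file'


def summarize(log_text):
    """Tally verdicts and container classes; list live-file containers, which need action first."""
    by_verdict, by_location, live = Counter(), Counter(), []
    for line in log_text.splitlines():
        hit = parse_detection(line)
        if hit is None:
            continue
        loc = classify(hit['container'])
        by_verdict[hit['verdict']] += 1
        by_location[loc] += 1
        if loc == 'live file' and hit['container'] not in live:
            live.append(hit['container'])
    return {'by_verdict': by_verdict, 'by_location': by_location, 'live': live}


if __name__ == '__main__':
    report = summarize(SAMPLE_LOG)
    for loc, n in report['by_location'].most_common():
        print(f'{n:3d}  {loc}')
    for verdict, n in report['by_verdict'].most_common():
        print(f'{n:3d}  {verdict}')
    print('live files needing removal:', report['live'] or 'none')
```

"Dormant" is a triage shortcut, not a guarantee: an infected attachment in a mail store is one double-click from live, and a quarantine entry can be restored, which is why the reply below still has the user delete the mails and empty the quarantine.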
20.04.2006, 23:59
Honorary member
Sabina

Posts: 29434
#15 It actually looks good ;) ...the worst is over... anyone else would have formatted, though... if they had seen the HijackThis log...

The viruses are now in the Avenger backup and no longer active... that's normal.

1.
Delete with Killbox:

C:\Program Files\paytime.exe
C:\Program Files\secure32.html
C:\avenger\backup-20.04.2006-15.53.55,93.zip
C:\avenger\backup.zip
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll
C:\WINDOWS\system\ctldlg32.dll

Restart the PC

2.
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".

3.
Delete all infected mails

This is how to remove the mails completely from the inbox:
1. Delete the mail from the inbox
2. Empty the trash
3. Compact the inbox (File menu)
http://virus-protect.org/artikel/newsletter/deutbkfraud.html

4.
smitfraudfix
http://virus-protect.org/artikel/tools/smitfrautfix.html
Work through it - post the log

5.
*
Empty Norton's quarantine
*
Delete:
F:\Programme\Programme\Hijackthis\backups\backup-20060402-113310-916.dll

6.
Scan again with Kaspersky ;)
__________
Kind regards, Sabina

all about PC security