Virus TR/Dldr.Multi.B.4.J auf meinem system, Antivir machtlos

#0
26.04.2006, 12:11
Member

Beiträge: 12
#1 Hi! Ich hab mir den Virus TR/Dldr.Multi.B.4.J eingefangen, antivir schaffts nicht, ihn zu entfernen...
habt ihr vielleicht irgendwelche tipps dazu?
wäre echt hilfreich...
__________
Die Antwort: 42
Seitenanfang Seitenende
26.04.2006, 12:22
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#2 Blans

1.
stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

2.
Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html

3.
Hijackthis
http://computercops.biz/zx/Merijn/hijackthis.zip
http://virus-protect.org/hjtkurz.html
Lade/entpacke HijackThis in einem Ordner
--> None of the above just start the program --> Save--> Savelog -->es öffnet sich der Editor
nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und ins Forum mit rechtem Mausklick "einfügen"
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
26.04.2006, 12:41
Member

Themenstarter

Beiträge: 12
#3 kommt der datfind.bat log:
Nr1:
Verzeichnis von C:\WINDOWS\system32

26.04.2006 11:58 14.848 BASSMOD.dll
26.04.2006 11:55 29.204 nvapps.xml
23.04.2006 19:34 2.828 KGyGaAvL.sys
23.04.2006 13:59 231.184 FNTCACHE.DAT
22.04.2006 00:02 81.920 ElbyCDIO.dll
21.04.2006 11:19 3.045 sdbackup.reg
16.04.2006 04:09 664 d3d9caps.dat
03.04.2006 18:27 1.158 wpa.dbl
28.03.2006 14:29 53.572 perfc009.dat
28.03.2006 14:29 381.828 perfh009.dat
28.03.2006 14:29 392.842 perfh007.dat
28.03.2006 14:29 64.650 perfc007.dat
28.03.2006 14:29 902.476 PerfStringBackup.INI
17.02.2006 13:20 3.521.856 mi2.exe
17.02.2006 13:18 368.739 mi1.exe
11.02.2006 17:56 7.006 jupdate-1.5.0_06-b05.log
26.01.2006 20:36 716.800 divxdec.ax
26.01.2006 20:36 574.976 DivX.dll
26.01.2006 20:35 679.936 divx_xx07.dll
26.01.2006 20:35 679.936 divx_xx0c.dll
26.01.2006 20:35 663.552 divx_xx11.dll
24.01.2006 20:08 12.288 DivXWMPExtType.dll
18.01.2006 14:05 57.344 avsda.dll

Nr2:
Verzeichnis von C:\DOKUME~1\EVASTB~1\LOKALE~1\Temp

26.04.2006 11:55 32.768 ~DF6AA8.tmp

Nr3:
Verzeichnis von C:\WINDOWS

26.04.2006 12:25 759.682 setupapi.log
26.04.2006 11:55 0 0.log
26.04.2006 11:55 2.048 bootstat.dat
26.04.2006 11:54 50.646 WindowsUpdate.log
25.04.2006 21:44 822 wiadebug.log
25.04.2006 19:56 3.932.214 wallpaper.bmp
25.04.2006 19:54 50 wiaservc.log
23.04.2006 18:49 69 NeroDigital.ini
23.04.2006 14:08 32.386 FontData.fdb
23.04.2006 12:38 63.073 iis6.log
23.04.2006 12:38 158.624 tsoc.log
23.04.2006 12:38 1.917 imsins.log
23.04.2006 12:38 138.047 comsetup.log
23.04.2006 12:38 82.252 ntdtcsetup.log
23.04.2006 12:38 21.532 ocmsn.log
23.04.2006 12:38 20.193 msgsocm.log
23.04.2006 12:38 198.290 ocgen.log
23.04.2006 12:38 416.044 FaxSetup.log
23.04.2006 12:06 54.156 QTFont.qfn
21.04.2006 20:21 50.673 wmsetup.log
21.04.2006 18:50 1.409 QTFont.for
21.04.2006 13:10 482 win.ini
21.04.2006 11:07 28.503 DirectX.log
23.03.2006 23:17 250 KLETT.INI
22.03.2006 17:35 516 WININIT.INI
22.03.2006 17:35 123 TMPCPYIS.BAT
22.03.2006 17:35 122 TMPDELIS.BAT
22.03.2006 17:35 26 WINSTART.BAT
22.03.2006 17:35 1.040 ODBC.INI
22.03.2006 17:34 4.429 ODBCINST.INI
21.02.2006 13:57 12.862 EPISMG00.SWB
14.01.2006 15:39 0 iPlayer.INI

Nr4:
Verzeichnis von C:\

26.04.2006 12:40 0 sys.txt
26.04.2006 12:40 8.619 system.txt
26.04.2006 12:39 287 systemtemp.txt
26.04.2006 12:36 105.129 system32.txt
26.04.2006 12:12 0 ms1.exe
26.04.2006 12:05 3.063 secure32.html
26.04.2006 12:05 32.768 winstall.exe
26.04.2006 12:05 73.728 kl1.exe
26.04.2006 12:05 0 uniq
26.04.2006 11:55 1.073.270.784 hiberfil.sys
26.04.2006 11:55 1.610.612.736 pagefile.sys
07.01.2006 19:47 0 ________


Und hier der hijackthislog:

Logfile of HijackThis v1.99.1
Scan saved at 12:44:13, on 26.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\ANYCOM\Blue USB-200-250\BTTray.exe
C:\Programme\NetCommy\NetCommy.exe
C:\Programme\ANYCOM\Blue USB-200-250\bin\btwdins.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLService.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
c:\Program Files\paytime.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
D:\Download\BSINSTALL.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Eva Stübel\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: 3 Search with Google - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - C:\Programme\Google Toolbar\toolbar-w-google-r.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: XBTB06823 - {BA463437-C3DE-47da-8280-87596824388A} - C:\PROGRA~1\GOOGLE~1\TOOLBA~1.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: 3 Search with Google - {6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89} - C:\Programme\Google Toolbar\toolbar-w-google-r.dll
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus D88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P23 "EPSON Stylus D88 Series" /O6 "USB001" /M "Stylus D88"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EumexInst] "F:\Setup.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [BearShare] "C:\Programme\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SysTray] c:\Program Files\paytime.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Programme\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [E06DXLRD_7032968] "C:\Programme\Microsoft Encarta\Encarta 2006 Enzyklopaedie DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [shell] "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: NetCommy-Autostart.lnk = C:\Programme\NetCommy\NetCommy.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Programme\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\ANYCOM\Blue USB-200-250\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\ANYCOM\Blue USB-200-250\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin2.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O20 - Winlogon Notify: nkunpack - C:\WINDOWS\SYSTEM32\nkunpack.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\ANYCOM\Blue USB-200-250\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe


vielen herzlich dank im vorraus...
__________
Die Antwort: 42
Dieser Beitrag wurde am 26.04.2006 um 12:45 Uhr von Blans editiert.
Seitenanfang Seitenende
26.04.2006, 14:20
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#4 Blans

Avenger
http://virus-protect.org/artikel/tools/avenger.html

kopiere rein:

Zitat

Files to delete:

D:\Download\BSINSTALL.exe
C:\WINDOWS\system32\mi2.exe
C:\WINDOWS\system32\mi1.exe
C:\WINDOWS\SYSTEM32\nkunpack.dll
c:\Program Files\paytime.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.dll
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00002.dll
C:\WINDOWS\system32\service\dll.dll
C:\WINDOWS\system32\service\dllp.txt
C:\WINDOWS\system32\service\explorer.exe
C:\ms1.exe
C:\secure32.html
C:\winstall.exe
C:\kl1.exe
C:\uniq
klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

Zitat

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

F2 - REG:system.ini: Shell=explorer.exe "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"

O4 - HKLM\..\Run: [SysTray] c:\Program Files\paytime.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Programme\Free Download Manager\fdm.exe -autorun

O4 - HKCU\..\Run: [shell] "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Programme\Free Download Manager\dlpage.htm

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)

O20 - Winlogon Notify: nkunpack - C:\WINDOWS\SYSTEM32\nkunpack.dll
PC neustarten

-----------
0.
deinstalliere:
C:\Programme\BearShare
C:\Programme\Free Download Manager

1.
poste das Log vom avenger

2.
ewido (scanne und poste den report)
http://virus-protect.org/ewido.html

3.
RootkitRevealer-> poste das Log
http://www.sysinternals.com/Utilities/RootkitRevealer.html

4.
poste das Log vom Silentrunner
Die Option "Supplementary Searches" waehlen
http://virus-protect.org/silentrunner.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
26.04.2006, 15:10
Member

Themenstarter

Beiträge: 12
#5 Hier kommt das Avengerlog:
ich hab zusätzlich & im Nachhinein noch die C:\WINDOWS\SYSTEM32\nkunpack.dll
hinzugefügt, da antivir ständig gemeldet hat, dass in dieser datei der trojaner TR/Dldr.Multi.B.4.J sitzen würde


1.Log
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bgqldxni

*******************

Script file located at: \??\C:\WINDOWS\wouxavlh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File D:\Download\BSINSTALL.exe deleted successfully.
File C:\WINDOWS\system32\mi2.exe deleted successfully.
File C:\WINDOWS\system32\mi1.exe deleted successfully.
File c:\Program Files\paytime.exe deleted successfully.
File C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.exe deleted successfully.


File C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.dll not found!
Deletion of file C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.dll failed!

Could not process line:
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00001.dll
Status: 0xc0000034

File C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00002.dll deleted successfully.


Could not open file C:\WINDOWS\system32\service\dll.dll for deletion
Deletion of file C:\WINDOWS\system32\service\dll.dll failed!

Could not process line:
C:\WINDOWS\system32\service\dll.dll
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\service\dllp.txt for deletion
Deletion of file C:\WINDOWS\system32\service\dllp.txt failed!

Could not process line:
C:\WINDOWS\system32\service\dllp.txt
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\service\explorer.exe for deletion
Deletion of file C:\WINDOWS\system32\service\explorer.exe failed!

Could not process line:
C:\WINDOWS\system32\service\explorer.exe
Status: 0xc000003a

File C:\ms1.exe deleted successfully.
File C:\secure32.html deleted successfully.
File C:\winstall.exe deleted successfully.
File C:\kl1.exe deleted successfully.
File C:\uniq deleted successfully.

Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bgqldxni

*******************

Script file located at: \??\C:\WINDOWS\wouxavlh.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!


2.Log
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ocbcqcdm

*******************

Script file located at: \??\C:\WINDOWS\pwqkwfob.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\nkunpack.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

ewido-report:

---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------

+ Erstellt am: 15:36:28, 26.04.2006
+ Report-Checksumme: 154B2BB5

+ Scanergebnis:

HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Gesäubert mit Backup
C:\avenger\backup-26.04.2006-14.48.58,14.zip/avenger/ibm00001.exe -> Trojan.Sinowal.l : Fehler beim Säubern
C:\avenger\backup-26.04.2006-14.48.58,14.zip/avenger/ibm00002.dll -> Trojan.Sinowal.l : Fehler beim Säubern
C:\avenger\backup-26.04.2006-14.48.58,14.zip/avenger/kl1.exe -> Trojan.Sinowal.l : Fehler beim Säubern
C:\avenger\backup.zip/avenger/nkunpack.dll -> Backdoor.Haxdoor.hh : Fehler beim Säubern
:mozilla.16:C:\Dokumente und Einstellungen\Eva Stübel\Anwendungsdaten\Mozilla\Firefox\Profiles\vk23fh95.default\cookies.txt -> TrackingCookie.Ivwbox : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Eva Stübel\Eigene Dateien\ICQ Lite\217618095\Kadda_295678998\einfach genial.EXE -> Not-A-Virus.BadJoke.Win32.Badgame : Gesäubert mit Backup
C:\zia00284/avenger/nkunpack.dll -> Backdoor.Haxdoor.hh : Fehler beim Säubern
C:\zia00712/avenger/ibm00001.exe -> Trojan.Sinowal.l : Fehler beim Säubern
C:\zia00712/avenger/ibm00002.dll -> Trojan.Sinowal.l : Fehler beim Säubern
C:\zia00712/avenger/kl1.exe -> Trojan.Sinowal.l : Fehler beim Säubern
D:\Download\Adobe_Serial_Generator_v2.04Raibiez.zip/crack.exe -> Downloader.Harnig.ax : Fehler beim Säubern
D:\Download\readme_translator.exe -> Adware.Stud : Gesäubert mit Backup


::Report Ende

rootkitreveal report:

HKLM\S-1-5-21-3349688752-2729225167-2751615303-1007\Software\Zepter Software\RegLib*0885d7b1 23.04.2006 22:51 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s0 28.12.2005 13:53 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s1 28.12.2005 13:53 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\s2 28.12.2005 13:53 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\g0 28.12.2005 13:53 32 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\h0 28.12.2005 13:53 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 28.12.2005 14:38 0 bytes Hidden from Windows API.
C:\Dokumente und Einstellungen\Eva Stübel\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\vk23fh95.default\Cache\AD54DB3Fd01 26.04.2006 15:43 71.50 KB Hidden from Windows API.
C:\Dokumente und Einstellungen\Eva Stübel\Lokale Einstellungen\Temp\Silent Runners.zip 26.04.2006 15:43 71.50 KB Hidden from Windows API.
C:\System Volume Information\_restore{FF6E7E15-8DD2-4E51-A0A5-00FCCC22C32F}\RP35\A0011096.exe 26.04.2006 12:05 1.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{FF6E7E15-8DD2-4E51-A0A5-00FCCC22C32F}\RP35\A0011097.dll 26.04.2006 12:05 61.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{FF6E7E15-8DD2-4E51-A0A5-00FCCC22C32F}\RP35\A0011098.exe 26.04.2006 12:05 72.00 KB Visible in Windows API, but not in MFT or directory index.

silentrunnerslog:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Power2GoExpress" = "*Z" (unwritable string) [file not found]
"NBJ" = ""C:\Programme\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]
"E06DXLRD_7032968" = ""C:\Programme\Microsoft Encarta\Encarta 2006 Enzyklopaedie DVD\EDICT.EXE" -m" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Verknüpfung mit der High Definition Audio-Eigenschaftenseite" = "HDAShCut.exe" ["Windows (R) Server 2003 DDK provider"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}" = ""C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"" ["CyberLink Corp."]
"PCMService" = ""C:\Program Files\CyberLink\PowerCinema\PCMService.exe"" ["CyberLink Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"EPSON Stylus D88 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P23 "EPSON Stylus D88 Series" /O6 "USB001" /M "Stylus D88"" ["SEIKO EPSON CORPORATION"]
"DAEMON Tools" = ""C:\Programme\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"EumexInst" = ""F:\Setup.exe"" [file not found]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["H+BEDV Datentechnik GmbH"]
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"BearShare" = ""C:\Programme\BearShare\BearShare.exe" /pause" [file not found]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"AnyDVD" = "C:\Programme\SlySoft\AnyDVD\AnyDVD.exe" ["SlySoft, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion BHO"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{BA463437-C3DE-47da-8280-87596824388A}\(Default) = "XBTB06823"
-> {HKLM...CLSID} = "XBTB06823 Class"
\InProcServer32\(Default) = "C:\PROGRA~1\GOOGLE~1\TOOLBA~1.DLL" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "Bluetooth-Umgebung"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "C:\WINDOWS\system32\wmfhotfix.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Group Policies [Description]:
-----------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001
[enables Active Desktop and prevents disabling it]

"Wallpaper" = (value not set)
[disables the Display Properties|Desktop (tab) (except the "Customize
Desktop..." button); selects wallpaper if Active Desktop is enabled]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop enabled via Group Policy.

Wallpaper selected via Group Policy.


Startup items in "Eva Stübel" & "All Users" startup folders:
------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"BTTray" -> shortcut to: "C:\Programme\ANYCOM\Blue USB-200-250\BTTray.exe" ["Broadcom Corporation."]
"NetCommy-Autostart" -> shortcut to: "C:\Programme\NetCommy\NetCommy.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll" ["Yahoo! Inc."]
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]
"{6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89}"
-> {HKLM...CLSID} = "3 Search with Google"
\InProcServer32\(Default) = "C:\Programme\Google Toolbar\toolbar-w-google-r.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Companion"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll" ["Yahoo! Inc."]
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]
"{6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89}" = (no title provided)
-> {HKLM...CLSID} = "3 Search with Google"
\InProcServer32\(Default) = "C:\Programme\Google Toolbar\toolbar-w-google-r.dll" [file not found]

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{B205A35E-1FC4-4CE3-818B-899DBBB3388C}\

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Programme\ANYCOM\Blue USB-200-250\btsendto_ie.htm" [null data]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" ["Yahoo! Inc."]

{F4430FE8-2638-42E5-B849-800749B94EED}\
"ButtonText" = "PartyPoker.net"
"MenuText" = "PartyPoker.net"
"Exec" = "C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe" [file not found]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]
"{6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89}" = (no title provided)
-> {HKLM...CLSID} = "3 Search with Google"
\InProcServer32\(Default) = "C:\Programme\Google Toolbar\toolbar-w-google-r.dll" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Bluetooth Service, btwdins, "C:\Programme\ANYCOM\Blue USB-200-250\bin\btwdins.exe" ["Broadcom Corporation."]
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\system32\drivers\CDAC11BA.EXE" ["Macrovision"]
CyberLink Background Capture Service (CBCS), CLCapSvc, ""C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe"" [empty string]
CyberLink Media Library Service, CyberLink Media Library Service, ""C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe"" ["Cyberlink"]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Programme\CyberLink\Shared Files\RichVideo.exe"" [empty string]
CyberLink Task Scheduler (CTS), CLSched, ""C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe"" [empty string]
ewido security suite control, ewido security suite control, "C:\Programme\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth-Druckeranschluss\Driver = "bthcrp.dll" ["Broadcom Corporation."]
EPSON Stylus D88 Series 2KMonitor5E\Driver = "E_FLMABE.DLL" ["SEIKO EPSON CORPORATION"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 13 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 10 seconds.
---------- (total run time: 40 seconds)


und es ist noch ein neues problem aufgetreten:
der desktophintergrund ist jetzt nur noch einfarbig, und bei den anzeigeeigenschaften unter dem registerreiter "Desktop" ist das feld, in dem man normalerweise das hintergrundbild einstellt, inaktiv, ebenso wie der button "Durchsuchen" daneben. die einzigen aktiven felder sind "Farbe" und "Desktop anpassen"... wenn du da noch ne idee hättest... das wäre echt genial...


vielen dank schonmal, meine schwester ist ganz happy, das war nämlich ihr rechner...
__________
Die Antwort: 42
Dieser Beitrag wurde am 26.04.2006 um 16:09 Uhr von Blans editiert.
Seitenanfang Seitenende
26.04.2006, 16:58
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#6 1.
loesche:

C:\avenger\backup.zip
C:\zia00284
C:\zia00712
D:\Download\Adobe_Serial _ Generator _v2.04Raibiez.zip

-------------------------------------------------------------------
2.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fix.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.

Zitat

REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=-
"NoViewContextMenu"=-
"NoActiveDesktop"=-
"ForceActiveDesktopOn"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoAddingComponents"=-
"NoComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-
"NoCloseDragDropBands"=-
"NoMovingBands"=-
"NoHTMLWallPaper"=-
"NoChangingWallPaper"=-
3.
Die Datei "fix.reg" auf dem Desktop doppelklicken.
und der Registry mit "ja" beifuegen

PC neustarten

---------------

4.
Arbeitsplatz-->Rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.
(nach der Reinigung wieder aktivieren)

5.
scanne mit Kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
26.04.2006, 18:49
Member

Themenstarter

Beiträge: 12
#7 KASPERSKY ON-LINE SCANNER REPORT
Wednesday, April 26, 2006 6:45:46 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 26/04/2006
Kaspersky Anti-Virus database records: 178567
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
Scan Statistics
Total number of scanned objects 88914
Number of viruses found 3
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 00:58:54

Infected Object Name Virus Name Last Action
C:\Program Files\secure32.html Infected: Trojan.Win32.Harnig.a skipped
D:\Download\adobephotoshopalbumstarter20_MhOxAiVqPsBcAuDf.zip/Freecheats.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ki skipped
D:\Download\adobephotoshopalbumstarter20_MhOxAiVqPsBcAuDf.zip/Freecheats.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.ny skipped
D:\Download\adobephotoshopalbumstarter20_MhOxAiVqPsBcAuDf.zip/Freecheats.exe Infected: Trojan-Downloader.Win32.IstBar.ny skipped
D:\Download\adobephotoshopalbumstarter20_MhOxAiVqPsBcAuDf.zip ZIP: infected - 3 skipped
Scan process completed

Vielen Dank nochmal...
__________
Die Antwort: 42
Seitenanfang Seitenende
26.04.2006, 22:38
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#8 Blans

loesche:
C:\Program Files\secure32.html

D:\Download\adobephotoshopalbumstarter20_MhOxAiVqPsBcAuDf.zip
D:\Download\Adobe_Serial _ Generator _v2.04Raibiez.zip

dann sage deiner Schwester, sie soll in Zukunft keine C r a c s mehr laden ;)

.............................

arbeite das noch ab...dann sollte wieder alles sauber sein .
http://virus-protect.org/artikel/tools/smitfrautfix.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende