Verknüpfungsprobleme - Browserfehler oder Virenbefall?! |
||
---|---|---|
#0
| ||
05.05.2006, 01:10
Ehrenmitglied
Beiträge: 29434 |
||
|
||
05.05.2006, 17:12
Member
Themenstarter Beiträge: 37 |
#17
Hab die File gedownloadet. Mein Antiv Virus sagt mir:
Warnmeldung: Bösartiges Sript entdeckt! Datei: ---------\silent runners.vbs Aktion: Dieses Skript stoppen (empfohlen) Soll ich trotzdem öffnen? |
|
|
||
06.05.2006, 00:03
Ehrenmitglied
Beiträge: 29434 |
#18
ja, das passiert...beachte es bitte nicht, klicke auf "erlauben"
__________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
06.05.2006, 10:40
Member
Themenstarter Beiträge: 37 |
#19
Hier der Report, hoffe man kann den Traffic und solche Spyware daraus erkennen:
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS] "msnmsgr" = ""C:\Programme\MSN Messenger\msnmsgr.exe" /background" [MS] "H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Ptipbmf" = "rundll32.exe ptipbmf.dll,SetWriteCacheMode" [MS] "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS] "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS] "ccApp" = "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" ["Symantec Corporation"] "ccRegVfy" = "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe" ["Symantec Corporation"] "VC5Player" = "C:\Programme\HHVcdV5Sys\VC5Play.exe" ["H+H Software GmbH"] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."] "ScanRegistry" = "C:\W" [file not found] "RecSche" = ""C:\Programme\LifeView TVR\RecSche.exe"" [file not found] "SunServer" = "C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe" ["Sunbelt Software"] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."] {BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper" -> {HKLM...CLSID} = "CNavExtBho Class" \InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung" \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {HKLM...CLSID} = "Portable Media Devices" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] "{0AC6C6C5-F7A8-11D2-BEF4-00C04F990001}" = "Allaire FTP & RDS" -> {HKLM...CLSID} = "Allaire FTP & RDS" \InProcServer32\(Default) = "C:\WINDOWS\system32\CFSHEL~1.DLL" ["Allaire Corp."] "{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD" -> {HKLM...CLSID} = "CloneCD Shell Extension" \InProcServer32\(Default) = "C:\Programme\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"] "{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References" -> {HKLM...CLSID} = "ShellLink for Application References" \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS] "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References" -> {HKLM...CLSID} = "Shell Icon Handler for Application References" \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" -> {HKLM...CLSID} = "IEContextMenu Class" \InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" -> {HKLM...CLSID} = "IEContextMenu Class" \InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] Default executables: -------------------- HKCU\Software\Classes\.bat\(Default) = (value not set) HKCU\Software\Classes\.cmd\(Default) = (value not set) HKCU\Software\Classes\.com\(Default) = (value not set) HKCU\Software\Classes\.exe\(Default) = (value not set) HKCU\Software\Classes\.hta\(Default) = (value not set) Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Startup items in "aa" & "All Users" startup folders: ------------------------------------------------------------- C:\Dokumente und Einstellungen\aa\Startmenü\Programme\Autostart "FRITZ!DSL Protect" -> shortcut to: "C:\Programme\FRITZ!DSL\FwebProt.exe" ["AVM Berlin"] Enabled Scheduled Tasks: ------------------------ "Norton AntiVirus - Meinen Computer prüfen" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOKUME~1\ALLUSE~1\ANWEND~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"] "Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "C:\Programme\FRITZ!DSL\sarah.dll" ["AVM Berlin"] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\Programme\FRITZ!DSL\sarah.dll ["AVM Berlin"], 01 - 03, 23 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 22 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided) -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] HOSTS file ---------- C:\WINDOWS\System32\drivers\etc\HOSTS maps: 5 domain names to IP addresses, 2 of the IP addresses are *not* localhost! Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVM IGD CTRL Service, AVM IGD CTRL Service, "C:\Programme\FRITZ!DSL\IGDCTRL.EXE" ["AVM Berlin"] LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."] Norton AntiVirus Auto-Protect-Dienst, navapsvc, "C:\Programme\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"] NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"] SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Programme\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."] Symantec Event Manager, ccEvtMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"] Virtual CD v5 Security service, VC5SecS, "C:\Programme\HHVcdV5Sys\VC5SecS.exe" ["H+H Software GmbH"] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 21 seconds, including 7 seconds for message boxes) |
|
|
||
06.05.2006, 15:27
Ehrenmitglied
Beiträge: 29434 |
#20
es ist alles in Ordnung, vielleicht nimmst du ueber Start - Ausfuehren - msconfig (letzter Reiter) den VC5Player aus dem Systemstart, vielleicht verursacht er den hohen Traffic
den CounterSpy kaufe nach 14 Tagen..oder deinstalliere ihn. __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
06.05.2006, 16:39
Member
Themenstarter Beiträge: 37 |
#21
big thx, nur ein Problem habe ich noch, sorry.
Im Startmenü gibt es den Eintrag: Systemstartelement: W Befehl: C:\W In einem anderen Thread habe ich gelesen, dass man das mit Hijackis scannen tut und im abgesicherten Modus löschen kann. Ist das eine Spyware ? |
|
|
||
06.05.2006, 16:41
Ehrenmitglied
Beiträge: 29434 |
#22
ja, du kannst es mit HijackThis fixen oder ueber msconfig rausnehmen und loeschen. (ich denke aber, du findest es nicht mehr)
in der Registry kannst du es ebenfalls rausloeschen... HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ScanRegistry" = "C:\W" __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
30.09.2006, 20:21
...neu hier
Beiträge: 1 |
#23
Hallo Sabina,
habe einen über Symantec einen Online-Scan drüberlaufen lassen. Da hat meine Firewall F-Secure Internet Security Alarm geschlagen. Eine Anwendung mit dem Namen WSOOPScan.exe will auf das Internet zugreifen. Hatte zuerst gedacht das gehört zu Symantec. Habe es aber nachher nicht mehr zugelassen. Über google.de gesucht und auf die HP hier gelandet. Den Beitrag gelesen. Aber ehrlich gesagt, verstehe ich nur Bahnhof. Habe ich jetzt einen Virus, Trojaner o. ä.? F-Secure hat nix von dergleichen gefunden. Nur halt das Programm auf Internet zugreifen will. Habe die EXE-Datei vorsichtshalber mal gelöscht. Wenn das ein Schädling war/ist, für was habe ich dann F-Secure...? Ist denn jetzt nach meinem Löschen alles weg? Danke! Dago |
|
|
||
01.10.2006, 00:36
Ehrenmitglied
Beiträge: 29434 |
#24
DagobertD
wenn du in Zukunft einmal eine suspekte Datei hast, lasse sie ueberpruefen: Zitat virustotalC:\Documents and Settings\Owner\Application Data\WholeSecurity\CAT\WSOOPScan.exe __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
http://virus-protect.org/silentrunner.html
__________
MfG Sabina
rund um die PC-Sicherheit