Win32:Zlob.CW infected, antivirus: Avast Home, WinXP SP2

04.06.2006, 13:25

#1 Hello everyone

My parents' PC has caught something again, and this time I'm at my wits' end too.

The warning pops up about every 20 minutes, and the trojan cannot be moved, deleted or renamed.
Avast reports the following:

c:\windows\system32\ld101.tmp
Win32:Zlob-CW [Trj]

I'd be grateful for quick help.

1. HijackThis logfile:

Quote

Logfile of HijackThis v1.99.1
Scan saved at 12:51:06, on 04.06.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Programme\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Brother\ControlCenter2\brctrcen.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\RADIX\PROTECT6\rdprsv.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Radix\Protect6\RdxSet.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Dokumente und Einstellungen\Ryser\Desktop\virusgaggi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Bluewin Toolbar - {4E7BD74F-2B8D-469E-DCF7-E869A199B87D} - C:\WINDOWS\DOWNLO~1\bluewin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programme\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.4000.1001\de-ch\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Bluewin Toolbar - {4E7BD74F-2B8D-469E-DCF7-E869A199B87D} - C:\WINDOWS\DOWNLO~1\bluewin.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.4000.1001\de-ch\msntb.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvMixerTray] C:\Programme\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Programme\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Radix Protector.lnk = C:\RADIX\PROTECT6\RdxStart.exe
O4 - Global Startup: Status Monitor.lnk = C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O21 - SSODL: CANONBJ_Deinstall_CNMCP3m.DLL - {70A7095F-3C3C-5C0F-32F9-6253715E44C7} - c:\bjprinter\cnmwindows\canon s520 installer\inst2\wvuxwsy7.dll (file missing)
O21 - SSODL: Age of Empires 2.0 - {3A0D5FEF-0C18-D314-3E41-EE5DD261BB7F} - c:\programme\microsoft games\age of empires ii\winmaualc5.dll (file missing)
O21 - SSODL: AntiVir/XP - {F4513941-F00A-0F71-1964-CDA800704CD2} - c:\programme\avpersonal\winkmknst32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: RadixPRsv - Radix Technologies Ltd. - C:\RADIX\PROTECT6\rdprsv.exe

2. Cleanup run

3. Datfind logs

Quote

system32:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 0835-A01A

Verzeichnis von C:\WINDOWS\system32

04.06.2006 13:01 30.733 ld101.tmp
04.06.2006 12:49 4.908 stdole3.tlb

04.06.2006 12:06 3.002 CONFIG.NT
03.06.2006 19:49 4.286 ot.ico
03.06.2006 19:49 4.286 ts.ico

31.05.2006 11:02 624.640 aswBoot.exe
31.05.2006 10:54 90.112 AVASTSS.scr
30.05.2006 07:48 13.646 wpa.dbl
29.05.2006 23:15 38.925 regperf.exe
04.05.2006 06:26 5.818.784 MRT.exe
22.04.2006 19:10 5.632 pndx5032.dll
22.04.2006 19:10 6.656 pndx5016.dll
18.04.2006 09:06 174.672 FNTCACHE.DAT
30.03.2006 11:26 1.492.480 shdocvw.dll

Quote

temp:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 0835-A01A

Verzeichnis von C:\DOKUME~1\Ryser\LOKALE~1\Temp

04.06.2006 13:14 854 TWAIN.LOG
04.06.2006 13:14 3 Twain001.Mtx
04.06.2006 13:14 156 Twunk001.MTX
04.06.2006 13:08 49.152 ~DF7CBB.tmp
04.06.2006 13:02 0 Twunk002.MTX
5 Datei(en) 50.165 Bytes
0 Verzeichnis(se), 8.483.053.568 Bytes frei

Quote

windows:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 0835-A01A

Verzeichnis von C:\WINDOWS

10.08.2006 14:41 8.192 Thumbs.db
04.06.2006 13:09 1.562.142 WindowsUpdate.log
04.06.2006 13:02 261 wiadebug.log
04.06.2006 13:02 0 0.log
04.06.2006 13:01 50 wiaservc.log
04.06.2006 13:00 2.048 bootstat.dat
04.06.2006 13:00 32.552 SchedLgU.Txt
04.06.2006 12:04 1.911 win.ini
03.06.2006 22:21 54.156 QTFont.qfn
30.05.2006 12:47 490 BIO.INI
29.05.2006 19:31 1.409 QTFont.for
22.05.2006 19:22 60.298 iis6.log
22.05.2006 19:22 140.708 comsetup.log
22.05.2006 19:22 84.688 ntdtcsetup.log
22.05.2006 19:22 155.372 tsoc.log
22.05.2006 19:22 1.374 imsins.log
22.05.2006 19:22 11.231 KB904942.log
22.05.2006 19:22 22.075 ocmsn.log
22.05.2006 19:22 203.833 ocgen.log
22.05.2006 19:22 20.149 msgsocm.log
22.05.2006 19:22 387.959 FaxSetup.log
22.05.2006 19:22 728.678 setupapi.log
22.05.2006 19:22 28.652 updspapi.log
09.05.2006 21:27 1.355 imsins.BAK
09.05.2006 21:27 12.236 KB913580.log
08.05.2006 20:22 126 _delis43.ini
03.05.2006 16:43 128.419 wmsetup.log
26.04.2006 09:01 11.845 KB900485.log
18.04.2006 09:07 2.130 spupdsvc.log
17.04.2006 21:45 15.385 KB908531.log
17.04.2006 21:45 14.512 KB911562.log
17.04.2006 21:44 17.646 KB912812.log
17.04.2006 21:43 17.488 KB911565.log
17.04.2006 21:43 11.138 KB911567.log
17.04.2006 19:28 1.599 7thlevel.ini
06.04.2006 20:02 8.256 WGA.log
07.03.2006 18:02 129.654 Firefox Wallpaper.bmp

Quote

c:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 0835-A01A

Verzeichnis von C:\

04.06.2006 13:19 0 sys.txt
04.06.2006 13:18 8.829 system.txt
04.06.2006 13:17 489 systemtemp.txt
04.06.2006 13:08 96.133 system32.txt
04.06.2006 13:00 536.399.872 hiberfil.sys
04.06.2006 13:00 805.306.368 pagefile.sys
04.06.2006 12:04 13.030 PDOXUSRS.NET
14.04.2006 09:50 0 AILog.txt
18.02.2006 16:51 1.120 INSTALL.LOG
29.11.2005 09:07 211 boot.ini
26.09.2005 12:35 92 ResumeOmgApDeliveryMgrCntrl_SonicStage_EmdDownloadObj.dmf
16.07.2005 12:57 411.648 DOKUM
16.06.2005 16:04 176 nvmixer.log
29.01.2005 19:20 0 MSDOS.SYS
29.01.2005 19:20 0 CONFIG.SYS
29.01.2005 19:20 0 IO.SYS
29.01.2005 19:20 0 AUTOEXEC.BAT
04.08.2004 14:00 251.184 NTLDR
04.08.2004 14:00 47.564 NTDETECT.COM
04.08.2004 14:00 4.952 bootfont.bin
24.05.2001 13:59 162.304 UNWISE.EXE
21 Datei(en) 1.342.703.972 Bytes
0 Verzeichnis(se), 8.483.053.568 Bytes frei

BTW: I used the search and found a similar thread, but I wasn't sure whether that solution applies to my parents' PC, and honestly I don't feel like setting the box up again from scratch ;)

Regards

Dr4g0n

04.06.2006, 16:16

#2 Dr4g0n

1.
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
and double-click it to start. Under "Enter search strings" type or paste

PestTrap

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.

------------------------------------------------------------------------

Under "Enter search strings" type or paste

{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.

-----------------------------------------------------------------------

2.
echo.zip
unpack it --> click echo.bat --> the text editor will open --> copy the text
http://virus-protect.org/bat/echo.zip
__________
Regards, Sabina

all about PC security
05.06.2006, 16:21

#3 Registry Search logs:

Quote

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 05.06.2006 16:16:27 for strings:
; 'pesttrap'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\PestTrap]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com\www]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com\www]

[HKEY_USERS\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com]

[HKEY_USERS\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com\www]

[HKEY_USERS\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com]

[HKEY_USERS\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com\www]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com\www]

[HKEY_USERS\S-1-5-20\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com]

[HKEY_USERS\S-1-5-20\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com\www]

[HKEY_USERS\S-1-5-20_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com]

[HKEY_USERS\S-1-5-20_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com\www]

[HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com]

[HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com\www]

[HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run]
"PestTrap"="C:\\Program Files\\PestTrap\\PestTrap.exe"

[HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com]

[HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com\www]

[HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com]

[HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com\www]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com\www]

; End Of The Log...

Quote

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 05.06.2006 16:18:06 for strings:
; '{4e7bd74f-2b8d-469e-dcf7-e869a199b87d}'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bluewin.BLUEWIN\Clsid]
@="{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
; Contents of value:
; 
"{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}"=hex:02

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}]

[HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
; Contents of value:
; o×{n+žfÜ÷èi¡™¸}
"{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}"=hex:4f,d7,7b,4e,8d,2b,9e,46,dc,f7,e8,\
69,a1,99,b8,7d

[HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}]

[HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}]

[HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}\iexplore]

; End Of The Log...

Echo log:

Quote

10)DPF????
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 0835-A01A

Verzeichnis von C:\WINDOWS\Downloaded Program Files

19.08.2004 14:49 1.105.408 bluewin.dll
25.07.2002 17:13 24.576 dwusplay.dll
25.07.2002 17:13 196.608 dwusplay.exe
16.09.2003 18:05 299.008 isusweb.dll
09.10.2003 10:32 144 QTPlugin.inf
27.08.2005 14:30 5.065 swflash.inf
6 Datei(en) 1.630.809 Bytes

Anzahl der angezeigten Dateien:
6 Datei(en) 1.630.809 Bytes
0 Verzeichnis(se), 8.200.056.832 Bytes frei

Thanks in advance for the help

Dr4g0n

06.06.2006, 00:02

#4 Dr4g0n

Information on PestTrap
http://virus-protect.org/artikel/spyware/pesttrap.html

-----------------------------------------------------------------------

1.
Copy the following text into Notepad (Start - Accessories - Notepad) and save it with 'Save as' to the Desktop as fixme.reg. Set the file type to 'All files'. You should now find this file on the Desktop.
Double-click the file "fixme.reg" on the Desktop and merge it into the registry.

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"wininet.dll"=-
"kernel32.dll"=-
"dcomcfg.exe"=-

[-HKEY_CURRENT_USER\Software\PestTrap]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PestTrap]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppManagement\ARPCache\PestTrap]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\pesttrap.com]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\pesttrap.com]
[-HKEY_USERS\S-1-5-19\Software\Classes\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\pesttrap.com]
[-HKEY_USERS\S-1-5-19_Classes\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\pesttrap.com]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\pesttrap.com]
[-HKEY_USERS\S-1-5-20\Software\Classes\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\pesttrap.com]
[-HKEY_USERS\S-1-5-20_Classes\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\pesttrap.com]
[-HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\pesttrap.com]
[-HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004_Classes\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\pesttrap.com]
[-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\pesttrap.com]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bluewin.BLUEWIN\Clsid]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}\InprocServer32]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}\ProgID]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}]
[-HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}]
[-HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}]
[-HKEY_USERS\S-1-5-21-1417001333-1958367476-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}\iexplore]


2.
Open HijackThis -- button "Scan" -- tick the malware entries -- button "Fix checked" -- restart the PC

Quote

O2 - BHO: Bluewin Toolbar - {4E7BD74F-2B8D-469E-DCF7-E869A199B87D} - C:\WINDOWS\DOWNLO~1\bluewin.dll
O3 - Toolbar: Bluewin Toolbar - {4E7BD74F-2B8D-469E-DCF7-E869A199B87D} - C:\WINDOWS\DOWNLO~1\bluewin.dll
O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe

Restart the PC

3.
KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> tick it
and click the red cross; when asked "Do you want to reboot?" click "no" and paste in the next path, only for the last one click "yes"
paste in: ............

C:\WINDOWS\system32\stdole3.tlb
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\ts.ico
C:\WINDOWS\system32\regperf.exe
C:\WINDOWS\Downloaded Program Files\bluewin.dll

Restart the PC

----------------------------------------------------------------------
4.
Uninstall / delete

C:\Program Files\PestTrap
Bluewin Toolbar

-----------------------------------------------------------------------

5.
Work through SmitfraudFix and post the log from option 2
http://virus-protect.org/artikel/tools/smitfrautfix.html

6.
Post the Silent Runners log
http://virus-protect.org/silentrunner.html
__________
Regards, Sabina

all about PC security
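An added example, not part of the thread or of the tools linked above, showing what merging a REGEDIT4 file like the fixme.reg in step 1 actually does: a `[-KEY]` header deletes the key with all its subkeys, while `"name"=-` under a plain `[KEY]` header deletes one value and leaves the key in place. The registry it works on is a constructed in-memory model whose key paths are taken from the logs above (not the poster's machine), and the fix text is an excerpt of the posted file; because Registry Search spells one key `App Management` while the fix header reads `AppManagement`, the example also shows that a header matching no key is a silent no-op that only the log reveals.

```python
# Added example (not from the thread): what merging a REGEDIT4 fix file like the fixme.reg
# in step 1 does, run against a constructed in-memory registry model, not the poster's machine.
import re

HKLM_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
BLUEWIN = "{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}"  # Bluewin toolbar CLSID from the logs
ADOBE = "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"    # legitimate Adobe BHO CLSID from the logs

# Model: {key path: {value name: data}}; key paths are taken from the logs above.
SAMPLE_REGISTRY = {
    HKLM_CV + r"\Policies\Explorer\Run": {"kernel32.dll": r"C:\WINDOWS\system32\atmclk.exe",
                                         "dcomcfg.exe": "dcomcfg.exe"},
    r"HKEY_CURRENT_USER\Software\PestTrap": {"Installed": "1"},
    r"HKEY_CURRENT_USER\Software\PestTrap\Settings": {"Interval": "1200"},
    HKLM_CV + r"\App Management\ARPCache\PestTrap": {},  # spelled with a space, as Registry Search shows
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%s" % BLUEWIN: {"@": "Bluewin Toolbar"},
    HKLM_CV + r"\Explorer\Browser Helper Objects\%s" % BLUEWIN: {},
    HKLM_CV + r"\Explorer\Browser Helper Objects\%s" % ADOBE: {},
}

# Excerpt of the posted fixme.reg; the "AppManagement" header is reproduced exactly as posted.
FIXME_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"wininet.dll"=-
"kernel32.dll"=-
"dcomcfg.exe"=-

[-HKEY_CURRENT_USER\Software\PestTrap]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppManagement\ARPCache\PestTrap]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-DCF7-E869A199B87D}]
"""

HEADER_RE = re.compile(r"^\[(-?)([^\]]+)\]$")           # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data, "name"=-, @=data

def parse_reg(text):
    """Turn REGEDIT4 text into ("delete_key", key, None) for a [-KEY] header,
    ("delete_value", key, name) for "name"=- under a plain [KEY] header, and
    ("set_value", key, (name, data)) for any other value line."""
    ops, current, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip(); i += 1
        while line.endswith("\\") and i < len(lines):  # join hex:...,\ continuation lines
            line = line[:-1] + lines[i].strip(); i += 1
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        m = HEADER_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                ops.append(("delete_key", key, None))
                current = None  # value lines may not follow a deletion header
            else:
                current = key
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError("unparsable line: %r" % line)
        name, data = m.group(1).strip('"'), m.group(2)
        ops.append(("delete_value", current, name) if data == "-"
                   else ("set_value", current, (name, data)))
    return ops

def _find(mapping, wanted):
    """Registry names are case-insensitive: return the stored spelling or None."""
    return next((k for k in mapping if k.casefold() == wanted.casefold()), None)

def apply_fix(registry, ops):
    """Apply the operations to a copy of the registry model and return (registry, log).
    A header that matches no key is a silent no-op (regedit gives no error for it
    either), so only the log reveals a path that did not match anything."""
    reg, log = {k: dict(v) for k, v in registry.items()}, []
    for op, key, arg in ops:
        if op == "delete_key":  # the key itself plus everything below it
            prefix = key.casefold() + "\\"
            doomed = [k for k in reg if k.casefold() == key.casefold() or k.casefold().startswith(prefix)]
            for k in doomed:
                del reg[k]
            log.append("delete key %s: %d key(s) removed" % (key, len(doomed)))
            continue
        stored = _find(reg, key)
        if op == "delete_value":  # removes one value, the key itself stays
            vname = _find(reg[stored], arg) if stored is not None else None
            if vname is None:
                log.append("delete value %s in %s: not present" % (arg, key))
            else:
                del reg[stored][vname]
                log.append("delete value %s in %s: removed" % (arg, key))
        else:  # set_value creates the key when it does not exist yet
            name, data = arg
            target = reg.setdefault(stored or key, {})
            target[_find(target, name) or name] = data
            log.append("set value %s in %s" % (name, key))
    return reg, log

def run_demo():
    return apply_fix(SAMPLE_REGISTRY, parse_reg(FIXME_REG))
```

After `run_demo()` the Policies\Explorer\Run key survives empty, the PestTrap key and its subkey are gone, the `AppManagement` header is logged with 0 keys removed, and the Adobe BHO is untouched.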
06.06.2006, 11:17

#5

Quote

Sabina posted
2.
Open HijackThis -- button "Scan" -- tick the malware entries -- button "Fix checked" -- restart the PC

Quote

O2 - BHO: Bluewin Toolbar - {4E7BD74F-2B8D-469E-DCF7-E869A199B87D} - C:\WINDOWS\DOWNLO~1\bluewin.dll
O3 - Toolbar: Bluewin Toolbar - {4E7BD74F-2B8D-469E-DCF7-E869A199B87D} - C:\WINDOWS\DOWNLO~1\bluewin.dll
O4 - HKCU\..\Run: [PestTrap] C:\Program Files\PestTrap\PestTrap.exe
Restart the PC

The two bluewin.dll entries were no longer present in the HijackThis scan.
I tried it several times.

Quote

Sabina posted
4.
Uninstall / delete

C:\Program Files\PestTrap
Bluewin Toolbar

The PestTrap directory didn't exist either.
I even searched for a similarly named folder, without success.

Killbox worked perfectly.

Here's the SmitfraudFix log from step 2:

Quote

SmitFraudFix v2.55

Scan done at 11:04:32,15, 06.06.2006
Run from C:\Dokumente und Einstellungen\Ryser\Desktop\virusgaggi\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\wp.bmp FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Ryser\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\Ryser\FAVORI~1

C:\DOKUME~1\Ryser\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

And the Silent Runners log:

Quote

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"dcomcfg.exe" = "dcomcfg.exe" [null data]
"kernel32.dll" = "C:\WINDOWS\system32\atmclk.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMixerTray" = "C:\Programme\NVIDIA Corporation\NvMixer\NvMixerTray.exe" ["NVIDIA Corporation"]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SetDefPrt" = "C:\Programme\Brother\Brmfl04a\BrStDvPt.exe" ["Brother Industories, Ltd."]
"ControlCenter2.0" = "C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun" ["Brother Industries, Ltd."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"ezShieldProtector for Px" = "C:\WINDOWS\system32\ezSP_Px.exe" ["Easy Systems Japan Ltd."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Adobe Photo Downloader" = ""C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{6ab7158b-4bff-4160-ad7d-4d622df548cf}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Nothing"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hp100.tmp" [null data]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ST"
\InProcServer32\(Default) = "C:\Programme\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MSNToolBandBHO"
\InProcServer32\(Default) = "C:\Programme\MSN Apps\MSN Toolbar\01.02.4000.1001\de-ch\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
-> {HKLM...CLSID} = "Universelle Plug & Play-Geräte"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"CANONBJ_Deinstall_CNMCP3m.DLL" = "{70A7095F-3C3C-5C0F-32F9-6253715E44C7}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\bjprinter\cnmwindows\canon s520 installer\inst2\wvuxwsy7.dll" [file not found]
"Age of Empires 2.0" = "{3A0D5FEF-0C18-D314-3E41-EE5DD261BB7F}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\programme\microsoft games\age of empires ii\winmaualc5.dll" [file not found]
"AntiVir/XP" = "{F4513941-F00A-0F71-1964-CDA800704CD2}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\programme\avpersonal\winkmknst32.dll" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Ryser\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Startup items in "Ryser" & "All Users" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Radix Protector" -> shortcut to: "C:\RADIX\PROTECT6\RdxStart.exe" ["Radix Technologies Ltd."]
"Status Monitor" -> shortcut to: "C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe Brother DCP-110C /STARTUP" ["Brother Industries, Ltd."]
"WinZip Quick Pick" -> shortcut to: "C:\Programme\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc. and H.C. Top Systems B.V."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "C:\Programme\MSN Apps\MSN Toolbar\01.02.4000.1001\de-ch\msntb.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {HKLM...CLSID} = "MSN"
\InProcServer32\(Default) = "C:\Programme\MSN Apps\MSN Toolbar\01.02.4000.1001\de-ch\msntb.dll" [MS]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Programme\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Programme\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Brother Popup Suspend service for Resource manager, brmfrmps, ""C:\WINDOWS\system32\Brmfrmps.exe" -service " ["Brother Industries, Ltd."]
BrSplService, Brother XP spl Service, "C:\WINDOWS\system32\brsvc01a.exe" ["brother Industries Ltd"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
RadixPRsv, RadixPRsv, "C:\RADIX\PROTECT6\rdprsv.exe" ["Radix Technologies Ltd."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Canon BJ Language Monitor S520\Driver = "CNMLM3m.DLL" ["CANON INC."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PDF-XChange\Driver = "C:\WINDOWS\system32\pxc25pm.dll" ["Tracker Software"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 55 seconds, including 18 seconds for message boxes)

Dr4g0n
06.06.2006, 11:51
Honorary member
Sabina

Posts: 29434
#6 1.
spyfalcon.zip -> http://virus-protect.org/zip/spyfalcon.zip -> unpack it on the desktop -> spyfalcon.reg -> double-click it and add it to the registry

2.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste in:

Quote

Files to delete:
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\wp.bmp
C:\WINDOWS\system32\simpole.tlb
C:\WINDOWS\system32\stdole3.tlb
C:\Dokumente und Einstellungen\Ryser\Favoriten\Antivirus Test Online.url
C:\Dokumente und Einstellungen\All Users\Startmenü\Online Security Guide.url
C:\Dokumente und Einstellungen\All Users\Startmenü\Security Troubleshooting.url
Click the green traffic light
the script will now run, then the PC will restart automatically

**
post the Avenger log that appears

**

SmitfraudFix
. double-click smitfraudfix.cmd
. type: 2
. when asked "Voulez-vous nettoyer le registre ?" answer: o [o/n]; if the file wininet.dll is found to be infected, answer the question "Corriger le fichier infecté ?" with o [o/n]

the taskbar disappears + screen..everything will turn blue...wait...
when the scan has finished, copy the log file

**
post the Silent Runners log once more
__________
Regards, Sabina

all about PC security
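The Silent Runners log quoted in this thread lists ShellServiceObjectDelayLoad hooks whose DLLs are no longer on disk and a Winlogon\Notify entry that the tool marks as non-default, and Sabina asks for the log to be posted again after cleanup. A small parser that pulls exactly those entries out makes the before/after comparison easier. The Python script below is an added example, not code from this thread or from the Silent Runners tool: its sample text is a constructed excerpt modelled on the posted log, the regexes assume the line layout shown there, and the Finding tuple and triage function are names chosen here.

```python
import re
from collections import namedtuple

# Constructed excerpt modelled on the SSODL and Winlogon\Notify sections of the log above.
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"CANONBJ_Deinstall_CNMCP3m.DLL" = "{70A7095F-3C3C-5C0F-32F9-6253715E44C7}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\bjprinter\cnmwindows\canon s520 installer\inst2\wvuxwsy7.dll" [file not found]
"AntiVir/XP" = "{F4513941-F00A-0F71-1964-CDA800704CD2}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "c:\programme\avpersonal\winkmknst32.dll" [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
"""

# Line shapes as they appear in the log (leading indentation is stripped before matching).
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)" = "\{[0-9A-Fa-f-]+\}"$')
SERVER_RE = re.compile(r'^\\InProcServer32\\\(Default\) = "(?P<path>[^"]*)" (?P<tag>\[.*\])$')
NOTIFY_RE = re.compile(r'^(?P<warn>INFECTION WARNING! )?(?P<name>[^\\]+)\\DLLName = "(?P<path>[^"]*)" (?P<tag>\[.*\])$')

Finding = namedtuple("Finding", "section name path tag reason")

def triage(log_text: str) -> list:
    """Collect SSODL and Winlogon\\Notify hooks that deserve a second look."""
    findings, section, pending = [], "", None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("HKLM\\", "HKCU\\")) and line.endswith("\\"):
            section, pending = line.rstrip("\\"), None   # a new registry section starts
            continue
        if section.endswith("ShellServiceObjectDelayLoad"):
            if m := ENTRY_RE.match(line):                 # "name" = "{CLSID}" opens an entry
                pending = m["name"]
            elif pending and (m := SERVER_RE.match(line)):  # the entry's InProcServer32 line
                tag = m["tag"]
                reason = ("SSODL hook points to a DLL that is no longer on disk" if tag == "[file not found]"
                          else "SSODL hook loads a non-Microsoft DLL; confirm the publisher" if tag != "[MS]" else None)
                if reason:
                    findings.append(Finding(section, pending, m["path"], tag, reason))
                pending = None
        elif section.endswith("Winlogon\\Notify"):
            if (m := NOTIFY_RE.match(line)) and m["warn"]:   # Silent Runners' non-default marker
                findings.append(Finding(section, m["name"], m["path"], m["tag"],
                                        "non-default Winlogon Notify package; confirm the signer"))
    return findings
```

Feed it a saved log with triage(open(path, encoding="cp1252").read()) and diff the findings from the log posted before cleanup against the one posted afterwards.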