Virus Alert! Spyware Quake ... Your computer is infected! etc.

18.06.2006, 13:13
Member

Posts: 156
#16 Hello Sabina,

yes, some pop-ups still appear.

Thanks

Regards, Stefan
__________
Thanks for your great support!
Regards, Stefan
18.06.2006, 14:29
Honorary member

Posts: 29434
#17 befallener

0.
open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC

Quote

O3 - Toolbar: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Programme\QuickSearch\QuickSearchBar3_28.dll (file missing)

O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=5071
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.serviceurl.de/InstallationsAssistent.ocx
restart the PC

1.
uninstall:
BraveSentry

2.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste in:

Quote

Files to delete:
C:\Dokumente und Einstellungen\Daniel\Desktop\BraveSentrySetup.exe
C:\Program Files\BraveSentry\BraveSentry.exe
C:\Program Files\BraveSentry\Uninstall.exe
C:\WINDOWS\system32\rundll32.exe.Z-missing.txt
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\ts.ico
C:\WINDOWS\system32\yvvdj.dll
C:\WINDOWS\system32\hp85C5.tmp
C:\WINDOWS\system32\hp88B8.tmp
C:\WINDOWS\system32\ncompat.tlb
C:\WINDOWS\system32\stickrep.dll.Delete
click the green traffic light
the script will now run, then the PC will restart automatically

3.
post the Avenger log that appears

4.
work through smitfraud.fix exactly
http://virus-protect.org/artikel/tools/smitfrautfix.html

5.
Counterspy
http://virus-protect.org/counterspy.html
* after the scan you have to choose between:

*Ignore
*Remove --> Status: Deleted
*Quarantine

always choose Remove and restart the PC (then copy out the scan report)
__________
Regards, Sabina

all about PC security
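Added example (not code from the thread or from HijackThis itself): a small Python parser for the three HijackThis line formats quoted above (O3 toolbar, O4 autorun, O16 downloaded ActiveX). It pulls out the CLSID, path or URL and, for O3, whether the DLL is flagged "(file missing)", which means only an orphaned registry reference is left; for O16 it extracts the host the control was pulled from so you can see at a glance which entries did not come from a Microsoft update site.

```python
import re
from urllib.parse import urlparse

# The four HijackThis lines quoted in the post above (copied, not constructed).
HJT_LINES = [
    r"O3 - Toolbar: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Programme\QuickSearch\QuickSearchBar3_28.dll (file missing)",
    r"O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe",
    r"O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=5071",
    r"O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.serviceurl.de/InstallationsAssistent.ocx",
]

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
PATTERNS = {
    # O3: IE toolbar registered under its CLSID; "(file missing)" means the
    # DLL is gone and only the registry reference remains.
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>" + CLSID
                     + r") - (?P<path>.+?)(?P<missing> \(file missing\))?$"),
    # O4: autorun value under HKCU or HKLM ...\Run.
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): "
                     r"\[(?P<name>[^\]]+)\] (?P<path>.+)$"),
    # O16: ActiveX control installed through IE's Downloaded Program Files.
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID
                      + r") \((?P<name>.+?)\) - (?P<url>\S+)$"),
}

def parse_hjt_line(line):
    """Parse one O3/O4/O16 line into a dict; other sections return None."""
    section = line.split(" ", 1)[0]
    pat = PATTERNS.get(section)
    m = pat.match(line) if pat else None
    if not m:
        return None
    entry = {"section": section, **m.groupdict()}
    if section == "O3":
        entry["file_missing"] = entry.pop("missing") is not None
    if section == "O16":
        entry["host"] = urlparse(entry["url"]).hostname
    return entry

def parse_hjt(lines):
    """Parse a list of HijackThis lines, skipping sections we do not handle."""
    return [e for e in (parse_hjt_line(l) for l in lines) if e]
```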
18.06.2006, 14:32
Honorary member

Posts: 29434
#18 Okto1967

SmitRem2.8
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double-click: smitRem.exe -> click: Start --> click: ok

* open smitRem --> double-click: RunThis.bat, wait until the scan is finished (the screen will turn blue; that is normal)
if an uninstaller exists for something smitRem removes, the uninstaller will be started. Just click the Uninstall button and wait until it has been uninstalled.

post the smitfile.txt
__________
Regards, Sabina

all about PC security
18.06.2006, 20:20
...new here

Posts: 3
#19 Avenger says:

Quote

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ymchyxuy

*******************

Script file located at: \??\C:\Program Files\kyibqdxr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Dokumente und Einstellungen\Daniel\Desktop\BraveSentrySetup.exe not found!
Deletion of file C:\Dokumente und Einstellungen\Daniel\Desktop\BraveSentrySetup.exe failed!

Could not process line:
C:\Dokumente und Einstellungen\Daniel\Desktop\BraveSentrySetup.exe
Status: 0xc0000034



File C:\Program Files\BraveSentry\BraveSentry.exe not found!
Deletion of file C:\Program Files\BraveSentry\BraveSentry.exe failed!

Could not process line:
C:\Program Files\BraveSentry\BraveSentry.exe
Status: 0xc0000034

File C:\Program Files\BraveSentry\Uninstall.exe deleted successfully.
File C:\WINDOWS\system32\rundll32.exe.Z-missing.txt deleted successfully.


File C:\WINDOWS\system32\ot.ico not found!
Deletion of file C:\WINDOWS\system32\ot.ico failed!

Could not process line:
C:\WINDOWS\system32\ot.ico
Status: 0xc0000034



File C:\WINDOWS\system32\ts.ico not found!
Deletion of file C:\WINDOWS\system32\ts.ico failed!

Could not process line:
C:\WINDOWS\system32\ts.ico
Status: 0xc0000034



File C:\WINDOWS\system32\yvvdj.dll not found!
Deletion of file C:\WINDOWS\system32\yvvdj.dll failed!

Could not process line:
C:\WINDOWS\system32\yvvdj.dll
Status: 0xc0000034



File C:\WINDOWS\system32\hp85C5.tmp not found!
Deletion of file C:\WINDOWS\system32\hp85C5.tmp failed!

Could not process line:
C:\WINDOWS\system32\hp85C5.tmp
Status: 0xc0000034



File C:\WINDOWS\system32\hp88B8.tmp not found!
Deletion of file C:\WINDOWS\system32\hp88B8.tmp failed!

Could not process line:
C:\WINDOWS\system32\hp88B8.tmp
Status: 0xc0000034



File C:\WINDOWS\system32\ncompat.tlb not found!
Deletion of file C:\WINDOWS\system32\ncompat.tlb failed!

Could not process line:
C:\WINDOWS\system32\ncompat.tlb
Status: 0xc0000034



File C:\WINDOWS\system32\stickrep.dll.Delete not found!
Deletion of file C:\WINDOWS\system32\stickrep.dll.Delete failed!

Could not process line:
C:\WINDOWS\system32\stickrep.dll.Delete
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
CounterSpy says:

Quote

Spyware Scan Details
Start Date: 18.06.2006 20:42:46
End Date: 18.06.2006 21:33:19
Total Time: 50 mins 33 secs

Detected spyware

QuickSearch Toolbar Toolbar more information...
Details: QuickSearch Toolbar hijacks Internet Explorers search URLs to direct traffic to quicksearch.com.
Status: Deleted


UltraKeyboard 3.65 Commercial Key Logger more information...
Details: UltraKeyboard is a Keylogger.
Status: Deleted

Infected files detected
c:\programme\ultrakeyboard\051025.txt
c:\programme\ultrakeyboard\051026.txt
c:\programme\ultrakeyboard\051027.txt
c:\programme\ultrakeyboard\051028.txt
c:\programme\ultrakeyboard\051029.txt
c:\programme\ultrakeyboard\051030.txt
c:\programme\ultrakeyboard\051031.txt
c:\programme\ultrakeyboard\051101.txt
c:\programme\ultrakeyboard\051102.txt
c:\programme\ultrakeyboard\051103.txt
c:\programme\ultrakeyboard\051104.txt
c:\programme\ultrakeyboard\051105.txt
c:\programme\ultrakeyboard\051107.txt
c:\programme\ultrakeyboard\kbhook.dll
c:\programme\ultrakeyboard\ultrakeyboard.exe
c:\programme\ultrakeyboard\ultrakeyboard.ini


AFX Windows Rootkit 2003 Backdoor more information...
Details: AFX Windows Rootkit 2003 is a backdoor trojan.
Status: Deleted

Infected files detected
c:\windows\system32\process.exe


DesktopScam Trojan Downloader more information...
Details: DesktopScam is a trojan that is downloaded with rogue security applicatons in order to frighten the affected user into purchasing the rogue program.
Status: Deleted

Infected files detected
c:\dokumente und einstellungen\daniel\favoriten\antivirus test online.url


SpywareQuake Rogue Security Program more information...
Details: SpywareQuake is a purported anti-spyware application to scan for and remove spyware from users' computers.
Status: Deleted

Infected files detected
C:\WINDOWS\Temp\SQLanguage.ini


KaZaA P2P Program more information...
Details: KaZaA is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Ignored

Infected registry entries detected
HKEY_CURRENT_USER\Software\Kazaa
HKEY_CURRENT_USER\Software\Kazaa\Advanced MaxSearchResult 200
HKEY_CURRENT_USER\Software\Kazaa\Advanced SuperNode 0
HKEY_CURRENT_USER\Software\Kazaa\Advanced ScanFolder 0
HKEY_CURRENT_USER\Software\Kazaa\InstantMessaging IgnoreAll 0
HKEY_CURRENT_USER\Software\Kazaa\InstantMessaging IgnoredUsers
HKEY_CURRENT_USER\Software\Kazaa\k-lite InstallSig 6
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\ColumnOrder Video 0,1,2,3,4,5,6,7,8,9,10,
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\ColumnOrder Image 0,1,2,3,4,5,6,7,8,9,
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\ColumnSortStates1 Video 0
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\ColumnSortStates1 Image 0
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\ColumnSortStates2 Video 0
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\ColumnSortStates2 Image 0
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\ColumnWidths Video 153,57,98,75,70,52,70,78,75,70,245,
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\ColumnWidths Image 153,57,98,70,75,70,70,70,75,245,
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\CombinedSortedColumns Video -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\CombinedSortedColumns Image -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 0 295
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 1 72
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 2 108
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 3 80
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 4 82
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 5 60
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 6 64
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 7 76
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 8 76
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 9 180
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 10 64
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 11 50
HKEY_CURRENT_USER\Software\Kazaa\Kazaa Lite K++\VideoWidth 12 64
HKEY_CURRENT_USER\Software\Kazaa\LocalContent DisableSharing 0
HKEY_CURRENT_USER\Software\Kazaa\LocalContent DownloadDir D:\Incoming
HKEY_CURRENT_USER\Software\Kazaa\ResultsFilter adult_filter_level 0
HKEY_CURRENT_USER\Software\Kazaa\ResultsFilter showDisableAdultFilter 1
HKEY_CURRENT_USER\Software\Kazaa\ResultsFilter virus_filter 0
HKEY_CURRENT_USER\Software\Kazaa\ResultsFilter firewall_filter 1
HKEY_CURRENT_USER\Software\Kazaa\ResultsFilter bogus_filter 1
HKEY_CURRENT_USER\Software\Kazaa\ResultsFilter custom_filter_phrases .scr, .vbs, .jpg.exe, .jpg.vbs, .avi.exe, .avi.vbs, .mp3.exe, .mp3.vbs, -fulldownloader, 3-fulldwnloader, -full-downloader, -games-fulldownloader, divx-fulldownloader, 3-full-dwnloader-
HKEY_CURRENT_USER\Software\Kazaa\Skins SkinsDir C:\Programme\Kazaa Lite K++\Skins
HKEY_CURRENT_USER\Software\Kazaa\SOCKS Enabled 0
HKEY_CURRENT_USER\Software\Kazaa\Transfer ConcurrentDownloads 8
HKEY_CURRENT_USER\Software\Kazaa\Transfer ConcurrentUploads 6
HKEY_CURRENT_USER\Software\Kazaa\Transfer UploadBandwidth 368
HKEY_CURRENT_USER\Software\Kazaa\Transfer NoUploadLimitWhenIdle 0
HKEY_CURRENT_USER\Software\Kazaa\Transfer CacheHost 0
HKEY_CURRENT_USER\Software\Kazaa\Transfer CachePort 0
HKEY_CURRENT_USER\Software\Kazaa\Transfer CacheDiscoveryTime 1133622621
HKEY_CURRENT_USER\Software\Kazaa\Transfer DlDir0 D:\Incoming
HKEY_CURRENT_USER\Software\Kazaa\UserDetails CountryCode DE
HKEY_CURRENT_USER\Software\Kazaa\UserDetails UserName KazaaLiteK++
HKEY_CURRENT_USER\Software\Kazaa\UserDetails Email user@kazaalite.kpp
HKEY_CURRENT_USER\Software\Kazaa\UserDetails Newsletter 0
HKEY_CURRENT_USER\Software\Kazaa\UserDetails AutoConnected 0
HKEY_CURRENT_USER\Software\Kazaa LimitBitrate 0
HKEY_CURRENT_USER\Software\Kazaa LastSearchHash


MediaTickets CDT Adware (General) more information...
Details: MediaTickets CDT is an adware program that displays advertisements, reduces the security settings for the Trusted Sites zone in Internet Explorer, and attempts to fraudulently install trusted publishers.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\CLSID\{39DA2444-065F-47CB-B27C-CCB1A39C06B7}
HKEY_CLASSES_ROOT\CLSID\{39DA2444-065F-47CB-B27C-CCB1A39C06B7}\InprocServer32 C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX
HKEY_CLASSES_ROOT\CLSID\{39DA2444-065F-47CB-B27C-CCB1A39C06B7} MediaTicketsInstaller Property Page
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx .Owner {9EB320CE-BE1D-4304-A081-4B4665414BEF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx {9EB320CE-BE1D-4304-A081-4B4665414BEF}


CoolWebSearch.WinRes Adware (General) more information...
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494}
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494}\InprocServer32 C:\WINDOWS\winres.dll
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494}\ProgID WinRes.WindowsResources.1
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494}\TypeLib {344EE577-2027-4714-82FF-0D7538488547}
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494}\VersionIndependentProgID WinRes.WindowsResources
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494} WindowsResources


Trojan.Vxgame Trojan more information...
Details: Vxgame is a trojan that silently downloads additional malware from the internet and alters the system's security settings by disabling the Windows firewall.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\Interface\{4781DAA6-4DE5-47A1-B02A-945F0D017A9E}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\TypeLib\{5530D356-0063-41B9-B20D-E9D799E8D907}
HKEY_CLASSES_ROOT\TypeLib\{5530D356-0063-41B9-B20D-E9D799E8D907}\1.0\0\win32 C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
HKEY_CLASSES_ROOT\TypeLib\{5530D356-0063-41B9-B20D-E9D799E8D907}\1.0\FLAGS 2
HKEY_CLASSES_ROOT\TypeLib\{5530D356-0063-41B9-B20D-E9D799E8D907}\1.0\HELPDIR C:\WINDOWS\Downloaded Program Files
HKEY_CLASSES_ROOT\TypeLib\{5530D356-0063-41B9-B20D-E9D799E8D907}\1.0 MEDIATICKETSINSTALLERLib
HKEY_CLASSES_ROOT\TypeLib\{5530D356-0063-41B9-B20D-E9D799E8D907}\1.0\0
HKEY_CLASSES_ROOT\TypeLib\{5530D356-0063-41B9-B20D-E9D799E8D907}\1.0\0\win32 C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx


CoolWebSearch Hijacker more information...
Details: CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to CoolWebSearch.com and other sites affiliated with its operators.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494}
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494}\InprocServer32 C:\WINDOWS\winres.dll
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494}\InprocServer32 ThreadingModel Apartment
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494}\ProgID WinRes.WindowsResources.1
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494}\TypeLib {344EE577-2027-4714-82FF-0D7538488547}
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494}\VersionIndependentProgID WinRes.WindowsResources
HKEY_CLASSES_ROOT\clsid\{2D38A51A-23C9-48a1-A33C-48675AA2B494} WindowsResources

Everything looks pretty good, doesn't it? I have no pop-ups at the moment and my computer is faster again. Yippee, and thanks so far, Sabina!
This post was edited on 18.06.2006 at 21:59 by befallener.
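Added example, not part of the thread or of the Avenger tool: a Python parser for Avenger logs in the layout quoted above. It reconciles each script entry with its outcome and decodes the "Status:" value; 0xc0000034 is the standard Windows NTSTATUS STATUS_OBJECT_NAME_NOT_FOUND, so the "failed" entries above mean the files were already gone (smitfraud.fix or the uninstall had removed them), not that deletion was blocked. The log excerpt is constructed from the quoted log, shortened to keep the example small.

```python
import re

# Constructed excerpt in the layout of the Avenger log quoted above; the
# real log lists more files, but every line shape Avenger prints is here.
SAMPLE_LOG = r"""Beginning to process script file:

File C:\Dokumente und Einstellungen\Daniel\Desktop\BraveSentrySetup.exe not found!
Deletion of file C:\Dokumente und Einstellungen\Daniel\Desktop\BraveSentrySetup.exe failed!

Could not process line:
C:\Dokumente und Einstellungen\Daniel\Desktop\BraveSentrySetup.exe
Status: 0xc0000034

File C:\Program Files\BraveSentry\Uninstall.exe deleted successfully.
File C:\WINDOWS\system32\rundll32.exe.Z-missing.txt deleted successfully.
"""

# Standard Windows NTSTATUS codes that appear in Avenger "Status:" lines.
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # file was already gone
    0xC0000022: "STATUS_ACCESS_DENIED",          # permissions block, needs a look
    0xC0000043: "STATUS_SHARING_VIOLATION",      # still open by a process
}

DELETED_RE = re.compile(r"^File (.+?) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of file (.+?) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")

def parse_avenger_log(text):
    """Map each script path to 'deleted' or to the NTSTATUS name of its failure.
    A failure spans several lines ('Deletion ... failed!', 'Could not process
    line:', the path, 'Status: 0x...'); the Status line is attached to the
    most recent failed path."""
    results, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := DELETED_RE.match(line):
            results[m.group(1)] = "deleted"
        elif m := FAILED_RE.match(line):
            pending = m.group(1)
            results[pending] = "failed"          # refined by the Status line
        elif (m := STATUS_RE.match(line)) and pending:
            code = int(m.group(1), 16)
            results[pending] = NTSTATUS_NAMES.get(code, m.group(1))
            pending = None
    return results

def needs_followup(results):
    """Paths that failed for a reason other than 'already gone'."""
    return sorted(p for p, o in results.items()
                  if o not in ("deleted", "STATUS_OBJECT_NAME_NOT_FOUND"))
```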
18.06.2006, 20:22
Honorary member

Posts: 29434
#20 befallener

work through smitfraud.fix exactly
http://virus-protect.org/artikel/tools/smitfrautfix.html


Counterspy
http://virus-protect.org/counterspy.html
* after the scan you have to choose between:

*Ignore
*Remove --> Status: Deleted
*Quarantine

always choose Remove and restart the PC (then copy out the scan report)
__________
Regards, Sabina

all about PC security