Virus Alert! "Your computer is infected" on my PC yet again

12.06.2006, 00:25
Honorary member

Posts: 29434
#31 You really reached deep into the Internet's muck there. You mustn't click on everything that blinks on the net.... ;)

1.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste this in:

Quote

registry keys to delete:
HKEY_CURRENT_USER\Software\ADSpider
HKEY_LOCAL_MACHINE\Software\ADSpider
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\asnt3

Files to delete:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\Downloaded Program Files\popcaploader.inf
C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\users32.exe
C:\WINDOWS\system32\bridge.dll
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\dailytoolbar.dll
C:\WINDOWS\system32\alxres.dll
C:\WINDOWS\system32\lrf.dat
C:\WINDOWS\system32\winlogon.ini
C:\WINDOWS\system32\thlwin32.dll
C:\WINDOWS\system32\winflash.dll
C:\WINDOWS\system32\qjrkvy.exe
C:\WINDOWS\system32\adobepnl.dll
C:\WINDOWS\system32\udpmod.dll
C:\WINDOWS\system32\questmod.dll
C:\WINDOWS\system32\jao.dll
C:\WINDOWS\system32\txfdb32.dll
C:\WINDOWS\system32\runsrv32.dll
C:\WINDOWS\system32\wstart.dll
C:\WINDOWS\system32\tcpservice2.exe
C:\WINDOWS\system32\gnndbuis.exe
C:\WINDOWS\warning-bar-ico.gif
C:\WINDOWS\setupapi.log
C:\WINDOWS\ZServ.dll
C:\WINDOWS\0.log
C:\WINDOWS\dlmax.dll
C:\WINDOWS\Pynix.dll
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\susp.exe
C:\WINDOWS\alxtb1.dll
C:\WINDOWS\alxie328.dll
C:\WINDOWS\alexaie.dll
C:\WINDOWS\close-bar.gif
C:\WINDOWS\spacer.gif
C:\WINDOWS\x.gif
C:\WINDOWS\win_logo.gif
C:\WINDOWS\warning_icon.gif
C:\WINDOWS\v.gif
C:\WINDOWS\ts_header.gif
C:\WINDOWS\ts.gif
C:\WINDOWS\star_small.gif
C:\WINDOWS\star_gray_small.gif
C:\WINDOWS\star_gray.gif
C:\WINDOWS\star.gif
C:\WINDOWS\spyware-detected.gif
C:\WINDOWS\spacer.gif'
C:\WINDOWS\sep_vert.gif
C:\WINDOWS\sep_hor.gif
C:\WINDOWS\security_center_caption.gif
C:\WINDOWS\security-center-logo.gif
C:\WINDOWS\security-center-bg.gif
C:\WINDOWS\scan_btn.gif
C:\WINDOWS\rf_header.gif
C:\WINDOWS\rf.gif
C:\WINDOWS\main_back.gif
C:\WINDOWS\infected.gif
C:\WINDOWS\header_4.gif
C:\WINDOWS\header_3.gif
C:\WINDOWS\header_2.gif
C:\WINDOWS\header_1.gif
C:\WINDOWS\footer_back.jpg
C:\WINDOWS\footer_back.gif
C:\WINDOWS\features.gif
C:\WINDOWS\download_box.gif
C:\WINDOWS\button_freescan.gif
C:\WINDOWS\button_buynow.gif
C:\WINDOWS\box_3.gif
C:\WINDOWS\box_2.gif
C:\WINDOWS\box_1.gif
C:\WINDOWS\bg.gif
C:\WINDOWS\as_header.gif
C:\WINDOWS\as.gif
C:\WINDOWS\about_spyware_bottom.gif
C:\WINDOWS\about_spyware_bg.gif
C:\WINDOWS\gvcasinos.ini
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\Programme\ADSPider\ADSpider.exe
C:\Program Files\SpySheriff\base.avd
C:\Program Files\SpySheriff\base001.avd
C:\Program Files\SpySheriff\base002.avd
C:\Program Files\SpySheriff\found.wav
C:\Program Files\SpySheriff\heur001.dll
C:\Program Files\SpySheriff\notfound.wav
C:\Program Files\SpySheriff\removed.wav
C:\Program Files\SpySheriff\SpySheriff.dvm
C:\Program Files\SpySheriff\SpySheriff.exe
C:\Program Files\SpySheriff\Uninstall.exe
Click the green traffic light
the script will now run, then the PC will restart automatically

**
post the Avenger report that appears + the 4 logs from datfindbat once more (back to January 2006)
__________
Kind regards, Sabina

all about PC security
12.06.2006, 00:42
Member

Posts: 23
#32 Hello
That's what you get when you let a 14-year-old onto the Internet.

Well, I hope I did it right!!!!

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 1813
Line: HKEY_CURRENT_USER\Software\ADSpider


Error: could not create zip file.
Error code: 1813


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fxlgcete

*******************

Script file located at: \??\C:\WINDOWS\dfiblxjt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\Downloaded Program Files\popcaploader.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\popcaploader.inf deleted successfully.
File C:\WINDOWS\system32\runsrv32.exe deleted successfully.
File C:\WINDOWS\system32\users32.exe deleted successfully.
File C:\WINDOWS\system32\bridge.dll deleted successfully.
File C:\WINDOWS\system32\a.exe deleted successfully.
File C:\WINDOWS\system32\dailytoolbar.dll deleted successfully.
File C:\WINDOWS\system32\alxres.dll deleted successfully.
File C:\WINDOWS\system32\lrf.dat deleted successfully.
File C:\WINDOWS\system32\winlogon.ini deleted successfully.
File C:\WINDOWS\system32\thlwin32.dll deleted successfully.
File C:\WINDOWS\system32\winflash.dll deleted successfully.
File C:\WINDOWS\system32\qjrkvy.exe deleted successfully.
File C:\WINDOWS\system32\adobepnl.dll deleted successfully.
File C:\WINDOWS\system32\udpmod.dll deleted successfully.
File C:\WINDOWS\system32\questmod.dll deleted successfully.
File C:\WINDOWS\system32\jao.dll deleted successfully.
File C:\WINDOWS\system32\txfdb32.dll deleted successfully.
File C:\WINDOWS\system32\runsrv32.dll deleted successfully.
File C:\WINDOWS\system32\wstart.dll deleted successfully.
File C:\WINDOWS\system32\tcpservice2.exe deleted successfully.
File C:\WINDOWS\system32\gnndbuis.exe deleted successfully.
File C:\WINDOWS\warning-bar-ico.gif deleted successfully.
File C:\WINDOWS\setupapi.log deleted successfully.
File C:\WINDOWS\ZServ.dll deleted successfully.
File C:\WINDOWS\0.log deleted successfully.
File C:\WINDOWS\dlmax.dll deleted successfully.
File C:\WINDOWS\Pynix.dll deleted successfully.
File C:\WINDOWS\BTGrab.dll deleted successfully.
File C:\WINDOWS\susp.exe deleted successfully.
File C:\WINDOWS\alxtb1.dll deleted successfully.
File C:\WINDOWS\alxie328.dll deleted successfully.
File C:\WINDOWS\alexaie.dll deleted successfully.
File C:\WINDOWS\close-bar.gif deleted successfully.
File C:\WINDOWS\spacer.gif deleted successfully.
File C:\WINDOWS\x.gif deleted successfully.
File C:\WINDOWS\win_logo.gif deleted successfully.
File C:\WINDOWS\warning_icon.gif deleted successfully.
File C:\WINDOWS\v.gif deleted successfully.
File C:\WINDOWS\ts_header.gif deleted successfully.
File C:\WINDOWS\ts.gif deleted successfully.
File C:\WINDOWS\star_small.gif deleted successfully.
File C:\WINDOWS\star_gray_small.gif deleted successfully.
File C:\WINDOWS\star_gray.gif deleted successfully.
File C:\WINDOWS\star.gif deleted successfully.
File C:\WINDOWS\spyware-detected.gif deleted successfully.
File C:\WINDOWS\spacer.gif' deleted successfully.
File C:\WINDOWS\sep_vert.gif deleted successfully.
File C:\WINDOWS\sep_hor.gif deleted successfully.
File C:\WINDOWS\security_center_caption.gif deleted successfully.
File C:\WINDOWS\security-center-logo.gif deleted successfully.
File C:\WINDOWS\security-center-bg.gif deleted successfully.
File C:\WINDOWS\scan_btn.gif deleted successfully.
File C:\WINDOWS\rf_header.gif deleted successfully.
File C:\WINDOWS\rf.gif deleted successfully.
File C:\WINDOWS\main_back.gif deleted successfully.
File C:\WINDOWS\infected.gif deleted successfully.
File C:\WINDOWS\header_4.gif deleted successfully.
File C:\WINDOWS\header_3.gif deleted successfully.
File C:\WINDOWS\header_2.gif deleted successfully.
File C:\WINDOWS\header_1.gif deleted successfully.
File C:\WINDOWS\footer_back.jpg deleted successfully.
File C:\WINDOWS\footer_back.gif deleted successfully.
File C:\WINDOWS\features.gif deleted successfully.
File C:\WINDOWS\download_box.gif deleted successfully.
File C:\WINDOWS\button_freescan.gif deleted successfully.
File C:\WINDOWS\button_buynow.gif deleted successfully.
File C:\WINDOWS\box_3.gif deleted successfully.
File C:\WINDOWS\box_2.gif deleted successfully.
File C:\WINDOWS\box_1.gif deleted successfully.
File C:\WINDOWS\bg.gif deleted successfully.
File C:\WINDOWS\as_header.gif deleted successfully.
File C:\WINDOWS\as.gif deleted successfully.
File C:\WINDOWS\about_spyware_bottom.gif deleted successfully.
File C:\WINDOWS\about_spyware_bg.gif deleted successfully.
File C:\WINDOWS\gvcasinos.ini deleted successfully.
File C:\WINDOWS\IFinst27.exe deleted successfully.
File C:\WINDOWS\NDNuninstall7_22.exe deleted successfully.


*******************

Finished! Terminate.

Datenträger in Laufwerk C: ist Betriebsystem
Volumeseriennummer: 0C75-E152

Verzeichnis von C:\WINDOWS\system32

12.06.2006 00:48 7.275 nvapps.xml
11.06.2006 21:58 57.384 avsda.dll
11.06.2006 12:22 2.206 wpa.dbl
29.05.2006 22:23 51.355 muzika.xm
10.05.2006 18:01 2.368 SVKP.sys
18.04.2006 14:49 16.832 amcompat.tlb
18.04.2006 14:49 23.392 nscompat.tlb
26.03.2006 13:27 401.084 perfh009.dat
26.03.2006 13:27 60.952 perfc009.dat
26.03.2006 13:27 412.330 perfh007.dat
26.03.2006 13:27 71.942 perfc007.dat
26.03.2006 13:27 958.200 PerfStringBackup.INI
07.03.2006 19:41 3.147 qtplugin.log
17.02.2006 01:27 313.968 FNTCACHE.DAT
14.02.2006 17:16 262.144 wrap_oal.dll
14.02.2006 17:16 86.016 OpenAL32.dll
30.01.2006 12:31 98.304 CmdLineExt.dll
17.01.2006 23:36 69.632 ElbyCDIO.dll
13.01.2006 01:23 364.032 CoreAVC.ax

Datenträger in Laufwerk C: ist Betriebsystem
Volumeseriennummer: 0C75-E152

Verzeichnis von C:\DOKUME~1\HELMUT~1\LOKALE~1\Temp

11.06.2006 23:47 32.768 ~DFB4B8.tmp
11.06.2006 22:03 32.768 ~DF9F97.tmp
11.06.2006 21:19 32.768 ~DF9DA6.tmp
11.06.2006 14:39 90.112 ~9.tmp
11.06.2006 14:11 32.768 ~DFBD8.tmp
11.06.2006 12:39 32.768 ~DFA715.tmp
10.06.2006 23:48 16.384 ~DFF5A6.tmp
10.06.2006 23:48 16.384 ~DFF5C2.tmp
10.06.2006 23:48 16.384 ~DFF58A.tmp
10.06.2006 23:48 16.384 ~DFF56E.tmp
10.06.2006 23:47 16.384 ~DF7328.tmp
10.06.2006 23:47 16.384 ~DF6D48.tmp
09.06.2006 21:02 32.768 ~DF617B.tmp
09.06.2006 19:39 94.208 BarControl.dll
09.06.2006 19:39 745.472 GoogleToolbar.dll
09.06.2006 19:39 743.016 GDSSetup.exe
09.06.2006 19:39 71.680 GLB2E.tmp
09.06.2006 19:38 71.680 GLB27.tmp
09.06.2006 19:36 71.680 GLB20.tmp
09.06.2006 19:28 71.680 GLB16.tmp
09.06.2006 19:13 6.494.848 ZGI12.tmp
09.06.2006 19:08 59.964 BoontyGames.0001
09.06.2006 19:06 0 tdm.log
09.06.2006 19:05 640.624 TDM11.tmp
09.06.2006 03:26 103 D1B5B4F1.TMP
07.06.2006 16:30 0 NBR8.tmp
06.06.2006 17:42 40.960 rtdrvmon.exe

Datenträger in Laufwerk C: ist Betriebsystem
Volumeseriennummer: 0C75-E152

Verzeichnis von C:\WINDOWS

12.06.2006 00:49 0 0.log
12.06.2006 00:49 159 wiadebug.log
12.06.2006 00:49 1.336.077 WindowsUpdate.log
12.06.2006 00:49 50 wiaservc.log
12.06.2006 00:48 2.048 bootstat.dat
12.06.2006 00:47 32.114 SchedLgU.Txt
10.06.2006 20:14 447 lexstat.ini
09.06.2006 22:07 181 popcinfo.dat
09.06.2006 19:47 1.054 win.ini
04.06.2006 12:59 787 eReg.dat
29.05.2006 19:21 54.156 QTFont.qfn
28.05.2006 21:05 69.760 wmsetup.log
28.05.2006 15:55 1.409 QTFont.for
27.05.2006 02:17 185.621 setupact.log
25.05.2006 20:53 7.680 Thumbs.db
16.05.2006 16:36 235.016 KingComIE.dll
08.05.2006 18:21 48 CDCOPS.INI
30.04.2006 18:54 4.096 d3dx.dat
27.04.2006 21:48 412 ULead32.ini
27.04.2006 07:08 30 Iedit.INI
18.04.2006 14:50 460 wmsetup10.log
13.04.2006 20:56 617.869 iis6.log
13.04.2006 20:56 88.035 ntdtcsetup.log
13.04.2006 20:56 140.632 comsetup.log
13.04.2006 20:56 1.683 tabletoc.log
13.04.2006 20:56 4.880 medctroc.Log
13.04.2006 20:56 200.765 ocgen.log
13.04.2006 20:56 3.739 imsins.log
13.04.2006 20:56 193.123 tsoc.log
13.04.2006 20:56 16.097 ocmsn.log
13.04.2006 20:56 20.215 msgsocm.log
13.04.2006 20:56 382.700 FaxSetup.log
13.04.2006 20:56 6.528 netfxocm.log
13.04.2006 20:56 155.090 msmqinst.log
03.04.2006 18:03 316.640 WMSysPr9.prx
20.03.2006 19:24 4 visualwarlab.dat
06.02.2006 21:37 502 ODBC.INI
06.02.2006 21:37 4.359 ODBCINST.INI
28.01.2006 15:37 230.004 DirectX.log
23.01.2006 21:41 23.634 super.chm
17.01.2006 23:49 307 lpp32.ini
07.01.2006 22:59 8.763 KB912919.log
07.01.2006 22:59 1.355 imsins.BAK
07.01.2006 22:58 457 updspapi.log
07.01.2006 22:54 29.085 spupdsvc.log
07.01.2006 22:54 360 DtcInstall.log
07.01.2006 22:39 461.100 svcpack.log
07.01.2006 22:36 200 cmsetacl.log
07.01.2006 22:22 1.330 sessmgr.setup.log
02.01.2006 20:01 7.390 ModemLog_cFos DSL, Internet, PPPoE.txt

Datenträger in Laufwerk C: ist Betriebsystem
Volumeseriennummer: 0C75-E152

Verzeichnis von C:\

12.06.2006 00:52 0 sys.txt
12.06.2006 00:52 10.565 system.txt
12.06.2006 00:51 1.746 systemtemp.txt
12.06.2006 00:51 111.335 system32.txt
12.06.2006 00:48 51.264 avenger.txt
12.06.2006 00:48 1.610.612.736 pagefile.sys
11.06.2006 23:49 17.226 DirDPF.txt
11.06.2006 23:49 2 DirDPFCns.txt
27.05.2006 23:28 4.698 CLDMA.LOG
24.04.2006 21:07 12.288 Thumbs.db
24.04.2006 08:42 2.798 bullet1.html
10.04.2006 20:48 1 DXOkay.bin
07.01.2006 22:36 211 BOOT.BKK
07.01.2006 22:36 211 boot.ini
07.01.2006 22:08 47.564 NTDETECT.COM
07.01.2006 22:08 251.184 ntldr

Is all of that right???
Regards coco100
This post was edited by coco100 on 12.06.2006 at 00:53.
12.06.2006, 00:59
Honorary member

Posts: 29434
#33 1.
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".

2.
scan with Kaspersky and then with Panda
http://virus-protect.org/onlinescan.html
and post both scan reports
__________
Kind regards, Sabina

all about PC security
12.06.2006, 07:25
Member

Posts: 23
#34 Good morning
Here are the two scan reports

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, June 12, 2006 6:15:37 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 12/06/2006
Kaspersky Anti-Virus database records: 187923
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 156438
Number of viruses found: 3
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:35:44

Infected Object Name / Virus Name / Last Action
C:\avenger\backup.zip/avenger/adobepnl.dll Infected: not-virus:Hoax.Win32.Renos.dm skipped
C:\avenger\backup.zip/avenger/gnndbuis.exe Infected: Trojan-Downloader.Win32.VB.aeq skipped
C:\avenger\backup.zip/avenger/qjrkvy.exe Infected: not-virus:Hoax.Win32.Renos.dm skipped
C:\avenger\backup.zip/avenger/users32.exe Infected: not-virus:Hoax.Win32.Renos.dk skipped
C:\avenger\backup.zip/avenger/winflash.dll Infected: not-virus:Hoax.Win32.Renos.dm skipped
C:\avenger\backup.zip ZIP: infected - 5 skipped

Scan process completed.



Incident Status Location

Adware:adware/sahagent Not disinfected c:\windows\system32\bqrufs5f.dat
Dialer:dialer.b Not disinfected c:\windows\downloaded program files\EGAUTH.inf
Dialer:dialer.xd Not disinfected c:\windows\switchagreement.txt
Adware:adware/beginto Not disinfected c:\windows\system32\cache32_rtneg
Adware:adware/fizzle Not disinfected c:\programme\FwBarTemp
Adware:adware/mediatickets Not disinfected Windows Registry
Adware:adware/alexa-toolbar Not disinfected Windows Registry
Spyware:spyware/bridge Not disinfected Windows Registry
Spyware:spyware/dluca Not disinfected Windows Registry
Adware:adware/dailytoolbar Not disinfected Windows Registry
Dialer:dialer.dgi Not disinfected hkey_local_machine\software\Mpb
Spyware:spyware/betterinet Not disinfected Windows Registry
Adware:adware/searchrelevancy Not disinfected Windows Registry
Adware:adware/admess Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/transponder Not disinfected Windows Registry
Adware:adware/btgrab Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Dialer:dialer.du Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}
Spyware:Spyware/New.net Not disinfected C:\avenger\backup.zip[avenger/NDNuninstall7_22.exe]
Adware:Adware/TitanShield Not disinfected C:\avenger\backup.zip[avenger/users32.exe]
Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\Helmut&Nicki\Cookies\helmut&nicki@as-eu.falkag[1].txt
Adware:Adware/Thecoolbar Not disinfected C:\Programme\FwBarTemp\cohelper.exe
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1101.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.11\HDPlugin1101.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.12\HDPlugin1101.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1101.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1101.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1101.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1101.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1101.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1101.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1101.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1101.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\w?aclt.exe
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\WINNT\system32\directx\asp\mech\asp.exe
Potentially unwanted tool:Application/Firedaemon.A Not disinfected C:\WINNT\system32\directx\asp\mech\FireDaemon.exe
Best regards coco100
12.06.2006, 13:46
Honorary member

Posts: 29434
#35 open HijackThis -- "Scan" button -- tick the boxes in front of the malware entries -- "Fix checked" button -- restart the PC

Quote

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
restart the PC

1.
paste into the Avenger:

Quote

registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB}
HKEY_LOCAL_MACHINE\Software\Mpb

Files to delete:
C:\Programme\FwBarTemp\cohelper.exe
c:\windows\system32\bqrufs5f.dat
c:\windows\downloaded program files\EGAUTH.inf
c:\windows\switchagreement.txt
c:\windows\system32\cache32_rtneg
C:\Programme\FwBarTemp\cohelper.exe
C:\Programme\FwBarTemp\searchbar.exe
C:\Programme\FwBarTemp\dist001.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1101.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\HDPlugin1101.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\HDPlugin1101.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1101.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1101.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1101.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1101.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1101.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1101.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1101.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1101.dll
click the green traffic light, restart the PC - post the Avenger log

2.
uninstall..delete: Thecoolbar
C:\Programme\FwBarTemp

3.
Start > Run --> type in --> cmd.exe

and OK. paste this in and post everything that appears in the text editor

Quote

dir /s /a "c:\w?aclt*.*" > c:\find.txt & start notepad c:\find.txt
4.
post the WinPFind log
http://virus-protect.org/winpfind.html


----------
The CoolBar
http://www.sunbelt-software.com/research/threat_display.cfm?name=The%20CoolBar&threatid=39566
process: C:\Programme\FwBarTemp\searchbar.exe
process: C:\Programme\FwBarTemp\dist001.exe
process: C:\Programme\FwBarTemp\cohelper.exe
__________
Kind regards, Sabina

all about PC security
12.06.2006, 14:29
Member

Posts: 23
#36 Hello
Here are the scans

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\iygalgml

*******************

Script file located at: \??\C:\Program Files\ovbihxua.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Programme\FwBarTemp\cohelper.exe deleted successfully.
File c:\windows\system32\bqrufs5f.dat deleted successfully.
File c:\windows\downloaded program files\EGAUTH.inf deleted successfully.
File c:\windows\switchagreement.txt deleted successfully.


Error: c:\windows\system32\cache32_rtneg is a folder, not a file!
Deletion of file c:\windows\system32\cache32_rtneg failed!

Could not process line:
c:\windows\system32\cache32_rtneg
Status: 0xc00000ba



File C:\Programme\FwBarTemp\cohelper.exe not found!
Deletion of file C:\Programme\FwBarTemp\cohelper.exe failed!

Could not process line:
C:\Programme\FwBarTemp\cohelper.exe
Status: 0xc0000034

File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1101.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.11\HDPlugin1101.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.12\HDPlugin1101.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1101.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1101.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1101.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1101.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1101.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1101.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1101.dll deleted successfully.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1101.dll deleted successfully.


Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B55BB05-0B4D-44FD-81A6-B136188F5DEB} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\Software\Mpb deleted successfully.

Completed script processing.

*******************

Finished! Terminate.





Datenträger in Laufwerk C: ist Betriebsystem
Volumeseriennummer: 0C75-E152

Verzeichnis von c:\WINDOWS\system32

11.01.2005 16:11 401.408 w?aclt.exe
1 Datei(en) 401.408 Bytes

Anzahl der angezeigten Dateien:
1 Datei(en) 401.408 Bytes
0 Verzeichnis(se), 7.422.439.424 Bytes frei




»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 13.10.2005 21:27:00 RHS 422400 C:\WINDOWS\x2.64.exe

Checking %System% folder...
SAHAgent 14.04.2005 23:16:02 35 C:\WINDOWS\SYSTEM32\70tovmto.ini
UPX! 07.10.2005 19:14:52 RHS 308224 C:\WINDOWS\SYSTEM32\avisynth.dll
SAHAgent 14.04.2005 23:16:02 35 C:\WINDOWS\SYSTEM32\bln02nqv.ini
UPX! 09.07.2004 10:47:04 RHS 167936 C:\WINDOWS\SYSTEM32\CoreAAC.ax
aspack 22.07.2005 20:59:04 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
PEC2 23.08.2001 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 25.01.2004 RHS 70656 C:\WINDOWS\SYSTEM32\i420vfw.dll
PECompact2 07.05.2005 10:51:34 1051992 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 07.05.2005 10:51:34 1051992 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.08.2004 09:57:08 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04.08.2004 09:57:32 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 23.08.2001 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 28.02.2005 13:16:22 RHS 240128 C:\WINDOWS\SYSTEM32\x.264.exe
UPX! 25.01.2004 RHS 70656 C:\WINDOWS\SYSTEM32\yv12vfw.dll

Checking %System%\Drivers folder and sub-folders...
PTech 04.08.2004 07:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12.06.2006 14:12:06 S 2048 C:\WINDOWS\bootstat.dat
29.05.2006 19:21:54 H 54156 C:\WINDOWS\QTFont.qfn
25.05.2006 20:53:42 HS 7680 C:\WINDOWS\Thumbs.db
12.06.2006 14:12:52 H 1024 C:\WINDOWS\system32\config\default.LOG
12.06.2006 14:17:18 H 1024 C:\WINDOWS\system32\config\SAM.LOG
12.06.2006 14:12:52 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
12.06.2006 14:20:58 H 1024 C:\WINDOWS\system32\config\software.LOG
12.06.2006 14:13:24 H 1024 C:\WINDOWS\system32\config\system.LOG
16.05.2006 22:47:52 S 18 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
16.05.2006 22:47:52 S 20531 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
16.05.2006 22:47:52 S 216 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
16.05.2006 22:47:52 S 216 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
03.06.2006 21:46:26 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\658f0dcb-e556-462e-8def-62516cf206ee
03.06.2006 21:46:26 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
25.04.2006 08:09:38 H 41637 C:\WINDOWS\system32\spool\drivers\w32x86\3\lxbkma.GID
12.06.2006 14:00:00 H 280 C:\WINDOWS\Tasks\A26C5B96918BD9A2.job
12.06.2006 14:12:10 H 6 C:\WINDOWS\Tasks\SA.DAT
05.05.2006 21:30:22 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
05.05.2006 21:30:22 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\AMUYYZWZ\desktop.ini
05.05.2006 21:30:22 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CTIN4PUN\desktop.ini
05.05.2006 21:30:22 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\OXMR85YV\desktop.ini
05.05.2006 21:30:22 HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\VC0W6TWA\desktop.ini
05.05.2006 21:30:22 HS 113 C:\WINDOWS\Temp\Verlauf\History.IE5\desktop.ini

Checking for CPL files...
Microsoft Corporation 04.08.2004 09:58:22 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04.08.2004 09:58:22 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 09:58:22 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04.08.2004 09:58:22 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04.08.2004 09:58:22 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 09:58:22 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Inprise Corp. 24.01.2002 16:25:24 351232 C:\WINDOWS\SYSTEM32\ibmgr.cpl
Ahead Software AG 22.07.2003 16:29:22 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 04.08.2004 09:58:22 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 09:58:22 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 09:58:22 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 09:58:22 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 03.06.2004 22:05:06 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 23.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 09:58:22 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 23.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04.08.2004 09:58:22 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 09:58:22 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 20.09.2004 09:09:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 23.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04.08.2004 09:58:22 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04.08.2004 09:58:22 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 16.04.2004 17:00:22 324608 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 04.08.2004 09:58:22 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 23.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 09:58:22 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04.08.2004 09:58:22 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 05:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 23.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 23.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 23.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 23.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
02.10.2004 16:16:56 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
07.02.2006 18:58:00 305 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\addr_file.html
02.10.2004 17:07:40 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
02.10.2004 16:16:56 HS 84 C:\Dokumente und Einstellungen\Helmut&Nicki\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
09.07.2005 20:15:02 1216 C:\Dokumente und Einstellungen\Helmut&Nicki\Anwendungsdaten\AdobeDLM.log
02.10.2004 17:07:40 HS 62 C:\Dokumente und Einstellungen\Helmut&Nicki\Anwendungsdaten\desktop.ini
09.07.2005 20:15:02 0 C:\Dokumente und Einstellungen\Helmut&Nicki\Anwendungsdaten\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programme\AntiVir PersonalEdition Classic\shlext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TuneUp Shredder
{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programme\TuneUp Utilities 2004\sdshelex.dll"
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programme\AntiVir PersonalEdition Classic\shlext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TuneUp Shredder
{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programme\TuneUp Utilities 2004\sdshelex.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Konsole :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Recherchieren :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}
ButtonText = ICQ Lite : C:\Programme\ICQLite\ICQLite.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar :
{855F3B16-6D32-4FE6-8A56-BBB695989046} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
TkBellExe "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
avgnt "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
Transponder C:\WINDOWS\system32\susp.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Popupstopper C:\Programme\Meaya\Popup Ad Filter\PopFilter.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 177
CDRAutoRun 1
NoDrives àÿ
NoDriveAutoRun 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 12.06.2006 14:26:22


Is that right????
Best regards, coco100
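The helper reads a log like the one above by checking its Run keys and the Winlogon\Notify list for entries that do not belong, which is how the Transponder entry starting susp.exe gets picked out and removed in the following posts. The Python below is an added example, not code from the thread, from WinPFind or from any other tool named here: it parses those two sections of a WinPFind-style log and flags Run targets that start from the Windows directory without being on a known-good baseline, random-looking file names, and Notify subkeys that are not Windows XP SP2 defaults. The baseline allowlist is a constructed stand-in, the Notify defaults are the nine subkeys present in the posted log, and the asnt3 Notify line in the sample is constructed to mirror the key removed earlier in the thread.

```python
"""Triage the Run and Winlogon\\Notify sections of a WinPFind-style log.
Added example for this thread; not part of WinPFind, Avenger or the forum's tools."""
import ntpath
import re
from typing import List, NamedTuple

# Constructed sample: lines from the posted log plus a constructed asnt3 Notify entry.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
TkBellExe "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
avgnt "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
Transponder C:\WINDOWS\system32\susp.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Popupstopper C:\Programme\Meaya\Popup Ad Filter\PopFilter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\asnt3
= asnt3.dll
"""
RUN_KEY_RE = re.compile(r"^\[HKEY_(LOCAL_MACHINE|CURRENT_USER)\\.*\\CurrentVersion\\Run(Once|OnceEx|Services|ServicesOnce)?\]$", re.I)
NOTIFY_RE = re.compile(r"\\Winlogon\\Notify\\([^\\\]]+)$", re.I)
EXE_RE = re.compile(r"\.(exe|dll|com|scr|bat|cmd|pif)\b", re.I)

WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Constructed allowlist; in practice this is the machine's known-good baseline.
KNOWN_WINDOWS_AUTORUNS = {"nvcpl.dll", "ctfmon.exe", "userinit.exe", "explorer.exe"}
# The nine Notify subkeys in the posted log, which are the Windows XP SP2 defaults.
DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                  "sclgntfy", "senslogn", "termsrv", "wlballoon"}

class Finding(NamedTuple):
    source: str         # Run key, or "Winlogon\Notify"
    name: str           # value name or Notify subkey
    target: str         # file the entry starts or loads
    reasons: List[str]

def extract_target(command: str) -> str:
    """Return the file a Run command really starts (for rundll32, its DLL argument)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1) if '"' in command[1:] else len(command)
        exe, rest = command[1:end], command[end + 1:]
    else:
        m = EXE_RE.search(command)
        exe, rest = (command[:m.end()], command[m.end():]) if m else (command, "")
    if ntpath.basename(exe).lower() == "rundll32.exe":
        return rest.strip().split(",", 1)[0].strip().strip('"')
    return exe

def suspicious_reasons(target: str) -> List[str]:
    """Heuristics for one autorun target; an empty list means nothing was flagged."""
    directory, base = ntpath.split(target.lower().replace("%systemroot%", r"c:\windows"))
    stem = ntpath.splitext(base)[0]
    reasons: List[str] = []
    if base in KNOWN_WINDOWS_AUTORUNS:
        return reasons
    if directory in WINDOWS_DIRS:
        reasons.append("starts from the Windows directory but is not a known Windows autorun")
    if len(stem) >= 6 and not re.search(r"[aeiou]", stem):
        reasons.append("random-looking file name (no vowels)")
    return reasons

def parse_log(text: str):
    """Collect (key, value name, command) from Run sections and (subkey, dll) from Notify."""
    run_entries, notify_entries = [], []
    current_key = pending_notify = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):          # a "[key]" header; only Run-type keys are kept
            current_key = line[1:-1] if RUN_KEY_RE.match(line) else None
            pending_notify = None
        elif line.upper().startswith(("HKEY_", "HKLM\\", "HKCU\\")):
            current_key = None
            m = NOTIFY_RE.search(line)    # the "= dll" value follows on the next line
            pending_notify = m.group(1) if m else None
        elif pending_notify and line.startswith("="):
            notify_entries.append((pending_notify, line[1:].strip()))
            pending_notify = None
        elif current_key:
            name, _, command = line.partition(" ")
            if command:
                run_entries.append((current_key, name, command.strip()))
    return run_entries, notify_entries

def triage(text: str) -> List[Finding]:
    """Run every entry through the checks and return only the flagged ones."""
    findings = []
    run_entries, notify_entries = parse_log(text)
    for key, name, command in run_entries:
        target = extract_target(command)
        if reasons := suspicious_reasons(target):
            findings.append(Finding(key, name, target, reasons))
    for subkey, dll in notify_entries:
        if subkey.lower() not in DEFAULT_NOTIFY:
            findings.append(Finding("Winlogon\\Notify", subkey, dll,
                                    ["Notify subkey is not a Windows XP default"]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.source}: {f.name} -> {f.target} ({'; '.join(f.reasons)})")
```

Feed the contents of a saved WinPFind.Txt to `triage()` to run it on a real log. The heuristics are deliberately coarse: they produce leads to verify by date, size and file signature, not verdicts, which is exactly the confirmation step the next posts insist on.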
12.06.2006, 14:34
Honorary member
Sabina

Posts: 29434
#37 While I look for the Purityscan:

Killbox
http://virus-protect.org/killbox.html
Options: Delete on Reboot --> tick it
and click the red cross; when it asks "Do you want to reboot?" ---- click "yes"
paste in: .....

tick: ALL FILES !!!!

c:\windows\system32\cache32_rtneg

Restart the PC
__________
Kind regards, Sabina

all about PC security
12.06.2006, 14:37
Honorary member
Sabina

Posts: 29434
#38 1.
Make hidden and system files visible
http://virus-protect.org/invisible.html

2.
Look for the w..aclt.exe by date and size, otherwise you won't find it... and don't delete the wrong one !!!

Verzeichnis von c:\WINDOWS\system32\w..aclt.exe

11.01.2005 16:11 401.408 w?aclt.exe
1 Datei(en) 401.408 Bytes
-------------------------

Restart the PC

To check:

Start > Run --> type in --> cmd.exe

and OK. Paste in and post everything that appears in the text editor

Quote

dir /s /a "c:\w?aclt*.*" > c:\find.txt & start notepad c:\find.txt

__________
Kind regards, Sabina

all about PC security
12.06.2006, 14:46
Honorary member
Sabina

Posts: 29434
#39 1.
Copy the following text into Notepad (Start - Accessories - Notepad) and save it to the desktop as sheriff.reg using 'Save as'. Set the file type to 'All files'. You should now find this file on the desktop.

Double-click the file "sheriff.reg" on the desktop.

Quote

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Transponder"=-
-----------------------------------
2.
Avenger:

Quote

Files to delete:
C:\WINDOWS\system32\susp.exe
C:\WINDOWS\SYSTEM32\70tovmto.ini
C:\WINDOWS\SYSTEM32\bln02nqv.ini
C:\WINDOWS\SYSTEM32\x.264.exe
Post the Avenger report

3.
Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'. Exit Program.

4.
Counterspy
http://virus-protect.org/counterspy.html
* after the scan you have to decide between:

*Ignore
*Remove --> Status: Deleted
*Quarantine

Always choose Remove and restart the PC (then copy the scan report
__________
Kind regards, Sabina

all about PC security
12.06.2006, 14:50
Member

Posts: 23
#40 Hello
I only have one wuaclt.exe here that those details match. Is that the one you mean????
12.06.2006, 14:52
Honorary member
Sabina

Posts: 29434
#41

Quote

coco100 posted
Hello
I only have one wuaclt.exe here that those details match. Is that the one you mean????
Check whether it was loaded on 11.1. at 16:11 and is 401.408 kb in size.
(right-click the exe and Properties)

11.01.2005 16:11 401.408 w?aclt.exe
__________
Kind regards, Sabina

all about PC security
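Posts #38 and #41 hunt a file whose name is one character short of the legitimate Windows Update client wuauclt.exe, and tell the user to identify it by date and size rather than by name. As an added example (not from the thread or from any tool it names), the Python below parses German-locale `dir` output, flags file names within one edit (insert, delete, substitute or adjacent swap) of a list of commonly imitated Windows binaries, and applies the same date-and-size confirmation. The listing is constructed: the 11.01.2005 / 16:11 / 401.408 row is the one quoted in the thread; the other rows and their sizes are invented for the example.

```python
"""Spot a look-alike system file name in German `dir` output and confirm it by
date and size, as posts #38 and #41 do by hand. Added example, not from the thread."""
import re
from typing import List, NamedTuple

# Windows binaries that malware imitates by adding, dropping or swapping one letter.
# wuauclt.exe is the Windows Update client; the file hunted above is one letter short.
PROTECTED_NAMES = ["wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe", "userinit.exe",
                   "spoolsv.exe"]

# Constructed listing: the 11.01.2005 / 16:11 / 401.408 row is the one from the
# thread; the other rows and their sizes are made up for the example.
SAMPLE_DIR_OUTPUT = r"""
 Datenträger in Laufwerk C: ist Betriebsystem
 Volumeseriennummer: 0C75-E152

 Verzeichnis von c:\WINDOWS\system32

02.10.2004  16:16    <DIR>          .
11.01.2005  16:11           401.408 wuaclt.exe
04.08.2004  09:58           113.152 wuauclt.exe
04.08.2004  09:58            14.336 svchost.exe
               3 Datei(en)        528.896 Bytes
"""

class DirEntry(NamedTuple):
    date: str
    time: str
    size: int
    name: str

class Lookalike(NamedTuple):
    entry: DirEntry
    imitates: str

# One file row of German-locale dir output: dd.mm.yyyy  hh:mm  <size with dots>  name
DIR_LINE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4})\s+(\d{2}:\d{2})\s+([\d.]+)\s+(\S.*)$")

def parse_dir_output(text: str) -> List[DirEntry]:
    """Keep only file rows; <DIR> rows and the header/footer lines do not match."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE_RE.match(line.strip())
        if m:
            date, time, size, name = m.groups()
            entries.append(DirEntry(date, time, int(size.replace(".", "")), name))
    return entries

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute
    or swap two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def find_lookalikes(entries: List[DirEntry], max_distance: int = 1) -> List[Lookalike]:
    """Names within max_distance edits of a protected name, but not equal to it."""
    hits = []
    for e in entries:
        for real in PROTECTED_NAMES:
            if e.name.lower() != real and edit_distance(e.name.lower(), real) <= max_distance:
                hits.append(Lookalike(e, real))
    return hits

def find_by_date_and_size(entries: List[DirEntry], date: str, time: str, size: int) -> List[DirEntry]:
    """The confirmation from post #41: only the row whose timestamp and size match
    the posted ones is the file to remove, whatever it is called."""
    return [e for e in entries if (e.date, e.time, e.size) == (date, time, size)]

if __name__ == "__main__":
    rows = parse_dir_output(SAMPLE_DIR_OUTPUT)
    for hit in find_lookalikes(rows):
        print(f"{hit.entry.name} looks like {hit.imitates}: "
              f"{hit.entry.date} {hit.entry.time} {hit.entry.size} bytes")
    print("confirmed:", [e.name for e in find_by_date_and_size(rows, "11.01.2005", "16:11", 401408)])
```

The edit distance is kept at 1 on purpose: at 2, legitimate names such as lsass.exe and csrss.exe would flag each other, so a larger radius needs a per-name exception list rather than a global setting.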
12.06.2006, 14:54
Member

Posts: 23
#42 Yes, it is. Should I delete it now and then keep following your instructions???

Quote

Here is the result of the check with cmd.exe
Datenträger in Laufwerk C: ist Betriebsystem
Volumeseriennummer: 0C75-E152
12.06.2006, 15:01
Honorary member
Sabina

Posts: 29434
#43 Of course ;), delete this file and work through everything else (Killbox, Avenger, reg file, Counterspy......
__________
Kind regards, Sabina

all about PC security
12.06.2006, 15:13
Member

Posts: 23
#44 I can't install Counterspy. It says I have disabled the Windows Script Host. So what have I done wrong????

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nniponpr

*******************

Script file located at: \??\C:\WINDOWS\system32\ghvlkocj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\susp.exe not found!
Deletion of file C:\WINDOWS\system32\susp.exe failed!

Could not process line:
C:\WINDOWS\system32\susp.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\70tovmto.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\bln02nqv.ini deleted successfully.
File C:\WINDOWS\SYSTEM32\i420vfw.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\x.264.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\yv12vfw.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
12.06.2006, 15:16
Honorary member
Sabina

Posts: 29434
#45 Have you already deleted c:\windows\system32\cache32_rtneg with Killbox and (ALL FILES)?

Re-enable the host via xpantispy (if you have it installed)

or

Check whether, in the registry
(Start -> Run -> regedit), under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings

there is an entry named Enabled. If so, set its value to 1 and the Scripting Host is enabled again. (then restart the PC)
__________
Kind regards, Sabina

all about PC security