HijackThis log: Wie kann ich TrustIn löschen?

#0
08.07.2006, 17:48
...neu hier

Beiträge: 4
#1 also ich glaub ich hab spyware auf meinem pc....ich bin mehr oder wenig per zufall auf diese seite gestoßen und hab mir die anleitung von hijack this durchgelesen und alles so vorgenommen wie beschrieben....hat ja auch wunderbar geklappt, nur weiss ich gar nicht was ich mit der ausgewerteten log datei anfangen soll.......
die verdächtigte datei heisst trustin...das sind drei verschiedene ordner unter dem ordner Programme.lch hab diese auch schon bei Systemstrg-->Software auch gelöscht aber nach einem neustart sind die wieder da......also hier meine log datei:

Logfile of HijackThis v1.99.1
Scan saved at 17:29:17, on 08.07.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\RWTH Aachen\Cisco VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Programme\Sophos\AutoUpdate\ALsvc.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programme\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpoofBHO Class - {07A78AEA-4A54-4967-9A60-4B68592D30C7} - C:\WINDOWS\se_spoof.dll
O2 - BHO: WeeklyExecuter Class - {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - C:\WINDOWS\inetloader.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Trust Cleaner] "C:\Programme\Trust Cleaner\Trust Cleaner.exe"
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Programme\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Download with NetPumper - C:\Programme\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: eBay - {34042179-52D4-4434-9835-873A1760F4AB} - C:\Programme\Internet Explorer\Signup\ToshibaGotoEbay.exe (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE723DF9-9045-430E-9CB6-FA5787224742}: NameServer = 195.50.140.252 195.50.140.114
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros-Konfigurationsdienst (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\RWTH Aachen\Cisco VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sophos Anti-Virus Statusreporter (SAVAdminService) - Sophos plc - c:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Programme\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Programme\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


bitte helft mir das problem zu beseitigen...
danke schonmal
mfg, og
Seitenanfang Seitenende
08.07.2006, 19:38
Member

Beiträge: 77
#2 Hallo ! hatte das selbe problem !! habe dann einfach folgendes programm durchlaufen lassen...und jetzt sind die ordner weg !!


http://virus-protect.org/artikel/tools/smitfrautfix.html


mfg,sattei
Seitenanfang Seitenende
09.07.2006, 14:10
...neu hier

Themenstarter

Beiträge: 4
#3 oh vielen dank sattei, jetzt läuft alles wieder.......;)
Seitenanfang Seitenende
10.07.2006, 12:31
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#4 og99

Information:trustInbar
http://virus-protect.org/artikel/spyware/trustInbar.html

------------------------------------------------------------------------

öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

O2 - BHO: SpoofBHO Class - {07A78AEA-4A54-4967-9A60-4B68592D30C7} - C:\WINDOWS\se_spoof.dll
O2 - BHO: WeeklyExecuter Class - {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - C:\WINDOWS\inetloader.dll

PC neustarten


ich schaue noch mal nach, ob noch was zu finden ist:

1.
stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

2.
Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html

3.
poste das log vom Silentrunner
http://virus-protect.org/silentrunner.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
12.07.2006, 20:04
Member

Beiträge: 77
#5 hi sabina...leider ist der virus auch wieder aufgetaucht...trotz smit fraud fix...das isn richtiger "Schei..." wenn ich mal so sagen darf, dieser trojaner oder was auch immer das ist !!
ich poste hier dir das da oben mal was du geschrieben hast !! hoffe du kannst mir weiterhelfen !!

greetz !!


Datfind.bat :

__________________________________________________________________

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C32-5BD2

Verzeichnis von C:\WINDOWS\system32

11.07.2006 21:08 21.504 catsrva.dll
11.07.2006 19:57 61.114 perfc009.dat
11.07.2006 19:57 399.856 perfh009.dat
11.07.2006 19:57 410.916 perfh007.dat
11.07.2006 19:57 72.192 perfc007.dat
11.07.2006 19:57 954.124 PerfStringBackup.INI
02.07.2006 20:28 2.206 wpa.dbl
02.07.2006 17:14 40.960 swsc.exe
02.07.2006 17:14 42.496 swreg.exe
02.07.2006 17:14 288.417 SrchSTS.exe
02.07.2006 17:14 53.248 Process.exe
24.06.2006 12:57 15.360 BASSMOD.dll
22.06.2006 12:47 181.248 rasmans.dll
17.06.2006 10:49 204.120 FNTCACHE.DAT
09.06.2006 03:19 5.967.776 MRT.exe
08.06.2006 17:08 3.002 CONFIG.NT
01.06.2006 20:47 163.840 jgdw400.dll
01.06.2006 20:47 27.648 jgpl400.dll
31.05.2006 11:02 624.640 aswBoot.exe
31.05.2006 10:54 90.112 AVASTSS.scr
29.05.2006 17:32 1.496.576 shdocvw.dll
19.05.2006 17:06 3.076.096 mshtml.dll
19.05.2006 15:16 1.205 lvcoinst.log
18.05.2006 07:36 450.560 jscript.dll
17.05.2006 21:20 43.520 CmdLineExt03.dll
16.05.2006 22:23 28.672 VXBLOCK.dll
16.05.2006 22:23 339.968 PxWave.dll
16.05.2006 22:23 430.080 Px.dll
16.05.2006 22:23 61.440 pxhpinst.exe
16.05.2006 22:23 56.832 pxinsa64.exe
16.05.2006 22:23 1.257.472 PxSFS.DLL
16.05.2006 22:23 57.344 pxcpya64.exe
16.05.2006 22:23 450.560 pxdrv.dll
16.05.2006 22:23 176.128 PxMas.dll
11.05.2006 10:58 104.448 xpsp3res.dll
10.05.2006 07:26 474.624 shlwapi.dll
10.05.2006 07:26 532.480 mstime.dll
10.05.2006 07:26 617.472 urlmon.dll
10.05.2006 07:26 669.184 wininet.dll
10.05.2006 07:26 39.424 pngfilt.dll
10.05.2006 07:26 146.432 msrating.dll
10.05.2006 07:26 448.512 mshtmled.dll
10.05.2006 07:26 251.904 iepeers.dll
10.05.2006 07:26 357.888 dxtmsft.dll
10.05.2006 07:26 205.312 dxtrans.dll
10.05.2006 07:26 1.056.256 danim.dll
10.05.2006 07:26 15.872 jsproxy.dll
10.05.2006 07:26 55.808 extmgr.dll
10.05.2006 07:26 96.768 inseng.dll
10.05.2006 07:26 1.022.976 browseui.dll
10.05.2006 07:26 152.064 cdfview.dll
09.05.2006 20:48 2.523 SpoonUninstall-dBpowerAMP Compaact Mp4 Codec.dat
09.05.2006 20:48 167.936 SpoonUninstall.exe
09.05.2006 20:48 27.958 SpoonUninstall-dBpowerAMP Compaact Mp4 Codec.bmp
09.05.2006 20:48 616 SpoonUninstall-dBpowerAMP FAAC Mp4 Codec.dat
09.05.2006 20:48 27.958 SpoonUninstall-dBpowerAMP FAAC Mp4 Codec.bmp
09.05.2006 20:48 2.070 SpoonUninstall-dBpowerAMP mp3PRO Input Codec.dat
09.05.2006 20:48 27.958 SpoonUninstall-dBpowerAMP mp3PRO Input Codec.bmp
09.05.2006 20:48 2.214 SpoonUninstall-dBpowerAMP Mp4 & AAC Decode Codec.dat
09.05.2006 20:48 27.958 SpoonUninstall-dBpowerAMP Mp4 & AAC Decode Codec.bmp
09.05.2006 20:47 1.869 SpoonUninstall-dBpowerAMP Nero Mp4 Codec.dat
09.05.2006 20:47 27.958 SpoonUninstall-dBpowerAMP Nero Mp4 Codec.bmp
09.05.2006 20:47 2.421 SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat
09.05.2006 20:47 33.846 SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.bmp
09.05.2006 20:47 2.177 SpoonUninstall-dBpowerAMP WMA V9 Codec.dat
09.05.2006 20:46 27.958 SpoonUninstall-dBpowerAMP WMA V9 Codec.bmp
09.05.2006 20:45 1.375 SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat
09.05.2006 20:44 33.846 SpoonUninstall-dBpowerAMP WMA V9.1 Codec.bmp
09.05.2006 20:44 2.463 SpoonUninstall-dMC mp3PRO (CLI) Encoder.dat
09.05.2006 20:44 27.958 SpoonUninstall-dMC mp3PRO (CLI) Encoder.bmp
09.05.2006 20:43 35.128 SpoonUninstall-dBpowerAMP Music Converter.dat
09.05.2006 20:42 33.846 SpoonUninstall-dBpowerAMP Music Converter.bmp
29.04.2006 06:07 5.533.696 wmp.dll
22.04.2006 23:38 58.952 MsgPlusLoader.dll
02.04.2006 12:06 6.948 jupdate-1.5.0_06-b05.log



_________________________________________________________________

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C32-5BD2

Verzeichnis von C:\DOKUME~1\Sattei\LOKALE~1\Temp

12.07.2006 19:54 483 LVCOMSX.LOG
12.07.2006 19:53 0 d987_appcompat.txt
2 Datei(en) 483 Bytes
0 Verzeichnis(se), 27.690.446.848 Bytes frei


__________________________________________________________________


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C32-5BD2

Verzeichnis von C:\WINDOWS

12.07.2006 19:56 1.626.950 WindowsUpdate.log
12.07.2006 19:50 0 0.log
12.07.2006 19:50 3.724 ModemLog_Conexant D110 MDC V.9x Modem.txt
12.07.2006 19:50 157 wiadebug.log
12.07.2006 19:50 50 wiaservc.log
12.07.2006 19:49 2.048 bootstat.dat
12.07.2006 19:48 32.612 SchedLgU.Txt
12.07.2006 17:28 1.656.400 ntbtlog.txt
11.07.2006 21:08 29.184 trustinbar.exe
11.07.2006 21:08 230.403 tpopup.exe
11.07.2006 19:48 1.519 OEWABLog.txt
11.07.2006 19:48 3.237 wmsetup.log
11.07.2006 18:59 736 win.ini
10.07.2006 16:17 54.156 QTFont.qfn
09.07.2006 17:52 1.789 setupact.log
08.07.2006 15:28 469 SYSTEM.INI
04.07.2006 19:17 116 NeroDigital.ini
04.07.2006 17:30 2.737 spupdsvc.log
03.07.2006 22:08 531.699 iis6.log
03.07.2006 22:08 145.874 comsetup.log
03.07.2006 22:08 89.175 ntdtcsetup.log
03.07.2006 22:08 20.226 tabletoc.log
03.07.2006 22:08 196.109 tsoc.log
03.07.2006 22:08 1.355 imsins.log
03.07.2006 22:08 22.931 ocmsn.log
03.07.2006 22:08 14.996 KB917734.log
03.07.2006 22:08 29.243 MedCtrOC.log
03.07.2006 22:08 70.917 netfxocm.log
03.07.2006 22:08 21.084 msgsocm.log
03.07.2006 22:08 218.978 ocgen.log
03.07.2006 22:08 419.580 FaxSetup.log
03.07.2006 22:08 148.416 msmqinst.log
03.07.2006 22:08 110.958 setupapi.log
02.07.2006 23:06 1.355 imsins.BAK
02.07.2006 23:06 21.331 KB911280.log
02.07.2006 23:06 21.530 KB918439.log
02.07.2006 23:05 22.068 KB917344.log
02.07.2006 23:05 21.660 KB917953.log
02.07.2006 23:05 37.212 KB916281.log
02.07.2006 23:05 28.415 updspapi.log
02.07.2006 23:05 20.796 KB914389.log
02.07.2006 18:26 134 PatchInstall1Debug.log
02.07.2006 10:36 107.984 War3Unin.dat
29.06.2006 22:00 1.409 QTFont.for
24.06.2006 21:58 32 go
23.06.2006 17:15 754 WORDPAD.INI
13.06.2006 17:20 151 PhotoSnapViewer.INI
23.05.2006 21:35 649 CDPLAYER.INI
20.05.2006 17:24 6.485 mozver.dat
13.05.2006 17:28 512 goldwave.ini
13.05.2006 06:39 12.703 KB900485.log
13.05.2006 06:38 12.251 KB913580.log
11.05.2006 21:20 1.066.943 setupapi.log.0.old
09.05.2006 20:46 316.640 WMSysPr9.prx
06.05.2006 14:07 34.963 DIIUnin.dat
26.04.2006 21:18 121 GEARInstall.log
15.04.2006 08:10 15.851 KB908531.log
15.04.2006 08:09 15.301 KB911562.log
15.04.2006 08:08 17.363 KB912812.log
15.04.2006 08:07 30.132 KB911565.log
15.04.2006 08:06 10.935 KB911567.log
09.04.2006 19:50 502 ODBC.INI


_________________________________________________________________


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C32-5BD2

Verzeichnis von C:\

12.07.2006 19:57 0 sys.txt
12.07.2006 19:56 13.019 system.txt
12.07.2006 19:55 349 systemtemp.txt
12.07.2006 19:55 121.033 system32.txt
12.07.2006 19:49 527.892.480 hiberfil.sys
12.07.2006 19:49 792.723.456 pagefile.sys
09.07.2006 17:53 1.483 rapport.txt
08.07.2006 15:28 311 boot.ini
26.06.2006 16:40 59 wepkeys.txt
05.06.2006 22:25 0 regdump.arm9.txt


______________________________________________________________




Silentrunner:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]
"msnmsgr" = ""C:\Programme\MSN Messenger\msnmsgr.exe" /background" [MS]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"IntelWireless" = "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Labtec Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"MessengerPlus3" = ""C:\Programme\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"ICQ Lite" = ""C:\Programme\ICQLite\ICQLite.exe" -minimize" ["ICQ Ltd."]
"Realtime Audio Engine" = "mmrtkrnl.exe" ["ALCATech"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SpySweeper" = ""C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{0D4C7057-EAD2-44C6-AD18-9092905F28F1}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ChangerBHO Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\catsrva.dll" [empty string]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Programme\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "C:\Programme\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Labtec Pictures"
-> {HKLM...CLSID} = "My Labtec Pictures"
\InProcServer32\(Default) = "C:\Programme\Logitech\Video\Namespc2.dll" ["Labtec Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
\InProcServer32\(Default) = "C:\Programme\SmartFTP Client 2.0\smarthook.dll" ["SmartFTP"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! IntelWireless\DLLName = "C:\Programme\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{FED7043D-346A-414D-ACD7-550D052499A7}\(Default) = "dBpowerAMP Column Handler"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Programme\Illustrate\dBpowerAMP\dBShell.dll" [empty string]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

HKLM\Software\Classes\scrfile\shell\open\command\(Default) = (value not set)


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Sattei\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\MARINE~1.SCR" [file not found]


Enabled Scheduled Tasks:
------------------------

"ISP-Anmeldungserinnerung 1" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /i /n:1" [MS]
"XoftSpySE" -> launches: "C:\Programme\XoftSpySE\XoftSpy.exe -t" ["ParetoLogic"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 43
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll" ["Yahoo! Inc."]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Programme\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Programme\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
EvtEng, EvtEng, "C:\Programme\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
IPv6-Hilfsdienst, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
MSSQLSERVER, MSSQLSERVER, "C:\Programme\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER" [MS]
MySql, MySql, "C:\mysql\bin\mysqld-nt.exe" [null data]
NICCONFIGSVC, NICCONFIGSVC, "C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
RegSrvc, RegSrvc, "C:\Programme\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Programme\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WLANKEEPER, WLANKEEPER, "C:\Programme\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 41 seconds, including 11 seconds for message boxes)




_______________________________________________________________________


Ahja !!

Gestern hab ich mit nem anti-Spyware prog glaub ich fast alle datein von dem gelöscht...dann habe ich die externe festplatte angeschlossen, dann hat es trustinpopup.exe oder so wieder ausgeführt ?! war das zufall !?? .... ich hab keine exe datein auf der externen platte gefunden... da waren die 2 dll datein die is vorhin mit hijackthis entfernt habe noch da !!


bitte hilf mir weiter !!

ich trau mich meine festplatte nimmer anstecken ;)
!


Sattei
Seitenanfang Seitenende
12.07.2006, 20:15
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#6 1.
Avenger:
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein:

Zitat

registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TISA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TrustIn Bar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CA3D70E-1895-11CF-8E15-001234567890}
HKEY_LOCAL_MACHINE\SOFTWARE\TrustIn Bar

Files to delete:
C:\WINDOWS\system32\catsrva.dll
C:\WINDOWS\inetloader.dll
C:\WINDOWS\se_spoof.dll
C:\WINDOWS\trustinbar.exe
C:\WINDOWS\tpopup.exe
Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

**

poste das log vom avenger, was erscheint

2.
Fixe mit dem HijacktHis:

Zitat

O2 - BHO: SpoofBHO Class - {07A78AEA-4A54-4967-9A60-4B68592D30C7} - C:\WINDOWS\se_spoof.dll
O2 - BHO: WeeklyExecuter Class - {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - C:\WINDOWS\inetloader.dll
PC neustarten

3.
roguescanfix.exe
http://www.martijnc.be/tools/roguescanfix.exe

+

eingeben -> 1






anhaken: "show log after script end" -> klicke: Execute

**
poste das Log

BFU v1.00.9
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
12.07.2006, 20:50
Member

Beiträge: 77
#7 HI,


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bindaejq

*******************

Script file located at: ursdxxoj

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!
//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\trjankqb

*******************

Script file located at: \??\C:\cxdywhsu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\catsrva.dll deleted successfully.


File C:\WINDOWS\inetloader.dll not found!
Deletion of file C:\WINDOWS\inetloader.dll failed!

Could not process line:
C:\WINDOWS\inetloader.dll
Status: 0xc0000034



File C:\WINDOWS\se_spoof.dll not found!
Deletion of file C:\WINDOWS\se_spoof.dll failed!

Could not process line:
C:\WINDOWS\se_spoof.dll
Status: 0xc0000034

File C:\WINDOWS\trustinbar.exe deleted successfully.
File C:\WINDOWS\tpopup.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xvlcwssy

*******************

Script file located at: \??\C:\Program Files\bwiskysc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\catsrva.dll not found!
Deletion of file C:\WINDOWS\system32\catsrva.dll failed!

Could not process line:
C:\WINDOWS\system32\catsrva.dll
Status: 0xc0000034



File C:\WINDOWS\inetloader.dll not found!
Deletion of file C:\WINDOWS\inetloader.dll failed!

Could not process line:
C:\WINDOWS\inetloader.dll
Status: 0xc0000034



File C:\WINDOWS\se_spoof.dll not found!
Deletion of file C:\WINDOWS\se_spoof.dll failed!

Could not process line:
C:\WINDOWS\se_spoof.dll
Status: 0xc0000034



File C:\WINDOWS\trustinbar.exe not found!
Deletion of file C:\WINDOWS\trustinbar.exe failed!

Could not process line:
C:\WINDOWS\trustinbar.exe
Status: 0xc0000034



File C:\WINDOWS\tpopup.exe not found!
Deletion of file C:\WINDOWS\tpopup.exe failed!

Could not process line:
C:\WINDOWS\tpopup.exe
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890} failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


___________________________________________________________________


Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
Seitenanfang Seitenende
12.07.2006, 21:10
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#8 nach anwendung vom brute, gibt es noch ein anderes log ..du musst also alles komplett abarbeiten
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
12.07.2006, 21:39
Member

Beiträge: 77
#9 jo;)

hier:

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 21:38:38, on 12.07.2006

Option pause between commands: 100 ms
Failed: FileDelete C:\Dokumente und Einstellungen\Sattei\Anwendungsdaten\Microsoft\Internet Explorer\QuickLaunch\SpyFalcon*.* (operation failed)
Failed: FileDelete C:\Dokumente und Einstellungen\Sattei\Anwendungsdaten\Microsoft\Internet Explorer\QuickLaunch\SpywareQuake*.* (operation failed)
Failed: FileDelete C:\Dokumente und Einstellungen\Sattei\Anwendungsdaten\Microsoft\Internet Explorer\QuickLaunch\Spyware Sherif*.* (operation failed)
Failed: FolderDelete C:\Programme\eMedia Codec (folder not found)
Failed: FolderDelete C:\Programme\Media-Codec (folder not found)
Failed: FolderDelete C:\Programme\spyfalcon (folder not found)
Failed: FolderDelete C:\Dokumente und Einstellungen\Sattei\Startmenü\Programme\SpyFalcon (folder not found)
Failed: FolderDelete C:\Dokumente und Einstellungen\Sattei\Startmenü\Programme\SpywareQuake (folder not found)
Failed: FolderDelete C:\Programme\SpywareQuake (folder not found)
Failed: FolderDelete C:\WINDOWS\system32\1024 (folder not found)
Failed: FolderDelete C:\Programme\Trust Cleaner (folder not found)
Failed: FolderDelete C:\Programme\TrustIn Contextual (folder not found)
Failed: FolderDelete C:\Programme\TrustIn Bar (folder not found)
Failed: FolderDelete C:\Programme\TrustIn Popups (folder not found)
Failed: FolderDelete C:\Programme\TrustIn Search (folder not found)
Failed: FolderDelete C:\Programme\SpywareQuake.com (folder not found)
Failed: FolderDelete C:\Programme\SpywareStrike (folder not found)
Failed: FolderDelete C:\Programme\SpyQuake2.com (folder not found)
Failed: FolderDelete C:\Dokumente und Einstellungen\Sattei\Startmenü\Programme\SpyQuake2.com (folder not found)
Script completed.


büdde !!

aber schaut so aus als ob er weg is oder??
Seitenanfang Seitenende
12.07.2006, 21:46
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#10 ja, es schaut so aus..poste das neue log vom hijackThis
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
12.07.2006, 21:53
Member

Beiträge: 77
#11 Logfile of HijackThis v1.99.1
Scan saved at 21:52:14, on 12.07.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\mysql\bin\mysqld-nt.exe
C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Programme\MessengerPlus! 3\MsgPlus.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Winamp\Winamp.exe
C:\Programme\Roguescanfix\BFU.exe
C:\WINDOWS\explorer.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Sattei\LOKALE~1\Temp\Rar$EX00.750\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ChangerBHO Class - {0D4C7057-EAD2-44C6-AD18-9092905F28F1} - C:\WINDOWS\system32\catsrva.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3B7AF3F-DFBB-4CA2-8B16-781DAE1CC583} (Weed Media Activator component) - https://www.shmedlic.com/V3/Consumer/ActivatorComponent/SML.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

also nach meiner untersuchung von dem log schauts recht gut aus !!

also...ich muss jetzt mal ein riesen lob an euch aussprechen !! das is jetzt schon das 2te mal !!

DANKE !!!! werde euch weiterempfehlen !! Und ohne dich Sabina wär ich gar nix ;)
Seitenanfang Seitenende
13.07.2006, 02:14
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#12 Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben oder reinkopieren)

{0D4C7057-EAD2-44C6-AD18-9092905F28F1}

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
Um auf dieses Thema zu ANTWORTEN
bitte erst » hier kostenlos registrieren!!

Folgende Themen könnten Dich auch interessieren: