HijackThis log: How can I delete TrustIn?
#0
08.07.2006, 17:48
...new here
Posts: 4
08.07.2006, 19:38
Member
Beiträge: 77 |
#2
Hello! I had the same problem!! I just ran the following program... and now the folders are gone!!
http://virus-protect.org/artikel/tools/smitfrautfix.html
Regards, sattei
09.07.2006, 14:10
...new here
Thread starter, Posts: 4
#3
oh, thanks a lot sattei, now everything is running again.......
10.07.2006, 12:31
Honorary member
Posts: 29434
#4
og99
Information: trustInbar http://virus-protect.org/artikel/spyware/trustInbar.html
------------------------------------------------------------------------
Open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC

O2 - BHO: SpoofBHO Class - {07A78AEA-4A54-4967-9A60-4B68592D30C7} - C:\WINDOWS\se_spoof.dll
O2 - BHO: WeeklyExecuter Class - {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - C:\WINDOWS\inetloader.dll

Restart the PC

I'll have another look to see whether anything else can be found:

1. Set up CleanUp exactly as described here: http://virus-protect.org/cleanup.html
2. Copy these 4 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html
3. Post the log from Silentrunner http://virus-protect.org/silentrunner.html
__________
Regards
Sabina
all about PC security
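As an added example (not code from the thread, from HijackThis, or from virus-protect.org), the following Python script performs the triage step Sabina does by eye on the O2 lines: it parses `O2 - BHO:` entries from a HijackThis log and flags those whose DLL is already gone (`(file missing)`, a registration left behind after the file was deleted) or whose DLL lives directly in the Windows directory rather than in a program folder or system32, as se_spoof.dll and inetloader.dll do here. The sample log is constructed from the entries quoted on this page; `bho_key()` spells out the registry key that "Fix checked" removes for an O2 entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the O2/O4 lines quoted in this thread, assembled into one log.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Programme\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: SpoofBHO Class - {07A78AEA-4A54-4967-9A60-4B68592D30C7} - C:\\WINDOWS\\se_spoof.dll
O2 - BHO: WeeklyExecuter Class - {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - C:\\WINDOWS\\inetloader.dll
O2 - BHO: ChangerBHO Class - {0D4C7057-EAD2-44C6-AD18-9092905F28F1} - C:\\WINDOWS\\system32\\catsrva.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Programme\\Java\\jre1.5.0_06\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
"""

# One O2 line: "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# A DLL directly under the Windows directory, with no subfolder. Legitimate BHOs
# install into their own program folder or system32; the TrustIn components here do not.
WINROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)

BHO_KEY_PREFIX = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


@dataclass
class Finding:
    name: str
    clsid: str
    path: str
    reason: str


def parse_o2(line: str) -> Optional[dict]:
    """Return the fields of one O2 line, or None if the line is not an O2 entry."""
    m = O2_RE.match(line.strip())
    return m.groupdict() if m else None


def bho_key(clsid: str) -> str:
    """Registry key that registers a BHO; this is what fixing an O2 entry removes."""
    return f"{BHO_KEY_PREFIX}\\{{{clsid.upper()}}}"


def triage(log_text: str) -> List[Finding]:
    """Flag O2 entries worth a closer look; entries that pass both checks are skipped."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_o2(line)
        if entry is None:
            continue
        if entry["missing"]:
            reason = "dangling registration: DLL already deleted, BHO key still present"
        elif WINROOT_RE.match(entry["path"]):
            reason = "DLL loaded directly from the Windows directory"
        else:
            continue
        findings.append(Finding(entry["name"], entry["clsid"].upper(), entry["path"], reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.clsid}  {f.name}\n    {f.path}\n    {f.reason}\n    remove: {bho_key(f.clsid)}")
```

The two heuristics are deliberately narrow: a path directly in %WINDIR% or a missing file is a reason to look, not a verdict, and the Acrobat and Java helpers in the same log pass untouched.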
12.07.2006, 20:04
Member
Posts: 77
#5
hi sabina... unfortunately the virus has shown up again... despite smitfraudfix... it's a real "sh..." if I may say so, this trojan or whatever it is!!
I'm posting here what you asked for above!! hope you can help me further!! greetz!!

Datfind.bat :
__________________________________________________________________
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C32-5BD2
Verzeichnis von C:\WINDOWS\system32
11.07.2006 21:08 21.504 catsrva.dll
11.07.2006 19:57 61.114 perfc009.dat
11.07.2006 19:57 399.856 perfh009.dat
11.07.2006 19:57 410.916 perfh007.dat
11.07.2006 19:57 72.192 perfc007.dat
11.07.2006 19:57 954.124 PerfStringBackup.INI
02.07.2006 20:28 2.206 wpa.dbl
02.07.2006 17:14 40.960 swsc.exe
02.07.2006 17:14 42.496 swreg.exe
02.07.2006 17:14 288.417 SrchSTS.exe
02.07.2006 17:14 53.248 Process.exe
24.06.2006 12:57 15.360 BASSMOD.dll
22.06.2006 12:47 181.248 rasmans.dll
17.06.2006 10:49 204.120 FNTCACHE.DAT
09.06.2006 03:19 5.967.776 MRT.exe
08.06.2006 17:08 3.002 CONFIG.NT
01.06.2006 20:47 163.840 jgdw400.dll
01.06.2006 20:47 27.648 jgpl400.dll
31.05.2006 11:02 624.640 aswBoot.exe
31.05.2006 10:54 90.112 AVASTSS.scr
29.05.2006 17:32 1.496.576 shdocvw.dll
19.05.2006 17:06 3.076.096 mshtml.dll
19.05.2006 15:16 1.205 lvcoinst.log
18.05.2006 07:36 450.560 jscript.dll
17.05.2006 21:20 43.520 CmdLineExt03.dll
16.05.2006 22:23 28.672 VXBLOCK.dll
16.05.2006 22:23 339.968 PxWave.dll
16.05.2006 22:23 430.080 Px.dll
16.05.2006 22:23 61.440 pxhpinst.exe
16.05.2006 22:23 56.832 pxinsa64.exe
16.05.2006 22:23 1.257.472 PxSFS.DLL
16.05.2006 22:23 57.344 pxcpya64.exe
16.05.2006 22:23 450.560 pxdrv.dll
16.05.2006 22:23 176.128 PxMas.dll
11.05.2006 10:58 104.448 xpsp3res.dll
10.05.2006 07:26 474.624 shlwapi.dll
10.05.2006 07:26 532.480 mstime.dll
10.05.2006 07:26 617.472 urlmon.dll
10.05.2006 07:26 669.184 wininet.dll
10.05.2006 07:26 39.424 pngfilt.dll
10.05.2006 07:26 146.432 msrating.dll
10.05.2006 07:26 448.512 mshtmled.dll
10.05.2006 07:26 251.904 iepeers.dll
10.05.2006 07:26 357.888 dxtmsft.dll
10.05.2006 07:26 205.312 dxtrans.dll
10.05.2006 07:26 1.056.256 danim.dll
10.05.2006
07:26 15.872 jsproxy.dll 10.05.2006 07:26 55.808 extmgr.dll 10.05.2006 07:26 96.768 inseng.dll 10.05.2006 07:26 1.022.976 browseui.dll 10.05.2006 07:26 152.064 cdfview.dll 09.05.2006 20:48 2.523 SpoonUninstall-dBpowerAMP Compaact Mp4 Codec.dat 09.05.2006 20:48 167.936 SpoonUninstall.exe 09.05.2006 20:48 27.958 SpoonUninstall-dBpowerAMP Compaact Mp4 Codec.bmp 09.05.2006 20:48 616 SpoonUninstall-dBpowerAMP FAAC Mp4 Codec.dat 09.05.2006 20:48 27.958 SpoonUninstall-dBpowerAMP FAAC Mp4 Codec.bmp 09.05.2006 20:48 2.070 SpoonUninstall-dBpowerAMP mp3PRO Input Codec.dat 09.05.2006 20:48 27.958 SpoonUninstall-dBpowerAMP mp3PRO Input Codec.bmp 09.05.2006 20:48 2.214 SpoonUninstall-dBpowerAMP Mp4 & AAC Decode Codec.dat 09.05.2006 20:48 27.958 SpoonUninstall-dBpowerAMP Mp4 & AAC Decode Codec.bmp 09.05.2006 20:47 1.869 SpoonUninstall-dBpowerAMP Nero Mp4 Codec.dat 09.05.2006 20:47 27.958 SpoonUninstall-dBpowerAMP Nero Mp4 Codec.bmp 09.05.2006 20:47 2.421 SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat 09.05.2006 20:47 33.846 SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.bmp 09.05.2006 20:47 2.177 SpoonUninstall-dBpowerAMP WMA V9 Codec.dat 09.05.2006 20:46 27.958 SpoonUninstall-dBpowerAMP WMA V9 Codec.bmp 09.05.2006 20:45 1.375 SpoonUninstall-dBpowerAMP WMA V9.1 Codec.dat 09.05.2006 20:44 33.846 SpoonUninstall-dBpowerAMP WMA V9.1 Codec.bmp 09.05.2006 20:44 2.463 SpoonUninstall-dMC mp3PRO (CLI) Encoder.dat 09.05.2006 20:44 27.958 SpoonUninstall-dMC mp3PRO (CLI) Encoder.bmp 09.05.2006 20:43 35.128 SpoonUninstall-dBpowerAMP Music Converter.dat 09.05.2006 20:42 33.846 SpoonUninstall-dBpowerAMP Music Converter.bmp 29.04.2006 06:07 5.533.696 wmp.dll 22.04.2006 23:38 58.952 MsgPlusLoader.dll 02.04.2006 12:06 6.948 jupdate-1.5.0_06-b05.log _________________________________________________________________ Volume in Laufwerk C: hat keine Bezeichnung. 
Volumeseriennummer: 9C32-5BD2 Verzeichnis von C:\DOKUME~1\Sattei\LOKALE~1\Temp 12.07.2006 19:54 483 LVCOMSX.LOG 12.07.2006 19:53 0 d987_appcompat.txt 2 Datei(en) 483 Bytes 0 Verzeichnis(se), 27.690.446.848 Bytes frei __________________________________________________________________ Volume in Laufwerk C: hat keine Bezeichnung. Volumeseriennummer: 9C32-5BD2 Verzeichnis von C:\WINDOWS 12.07.2006 19:56 1.626.950 WindowsUpdate.log 12.07.2006 19:50 0 0.log 12.07.2006 19:50 3.724 ModemLog_Conexant D110 MDC V.9x Modem.txt 12.07.2006 19:50 157 wiadebug.log 12.07.2006 19:50 50 wiaservc.log 12.07.2006 19:49 2.048 bootstat.dat 12.07.2006 19:48 32.612 SchedLgU.Txt 12.07.2006 17:28 1.656.400 ntbtlog.txt 11.07.2006 21:08 29.184 trustinbar.exe 11.07.2006 21:08 230.403 tpopup.exe 11.07.2006 19:48 1.519 OEWABLog.txt 11.07.2006 19:48 3.237 wmsetup.log 11.07.2006 18:59 736 win.ini 10.07.2006 16:17 54.156 QTFont.qfn 09.07.2006 17:52 1.789 setupact.log 08.07.2006 15:28 469 SYSTEM.INI 04.07.2006 19:17 116 NeroDigital.ini 04.07.2006 17:30 2.737 spupdsvc.log 03.07.2006 22:08 531.699 iis6.log 03.07.2006 22:08 145.874 comsetup.log 03.07.2006 22:08 89.175 ntdtcsetup.log 03.07.2006 22:08 20.226 tabletoc.log 03.07.2006 22:08 196.109 tsoc.log 03.07.2006 22:08 1.355 imsins.log 03.07.2006 22:08 22.931 ocmsn.log 03.07.2006 22:08 14.996 KB917734.log 03.07.2006 22:08 29.243 MedCtrOC.log 03.07.2006 22:08 70.917 netfxocm.log 03.07.2006 22:08 21.084 msgsocm.log 03.07.2006 22:08 218.978 ocgen.log 03.07.2006 22:08 419.580 FaxSetup.log 03.07.2006 22:08 148.416 msmqinst.log 03.07.2006 22:08 110.958 setupapi.log 02.07.2006 23:06 1.355 imsins.BAK 02.07.2006 23:06 21.331 KB911280.log 02.07.2006 23:06 21.530 KB918439.log 02.07.2006 23:05 22.068 KB917344.log 02.07.2006 23:05 21.660 KB917953.log 02.07.2006 23:05 37.212 KB916281.log 02.07.2006 23:05 28.415 updspapi.log 02.07.2006 23:05 20.796 KB914389.log 02.07.2006 18:26 134 PatchInstall1Debug.log 02.07.2006 10:36 107.984 War3Unin.dat 29.06.2006 22:00 1.409 
QTFont.for 24.06.2006 21:58 32 go 23.06.2006 17:15 754 WORDPAD.INI 13.06.2006 17:20 151 PhotoSnapViewer.INI 23.05.2006 21:35 649 CDPLAYER.INI 20.05.2006 17:24 6.485 mozver.dat 13.05.2006 17:28 512 goldwave.ini 13.05.2006 06:39 12.703 KB900485.log 13.05.2006 06:38 12.251 KB913580.log 11.05.2006 21:20 1.066.943 setupapi.log.0.old 09.05.2006 20:46 316.640 WMSysPr9.prx 06.05.2006 14:07 34.963 DIIUnin.dat 26.04.2006 21:18 121 GEARInstall.log 15.04.2006 08:10 15.851 KB908531.log 15.04.2006 08:09 15.301 KB911562.log 15.04.2006 08:08 17.363 KB912812.log 15.04.2006 08:07 30.132 KB911565.log 15.04.2006 08:06 10.935 KB911567.log 09.04.2006 19:50 502 ODBC.INI _________________________________________________________________ Volume in Laufwerk C: hat keine Bezeichnung. Volumeseriennummer: 9C32-5BD2 Verzeichnis von C:\ 12.07.2006 19:57 0 sys.txt 12.07.2006 19:56 13.019 system.txt 12.07.2006 19:55 349 systemtemp.txt 12.07.2006 19:55 121.033 system32.txt 12.07.2006 19:49 527.892.480 hiberfil.sys 12.07.2006 19:49 792.723.456 pagefile.sys 09.07.2006 17:53 1.483 rapport.txt 08.07.2006 15:28 311 boot.ini 26.06.2006 16:40 59 wepkeys.txt 05.06.2006 22:25 0 regdump.arm9.txt ______________________________________________________________ Silentrunner: "Silent Runners.vbs", revision 46, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"] "msnmsgr" = ""C:\Programme\MSN Messenger\msnmsgr.exe" /background" [MS] "MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"] 
"IntelWireless" = "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"] "dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"] "PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string] "LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Labtec Inc."] "IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"] "MessengerPlus3" = ""C:\Programme\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"] "SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."] "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data] "ICQ Lite" = ""C:\Programme\ICQLite\ICQLite.exe" -minimize" ["ICQ Ltd."] "Realtime Audio Engine" = "mmrtkrnl.exe" ["ALCATech"] "TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "SpySweeper" = ""C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {0D4C7057-EAD2-44C6-AD18-9092905F28F1}\(Default) = (no title provided) -> {HKLM...CLSID} = "ChangerBHO Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\catsrva.dll" [empty string] {5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided) -> {HKLM...CLSID} = "DriveLetterAccess" \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ 
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess" -> {HKLM...CLSID} = "DriveLetterAccess" \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS] "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension" -> {HKLM...CLSID} = "MCLiteShellExt Class" \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {HKLM...CLSID} = "Portable Media Devices" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1" -> {HKLM...CLSID} = "dBpShell Class" \InProcServer32\(Default) = "C:\Programme\Illustrate\dBpowerAMP\dBShell.dll" [empty string] "{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter" -> {HKLM...CLSID} = "dMCIShell Class" \InProcServer32\(Default) = "C:\Programme\Illustrate\dBpowerAMP\dMCShell.dll" [empty string] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] 
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Labtec Pictures" -> {HKLM...CLSID} = "My Labtec Pictures" \InProcServer32\(Default) = "C:\Programme\Logitech\Video\Namespc2.dll" ["Labtec Inc."] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast" -> {HKLM...CLSID} = "avast" \InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler" -> {HKLM...CLSID} = "NeroDigitalIconHandler Class" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"] "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler" -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"] "{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL" -> {HKLM...CLSID} = "SmartFTP Shell Extension DLL" \InProcServer32\(Default) = "C:\Programme\SmartFTP Client 2.0\smarthook.dll" ["SmartFTP"] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration" -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration" \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ INFECTION WARNING! 
"AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou"] HKLM\System\CurrentControlSet\Control\Session Manager\ INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"] INFECTION WARNING! IntelWireless\DLLName = "C:\Programme\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"] INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler" -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"] {FED7043D-346A-414D-ACD7-550D052499A7}\(Default) = "dBpowerAMP Column Handler" -> {HKLM...CLSID} = "dBpShell Class" \InProcServer32\(Default) = "C:\Programme\Illustrate\dBpowerAMP\dBShell.dll" [empty string] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {HKLM...CLSID} = "avast" \InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" -> {HKLM...CLSID} = "MCLiteShellExt Class" \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" -> {HKLM...CLSID} = "MCLiteShellExt Class" \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = 
"WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {HKLM...CLSID} = "avast" \InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration" \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] Default executables: -------------------- HKLM\Software\Classes\scrfile\shell\open\command\(Default) = (value not set) Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Dokumente und Einstellungen\Sattei\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\system32\MARINE~1.SCR" [file not found] Enabled Scheduled Tasks: ------------------------ "ISP-Anmeldungserinnerung 1" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /i /n:1" [MS] "XoftSpySE" -> launches: "C:\Programme\XoftSpySE\XoftSpy.exe -t" ["ParetoLogic"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS] Transport 
Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 43 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{855F3B16-6D32-4FE6-8A56-BBB695989046}" -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided) -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Messenger" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll" ["Yahoo! Inc."] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Messenger" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll" ["Yahoo! Inc."] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."] {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ "ButtonText" = "Messenger" "MenuText" = "Yahoo! 
Messenger" "CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll" ["Yahoo! Inc."] {B863453A-26C3-4E1F-A54D-A2CD196348E9}\ "ButtonText" = "ICQ Lite" "MenuText" = "ICQ Lite" "Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ Missing lines (compared with English-language version): "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided) -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ""C:\Programme\Alwil Software\Avast4\ashServ.exe"" [null data] avast! iAVS4 Control Service, aswUpdSv, ""C:\Programme\Alwil Software\Avast4\aswUpdSv.exe"" [null data] avast! Mail Scanner, avast! Mail Scanner, ""C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"] avast! Web Scanner, avast! 
Web Scanner, ""C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
EvtEng, EvtEng, "C:\Programme\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
IPv6-Hilfsdienst, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
MSSQLSERVER, MSSQLSERVER, "C:\Programme\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER" [MS]
MySql, MySql, "C:\mysql\bin\mysqld-nt.exe" [null data]
NICCONFIGSVC, NICCONFIGSVC, "C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe" ["Dell Inc."]
RegSrvc, RegSrvc, "C:\Programme\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Programme\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WLANKEEPER, WLANKEEPER, "C:\Programme\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 41 seconds, including 11 seconds for message boxes)
_______________________________________________________________________

Ah yes!! Yesterday I deleted almost all of its files with an anti-spyware program, I think... then I connected the external hard drive, and then it ran trustinpopup.exe or something again?! was that a coincidence!?? .... I didn't find any exe files on the external drive... the 2 dll files I removed earlier with HijackThis were still there!! please help me further!! I don't dare plug in my hard drive anymore!
Sattei
12.07.2006, 20:15
Honorary member
Posts: 29434
#6
1. Avenger: http://virus-protect.org/artikel/tools/avenger.html
paste this in:
Quote
registry keys to delete:
Click the green traffic light; the script is now executed, then the PC will restart automatically.
** post the Avenger log that appears
2. Fix with HijackThis:
Quote
O2 - BHO: SpoofBHO Class - {07A78AEA-4A54-4967-9A60-4B68592D30C7} - C:\WINDOWS\se_spoof.dll
Restart the PC
3. roguescanfix.exe http://www.martijnc.be/tools/roguescanfix.exe
+ enter -> tick 1: "show log after script end" -> click: Execute
** post the log BFU v1.00.9
__________
Regards
Sabina
all about PC security
12.07.2006, 20:50
Member
Posts: 77
#7
HI,
////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Error: could not create zip file. Error code: 0 ////////////////////////////////////////// Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\bindaejq ******************* Script file located at: ursdxxoj Could not open script file! Error Could not open script file! Status: 0xc000003b Abort! ////////////////////////////////////////// Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\trjankqb ******************* Script file located at: \??\C:\cxdywhsu.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\system32\catsrva.dll deleted successfully. File C:\WINDOWS\inetloader.dll not found! Deletion of file C:\WINDOWS\inetloader.dll failed! Could not process line: C:\WINDOWS\inetloader.dll Status: 0xc0000034 File C:\WINDOWS\se_spoof.dll not found! Deletion of file C:\WINDOWS\se_spoof.dll failed! Could not process line: C:\WINDOWS\se_spoof.dll Status: 0xc0000034 File C:\WINDOWS\trustinbar.exe deleted successfully. File C:\WINDOWS\tpopup.exe deleted successfully. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890} deleted successfully. Completed script processing. ******************* Finished! Terminate.////////////////////////////////////////// Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\xvlcwssy ******************* Script file located at: \??\C:\Program Files\bwiskysc.txt Script file opened successfully. 
Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\system32\catsrva.dll not found! Deletion of file C:\WINDOWS\system32\catsrva.dll failed! Could not process line: C:\WINDOWS\system32\catsrva.dll Status: 0xc0000034 File C:\WINDOWS\inetloader.dll not found! Deletion of file C:\WINDOWS\inetloader.dll failed! Could not process line: C:\WINDOWS\inetloader.dll Status: 0xc0000034 File C:\WINDOWS\se_spoof.dll not found! Deletion of file C:\WINDOWS\se_spoof.dll failed! Could not process line: C:\WINDOWS\se_spoof.dll Status: 0xc0000034 File C:\WINDOWS\trustinbar.exe not found! Deletion of file C:\WINDOWS\trustinbar.exe failed! Could not process line: C:\WINDOWS\trustinbar.exe Status: 0xc0000034 File C:\WINDOWS\tpopup.exe not found! Deletion of file C:\WINDOWS\tpopup.exe failed! Could not process line: C:\WINDOWS\tpopup.exe Status: 0xc0000034 Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890} not found! Deletion of registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890} failed! Status: 0xc0000034 Completed script processing. ******************* Finished! Terminate. ___________________________________________________________________ Export SharedTaskScheduler key ------------------------------ REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" |
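As an added example that is not part of the thread (nor of The Avenger), here is a Python helper for the verification step Sabina asks for in #6 and the two runs Sattei posted in #7: it parses Avenger's per-target result lines (`deleted successfully.`, `not found!`, and the `Status:` NTSTATUS that follows a failure) and compares two consecutive runs of the same script. A target deleted in the first run and already `not found!` in the second is confirmed gone; one deleted again in the second run has been recreated in between, which is the "it came back" symptom reported above. Both sample runs are constructed from the paths and CLSID on this page; unlike the real second run posted above, the constructed second run deletes tpopup.exe again so the respawn check is exercised.

```python
import re
from typing import Dict, Optional

# Constructed sample run, built from the Avenger lines quoted in this thread.
RUN_1 = """\
Beginning to process script file:
File C:\\WINDOWS\\system32\\catsrva.dll deleted successfully.
File C:\\WINDOWS\\inetloader.dll not found!
Deletion of file C:\\WINDOWS\\inetloader.dll failed!
Could not process line: C:\\WINDOWS\\inetloader.dll
Status: 0xc0000034
File C:\\WINDOWS\\trustinbar.exe deleted successfully.
File C:\\WINDOWS\\tpopup.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D4C7057-EAD2-44C6-AD18-9092905F28F1} deleted successfully.
Completed script processing.
"""

# Constructed second pass over the same script. tpopup.exe is deleted *again*
# (the real second run in this thread reports every target as not found).
RUN_2 = """\
Beginning to process script file:
File C:\\WINDOWS\\system32\\catsrva.dll not found!
Deletion of file C:\\WINDOWS\\system32\\catsrva.dll failed!
Could not process line: C:\\WINDOWS\\system32\\catsrva.dll
Status: 0xc0000034
File C:\\WINDOWS\\inetloader.dll not found!
Deletion of file C:\\WINDOWS\\inetloader.dll failed!
Could not process line: C:\\WINDOWS\\inetloader.dll
Status: 0xc0000034
File C:\\WINDOWS\\trustinbar.exe not found!
Deletion of file C:\\WINDOWS\\trustinbar.exe failed!
Could not process line: C:\\WINDOWS\\trustinbar.exe
Status: 0xc0000034
File C:\\WINDOWS\\tpopup.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D4C7057-EAD2-44C6-AD18-9092905F28F1} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{0D4C7057-EAD2-44C6-AD18-9092905F28F1} failed!
Status: 0xc0000034
Completed script processing.
"""

# "File <target> deleted successfully." / "Registry key <target> not found!"
RESULT_RE = re.compile(
    r"^(?P<kind>File|Registry key) (?P<target>.+?) (?P<outcome>deleted successfully\.|not found!)$"
)
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9A-Fa-f]{8})$")
# NTSTATUS seen throughout these logs: STATUS_OBJECT_NAME_NOT_FOUND.
STATUS_OBJECT_NAME_NOT_FOUND = "0xc0000034"


def parse_run(log_text: str) -> Dict[str, dict]:
    """Map every target of one Avenger run to {'kind', 'outcome', 'status'}."""
    results: Dict[str, dict] = {}
    last: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RESULT_RE.match(line)
        if m:
            outcome = "deleted" if m["outcome"].startswith("deleted") else "not found"
            results[m["target"]] = {"kind": m["kind"], "outcome": outcome, "status": None}
            last = m["target"]
            continue
        s = STATUS_RE.match(line)
        if s and last is not None:
            # A Status: line explains the most recent failure; attach it to that target.
            results[last]["status"] = s["code"].lower()
    return results


def compare_runs(first: Dict[str, dict], second: Dict[str, dict]) -> Dict[str, str]:
    """Verdict per target after running the same Avenger script twice."""
    verdicts: Dict[str, str] = {}
    for target, r1 in first.items():
        r2 = second.get(target)
        if r2 is None:
            verdicts[target] = "not re-checked"
        elif r1["outcome"] == "deleted" and r2["outcome"] == "deleted":
            verdicts[target] = "RESPAWNED"          # something recreated it between runs
        elif r1["outcome"] == "deleted":
            verdicts[target] = "removed, confirmed absent"
        elif r2["outcome"] == "deleted":
            verdicts[target] = "APPEARED"           # absent on run 1, present on run 2
        else:
            verdicts[target] = "never present"
    return verdicts


if __name__ == "__main__":
    for target, verdict in compare_runs(parse_run(RUN_1), parse_run(RUN_2)).items():
        print(f"{verdict:28} {target}")
```

A "RESPAWNED" verdict is the cue to stop deleting files and look for the component that writes them back (the Silentrunner and HijackThis autostart sections above are where that search begins); a run in which everything reads "removed, confirmed absent" or "never present" is the state Sabina is waiting for before moving on.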
12.07.2006, 21:10
Honorary member
Posts: 29434
#8
after running Brute there is another log.. so you have to work through everything completely
__________
Regards
Sabina
all about PC security
12.07.2006, 21:39
Member
Posts: 77
#9
yo
here:

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 21:38:38, on 12.07.2006
Option pause between commands: 100 ms
Failed: FileDelete C:\Dokumente und Einstellungen\Sattei\Anwendungsdaten\Microsoft\Internet Explorer\QuickLaunch\SpyFalcon*.* (operation failed)
Failed: FileDelete C:\Dokumente und Einstellungen\Sattei\Anwendungsdaten\Microsoft\Internet Explorer\QuickLaunch\SpywareQuake*.* (operation failed)
Failed: FileDelete C:\Dokumente und Einstellungen\Sattei\Anwendungsdaten\Microsoft\Internet Explorer\QuickLaunch\Spyware Sherif*.* (operation failed)
Failed: FolderDelete C:\Programme\eMedia Codec (folder not found)
Failed: FolderDelete C:\Programme\Media-Codec (folder not found)
Failed: FolderDelete C:\Programme\spyfalcon (folder not found)
Failed: FolderDelete C:\Dokumente und Einstellungen\Sattei\Startmenü\Programme\SpyFalcon (folder not found)
Failed: FolderDelete C:\Dokumente und Einstellungen\Sattei\Startmenü\Programme\SpywareQuake (folder not found)
Failed: FolderDelete C:\Programme\SpywareQuake (folder not found)
Failed: FolderDelete C:\WINDOWS\system32\1024 (folder not found)
Failed: FolderDelete C:\Programme\Trust Cleaner (folder not found)
Failed: FolderDelete C:\Programme\TrustIn Contextual (folder not found)
Failed: FolderDelete C:\Programme\TrustIn Bar (folder not found)
Failed: FolderDelete C:\Programme\TrustIn Popups (folder not found)
Failed: FolderDelete C:\Programme\TrustIn Search (folder not found)
Failed: FolderDelete C:\Programme\SpywareQuake.com (folder not found)
Failed: FolderDelete C:\Programme\SpywareStrike (folder not found)
Failed: FolderDelete C:\Programme\SpyQuake2.com (folder not found)
Failed: FolderDelete C:\Dokumente und Einstellungen\Sattei\Startmenü\Programme\SpyQuake2.com (folder not found)
Script completed.

there you go!! but it looks like it's gone, doesn't it??
12.07.2006, 21:46
Honorary member
Posts: 29434
#10
yes, it looks like it.. post the new HijackThis log
__________
Regards
Sabina
all about PC security
12.07.2006, 21:53
Member
Posts: 77
#11
Logfile of HijackThis v1.99.1
Scan saved at 21:52:14, on 12.07.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\mysql\bin\mysqld-nt.exe
C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Programme\MessengerPlus! 3\MsgPlus.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Winamp\Winamp.exe
C:\Programme\Roguescanfix\BFU.exe
C:\WINDOWS\explorer.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Sattei\LOKALE~1\Temp\Rar$EX00.750\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ChangerBHO Class - {0D4C7057-EAD2-44C6-AD18-9092905F28F1} - C:\WINDOWS\system32\catsrva.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3B7AF3F-DFBB-4CA2-8B16-781DAE1CC583} (Weed Media Activator component) - https://www.shmedlic.com/V3/Consumer/ActivatorComponent/SML.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
So from my own look at the log it looks pretty good!! So... I have to give you all a huge thank you now!! This is already the 2nd time!! THANK YOU!!!! I'll recommend you to others!! And without you, Sabina, I'd be nothing at all.
13.07.2006, 02:14
Honorary member
Posts: 29434
#12
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html and double-click it to start. In "Enter search strings" (type or paste it in) enter {0D4C7057-EAD2-44C6-AD18-9092905F28F1} in the edit box and click "Ok". Notepad will open -- copy the text and post it.
__________ Regards, Sabina, all about PC security
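As an added triage helper (my own example, not code from this thread, from HijackThis or from Registry Search): it reads lines in the HijackThis log format, lists the CLSIDs of entries whose target file is already gone (the kind of orphaned registry reference the Registry Search step above is meant to locate), and flags O4 Run values that name a bare executable without a path. The sample lines are copied from the log posted above; the line-splitting rules are my own assumption about the format.

```python
import re

# Constructed sample: a few lines in the shape of the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ChangerBHO Class - {0D4C7057-EAD2-44C6-AD18-9092905F28F1} - C:\WINDOWS\system32\catsrva.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")  # assumed line shape
AUTORUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")

def parse_entry(line):
    """Split one HijackThis line into its section code (O2, O4, ...) and body."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None

def orphaned_clsids(log_text):
    """CLSIDs of entries whose target file is gone: the registry reference
    outlived the file, which is what the Registry Search step above looks for."""
    found = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if not parsed or not parsed[1].endswith("(file missing)"):
            continue
        m = CLSID_RE.search(parsed[1])
        if m:
            found.append(m.group(0).upper())
    return found

def unqualified_autoruns(log_text):
    """Names of O4 Run entries whose command is a bare file name. Such a value
    is resolved through the search path at logon, so the log alone does not
    show which file actually runs; worth checking by hand."""
    names = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if not parsed or parsed[0] != "O4":
            continue
        m = AUTORUN_RE.search(parsed[1])
        if m:
            exe = m.group("cmd").strip().strip('"').split()[0]
            if "\\" not in exe:
                names.append(m.group("name"))
    return names
```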
The suspect file is called trustin... there are three different folders under the Programme folder. I already deleted them via Control Panel --> Software too, but after a reboot they are back again...... so here is my log file:
Logfile of HijackThis v1.99.1
Scan saved at 17:29:17, on 08.07.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\RWTH Aachen\Cisco VPN Client\cvpnd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Programme\Sophos\AutoUpdate\ALsvc.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programme\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpoofBHO Class - {07A78AEA-4A54-4967-9A60-4B68592D30C7} - C:\WINDOWS\se_spoof.dll
O2 - BHO: WeeklyExecuter Class - {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - C:\WINDOWS\inetloader.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Trust Cleaner] "C:\Programme\Trust Cleaner\Trust Cleaner.exe"
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Programme\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Download with NetPumper - C:\Programme\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: eBay - {34042179-52D4-4434-9835-873A1760F4AB} - C:\Programme\Internet Explorer\Signup\ToshibaGotoEbay.exe (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE723DF9-9045-430E-9CB6-FA5787224742}: NameServer = 195.50.140.252 195.50.140.114
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros-Konfigurationsdienst (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\RWTH Aachen\Cisco VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sophos Anti-Virus Statusreporter (SAVAdminService) - Sophos plc - c:\Programme\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Programme\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Programme\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Please help me get rid of this problem...
Thanks in advance
Regards, og