Problem mit C:\Windows\system32\scvhost.exe |
||
---|---|---|
#0
| ||
20.07.2006, 10:15
Ehrenmitglied
Beiträge: 29434 |
||
|
||
20.07.2006, 10:50
Member
Themenstarter Beiträge: 30 |
#17
So zum 1.
Bericht: Complete scanning result of "server3.exe", received in VirusTotal at 07.20.2006, 10:44:42 (CET). Antivirus Version Update Result AntiVir 6.35.0.21 07.20.2006 HEUR/Crypted Authentium 4.93.8 07.19.2006 W32/Prorat.BY@bd Avast 4.7.844.0 07.19.2006 no virus found AVG 386 07.19.2006 no virus found BitDefender 7.2 07.20.2006 BehavesLike:Win32.IRC-Backdoor CAT-QuickHeal 8.00 07.19.2006 (Suspicious) - DNAScan ClamAV devel-20060426 07.20.2006 no virus found DrWeb 4.33 07.20.2006 no virus found eTrust-InoculateIT 23.72.73 07.20.2006 no virus found eTrust-Vet 12.6.2303 07.20.2006 no virus found Ewido 4.0 07.19.2006 no virus found Fortinet 2.77.0.0 07.19.2006 suspicious F-Prot 3.16f 07.19.2006 security risk named W32/Prorat.BY@bd F-Prot4 4.2.1.29 07.19.2006 W32/Prorat.BY@bd Ikarus 0.2.65.0 07.20.2006 no virus found Kaspersky 4.0.2.24 07.20.2006 Backdoor.Win32.G_Spot.20 McAfee 4810 07.19.2006 New Malware.p Microsoft 1.1508 07.20.2006 no virus found NOD32v2 1.1668 07.19.2006 probably unknown NewHeur_PE virus Norman 5.90.23 07.20.2006 no virus found Panda 9.0.0.4 07.20.2006 Suspicious file Sophos 4.07.0 07.20.2006 no virus found Symantec 8.0 07.20.2006 no virus found TheHacker 5.9.8.178 07.19.2006 no virus found UNA 1.83 07.19.2006 no virus found VBA32 3.11.0 07.19.2006 suspected of Backdoor.xBot.15 VirusBuster 4.3.7:9 07.19.2006 no virus found Aditional Information File size: 97280 bytes MD5: a7aabf19bb0f95a7314cc1edbe42f3eb SHA1: 0a0010863fd28d9556d5c29bae6359742567aaf7 So zu Punkt 2 Beim 1. Datentr„ger in Laufwerk C: ist System Volumeseriennummer: 58CE-A961 Beim 2. Datentr„ger in Laufwerk C: ist System Volumeseriennummer: 58CE-A961 Verzeichnis von c:\mIRC\download 07.06.2006 22:42 97.280 svchost.exe 1 Datei(en) 97.280 Bytes Verzeichnis von c:\WINDOWS\system32 04.08.2004 14:00 14.336 svchost.exe 1 Datei(en) 14.336 Bytes Verzeichnis von c:\WINDOWS\system32\dllcache 04.08.2004 14:00 14.336 svchost.exe 1 Datei(en) 14.336 Bytes Anzahl der angezeigten Dateien: 3 Datei(en) 125.952 Bytes 0 Verzeichnis(se), 136.899.207.168 Bytes frei Beim 3. Datentr„ger in Laufwerk C: ist System Volumeseriennummer: 58CE-A961 Verzeichnis von c:\WINDOWS\system32\drivers 29.04.2006 16:58 40.448 Xprotector.sys 1 Datei(en) 40.448 Bytes Anzahl der angezeigten Dateien: 1 Datei(en) 40.448 Bytes 0 Verzeichnis(se), 136.899.207.168 Bytes frei |
|
|
||
20.07.2006, 11:40
Ehrenmitglied
Beiträge: 29434 |
#18
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben oder reinkopieren) Xprotector in edit und klicke "Ok". Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn. in: "Enter search strings" (reinschreiben oder reinkopieren) server3.exe in edit und klicke "Ok". Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn. in: "Enter search strings" (reinschreiben oder reinkopieren) wsock32 in edit und klicke "Ok". Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn. __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
20.07.2006, 11:46
Member
Themenstarter Beiträge: 30 |
#19
Okay^^
hier ist der 1. REGEDIT4 ; Registry Search 2.0 by Bobbi Flekman © 2005 ; Version: 2.0.1.0 ; Results at 20.07.2006 11:44:11 for strings: ; 'xprotector' ; Strings excluded from search: ; (None) ; Search in: ; Registry Keys Registry Values Registry Data ; HKEY_LOCAL_MACHINE HKEY_USERS [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XPROTECTOR] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XPROTECTOR\0000] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XPROTECTOR\0000] "Service"="XPROTECTOR" "DeviceDesc"="XPROTECTOR" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XPROTECTOR\0000\LogConf] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XPROTECTOR] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XPROTECTOR\0000] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XPROTECTOR\0000] "Service"="XPROTECTOR" "DeviceDesc"="XPROTECTOR" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XPROTECTOR\0000\LogConf] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR\0000] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR\0000] "Service"="XPROTECTOR" "DeviceDesc"="XPROTECTOR" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR\0000\LogConf] ; End Of The Log... und hier der 2. REGEDIT4 ; Registry Search 2.0 by Bobbi Flekman © 2005 ; Version: 2.0.1.0 ; Results at 20.07.2006 11:45:15 for strings: ; 'server3.exe' ; Strings excluded from search: ; (None) ; Search in: ; Registry Keys Registry Values Registry Data ; HKEY_LOCAL_MACHINE HKEY_USERS [HKEY_USERS\S-1-5-21-436374069-1757981266-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*] "d"="C:\\WINDOWS\\system32\\server3.exe" [HKEY_USERS\S-1-5-21-436374069-1757981266-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe] "a"="C:\\WINDOWS\\system32\\server3.exe" ; End Of The Log... so weiter gehts^^ hätte nie gedacht das sowas so extrem lange dauert |
|
|
||
20.07.2006, 11:48
Ehrenmitglied
Beiträge: 29434 |
#20
es fehlt noch eine ..und was beschwerst du dich...der Rechner gehoerte formatiert, du laedst froehlich backdoors ueber den mIRC.................
__________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
20.07.2006, 11:50
Member
Themenstarter Beiträge: 30 |
#21
Okay hier der letze:
REGEDIT4 ; Registry Search 2.0 by Bobbi Flekman © 2005 ; Version: 2.0.1.0 ; Results at 20.07.2006 11:49:17 for strings: ; 'wsock32' ; Strings excluded from search: ; (None) ; Search in: ; Registry Keys Registry Values Registry Data ; HKEY_LOCAL_MACHINE HKEY_USERS [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\ServiceProvider] ; Contents of value: ; %systemroot%\system32\wsock32.dll " edit (Sabina) Mhmhmh okay und was kann ich dagegen machen? Haste nen tipp für mich^^ Denn wie du sicherlich bemerkt haste habe ich wirklich keine ahnung xD |
|
|
||
20.07.2006, 11:53
Ehrenmitglied
Beiträge: 29434 |
#22
avenger
http://virus-protect.org/artikel/tools/avenger.html kopiere rein: Zitat registry keys to delete:Klicke die gruene Ampel das Script wird nun ausgeführt, dann wird der PC automatisch neustarten ** poste das log vom avenger, was nach neustart erscheint __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
20.07.2006, 11:57
Member
Themenstarter Beiträge: 30 |
#23
Okay gemacht
das kam raus Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\dvipabyl ******************* Script file located at: \??\C:\WINDOWS\system32\lcqhkujv.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XPROTECTOR deleted successfully. Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_XPROTECTOR deleted successfully. Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR not found! Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR failed! Could not process line: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XPROTECTOR Status: 0xc0000034 File C:\WINDOWS\system32\wsock32.sys not found! Deletion of file C:\WINDOWS\system32\wsock32.sys failed! Could not process line: C:\WINDOWS\system32\wsock32.sys Status: 0xc0000034 File c:\WINDOWS\system32\drivers\Xprotector.sys deleted successfully. File C:\WINDOWS\system32\server3.exe deleted successfully. File c:\mIRC\download\svchost.exe deleted successfully. Completed script processing. ******************* Finished! Terminate. |
|
|
||
20.07.2006, 12:01
Ehrenmitglied
Beiträge: 29434 |
#24
multiavtool.
http://virus-protect.org/multiavtool.html * klicke "3" - McAfee -- es erscheint ein leeres DOS-Fenster. bei der Eingabe "3" im MULTIAVTOOL muss eine Internetverbindung vorhanden sein - man muss eingeben, was gescannt werden soll - C:\Windows\System32 -> dann beginnt der Scan, man sollte dann auch scannen lassen: - C:\Windows - C:\ * klicke "6 --> der PC wird neustarten --> suche die 3 Scanreporte in C:\AV-CLS und kopiere sie __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
20.07.2006, 14:05
Member
Themenstarter Beiträge: 30 |
#25
Okay ich habe es nun alles gemacht.
Aber immer wenn ich nen scann protokoll aufrufe gibt er mir nur das letze und es ist auch nur 1 vorhanden naja ich habe es dann nochmal laufen lassen und immer danach hat er es mir ausgegeben darauf habe ich es gespeichert in einem word dokument. Ich hoffe das hat nicht irgendwas verfälscht Also fangen wir an Virus Scan Report File Virus Scan Information McAfee VirusScan for Win32 v4.40.0 Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved. (408) 988-3832 LICENSED COPY - Sep 23 2004 Scan engine v4.4.00 for Win32. Virus data file v4805 created Jul 12 2006 Scanning for 201016 viruses, trojans and variants. Virus Scan Results 07/20/2006 13:52:43 Options: "C:\WINDOWS\SYSTEM32" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML" Scanning C: [System] Scanning C:\WINDOWS\SYSTEM32\*.* Summary report on C:\WINDOWS\SYSTEM32\*.* File(s) Total files: ........... 7890 Clean: ................. 7880 Possibly Infected: ..... 0 Cleaned: ............... 0 Non-critical Error(s): 1 Time: 00:03.04 dann das 2. Virus Scan Report File Virus Scan Information McAfee VirusScan for Win32 v4.40.0 Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved. (408) 988-3832 LICENSED COPY - Sep 23 2004 Scan engine v4.4.00 for Win32. Virus data file v4805 created Jul 12 2006 Scanning for 201016 viruses, trojans and variants. Virus Scan Results 07/20/2006 13:24:35 Options: "C:\WINDOWS" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML" Scanning C: [System] Scanning C:\WINDOWS\*.* Summary report on C:\WINDOWS\*.* File(s) Total files: ........... 22548 Clean: ................. 22538 Possibly Infected: ..... 0 Cleaned: ............... 0 Non-critical Error(s): 1 Time: 00:06.52 jetzt das 3. Virus Scan Report File Virus Scan Information McAfee VirusScan for Win32 v4.40.0 Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved. (408) 988-3832 LICENSED COPY - Sep 23 2004 Scan engine v4.4.00 for Win32. Virus data file v4805 created Jul 12 2006 Scanning for 201016 viruses, trojans and variants. Virus Scan Results 07/20/2006 12:49:40 Options: "C:\" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML" Scanning C: [System] Scanning C:\*.* C:\avenger\backup.zip\SERVER3.EXE ... Found trojan or variant New Malware.p !!! Please send a copy of the file to McAfee C:\avenger\backup.zip\SVCHOST.EXE ... Found trojan or variant New Malware.p !!! Please send a copy of the file to McAfee C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Wanadoo Edition\Celtic Kings - Rage of War\Celtic Kings mit GameSpy Arcade online spielen.url ... Found potentially unwanted program Adware-Url.gen. The file or process has been deleted. C:\mIRC\download\server4.exe ... Found trojan or variant New Malware.p !!! Please send a copy of the file to McAfee The file or process has been deleted. C:\Programme\Ground Control II\gsa.url ... Found potentially unwanted program Adware-Url.gen. The file or process has been deleted. C:\Programme\ICQToolbar\toolbaru.inf ... Found potentially unwanted program Adware-Softomate. The file or process has been deleted. Summary report on C:\*.* File(s) Total files: ........... 117102 Clean: ................. 117056 Possibly Infected: ..... 3 Cleaned: ............... 0 Deleted: ............... 4 Non-critical Error(s): 3 Time: 00:30.52 So hoffe ich habe alles richtig gemacht. Neu gestartet habe ich auch^^ |
|
|
||
21.07.2006, 01:30
Ehrenmitglied
Beiträge: 29434 |
#26
haette ich mir denken koennen, dass es da noch mehr gibt.....
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als listen.bat mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden. --> die listen.bat doppelt klicken--> kopiere den Text, der erscheint Zitat cd\ __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
21.07.2006, 08:44
Member
Themenstarter Beiträge: 30 |
#27
mhmh das kam raus^^
ich hoffe das habe ich richtig gemacht weil es ging ein bisschen zu schnell xD Datentr„ger in Laufwerk C: ist System Volumeseriennummer: 58CE-A961 Verzeichnis von C:\mIRC\download 20.07.2006 12:58 <DIR> . 20.07.2006 12:58 <DIR> .. 0 Datei(en) 0 Bytes 2 Verzeichnis(se), 131.405.357.056 Bytes frei Dieser Beitrag wurde am 21.07.2006 um 09:03 Uhr von [MO] editiert.
|
|
|
||
21.07.2006, 11:10
Ehrenmitglied
Beiträge: 29434 |
#28
es waren also nur die server3.exe und server4. exe und svchost.exe drin....
ServiceFilter.zip http://virus-protect.org/artikel/tools/ServiceFilter.zip - entzippen - doppelklick auf die datei ServiceFilter.vbs - versions-nummer bestätigen - scannen - öffnen von wordpad oder editor erlauben - POST_THIS.TXT abkopieren + das log von winpfind http://virus-protect.org/winpfind.html __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
21.07.2006, 11:43
Member
Themenstarter Beiträge: 30 |
#29
So post_this hat das gesagt :
The script did not recognize the services listed below. This does not mean that they are a problem. To copy the entire contents of this document for posting: At the top of this window click "Edit" then "Select All" Next click "Edit" again then "Copy" Now right click in the forum post box then click "Paste" ######################################## ServiceFilter 1.1 by rand1038 Microsoft Windows XP Home Edition Version: 5.1.2600 Service Pack 2 Jul 21, 2006 11:36:13 ---> Begin Service Listing <--- Unknown Service # 1 Service Name: AntiVirScheduler Display Name: AntiVir Scheduler Start Mode: Auto Start Name: LocalSystem Description: Dienst zur Planung und Steuerung von Prüf- und Updateaufgaben der AntiVir PersonalEdition ... Service Type: Own Process Path: c:\programme\antivir personaledition classic\sched.exe State: Running Process ID: 288 Started: Wahr Exit Code: 0 Accept Pause: Wahr Accept Stop: Wahr Unknown Service # 2 Service Name: AntiVirService Display Name: AntiVir PersonalEdition Classic Service Start Mode: Auto Start Name: LocalSystem Description: Echtzeit Virenschutz durch H+BEDV AntiVir ... Service Type: Own Process Path: c:\programme\antivir personaledition classic\avguard.exe State: Running Process ID: 304 Started: Wahr Exit Code: 0 Accept Pause: Falsch Accept Stop: Wahr Unknown Service #3 Service Name: aspnet_state Display Name: ASP.NET State Service Start Mode: Manual Start Name: NT AUTHORITY\NetworkService Description: Provides support for out-of-process session states for ASP.NET. If this service is stopped, ... Service Type: Own Process Path: c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe State: Stopped Process ID: 0 Started: Falsch Exit Code: 1077 Accept Pause: Falsch Accept Stop: Falsch Unknown Service #4 Service Name: aswUpdSv Display Name: avast! iAVS4 Control Service Start Mode: Auto Start Name: LocalSystem Description: Bietet das automatische Update für avast! ... Service Type: Own Process Path: "c:\programme\alwil software\avast4\aswupdsv.exe" State: Running Process ID: 348 Started: Wahr Exit Code: 0 Accept Pause: Falsch Accept Stop: Wahr Unknown Service #5 Service Name: avast! Antivirus Display Name: avast! Antivirus Start Mode: Auto Start Name: LocalSystem Description: Verwaltet und implementiert avast! Antivirus Dienste für diesen Computer. Dies beinhaltet den ... Service Type: Own Process Path: "c:\programme\alwil software\avast4\ashserv.exe" State: Stopped Process ID: 0 Started: Falsch Exit Code: 0 Accept Pause: Falsch Accept Stop: Falsch Unknown Service # 6 Service Name: avast! Mail Scanner Display Name: avast! Mail Scanner Start Mode: Manual Start Name: LocalSystem Description: Implementiert Mailüberprüfung durch avast! ... Service Type: Own Process Path: "c:\programme\alwil software\avast4\ashmaisv.exe" /service State: Stopped Process ID: 0 Started: Falsch Exit Code: 1077 Accept Pause: Falsch Accept Stop: Falsch Unknown Service # 7 Service Name: avast! Web Scanner Display Name: avast! Web Scanner Start Mode: Manual Start Name: LocalSystem Description: Implementiert Internetüberprüfung (HTTP) durch avast! ... Service Type: Own Process Path: "c:\programme\alwil software\avast4\ashwebsv.exe" /service State: Stopped Process ID: 0 Started: Falsch Exit Code: 1077 Accept Pause: Falsch Accept Stop: Falsch Unknown Service # 8 Service Name: Brother XP spl Service Display Name: BrSplService Start Mode: Auto Start Name: LocalSystem Description: ... Service Type: Own Process Path: c:\windows\system32\brsvc01a.exe State: Running Process ID: 1872 Started: Wahr Exit Code: 0 Accept Pause: Wahr Accept Stop: Wahr Unknown Service # 9 Service Name: clr_optimization_v2.0.50727_32 Display Name: .NET Runtime Optimization Service v2.0.50727_X86 Start Mode: Manual Start Name: LocalSystem Description: Microsoft .NET Framework ... Service Type: Own Process Path: c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe State: Stopped Process ID: 0 Started: Falsch Exit Code: 1077 Accept Pause: Falsch Accept Stop: Falsch Unknown Service # 10 Service Name: de_serv Display Name: AVM FRITZ!web Routing Service Start Mode: Manual Start Name: LocalSystem Description: ... Service Type: Own Process Path: c:\programme\gemeinsame dateien\avm\de_serv.exe State: Stopped Process ID: 0 Started: Falsch Exit Code: 1077 Accept Pause: Falsch Accept Stop: Falsch Unknown Service #11 Service Name: Nla Display Name: NLA (Network Location Awareness) Start Mode: Boot Start Name: LocalSystem Description: Sammelt und speichert Netzwerkkonfigurations- und Standortinformationen und benachrichtigt ... Service Type: Share Process Path: \systemroot\c:\windows\system32\svchost.exe -k netsvcs State: Running Process ID: 1132 Started: Wahr Exit Code: 0 Accept Pause: Falsch Accept Stop: Wahr Unknown Service #12 Service Name: NVSvc Display Name: NVIDIA Display Driver Service Start Mode: Boot Start Name: LocalSystem Description: Provides system and desktop level support to the NVIDIA display ... Service Type: Own Process Path: \systemroot\c:\windows\system32\nvsvc32.exe State: Stopped Process ID: 0 Started: Falsch Exit Code: 1077 Accept Pause: Falsch Accept Stop: Falsch Unknown Service #13 Service Name: SharedAccess Display Name: Windows-Firewall/Gemeinsame Nutzung der Internetverbindung Start Mode: Boot Start Name: LocalSystem Description: Bietet allen Computern in Heim- und kleinen Firmennetzwerken Dienste für die ... Service Type: Share Process Path: \systemroot\c:\windows\system32\svchost.exe -k netsvcs State: Stopped Process ID: 0 Started: Falsch Exit Code: 1077 Accept Pause: Falsch Accept Stop: Falsch Unknown Service #14 Service Name: SwPrv Display Name: MS Software Shadow Copy Provider Start Mode: Manual Start Name: LocalSystem Description: Verwaltet Software-basierte Schattenkopien des Volumeschattenkopie-Dienstes. Software-basierte ... Service Type: Own Process Path: c:\windows\system32\dllhost.exe /processid:{a3b71fbd-22e2-4644-b261-884b49640181} State: Stopped Process ID: 0 Started: Falsch Exit Code: 1077 Accept Pause: Falsch Accept Stop: Falsch Unknown Service #15 Service Name: Symantec Core LC Display Name: Symantec Core LC Start Mode: Boot Start Name: LocalSystem Description: Symantec Core ... Service Type: Own Process Path: \systemroot\"c:\programme\gemeinsame dateien\symantec shared\ccpd-lc\symlcsvc.exe" State: Stopped Process ID: 0 Started: Falsch Exit Code: 1077 Accept Pause: Falsch Accept Stop: Falsch Unknown Service # 16 Service Name: TUWinStylerThemeSvc Display Name: TuneUp WinStyler Theme Service Start Mode: Manual Start Name: LocalSystem Description: ... Service Type: Own Process Path: "c:\programme\tuneup utilities 2006\winstylerthemesvc.exe" State: Stopped Process ID: 0 Started: Falsch Exit Code: 1077 Accept Pause: Falsch Accept Stop: Falsch ---> End Service Listing <--- There are 91 Win32 services on this machine. 16 were unrecognized. Script Execution Time: 0,59375 seconds. So und zum 2. Teil WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding. If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly. »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600 Internet Explorer Version: 6.0.2900.2180 »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»» Checking %SystemDrive% folder... aspack 12.09.2005 02:00:00 665816 C:\NAVEX15.SYS aspack 12.09.2005 02:00:00 963069 C:\NAVEX15.VXD aspack 12.09.2005 02:00:00 706168 C:\NAVEX32A.DLL SAHAgent 12.09.2005 02:00:00 960521 C:\VIRSCAN1.DAT FSG! 12.09.2005 02:00:00 1402652 C:\VIRSCAN8.DAT UPX! 12.09.2005 02:00:00 2661441 C:\VIRSCAN9.DAT FSG! 12.09.2005 02:00:00 2661441 C:\VIRSCAN9.DAT Checking %ProgramFilesDir% folder... Checking %WinDir% folder... UPX! 05.03.2006 19:02:30 65536 C:\WINDOWS\IFinst27.exe Checking %System% folder... UPX! 31.05.2006 11:02:04 624640 C:\WINDOWS\SYSTEM32\aswBoot.exe aspack 26.05.2005 16:34:52 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll aspack 22.07.2005 20:59:04 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll PEC2 04.08.2004 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc PTech 19.06.2006 16:19:42 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll aspack 07.07.2006 03:21:46 6757792 C:\WINDOWS\SYSTEM32\MRT.exe aspack 04.08.2004 14:00:00 733696 C:\WINDOWS\SYSTEM32\ntdll.dll Umonitor 04.08.2004 14:00:00 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll winsync 04.08.2004 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu PTech 19.06.2006 16:19:26 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe Checking %System%\Drivers folder and sub-folders... Checking the Windows folder and sub-folders for system and hidden files within the last 60 days... 21.07.2006 10:49:08 S 2048 C:\WINDOWS\bootstat.dat 21.07.2006 10:58:20 H 4212 C:\WINDOWS\system32\zllictbl.dat 29.05.2006 18:16:04 S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat 01.06.2006 22:28:44 S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat 19.06.2006 16:20:58 S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat 21.07.2006 10:57:44 H 1024 C:\WINDOWS\system32\config\default.LOG 21.07.2006 10:49:10 H 1024 C:\WINDOWS\system32\config\SAM.LOG 21.07.2006 10:50:54 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG 21.07.2006 11:39:18 H 1024 C:\WINDOWS\system32\config\software.LOG 21.07.2006 11:23:12 H 1024 C:\WINDOWS\system32\config\system.LOG 17.07.2006 01:20:32 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG 17.07.2006 01:20:48 S 558 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD 17.07.2006 01:20:48 S 146 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD 01.06.2006 20:01:36 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\f3e9469f-829c-4e2b-9ccd-248231b97317 01.06.2006 20:01:36 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred 21.07.2006 10:49:16 H 6 C:\WINDOWS\Tasks\SA.DAT Checking for CPL files... Microsoft Corporation 04.08.2004 14:00:00 70656 C:\WINDOWS\SYSTEM32\access.cpl Realtek Semiconductor Corp. 19.03.2004 04:44:32 14250496 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL Microsoft Corporation 04.08.2004 14:00:00 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl Microsoft Corporation 04.08.2004 14:00:00 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl Microsoft Corporation 04.08.2004 14:00:00 138240 C:\WINDOWS\SYSTEM32\desk.cpl Microsoft Corporation 04.08.2004 14:00:00 80384 C:\WINDOWS\SYSTEM32\firewall.cpl Microsoft Corporation 04.08.2004 14:00:00 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl Microsoft Corporation 04.08.2004 14:00:00 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl Microsoft Corporation 04.08.2004 14:00:00 133120 C:\WINDOWS\SYSTEM32\intl.cpl Microsoft Corporation 04.08.2004 14:00:00 381440 C:\WINDOWS\SYSTEM32\irprops.cpl Microsoft Corporation 04.08.2004 14:00:00 69632 C:\WINDOWS\SYSTEM32\joy.cpl Sun Microsystems, Inc. 10.11.2005 14:03:50 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl Microsoft Corporation 04.08.2004 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl Microsoft Corporation 04.08.2004 14:00:00 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl Microsoft Corporation 04.08.2004 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl Microsoft Corporation 04.08.2004 14:00:00 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl Microsoft Corporation 04.08.2004 14:00:00 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl 10.10.2005 22:49:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl Microsoft Corporation 04.08.2004 14:00:00 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl Microsoft Corporation 04.08.2004 14:00:00 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl Microsoft Corporation 04.08.2004 14:00:00 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl Microsoft Corporation 04.08.2004 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl Microsoft Corporation 04.08.2004 14:00:00 94208 C:\WINDOWS\SYSTEM32\timedate.cpl Microsoft Corporation 04.08.2004 14:00:00 148480 C:\WINDOWS\SYSTEM32\wscui.cpl Microsoft Corporation 26.05.2005 05:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl Microsoft Corporation 04.08.2004 14:00:00 70656 C:\WINDOWS\SYSTEM32\dllcache\access.cpl Microsoft Corporation 04.08.2004 14:00:00 555008 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl Microsoft Corporation 04.08.2004 14:00:00 138240 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl Microsoft Corporation 04.08.2004 14:00:00 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl Microsoft Corporation 04.08.2004 14:00:00 157184 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl Microsoft Corporation 04.08.2004 14:00:00 359424 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl Microsoft Corporation 04.08.2004 14:00:00 133120 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl Microsoft Corporation 04.08.2004 14:00:00 69632 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl Microsoft Corporation 04.08.2004 14:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl Microsoft Corporation 04.08.2004 14:00:00 625152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl Microsoft Corporation 04.08.2004 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl Microsoft Corporation 04.08.2004 14:00:00 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl Microsoft Corporation 04.08.2004 14:00:00 260096 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl Microsoft Corporation 04.08.2004 14:00:00 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl Microsoft Corporation 04.08.2004 14:00:00 117248 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl Microsoft Corporation 04.08.2004 14:00:00 159744 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl Microsoft Corporation 04.08.2004 14:00:00 303104 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl Microsoft Corporation 04.08.2004 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl Microsoft Corporation 04.08.2004 14:00:00 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl Microsoft Corporation 04.08.2004 14:00:00 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl Microsoft Corporation 26.05.2005 05:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»» Checking files in %ALLUSERSPROFILE%\Startup folder... 15.11.2005 19:41:24 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini 17.11.2005 12:26:28 1651 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Logitech SetPoint.lnk 15.11.2005 19:25:02 1714 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk Checking files in %ALLUSERSPROFILE%\Application Data folder... 15.11.2005 19:24:00 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini Checking files in %USERPROFILE%\Startup folder... 15.11.2005 19:41:24 HS 84 C:\Dokumente und Einstellungen\User_1\Startmenü\Programme\Autostart\desktop.ini 05.03.2006 12:01:40 640 C:\Dokumente und Einstellungen\User_1\Startmenü\Programme\Autostart\Xfire.lnk Checking files in %USERPROFILE%\Application Data folder... 15.11.2005 19:24:00 HS 62 C:\Dokumente und Einstellungen\User_1\Anwendungsdaten\desktop.ini 31.05.2006 14:02:12 71640 C:\Dokumente und Einstellungen\User_1\Anwendungsdaten\GDIPFONTCACHEV1.DAT 20.07.2006 13:49:50 5252 C:\Dokumente und Einstellungen\User_1\Anwendungsdaten\wklnhst.dat »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»» [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] SV1 = [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers] HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast {472083B0-C522-11CF-8763-00608CC02F24} = C:\Programme\Alwil Software\Avast4\ashShell.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu {73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IPSContMenu {EBDF1F20-C829-11D1-8233-0020AF3E97A9} = HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programme\AntiVir PersonalEdition Classic\shlext.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TuneUp Shredder {00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programme\TuneUp Utilities 2006\sdshelex.dll" HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = %SystemRoot%\system32\SHELL32.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast {472083B0-C522-11CF-8763-00608CC02F24} = C:\Programme\Alwil Software\Avast4\ashShell.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\IPSContMenu {EBDF1F20-C829-11D1-8233-0020AF3E97A9} = HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Shell Extension for Malware scanning {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programme\AntiVir PersonalEdition Classic\shlext.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu {73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\IPSContMenu {EBDF1F20-C829-11D1-8233-0020AF3E97A9} = HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TuneUp Shredder {00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programme\TuneUp Utilities 2006\sdshelex.dll" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882} = C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F} = C:\Programme\Spybot - Search & Destroy\SDHelper.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} SSVHelper Class = C:\Programme\Java\jre1.5.0_06\bin\ssv.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tipps und Tricks = %SystemRoot%\system32\shdocvw.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar] {855F3B16-6D32-4fe6-8A56-BBB695989046} = ICQ Toolbar : C:\Programme\ICQToolbar\toolbaru.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} MenuText = Sun Java Konsole : C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B205A35E-1FC4-4CE3-818B-899DBBB3388C} MenuText = : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9} ButtonText = ICQ Lite : C:\Programme\ICQLite\ICQLite.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683} ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} Explorer-Band = %SystemRoot%\system32\shdocvw.dll [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser {C4069E3A-68F1-403E-B40E-20066696354B} = : HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\system32\browseui.dll {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll {855F3B16-6D32-4FE6-8A56-BBB695989046} = ICQ Toolbar : C:\Programme\ICQToolbar\toolbaru.dll {C4069E3A-68F1-403E-B40E-20066696354B} = : [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] SoundMan SOUNDMAN.EXE NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup nwiz nwiz.exe /install NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe Logitech Hardware Abstraction Layer KHALMNPR.EXE SunJavaUpdateSched C:\Programme\Java\jre1.5.0_06\bin\jusched.exe avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe ICQ Lite "C:\Programme\ICQLite\ICQLite.exe" -minimize SunServer C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe avgnt "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min Zone Labs Client "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] IMAIL Installed = 1 MAPI Installed = 1 MSFS Installed = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] MSMSGS "C:\Programme\Messenger\msmsgs.exe" /background MsnMsgr "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background SpybotSD TeaTimer C:\Programme\Spybot - Search & Destroy\TeaTimer.exe [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] ICQ Lite C:\Programme\ICQLite\ICQLite.exe -trayboot [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run Generic Host Process C:\WINDOWS\system32\scvhost.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = {0DF44EAA-FF21-4412-828E-260A8728E7F1} = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system dontdisplaylastusername 0 legalnoticecaption legalnoticetext undockwithoutlogon 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp Disabled 0 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies] HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, Shell = explorer.exe System = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon = WgaLogon.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path Debugger = ntsd -d [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] AppInit_DLLs »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder. Scan completed on 21.07.2006 11:41:40 |
|
|
||
21.07.2006, 13:15
Ehrenmitglied
Beiträge: 29434 |
#30
1.
virustotal Oben auf der Seite --> auf Durchsuchen klicken --> mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten http://www.virustotal.com/flash/index_en.html C:\WINDOWS\IFinst27.exe poste den report --------------------------------------------------------------- 2. poste dieses log http://virus-protect.org/registry_stuff.html --------------------------------------------------------------- Gehe in die Registry Start - Ausfuehren - regedit bearbeiten - suchen - (einkopieren: ) Generic Host Process und scvhost.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run Generic Host Process <---loeschen + was du sonst noch findest. PC neustarten __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
virustotal
Oben auf der Seite --> auf Durchsuchen klicken --> die Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten
http://www.virustotal.com/flash/index_en.html
C:\WINDOWS\system32\server3.exe
poste den bericht
2.
Start > Ausfuehren --> reinschreiben --> cmd.exe
und ok. kopiere rein und poste alles, was im Texteditor erscheint
dir /s /a "c:\scvhost*.*" > c:\find.txt & start notepad c:\find.txt
dir /s /a "c:\svchost*.*" > c:\find.txt & start notepad c:\find.txt
dir /s /a "c:\XPROTECTOR*.*" > c:\find.txt & start notepad c:\find.txt
+
__________
MfG Sabina
rund um die PC-Sicherheit