Can't get rid of Pipas.A!!

#0
04.08.2006, 10:04
...new here
Posts: 6
04.08.2006, 14:27
Honorary member
Posts: 29434
#2
Please work through everything and post the logs:
http://board.protecus.de/t23188.htm
(your internet connection is being redirected to a Ukrainian server; let's see whether we can get it cleaned up... it's difficult...)
__________
Regards, Sabina
all about PC security
04.08.2006, 16:11
...new here
Thread starter Posts: 6
#3
Help, to a Ukrainian server - that sounds dreadful... how can you tell? Is there a risk regarding online banking etc.?

1) Okay, here is step 1:

Logfile of HijackThis v1.99.1
Scan saved at 16:14:16, on 04.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
D:\Security\Zonealarm\ZoneAlarm\zlclient.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe
D:\Online\VPN Client\cvpnd.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Security\Spybot - Search & Destroy\TeaTimer.exe
D:\Online\Newsticker\KlipFolio.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PGPserv.exe
C:\Programme\Siemens\Gigaset PC Card 108\GigasetWLANMonitor.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wdfmgr.exe
D:\Office\OFFICE11\OUTLOOK.EXE
C:\Programme\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Programme\Gemeinsame Dateien\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
D:\Security\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.amazon.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.arcor.de/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Security\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: GMX Toolbar - {2D1DDD38-CE4D-459b-A01C-F11BC92D5B69} - D:\Online\GMX Toolbar\GMX Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinDSL MTU-Adjust] WinDSL_MTU.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programme\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [addob32.exe] C:\WINDOWS\addob32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Security\Zonealarm\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mmtask] "C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [KlipFolio] "D:\Online\Newsticker\KlipFolio.exe" /BOOT
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office Outlook 2003.lnk = ?
O4 - Global Startup: PGPtray.exe.lnk = ?
O8 - Extra context menu item: &eBay Search - res://D:\Online\Ebay Toolbar\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Online\ICQLite\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Online\ICQLite\ICQLite\ICQLite.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{03D5B5A0-B23C-47C0-89C1-299C63F33013}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{506218DE-AE6D-4CA8-AF35-3701087E8E19}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A962D87-E491-4CB6-83D3-28199D190C17}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{C84259FC-AEE5-4EE3-8A00-22C9BA152A6F}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\..\{03D5B5A0-B23C-47C0-89C1-299C63F33013}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\System\CS2\Services\Tcpip\..\{03D5B5A0-B23C-47C0-89C1-299C63F33013}: NameServer = 85.255.116.66,85.255.112.61
O20 - AppInit_DLLs: OCMAPIHK.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: ActiveFax-Server-Service (ActiveFaxServiceNT) - Vogler Software - d:\tools\activefax\Server\ActSrvNT.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Online\VPN Client\cvpnd.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

2) + 3) Steps 2 and 3 done as well. Here is the log from step 3:

Start Time= 04.08.2006 16:30:20,51
QuickScan did not find any signs of infected files
Completion time: 04.08.2006 16:30:46,39
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt
ComboFix.2006-08-04.162928.txt
ComboFix.2006-08-04.163020.txt

4) STEP 4:

5) Step 5) Symptoms:
a) Redirection of the links that appear on Google when using IE.
b) Spybot finds "PipasA" and deletes it; afterwards it reappears exactly as before. Spybot locates the problem here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins

Thanks!!!!

This post was edited on 04.08.2006 at 16:49 by lundegaard.
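Added example, not code from the thread or from any tool it mentions: a Python triage of the O17 (NameServer) lines in a HijackThis log such as the one above, flagging hard-coded resolvers that are neither private addresses nor on an allow list and reporting which control sets (CCS, CS1, CS2) carry them. The sample log is constructed from the thread's O17 entries plus one 192.168.1.1 control line that is assumed clean.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99.1 format. The 85.255.x.x resolvers and
# the interface GUIDs are taken from the log posted above; the 192.168.1.1 line
# is a constructed clean control entry (a typical home router address).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [addob32.exe] C:\\WINDOWS\\addob32.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{03D5B5A0-B23C-47C0-89C1-299C63F33013}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{03D5B5A0-B23C-47C0-89C1-299C63F33013}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\\System\\CS2\\Services\\Tcpip\\..\\{03D5B5A0-B23C-47C0-89C1-299C63F33013}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{506218DE-AE6D-4CA8-AF35-3701087E8E19}: NameServer = 192.168.1.1
O20 - AppInit_DLLs: OCMAPIHK.DLL
"""

# HijackThis abbreviates CurrentControlSet as CCS and ControlSet00N as CSN.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[0-9., ]+)$"
)


def parse_o17(log_text):
    """Return one dict per O17 line: control set, interface GUID, resolver list."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append({"cs": m.group("cs"), "guid": m.group("guid"), "servers": servers})
    return entries


def is_expected_resolver(addr, allowed):
    """A resolver is expected if it is a private or loopback address (home
    router, local forwarder) or falls inside one of the allow-listed networks."""
    ip = ipaddress.ip_address(addr)
    if ip.is_private or ip.is_loopback:
        return True
    return any(ip in net for net in allowed)


def triage_o17(log_text, allowed_resolvers=()):
    """Group unexpected hard-coded resolvers by interface GUID and record the
    control sets that carry them. A hit in CCS *and* CS1/CS2 means a reboot
    into 'Last Known Good Configuration' would not undo the DNS change."""
    allowed = [ipaddress.ip_network(n) for n in allowed_resolvers]
    findings = defaultdict(lambda: {"servers": set(), "control_sets": set()})
    for e in parse_o17(log_text):
        bad = [s for s in e["servers"] if not is_expected_resolver(s, allowed)]
        if bad:
            findings[e["guid"]]["servers"].update(bad)
            findings[e["guid"]]["control_sets"].add(e["cs"])
    return {
        guid: {"servers": sorted(v["servers"]), "control_sets": sorted(v["control_sets"])}
        for guid, v in findings.items()
    }


if __name__ == "__main__":
    for guid, f in triage_o17(SAMPLE_LOG).items():
        print(f"{guid}: unexpected resolvers {f['servers']} in {f['control_sets']}")
```

Pass the ISP's or the organisation's real resolver ranges as `allowed_resolvers`; with an empty allow list every public hard-coded resolver is reported.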
05.08.2006, 00:20
Honorary member
Posts: 29434
#4
1.
virustotal
At the top of the page --> click Browse --> paste in the file with the correct path --> double-click the file to be checked --> click Submit... now wait
http://www.virustotal.com/flash/index_en.html
C:\WINDOWS\addob32.exe
C:\Windows\System32\OCMAPIHK.DLL
post the reports
-------------------------------------------
1.1
Then start blacklight again and have all the files it shows renamed (except C:\WINDOWS\system32\wbem\wbemtest.exe)
Then let Blacklight restart the computer.
scan --> next
change none to rename

2.
Download FixWareout
http://downloads.subratam.org/Fixwareout.exe
Fixwareout.exe --> next --> Install --> Run fixit --> Finish / the PC will restart --> C:\fixwareout\report.txt

3.
Open HijackThis -- button "scan" -- tick the boxes in front of the entries -- button "Fix checked" -- restart PC
Quote
O4 - HKLM\..\Run: [addob32.exe] C:\WINDOWS\addob32.exe
Restart PC

»» Under Network / Properties of the Internet Protocol, also tick obtain IP and DNS automatically ««

F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml
1. Click the link: "F-Secure Online Scanner Next Generation Beta".
2. You will be prompted to install an ActiveX control
3. Install this ActiveX component
4. Read the instructions and click: "Accept"
5. Click "Full System Scan"
6. Click "Show report" - copy the scan report

«« then post the new HijackThis log
__________
Regards, Sabina
all about PC security
05.08.2006, 10:38
...neu hier
Themenstarter Beiträge: 6 |
#5
1)
a) Die Datei addob32.exe war auf dem Rechner nirgendwo zu finden... b) STATUS: FINISHEDComplete scanning result of "ocmapihk.dll", received in VirusTotal at 08.05.2006, 10:34:52 (CET). Antivirus Version Update Result AntiVir 6.35.1.0 08.04.2006 no virus found Authentium 4.93.8 08.04.2006 no virus found Avast 4.7.844.0 08.04.2006 no virus found AVG 386 08.04.2006 no virus found BitDefender 7.2 08.05.2006 no virus found CAT-QuickHeal 8.00 08.04.2006 no virus found ClamAV devel-20060426 08.04.2006 no virus found DrWeb 4.33 08.05.2006 no virus found eTrust-InoculateIT 23.72.87 08.04.2006 no virus found eTrust-Vet 12.6.2324 08.04.2006 no virus found Ewido 4.0 08.04.2006 no virus found Fortinet 2.77.0.0 08.05.2006 no virus found F-Prot 3.16f 08.04.2006 no virus found F-Prot4 4.2.1.29 08.04.2006 no virus found Ikarus 0.2.65.0 08.04.2006 no virus found Kaspersky 4.0.2.24 08.05.2006 no virus found McAfee 4822 08.04.2006 no virus found Microsoft 1.1508 08.04.2006 no virus found NOD32v2 1.1693 08.05.2006 no virus found Norman 5.90.23 08.04.2006 no virus found Panda 9.0.0.4 08.04.2006 no virus found Sophos 4.08.0 08.05.2006 no virus found Symantec 8.0 08.05.2006 no virus found TheHacker 5.9.8.186 08.04.2006 no virus found UNA 1.83 08.04.2006 no virus found VBA32 3.11.0 08.04.2006 no virus found VirusBuster 4.3.7:9 08.04.2006 no virus found Aditional Information File size: 49152 bytes MD5: e45f2bb106db9de73256b8db8fd2d6fa 2) Fixwareout ver 1.003 Last edited 07/1/2006 Post this report in the forums please Reg Entries that were deleted HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\oxemd HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps ... 
Random Runs removed from HKLM "dmexo.exe"=- ... PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Example ipsec6.exe is legitimate »»»»» Search by size and names... C:\WINDOWS\SYSTEM32\CSWFYE~1.REN C:\WINDOWS\SYSTEM32\DMEXOE~1.REN »»»»» Misc files »»»»» Checking for older varients covered by the Rem3 tool »»»»» Search five digit cs, dm and jb files This WILL/CAN also list Legit Files, Submit them at Virustotal C:\WINDOWS\SYSTEM32\DMPVY.EXE 44.111 2004-08-04 C:\WINDOWS\SYSTEM32\DMTQT.EXE 44.111 2004-08-04 Other suspects Directory of C:\WINDOWS\system32 3) a) Hijackthis-Fix durchgeführt (habe nur die Einträge beseitigen lassen, die Du angezeigt hast - so hatte ich das verstanden) b) Scanreport von F-Secure: Scanning Report Saturday, August 05, 2006 11:36:21 - 12:13:28 Computer name: Scanning type: Scan system for viruses, rootkits, spyware Target: C:\ D:\ E:\ F:\ -------------------------------------------------------------------------------- Result: 3 malware found Tracking Cookie (spyware) System (Disinfected) System System -------------------------------------------------------------------------------- Statistics Scanned: Files: 20441 System: 4381 Not scanned: 3 Actions: Disinfected: 1 Renamed: 0 Deleted: 0 None: 2 Submitted: 0 Files not scanned: C:\PAGEFILE.SYS C:\WINDOWS\SYSTEM32\DRIVERS\ATAPI.SYS C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT -------------------------------------------------------------------------------- Options Scanning engines: F-Secure AVP: 6.0.171, 2006-08-04 F-Secure Libra: 2.4.1, 2006-08-02 F-Secure Orion: 1.2.37, 2006-08-04 F-Secure Blacklight: 1.0.31, 0000-00-00 F-Secure Pegasus: 1.19.0, 2006-06-05 F-Secure Draco: 1.0.35, 0259-24-212 Scanning options: Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . 
ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX Use Advanced heuristics c) Das neue Hijackthis-Logfile: Logfile of HijackThis v1.99.1 Scan saved at 12:18:21, on 05.08.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\acs.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SOUNDMAN.EXE C:\Programme\Synaptics\SynTP\SynTPLpr.exe C:\Programme\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\AGRSMMSG.exe C:\Programme\AntiVir PersonalEdition Classic\sched.exe D:\Security\Zonealarm\ZoneAlarm\zlclient.exe C:\Programme\AntiVir PersonalEdition Classic\avguard.exe C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe D:\Online\VPN Client\cvpnd.exe C:\Programme\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe D:\Security\Spybot - Search & Destroy\TeaTimer.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Programme\Siemens\Gigaset PC Card 108\GigasetWLANMonitor.exe C:\WINDOWS\system32\PGPserv.exe C:\Programme\PGP Corporation\PGP Desktop\PGPtray.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Internet Explorer\iexplore.exe C:\DOKUME~1\Thorsten\LOKALE~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe C:\DOKUME~1\Thorsten\LOKALE~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe D:\Security\Hijackthis\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = 
http://www.arcor.de R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Security\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll O3 - Toolbar: GMX Toolbar - {2D1DDD38-CE4D-459b-A01C-F11BC92D5B69} - D:\Online\GMX Toolbar\GMX Toolbar\toolbar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll O4 - HKLM\..\Run: [WinDSL MTU-Adjust] WinDSL_MTU.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programme\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [Zone Labs Client] "D:\Security\Zonealarm\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [mmtask] "C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Security\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [KlipFolio] "D:\Online\Newsticker\KlipFolio.exe" /BOOT O4 - HKCU\..\Run: [Skype] 
"C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = ? O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe O4 - Global Startup: Microsoft Office Outlook 2003.lnk = ? O4 - Global Startup: PGPtray.exe.lnk = ? O8 - Extra context menu item: &eBay Search - res://D:\Online\Ebay Toolbar\eBayTb.dll/RCSearch.html O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\Office\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Office\OFFICE11\REFIEBAR.DLL O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Online\ICQLite\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Online\ICQLite\ICQLite\ICQLite.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll O10 - Unknown file in Winsock LSP: 
c:\windows\system32\pgplsp.dll O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .mov: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll O12 - Plugin for .wav: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab O20 - AppInit_DLLs: OCMAPIHK.DLL O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe O23 - Service: ActiveFax-Server-Service (ActiveFaxServiceNT) - Vogler Software - d:\tools\activefax\Server\ActSrvNT.exe O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Online\VPN Client\cvpnd.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Danke für Dein Engagement!!! Dieser Beitrag wurde am 05.08.2006 um 12:17 Uhr von lundegaard editiert.
05.08.2006, 12:25
Honorary member
Posts: 29434
#6
1.
Fix with HijackThis:
R3 - Default URLSearchHook is missing
-----------------------------------------------------------------------
2. Avenger
http://virus-protect.org/artikel/tools/avenger.html
Copy this in:
Quote:
Files to delete:

Click the green traffic light. The script is now executed, then the PC will restart automatically.
** Post the Avenger log that appears.
3. multiavtool
http://virus-protect.org/multiavtool.html
* Click "3" - McAfee -- an empty DOS window appears.
When you enter "3" in MULTIAVTOOL, an internet connection must be available.
- You have to enter what is to be scanned - C:\Windows\System32 - then the scan starts. You should then also have it scan:
- C:\Windows
- C:\
* Click "6" --> the PC will restart --> look for the 3 scan reports in C:\AV-CLS and copy them.
4. Post the Silent Runners log
http://virus-protect.org/silentrunner.html
__________
Kind regards, Sabina
all about PC security
05.08.2006, 14:32
...new here
Thread starter Posts: 6
#7
1) Done!
2) Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fnkwtdso

*******************

Script file located at: \??\C:\WINDOWS\system32\ifiaxwny.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\DMPVY.EXE deleted successfully.
File C:\WINDOWS\SYSTEM32\DMTQT.EXE deleted successfully.

File C:\WINDOWS\system32\dmexo.exe not found!
Deletion of file C:\WINDOWS\system32\dmexo.exe failed!

Could not process line:
C:\WINDOWS\system32\dmexo.exe
Status: 0xc0000034

File C:\WINDOWS\system32\dmexo.exe.ren deleted successfully.

File C:\WINDOWS\addob32.exe not found!
Deletion of file C:\WINDOWS\addob32.exe failed!

Could not process line:
C:\WINDOWS\addob32.exe
Status: 0xc0000034

File C:\WINDOWS\system32\csflf.exe.ren not found!
Deletion of file C:\WINDOWS\system32\csflf.exe.ren failed!

Could not process line:
C:\WINDOWS\system32\csflf.exe.ren
Status: 0xc0000034

File C:\WINDOWS\system32\dmvqg.exe.ren not found!
Deletion of file C:\WINDOWS\system32\dmvqg.exe.ren failed!

Could not process line:
C:\WINDOWS\system32\dmvqg.exe.ren
Status: 0xc0000034

File C:\WINDOWS\rdt.ini not found!
Deletion of file C:\WINDOWS\rdt.ini failed!

Could not process line:
C:\WINDOWS\rdt.ini
Status: 0xc0000034

File C:\WINDOWS\balloon.wav not found!
Deletion of file C:\WINDOWS\balloon.wav failed!

Could not process line:
C:\WINDOWS\balloon.wav
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

3) a)

Options: "C:\WINDOWS\SYSTEM32" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
Scanning C: [System]
Scanning C:\WINDOWS\SYSTEM32\*.*

Summary report on C:\WINDOWS\SYSTEM32\*.*
File(s)
Total files: ........... 14643
Clean: ................. 14632
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 1
Time: 00:07.09

b)

Options: "C:\WINDOWS" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"
Scanning C: [System]
Scanning C:\WINDOWS\*.*

Summary report on C:\WINDOWS\*.*
File(s)
Total files: ........... 28858
Clean: ................. 28844
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 1
Time: 00:11.49

4) Silent Runners log:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SpybotSD TeaTimer" = "D:\Security\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"KlipFolio" = ""D:\Online\Newsticker\KlipFolio.exe" /BOOT" ["Serence Inc."]
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WinDSL MTU-Adjust" = "WinDSL_MTU.exe" ["Engel Technologieberatung, Entwicklung/Verkauf von Soft- und Hardware KG"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"PRONoMgr.exe" = "C:\Programme\Intel\NCS\PROSet\PRONoMgr.exe" ["Intel(R) Corporation"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"(Default)" = (empty string)
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"Zone Labs Client" = ""D:\Security\Zonealarm\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"Samsung Common SM" = ""C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun" ["Samsung Electronics."]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"mmtask" = ""C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe"" ["Musicmatch Inc."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\Security\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                   \InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Tools\WinRar\rarext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\Office\OFFICE11\msohev.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{36518101-49AC-42CB-8E4C-40C1F328A565}" = "Rad2 Extension"
  -> {HKLM...CLSID} = "RadPropExt2 Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Rad.dll" [empty string]
"{5380C14E-C0A1-4D66-87DB-5995E6FF4623}" = "Rad Extension"
  -> {HKLM...CLSID} = "RadPropExt Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Rad.dll" [empty string]
"{75B8D633-9021-442C-9EA4-FF4BE72CE20F}" = "NRad2 Extension"
  -> {HKLM...CLSID} = "NRadExt2 Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\NRad.dll" [empty string]
"{C6844A1E-2C59-415A-84B3-C6A458372779}" = "RadType Extension"
  -> {HKLM...CLSID} = "RadTypeExt Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\RadType.dll" [empty string]
"{D00900BC-23F7-4FD6-BFA2-8232112C5C49}" = "NRad Extension"
  -> {HKLM...CLSID} = "NRadExt Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\NRad.dll" [empty string]
"{D2FD83AE-994A-4D4B-9097-2C9E11ED85F0}" = "RadClkr Extension"
  -> {HKLM...CLSID} = "RadClkRExt Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\RadClkR.dll" [empty string]
"{7700EB62-DB7C-47AF-A092-04376CA1D24C}" = "RadMnu Extension"
  -> {HKLM...CLSID} = "RadMnuExt Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\RadMnu.dll" [empty string]
"{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile"
  -> {HKLM...CLSID} = "Mobile"
                   \InProcServer32\(Default) = "D:\Tools\S 55\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile ContextMenuHandler"
  -> {HKLM...CLSID} = "Mobile ContextMenuHandler"
                   \InProcServer32\(Default) = "D:\Tools\S 55\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile PropertySheetHandler"
  -> {HKLM...CLSID} = "Mobile PropertySheetHandler"
                   \InProcServer32\(Default) = "D:\Tools\S 55\DES\DESShellExt.dll" ["Siemens AG"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "D:\Online\ICQLite\ICQLite\ICQLiteShell.dll" [empty string]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson Datei-Manager"
  -> {HKLM...CLSID} = "Sony Ericsson Datei-Manager"
                   \InProcServer32\(Default) = "D:\Tools\Sony Ericsson\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "D:\Office\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
                   \InProcServer32\(Default) = "D:\Office\OFFICE11\OLKFSTUB.DLL" [MS]
"{969223c0-26aa-11d0-90ee-444553540000}" = "Shell Extension"
  -> {HKLM...CLSID} = "PGP Shell Extension"
                   \InProcServer32\(Default) = "pgpmn.dll" ["PGP Corporation"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{35B2861B-2B26-4691-9FF0-09083722C736}" = "RadExe Extension"
  -> {HKLM...CLSID} = "RadExeExt Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\RadExe.dll" [empty string]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "OCMAPIHK.DLL" ["PGP Corporation"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "D:\Online\ICQLite\ICQLite\ICQLiteShell.dll" [empty string]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Tools\WinRar\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "D:\Online\ICQLite\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Tools\WinRar\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Tools\WinRar\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\scrnsave.scr" [MS]


Startup items in "Thorsten" & "All Users" startup folders:
----------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Gigaset WLAN Adapter Monitor" -> shortcut to: "C:\Programme\Siemens\Gigaset PC Card 108\GigasetWLANMonitor.exe" [empty string]
"Logitech SetPoint" -> shortcut to: "C:\Programme\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
"Microsoft Office Outlook 2003" -> shortcut to: "C:\WINDOWS\Installer\{90110407-6000-11D3-8CFE-0150048383C9}\outicon.exe" [null data]
"PGPtray.exe" -> shortcut to: "C:\WINDOWS\Installer\{E0CB4638-45BE-42B4-8D63-B6DA4C9F778B}\Icon6560581611.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\PGPlsp.dll ["PGP Corporation"], 01 - 03, 10
%SystemRoot%\system32\mswsock.dll [MS], 04 - 07, 11 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 08 - 09


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]
"{2D1DDD38-CE4D-459B-A01C-F11BC92D5B69}"
  -> {HKLM...CLSID} = "GMX Toolbar"
                   \InProcServer32\(Default) = "D:\Online\GMX Toolbar\GMX Toolbar\toolbar.dll" ["GMX GmbH"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2D1DDD38-CE4D-459B-A01C-F11BC92D5B69}" = (no title provided)
  -> {HKLM...CLSID} = "GMX Toolbar"
                   \InProcServer32\(Default) = "D:\Online\GMX Toolbar\GMX Toolbar\toolbar.dll" ["GMX GmbH"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "D:\Online\ICQLite\ICQLite\ICQLite.exe" ["ICQ Ltd."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Atheros Configuration Service, ACS, "C:\WINDOWS\system32\acs.exe" [null data]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Cisco Systems, Inc. VPN Service, CVPND, ""D:\Online\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
HTTP-SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
PGPserv, PGPserv, "C:\WINDOWS\system32\PGPserv.exe" ["PGP Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
ActiveFax Port\Driver = "ACTMONNT.DLL" ["Vogler Software"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PDF-XChange\Driver = "pxc25pm.dll" ["Tracker Software"]
SSGB3 Langmon\Driver = "ssgb3mon.dll" ["Samsung Electronics."]
SUGS1 Langmon\Driver = "SUGS1LMK.DLL" ["Samsung Electronics."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 37 seconds, including 16 seconds for message boxes)

This post was edited on 05.08.2006 at 16:31 by lundegaard.
05.08.2006, 15:34
Honorary member
Posts: 29434
#8
Everything should be in order again. Delete the Avenger backup, scan once more with FixWareout (nothing may be shown any more; the same goes for BlackLight),
scan once more with Spybot.
__________
Kind regards, Sabina
all about PC security
05.08.2006, 16:47
...new here
Thread starter Posts: 6
#9
Awesome - a thousand thanks, you are really incredibly good!
1) Here is the Fixwareout log: it DID still show something - but I had also set a new start page in IE before that, maybe that is why...

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSWFYE~1.REN

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»» Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects
Directory of C:\WINDOWS\system32

2. Blacklight found nothing...
3. What do I do with all the programs I have downloaded for this now... Just delete them?
Best regards
05.08.2006, 20:15
Honorary member
Posts: 29434
#10
Keep them... as a reminder... in a folder called "Security".
Scan with Panda and post the report
http://virus-protect.org/onlinescan.html
__________
Kind regards, Sabina
all about PC security
06.08.2006, 12:39
...new here
Thread starter Posts: 6
#11
1) The Panda report:

Incident Status Location
Virus:Trj/Ruins.MB Disinfected C:\WINDOWS\system32cswfy.exe.ren

So it found the file that BlackLight had renamed... does that mean the Panda scan could have found and removed Pipas.A / Ruins directly?
2) How can I prevent this kind of junk? I use IE... I also still have Mozilla on the machine, but I practically never use it. If I do use it - are there special security settings I can use as a precaution? I already have ZoneAlarm...
Awesome how you solved this, Sabina.
For some time now Spybot has been telling me that there is a thing called "Pipas.A" on my computer. As soon as I remove it with Spybot, it is back again. Ad-Aware and AntiVir do not detect it at all.
Since then - when I use IE - my Google links are redirected to some advertising pages.
How did I catch this thing? No idea whatsoever.
Yes, I know, Pipas.A has already been a topic here. But I really don't know enough about computers to be able to transfer what was posted there to my machine and to recognise the problem in whatever lines HijackThis or BlackLight spit out. That is why I am asking those of you who know about this for help. I have the programs BlackLight, HijackThis, Spybot, Ad-Aware and AntiVir.
This is the file that BlackLight produced:
08/04/06 10:03:52 [Info]: BlackLight Engine 1.0.37 initialized
08/04/06 10:03:52 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/04/06 10:03:52 [Note]: 7019 4
08/04/06 10:03:52 [Note]: 7005 0
08/04/06 10:03:55 [Note]: 7006 0
08/04/06 10:03:55 [Note]: 7011 1048
08/04/06 10:03:55 [Note]: 7026 0
08/04/06 10:03:55 [Note]: 7026 0
08/04/06 10:04:02 [Note]: FSRAW library version 1.7.1015
08/04/06 10:04:44 [Info]: Hidden file: c:\WINDOWS\system32\csflf.exe
08/04/06 10:04:44 [Note]: 7002 32
08/04/06 10:04:44 [Note]: 7003 1
08/04/06 10:04:44 [Note]: 10002 1
08/04/06 10:04:47 [Info]: Hidden file: c:\WINDOWS\system32\dmvqg.exe
08/04/06 10:04:47 [Note]: 7002 32
08/04/06 10:04:47 [Note]: 7003 1
08/04/06 10:04:47 [Note]: 10002 1
08/04/06 10:05:34 [Info]: Hidden file: c:\WINDOWS\system32\wbem\wbemtest.exe
08/04/06 10:05:34 [Note]: 10002 1
08/04/06 10:06:16 [Note]: 2000 1006
Thanks in advance to all helpers!!
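As an added example (not code from this thread, from F-Secure BlackLight or from Fixwareout), the following Python script applies to the BlackLight "Hidden file" lines posted above the same check that the Fixwareout log in post #9 describes ("Search five digit cs, dm and jb files"): a random five-letter name starting with cs, dm or jb, as in csflf.exe, dmvqg.exe, DMPVY.EXE and the renamed cswfy.exe.ren seen in this thread. Assumptions of the example are the regular expressions, the allowlist containing wbemtest.exe (the WMI test tool, which the posted log also lists as hidden), and the sample log, which is constructed from the lines in this post.

```python
"""Triage the "Hidden file" entries of a BlackLight log.

Added example for this thread; not code from the forum, from F-Secure
BlackLight or from Fixwareout. It extracts the paths BlackLight reports
as hidden and applies the Fixwareout naming heuristic quoted in the thread
(five-letter names starting with cs, dm or jb).
"""
from __future__ import annotations

import re

# Constructed sample: the BlackLight lines from the first post, trimmed.
SAMPLE_LOG = r"""
08/04/06 10:03:52 [Info]: BlackLight Engine 1.0.37 initialized
08/04/06 10:03:52 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/04/06 10:04:44 [Info]: Hidden file: c:\WINDOWS\system32\csflf.exe
08/04/06 10:04:44 [Note]: 7002 32
08/04/06 10:04:47 [Info]: Hidden file: c:\WINDOWS\system32\dmvqg.exe
08/04/06 10:05:34 [Info]: Hidden file: c:\WINDOWS\system32\wbem\wbemtest.exe
08/04/06 10:06:16 [Note]: 2000 1006
""".strip()

# "<date> <time> [Info]: Hidden file: <path>" -- only these lines carry a path.
HIDDEN_FILE_RE = re.compile(r"^\S+ \S+ \[Info\]: Hidden file: (?P<path>.+?)\s*$")

# Fixwareout heuristic (assumed regex): cs/dm/jb plus three more letters, .exe,
# optionally already renamed to .exe.ren by BlackLight, as cswfy.exe.ren was.
RANDOM_NAME_RE = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe(\.ren)?$", re.IGNORECASE)

# Assumption of this example: legitimate Windows binaries that BlackLight may
# still list as hidden. The posted log shows wbemtest.exe (the WMI test tool).
KNOWN_GOOD = {"wbemtest.exe"}


def basename(path: str) -> str:
    """Return the file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def hidden_files(log_text: str) -> list[str]:
    """Extract the paths BlackLight reported as hidden, in log order."""
    paths = []
    for line in log_text.splitlines():
        m = HIDDEN_FILE_RE.match(line.strip())
        if m:
            paths.append(m.group("path"))
    return paths


def classify(path: str) -> str:
    """Label one hidden file: 'known-good', 'suspicious' or 'review'.

    'review' means the name matches neither list and needs a human look,
    for example an upload to an online scanner, as Fixwareout itself advises.
    """
    name = basename(path).lower()
    if name in KNOWN_GOOD:
        return "known-good"
    if RANDOM_NAME_RE.match(name):
        return "suspicious"
    return "review"


def triage(log_text: str) -> dict[str, str]:
    """Map every hidden file in the log to its label."""
    return {path: classify(path) for path in hidden_files(log_text)}


def suspicious_files(log_text: str) -> list[str]:
    """Only the paths that match the random-name heuristic."""
    return [p for p, label in triage(log_text).items() if label == "suspicious"]


if __name__ == "__main__":
    for path, label in triage(SAMPLE_LOG).items():
        print(f"{label:10} {path}")
```

Run against the sample, the two random-named files in system32 come out as "suspicious" and wbemtest.exe as "known-good"; anything else BlackLight hides lands in "review" rather than being silently trusted or condemned, which is the same caution Fixwareout's own "There WILL be LEGIT FILES LISTED" note asks for.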