Another critical system error problem ...
27.09.2006, 23:42
...new here
Posts: 7
28.09.2006, 15:04
Honorary member
Posts: 29434
#2
1. Download codec.zip, unzip it on the desktop, double-click it and add the reg file to the registry: http://virus-protect.org/zip/codec.zip

2. Avenger http://virus-protect.org/artikel/tools/avenger.html
copy this in:
Quote
registry keys to delete:
Click the green traffic light; the script will now run, and then the PC will restart automatically.
** post the Avenger log that appears after the restart

** scan with SmitFraudFix http://virus-protect.org/artikel/tools/smitfrautfix.html (options 1 and 2) and also let it clean the registry
post both scan reports

«« open HijackThis -- button "Scan" -- tick the malware entries -- button "Fix checked" -- restart the PC
Quote
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
restart the PC

** new start page
Go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet Files click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings, confirm with Yes if asked --> click Apply and finally OK, and set a new start page.

+++ scan with CounterSpy; after the scan set everything to remove and post the scan report http://virus-protect.org/counterspy.html
__________
Regards, Sabina
all about PC security
29.09.2006, 00:20
...new here
Thread starter, Posts: 7
#3
Hello,
many thanks so far; I'm afraid not everything worked. Avenger produced quite a lot of error messages. I'm also afraid I've lost a SmitFraudFix file. And HijackThis doesn't offer me any of the entries mentioned.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 1813
Line: HKEY_CURRENT_USER\Software\WinAntiVirus Pro 2006

//////////////////////////////////////////

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mjcpjpcd

*******************

Script file located at: \??\C:\WINDOWS\llcpklwi.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vspf_hk deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vspf deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FWSvc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FWSvc failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FWSvc
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FWSvc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FWSvc failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FWSvc
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FWSvc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FWSvc failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FWSvc
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FWSVC not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FWSVC failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FWSVC
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FOPN not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FOPN failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FOPN
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FOPN not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FOPN failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FOPN
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FOPN not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FOPN failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FOPN
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FOPN not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FOPN failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FOPN
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\vspf5.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\vspf5.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\vspf5.sys
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\vspf_hk5.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\vspf_hk5.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\vspf_hk5.sys
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\fopn.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\fopn.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\fopn.sys
Status: 0xc0000034

File C:\WINDOWS\system32\av.cpl not found!
Deletion of file C:\WINDOWS\system32\av.cpl failed!
Could not process line:
C:\WINDOWS\system32\av.cpl
Status: 0xc0000034

File C:\WINDOWS\system32\stera.log deleted successfully.

File C:\WINDOWS\system32\stera.exe not found!
Deletion of file C:\WINDOWS\system32\stera.exe failed!
Could not process line:
C:\WINDOWS\system32\stera.exe
Status: 0xc0000034

File C:\WINDOWS\system32\stera.job deleted successfully.
File C:\WINDOWS\system32\atl71.dll deleted successfully.
File C:\WINDOWS\system32\SpOrder.dll deleted successfully.
File C:\WINDOWS\system32\msvcp71.dll deleted successfully.
File C:\WINDOWS\system32\msvcr71.dll deleted successfully.
File C:\WINDOWS\system32\mfc71.dll deleted successfully.
File C:\WINDOWS\system32\titiau.dll deleted successfully.
File C:\WINDOWS\zkoam.dll deleted successfully.
Folder C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006 deleted successfully.
Folder C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\WinAntiVirus Pro 2006 deleted successfully.

Folder C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\WinSoftware not found!
Deletion of folder C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\WinSoftware failed!
Could not process line:
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\WinSoftware
Status: 0xc0000034

Folder C:\Programme\WinAntiVirus Pro 2006 deleted successfully.

Folder C:\Programme\Common Files\WinAntiVirus Pro 2006 not found!
Deletion of folder C:\Programme\Common Files\WinAntiVirus Pro 2006 failed!
Could not process line:
C:\Programme\Common Files\WinAntiVirus Pro 2006
Status: 0xc0000034

Folder C:\Programme\Common Files\Companion Wizard deleted successfully.
Folder C:\Programme\WinMediaCodec deleted successfully.
Folder C:\Programme\vb deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{202a961f-23ae-42b1-9505-ffe3c818d717} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{202a961f-23ae-42b1-9505-ffe3c818d717} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A52CD02D-C487-B30D-DB70-31A4C19A741A} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{202a961f-23ae-42b1-9505-ffe3c818d717} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{202a961f-23ae-42b1-9505-ffe3c818d717} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A52CD02D-C487-B30D-DB70-31A4C19A741A} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006\WapCHK.dll not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006\WapCHK.dll failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WinAV.exe\shell not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WinAV.exe\shell failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WinAV.exe not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WinAV.exe failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiVirus Pro 2006 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiVirus Pro 2006 failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\WinSoftware not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\WinSoftware failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WA6P_is1 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WA6P_is1 failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products\WinAntiVirus Pro 2006 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products\WinAntiVirus Pro 2006 failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\SupportUninstall\WinAntiVirus Pro 2006 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\SupportUninstall\WinAntiVirus Pro 2006 failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{723D54C7-7483-4EB8-8EED-CE5B2AEA534D} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{723D54C7-7483-4EB8-8EED-CE5B2AEA534D} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2178F3FB-2560-458f-BDEE-631E2FE0DFE4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B2A3156E-3332-4b47-AF5A-5B121503514F} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B646F5E2-0A48-421d-AC91-F96C92BFC17A} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B646F5E2-0A48-421d-AC91-F96C92BFC17A} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E69F0D6A-1C69-4A04-8709-5EAC2019D9BE} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E69F0D6A-1C69-4A04-8709-5EAC2019D9BE} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B5141620-C2B2-4d95-9F0F-134D99C87AB0} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0903FECD-7F7A-4790-A819-A3CE08416732} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0903FECD-7F7A-4790-A819-A3CE08416732} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{85C99188-BEFD-4c61-A54B-5D7CB0204C1E} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{85C99188-BEFD-4c61-A54B-5D7CB0204C1E} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B32FE740-8B67-409A-BCA8-3297263C354E} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B32FE740-8B67-409A-BCA8-3297263C354E} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1234890A-5E6E-4867-8136-CA6F1456B235} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{732B6533-7F78-4C47-9C01-2979BA0829B9} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{732B6533-7F78-4C47-9C01-2979BA0829B9} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FC0B8EB8-AE24-4FD6-B479-E2B464F32DA6} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FC0B8EB8-AE24-4FD6-B479-E2B464F32DA6} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{367A86A5-D048-4785-86BE-4E2706AAFDD9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2BC32EF8-BB73-4099-BB2E-0F2951B3E276} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\WAVAutoPlay not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\WAVAutoPlay failed!
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

SmitFraudFix v2.101

Scan done at 23:12:35,96, 28.09.2006
Run from C:\Dokumente und Einstellungen\Admin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOKUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOKUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
C:\DOKUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOKUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Programme\WinHound\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

HKLM\SOFTWARE\WinHound.com Deleted

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
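The Avenger log above looks alarming because every key or file that was already gone is reported as a failed deletion, yet all of those failures carry status 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND). The following triage script is an added example, not part of this thread and not Avenger's own code; it assumes the line shapes seen in the posted log and sorts the entries into removed, already absent, and genuinely failed, so only the last group needs a second look.

```python
"""Triage an Avenger run log (added example, not part of the thread or Avenger).

Avenger reports an object that is already gone as a failed deletion with
NTSTATUS 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND). When the script is a
superset of what is still present, those "failures" are expected; only
other status codes point at something that really resisted removal.
"""
import re

# Line shapes as they appear in Avenger 1.x logs (assumption: taken from the
# log posted in this thread).
DELETED_RE = re.compile(r"^(?:Registry key|File|Folder) (.+) deleted successfully\.$")
NOT_FOUND_RE = re.compile(r"^(?:Registry key|File|Folder) (.+) not found!$")
FAILED_RE = re.compile(r"^Deletion of (?:registry key|file|folder) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")

STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034


def triage_avenger_log(text):
    """Classify every deletion reported in the log.

    Returns a dict with three lists:
      deleted        - targets Avenger removed
      already_absent - targets reported "not found" with status 0xc0000034
      failed         - (target, status) pairs for any other failure
    """
    result = {"deleted": [], "already_absent": [], "failed": []}
    not_found = set()   # targets that had a "not found!" line
    pending = None      # target of the last "failed!" line, awaiting its Status

    for raw in text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            result["deleted"].append(m.group(1))
            continue
        m = NOT_FOUND_RE.match(line)
        if m:
            not_found.add(m.group(1))
            continue
        m = FAILED_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            status = int(m.group(1), 16)
            if status == STATUS_OBJECT_NAME_NOT_FOUND and pending in not_found:
                result["already_absent"].append(pending)
            else:
                result["failed"].append((pending, m.group(1).lower()))
            pending = None
    return result


def needs_attention(result):
    """True when at least one deletion failed for a reason other than 'not found'."""
    return bool(result["failed"])


# Constructed sample: a few lines copied from the thread's log plus one
# made-up access-denied failure (0xc0000022) to show what a real problem looks like.
SAMPLE_LOG = r"""
Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vspf deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FWSvc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FWSvc failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FWSvc
Status: 0xc0000034
File C:\WINDOWS\zkoam.dll deleted successfully.
File C:\WINDOWS\system32\av.cpl not found!
Deletion of file C:\WINDOWS\system32\av.cpl failed!
Status: 0xc0000034
Deletion of file C:\WINDOWS\system32\example_locked.dll failed!
Status: 0xc0000022
Completed script processing.
"""

if __name__ == "__main__":
    summary = triage_avenger_log(SAMPLE_LOG)
    for bucket, items in summary.items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
    print("needs attention:", needs_attention(summary))
```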
29.09.2006, 00:35
Honorary member
Posts: 29434
#4
It worked fine after all.
What a load of junk you have on your computer... all tools that wreck the computer...
Scan, set everything to remove and post the report http://virus-protect.org/counterspy.html
__________
Regards, Sabina
all about PC security
29.09.2006, 19:44
...new here
Thread starter, Posts: 7
#5
Hello Sabina,
thanks again, this really is a fantastic service. Everything looks very good. Is there somewhere I can find out more about what has actually been done here?
Best regards

Spyware Scan Details
Start Date: 29.09.2006 18:33:25
End Date: 29.09.2006 19:32:14
Total Time: 58 mins 49 secs

Detected spyware

MoneyTree Dialer
Details: MoneyTree is an ActiveX control used to download premium-rate dialers, generally for porn sites. Each time MoneyTree is run, on system startup, it tries to connect to a pornographic website.
Status: Deleted
Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F7EE4E3689C2DCF4A531C20954D158C1936D9A3C
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F7EE4E3689C2DCF4A531C20954D158C1936D9A3C Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1567DAAB1377FE3552D2F6F2A2FA80200135EDA5
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1567DAAB1377FE3552D2F6F2A2FA80200135EDA5 Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F705E9D8DAA72DF53D068BF60B551EA3103D51D7
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F705E9D8DAA72DF53D068BF60B551EA3103D51D7 Blob

CWS.NS3 Browser Hijacker
Details: This is a CoolWebSearch hijacker.
Status: Deleted
Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}
HKEY_LOCAL_MACHINE\software\classes\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\hsa
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\hsa DisplayName Home Search Assistent
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\hsa UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/HomeSearchAssistant.html"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\se
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\se DisplayName Search Extender
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\se UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/SearchExtender.html"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\sw
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\sw DisplayName Shopping Wizard
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\sw UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/ShoppingWizard.html"

CWS.AboutBlank Browser Hijacker
Details: This is a CoolWebSearch hijacker.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/HomeSearchAssistant.html"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA DisplayName Home Search Assistent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/SearchExtender.html"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/ShoppingWizard.html"

Trojan.Desktophijack Trojan
Details: Trojan.Desktophijack modifies the home page and desktop settings on a compromised computer.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main Display Inline Images yes

Adw.PSGuard Adware
Details: PSGuard is a fraudulent anti-spyware program which uses desktop advertising to scare users into paying for the product.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main Display Inline Images yes
29.09.2006, 23:15
Honorary member
Posts: 29434
#6
Everything should be clean again; nevertheless, run an online virus scan with Panda or ewido and post the report(s)
http://virus-protect.org/onlinescan.html
Delete the Avenger backup at C:\Avenger\backup.zip first.
__________
Regards, Sabina
all about PC security
30.09.2006, 02:02
...new here
Thread starter, Posts: 7
#7
_________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________

Name: Dialer.Generic
Path: HKLM\SOFTWARE\Video1\Dialers
Risk: High

Name: Adware.WinAntiVirus
Path: HKU\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}
Risk: Medium

Name: Adware.Generic
Path: HKU\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5}
Risk: Medium

Name: Adware.CoolWebSearch
Path: HKU\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A52CD02D-C487-B30D-DB70-31A4C19A741A}
Risk: Medium

Name: Dialer.Generic
Path: HKU\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Video1\Dialers
Risk: High

Name: Dialer.Generic
Path: HKU\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Video1\Dialers\Hot_Tarts_de
Risk: High

Name: Dialer.Generic
Path: HKU\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Video1\Dialers\Hot_Tarts_mc
Risk: High

Name: Not-A-Virus.Hoax.Win32.Renos.er
Path: C:\RECYCLER\S-1-5-21-746137067-1060284298-2115272083-1004\Dc9.zip/avenger/titiau.dll
Risk: Low

Name: Not-A-Virus.Downloader.Win32.WinFixer.o
Path: C:\WINDOWS\Downloaded Program Files\UWA6PU_0001_N91M2107NetInstaller.exe
Risk: Low

Name: Downloader.Dluca
Path: C:\WINDOWS\system32\lukvluxm.exe
Risk: High

Name: Downloader.Dluca
Path: C:\WINDOWS\system32\yultfxuq.exe
Risk: High
30.09.2006, 11:29
Honorary member
Posts: 29434
#8
Tix
Well, nothing was clean... but that's what we have the online virus scanners for.
1. Empty the recycle bin
2. Avenger
Quote
registry keys to delete:
Post the Avenger report + the new HijackThis log
__________
Regards, Sabina
all about PC security
30.09.2006, 13:46
...new here
Thread starter, Posts: 7
#9
Hi Sabina,
could/should I have let ewido remove the stuff as well?

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aujjmnqh

*******************

Script file located at: \??\C:\Program Files\rsbpencf.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\lukvluxm.exe deleted successfully.
File C:\WINDOWS\system32\yultfxuq.exe deleted successfully.
File C:\WINDOWS\Downloaded Program Files\UWA6PU_0001_N91M2107NetInstaller.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Video1 deleted successfully.

Registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Video1 not found!
Deletion of registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Video1 failed!
Status: 0xc0000034

Registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} not found!
Deletion of registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} failed!
Status: 0xc0000034

Registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5} not found!
Deletion of registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5} failed!
Status: 0xc0000034

Registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A52CD02D-C487-B30D-DB70-31A4C19A741A} not found!
Deletion of registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A52CD02D-C487-B30D-DB70-31A4C19A741A} failed!
Status: 0xc0000034

Completed script processing.
30.09.2006, 13:48
Honorary member
Posts: 29434
01.10.2006, 22:20
...new here
Thread starter, Posts: 7
#11
__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________

Name: TrackingCookie.2o7
Path: C:\Dokumente und Einstellungen\Admin\Cookies\admin@msnportal.112.2o7[1].txt
Risk: Medium

That already looks more manageable:

Name: TrackingCookie.Doubleclick
Path: :mozilla.21:C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\bzidz00t.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Googleadservices
Path: :mozilla.22:C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\bzidz00t.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Ivwbox
Path: :mozilla.24:C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\bzidz00t.default\cookies.txt
Risk: Medium
02.10.2006, 01:37
Honorary member
Posts: 29434
#12
Those are only cookies, so no reason to panic.
Everything is clean again; hopefully for good this time.
** post the new HijackThis log
__________
Regards, Sabina
all about PC security
05.10.2006, 10:09
...new here
Thread starter, Posts: 7
#13
Okay:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:22, on 05.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Sunbelt Software\CounterSpy\Consumer\Thread.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Programme\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Programme\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Programme\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Programme\Teledat\IWatch.exe
C:\Programme\Microsoft Office\Office\OSA.EXE
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\WEB.DE\WEB.DE SmartSurfer\SmartSurfer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Admin\Desktop\exes_etc\hijack\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TomcatStartup] C:\Programme\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient] C:\Programme\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Programme\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\Teledat\IWatch.exe
O4 - Global Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/de/win/QuickTimeInstaller.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24EA67E5-CFB4-4F0D-9187-0529EB849933}: NameServer = 192.168.121.252,192.168.121.253
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0C0BE7-1EBA-4BF8-98E0-E52D1B8F8C49}: NameServer = 81.209.208.13 83.133.0.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9B13642-BCC6-4615-8852-7B2CAD47AACD}: NameServer = 192.168.115.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{24EA67E5-CFB4-4F0D-9187-0529EB849933}: NameServer = 192.168.121.252,192.168.121.253
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
05.10.2006, 12:01
Honorary member
Posts: 29434
#14
Everything clean again!
If there should be any more problems, get in touch.
__________
Regards, Sabina
all about PC security
Logfile of HijackThis v1.99.1
Scan saved at 22:19:11, on 27.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\WinMediaCodec\pmsngr.exe
C:\Programme\WinMediaCodec\pmmon.exe
C:\Programme\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Programme\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Programme\Teledat\IWatch.exe
C:\Programme\Microsoft Office\Office\OSA.EXE
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\WEB.DE\WEB.DE SmartSurfer\SmartSurfer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Admin\Desktop\hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Programme\WinMediaCodec\isaddon.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Class - {A52CD02D-C487-B30D-DB70-31A4C19A741A} - C:\WINDOWS\winnt32.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Programme\WinMediaCodec\iesplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TomcatStartup] C:\Programme\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient] C:\Programme\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Programme\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\Teledat\IWatch.exe
O4 - Global Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/de/win/QuickTimeInstaller.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24EA67E5-CFB4-4F0D-9187-0529EB849933}: NameServer = 192.168.121.252,192.168.121.253
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0C0BE7-1EBA-4BF8-98E0-E52D1B8F8C49}: NameServer = 62.104.191.241 62.104.196.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9B13642-BCC6-4615-8852-7B2CAD47AACD}: NameServer = 192.168.115.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{24EA67E5-CFB4-4F0D-9187-0529EB849933}: NameServer = 192.168.121.252,192.168.121.253
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
2.) Cleanup performed
3.) Combofix:
Disk Cleanup did not run (I don't know why)
Admin - 06-09-27 23:28:57,28 Service Pack 2
ComboFix 06.09.27 - Running from: "C:\Dokumente und Einstellungen\Admin\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-08-27 to 2006-09-27 ))))))))))))))))))))))))))))))))))
2006-09-24 02:01 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2006-09-24 02:01 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2006-09-24 02:01 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-09-24 02:01 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-09-24 02:01 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2006-09-24 01:35 176,128 --a------ C:\WINDOWS\system32\titiau.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-27 23:17 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\SmartSurfer
2006-09-27 23:16 -------- d-------- C:\Programme\Mozilla Firefox
2006-09-27 23:12 137187 --a------ C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\iwatch.txt
2006-09-25 23:13 -------- d-------- C:\Programme\WinMediaCodec
2006-09-25 22:38 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\AdobeUM
2006-09-25 22:10 -------- d-------- C:\Programme\ICQToolbar
2006-09-24 17:50 -------- d-------- C:\Programme\WinAntiVirus Pro 2006
2006-09-24 13:30 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\WinAntiVirus Pro 2006
2006-09-24 02:51 -------- d-------- C:\Programme\vb
2006-09-24 02:10 -------- d-------- C:\Programme\Common Files
2006-09-24 02:01 -------- d-------- C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006
2006-09-24 02:01 -------- d-------- C:\Programme\Gemeinsame Dateien
2006-09-23 12:29 -------- d-------- C:\Programme\Oetinger
2006-09-22 22:40 -------- d-------- C:\Programme\CleanUp!
2006-09-17 08:55 -------- d-------- C:\Programme\PNGIS-EasyEdit Lite
2006-09-01 20:42 -------- d-------- C:\Programme\Internet Explorer
2006-08-24 18:44 -------- d-------- C:\Programme\ICQLite
2006-08-24 18:03 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\ICQLite
2006-08-22 20:55 -------- d-------- C:\Programme\Gemeinsame Dateien\Teleca Shared
2006-08-11 22:14 -------- d-------- C:\Programme\Java
2006-08-11 22:12 -------- d-------- C:\Programme\Gemeinsame Dateien\Java
2006-08-06 22:33 -------- d-------- C:\Programme\selfhtml
2006-08-05 22:30 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-08-05 22:30 -------- d-------- C:\Programme\WEB.DE
2006-08-04 22:49 -------- d-------- C:\Programme\Windows NT
2006-07-27 16:20 -------- d---s---- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Microsoft
2006-07-27 15:25 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-27 10:10 -------- d-------- C:\Programme\Yahoo!
2006-07-27 09:52 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Teledat
2006-07-21 10:29 72704 --a------ C:\WINDOWS\system32\hlink.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
@=""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"TomcatStartup"="C:\\Programme\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"
"StatusClient"="C:\\Programme\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"InCD"="C:\\Programme\\ahead\\InCD\\InCD.exe"
"SunJavaUpdateSched"="C:\\Programme\\Java\\jre1.5.0_06\\bin\\jusched.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,90,02,00,00,1f,00,00,00,20,01,00,00,2b,01,\
00,00,01,00,00,00
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"pmsngr.exe"="C:\\Programme\\WinMediaCodec\\pmsngr.exe"
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Dokumente und Einstellungen^Admin^Startmenü^Programme^Autostart^WEB.DE SmartSurfer.lnk]
"path"="C:\\Dokumente und Einstellungen\\Admin\\Startmenü\\Programme\\Autostart\\WEB.DE SmartSurfer.lnk"
"backup"="C:\\WINDOWS\\pss\\WEB.DE SmartSurfer.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\WEB.DE\\WEB~1.DES\\SMARTS~1.EXE -m"
"item"="WEB.DE SmartSurfer"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="\"C:\\Programme\\ICQLite\\ICQLite.exe\" -minimize"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"wuauserv"=dword:00000002
"wscsvc"=dword:00000002
"mnmsrvc"=dword:00000003
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Completion time: 27.09.2006 23:29:44.39
ComboFix.txt
ComboFix2.txt
3.) DATFIND.BAT
SYSTEM.TXT:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C84-24DF
Verzeichnis von C:\WINDOWS\system32
27.09.2006 23:14 13.646 wpa.dbl
24.09.2006 17:50 4.714 ikhcore.log
24.09.2006 17:41 2 stera.job
24.09.2006 02:36 2 stera.log
24.09.2006 01:35 176.128 titiau.dll
23.09.2006 16:07 11.660 ModemLog_ISDN Internet (PPP over ISDN).txt
11.09.2006 19:37 8.960.936 MRT.exe
01.09.2006 23:33 380.350 perfh009.dat
01.09.2006 23:33 52.764 perfc009.dat
01.09.2006 23:33 391.000 perfh007.dat
01.09.2006 23:33 63.580 perfc007.dat
01.09.2006 23:33 897.954 PerfStringBackup.INI
01.09.2006 10:46 4.622 ModemLog_ISDN Custom Config.txt
01.09.2006 10:46 4.602 ModemLog_ISDN BTX.txt
01.09.2006 10:46 4.640 ModemLog_ISDN Analog Modem (V.32bis).txt
01.09.2006 10:46 4.622 ModemLog_ISDN - ISDN (X.75).txt
01.09.2006 10:46 4.624 ModemLog_ISDN Mailbox (X.75).txt
01.09.2006 10:46 4.652 ModemLog_ISDN SoftCompression X.75-V.42bis.txt
01.09.2006 10:46 4.634 ModemLog_ISDN RAS (PPP over ISDN).txt
11.08.2006 22:14 7.006 jupdate-1.5.0_06-b05.log
28.07.2006 13:28 3.075.072 mshtml.dll
27.07.2006 16:10 254.272 FNTCACHE.DAT
27.07.2006 15:25 679.424 inetcomm.dll
25.07.2006 22:33 615.936 urlmon.dll
21.07.2006 10:29 72.704 hlink.dll
14.07.2006 17:38 332.288 netapi32.dll
14.07.2006 17:25 546.304 hhctrl.ocx
13.07.2006 15:34 8.494.592 shell32.dll
05.07.2006 12:55 1.057.792 kernel32.dll
28.06.2006 21:47 41.134 vsconfig.xml
26.06.2006 19:40 148.480 dnsapi.dll
26.06.2006 19:40 8.192 rasadhlp.dll
23.06.2006 23:41 1.798 ModemLog_ISDN FAX (G3).txt
23.06.2006 13:10 664.576 wininet.dll
23.06.2006 13:10 474.624 shlwapi.dll
23.06.2006 13:10 146.432 msrating.dll
23.06.2006 13:10 1.494.016 shdocvw.dll
23.06.2006 13:10 448.512 mshtmled.dll
23.06.2006 13:10 532.480 mstime.dll
23.06.2006 13:10 39.424 pngfilt.dll
23.06.2006 13:10 251.392 iepeers.dll
23.06.2006 13:10 205.312 dxtrans.dll
23.06.2006 13:10 16.384 jsproxy.dll
23.06.2006 13:10 1.056.256 danim.dll
23.06.2006 13:10 96.768 inseng.dll
23.06.2006 13:10 357.888 dxtmsft.dll
23.06.2006 13:10 55.808 extmgr.dll
23.06.2006 13:10 152.064 cdfview.dll
23.06.2006 13:10 1.022.976 browseui.dll
23.06.2006 10:53 27.136 xpsp3res.dll
22.06.2006 12:47 181.248 rasmans.dll
19.06.2006 16:20 702.768 WgaLogon.dll
19.06.2006 16:19 571.184 LegitCheckControl.dll
19.06.2006 16:19 304.944 WgaTray.exe
10.06.2006 15:09 16.832 amcompat.tlb
10.06.2006 15:09 23.392 nscompat.tlb
01.06.2006 20:47 27.648 jgpl400.dll
01.06.2006 20:47 163.840 jgdw400.dll
TEMP.TXT:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C84-24DF
Verzeichnis von C:\DOKUME~1\Admin\LOKALE~1\Temp
27.09.2006 23:32 16.384 ~DF415C.tmp
27.09.2006 23:15 2.089.678 jar_cache13666.tmp
2 Datei(en) 2.106.062 Bytes
0 Verzeichnis(se), 46.072.991.744 Bytes frei
WINDOWS.TXT:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C84-24DF
Verzeichnis von C:\WINDOWS
27.09.2006 23:14 54.156 QTFont.qfn
27.09.2006 22:06 7.762 Admin8.xlb
27.09.2006 21:46 130.610 iis6.log
27.09.2006 21:46 246.881 comsetup.log
27.09.2006 21:46 153.185 ntdtcsetup.log
27.09.2006 21:46 326.131 tsoc.log
27.09.2006 21:46 1.917 imsins.log
27.09.2006 21:46 30.968 ocmsn.log
27.09.2006 21:46 431.819 ocgen.log
27.09.2006 21:46 41.737 msgsocm.log
27.09.2006 21:46 818.487 FaxSetup.log
27.09.2006 21:36 526.839 setupapi.log
27.09.2006 21:11 0 0.log
27.09.2006 21:11 2.048 bootstat.dat
25.09.2006 23:15 1.636.186 WindowsUpdate.log
25.09.2006 23:15 32.584 SchedLgU.Txt
25.09.2006 22:37 1.409 QTFont.for
25.09.2006 22:37 227 system.ini
25.09.2006 22:37 519 win.ini
24.09.2006 02:24 73.254 wmsetup.log
21.09.2006 23:02 179.151 setupact.log
18.09.2006 23:33 50 wiaservc.log
18.09.2006 23:33 216 wiadebug.log
17.09.2006 18:37 10.240 Admin.pcb
01.09.2006 23:10 32.667 spupdsvc.log
01.09.2006 20:52 1.355 imsins.BAK
01.09.2006 20:52 16.195 KB917734.log
01.09.2006 20:52 1.176 avmcoins.log
01.09.2006 20:51 19.395 KB920214.log
01.09.2006 20:51 19.715 KB922616.log
01.09.2006 20:50 27.871 updspapi.log
01.09.2006 20:50 19.250 KB911280.log
01.09.2006 20:49 19.207 KB917159.log
01.09.2006 20:49 15.165 WgaNotify.log
01.09.2006 20:46 19.128 KB921398.log
01.09.2006 20:43 22.169 KB918899.log
01.09.2006 20:41 14.435 KB920670.log
01.09.2006 20:41 14.625 KB918439.log
01.09.2006 20:40 15.038 KB914388.log
01.09.2006 20:40 14.135 KB917344.log
01.09.2006 20:39 13.836 KB917953.log
01.09.2006 20:39 13.735 KB917422.log
01.09.2006 20:38 13.285 KB916595.log
01.09.2006 20:38 14.045 KB913580.log
01.09.2006 20:37 13.030 KB920683.log
01.09.2006 20:36 12.696 KB914389.log
31.08.2006 22:21 12.364 KB921883.log
27.07.2006 16:58 5.048 mozver.dat
23.07.2006 21:56 201 wininit.ini
18.07.2006 13:36 410 lernwelt.ini
19.06.2006 15:10 606 Checked.mms
10.06.2006 15:17 190 math2003.INI
10.06.2006 14:38 499 Notice.mms
14.05.2006 22:09 15.919 KB911562.log
14.05.2006 22:09 16.092 KB900485.log
14.05.2006 22:08 17.599 KB912812.log
14.05.2006 22:07 11.765 KB908531.log
14.05.2006 22:06 15.659 KB911565.log
14.05.2006 22:05 10.853 KB911567.log
C.TXT:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C84-24DF
Verzeichnis von C:\
27.09.2006 23:36 0 sys.txt
27.09.2006 23:36 13.251 system.txt
27.09.2006 23:34 348 systemtemp.txt
27.09.2006 23:32 106.265 system32.txt
27.09.2006 23:29 8.211 ComboFix.txt
27.09.2006 23:20 8.196 ComboFix2.txt
27.09.2006 22:25 114 files.txt
27.09.2006 21:10 133.746.688 hiberfil.sys
27.09.2006 21:10 268.435.456 pagefile.sys
25.09.2006 22:37 211 boot.ini
22.08.2006 22:43 167 ICQLite.log
24.05.2006 22:10 81 CTX.DAT
16.01.2006 21:31 4.610 ~WRD0000.tmp
5.)
The message is "Security alert, spyware found", and you are taken to a web page where you are supposed to buy antivirus programs.
It would be great if it works - many thanks in any case.