Explorer.exe crashes, drwtsn32 and 6*svchost etc...
#1
17.02.2007, 02:11
Member
Posts: 11
17.02.2007, 02:43
Honorary member
Posts: 29434
#2
Go to the system event log -> Start -> Run -> eventvwr.msc
Look for errors under System and Application.
__________
Regards, Sabina
all about PC security
17.02.2007, 19:55
Member
Thread starter, Posts: 11
#3
Hello Sabina!
Thanks for the quick reply :-)
Under SYSTEM I found the following errors:
The "Application Management" service terminated with the following error: The specified module could not be found. This appears about 30 times in a row on the same day.
Under APPLICATION:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x0134640e. The fault address is different every time.
Hanging application explorer.exe
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180. I have removed Dr. Watson!
Faulting application ppcontrol.exe etc... I uninstalled PestPatrol a short while ago.
Faulting application explorer.exe, version 6.0.2900.2180, faulting module acroiehelper.dll
Faulting application spoolsv.exe, module winofc.dll. I solved this one by giving the network printer a different address.
Faulting application setup.exe, module setup.exe ????
Faulting application dktray.exe, module unknown
Faulting application avgnt.exe, module unknown. I have already uninstalled that as well.
Faulting application dk3tray.exe, module unknown
Faulting application adberdr709_de_de.exe, module unknown
Faulting application vlc.exe, module libvlc.dll
Hanging application FreeHand MX.exe
Faulting application winamp.exe
Apart from that it also logs warnings from MsiInstaller.
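The Application log entries quoted above can be sorted mechanically instead of by eye. The following Python script is an added example, not code from this thread or from any tool used in it: it parses the English wording of Windows XP event ID 1000 (Application Error) and 1002 (Application Hang), groups crashes by process and faulting module, and states what each pattern usually means. The sample events are constructed from the post; every fault address and module version other than the ones quoted there is made up, and the list of Windows DLLs is an assumed short list.

```python
import re
from collections import defaultdict

# Event text of Windows XP event IDs 1000 (Application Error) and 1002
# (Application Hang) in the English wording; the German log quoted in the
# post reads "Fehlgeschlagene Anwendung ..." / "Stillstehende Anwendung ...".
FAULT_RE = re.compile(
    r"Faulting application (?P<app>[^,]+), version (?P<appver>[^,]+), "
    r"faulting module (?P<mod>[^,]+), version (?P<modver>[^,]+), "
    r"fault address (?P<addr>0x[0-9A-Fa-f]+)"
)
HANG_RE = re.compile(r"Hanging application (?P<app>[^,]+)")

# Assumed short list of DLLs that ship with Windows XP.  A fault inside one of
# these is usually triggered by its caller (shell extension, BHO, injected code).
WINDOWS_MODULES = {"ntdll.dll", "kernel32.dll", "user32.dll", "shell32.dll",
                   "msvcrt.dll", "dbghelp.dll", "ole32.dll"}

# Constructed sample: the first, third and fourth lines follow the post; the
# second explorer address, the module versions, the hang line and the MSI line
# are made up to exercise the code.
SAMPLE_EVENTS = [
    "Faulting application explorer.exe, version 6.0.2900.2180, faulting module unknown, "
    "version 0.0.0.0, fault address 0x0134640e",
    "Faulting application explorer.exe, version 6.0.2900.2180, faulting module unknown, "
    "version 0.0.0.0, fault address 0x01a9c3f0",
    "Faulting application explorer.exe, version 6.0.2900.2180, faulting module acroiehelper.dll, "
    "version 7.0.0.0, fault address 0x00001b2c",
    "Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, "
    "version 5.1.2600.2180, fault address 0x0000f7a3",
    "Hanging application explorer.exe, version 6.0.2900.2180, hang module hungapp, "
    "version 0.0.0.0, hang address 0x00000000",
    "Windows Installer reconfigured the product. Product Name: Skype 3.0.",
]


def triage(lines):
    """Group crash events by (process, module); return findings and hang counts."""
    groups = defaultdict(lambda: {"count": 0, "addresses": set()})
    hangs = defaultdict(int)
    for line in lines:
        m = FAULT_RE.search(line)
        if m:
            g = groups[(m["app"].lower(), m["mod"].lower())]
            g["count"] += 1
            g["addresses"].add(m["addr"].lower())
            continue
        h = HANG_RE.search(line)
        if h:
            hangs[h["app"].lower()] += 1

    findings = []
    for (app, mod), g in sorted(groups.items()):
        if mod == "unknown":
            # WER writes "unknown" when the fault address maps to no loaded image.
            note = ("fault address is not inside any loaded image: the crashing code "
                    "ran from dynamically allocated memory (injected code, a corrupted "
                    "return address, or code generated at run time)")
        elif mod in WINDOWS_MODULES:
            note = "crash inside a Windows DLL; suspect the caller, not the DLL"
        else:
            note = "third-party module loaded into the process; check its publisher and version"
        if len(g["addresses"]) > 1:
            note += f"; {len(g['addresses'])} distinct fault addresses"
        findings.append({"app": app, "module": mod, "count": g["count"], "note": note})
    return {"faults": findings, "hangs": dict(hangs)}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for f in result["faults"]:
        print(f"{f['app']} / {f['module']} x{f['count']}: {f['note']}")
    print("hangs:", result["hangs"])
```

The point it makes: a crash in a named third-party module (acroiehelper.dll, winofc.dll) points at that shell extension or print component, while "faulting module unknown" with a different address each time means the crashing code was not in any loaded image, which is what injected code or a corrupted return address looks like and is worth an anti-malware check before blaming Explorer itself.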
17.02.2007, 22:00
Honorary member
Posts: 29434
#4
Unzip SDFix.zip
http://virus-protect.org/artikel/tools/sdfix.html
The following message appears: "The SDFix Folder has been extracted to %systemdrive% - Please run from that location. (%systemdrive% = drive that contains the Windows directory - typically C:\SDFix )"
You will now find the SDFix folder under C:\
Boot into Safe Mode (press F8 while the computer restarts).
Go to the folder C:\SDFix and double-click RunThis.bat.
Type: Y
Follow all the instructions while the scan runs; the computer will then restart.
Copy the text that appears using the right mouse button and paste it into your post.
__________
Regards, Sabina
all about PC security
18.02.2007, 15:32
Member
Thread starter, Posts: 11
#5
Here is the report!

SDFix: Version 1.66
Run by ger - 18.02.2007 @ 15:19:55,53
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:
Name:
Path:
Restoring Windows Registry Entries
Restoring Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
No Trojan Files Found...

ADS Check:
C:\WINDOWS\system32
No streams found.

Final Check:
Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\\setup\\HPZNET01.EXE"="D:\\setup\\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:Spooler SubSystem App"
"C:\\Programme\\Azureus\\Azureus.exe"="C:\\Programme\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Programme\\Macromedia\\FreeHand MX\\FreeHand MX.exe"="C:\\Programme\\Macromedia\\FreeHand MX\\FreeHand MX.exe:*:Enabled:FreeHand MX"
"C:\\Programme\\DC++\\DCPlusPlus.exe"="C:\\Programme\\DC++\\DCPlusPlus.exe:*:EnabledC++"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Eine DLL-Datei als Anwendung ausführen"
"C:\\Programme\\Skype\\Phone\\Skype.exe"="C:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

Checking For Files with Hidden Attributes :

Add/Remove Programs List:
Windows-Treiberpaket - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Adobe Photoshop CS2
Adobe Shockwave Player
ATI - Dienstprogramm zur Deinstallation der Software
Arial CD Ripper v1.5.6
ATI Display Driver
avast! Antivirus
Azureus
CCleaner (remove only)
Codec Pack - All In 1 6.0.3.0
HijackThis 1.99.1
HP Imaging Device Functions 6.0
HP Solution Center and Imaging Support Tools 6.0
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
Command & Conquer Generals
O2Micro Flash Memory Card Windows Driver V2.04
Command and ConquerTM Generals Zero Hour
LogonStudio
Macromedia Director MX 2004
Magic ISO Maker v5.3 (build 0221)
Magic ISO Maker v5.3 (build 0229)
Microsoft .NET Framework 2.0
Mozilla Firefox (2.0.0.1)
Mozilla Thunderbird (1.5)
Microsoft National Language Support Downlevel APIs
NSIS Media Extension
Security Task Manager 1.7
Skype 3.0
Motorola SM56 Data Fax Modem
Spybot - Search & Destroy 1.4
VideoLAN VLC media player 0.8.6
Volo View Express
Winamp (remove only)
Windows Media Format Runtime
WinRAR Archivierer
Zoom Player (remove only)
Command & Conquer Generals
Macromedia Dreamweaver 8
TrayApp
hpf_ProductContext
Readme
Status
DVD Solution
Adobe Photoshop CS2
Destinations
Macromedia Flash 8
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 11
Unload
Skype Plugin Manager
BufferChm
Power2Go 4.0
StarOffice 8
SolutionCenter
Macromedia Fireworks 8
Microsoft Works
Macromedia Extension Manager
AutoCAD 2002 - Deutsch
Adabas D 13.01.00
eSupportQFolder
PowerDVD
eTrust Registration
Microsoft .NET Framework 2.0
Adobe Stock Photos 1.0
HP Deskjet 6900 series (deu)
TuneUp Utilities 2006
LP6940_Help
Macromedia Flash Player 8
Macromedia FreeHand MX
Macromedia Flash 8 Video Encoder
ATI Parental Control & Encoder
LP6940Trb
Adobe Common File Installer
Macromedia Flash Player 8 Plugin
ATI Catalyst Control Center
dj6940
Apple Software Update
DeviceManagementQFolder
Adobe Reader 7.0.9 - Deutsch
REALTEK GbE & FE Ethernet PCI NIC Driver
Adobe Bridge 1.0
PowerProducer
dj_taplugin
HP Photosmart Essential
Firewire Family
HPProductAssistant
Adobe Help Center 1.0
O2Micro Flash Memory Card Windows Driver V2.04
WebReg
HP Software Update
PowerDirector Express
QuickTime
Realtek High Definition Audio Driver
Command and ConquerTM Generals Zero Hour
Ralink Wireless LAN Card

Finished
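The "Authorized Application Key Export" above is the Windows Firewall exception list, and it deserves a closer look than SDFix gives it. What follows is an added example, not code from SDFix or from this thread: a Python audit that parses the exported values (format path:scope:state:display name, with the path keeping its drive-letter colon), expands %windir%, and flags the entries a reviewer would question. The sample lines are a constructed subset of the export above, quoted as they appear there; %windir% is assumed to be C:\WINDOWS, and the trusted install roots and the list of host processes are assumptions of this example.

```python
import re

WINDIR = "C:\\WINDOWS"   # assumed expansion of %windir% on this machine
# Assumed install roots from which a legitimately installed program is expected to run.
TRUSTED_ROOTS = (WINDIR.lower() + "\\", "c:\\programme\\", "c:\\program files\\")
# Assumed list of host processes: an exception for one of these is inherited by
# whatever DLL or script the process is told to load.
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "cmd.exe"}

# One exported value:  "<path>"="<path>:<scope>:<state>:<display name>"
LINE_RE = re.compile(r'^"(?P<key>.*)"="(?P<value>.*)"$')
# The path keeps its drive-letter colon, so it is matched explicitly.
VALUE_RE = re.compile(r"^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*):(?P<rest>.*)$")

# Constructed subset of the export in the post (the DC++ line is quoted as it appears there).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\setup\\HPZNET01.EXE"="D:\\setup\\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"C:\\Programme\\Azureus\\Azureus.exe"="C:\\Programme\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Programme\\DC++\\DCPlusPlus.exe"="C:\\Programme\\DC++\\DCPlusPlus.exe:*:EnabledC++"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Eine DLL-Datei als Anwendung ausführen"
'''.strip().splitlines()


def parse_entry(line):
    """Parse one .reg-style line; return None for key headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # .reg exports double every backslash; undo that, then expand %windir%.
    value = m["value"].replace("\\\\", "\\").replace("%windir%", WINDIR)
    v = VALUE_RE.match(value)
    if not v:
        return {"path": value, "scope": "", "state": "", "name": "", "malformed": True}
    state, _, name = v["rest"].partition(":")
    return {"path": v["path"], "scope": v["scope"], "state": state.lower(), "name": name,
            "malformed": state.lower() not in ("enabled", "disabled")}


def audit(lines):
    """Return one record per exception with the issues a reviewer should raise."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        exe = e["path"].rsplit("\\", 1)[-1].lower()
        issues = []
        if e["malformed"]:
            issues.append("malformed value: state and display name are not ':'-separated")
        # "EnabledC++" still starts with "enabled"; treat it as enabled and check it.
        enabled = e["state"].startswith("enabled")
        if enabled:
            if exe in HOST_PROCESSES:
                issues.append("host process allowed through the firewall; any code it loads inherits the exception")
            if not e["path"].lower().startswith(TRUSTED_ROOTS):
                issues.append("binary outside the Windows and Program Files trees")
        findings.append({"exe": exe, "path": e["path"], "scope": e["scope"],
                         "enabled": enabled, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        flag = " / ".join(f["issues"]) or "ok"
        print(f"{f['exe']:18} scope={f['scope']} enabled={f['enabled']}: {flag}")
```

Run against the sample it leaves sessmgr.exe and Azureus alone, reports HPZNET01.EXE because it runs from D:\setup rather than an install directory, reports the DC++ entry as malformed (the export shows "EnabledC++" with no separator before the name), and reports rundll32.exe: with a scope of "*" that exception lets any DLL started through rundll32 accept connections from any address, which is a common trick for making a dropped DLL reachable without registering an exception under its own name.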
18.02.2007, 20:26
Honorary member
Posts: 29434
#6
Post this log so that one can see better what is going wrong on the computer.
http://virus-protect.org/artikel/tools/comboscan.html
__________
Regards, Sabina
all about PC security
19.02.2007, 04:05
Member
Thread starter, Posts: 11
#7
Hi, I've attached the second file so that it doesn't take up so much space.
The next scan, with thanks, ger

ComboScan v20070212.14 run by ger on 2007-02-19 at 03:52:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.

-- HijackThis log (run as ger.com) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 03:52:59, on 19.02.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MAFWTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\RALINK\Common\RaUI.exe
C:\Dokumente und Einstellungen\ger\Desktop\comboscan.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOKUME~1\ger\LOKALE~1\Temp\~tedmhoo.tmp\ger.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gericom.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://gmx.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Programme\RALINK\Common\RaUI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1F831FA3-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file:///C:/Programme/AutoCAD%202002%20Deu/InstFred.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday-Steuerung) - file:///C:/Programme/AutoCAD%202002%20Deu/AcDcToday.ocx
O16 - DPF: {AE563724-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Programme/AutoCAD%202002%20Deu/InstBanr.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview-Steuerung) - file:///C:/Programme/AutoCAD%202002%20Deu/AcPreview.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

-- HijackThis Fixed Entries (C:\Dokumente und Einstellungen\ger\Desktop\hijackthis_199\backups\)
--------------------------------------------------------------------------------

backup-20070215-155102-720 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20070215-155102-940 O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
backup-20070215-155103-696 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - AutoCADScriptFile - C:\WINDOWS\NOTEPAD.EXE "%1"
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3 61883 (61883-Einheitsgerät) - system32\DRIVERS\61883.sys
0 ACPIEC (Microsoft Embedded Controllertreiber) - system32\DRIVERS\ACPIEC.sys
2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.3.0) - system32\DRIVERS\AegisP.sys
1 AmdK8 (AMD-Prozessortreiber) - system32\DRIVERS\AmdK8.sys
3 Arp1394 (1394-ARP-Clientprotokoll) - system32\DRIVERS\arp1394.sys
3 ati2mtag - system32\DRIVERS\ati2mtag.sys
3 Avc (AVC-Gerät) - system32\DRIVERS\avc.sys
3 DELTAFW (Service for M-Audio FW Driver (WDM)) - system32\DRIVERS\deltafw.sys
3 dtscsi - \SystemRoot\System32\Drivers\d tscsi.sys
3 GMSIPCI - \??\E:\INSTALL\GMSIPCI.SYS
3 HDAudBus (Microsoft UAA Bus Driver for High Definition Audio) - system32\DRIVERS\HDAudBus.sys
3 HidUsb (Microsoft HID Class-Treiber) - system32\DRIVERS\hidusb.sys
3 HPZid412 (IEEE-1284.4 Driver HPZid412) - system32\DRIVERS\HPZid412.sys
3 HPZipr12 (Print Class Driver for IEEE-1284.4 HPZipr12) - system32\DRIVERS\HPZipr12.sys
3 HPZius12 (USB to IEEE-1284.4 Translation Driver HPZius12) - system32\DRIVERS\HPZius12.sys
3 IntcAzAudAddService (Service for Realtek HD Audio (WDM)) - system32\drivers\RtkHDAud.sys
4 mchInjDrv - \??\C:\WINDOWS\TEMP\mc21.tmp
3 mouhid (Maus-HID-Treiber) - system32\DRIVERS\mouhid.sys
3 NIC1394 (1394-Netzwerktreiber) - system32\DRIVERS\nic1394.sys
0 O2MDRDR - system32\DRIVERS\o2media.sys
0 O2SDRDR - system32\DRIVERS\o2sd.sys
0 ohci1394 (OHCI-konformer IEEE 1394-Hostcontroller) - system32\DRIVERS\ohci1394.sys
0 PCIIde - system32\DRIVERS\pciide.sys
3 pfc (Padus ASPI Shell) - system32\drivers\pfc.sys
0 PxHelp20 - System32\Drivers\PxHelp20.sys
3 RT61 (Ralink RT61 Wireless Driver) - system32\DRIVERS\RT61.sys
3 RTL8023xp (Realtek 10/100/1000 NIC Family all in one NDIS XP Driver) - system32\DRIVERS\Rtnicxp.sys
3 rtl8139 (NT-Treiber für Realtek RTL8139(A/B/C)-basierten PCI-Fast Ethernet-Adapter) - system32\DRIVERS\RTL8139.SYS
3 sdbus - system32\DRIVERS\sdbus.sys
3 smserial - system32\DRIVERS\smserial.sys
0 sptd - System32\Drivers\sptd.sys
3 usbccgp (Microsoft Standard-USB-Haupttreiber) - system32\DRIVERS\usbccgp.sys
3 usbehci (Miniporttreiber für erweiterten Microsoft USB 2.0-Hostcontroller) - system32\DRIVERS\usbehci.sys
3 usbohci (Miniporttreiber für Microsoft USB Open Host-Controller) - system32\DRIVERS\usbohci.sys
3 usbprint (Microsoft USB-Druckerklasse) - system32\DRIVERS\usbprint.sys
3 usbscan (USB-Scannertreiber) - system32\DRIVERS\usbscan.sys
3 USBSTOR (USB-Massenspeichertreiber) - system32\DRIVERS\USBSTOR.SYS

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 Adobe LM Service - "C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe"
3 aspnet_state (ASP.NET State Service) - %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
2 aswUpdSv (avast! iAVS4 Control Service) - "C:\Programme\Alwil Software\Avast4\aswUpdSv.exe"
2 Ati HotKey Poller - %SystemRoot%\system32\Ati2evxx.exe
2 avast! Antivirus - "C:\Programme\Alwil Software\Avast4\ashServ.exe"
3 avast! Mail Scanner - "C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service
3 avast! Web Scanner - "C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service
3 clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
3 HP Port Resolver - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
3 HP Status Server - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
3 IDriverT (InstallDriver Table Manager) - "C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe"
3 Macromedia Licensing Service - "C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe"
2 O2Flash (O2Micro Flash Memory) - C:\WINDOWS\system32\o2flash.exe
2 Pml Driver HPZ12 - C:\WINDOWS\system32\HPZipm12.exe
2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "C:\Programme\CyberLink\Shared Files\RichVideo.exe"
2 TUWinStylerThemeSvc (TuneUp WinStyler Theme Service) - "C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe"
2 UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe

-- Scheduled Tasks --------------------------------------------------------------

2007-02-16 18:44:09 392 --a------ C:\WINDOWS\Tasks\1-Klick-Wartung.job<1-KLIC~1.JOB>
2007-01-08 15:59:04 276 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>

-- Files created between 2007-01-19 and 2007-02-19 ------------------------------

2007-02-18 15:11:59 0 d-------- C:\SDFix
2007-02-15 18:44:35 0 d-------- C:\Programme\Gemeinsame Dateien\ACD Systems<ACDSYS~1>
2007-02-15 18:44:22 10368 --a------ C:\WINDOWS\system32\drivers\pfc.sys<Unsigned: Padus, Inc.>
2007-02-15 16:24:11 0 d-------- C:\Programme\CCleaner
2007-02-15 15:15:38 0 d-------- C:\Programme\Security Task Manager<SECURI~1>
2007-02-12 12:45:14 0 d-------- C:\Programme\Gemeinsame Dateien\NSIS
2007-02-07 13:25:01 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys<Unsigned: ALWIL Software>
2007-02-07 13:24:56 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-02-07 13:24:56 689280 --a------ C:\WINDOWS\system32\aswBoot.exe<Signed: n/a>
2007-02-07 13:24:53 0 d-------- C:\Programme\Alwil Software<ALWILS~1>
2007-02-07 12:37:40 0 d-------- C:\spoolerlogs<SPOOLE~1>
2007-02-04 12:16:32 94958 --a------ C:\WINDOWS\system32\1170591391.exe<117059~1.EXE><Unsigned: n/a>
2007-01-29 08:24:13 980 --a------ C:\WINDOWS\eReg.dat
2007-01-29 07:46:23 0 d-------- C:\Programme\EA Games<EAGAME~1>
2007-01-28 16:28:02 0 d-------- C:\Programme\DAEMON Tools<DAEMON~1>

-- Find3M Report ----------------------------------------------------------------

2007-02-19 03:50:17 0 d-------- C:\Programme\Mozilla Firefox<MOZILL~1>
2007-02-19 03:49:31 0 d-------- C:\Programme\Mozilla Thunderbird<MOZILL~2>
2007-02-15 21:26:47 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\Azureus
2007-02-15 18:46:27 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\ACD Systems<ACDSYS~1>
2007-02-15 18:44:35 0 d-------- C:\Programme\Gemeinsame Dateien<GEMEIN~1>
2007-02-15 16:20:46 23552 --a------ C:\WINDOWS\system32\ctfmon.exe<Unsigned: Gerhard Schlager>
2007-02-15 15:38:20 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\Help
2007-02-15 14:29:18 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\StarOffice8<STAROF~1>
2007-02-15 13:27:32 0 d-------- C:\Programme\Java
2007-02-14 20:25:10 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\Skype
2007-02-10 19:37:02 0 d-------- C:\Programme\PestPatrol<PESTPA~1>
2007-02-07 20:25:57 0 d-------- C:\Programme\Office-Bibliothek<OFFICE~1>
2007-02-06 18:07:38 0 d-------- C:\Programme\Gemeinsame Dateien\Microsoft Shared<MICROS~1>
2007-02-06 18:06:16 0 d--h----- C:\Programme\InstallShield Installation Information<INSTAL~1>
2007-02-05 01:17:31 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\AdobeUM
2007-01-30 17:09:44 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\dvdcss
2007-01-29 10:29:36 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys<Unsigned: Macrovision Europe Ltd>
2007-01-28 16:23:33 646392 --a------ C:\WINDOWS\system32\drivers\sptd.sys<Unsigned: n/a>
2007-01-27 15:47:51 0 d-------- C:\Programme\Arial CD Ripper<ARIALC~1>
2007-01-27 01:05:04 0 d-------- C:\Programme\Azureus
2007-01-26 17:38:53 654 --a------ C:\Dokumente und Einstellungen\ger\Anwendungsdaten\wklnhst.dat
2007-01-24 16:36:36 5 --a------ C:\WINDOWS\system32\SySRip.dat
2007-01-16 16:20:11 5 --a------ C:\WINDOWS\system32\systemr.dat
2007-01-14 13:15:38 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\Tracktion<TRACKT~1>
2007-01-14 11:56:35 0 d-------- C:\Programme\Tracktion2<TRACKT~1>
2007-01-12 14:11:08 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\Autodesk
2007-01-11 23:54:43 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\Google
2007-01-11 17:56:19 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\Mozilla
2007-01-11 17:56:16 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\Thunderbird<THUNDE~1>
2007-01-09 15:57:59 0 d-------- C:\Programme\AutoCAD 2002 Deu<AUTOCA~1>
2007-01-09 15:52:51 4039 --a------ C:\WINDOWS\mozver.dat
2007-01-07 02:07:26 0 d-------- C:\Programme\MagicISO
2007-01-07 01:50:05 0 d-------- C:\Programme\Gemeinsame Dateien\Macromedia Shared<MACROM~2>
2007-01-07 01:50:04 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\Macromedia<MACROM~1>
2007-01-07 01:49:01 0 d-------- C:\Programme\Macromedia<MACROM~1>
2007-01-03 18:36:55 0 d-------- C:\Programme\Winamp
2007-01-03 15:22:12 2277888 --a------ C:\WINDOWS\system32\TUKernel.exe<Unsigned: Microsoft Corporation>
2006-12-30 20:41:08 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\Adobe
2006-12-30 17:33:13 0 d-------- C:\Programme\killbox
2006-12-30 16:56:04 0 d-------- C:\Programme\M-Audio
2006-12-30 16:55:45 0 d-------- C:\Programme\M-Audio Firewire Family<M-AUDI~1>
2006-12-30 00:54:08 0 d-------- C:\Programme\ChameleonXP<CHAMEL~1>
2006-12-29 13:48:16 0 d-------- C:\Programme\Zoom Player<ZOOMPL~1>
2006-12-29 00:21:24 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\vlc
2006-12-29 00:03:21 0 d-------- C:\Programme\VideoLAN
2006-12-28 16:53:32 0 d-------- C:\Programme\Microsoft Works<MICROS~2>
2006-12-25 16:24:37 0 d-------- C:\Programme\Apple Software Update<APPLES~1>
2006-12-23 01:47:41 105828 --a------ C:\WINDOWS\HPFins09.dat
2006-12-23 01:46:50 0 d-------- C:\Programme\Hewlett-Packard<HEWLET~1>
2006-12-23 01:46:37 0 d-------- C:\Programme\Gemeinsame Dateien\HP
2006-12-23 01:46:33 0 d-------- C:\Programme\HP
2006-12-23 01:15:40 3749888 --a------ C:\WINDOWS\system32\logonuiX.exe<Unsigned: Microsoft Corporation>
2006-12-23 00:28:44 0 d-------- C:\Programme\WinCustomize<WINCUS~1>
2006-12-23 00:28:44 0 d-------- C:\Programme\Gemeinsame Dateien\Stardock
2006-12-23 00:24:03 2955264 --a------ C:\WINDOWS\logonui.exe<Unsigned: Microsoft Corporation>
2006-12-22 23:11:39 441 --a------ C:\bootbak.bat
2006-12-22 20:59:07 0 d-------- C:\Programme\QuickTime<QUICKT~1>
2006-12-22 17:41:16 0 d-------- C:\Programme\CyberLink<CYBERL~1>
2006-12-22 17:35:40 0 d-------- C:\Programme\Skype
2006-12-22 17:35:40 0 d-------- C:\Programme\Gemeinsame Dateien\Skype
2006-12-19 16:11:52 0 d-------- C:\Dokumente und Einstellungen\ger\Anwendungsdaten\Sun
2006-12-07 21:17:18 0 --a------ C:\WINDOWS\nsreg.dat
2006-12-05 18:25:14 405692 --a------ C:\WINDOWS\system32\perfh007.dat
2006-12-05 18:25:14 70976 --a------ C:\WINDOWS\system32\perfc007.dat
2006-11-30 12:34:16 737280 --a------ C:\WINDOWS\iun6002.exe<Unsigned: Indigo Rose Corporation>

-- Registry Dump ----------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MAFWTaskbarApp"="C:\\WINDOWS\\system32\\MAFWTray.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{483910AC-20E0-42A6-B6F5-3902EEF878D0}"="NSIS Media Extension"
"{151BD732-D167-4A50-A7F0-9DF0DD2C7247}"="MSCTFP ShellHook Module"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

-- End of ComboScan: finished at 2007-02-19 at 03:53:35
-------------------------
Attachment: Supplementary.txt
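The triage that a helper does by eye on a log like this (a driver whose image sits in C:\WINDOWS\TEMP, an unsigned executable with a numeric name in system32, a Windows component name carrying a third-party publisher) can be scripted. The script below is an added example, not part of ComboScan, HijackThis or this thread: it parses three of the line formats in the log above (driver/service lines, HijackThis O23 lines, and the dated file lines with their <Signed:/Unsigned:> tags) and grades what it finds. The sample lines are a constructed subset of the log above; the system drive, the temp-directory markers and the list of Windows component names are assumptions of this example.

```python
import re

SYSTEM_DRIVE = "c:"   # assumption: the log shows Windows installed on C:
TEMP_MARKERS = ("\\windows\\temp\\", "\\lokale einstellungen\\temp\\",
                "\\local settings\\temp\\")
# Assumed short list of Windows component names whose version info must name Microsoft.
WINDOWS_NAMES = {"ctfmon.exe", "logonui.exe", "explorer.exe", "svchost.exe",
                 "winlogon.exe", "lsass.exe"}

# Driver/service lines:  "<start type> <name> (<description>) - <image path>"
DRIVER_RE = re.compile(r"^(?P<start>[0-4]) (?P<name>.+?)(?: \((?P<desc>.+)\))? - (?P<path>.+)$")
# HijackThis O23 lines:  "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# File lines: "<date> <time> <size> <attrs> <path>[<8.3 name>][<Signed|Unsigned: publisher>]"
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attrs>\S{9})\s+(?P<rest>.+)$")

# Constructed subset of the ComboScan output in the post.
SAMPLE_LOG = [
    r"4 mchInjDrv - \??\C:\WINDOWS\TEMP\mc21.tmp",
    r"3 GMSIPCI - \??\E:\INSTALL\GMSIPCI.SYS",
    r"3 ati2mtag - system32\DRIVERS\ati2mtag.sys",
    r'2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "C:\Programme\CyberLink\Shared Files\RichVideo.exe"',
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
    r"O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe",
    r"2007-02-04 12:16:32 94958 --a------ C:\WINDOWS\system32\1170591391.exe<117059~1.EXE><Unsigned: n/a>",
    r"2007-02-15 16:20:46 23552 --a------ C:\WINDOWS\system32\ctfmon.exe<Unsigned: Gerhard Schlager>",
    r"2007-01-03 15:22:12 2277888 --a------ C:\WINDOWS\system32\TUKernel.exe<Unsigned: Microsoft Corporation>",
    r"2007-02-18 15:11:59 0 d-------- C:\SDFix",
    r"2007-02-07 13:25:01 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys<Unsigned: ALWIL Software>",
]


def normalise(path):
    """Strip quotes and the NT \\??\\ prefix and lower-case the path for comparison."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def check_image(name, start, raw_path):
    """Driver or service image: temp directories, .tmp images, foreign drives."""
    p = normalise(raw_path)
    reasons = []
    if any(marker in p for marker in TEMP_MARKERS):
        reasons.append("image sits in a temp directory")
    if p.endswith(".tmp"):
        reasons.append("image has a .tmp extension")
    if reasons:
        return {"item": name, "severity": "HIGH",
                "reason": "; ".join(reasons) + f" (start type {start})"}
    if re.match(r"^[a-z]:", p) and not p.startswith(SYSTEM_DRIVE):
        return {"item": name, "severity": "MEDIUM",
                "reason": f"image on drive {p[:2].upper()}, not the system drive (start type {start})"}
    return None


def check_service(m):
    """HijackThis O23 entry whose binary was not found."""
    if "(file missing)" in m["path"]:
        return {"item": m["name"], "severity": "MEDIUM",
                "reason": "service is registered but HijackThis did not find its binary; "
                          "verify the ImagePath by hand (a quoted path followed by "
                          "arguments is reported the same way)"}
    return None


def check_file(m):
    """Unsigned files under \\WINDOWS, graded by how far name and publisher disagree."""
    if m["attrs"].startswith("d"):
        return None
    rest = m["rest"]
    orig = rest.split("<", 1)[0].strip()
    tags = re.findall(r"<([^<>]*)>", rest)
    sig = next((t for t in tags if t.startswith(("Signed:", "Unsigned:"))), "")
    p = normalise(orig)
    if not sig.startswith("Unsigned:") or "\\windows\\" not in p:
        return None
    publisher = sig.split(":", 1)[1].strip()
    name = orig.rsplit("\\", 1)[-1]
    lname = name.lower()
    if re.fullmatch(r"\d+\.exe", lname):
        return {"item": name, "severity": "HIGH",
                "reason": "unsigned executable with a purely numeric name under \\WINDOWS"}
    if lname in WINDOWS_NAMES and "microsoft" not in publisher.lower():
        return {"item": name, "severity": "HIGH",
                "reason": f"Windows component name but version info names '{publisher}'"}
    if "microsoft" in publisher.lower():
        return {"item": name, "severity": "MEDIUM",
                "reason": "version info claims Microsoft but the scanner found no signature; "
                          "compare it with the copy in dllcache or on the install media"}
    return {"item": name, "severity": "LOW",
            "reason": f"unsigned third-party file ({publisher}) under \\WINDOWS"}


def triage(lines):
    """Run every line through the three parsers and collect the findings."""
    findings = []
    for line in lines:
        line = line.rstrip()
        if (m := DRIVER_RE.match(line)):
            f = check_image(m["name"], m["start"], m["path"])
        elif (m := O23_RE.match(line)):
            f = check_service(m)
        elif (m := FILE_RE.match(line)):
            f = check_file(m)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['item']}: {f['reason']}")
```

On the sample it reports mchInjDrv (a kernel driver image in C:\WINDOWS\TEMP with a .tmp name, disabled at the moment but still registered), GMSIPCI (a driver loaded from E:, here an installation medium), the numeric 1170591391.exe, ctfmon.exe carrying a non-Microsoft publisher, and TUKernel.exe, which names Microsoft in its version info without a recognised signature. The "(file missing)" hits need a manual check: the two avast! scanner binaries it would flag from the full log appear in the "Running processes" list, so there the flag is HijackThis tripping over the quoted path with "/service" appended, not a missing file.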
19.02.2007, 12:42
Honorary member
Posts: 29434
#8
guitarimp

1. Disable the SpybotSD TeaTimer.

2. Information: NSIS Media -> Advertisement NSIS Media
http://virus-protect.org/artikel/spyware/nsis.html
---------------------------------------

3. Avenger
http://virus-protect.org/artikel/tools/avenger.html
Tick "Input script manually"
Copy into: View/edit script

* Quote
Registry values to delete:

After the restart a log from Avenger appears; post it here.
---------------------------

Quote
4 mchInjDrv - \??\C:\WINDOWS\TEMP\mc21.tmp - Backdoor "Graybird.N.1 (?)

virustotal
At the top of the page --> click Browse --> select the file (or paste the file name with its full path straight in) --> double-click the file to be checked --> click "Send"... now wait, then select the text with the right mouse button -> copy -> paste
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\TEMP\mc21.tmp
C:\WINDOWS\system32\1170591391.exe

Post the scan reports here.
__________
Regards, Sabina
all about PC security
20.02.2007, 00:48
Member
Thread starter, Posts: 11
#9
So I had already deleted Gemeinsame Dateien/NSIS beforehand and removed the registry entries by hand in the editor, until I realised that Avenger does that for me anyway ;-)
The file mc21.tmp doesn't exist on my machine!
Regards

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qhurtays

*******************

Script file located at: \??\C:\Program Files\sscrvuip.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\Programme\NSIS Media not found!
Deletion of folder C:\Programme\NSIS Media failed!
Could not process line:
C:\Programme\NSIS Media
Status: 0xc0000034

Folder C:\Programme\Gemeinsame Dateien\NSIS not found!
Deletion of folder C:\Programme\Gemeinsame Dateien\NSIS failed!
Could not process line:
C:\Programme\Gemeinsame Dateien\NSIS
Status: 0xc0000034

Could not open folder C:\Program Files\Common Files\NSIS for deletion
Deletion of folder C:\Program Files\Common Files\NSIS failed!
Could not process line:
C:\Program Files\Common Files\NSIS
Status: 0xc000003a

Could not delete registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{955F7C01-3417-4F1E-8C31-5A2EF48897CB}
Deletion of registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{955F7C01-3417-4F1E-8C31-5A2EF48897CB} failed!
Status: 0xc0000034

Could not delete registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{367BDF4B-04E5-46C9-9D83-D68307F659E3}
Deletion of registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{367BDF4B-04E5-46C9-9D83-D68307F659E3} failed!
Status: 0xc0000034

Could not delete registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{D0ABAB9C-4F67-46C8-8061-11489EDE03DF}
Deletion of registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{D0ABAB9C-4F67-46C8-8061-11489EDE03DF} failed!
Status: 0xc0000034

Could not delete registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{DDBB6F2B-E2B7-4645-81AF-ECD28FA4E87D}
Deletion of registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{DDBB6F2B-E2B7-4645-81AF-ECD28FA4E87D} failed!
Status: 0xc0000034

Could not delete registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{097F10A7-487F-4457-AB1F-827C59479A72}
Deletion of registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{097F10A7-487F-4457-AB1F-827C59479A72} failed!
Status: 0xc0000034

Could not delete registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{DDBB6F2B-E2B7-4645-81AF-ECD28FA4E87D}
Deletion of registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{DDBB6F2B-E2B7-4645-81AF-ECD28FA4E87D} failed!
Status: 0xc0000034

Could not delete registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{5BACC17E-BDF7-405B-BC68-ECB506395118}
Deletion of registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{5BACC17E-BDF7-405B-BC68-ECB506395118} failed!
Status: 0xc0000034

Could not delete registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{483910AC-20E0-42A6-B6F5-3902EEF878D0}
Deletion of registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{483910AC-20E0-42A6-B6F5-3902EEF878D0} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\NSISMedia deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\NSIS deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Complete scanning result of "1170591391.exe", received in VirusTotal at 02.20.2007, 00:29:32 (CET).

Antivirus      Version        Update       Result
AntiVir        7.3.1.37       02.19.2007   no virus found
Authentium     4.93.8         02.19.2007   no virus found
Avast          4.7.936.0      02.19.2007   no virus found
AVG            386            02.19.2007   no virus found
BitDefender    7.2            02.19.2007   no virus found
CAT-QuickHeal  9.00           02.19.2007   no virus found
ClamAV         devel-20060426 02.19.2007   no virus found
DrWeb          4.33           02.19.2007   no virus found
eSafe          7.0.14.0       02.19.2007   no virus found
eTrust-Vet     30.4.3412      02.19.2007   no virus found
Ewido          4.0            02.19.2007   no virus found
FileAdvisor    1              02.20.2007   no virus found
Fortinet       2.85.0.0       02.19.2007   no virus found
F-Prot         4.2.1.29       02.19.2007   no virus found
F-Secure       6.70.13030.0   02.19.2007   no virus found
Ikarus         T3.1.0.31      02.19.2007   no virus found
Kaspersky      4.0.2.24       02.20.2007   no virus found
McAfee         4966           02.19.2007   no virus found
Microsoft      1.2204         02.19.2007   no virus found
NOD32v2        2070           02.19.2007   no virus found
Norman         5.80.02        02.19.2007   no virus found
Panda          9.0.0.4        02.19.2007   no virus found
Prevx1         V2             02.20.2007   Covert.Sys.Exec
Sophos         4.14.0         02.19.2007   no virus found
Sunbelt        2.2.907.0      02.17.2007   no virus found
Symantec       10             02.20.2007   no virus found
TheHacker      6.1.6.060      02.19.2007   no virus found
UNA            1.83           02.19.2007   no virus found
VBA32          3.11.2         02.19.2007   suspected of Trojan.StartPage.62 (paranoid heuristics)
VirusBuster    4.3.19:9       02.19.2007   no virus found

Additional Information
File size: 94958 bytes
MD5: 1c6b18796a1d133b537178e19630d11a
SHA1: eee7d68e7403f31f8955f29bf0fa9d5d5141bc03
packers: BINARYRES
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=fe5075531964
|
|
||
20.02.2007, 00:52
Ehrenmitglied
Beiträge: 29434 |
#10
---------------------------
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
and double-click it to start.
In "Enter search strings" (type or paste) mchInjDrv into the edit box and click "Ok".
Notepad will open -- copy the text and post it.
__________
Regards Sabina
all about PC security
|
|
||
20.02.2007, 12:26
Member
Themenstarter Beiträge: 11 |
#11
Hi!
It seems to be there after all!?

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.2.0

; Results at 20.02.2007 12:23:06 for strings:
; 'mchinjdrv'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV\0000]
"Service"="mchInjDrv"
"DeviceDesc"="mchInjDrv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000]
"Service"="mchInjDrv"
"DeviceDesc"="mchInjDrv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV\0000\Control]
"ActiveService"="mchInjDrv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mchInjDrv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mchInjDrv\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mchInjDrv\Enum]
"0"="Root\\LEGACY_MCHINJDRV\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MCHINJDRV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MCHINJDRV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MCHINJDRV\0000]
"Service"="mchInjDrv"
"DeviceDesc"="mchInjDrv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MCHINJDRV\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mchInjDrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000]
"Service"="mchInjDrv"
"DeviceDesc"="mchInjDrv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\Control]
"ActiveService"="mchInjDrv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum]
"0"="Root\\LEGACY_MCHINJDRV\\0000"

; End Of The Log...

guitarimp
|
|
||
20.02.2007, 13:16
Ehrenmitglied
Beiträge: 29434 |
#12
»»
download unhackme, scan and report
http://virus-protect.org/artikel/tools/unhackme.html

»» download, scan and report: AFX Rootkit
http://www.greatis.com/unhackme/afxrootkitremoval.htm

-----------------------------------------------------------------------
Avenger
Quote
registry keys to delete:

»» do not delete the Avenger backup yet....
__________
Regards Sabina
all about PC security
|
|
||
20.02.2007, 19:42
Member
Themenstarter Beiträge: 11 |
#13
Hallo Sabina!
I found nothing with unhackme; after I restarted following Avenger, it hung at the login. After the next restart unhackme found something unknown and advised me to restart once more. Only then did the Avenger logfile appear, and unhackme found nothing after all. Unhackme loads at startup (blue screen)!?
Regards

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fmhyneeh

*******************

Script file located at: \??\C:\Program Files\oeenkpqg.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MCHINJDRV deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCHINJDRV deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mchInjDrv deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_MCHINJDRV deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mchInjDrv deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
Status: 0xc0000034

File C:\WINDOWS\TEMP\mc21.tmp not found!
Deletion of file C:\WINDOWS\TEMP\mc21.tmp failed!
Could not process line:
C:\WINDOWS\TEMP\mc21.tmp
Status: 0xc0000034

File C:\WINDOWS\system32\1170591391.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
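Added here as an illustration (not part of the thread and not Avenger's own code): a small Python parser for the Avenger log format quoted in this post and in the earlier one. It maps every scripted target to its outcome and decodes the two NTSTATUS codes these logs show (0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, 0xc000003a is STATUS_OBJECT_PATH_NOT_FOUND), so a helper can tell "already gone" from "could not be removed" at a glance; the sample log is constructed from lines quoted in the thread.

```python
import re
from collections import Counter

# NTSTATUS values seen in the Avenger logs in this thread (Windows SDK names).
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
}

# One regex per line shape that carries an outcome; every other line is ignored.
ITEM_RE = re.compile(r"^(?:File|Folder|Registry key|Registry value) (?P<target>.+?)"
                     r" (?P<verdict>deleted successfully\.|not found!)$")
FAIL_RE = re.compile(r"^Could not (?:delete registry value|open folder) (?P<target>.+?)"
                     r"(?: for deletion)?$")
STATUS_RE = re.compile(r"^Status: 0x(?P<code>[0-9A-Fa-f]{8})$")


def parse_avenger_log(text):
    """Map each scripted target to 'deleted' or to the decoded NTSTATUS of its failure."""
    results = {}
    pending = None  # target still waiting for its 'Status:' line
    for raw in text.splitlines():
        line = raw.strip()
        if m := ITEM_RE.match(line):
            if m["verdict"].startswith("deleted"):
                results[m["target"]] = "deleted"
            else:
                pending = m["target"]  # 'not found!' is followed by a Status line
        elif m := FAIL_RE.match(line):
            pending = m["target"]
        elif (m := STATUS_RE.match(line)) and pending is not None:
            code = int(m["code"], 16)
            results[pending] = NTSTATUS.get(code, f"NTSTATUS 0x{code:08X}")
            pending = None
    return results


def summarize(results):
    """Count outcomes so a helper sees at a glance what the script left behind."""
    return dict(Counter(results.values()))


# Constructed sample, assembled from lines quoted in this thread.
SAMPLE_LOG = r"""Beginning to process script file:
Folder C:\Programme\NSIS Media not found!
Deletion of folder C:\Programme\NSIS Media failed!
Could not process line:
C:\Programme\NSIS Media
Status: 0xc0000034
Could not open folder C:\Program Files\Common Files\NSIS for deletion
Status: 0xc000003a
Could not delete registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{955F7C01-3417-4F1E-8C31-5A2EF48897CB}
Status: 0xc0000034
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\NSIS deleted successfully.
File C:\WINDOWS\system32\1170591391.exe deleted successfully.
Completed script processing.
"""
```

Running `summarize(parse_avenger_log(SAMPLE_LOG))` on the sample gives two targets deleted, two name-not-found failures and one path-not-found failure.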
|
|
||
20.02.2007, 20:13
Ehrenmitglied
Beiträge: 29434 |
#14
««
remove Unhackme (bottom right in the taskbar) from autostart - and then uninstall the program again.

««
http://virus-protect.org/artikel/tools/sdfix.html
in normal mode, double-click RunThis.bat
type: 3
3: Sophos is loaded - choose 6, scan and post the report
__________
Regards Sabina
all about PC security
|
|
||
20.02.2007, 22:58
Member
Themenstarter Beiträge: 11 |
#15
Sophos Anti-Virus
Version 4.14.0 [Win32/Intel]
Virus data version 4.14, February 2007
Includes detection for 216855 viruses, trojans and worms
Copyright (c) 1989-2007 Sophos Plc, www.sophos.com

System time 22:27:11, System date 20 February 2007

Command line qualifiers are: -f -remove -nc -nb --stop-scan

>>> Virus 'Mal/Packer' found in file C:\My Downloads\CD RIPPER\keygen-EaseCDRipper.exe
Removal successful
Password protected file C:\Programme\Adobe\Acrobat 7.0\Reader\Messages\DEU\RdrMsgDEU.pdf
Password protected file C:\Programme\Adobe\Acrobat 7.0\Reader\Messages\ENU\RdrMsgENU.pdf
Password protected file C:\Programme\Adobe\Acrobat 7.0\Reader\Messages\RdrMsgSplash.pdf
Password protected file C:\Programme\Adobe\Acrobat 7.0\Reader\WebSearch\WebSearchENU.pdf
>>> Virus 'Mal/Packer' found in file C:\System Volume Information\_restore{E0B0A8B2-5EFA-49C5-B4F9-041383E82249}\RP150\A0014745.exe
Removal successful
Could not open C:\WINDOWS\system32\drivers\sptd.sys

2 boot sectors swept.
40486 files swept in 22 minutes and 13 seconds.
5 errors were encountered.
2 viruses were discovered.
2 files out of 40486 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com or telephone +44 1235 559933
4 encrypted files were not checked.

Ending Sophos Anti-Virus.
|
|
||
So Dr. Watson also kept crashing until I removed it, like many other things, but Explorer crashes constantly, regardless of any particular activity. Sometimes when opening Thunderbird or Firefox.
I have used every virus scanner I could find and cleaned the registry, etc...
I have taken everything out of autostart.
I simply don't know what to do any more, and would be very grateful if someone could help me!!!!
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 16:06:38, on 15.02.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\CyberLink\Power2Go\Power2GoExpress.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\RALINK\Common\RaUI.exe
C:\Programme\Winamp\winamp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\ger\Desktop\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gericom.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://gmx.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Programme\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: winamp.lnk = C:\Programme\Winamp\winamp.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Programme\RALINK\Common\RaUI.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1F831FA3-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file:///C:/Programme/AutoCAD%202002%20Deu/InstFred.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday-Steuerung) - file:///C:/Programme/AutoCAD%202002%20Deu/AcDcToday.ocx
O16 - DPF: {AE563724-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Programme/AutoCAD%202002%20Deu/InstBanr.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview-Steuerung) - file:///C:/Programme/AutoCAD%202002%20Deu/AcPreview.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe