Caught a "Virus Alert" (thread is closed)

28.07.2008, 15:13
Honorary member
Posts: 29434
#0
28.07.2008, 15:15
Member
Thread starter, Posts: 36
#32
Signify is attached as an image file.
No, unfortunately not any more!!!! mbr doesn't work! Black window, but it aborts immediately without any message.
Attachment: Signify.jpg
__________
Das Ultimative Allroundboard http://www.guenther-mitterer.at/index.php

28.07.2008, 15:30
Honorary member
Posts: 29434
#33
Try a System Restore, going back a day, as far back as possible.
System Restore: Start -> Help and Support -> the option "Undo changes to your computer with System Restore". There choose: "Restore my computer to an earlier time" -> Next. The dates shown in bold in the calendar are the restore points that were set.
Then run gmer once more.
__________
Regards, Sabina
all about PC security

28.07.2008, 15:31
Member
Thread starter, Posts: 36
#34
Well, I switched System Restore off when I reinstalled and never turned it back on!!
So that's out as well! There must be some way to find something??
__________
Das Ultimative Allroundboard http://www.guenther-mitterer.at/index.php

28.07.2008, 16:23
Honorary member
Posts: 6028
#35
Isn't there an mbr.log on your desktop?
Quote:
mbr doesn't work! Black window, but it aborts immediately without any message.
__________
Regards, Argus

28.07.2008, 16:38
Honorary member
Posts: 6028
#36
Make hidden files visible
Open My Computer > Tools > Folder Options > the "View" tab > Hidden files and folders > enable "Show all files and folders".
And > Tools > Folder Options > the "View" tab > Files and folders > uncheck "Hide protected operating system files (recommended)".
Check these file(s) at http://www.virustotal.com/de
System32\Drivers\Winbi86.sys
System32\Drivers\Winiq31.sys
System32\Drivers\Winsb31.sys
System32\Drivers\Winuc31.sys
Note: If VirusTotal reports "The file has already been analysed", choose "Reanalyse the file".
A program called "Spyware Process Detector" was installed on this computer, on purpose?
__________
Regards, Argus

28.07.2008, 16:50
Member
Thread starter, Posts: 36
#37
No, no log on the desktop! Hidden files are enabled!
I don't have any of the files you listed in the folder??? Spyware Doctor is installed! Process Detector is uninstalled! What now?
__________
Das Ultimative Allroundboard http://www.guenther-mitterer.at/index.php

28.07.2008, 16:54
Honorary member
Posts: 29434
#38
Run avz + post the report
http://virus-protect.org/artikel/tools/avz.html
Run systemscan + post the report as an attachment
http://virus-protect.org/artikel/tools/systemscan.html
__________
Regards, Sabina
all about PC security

28.07.2008, 17:06
Member
Thread starter, Posts: 36
#39
Systemscan is attached:
AVZ LOG:
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 28.07.2008 17:04:01
Database loaded: signatures - 178520, NN profile(s) - 2, microprograms of healing - 56, signature database released 27.07.2008 17:51
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 71511
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->7C884FEC
Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->7C884F9C
Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->7C884FB0
Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->7C884FD8
Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->7C884FC4
IAT modification detected: LoadLibraryA - 7C884F9C<>7C801D7B
IAT modification detected: GetProcAddress - 7C884FEC<>7C80AE30
Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:NtClose (111) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtCreateFile (123) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtCreateKey (127) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtCreateSection (137) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtDeleteKey (151) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtDeleteValueKey (153) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtRenameKey (283) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtSetInformationFile (315) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtSetValueKey (338) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtTerminateProcess (348) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtWriteFile (366) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtWriteFileGather (367) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtWriteVirtualMemory (369) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwClose (921) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateFile (933) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateKey (937) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwCreateSection (947) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwDeleteKey (960) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwDeleteValueKey (962) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwRenameKey (1092) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwSetInformationFile (1124) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwSetValueKey (1147) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwTerminateProcess (1157) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwWriteFile (1175) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwWriteFileGather (1176) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:ZwWriteVirtualMemory (1178) intercepted, method CodeHijack (method not defined)
Analysis: user32.dll, export table found in section .text
Function user32.dll:RegisterRawInputDevices (546) intercepted, method ProcAddressHijack.GetProcAddress ->7E3BCE0E->7EEA0080
Function user32.dll:SetWindowsHookExA (651) intercepted, method CodeHijack (method not defined)
Function user32.dll:SetWindowsHookExW (652) intercepted, method CodeHijack (method not defined)
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26A8 (284)
Function NtClose (19) intercepted (805678DD->A8D4C1E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtConnectPort (1F) intercepted (805879EB->A8D4A2F0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (8057065D->A8D3D750), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateProcess (2F) intercepted (805B135A->A8D4BF10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateProcessEx (30) intercepted (8057FC60->A8D4C080), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateSection (32) intercepted (805652B3->A8D4CD00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateSymbolicLinkObject (34) intercepted (8059F509->A8D4C7B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateThread (35) intercepted (8058E63F->A8D4D600), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (805952BE->A8D3D860), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (80592D50->A8D3D8E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805715E0->A8D4C380), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (80570D64->A8D3D990), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (8059066B->A8D3DA40), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtFlushKey (4F) intercepted (805DC590->A8D3DAF0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtInitializeRegistry (5C) intercepted (805A8064->A8D3DB70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadDriver (61) intercepted (805A3AF1->A8D49E50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadKey (62) intercepted (805AED5D->A8D3E590), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadKey2 (63) intercepted (805AEB9A->A8D3DB90), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtNotifyChangeKey (6F) intercepted (8058A68D->A8D3DC70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (8056CD5B->BA6E7030), hook C:\WINDOWS\system32\Drivers\kl1.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (80568D59->A8D3DD50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805717C7->A8D4BD00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenSection (7D) intercepted (80570FD7->A8D4CB20), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryKey (A0) intercepted (80570A6D->A8D3DE30), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) intercepted (8064E320->A8D3DEE0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQuerySystemInformation (AD) intercepted (8057BC36->A8D4D2B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (8056A1F1->A8D3DF90), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtRenameKey (C0) intercepted (8064E79E->A8F8812A), hook C:\WINDOWS\system32\drivers\iksysflt.sys
Function NtReplaceKey (C1) intercepted (8064F0FA->A8D3E070), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->A8D4A900), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (8064EC91->A8D3E100), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtResumeThread (CE) intercepted (8058ECB2->A8D4D5B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSaveKey (CF) intercepted (8064ED92->A8D3E300), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetContextThread (D5) intercepted (8062DCDF->A8D4D940), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationFile (E0) intercepted (8057494A->A8D4DF60), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationKey (E2) intercepted (8064DE83->A8D3E390), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetSecurityObject (ED) intercepted (8059B19B->A8D48A10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetSystemInformation (F0) intercepted (805A7BDD->A8D4C9A0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80572889->A8D3E430), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSuspendThread (FE) intercepted (805E045E->A8D4D560), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSystemDebugControl (FF) intercepted (80649CE3->A8D4A1B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805822E0->A8D4D150), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtUnloadKey (107) intercepted (8064D9FA->A8D3E550), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (8057E420->A8D4C240), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function FsRtlCheckLockForReadAccess (80512919) - machine code modification Method of JmpTo. jmp A8D4E380 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function IoIsOperationSynchronous (804E875A) - machine code modification Method of JmpTo. jmp A8D4E880 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 44, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8A6851F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 8A6851F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CREATE] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CLOSE] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_WRITE] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_EA] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 86EDD1F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_PNP] = 86EDD1F8 -> hook not defined
Checking - complete
2. Scanning memory
Number of processes found: 44
Number of modules loaded: 548
Scanning memory - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Programme\Spyware Doctor\smumhook.dll --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Spyware Doctor\smumhook.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
File quarantined succesfully (C:\Programme\Spyware Doctor\smumhook.dll)
C:\Programme\Spyware Doctor\klg.dat --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Spyware Doctor\klg.dat>>> Behavioural analysis
Behaviour typical for keyloggers not detected
File quarantined succesfully (C:\Programme\Spyware Doctor\klg.dat)
C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
File quarantined succesfully (C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll)
C:\Programme\Microsoft Office\Office12\GrooveUtil.DLL --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Microsoft Office\Office12\GrooveUtil.DLL>>> Behavioural analysis
Behaviour typical for keyloggers not detected
File quarantined succesfully (C:\Programme\Microsoft Office\Office12\GrooveUtil.DLL)
C:\Programme\Microsoft Office\Office12\GrooveNew.DLL --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Microsoft Office\Office12\GrooveNew.DLL>>> Behavioural analysis
Behaviour typical for keyloggers not detected
File quarantined succesfully (C:\Programme\Microsoft Office\Office12\GrooveNew.DLL)
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
>> Abnormal SCR files association
>> Abnormal REG files association
Checking - complete
Files scanned: 592, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 28.07.2008 17:04:53
Time of scanning: 00:00:53
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference
---------------
Quote:
BackDoor.Ntrootkit Groupware
Attachment: report.txt
__________
Das Ultimative Allroundboard http://www.guenther-mitterer.at/index.php
This post was edited by mitterer14 on 28.07.2008 at 17:42.

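The AVZ report above lists every SSDT entry that no longer points into ntoskrnl and, for each, the driver that owns the hook and whether AVZ recognized that driver as trusted. Read by hand, the lines that matter are the ones without a "driver recognized as trusted" annotation (here a single NtRenameKey hook owned by iksysflt.sys) and any hook on the syscalls a rootkit uses to hide processes, files and registry keys (NtQuerySystemInformation, NtQueryDirectoryFile, NtEnumerateKey and friends). The Python script below is an added example, not part of the thread and not AVZ's own code; it parses a few constructed lines in the exact shape of the posted log and prints that triage. The sample text and the HIDING_SYSCALLS set are the example's own assumptions. An unattributed hook is only a candidate for follow-up, not a verdict: the thread says Spyware Doctor is installed, and security products hook the same entries.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the AVZ log posted above: three
# user-mode lines (section 1.1) and five kernel-mode SDT lines (section 1.2).
SAMPLE_AVZ_LOG = r"""Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->7C884FEC
Function ntdll.dll:NtCreateFile (123) intercepted, method CodeHijack (method not defined)
Function ntdll.dll:NtWriteVirtualMemory (369) intercepted, method CodeHijack (method not defined)
Function NtClose (19) intercepted (805678DD->A8D4C1E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (8056CD5B->BA6E7030), hook C:\WINDOWS\system32\Drivers\kl1.sys, driver recognized as trusted
Function NtQuerySystemInformation (AD) intercepted (8057BC36->A8D4D2B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtRenameKey (C0) intercepted (8064E79E->A8F8812A), hook C:\WINDOWS\system32\drivers\iksysflt.sys
Function NtSetValueKey (F7) intercepted (80572889->A8D3E430), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 44, restored: 0
"""

# Kernel-mode SDT hook line:
# "Function <Nt*> (<index>) intercepted (<orig>-><target>), hook <driver>[, driver recognized as trusted]"
KERNEL_HOOK_RE = re.compile(
    r"^Function (?P<func>\w+) \((?P<idx>[0-9A-Fa-f]+)\) intercepted "
    r"\((?P<orig>[0-9A-Fa-f]+)->(?P<dest>[0-9A-Fa-f]+)\), hook (?P<driver>\S+?)"
    r"(?P<trusted>, driver recognized as trusted)?$"
)
# User-mode hook line:
# "Function <dll>:<export> (<ordinal>) intercepted, method <method> ..."
USER_HOOK_RE = re.compile(
    r"^Function (?P<module>[\w.]+\.dll):(?P<func>\w+) \((?P<ordinal>\d+)\) intercepted, "
    r"method (?P<method>\S+)(?P<detail>.*)$"
)

# Syscalls a rootkit typically hooks to hide processes, files and keys.
# This set is the example's own choice, not something AVZ reports.
HIDING_SYSCALLS = {
    "NtQuerySystemInformation", "NtQueryDirectoryFile", "NtEnumerateKey",
    "NtEnumerateValueKey", "NtQueryValueKey", "NtOpenProcess", "NtOpenKey",
}


def parse_avz_hooks(text: str) -> List[Dict]:
    """Turn the hook lines of an AVZ report into records; other lines are ignored."""
    hooks: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KERNEL_HOOK_RE.match(line)
        if m:
            hooks.append({
                "kind": "kernel",
                "function": m.group("func"),
                "index": int(m.group("idx"), 16),   # SSDT index is printed in hex
                "original": m.group("orig"),
                "target": m.group("dest"),
                "driver": m.group("driver"),
                "trusted": m.group("trusted") is not None,
            })
            continue
        m = USER_HOOK_RE.match(line)
        if m:
            hooks.append({
                "kind": "user",
                "module": m.group("module"),
                "function": m.group("func"),
                "method": m.group("method"),
                "detail": m.group("detail").strip(),
            })
    return hooks


def triage_hooks(hooks: List[Dict]) -> Dict:
    """Group SDT hooks by owning driver and single out the ones worth a closer look."""
    by_driver: Dict[str, int] = {}
    unattributed: List[Tuple[str, str]] = []   # (syscall, driver) with no "trusted" tag
    hiding_unattributed: List[str] = []        # subset of those on hide-capable syscalls
    inline_user: List[str] = []                # user-mode inline patches (CodeHijack)
    for h in hooks:
        if h["kind"] == "kernel":
            by_driver[h["driver"]] = by_driver.get(h["driver"], 0) + 1
            if not h["trusted"]:
                unattributed.append((h["function"], h["driver"]))
                if h["function"] in HIDING_SYSCALLS:
                    hiding_unattributed.append(h["function"])
        elif h["method"].startswith("CodeHijack"):
            inline_user.append(f"{h['module']}:{h['function']}")
    return {
        "kernel_hooks_by_driver": by_driver,
        "unattributed_kernel_hooks": unattributed,
        "hiding_syscalls_unattributed": hiding_unattributed,
        "inline_user_hooks": inline_user,
    }


if __name__ == "__main__":
    report = triage_hooks(parse_avz_hooks(SAMPLE_AVZ_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the full log from the thread the script would attribute 43 of the 44 SDT hooks to klif.sys and kl1.sys (both tagged trusted) and leave only the iksysflt.sys hook on NtRenameKey unattributed; the user-mode CodeHijack entries in ntdll cannot be attributed from the log at all, which is why AVZ itself says not to delete anything on that basis.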
28.07.2008, 19:01
Honorary member
Posts: 29434
#40
The last log is not complete... part of it is still missing, please scan again.
You have caught a backdoor, BackDoor.Ntrootkit - I doubt you will get around formatting.
Troj/NtRootK is a kernel rootkit for Windows NT-based operating systems.
http://virus-protect.org/artikel/tools/regsearch.html
Double-click to start. In "Enter search strings" type or paste
Winbi86
in the edit field and click "Ok". Notepad will open -- copy the text and post it.
The same with:
Winiq31
Winsb31
Winuc31
__________
Regards, Sabina
all about PC security

28.07.2008, 19:10
Member
Thread starter, Posts: 36
#41
Winbi86:
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 28.07.2008 19:06:25 for strings:
; 'winbi86'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Winbi86.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Winbi86.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winbi86]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winbi86]
"ImagePath"="System32\\Drivers\\Winbi86.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winbi86\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Winbi86]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Winbi86]
"ImagePath"="System32\\Drivers\\Winbi86.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\Winbi86.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\Winbi86.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winbi86]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winbi86]
"ImagePath"="System32\\Drivers\\Winbi86.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winbi86\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winbi86.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Winbi86.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winbi86]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winbi86]
"ImagePath"="System32\\Drivers\\Winbi86.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winbi86\Security]
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="Winbi86.sys"
; End Of The Log...

Winiq31:
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 28.07.2008 19:08:49 for strings:
; 'winiq31'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Winiq31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Winiq31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIQ31]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIQ31\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIQ31\0000]
"Service"="Winiq31"
"DeviceDesc"="Winiq31"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIQ31\0000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINIQ31\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winiq31]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winiq31]
"ImagePath"="System32\\Drivers\\Winiq31.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winiq31\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winiq31\Enum]
"0"="Root\\LEGACY_WINIQ31\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\Winiq31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\Winiq31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIQ31]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIQ31\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIQ31\0000]
"Service"="Winiq31"
"DeviceDesc"="Winiq31"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINIQ31\0000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winiq31]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winiq31]
"ImagePath"="System32\\Drivers\\Winiq31.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winiq31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Winiq31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIQ31]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIQ31\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIQ31\0000]
"Service"="Winiq31"
"DeviceDesc"="Winiq31"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIQ31\0000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIQ31\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winiq31]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winiq31]
"ImagePath"="System32\\Drivers\\Winiq31.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winiq31\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winiq31\Enum]
"0"="Root\\LEGACY_WINIQ31\\0000"
; End Of The Log...
__________
Das Ultimative Allroundboard http://www.guenther-mitterer.at/index.php

28.07.2008, 19:13
Member
Thread starter, Posts: 36
#42
Winsb31:
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 28.07.2008 19:10:45 for strings:
; 'winsb31'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Winsb31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Winsb31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsb31]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsb31]
"ImagePath"="System32\\Drivers\\Winsb31.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsb31\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Winsb31]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Winsb31]
"ImagePath"="System32\\Drivers\\Winsb31.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\Winsb31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\Winsb31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winsb31]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winsb31]
"ImagePath"="System32\\Drivers\\Winsb31.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winsb31\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsb31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Winsb31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsb31]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsb31]
"ImagePath"="System32\\Drivers\\Winsb31.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsb31\Security]
; End Of The Log...

Winuc31:
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 28.07.2008 19:12:18 for strings:
; 'winuc31'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Winuc31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Winuc31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINUC31]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINUC31\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINUC31\0000]
"Service"="Winuc31"
"DeviceDesc"="Winuc31"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINUC31\0000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINUC31\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winuc31]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winuc31]
"ImagePath"="System32\\Drivers\\Winuc31.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winuc31\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winuc31\Enum]
"0"="Root\\LEGACY_WINUC31\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\Winuc31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\Winuc31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINUC31]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINUC31\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINUC31\0000]
"Service"="Winuc31"
"DeviceDesc"="Winuc31"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINUC31\0000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winuc31]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winuc31]
"ImagePath"="System32\\Drivers\\Winuc31.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winuc31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Winuc31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUC31]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUC31\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUC31\0000]
"Service"="Winuc31"
"DeviceDesc"="Winuc31"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUC31\0000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINUC31\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winuc31]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winuc31]
"ImagePath"="System32\\Drivers\\Winuc31.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winuc31\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winuc31\Enum]
"0"="Root\\LEGACY_WINUC31\\0000"
; End Of The Log...
__________
Das Ultimative Allroundboard http://www.guenther-mitterer.at/index.php

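The four RegSearch dumps above all show the same persistence shape: a kernel-driver service under Services\<name> whose ImagePath points into System32\Drivers, a matching entry under Control\SafeBoot\Minimal and Control\SafeBoot\Network (so the driver is loaded in Safe Mode as well, which is why "boot to Safe Mode and delete it" would not have helped here), and for Winiq31 and Winuc31 an Enum\Root\LEGACY_<NAME> node, which the PnP manager creates for a legacy (non-PnP) driver service once it has been started. The Python script below is an added example, not from the thread and not RegSearch's own code; it parses a constructed excerpt in RegSearch's .reg-style output format (keys in brackets, values as "name"="data" under their key) and summarizes those indicators per service. The sample text mirrors the posted keys for Winiq31 and Winsb31 trimmed to CurrentControlSet, and the wording of the findings is the example's own.

```python
import re
from typing import Dict, List

# Constructed excerpt in the format RegSearch writes. The keys mirror the ones
# posted above for Winiq31 and Winsb31, trimmed to CurrentControlSet.
SAMPLE_REGSEARCH = r"""Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman (c) 2005
; Results at 28.07.2008 19:08:49 for strings:
; 'winiq31' 'winsb31'
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winiq31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Winiq31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINIQ31\0000]
"Service"="Winiq31"
"DeviceDesc"="Winiq31"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winiq31]
"ImagePath"="System32\\Drivers\\Winiq31.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winiq31\Enum]
"0"="Root\\LEGACY_WINIQ31\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winsb31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Winsb31.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsb31]
"ImagePath"="System32\\Drivers\\Winsb31.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsb31\Security]
; End Of The Log...
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Only the direct service key, not its Security/Enum subkeys.
SERVICES_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)$", re.IGNORECASE)
SAFEBOOT_RE = re.compile(
    r"\\Control\\SafeBoot\\(?P<mode>Minimal|Network)\\(?P<svc>[^\\]+?)(?:\.sys)?$", re.IGNORECASE)
LEGACY_RE = re.compile(r"\\Enum\\Root\\LEGACY_(?P<svc>[^\\]+)", re.IGNORECASE)
CONTROLSET_RE = re.compile(r"\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\", re.IGNORECASE)


def parse_reg_search(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}; keys without values map to {}.
    String data is unescaped the way .reg files escape it ('\\\\' -> '\\')."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group("name")] = m.group("value").replace("\\\\", "\\")
    return entries


def summarize_driver_persistence(entries: Dict[str, Dict[str, str]]) -> Dict[str, Dict]:
    """Collect, per service name (lower-cased), the persistence indicators seen in the dump."""
    summary: Dict[str, Dict] = {}

    def record(name: str) -> Dict:
        return summary.setdefault(name.lower(), {
            "image_path": None, "safeboot": set(), "legacy_enum": False, "control_sets": set()})

    for key, values in entries.items():
        cs = CONTROLSET_RE.search(key)
        for regex in (SERVICES_RE, SAFEBOOT_RE, LEGACY_RE):
            m = regex.search(key)
            if not m:
                continue
            r = record(m.group("svc"))
            if cs:
                r["control_sets"].add(cs.group("cs"))
            if regex is SERVICES_RE and "ImagePath" in values:
                r["image_path"] = values["ImagePath"]
            elif regex is SAFEBOOT_RE:
                r["safeboot"].add(m.group("mode").capitalize())
            elif regex is LEGACY_RE:
                r["legacy_enum"] = True
            break
    return summary


def persistence_findings(summary: Dict[str, Dict]) -> List[str]:
    """Turn the summary into one-line findings an analyst would put in a report."""
    findings: List[str] = []
    for name, r in sorted(summary.items()):
        if r["image_path"]:
            findings.append(f"{name}: kernel driver service, ImagePath={r['image_path']}")
        if {"Minimal", "Network"} <= r["safeboot"]:
            findings.append(f"{name}: listed under SafeBoot\\Minimal and SafeBoot\\Network, "
                            "so it is loaded in Safe Mode too")
        elif r["safeboot"]:
            findings.append(f"{name}: listed under SafeBoot\\{'/'.join(sorted(r['safeboot']))}")
        if r["legacy_enum"]:
            findings.append(f"{name}: Enum\\Root\\LEGACY_ node present, the driver has been started")
    return findings


if __name__ == "__main__":
    for line in persistence_findings(summarize_driver_persistence(parse_reg_search(SAMPLE_REGSEARCH))):
        print(line)
```

The SafeBoot entries are the detail that matters for cleanup: the SafeBoot\Minimal and SafeBoot\Network lists are exactly what Windows consults to decide which services to start in Safe Mode, so a driver that registers itself there keeps its hooks even when the user boots "safely". Removing the driver therefore means removing the Services key, both SafeBoot entries and the file, from outside the running system (offline) or with a tool that disables the rootkit first, as the Avenger step below is meant to do.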
28.07.2008, 19:22
Honorary member
Posts: 29434
#43
Avenger
http://virus-protect.org/artikel/tools/avenger.html
Tick: "Automatically disable any rootkits found"
The "Scan for Rootkits" box should be ticked.
Copy into the white field:
Quote:
Registry keys to delete:
Close all open programs (because the computer will restart after Avenger has run)
Click: Execute
Confirm that the computer will be restarted - click "yes"
----------------------------
2. sdfix
http://virus-protect.org/artikel/tools/sdfix.html
In normal mode, double-click RunThis.bat
Type in: 3
3: Sophos is loaded
Choose option 6
Scan + post the report "SophosReport.txt" (in the SDFix folder)
__________
Regards, Sabina
all about PC security

28.07.2008, 19:45
Member
Thread starter, Posts: 36
#44
Sophos Anti-Virus
Version 4.31.0 [Win32/Intel]
Virus data version 4.31E, July 2008
Includes detection for 447273 viruses, trojans and worms
Copyright (c) 1989-2008 Sophos Plc, www.sophos.com
System time 19:44:17, System date 28 July 2008
Command line qualifiers are: -f -remove -nc -nb -dn --stop-scan -idedir=C:\Dokumente und Einstellungen\Gnther Mitterer\Desktop\SDFix\IDE -p=C:\Dokumente und Einstellungen\Gnther Mitterer\Desktop\SDFix\SophosReport.txt
IDE directory is: C:\Dokumente und Einstellungen\Gnther Mitterer\Desktop\SDFix\IDE
1 boot sector swept.
208 files swept in 47 seconds.
No viruses were discovered.
Ending Sophos Anti-Virus.
__________
Das Ultimative Allroundboard http://www.guenther-mitterer.at/index.php

28.07.2008, 19:51
Honorary member
Posts: 29434
#45
Please run the Avenger script above once more - when the log appears after the restart, post it here.
Then download RootkitRevealer - run it + post the report
http://technet.microsoft.com/de-de/sysinternals/bb897445.aspx
__________
Regards, Sabina
all about PC security

Quote:
Something is not right on this computer.... what do you think about restoring a clean backup? You do have one... don't you?
Download mbr.exe to the desktop
Double-click mbr.exe to start the tool
A log is created; post its contents in your reply
http://virus-protect.org/artikel/tools/mbr.html
__________
Regards, Sabina
all about PC security