Log analysis and evaluation: eScan reports spyware in system file
12.07.2005, 22:56 | #1 |
| eScan reports spyware in system file

Here are the posts from HijackThis and eScan:

Logfile of HijackThis v1.99.1
Scan saved at 20:12:18, on 12.07.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
D:\Program Files\NavNT\vptray.exe
C:\Program Files\FRITZ!DSL\Awatch.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\internat.exe
D:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
D:\Program Files\Downloadspeed\DownloadSpeed.exe
D:\Program Files\GMX Programme\GMX Internet Manager\GMX_Internet_Manager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] D:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AWatch] "C:\Program Files\FRITZ!DSL\Awatch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: ppctlcab - h**p://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - h**p://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - h**p://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - h**p://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - h**p://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - h**p://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - h**ps://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - h**ps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22680446-C876-4C3F-93AC-B94B483DF63B}: NameServer = 217.237.150.33 217.237.151.161
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6BD4492-AFA6-4454-B722-A0523A856A53}: NameServer = 192.168.122.252,192.168.122.253
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\NavNT\defwatch.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Here is the log from eScan. I left the default scan options as they were, because I couldn't find a picture with "blue check marks" anywhere.

Tue Jul 12 21:18:01 2005 => **********************************************************
Tue Jul 12 21:18:01 2005 => MicroWorld AntiVirus & Spyware Toolkit Utility.
Tue Jul 12 21:18:01 2005 => Copyright © 2003-2005, MicroWorld Technologies Inc.
Tue Jul 12 21:18:01 2005 => **********************************************************
Tue Jul 12 21:18:01 2005 => Version 6.4.1 (C:\Bases_X\mwavscan.com)
Tue Jul 12 21:18:01 2005 => Log File: C:\Bases_X\MWAV.LOG
Tue Jul 12 21:18:01 2005 => MWAV Registered: FALSE.
Tue Jul 12 21:18:01 2005 => MWAV Mode: Only Scan files.
Tue Jul 12 21:18:01 2005 => Latest Date of files inside MWAV: 12 Jul 2005 21:35:50.
Tue Jul 12 21:18:02 2005 => AV Library Loaded...
Tue Jul 12 21:18:02 2005 => MWAV doing self scanning...
Tue Jul 12 21:18:02 2005 => Scanning File C:\Bases_X\kavss.exe
Tue Jul 12 21:18:03 2005 => Scanning File C:\Bases_X\Getvlist.exe
Tue Jul 12 21:18:03 2005 => Scanning File C:\Bases_X\kavss.dll
Tue Jul 12 21:18:03 2005 => Scanning File C:\Bases_X\kavssdi.dll
Tue Jul 12 21:18:03 2005 => Scanning File C:\Bases_X\kavssi.dll
Tue Jul 12 21:18:03 2005 => Scanning File C:\Bases_X\kavvlg.dll
Tue Jul 12 21:18:03 2005 => Scanning File C:\Bases_X\msvlclnt.dll
Tue Jul 12 21:18:03 2005 => Scanning File C:\Bases_X\ipc.dll
Tue Jul 12 21:18:03 2005 => Scanning File C:\Bases_X\main.avi
Tue Jul 12 21:18:03 2005 => Scanning File C:\Bases_X\virus.avi
Tue Jul 12 21:18:03 2005 => MWAV files are clean.
Tue Jul 12 21:18:25 2005 => Virus Database Date: 2005/07/12
Tue Jul 12 21:18:25 2005 => Virus Database Count: 139247
Tue Jul 12 21:19:19 2005 => **********************************************************
Tue Jul 12 21:19:19 2005 => MicroWorld AntiVirus & Spyware Toolkit Utility.
Tue Jul 12 21:19:19 2005 => Copyright © 2003-2005, MicroWorld Technologies Inc.
Tue Jul 12 21:19:19 2005 =>
Tue Jul 12 21:19:19 2005 => Support: support@mwti.net
Tue Jul 12 21:19:19 2005 => Web: http://www.mwti.net
Tue Jul 12 21:19:19 2005 => **********************************************************
Tue Jul 12 21:19:19 2005 => Version 6.4.1 (C:\Bases_X\mwavscan.com)
Tue Jul 12 21:19:19 2005 => Log File: C:\Bases_X\MWAV.LOG
Tue Jul 12 21:19:19 2005 => User Account: User
Tue Jul 12 21:19:19 2005 => Windows Root Folder: C:\WINNT
Tue Jul 12 21:19:19 2005 => Windows Sys32 Folder: C:\WINNT\system32
Tue Jul 12 21:19:19 2005 => OS: Windows NT
Tue Jul 12 21:19:19 2005 => Latest Date of files inside MWAV: 12 Jul 2005 21:35:50.
Tue Jul 12 21:19:19 2005 => Options Selected by User:
Tue Jul 12 21:19:19 2005 => Memory Check: Enabled
Tue Jul 12 21:19:19 2005 => Registry Check: Enabled
Tue Jul 12 21:19:19 2005 => StartUp Folder Check: Enabled
Tue Jul 12 21:19:19 2005 => System Folder Check: Enabled
Tue Jul 12 21:19:19 2005 => System Area Check: Disabled
Tue Jul 12 21:19:19 2005 => Services Check: Enabled
Tue Jul 12 21:19:19 2005 => Drive Check Option Disabled
Tue Jul 12 21:19:19 2005 => Folder Check: Disabled
Tue Jul 12 21:19:27 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Tue Jul 12 21:19:47 2005 => Offending value found in HKLM\Software\microsoft\downloadmanager !!!
Tue Jul 12 21:20:02 2005 => Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Tue Jul 12 21:20:37 2005 => ***** Scanning Registry for errors created because of Adware/Spyware *****
Tue Jul 12 21:20:45 2005 => Entry "HKCR\CLSID\{00020D05-0000-0000-C000-000000000046}" refers to invalid object "outex.dll". Action Taken: No Action Taken.
Tue Jul 12 21:20:57 2005 => Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
Tue Jul 12 21:20:59 2005 => Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Tue Jul 12 21:21:09 2005 => Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.

What exactly do I have to do now? I'm not very good at manual removal.

Edited by magiccat071 (12.07.2005 at 23:01) |
13.07.2005, 00:36 | #2 | |
Administrator, retired | eScan reports spyware in system file
Quote:
You really didn't find the check marks that were highlighted in color (blue)? Provided this is not a false alarm from eScan, you can remove AltNet as follows -> http://www.spywareremove.com/removeAltnet.html
13.07.2005, 01:58 | #3 |
| eScan reports spyware in system file

I went to the recommended website and followed the instructions there. However, I did not find the listed registry entries on my computer, and the recommended scanner did not find this spyware either. I ran eScan again in safe mode, but it shows the same messages again. The flagged registry entry HKLM\Software\Microsoft\downloadmanager has the value "No Value".

Where else could the problem lie? |
13.07.2005, 12:15 | #4 | |
| eScan reports spyware in system file
Quote:
In any case, the new spyware scanner found nothing, but eScan is still complaining. |