Log analysis and evaluation: Internet Explorer just opens pages
11.10.2005, 21:44 | #1

Hi, I hope you can help me... I've now spent a good 6 hours on this and have run every antivirus tool through, such as Ad-Aware SE Personal, AntiVir, Spyware Doctor and whatever they're all called.... maybe I'm just doing something wrong. As described above, my Internet Explorer opens random pages about every 5 minutes, and now and then a page appears with the following text: ">spyware or adware may be damaging your computer. > if you have downloaded music online or visited adult website, spyware may be running in your computer. spyware may cause slow computer speeds, unwanted pop up ads or personal identity theft. > click 'ok' to scan your PC now."!!! Here is the log from HijackThis:

________________________
Logfile of HijackThis v1.99.1
Scan saved at 22:38:08, on 11.10.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
O:\WINDOWS\System32\smss.exe
O:\WINDOWS\system32\winlogon.exe
O:\WINDOWS\system32\services.exe
O:\WINDOWS\system32\lsass.exe
O:\WINDOWS\system32\svchost.exe
O:\WINDOWS\System32\svchost.exe
O:\WINDOWS\system32\spoolsv.exe
O:\WINDOWS\system32\rundll32.exe
O:\WINDOWS\Explorer.EXE
F:\Programme\The Cleaner\tcm.exe
F:\Programme\The Cleaner\tca.exe
O:\WINDOWS\SOUNDMAN.EXE
O:\WINDOWS\System32\RUNDLL32.EXE
F:\Programme\ICQLite\ICQLite.exe
O:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
F:\Programme\D-Tools\daemon.exe
F:\Programme\AVPersonal\AVGNT.EXE
O:\Programme\Messenger\msmsgs.exe
O:\WINDOWS\System32\ctfmon.exe
I:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O:\Programme\VIA\RAID\raid_tool.exe
F:\Programme\AVPersonal\AVGUARD.EXE
F:\Programme\AVPersonal\AVWUPSRV.EXE
O:\WINDOWS\System32\nvsvc32.exe
F:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
O:\WINDOWS\System32\wuauclt.exe
O:\WINDOWS\System32\wuauclt.exe
O:\Programme\Internet Explorer\iexplore.exe
O:\Dokumente und Einstellungen\Enduro\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - F:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - O:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE O:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [tcmonitor] F:\Programme\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [tcactive] F:\Programme\The Cleaner\tca.exe
O4 - HKLM\..\Run: [SpySweeper] "F:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE O:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ICQ Lite] f:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [EM_EXEC] O:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVGCtrl] F:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [AnyDVD] "F:\Programme\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [MSMSGS] "O:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] O:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] F:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = I:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = O:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: VIA RAID TOOL.lnk = O:\Programme\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://F:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - f:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - f:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {522696DF-119E-49B5-A82E-03667D741489} - f:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {522696DF-119E-49B5-A82E-03667D741489} - f:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124753553499
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124753543014
O20 - Winlogon Notify: URL - O:\WINDOWS\system32\gp68l3ju1.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - F:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - F:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - O:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - O:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - F:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
_____________________

Thanks in advance for your help!!!

Regards, enduro
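A first-pass triage of the HijackThis log format posted above, as an added example (my code, not HijackThis's and not from this board): it splits the log into its `Rn`/`On` entries and flags the `about:blank` search settings and the `O20` Winlogon Notify DLL that a helper would examine first. The random-name heuristic is my own and only says which entries to verify against the file's publisher, not that they are malicious; the sample is a handful of lines copied from the log.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of entries copied from the HijackThis v1.99.1
# log posted above, enough to exercise each rule below.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Scan saved at 22:38:08, on 11.10.2005
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = about:blank
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - O:\\WINDOWS\\System32\\msdxm.ocx
O4 - HKLM\\..\\Run: [AVGCtrl] F:\\Programme\\AVPersonal\\AVGNT.EXE /min
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124753553499
O20 - Winlogon Notify: URL - O:\\WINDOWS\\system32\\gp68l3ju1.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - F:\\Programme\\AVPersonal\\AVGUARD.EXE
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Heuristic of this example, not HijackThis logic: a DLL basename with digits
# interleaved between letters (gp68l3ju1) is what machine-generated names look
# like, while vendor names with a trailing number (crypt32) are left alone.
# Either way the file's publisher still has to be checked by hand.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d[a-z])[a-z0-9]{6,}\.dll$", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str


@dataclass
class Finding:
    section: str
    severity: str   # "review" or "high"
    reason: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Split a HijackThis log into its entries; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply a few review rules and return the entries a helper would look at first."""
    findings: List[Finding] = []
    for e in entries:
        if e.section in ("R0", "R1") and e.body.rstrip().endswith("= about:blank"):
            findings.append(Finding(e.section, "review",
                "IE start/search setting points to about:blank; confirm the user set it", e.body))
        elif e.section == "O20" and e.body.startswith("Winlogon Notify:"):
            # The DLL named here is loaded into winlogon.exe at every logon.
            dll = e.body.rsplit(" - ", 1)[-1]
            basename = dll.rsplit("\\", 1)[-1]
            sev = "high" if RANDOM_NAME_RE.match(basename) else "review"
            findings.append(Finding(e.section, sev,
                "Winlogon Notify DLL runs at every logon; verify publisher and file", e.body))
        elif e.section == "O16":
            # ActiveX downloads: on a first pass only the download host matters.
            host = re.search(r"//([^/]+)/", e.body)
            if host and not host.group(1).lower().endswith("microsoft.com"):
                findings.append(Finding(e.section, "review",
                    "ActiveX control downloaded from a non-Microsoft host", e.body))
        elif e.section == "O23" and "Unknown owner" in e.body:
            findings.append(Finding(e.section, "review",
                "Service binary carries no company name", e.body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.body}")
```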
11.10.2005, 22:22 | #2

Hello Enduro,

download clearprog 1.4.1 final and run a disk clean-up (start the program, tick "Alles Löschen" and click "Löschen"). Also delete the quarantine folder of your AntiVir program. Then scan your system with eScan. Please read carefully first and then scan. Report the result using the "find.bat".

dartus
12.10.2005, 21:37 | #3

The "find.bat" somehow doesn't create the escan.txt.... I'll run another scan tomorrow and hope I can create it then.

Regards, enduro
12.10.2005, 22:03 | #4

I did it quickly after all and searched the log file for infected and tagged:

searched for "infected"
Wed Oct 12 16:45:00 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
Wed Oct 12 16:45:00 2005 => System found infected with cws.loadadv.400 Browser Hijacker ({5e2121ee-0300-11d4-8d3b-444553540000})! Action taken: No Action Taken.
Wed Oct 12 16:45:00 2005 => System found infected with bearshare Spyware/Adware ({905d0df2-3a0a-4d94-853c-54a12a745905})! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\0923gtuj\ads[1].htm
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\0923gtuj\show_ads[2].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\6tajyji1\adswrapper[1].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (adswrapper[1].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\is2um5f7\ads[1].htm
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\kxyzodq3\adsend[1].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\otsx690h\show_ads[2].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\ynsvqd09\adsend[1].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\ynsvqd09\ads[1].htm
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\0923gtuj\ads[1].htm
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\0923gtuj\show_ads[2].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\6tajyji1\adswrapper[1].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (adswrapper[1].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\is2um5f7\ads[1].htm
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\kxyzodq3\adsend[1].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\otsx690h\show_ads[2].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\ynsvqd09\adsend[1].js
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
Wed Oct 12 16:45:03 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\ynsvqd09\ads[1].htm
Wed Oct 12 16:45:03 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
Wed Oct 12 21:04:34 2005 => File J:\Programme\Norton AntiVirus\Quarantine\6F5E2D91.dat infected by "Email-Worm.VBS.LoveLetter" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:04:34 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\50AC71A0.dat
Wed Oct 12 21:04:34 2005 => File J:\Programme\Norton AntiVirus\Quarantine\50AC71A0.dat infected by "Email-Worm.VBS.LoveLetter" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:04:34 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\3C9049BB.dat
Wed Oct 12 21:04:34 2005 => File J:\Programme\Norton AntiVirus\Quarantine\3C9049BB.dat infected by "Email-Worm.Win32.Stator.a" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:04:43 2005 => File J:\Programme\Norton AntiVirus\Quarantine\70602B3D.dat infected by "Email-Worm.VBS.LoveLetter" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:04:59 2005 => File J:\Programme\Norton AntiVirus\Quarantine\42E812A8.dat infected by "Email-Worm.VBS.LoveLetter.bt" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B3D68DE.dat infected by "Email-Worm.VBS.LoveLetter.bk" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B4E3ACC.dat infected by "Email-Worm.VBS.LoveLetter.bt" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B5738C1.dat
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B5738C1.dat infected by "Email-Worm.VBS.generic" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B6136B6.dat
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B6136B6.dat infected by "Email-Worm.VBS.LoveLetter.bt" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B680AAF.dat
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B680AAF.dat infected by "Type_Script" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B6E5EA8.dat
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B6E5EA8.dat infected by "Type_Script" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B7B0699.dat
Wed Oct 12 21:05:00 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B7B0699.dat infected by "Email-Worm.VBS.generic" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:00 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B825A92.dat
Wed Oct 12 21:05:01 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B825A92.dat infected by "Email-Worm.VBS.LoveLetter.bt" Virus! Action Taken: No Action Taken.
Wed Oct 12 21:05:01 2005 => Scanning File J:\Programme\Norton AntiVirus\Quarantine\1B8C5887.dat
Wed Oct 12 21:05:01 2005 => File J:\Programme\Norton AntiVirus\Quarantine\1B8C5887.dat infected by "Email-Worm.VBS.generic" Virus! Action Taken: No Action Taken.

searched for "tagged"
_________________
Wed Oct 12 18:08:53 2005 => File F:\SIERRA\Half-Life\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Wed Oct 12 18:13:35 2005 => File F:\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
Wed Oct 12 20:09:07 2005 => File J:\Downloads\HL CS\HL\HL updates\g(erman)11091110.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Wed Oct 12 20:09:19 2005 => File J:\Downloads\HL CS\HL\HL updates\11091110(US).exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Wed Oct 12 20:10:54 2005 => File J:\Downloads\HL CS\CS\CS updates\cs1005(englisch).exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Wed Oct 12 20:36:01 2005 => File J:\Downloads\Mirc\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
Wed Oct 12 21:14:28 2005 => File J:\Sierra\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.601. No Action Taken.
Wed Oct 12 21:16:24 2005 => File O:\Dokumente und Einstellungen\Enduro\Desktop\BSINSTALLDE.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.z". Action Taken: No Action Taken.
Wed Oct 12 21:49:00 2005 => File O:\WINDOWS\system32\ckyptext.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:49:07 2005 => File O:\WINDOWS\system32\cpbjmon.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:49:07 2005 => File O:\WINDOWS\system32\cuwmdm.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:49:12 2005 => File O:\WINDOWS\system32\dbnput.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:49:22 2005 => File O:\WINDOWS\system32\djrgres.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:53:27 2005 => File O:\WINDOWS\system32\iFspolcy.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:53:31 2005 => File O:\WINDOWS\system32\isrtprio.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:53:41 2005 => File O:\WINDOWS\system32\mjiwave.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:53:56 2005 => File O:\WINDOWS\system32\nhwrsit.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:53:56 2005 => File O:\WINDOWS\system32\nktui1.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:54:19 2005 => File O:\WINDOWS\system32\otethk32.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken
Wed Oct 12 21:54:39 2005 => File O:\WINDOWS\system32\sqripto.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
12.10.2005, 22:05 | #5

Hello Enduro,

you did not empty the quarantine folder of your AntiVir program and you did not run "Clearprog". Please do that! Download Adaware and Spybot S&D. Install and update them. Clean your registry, e.g. with Regseeker. Let Adaware and Spybot scan one after the other and delete all findings. Restart --> System Restore can be re-enabled. New logfile.

dartus

Last edited by dartus (12.10.2005, 22:27)
13.10.2005, 20:51 | #6

Can't manage it today anymore... you'll get the log tomorrow around 17:30.
14.10.2005, 14:33 | #7

OK, I've now also managed it with the find.bat. There are songs among the hits too, but for now I'll leave the log as it was generated:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Oct 14 06:19:24 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
Fri Oct 14 06:19:24 2005 => System found infected with cws.loadadv.400 Browser Hijacker ({5e2121ee-0300-11d4-8d3b-444553540000})! Action taken: No Action Taken.
Fri Oct 14 06:42:23 2005 => Scanning Folder: F:\Programme\AVPersonal\INFECTED\*.*
Fri Oct 14 07:19:13 2005 => Scanning File F:\Programme\Return to Castle Wolfenstein\Main\main\maps\infected.bsp
Fri Oct 14 07:53:38 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 02 - Over My Head.mp3
Fri Oct 14 07:53:38 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 05 - Asshole.mp3
Fri Oct 14 07:53:39 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 06 - Yesterday.Com.mp3
Fri Oct 14 09:13:11 2005 => Scanning File H:\Programme\Shareaza\Downloads\Metadata\Sum 41 - Does This Look Infected - 02 - Over My Head.mp3.xml
Fri Oct 14 09:13:11 2005 => Scanning File H:\Programme\Shareaza\Downloads\Metadata\Sum 41 - Does This Look Infected - 05 - Asshole.mp3.xml
Fri Oct 14 09:13:11 2005 => Scanning File H:\Programme\Shareaza\Downloads\Metadata\Sum 41 - Does This Look Infected - 06 - Yesterday.Com.mp3.xml
Fri Oct 14 09:13:19 2005 => Scanning File H:\Programme\Shareaza\Incomplete\COAU5WOOJJMOIR6VUYLUE3UXDJT6MVTE ALBUM Sum41 - Does This Look Infected .zip.mp3 [**]
Fri Oct 14 09:13:19 2005 => Scanning File H:\Programme\Shareaza\Incomplete\COAU5WOOJJMOIR6VUYLUE3UXDJT6MVTE ALBUM Sum41 - Does This Look Infected .zip.mp3.sd
Fri Oct 14 10:27:07 2005 => Scanning File J:\Downloads\Return to Castle Wolfenstein\Maps\Infected.zip
Fri Oct 14 10:28:38 2005 => Scanning File J:\Downloads\Return to Castle Wolfenstein\Maps\Maps\main\maps\infected.bsp
Fri Oct 14 11:27:07 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Oct 14 07:43:23 2005 => File F:\SIERRA\Half-Life\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Fri Oct 14 07:48:05 2005 => File F:\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
Fri Oct 14 09:42:01 2005 => File J:\Downloads\HL CS\HL\HL updates\g(erman)11091110.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Fri Oct 14 09:42:13 2005 => File J:\Downloads\HL CS\HL\HL updates\11091110(US).exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Fri Oct 14 09:43:47 2005 => File J:\Downloads\HL CS\CS\CS updates\cs1005(englisch).exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Fri Oct 14 10:08:53 2005 => File J:\Downloads\Mirc\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
Fri Oct 14 10:46:18 2005 => File J:\Sierra\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.601. No Action Taken.
Fri Oct 14 10:48:28 2005 => File O:\Dokumente und Einstellungen\Enduro\Desktop\BSINSTALLDE.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.z". Action Taken: No Action Taken.
Fri Oct 14 11:20:51 2005 => File O:\WINDOWS\system32\ckyptext.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:20:58 2005 => File O:\WINDOWS\system32\cpbjmon.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:20:58 2005 => File O:\WINDOWS\system32\cuwmdm.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:21:03 2005 => File O:\WINDOWS\system32\dbnput.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:21:13 2005 => File O:\WINDOWS\system32\djrgres.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:11 2005 => File O:\WINDOWS\system32\dwvx_xx11.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:12 2005 => File O:\WINDOWS\system32\dywsock.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:16 2005 => File O:\WINDOWS\system32\gtu32.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:19 2005 => File O:\WINDOWS\system32\iFspolcy.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:23 2005 => File O:\WINDOWS\system32\isrtprio.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:27 2005 => File O:\WINDOWS\system32\kddfi.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:34 2005 => File O:\WINDOWS\system32\mjiwave.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:49 2005 => File O:\WINDOWS\system32\nhwrsit.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:49 2005 => File O:\WINDOWS\system32\nktui1.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:25:50 2005 => File O:\WINDOWS\system32\nphwvid.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:26:12 2005 => File O:\WINDOWS\system32\otethk32.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:26:32 2005 => File O:\WINDOWS\system32\sqripto.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "offending"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Oct 14 06:19:25 2005 => Offending value found in HKLM\Software\Licenses: {i56b3cf0d9ab991e1} !!!
Fri Oct 14 06:19:25 2005 => Offending value found in HKLM\Software\Licenses: {056b3cf0d9ab991e1} !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fri Oct 14 11:27:07 2005 => Total Virus(es) Found: 29
Fri Oct 14 11:27:07 2005 => Total Errors: 35
Fri Oct 14 11:27:07 2005 => Time Elapsed: 05:03:17
Fri Oct 14 11:27:07 2005 => Total Objects Scanned: 170652
Fri Oct 14 06:18:08 2005 => Virus Database Date: 2005/10/13
Fri Oct 14 11:27:07 2005 => Virus Database Date: 2005/10/13
Fri Oct 14 15:26:29 2005 => Virus Database Date: 2005/10/13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~
14.10.2005, 22:48 | #8

Hello Enduro,

did you let "Adaware" and "Spybot" scan? If not: using the Killbox, delete all findings with the designation --> AdWare.Win32.Look2Me.ab (17) and AdWare.Win32.SaveNow.z (1). Set the option "Delete on Reboot". Copy the respective paths into the Killbox. Confirm each with Ok --> Ok. After the last file --> close the Killbox and restart.

IMPORTANT: Update your system to SP2 and all further security updates as soon as possible!

dartus

Last edited by dartus (14.10.2005, 23:01)
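The triage dartus does by hand in the reply above (counting the Look2Me.ab and SaveNow.z hits in the find.bat output and collecting their paths for the removal tool) as an added Python example; this is my code, not eScan's, find.bat's or the board's. It parses the line format posted in this thread, keeps "Scanning File ..." progress lines (the Sum 41 album whose name contains "Infected") out of the counts, and groups the real findings by detection name; the sample is a handful of constructed lines copied from the posted logs.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the eScan / find.bat line format posted in this thread
# (paths and detection names copied from the posted logs, a few lines of each kind).
SAMPLE = """\
Fri Oct 14 06:19:24 2005 => System found infected with cws.loadadv.400 Browser Hijacker ({5e2121ee-0300-11d4-8d3b-444553540000})! Action taken: No Action Taken.
Fri Oct 14 07:43:23 2005 => File F:\\SIERRA\\Half-Life\\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Fri Oct 14 07:53:38 2005 => Scanning File G:\\sum 41\\Sum 41 - Does This Look Infected - 02 - Over My Head.mp3
Fri Oct 14 10:48:28 2005 => File O:\\Dokumente und Einstellungen\\Enduro\\Desktop\\BSINSTALLDE.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.z". Action Taken: No Action Taken.
Fri Oct 14 11:20:51 2005 => File O:\\WINDOWS\\system32\\ckyptext.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:20:58 2005 => File O:\\WINDOWS\\system32\\cpbjmon.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Fri Oct 14 11:26:32 2005 => File O:\\WINDOWS\\system32\\sqripto.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Wed Oct 12 21:04:34 2005 => File J:\\Programme\\Norton AntiVirus\\Quarantine\\6F5E2D91.dat infected by "Email-Worm.VBS.LoveLetter" Virus! Action Taken: No Action Taken.
Fri Oct 14 06:19:25 2005 => Offending value found in HKLM\\Software\\Licenses: {i56b3cf0d9ab991e1} !!!
"""

# Every line starts with a ctime-style timestamp followed by " => ".
LINE_RE = re.compile(r"^(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) => (?P<msg>.*)$")

# One pattern per kind of result line. "Scanning File ..." progress lines match
# none of them, so a file whose *name* contains "infected" never counts as a hit.
# Tagged names appear both bare (…Hltv. No Action) and quoted ("…Look2Me.ab".).
KIND_RES = [
    ("tagged",    re.compile(r'^File (?P<target>.+?) tagged as "?(?P<name>[^"\s]+?)"?\.?\s')),
    ("infected",  re.compile(r'^File (?P<target>.+?) infected by "(?P<name>[^"]+)" Virus!')),
    ("infected",  re.compile(r'^System found infected with (?P<name>.+?) \((?P<target>.+?)\)!')),
    ("offending", re.compile(r'^Offending (?P<name>file|value) found(?: in|:) ?(?P<target>.+?)(?: !!!)?$')),
]


@dataclass
class Finding:
    when: str
    kind: str     # tagged / infected / offending
    name: str     # detection name exactly as the scanner printed it
    target: str   # file path, registry value or object id


def parse_line(line: str) -> Optional[Finding]:
    """Classify one log line; returns None for progress output and unknown lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    for kind, rx in KIND_RES:
        k = rx.match(msg)
        if k:
            name = k.group("name")
            if kind == "offending":
                name = f"offending {name}"   # "offending file" / "offending value"
            return Finding(m.group("when"), kind, name, k.group("target"))
    return None


def parse_log(text: str) -> List[Finding]:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def count_by_name(findings: List[Finding]) -> Dict[str, int]:
    """The per-detection totals a helper quotes back, e.g. Look2Me.ab (n)."""
    return dict(Counter(f.name for f in findings))


def targets_for(findings: List[Finding], name: str) -> List[str]:
    """Targets of one detection name in log order: the list to hand to a removal tool."""
    return [f.target for f in findings if f.name == name]


if __name__ == "__main__":
    found = parse_log(SAMPLE)
    for name, n in sorted(count_by_name(found).items()):
        print(f"{n:3}  {name}")
    for path in targets_for(found, "not-a-virus:AdWare.Win32.Look2Me.ab"):
        print("     ", path)
```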
15.10.2005, 15:46 | #9

Yes, I did... spybot finds nothing, and every adaware scan finds the same 3 viruses each time, even though I quarantine them every time and delete them afterwards:

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : enduro@partners.webmasterplan[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:enduro@partners.webmasterplan.com/
Expires : 14.10.2015
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : enduro@2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:enduro@2o7.net/
Expires : 14.10.2010 16:20:14
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : enduro@tradedoubler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:enduro@tradedoubler.com/
Expires : 09.10.2025 16:02:54
LastSync : Hits:3
UseCount : 0
Hits : 3

PS: with service pack 2 a whole bunch of my stuff on the computer doesn't work anymore, and in general I don't think much of this update...

Last edited by Enduro (15.10.2005, 15:52)
15.10.2005, 22:40 | #10

Hello Enduro,

what Adaware reports are cookies from "third parties". Open IExplorer --> Tools --> Internet Options --> Privacy --> Advanced --> block third-party cookies --> ok. In future, use a secure browser for surfing.

You must truly be using very special programs that do not run under SP 2. IMHO it is absolutely advisable to install SP 2.

dartus
16.10.2005, 14:07 | #11

I downloaded mozilla and pages still just keep opening... I also had the cookies blocked as described below, and unfortunately there is still no improvement in sight. mozilla now always asks me whether I want to allow a cookie from the sites www.ad-w-a-r-e.com/ad.yieldmanager.com/www212.paypopup.com/click.jamba.de/partners.webmasterplan.com/www.jamba.de/6.192.130.141/c.azjmp.com/us.dadamobile.com etc.... and afterwards the pages in question keep opening on their own (if allowed), and now and then some without confirmation....

Regards, enduro
16.10.2005, 14:12 | #12

Hello,

delete the file C:\bases_x\mwav.log. Scan again with eScan. Post a Silentrunners logfile together with the eScan results.
16.10.2005, 23:30 | #13

OK, done. I'll give you the eScan log first and then the other one:

eScan
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Oct 16 17:30:10 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
Sun Oct 16 17:30:10 2005 => System found infected with cws.loadadv.400 Browser Hijacker ({5e2121ee-0300-11d4-8d3b-444553540000})! Action taken: No Action Taken.
Sun Oct 16 17:30:15 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
Sun Oct 16 17:30:15 2005 => System found infected with whenu.savenow Spyware/Adware (adswrapper[1].js)! Action taken: No Action Taken.
Sun Oct 16 17:30:15 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Sun Oct 16 17:30:15 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
Sun Oct 16 17:30:15 2005 => System found infected with whenu.savenow Spyware/Adware (adswrapper[1].js)! Action taken: No Action Taken.
Sun Oct 16 17:30:15 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
Sun Oct 16 17:53:23 2005 => Scanning Folder: F:\Programme\AVPersonal\INFECTED\*.*
Sun Oct 16 18:29:33 2005 => Scanning File F:\Programme\Return to Castle Wolfenstein\Main\main\maps\infected.bsp
Sun Oct 16 19:04:24 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 02 - Over My Head.mp3
Sun Oct 16 19:04:24 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 05 - Asshole.mp3
Sun Oct 16 19:04:24 2005 => Scanning File G:\sum 41\Sum 41 - Does This Look Infected - 06 - Yesterday.Com.mp3
Sun Oct 16 20:24:52 2005 => Scanning File H:\Programme\Shareaza\Downloads\Metadata\Sum 41 - Does This Look Infected - 02 - Over My Head.mp3.xml
Sun Oct 16 20:24:52 2005 => Scanning File H:\Programme\Shareaza\Downloads\Metadata\Sum 41 - Does This Look Infected - 05 - Asshole.mp3.xml
Sun Oct 16 20:24:52 2005 => Scanning File H:\Programme\Shareaza\Downloads\Metadata\Sum 41 - Does This Look Infected - 06 - Yesterday.Com.mp3.xml
Sun Oct 16 20:25:00 2005 => Scanning File H:\Programme\Shareaza\Incomplete\COAU5WOOJJMOIR6VUYLUE3UXDJT6MVTE ALBUM Sum41 - Does This Look Infected .zip.mp3 [**]
Sun Oct 16 20:25:00 2005 => Scanning File H:\Programme\Shareaza\Incomplete\COAU5WOOJJMOIR6VUYLUE3UXDJT6MVTE ALBUM Sum41 - Does This Look Infected .zip.mp3.sd
Sun Oct 16 21:38:46 2005 => Scanning File J:\Downloads\Return to Castle Wolfenstein\Maps\Infected.zip
Sun Oct 16 21:40:17 2005 => Scanning File J:\Downloads\Return to Castle Wolfenstein\Maps\Maps\main\maps\infected.bsp
Sun Oct 16 22:39:05 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Oct 16 18:54:08 2005 => File F:\SIERRA\Half-Life\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Sun Oct 16 18:58:50 2005 => File F:\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
Sun Oct 16 20:53:44 2005 => File J:\Downloads\HL CS\HL\HL updates\g(erman)11091110.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Sun Oct 16 20:53:56 2005 => File J:\Downloads\HL CS\HL\HL updates\11091110(US).exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Sun Oct 16 20:55:30 2005 => File J:\Downloads\HL CS\CS\CS updates\cs1005(englisch).exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
Sun Oct 16 21:20:35 2005 => File J:\Downloads\Mirc\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
Sun Oct 16 21:57:55 2005 => File J:\Sierra\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.601. No Action Taken.
Sun Oct 16 22:00:11 2005 => File O:\Dokumente und Einstellungen\Enduro\Desktop\BSINSTALLDE.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.z". Action Taken: No Action Taken.
Sun Oct 16 22:32:49 2005 => File O:\WINDOWS\system32\ckyptext.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:32:55 2005 => File O:\WINDOWS\system32\cpbjmon.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:32:56 2005 => File O:\WINDOWS\system32\cuwmdm.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:33:01 2005 => File O:\WINDOWS\system32\dbnput.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:33:11 2005 => File O:\WINDOWS\system32\djrgres.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:08 2005 => File O:\WINDOWS\system32\dwvx_xx11.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:09 2005 => File O:\WINDOWS\system32\dywsock.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:13 2005 => File O:\WINDOWS\system32\gtu32.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:17 2005 => File O:\WINDOWS\system32\iFspolcy.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:21 2005 => File O:\WINDOWS\system32\isrtprio.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:25 2005 => File O:\WINDOWS\system32\kddfi.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:31 2005 => File O:\WINDOWS\system32\mjiwave.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:32 2005 => File O:\WINDOWS\system32\mnvcr71.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:46 2005 => File O:\WINDOWS\system32\nhwrsit.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:46 2005 => File O:\WINDOWS\system32\nktui1.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:37:47 2005 => File O:\WINDOWS\system32\nphwvid.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:38:09 2005 => File O:\WINDOWS\system32\otethk32.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
Sun Oct 16 22:38:30 2005 => File O:\WINDOWS\system32\sqripto.dll tagged as "not-a-virus:AdWare.Win32.Look2Me.ab". Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "offending"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sun Oct 16 17:30:12 2005 => Offending value found in HKLM\Software\Licenses: {i56b3cf0d9ab991e1} !!!
Sun Oct 16 17:30:12 2005 => Offending value found in HKLM\Software\Licenses: {056b3cf0d9ab991e1} !!!
Sun Oct 16 17:30:15 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\8967wden\adsend[1].js Sun Oct 16 17:30:15 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\khmv4bc7\adswrapper[1].js Sun Oct 16 17:30:15 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\temporary internet files\content.ie5\yt2nyxkt\show_ads[2].js Sun Oct 16 17:30:15 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\8967wden\adsend[1].js Sun Oct 16 17:30:15 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\khmv4bc7\adswrapper[1].js Sun Oct 16 17:30:15 2005 => Offending file found: O:\Dokumente und Einstellungen\Enduro\Lokale Einstellungen\Temporary Internet Files\content.ie5\yt2nyxkt\show_ads[2].js ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Statistiken: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Sun Oct 16 22:39:05 2005 => Total Virus(es) Found: 36 Sun Oct 16 22:39:05 2005 => Total Errors: 35 Sun Oct 16 22:39:05 2005 => Time Elapsed: 05:04:47 Sun Oct 16 22:39:05 2005 => Total Objects Scanned: 171544 Sun Oct 16 22:39:05 2005 => Virus Database Date: 2005/10/13 Mon Oct 17 00:21:15 2005 => Virus Database Date: 2005/10/13 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ © Haui ;-) ~~~~~~~ ~~~~~~~ Dank an Cidre ~~~~~~~ ________________________________________________________________ silentrunners: "Silent Runners.vbs", revision 41, h**p://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Steam" = (empty string) "MSMSGS" = 
""O:\Programme\Messenger\msmsgs.exe" /background" [MS] "CTFMON.EXE" = "O:\WINDOWS\System32\ctfmon.exe" [MS] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} "ICQ Lite" = "F:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "NvCplDaemon" = "RUNDLL32.EXE O:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS] "tcmonitor" = "F:\Programme\The Cleaner\tcm.exe" ["MooSoft Development"] "tcactive" = "F:\Programme\The Cleaner\tca.exe" ["MooSoft Development"] "SpySweeper" = ""F:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."] "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."] "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] "NvMediaCenter" = "RUNDLL32.EXE O:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS] "ICQ Lite" = "f:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."] "EM_EXEC" = "O:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "] "DAEMON Tools-1033" = ""F:\Programme\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"] "AVGCtrl" = "F:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"] "AnyDVD" = ""F:\Programme\SlySoft\AnyDVD\AnyDVD.exe"" ["SlySoft, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop 
Explorer" -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension" -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQLite\ICQLiteShell.dll" [empty string] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\Audiodev.dll" [MS] "{36533DA5-8FB6-4D67-BAA9-7DD407FE32D5}" = (no title provided) -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\system32\vbmdbg.dll" [null data] "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration" -> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! 
policies\DLLName = "O:\WINDOWS\system32\jt0q07d5e.dll" [null data] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}" -> {CLSID}\InProcServer32\(Default) = "F:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"] ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQLite\ICQLiteShell.dll" [empty string] TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}" -> {CLSID}\InProcServer32\(Default) = "F:\Programme\The Cleaner\tcshellex.dll" ["MooSoft Development"] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQLite\ICQLiteShell.dll" [empty string] TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}" -> {CLSID}\InProcServer32\(Default) = "F:\Programme\The Cleaner\tcshellex.dll" ["MooSoft Development"] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}" -> {CLSID}\InProcServer32\(Default) = "F:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"] SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" -> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."] TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}" -> {CLSID}\InProcServer32\(Default) = "F:\Programme\The Cleaner\tcshellex.dll" ["MooSoft Development"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "O:\WINDOWS\web\wallpaper\Grüne Idylle.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "O:\WINDOWS\System32\logon.scr" [MS] Startup items in "Enduro" & "All Users" startup 
folders: -------------------------------------------------------- O:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart "Adobe Reader - Schnellstart" -> shortcut to: "I:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"] "Logitech Desktop Messenger" -> shortcut to: "O:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" [empty string] "VIA RAID TOOL" -> shortcut to: "O:\Programme\VIA\RAID\raid_tool.exe" ["VIA Technologies"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."] Extensions (Tools menu items, main toolbar menu buttons) HKCU\Software\Microsoft\Internet Explorer\Extensions\ {522696DF-119E-49B5-A82E-03667D741489}\ "ButtonText" = "Klicke hier um das Projekt xp-AntiSpy zu unterstützen" "MenuText" = "Unterstützung für xp-AntiSpy" "Exec" = 
"f:\Programme\xp-AntiSpy\sponsoring\sponsor.html" [null data] HKLM\Software\Microsoft\Internet Explorer\Extensions\ {2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\ "ButtonText" = "Spyware Doctor" "CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}" -> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."] {B863453A-26C3-4E1F-A54D-A2CD196348E9}\ "ButtonText" = "ICQ Lite" "MenuText" = "ICQ Lite" "Exec" = "f:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ Missing lines (compared with English-language version): "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir Service, AntiVirService, "F:\Programme\AVPersonal\AVGUARD.EXE" ["H+BEDV Datentechnik GmbH"] AntiVir Update, AVWUpSrv, ""F:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"] NVIDIA Display Driver Service, NVSvc, "O:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"] Webroot Spy Sweeper Engine, svcWRSSSDK, "F:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."] Windows User Mode Driver Framework, UMWdf, "O:\WINDOWS\System32\wdfmgr.exe" [MS] Keyboard Driver Filters: ------------------------ HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\ "UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. 
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 31 seconds, including 6 seconds for message boxes) |
16.10.2005, 23:56 | #14 | |||
| Internet Explorer simply opens pages Download ClearProg. Start the PC in Safe Mode and delete all temp files of Windows and of Internet Explorer with ClearProg. Delete these files, e.g. with Killbox (I have highlighted one of them for you so you know what I mean) Quote:
O:\WINDOWS\system32\vbmdbg.dll O:\WINDOWS\system32\jt0q07d5e.dll (This file has a different name after the reboot. If you create a new Silent Runners log, it will nevertheless be in the same place, e.g. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! policies\DLLName = "O:\WINDOWS\system32\sjd73487df.dll" [null data]. Alternatively it also shows up as an O20 entry in HjT.) Also fix the randomly created O20 entry in HjT. Navigate in the registry (Start -> Run -> regedit -> [Enter]) to the key Quote:
Quote:
Reboot. Post a new Silent Runners log and the ewido results. |
17.10.2005, 12:00 | #15 |
| Internet Explorer simply opens pages First, the Silent Runners log:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = (empty string)
"MSMSGS" = ""O:\Programme\Messenger\msmsgs.exe" /background" [MS]
"CTFMON.EXE" = "O:\WINDOWS\System32\ctfmon.exe" [MS]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "F:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE O:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"tcmonitor" = "F:\Programme\The Cleaner\tcm.exe" ["MooSoft Development"]
"tcactive" = "F:\Programme\The Cleaner\tca.exe" ["MooSoft Development"]
"SpySweeper" = ""F:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE O:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"ICQ Lite" = "f:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"EM_EXEC" = "O:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
"DAEMON Tools-1033" = ""F:\Programme\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"AVGCtrl" = "F:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]
"AnyDVD" = ""F:\Programme\SlySoft\AnyDVD\AnyDVD.exe"" ["SlySoft, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\System32\Audiodev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
  -> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{36533DA5-8FB6-4D67-BAA9-7DD407FE32D5}" = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "O:\WINDOWS\system32\dpmsadsn.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! ModuleUsage\DLLName = "O:\WINDOWS\system32\fpj4031qe.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ewido\security suite\context.dll" ["ewido networks"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TheCleaner\(Default) = "{2DE506B9-4320-11d3-8E42-002035221EDA}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\The Cleaner\tcshellex.dll" ["MooSoft Development"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ewido\security suite\context.dll" ["ewido networks"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\The Cleaner\tcshellex.dll" ["MooSoft Development"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
  -> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
TheCleaner\(Default) = "{2DE506B9-4320-11D3-8E42-002035221EDA}"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\The Cleaner\tcshellex.dll" ["MooSoft Development"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "O:\WINDOWS\web\wallpaper\Grüne Idylle.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "O:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Enduro" & "All Users" startup folders:
--------------------------------------------------------

O:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "I:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Logitech Desktop Messenger" -> shortcut to: "O:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" [empty string]
"VIA RAID TOOL" -> shortcut to: "O:\Programme\VIA\RAID\raid_tool.exe" ["VIA Technologies"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{522696DF-119E-49B5-A82E-03667D741489}\
"ButtonText" = "Klicke hier um das Projekt xp-AntiSpy zu unterstützen"
"MenuText" = "Unterstützung für xp-AntiSpy"
"Exec" = "f:\Programme\xp-AntiSpy\sponsoring\sponsor.html" [null data]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
  -> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "f:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{855F3B16-6D32-4fe6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, "F:\Programme\AVPersonal\AVGUARD.EXE" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""F:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
ewido security suite control, ewido security suite control, "F:\Programme\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "F:\Programme\ewido\security suite\ewidoguard.exe" ["ewido networks"]
NVIDIA Display Driver Service, NVSvc, "O:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Webroot Spy Sweeper Engine, svcWRSSSDK, "F:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "O:\WINDOWS\System32\wdfmgr.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 25 seconds, including 3 seconds for message boxes)

_____________________________________________________________________________________________

ewido log:

---------------------------------------------------------
 ewido security suite - Scan Report
---------------------------------------------------------

 + Erstellt am: 12:11:02, 17.10.2005
 + Report-Checksumme: 69C9A351

 + Scanergebnis:

    O:\WINDOWS\SoftwareDistribution\Download\7cd8322ddb034116adc611f13235be423cf05661/mrt.exe -> Heuristic.Win32.AVKiller : Gesäubert mit Backup
    O:\WINDOWS\SoftwareDistribution\Download\7cd8322ddb034116adc611f13235be423cf05661/mrt.exe -> Heuristic.Win32.AVKiller : Gesäubert mit Backup
    [676] O:\WINDOWS\system32\lhrhelp.dll -> Spyware.Look2Me : Fehler beim Säubern
    [1436] O:\WINDOWS\system32\lhrhelp.dll -> Spyware.Look2Me : Fehler beim Säubern
    C:\WINDOWS\Cookies\stephen@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Gesäubert mit Backup
    C:\Program Files\SpySheriff\Uninstall.exe -> Adware.SpySheriff : Gesäubert mit Backup
    O:\!KillBox\ckyptext.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\cpbjmon.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\cuwmdm.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\dbnput.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\djrgres.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\dwvx_xx11.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\dywsock.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\gtu32.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\iFspolcy.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\isrtprio.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\kddfi.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\mjiwave.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\mnvcr71.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\nhwrsit.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\nktui1.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\nphwvid.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\otethk32.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\sqripto.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\!KillBox\vbmdbg.dll -> Spyware.Look2Me : Gesäubert mit Backup
    O:\WINDOWS\system32\whadefui.dll -> Spyware.Look2Me : Gesäubert mit Backup


::Report Ende

The file that keeps regenerating itself, "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! ModuleUsage\DLLName = "O:\WINDOWS\system32\fpj4031qe.dll" [null data]", unfortunately cannot be deleted, neither with HijackThis nor with Killbox.... and ewido also fails at it... |
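As an added example (not code from the thread or from the Silent Runners project), here is a small Python parser that pulls the `INFECTION WARNING!` entries out of a Silent Runners log, separates the ones whose binary carries no company name from vendor-tagged ones, and compares two runs to surface the Winlogon\Notify DLL that is renamed between reboots, as the helper described and the two logs in this thread show (jt0q07d5e.dll, then fpj4031qe.dll). The log excerpts are constructed from the entries above and trimmed to what the parser needs; the function and regex names are my own.

```python
"""Triage INFECTION WARNING! entries from Silent Runners logs and diff two runs."""
import re
from dataclasses import dataclass

# Constructed excerpts in the Silent Runners format (not full logs). They carry the
# keys and DLL names the thread's two logs show before and after the reboot.
LOG_BEFORE = r'''
"Silent Runners.vbs", revision 41
Output limited to non-default values, except where indicated by "{++}"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! policies\DLLName = "O:\WINDOWS\system32\jt0q07d5e.dll" [null data]

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech"]
'''

LOG_AFTER = r'''
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "F:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! ModuleUsage\DLLName = "O:\WINDOWS\system32\fpj4031qe.dll" [null data]

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech"]
'''

NOTIFY_KEY = "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"


@dataclass(frozen=True)
class Finding:
    key: str         # registry key the entry lives under
    value: str       # value or subkey name (e.g. policies\DLLName)
    target: str      # file or object the entry loads
    annotation: str  # Silent Runners' bracketed company-name field

    @property
    def has_company_name(self) -> bool:
        # Silent Runners prints the binary's CompanyName in brackets; [null data],
        # [empty string] and [file not found] mean there is nothing to vouch for it.
        return self.annotation not in ("", "[null data]", "[empty string]", "[file not found]")


# A key line ends in a backslash, optionally followed by the "{++}" marker.
KEY_RE = re.compile(r'^(HK(?:LM|CU)\\.*\\)(?:\s*\{\+\+\})?\s*$')
# Form 1: INFECTION WARNING! <value> = "<target>" [company]
LEAD_RE = re.compile(r'^INFECTION WARNING!\s+"?(?P<value>[^"=]+?)"?\s*=\s*"(?P<target>[^"]*)"\s*(?P<ann>\[.*\])?\s*$')
# Form 2: "<value>" = INFECTION WARNING! "<target>" [company]
TRAIL_RE = re.compile(r'^"(?P<value>[^"]+)"\s*=\s*INFECTION WARNING!\s*"(?P<target>[^"]*)"\s*(?P<ann>\[.*\])?\s*$')
# CLSID entries put the real DLL on a "->" continuation line.
ARROW_RE = re.compile(r'^\s*->\s*\{CLSID\}\\InProcServer32\\\(Default\)\s*=\s*"(?P<target>[^"]*)"\s*(?P<ann>\[.*\])?\s*$')


def parse_infection_warnings(log: str) -> list[Finding]:
    """Return every INFECTION WARNING! entry with the key it sits under."""
    findings: list[Finding] = []
    current_key = ""
    lines = log.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        key = KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        m = LEAD_RE.match(line) or TRAIL_RE.match(line)
        if not m:
            continue
        target, ann = m.group("target"), m.group("ann") or ""
        if i < len(lines):
            arrow = ARROW_RE.match(lines[i])
            if arrow:  # take the DLL path and company name from the continuation
                target, ann = arrow.group("target"), arrow.group("ann") or ""
                i += 1
        findings.append(Finding(current_key, m.group("value"), target, ann))
    return findings


def needs_review(findings: list[Finding]) -> list[Finding]:
    """Warnings whose binary carries no company name: the ones worth a closer look.
    The marker itself only says the launch point is sensitive (ewido and the Logitech
    keyboard filter trip it too), so the annotation is what separates the cases."""
    return [f for f in findings if not f.has_company_name]


def rotating_dlls(before: list[Finding], after: list[Finding]) -> list[tuple[str, str, str]]:
    """(key, old_target, new_target) where the same launch point loads a different
    unnamed file in the later run, i.e. the rename-on-reboot seen under Winlogon\\Notify."""
    old_by_key: dict[str, set[str]] = {}
    for f in needs_review(before):
        old_by_key.setdefault(f.key, set()).add(f.target)
    rotated = []
    for f in needs_review(after):
        for old in sorted(old_by_key.get(f.key, ())):
            if old != f.target:
                rotated.append((f.key, old, f.target))
    return rotated


if __name__ == "__main__":
    before, after = parse_infection_warnings(LOG_BEFORE), parse_infection_warnings(LOG_AFTER)
    for f in needs_review(after):
        print(f"review: {f.key}{f.value} -> {f.target} {f.annotation}")
    for key, old, new in rotating_dlls(before, after):
        print(f"renamed between runs under {key}: {old} -> {new}")
```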