Zurück   Trojaner-Board > Malware entfernen > Log-Analyse und Auswertung
Probleme mit RazeSpyware

Probleme mit RazeSpyware


Log-Analyse und Auswertung: Probleme mit RazeSpyware

Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML.

Antwort
Seite 2 von 2 1 2
Alt 06.08.2006, 22:09   #16
Wildone
 
Probleme mit RazeSpyware - Standard

Probleme mit RazeSpyware


Hallo,
standen bei Panda die Pfade der jeweiligen Funde nicht dabei?

Wie ist dasd eigentlich jetzt, wenn du die O17 Einträge fixt, kommen sie dann immernoch zurück?


Grüße Wildone

Alt 07.08.2006, 03:53   #17
stringx1
 
Probleme mit RazeSpyware - Standard

Probleme mit RazeSpyware


Hallo Wildone,

Hier die Pfade von der Pandaauswertung:

C:\Dokumente und Einstellungen\User1\Cookie
C:\Dokumente und Einstellungen\User1\Cookie
C:\Dokumente und Einstellungen\User1\Cookie
C:\WINDOWS\balloon.wav
C:\WINDOWS\Bilder.exe
C:\WINDOWS\rdt.ini

Und zu zweitens:

im abgesicherten Modus sind die O17-Einträge nicht mehr vorhanden, aber wenn ich im normalen Modus HijackThis starte, sind sie noch vorhanden.

LG
stringx1
__________________
Alt 07.08.2006, 09:11   #18
Wildone
 
Probleme mit RazeSpyware - Standard

Probleme mit RazeSpyware


Hallo,
fixe sie mal im normalen Modus, sind sie nach einem Neustart wieder da?
das kannst du gleich mal löschen:
C:\WINDOWS\balloon.wav
C:\WINDOWS\Bilder.exe
C:\WINDOWS\rdt.ini

poste außerdem mal ein Log von Silentrunners.



Grüße Wildone
__________________
Alt 07.08.2006, 13:44   #19
stringx1
 
Probleme mit RazeSpyware - Standard

Probleme mit RazeSpyware


Habe nochmal im normalmodus gefixt.
Leider sind die O17- Einträge nach dem Neustart immernoch da.

hier die Auswertung von silentrunners:


"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"TPP Auto Loader" = "C:\WINDOWS\tppaldr.exe" ["Cypress Semiconductor"]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["Marmiko IT-Solutions GmbH"]
"rxrfv.exe" = "C:\WINDOWS\system32\rxrfv.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"
-> {HKLM...CLSID} = "Corel Media Folder Root Menu Handler"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"
-> {HKLM...CLSID} = "Folder To Corel Media Folder Menu Handler"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {HKLM...CLSID} = "Corel Media Folder"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {HKLM...CLSID} = "Corel Media Folder"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"
-> {HKLM...CLSID} = "Corel Media Find Folder"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"
-> {HKLM...CLSID} = "Corel Media Folder Copy Hook Handler"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}" = "IconFactTemp.NSIconHandlerFactory"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{A2AC368A-F883-11D0-B745-00A0C90646A4}" = "NSFiltManDll.FiltManCom"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}" = "*i" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFnd80.dll" ["Corel Corporation"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csixk.exe" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
VersionsMenu\(Default) = "{03170921-4754-11cf-AB9A-00C0F00683EB}"
-> {HKLM...CLSID} = "Corel Versions"
\InProcServer32\(Default) = "C:\COREL\Versions\CVersion.dll" ["Corel Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
FolderToCorelMediaFolder\(Default) = "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"
-> {HKLM...CLSID} = "Folder To Corel Media Folder Menu Handler"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
VersionsMenu\(Default) = "{03170921-4754-11cf-AB9A-00C0F00683EB}"
-> {HKLM...CLSID} = "Corel Versions"
\InProcServer32\(Default) = "C:\COREL\Versions\CVersion.dll" ["Corel Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\User 1\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "User 1" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Corel MEDIA FOLDERS INDEXER 8" -> shortcut to: "C:\Corel\Graphics8\Programs\MFIndexer.exe " ["Corel Corporation"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Programme\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 53 seconds, including 9 seconds for message boxes)


Wenn alles nicht mehr geht, muß ich den Rechner halt neu aufsetzen.

Alt 07.08.2006, 17:44   #20
Wildone
 
Probleme mit RazeSpyware - Standard

Probleme mit RazeSpyware


Hallo,
lösche folgende Dateien mit killbox mit der Option "delete on reboot":
C:\WINDOWS\system32\rxrfv.exe
C:\WINDOWS\system32\csixk.exe (falls vorhanden)

danach postest du ein neues Log von Silentrunners.


Grüße Wildone


Alt 07.08.2006, 19:15   #21
stringx1
 
Probleme mit RazeSpyware - Standard

Probleme mit RazeSpyware


Hallo Wildone,

Die rxrfv.exe existiert nicht mehr. Andessen Stelle steht jetzt die "C:\WINDOWS\system32\afmll.exe".
Die "System" = "csixk.exe" ist nicht auffindbar

Auswertung:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"TPP Auto Loader" = "C:\WINDOWS\tppaldr.exe" ["Cypress Semiconductor"]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["Marmiko IT-Solutions GmbH"]
"afmll.exe" = "C:\WINDOWS\system32\afmll.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"
-> {HKLM...CLSID} = "Corel Media Folder Root Menu Handler"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"
-> {HKLM...CLSID} = "Folder To Corel Media Folder Menu Handler"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {HKLM...CLSID} = "Corel Media Folder"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {HKLM...CLSID} = "Corel Media Folder"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"
-> {HKLM...CLSID} = "Corel Media Find Folder"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"
-> {HKLM...CLSID} = "Corel Media Folder Copy Hook Handler"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}" = "IconFactTemp.NSIconHandlerFactory"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{A2AC368A-F883-11D0-B745-00A0C90646A4}" = "NSFiltManDll.FiltManCom"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}" = "*Z" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFnd80.dll" ["Corel Corporation"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csixk.exe" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
VersionsMenu\(Default) = "{03170921-4754-11cf-AB9A-00C0F00683EB}"
-> {HKLM...CLSID} = "Corel Versions"
\InProcServer32\(Default) = "C:\COREL\Versions\CVersion.dll" ["Corel Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
FolderToCorelMediaFolder\(Default) = "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"
-> {HKLM...CLSID} = "Folder To Corel Media Folder Menu Handler"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
VersionsMenu\(Default) = "{03170921-4754-11cf-AB9A-00C0F00683EB}"
-> {HKLM...CLSID} = "Corel Versions"
\InProcServer32\(Default) = "C:\COREL\Versions\CVersion.dll" ["Corel Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\User 1\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "User 1" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Corel MEDIA FOLDERS INDEXER 8" -> shortcut to: "C:\Corel\Graphics8\Programs\MFIndexer.exe " ["Corel Corporation"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Programme\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 46 seconds, including 4 seconds for message boxes)


LG
stringx1

Alt 07.08.2006, 19:28   #22
Wildone
 
Probleme mit RazeSpyware - Standard

Probleme mit RazeSpyware


Hallo,
existiert sie nicht mehr weil du sie gelöscht hast? Wenn nicht dann löschst du halt die
C:\WINDOWS\system32\afmll.exe
mit killbox mit der Option delete on reboot.


Grüße Wildone

Alt 07.08.2006, 21:15   #23
stringx1
 
Probleme mit RazeSpyware - Standard

Probleme mit RazeSpyware


Hi,

Die Datei hatte sich wieder geändert in "C:\WINDOWS\system32\xskln.exe. Habe diese mit delete on reboot gelöscht und danach mit silent runners gescannt. In der Auswertung steht sie noch drin, aber als ich die sys32 durchgesehen habe, war sie nicht mehr vorhanden.

Hier der scan nach dem löschen der Datei:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"TPP Auto Loader" = "C:\WINDOWS\tppaldr.exe" ["Cypress Semiconductor"]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["Marmiko IT-Solutions GmbH"]
"xskln.exe" = "C:\WINDOWS\system32\xskln.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"
-> {HKLM...CLSID} = "Corel Media Folder Root Menu Handler"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"
-> {HKLM...CLSID} = "Folder To Corel Media Folder Menu Handler"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {HKLM...CLSID} = "Corel Media Folder"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {HKLM...CLSID} = "Corel Media Folder"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"
-> {HKLM...CLSID} = "Corel Media Find Folder"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"
-> {HKLM...CLSID} = "Corel Media Folder Copy Hook Handler"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}" = "IconFactTemp.NSIconHandlerFactory"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{A2AC368A-F883-11D0-B745-00A0C90646A4}" = "NSFiltManDll.FiltManCom"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}" = "*a" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFnd80.dll" ["Corel Corporation"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csixk.exe" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
VersionsMenu\(Default) = "{03170921-4754-11cf-AB9A-00C0F00683EB}"
-> {HKLM...CLSID} = "Corel Versions"
\InProcServer32\(Default) = "C:\COREL\Versions\CVersion.dll" ["Corel Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
FolderToCorelMediaFolder\(Default) = "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"
-> {HKLM...CLSID} = "Folder To Corel Media Folder Menu Handler"
\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
VersionsMenu\(Default) = "{03170921-4754-11cf-AB9A-00C0F00683EB}"
-> {HKLM...CLSID} = "Corel Versions"
\InProcServer32\(Default) = "C:\COREL\Versions\CVersion.dll" ["Corel Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\User 1\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "User 1" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Corel MEDIA FOLDERS INDEXER 8" -> shortcut to: "C:\Corel\Graphics8\Programs\MFIndexer.exe " ["Corel Corporation"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Programme\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 41 seconds, including 4 seconds for message boxes)


LG
und vielen lieben Dank für die Hilfe

Alt 07.08.2006, 22:00   #24
Wildone
 
Probleme mit RazeSpyware - Standard

Probleme mit RazeSpyware


Hallo,
was ich immer wissen muss, hat sich die Datei nach dem löschen wieder hergestellt, oder einfach nach einem Neustart. Versuche hjetzt mal die O17 Einträge zu fixen, kommen sie nun wieder?


Grüße Wildone

Alt 08.08.2006, 07:29   #25
stringx1
 
Probleme mit RazeSpyware - Standard

Probleme mit RazeSpyware


Hey suuuuuuuuuper freu.
Auch nach dem Neustart sind O17-Einträge verschwunden. Sytem noch mal mit ewido gescannt und TrojanDNSChanger auch aus dem Speicher verschwunden.

hier die logfile von hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 08:17:55, on 08.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\tppaldr.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Dokumente und Einstellungen\User 1\Eigene Dateien\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programme\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


vielen vielen Dank *freu* für deine Hilfe



LG
stringx1
Geändert von stringx1 (08.08.2006 um 07:36 Uhr)

Alt 08.08.2006, 09:55   #26
Wildone
 
Probleme mit RazeSpyware - Standard

Probleme mit RazeSpyware


Hallo,
okay, dann war es das, überlege dir mal wo du dir den Spass eingehandelt haben könntest! Zukünftig keine Dateien aus unseriösen Quellen mehr ausführen und außerdem den IE sicher konfigurieren (oder FF benutzen).



Grüße Wildone

Alt 08.08.2006, 10:33   #27
stringx1
 
Probleme mit RazeSpyware - Standard

Probleme mit RazeSpyware


Klaro werde meiner Freundin ausrichten, dass sie öfters mal schauen soll, wo und was sie auf ihren Rechner lädt. Da ich ihn ihr den Rechner demnächst wieder übergeben kann. Allerdingfs müßte sie sich dann Gedanken machen, da ich nicht weiß wo sie rumsurft.


Also nochmal vielen lieben Dank

LG
stringx1

Antwort
Seite 2 von 2 1 2

Themen zu Probleme mit RazeSpyware
adobe, antivir, avira, bho, danger, dateien, dll, einstellungen, explorer, hijackthis, hintergrund, internet, internet explorer, messenger, microsoft, nvidia, problem, programme, rundll, spyware, system, system32, warnung, web.de, windows, windows xp


« Langsamer Rechner, vermutlich Smitfraud-infektion | Ich bitte dringedst um Hilfe »


Ähnliche Themen: Probleme mit RazeSpyware


  1. Win 7 64bit: Internet / Performance / Downstream probleme durch angebliche port probleme !
    Log-Analyse und Auswertung - 26.04.2014 (19)
  2. Windows 7: Verdacht auf Trojaner (Probleme über Probleme)
    Log-Analyse und Auswertung - 18.03.2014 (10)
  3. Probleme mit FRST gemäß Anleitung AW:Probleme mit static.australianbrewingcompany.com
    Plagegeister aller Art und deren Bekämpfung - 19.01.2014 (41)
  4. Firefox probleme :advertisement popups,download probleme
    Plagegeister aller Art und deren Bekämpfung - 09.04.2010 (18)
  5. pc probleme
    Log-Analyse und Auswertung - 25.04.2009 (0)
  6. Probleme mit ff und ie
    Plagegeister aller Art und deren Bekämpfung - 28.06.2008 (27)
  7. Probleme mit idd*.tmp.exe und w*.tmp.exe
    Plagegeister aller Art und deren Bekämpfung - 08.02.2007 (4)
  8. Need Help! Probleme über Probleme ...
    Log-Analyse und Auswertung - 22.12.2006 (5)
  9. Probleme mit pc -.-
    Log-Analyse und Auswertung - 03.08.2006 (3)
  10. RazeSpyware - Wie werde ich es los???
    Log-Analyse und Auswertung - 21.07.2006 (2)
  11. razespyware
    Plagegeister aller Art und deren Bekämpfung - 19.01.2006 (18)
  12. RazeSpyware
    Log-Analyse und Auswertung - 22.11.2005 (17)
  13. neuling braucht hilfe bei razespyware
    Log-Analyse und Auswertung - 14.10.2005 (7)
  14. IE probleme
    Log-Analyse und Auswertung - 19.06.2005 (4)
  15. Probleme mit dem IE
    Plagegeister aller Art und deren Bekämpfung - 25.12.2004 (7)
  16. probleme bei MSN
    Plagegeister aller Art und deren Bekämpfung - 24.12.2004 (1)
  17. BIN NEU mit probleme
    Plagegeister aller Art und deren Bekämpfung - 19.12.2004 (18)
Anleitungen und Tipps

- Für alle Hilfesuchenden! Was beachten?

- Anleitung: MyStartSearch.com entfernen

- Anleitung: WebSearches löschen

- Hilfe: iStartSurf entfernen – so gehts!

- Anleitung: Omiga Plus richtig entfernen

- Browser Viren entfernen


Zum Thema Probleme mit RazeSpyware - Hallo, standen bei Panda die Pfade der jeweiligen Funde nicht dabei? Wie ist dasd eigentlich jetzt, wenn du die O17 Einträge fixt, kommen sie dann immernoch zurück? Grüße Wildone - Probleme mit RazeSpyware...
Archiv
Du betrachtest: Probleme mit RazeSpyware auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131