Log Analysis and Evaluation: Spyware and Worms

If you have caught a trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. Before viruses and trojans can be removed, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
23.10.2006, 13:12 | #1

Spyware and Worms

Good morning, I ran a very intensive scan with eScan (admittedly not following the instructions from here), because I had the feeling that I had unwanted stuff on my PC. The scan confirmed that. Here is the eScan log (it listed every file it scanned, and I hope I have now not deleted too much or too little of it):

Code:
Mon Oct 23 01:16:03 2006 => Source: C:\DOKUME~1\***\Desktop\mwav.exe
Mon Oct 23 01:16:03 2006 => Version 8.5.7 (C:\DOKUME~1\***\LOKALE~1\Temp\mexe.com)
Mon Oct 23 01:16:03 2006 => Log File: C:\DOKUME~1\***\LOKALE~1\Temp\MWAV.LOG
Mon Oct 23 01:16:03 2006 => Last Scan Date and Time: 22.10.2006 13:02:36
Mon Oct 23 01:16:03 2006 => MWAV Registered: FALSE.
Mon Oct 23 01:16:03 2006 => OS Type: Windows Workstation
Mon Oct 23 01:16:03 2006 => OS: Windows XP
Mon Oct 23 01:16:03 2006 => Ver: Service Pack 2 (Build 2600)
Mon Oct 23 01:16:03 2006 => Windows Root Folder: C:\WINDOWS
Mon Oct 23 01:16:03 2006 => Windows Sys32 Folder: C:\WINDOWS\system32
Mon Oct 23 01:16:03 2006 => Local Fixed Drives: c:\,d:\
Mon Oct 23 01:16:03 2006 => MWAV Mode: Only Scan files.
Mon Oct 23 01:16:03 2006 => Latest Date of files inside MWAV: 22 Oct 2006 12:34:48.
Mon Oct 23 01:16:05 2006 => AV Library Loaded...
Mon Oct 23 01:16:05 2006 => MWAV doing self scanning...
Mon Oct 23 01:16:05 2006 => MWAV files are clean.
Mon Oct 23 01:16:05 2006 => Virus Database Date: 10/22/2006
Mon Oct 23 01:16:05 2006 => Virus Database Count: 233834
Mon Oct 23 01:16:23 2006 => Downloading AntiVirus and Anti-Spyware Databases...
Mon Oct 23 01:16:32 2006 => Downloads Successful...
Mon Oct 23 01:16:35 2006 => Reload of AntiVirus Signatures successfully done.
Mon Oct 23 01:16:35 2006 => Virus Database Date: 10/23/2006
Mon Oct 23 01:16:35 2006 => Virus Database Count: 233865
Mon Oct 23 01:16:37 2006 => Version 8.5.7 (C:\DOKUME~1\***\LOKALE~1\Temp\mexe.com)
Mon Oct 23 01:16:37 2006 => Log File: C:\DOKUME~1\***\LOKALE~1\Temp\MWAV.LOG
Mon Oct 23 01:16:37 2006 => User Account: ***
Mon Oct 23 01:16:37 2006 => Windows Root Folder: C:\WINDOWS
Mon Oct 23 01:16:37 2006 => Windows Sys32 Folder: C:\WINDOWS\system32
Mon Oct 23 01:16:37 2006 => OS: Windows XP
Mon Oct 23 01:16:37 2006 => Ver: Service Pack 2 (Build 2600)
Mon Oct 23 01:16:37 2006 => Latest Date of files inside MWAV: 23 Oct 2006 01:04:58.
Mon Oct 23 01:16:37 2006 => Options Selected by User:
Mon Oct 23 01:16:37 2006 => Memory Check: Enabled
Mon Oct 23 01:16:37 2006 => Registry Check: Enabled
Mon Oct 23 01:16:37 2006 => StartUp Folder Check: Enabled
Mon Oct 23 01:16:37 2006 => System Folder Check: Enabled
Mon Oct 23 01:16:37 2006 => System Area Check: Disabled
Mon Oct 23 01:16:37 2006 => Services Check: Enabled
Mon Oct 23 01:16:37 2006 => Drive Check Option Disabled
Mon Oct 23 01:16:37 2006 => Folder Check: Disabled
Mon Oct 23 01:17:21 2006 => Scanning File C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
Mon Oct 23 01:17:21 2006 => ERROR!!! Invalid Entry \??\F:\INSTALL\GMSIPCI.SYS in SYSTEM\CurrentControlSet\Services\GMSIPCI...
Mon Oct 23 01:17:21 2006 => Scanning File C:\WINDOWS\system32\DRIVERS\msgpc.sys
Mon Oct 23 01:17:27 2006 => Offending Key found: HKLM\Software\microsoft\downloadmanager !!!
Mon Oct 23 01:17:27 2006 => Object "istbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Mon Oct 23 01:17:28 2006 => Offending file found: C:\WINDOWS\system32\empty.exe
Mon Oct 23 01:17:28 2006 => System found infected with conducent flexpak Spyware/Adware (empty.exe)! Action taken: No Action Taken.
Mon Oct 23 01:17:28 2006 => Offending file found: C:\WINDOWS\system32\instsrv.exe
Mon Oct 23 01:17:28 2006 => System found infected with ezula Spyware/Adware (instsrv.exe)! Action taken: No Action Taken.
Mon Oct 23 01:17:28 2006 => Offending file found: C:\DOKUME~1\***\LOKALE~1\Temp\cmdlineext02.dll
Mon Oct 23 01:17:28 2006 => System found infected with whenu.savenow Spyware/Adware (cmdlineext02.dll)! Action taken: No Action Taken.
Mon Oct 23 01:17:57 2006 => Offending Folder found: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\temp\7zeea.tmp\m\midnight oil
Mon Oct 23 01:17:57 2006 => Object "midnight oil Spyware/Adware" found in File System! Action Taken: No Action Taken.
Mon Oct 23 01:18:19 2006 => Offending file found: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\temp\cmdlineext02.dll
Mon Oct 23 01:18:19 2006 => System found infected with whenu.savenow Spyware/Adware (cmdlineext02.dll)! Action taken: No Action Taken.
Mon Oct 23 01:18:22 2006 => Offending file found: C:\WINDOWS\system32\pslist.exe
Mon Oct 23 01:18:22 2006 => System found infected with rohbot Worm (C:\WINDOWS\system32\pslist.exe)! Action taken: No Action Taken.
Mon Oct 23 01:18:23 2006 => Checking CLSID Reference Entries...
Mon Oct 23 01:18:24 2006 => Entry "HKCR\YServer.Component.1" refers to invalid object "{B26DA9C0-7921-11D4-B0F2-0050DA2B3579}". Action Taken: No Action Taken.
Mon Oct 23 01:18:24 2006 => Checking Module Usage Entries...
Mon Oct 23 01:18:24 2006 => Checking User Trusted External App Entries...
Mon Oct 23 01:18:24 2006 => Checking Shared DLL Entries...
Mon Oct 23 01:18:24 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Microsoft Shared\TEXTCONV\MSWRD832.CNV". Action Taken: No Action Taken.
Mon Oct 23 01:18:24 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOKUME~1\***\LOKALE~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\FileGrp\Msvcrt10.dll". Action Taken: No Action Taken.
Mon Oct 23 01:18:25 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxwma.dll". Action Taken: No Action Taken.
Mon Oct 23 01:18:25 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxinsi64.exe". Action Taken: No Action Taken.
Mon Oct 23 01:18:25 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxcpyi64.exe". Action Taken: No Action Taken.
Mon Oct 23 01:18:25 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: No Action Taken.
Mon Oct 23 01:18:25 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Equation\eqnedt32.exe". Action Taken: No Action Taken.
Mon Oct 23 01:18:25 2006 => Checking Installer Entries...
Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\VentSrv\". Action Taken: No Action Taken.
Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\***\Startmenü\Programme\CSE Demoplayer\". Action Taken: No Action Taken.
Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\ATI Technologies\ATI.ACE\". Action Taken: No Action Taken.
Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\ATI Technologies\ATI.ACE\skins\". Action Taken: No Action Taken.
Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\ATI Technologies\ATI.ACE\skins\CATALYST_SteelBlue\". Action Taken: No Action Taken.
Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Adobe\Adobe Photoshop CS2\". Action Taken: No Action Taken.
Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Adobe\Adobe Photoshop CS2\Required\". Action Taken: No Action Taken.
Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Adobe\Adobe Bridge\". Action Taken: No Action Taken.
Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\ESL Upper\". Action Taken: No Action Taken.
Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\ESL Upper\upload\". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Checking Shared Tools Entries...
Mon Oct 23 01:18:27 2006 => Checking File Extension Entries...
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".15/addons/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".15/addons/metamod/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".15/gfx/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/hlguard/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/hlguard/config/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/hlguard/dlls/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/metamod/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/metamod/dlls/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/soundcheck/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".afw". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".blob". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".c4d". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dat". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/gbook/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/ugly/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/v2/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/v2/gbook/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/v2/gbook/images/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/v2/gbook/images/smilies/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/v2/gfx/". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dmg". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".gsm". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mdl". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".met". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".msf". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".net_IMG_15189". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".popupskin". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ram". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rmm". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".so". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".spr". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".wad". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".wba". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "OpenWithList". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Checking Application Cache Entries...
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Aston". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "ffdshow". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InstallShield_{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InstallShield_{872653C6-5DDC-488B-B7C2-CF9E4D9335E5}". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Miranda IM_is1". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "MSI Live Update 2". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "MSI Live Update 3". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NVIDIA Audio Driver". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NVIDIAnForce". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Opera". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Serious Samurize". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SSUtils". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Works2003Setup". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{0049F6AE-4FE2-4C43-A039-60FCE98A1986}". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7B802DE5-84E5-4503-965B-2ABFFC78506A}". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{8270831B-8F2F-4B65-8E2C-9712054C38D1}". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{CB2D95C7-189C-4596-B071-CE99C309573D}". Action Taken: No Action Taken.
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{E51B4CD9-A0A6-4324-B26A-31B3F2DE26CE}". Action Taken: No Action Taken.
Mon Oct 23 01:36:02 2006 => ***** Scanning complete. *****
Mon Oct 23 01:36:02 2006 => Total Objects Scanned: 69192
Mon Oct 23 01:36:02 2006 => Total Critical Objects: 9
Mon Oct 23 01:36:02 2006 => Total Disinfected Objects: 0
Mon Oct 23 01:36:02 2006 => Total Objects Renamed: 0
Mon Oct 23 01:36:02 2006 => Total Deleted Objects: 0
Mon Oct 23 01:36:02 2006 => Total Errors: 73
Mon Oct 23 01:36:02 2006 => Time Elapsed: 00:19:24
Mon Oct 23 01:36:02 2006 => Virus Database Date: 10/23/2006
Mon Oct 23 01:36:02 2006 => Virus Database Count: 233865
Mon Oct 23 01:36:02 2006 => Scan Completed.
Mon Oct 23 04:11:07 2006 => Virus Database Date: 10/23/2006
Mon Oct 23 04:11:07 2006 => Virus Database Count: 233865
Mon Oct 23 04:11:10 2006 => AV Library Unloaded (3)...

Code:
Logfile of HijackThis v1.99.1
Scan saved at 14:05:08, on 23.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Ray Adams\ATI Tray Tools\atitray.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\Miranda IM\miranda32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Opera\Opera.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Dokumente und Einstellungen\***\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Programme\Ray Adams\ATI Tray Tools\atitray.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programme\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programme\Yahoo!\Messenger\YahooMessenger.exe
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - h**p://w*w.johannrain-softwareentwicklung.de/DE/scan8/oscan8.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe

Thanks in advance!
Groove, Gunnarsen

Edit: I had forgotten to "censor" a URL. And here is some more information:
Firewall: router, and Sygate Personal Firewall
AntiVirus: AntiVir (but it finds nothing)
Yesterday I already deleted the file "psKill.exe" in the System32 folder, because according to various sites it is not wanted.

Last edited by Gunnarsen (23.10.2006 at 13:39)
24.10.2006, 13:43 | #2

Spyware and Worms

Sorry about the double post, but can nobody help me?
24.10.2006, 13:57 | #3

Spyware and Worms

eScan only scans, it does not delete anything (No Action Taken.)

But this should help you: http://www.derbilk.de/malware/1_anleitungen_escan.php

Last edited by theRealMcFly (24.10.2006 at 14:02)
25.10.2006, 14:36 | #4

Spyware and Worms

First of all, thanks for the reply. Here now the log produced by find.bat:

Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mon Oct 23 01:17:28 2006 => System found infected with conducent flexpak Spyware/Adware (empty.exe)! Action taken: No Action Taken.
Mon Oct 23 01:17:28 2006 => System found infected with ezula Spyware/Adware (instsrv.exe)! Action taken: No Action Taken.
Mon Oct 23 01:17:28 2006 => System found infected with whenu.savenow Spyware/Adware (cmdlineext02.dll)! Action taken: No Action Taken.
Mon Oct 23 01:18:19 2006 => System found infected with whenu.savenow Spyware/Adware (cmdlineext02.dll)! Action taken: No Action Taken.
Mon Oct 23 01:18:22 2006 => System found infected with rohbot Worm (C:\WINDOWS\system32\pslist.exe)! Action taken: No Action Taken.
Mon Oct 23 01:36:02 2006 => Total Disinfected Objects: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mon Oct 23 01:19:34 2006 => File C:\WINDOWS\system32\psexec.exe tagged as not-a-virus:RiskTool.Win32.PsExec.153. No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde für "offending"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mon Oct 23 01:17:27 2006 => Offending Key found: HKLM\Software\microsoft\downloadmanager !!!
Mon Oct 23 01:17:28 2006 => Offending file found: C:\WINDOWS\system32\empty.exe
Mon Oct 23 01:17:28 2006 => Offending file found: C:\WINDOWS\system32\instsrv.exe
Mon Oct 23 01:17:28 2006 => Offending file found: C:\DOKUME~1\***\LOKALE~1\Temp\cmdlineext02.dll
Mon Oct 23 01:17:57 2006 => Offending Folder found: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\temp\7zeea.tmp\m\midnight oil
Mon Oct 23 01:18:19 2006 => Offending file found: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\temp\cmdlineext02.dll
Mon Oct 23 01:18:22 2006 => Offending file found: C:\WINDOWS\system32\pslist.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mon Oct 23 01:36:02 2006 => Total Objects Scanned: 69192
Mon Oct 23 01:36:02 2006 => Total Critical Objects: 9
Mon Oct 23 01:36:02 2006 => Total Disinfected Objects: 0
Mon Oct 23 01:36:02 2006 => Total Deleted Objects: 0
Mon Oct 23 01:36:02 2006 => Total Errors: 73
Mon Oct 23 01:36:02 2006 => Time Elapsed: 00:19:24
Mon Oct 23 01:16:05 2006 => Virus Database Date: 10/22/2006
Mon Oct 23 01:16:35 2006 => Virus Database Date: 10/23/2006
Mon Oct 23 01:36:02 2006 => Virus Database Date: 10/23/2006
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~

Groove, Gunnarsen
25.10.2006, 16:43 | #5

Spyware and Worms

Hello,

first, in your next post you could leave out the "Code" and copy it the way all the other users do...

Second, you could have googled it yourself, then you would have found this: http://www.sophos.com/security/analyses/w32rohbota.html

Under "Effects" it says what it does. That means reinstalling from scratch and changing all passwords without fail. Change them, not just swap them around!

Irrlicht