Log Analysis and Evaluation: PC installs and starts applications on its own
27.08.2008, 13:46 | #1

Hi, I have the problem that my PC installs and starts applications on its own (e.g. Antivir XP 2008, AOL Dial in); it is certainly not Antivir 2008 XP, though. Another problem is that I can't run any scans, neither antivirus (I tried with the eTrust antivirus that came preinstalled on my machine) nor spy/adware (Ad-Aware aborts after a certain time and the program crashes). In Google I can't open any search results; when I click them it opens other pages on its own, but ones already related to the search term. I also can't change my desktop background; the option has been disabled under Properties. I hope you can help. Here is the logfile from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:18, on 27.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Dit.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\AOL\1203702677\ee\aolsoftware.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programme\Logitech\QuickCam10\QuickCam10.exe
C:\Programme\Remote Control Pro\RCPServer.exe
C:\WINDOWS\system32\lphcnr5j0ej2n.exe
C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\Programme\ICQ6\ICQ.exe
C:\dokumente und einstellungen\medion\lokale einstellungen\anwendungsdaten\wmycc.exe
C:\Programme\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\pphcnr5j0ej2n.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\CA\eTrust Antivirus\InoRpc.exe
C:\Programme\CA\eTrust Antivirus\InoRT.exe
C:\Programme\CA\eTrust Antivirus\InoTask.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Windows Live\Messenger\msnmsgr.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1576177
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Programme\Freecorder\tbFre1.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Programme\livetvbar\tblive.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Programme\Freecorder\tbFre1.dll
O2 - BHO: 375013 helper - {74F7DB6B-86E9-4B91-9D9F-B0D954D7AA5B} - C:\WINDOWS\system32\375013\375013.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Programme\livetvbar\tblive.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Programme\Freecorder\tbFre1.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Programme\livetvbar\tblive.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AntivirusRegistration] C:\Programme\CA\Etrust Antivirus\Register.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HostManager] C:\Programme\Gemeinsame Dateien\AOL\1203702677\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programme\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Remote Control Pro] C:\Programme\Remote Control Pro\RCPServer.exe
O4 - HKLM\..\Run: [lphcnr5j0ej2n] C:\WINDOWS\system32\lphcnr5j0ej2n.exe
O4 - HKLM\..\Run: [SMrhcjr5j0ej2n] C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSetup] C:\DOKUME~1\Medion\LOKALE~1\Temp\QuickCam_11.0.0\setup.exe /skip_all_checks /p /start /restart /l:deu
O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\nsinet.exe /res
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [wmycc] "c:\dokumente und einstellungen\medion\lokale einstellungen\anwendungsdaten\wmycc.exe" wmycc
O4 - HKCU\..\Run: [Veoh] "C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with Xilisoft Download YouTube Video - C:\Programme\Xilisoft\Download YouTube Video\upod_link.HTM
O8 - Extra context menu item: In neuer Registerkarte im Hintergrund öffnen - res://C:\Programme\Windows Live Toolbar\Components\de-de\msntabres.dll.mui/229?d8f2a52997324421b577ad1c5966fda3
O8 - Extra context menu item: In neuer Registerkarte im Vordergrund öffnen - res://C:\Programme\Windows Live Toolbar\Components\de-de\msntabres.dll.mui/230?d8f2a52997324421b577ad1c5966fda3
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.de
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110880546187
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DF1C8E21-4045-4D67-B528-335F1A4F0DE9} - http://es6-scripts.dlv4.com/binaries/egaccess4/egaccess4_1073_em_XP.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9AE2FF8-35DF-4C5B-B467-B5938B4EE82E}: NameServer = 195.50.140.252 195.50.140.114
O22 - SharedTaskScheduler: hruska - {747e1fbe-b70f-441d-bbca-6e536c04924a} - C:\WINDOWS\system32\sozctue.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Control Pro (RCPServer) - Alchemy Lab - C:\Programme\Remote Control Pro\rcpserver.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 13323 bytes

Last edited by OMER (27.08.2008 at 14:02)
27.08.2008, 13:52 | #2

Hi,

er, it'll take me a bit longer to work my way through that... Yikes, you have a remote server on there... That looks like a reinstall... or is it intentional?

chris
27.08.2008, 14:09 | #3

I'm not keen on reinstalling, only if really nothing works any more.

And yes, the remote server is intentional. It's my little brother's PC and I wanted to first try to help him from another location. I had thought he had a smaller problem where I wouldn't necessarily have to be on site. But as I'm noticing now, it looks more serious.

PS: by the way, I changed the logfile again. In the previous one I had closed a few applications via Task Manager. I restarted and created the logfile again so that the applications are back and included in the logfile.
27.08.2008, 14:10 | #4

Hi,

just for the data backup! Is the remote server intentional now or not? Is the computer used for business (a company?), because the following script may well break something... Your risk...

Please check the following files:

Quote:
At the top of the page --> click Browse --> pick the file (or paste the file with its correct path straight in) --> double-click the file to be checked --> click "Send"... now wait - then select the text with the right mouse button -> copy - paste. Please post the result with the filename!

So: Avenger instructions (by swandog46)

1.) Download the tool Avenger and save it to the desktop:

2.) Set up the program as shown in the picture. Now copy the following text into the white field (at -> "input script here"):

Code:
Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|lphcnr5j0ej2n
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SMrhcjr5j0ej2n
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|webHancer Agent

Files to delete:
C:\WINDOWS\system32\nsinet.exe
C:\WINDOWS\system32\lphcnr5j0ej2n.exe
C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe
C:\WINDOWS\system32\375013\375013.dll

Folders to delete:
C:\Programme\ShoppingReport
C:\Program Files\webHancer
C:\Programme\rhcjr5j0ej2n

3.) Now close all programs (save first if necessary!) and browser windows; after running Avenger the system will be restarted.

4.) To start Avenger click on -> Execute. Then confirm with "Yes" that the computer will restart!

5.) After the system has restarted you will find a report from Avenger here -> C:\avenger.txt. Open the file in the editor and copy the whole text into your post here on Trojaner-Board.

HijackThis, fixing: open HijackThis -- button "Scan" -- tick the boxes in front of the following entries -- button "Fix checked" -- restart the PC. All programs must be closed while fixing!

Code:
O22 - SharedTaskScheduler: hruska - {747e1fbe-b70f-441d-bbca-6e536c04924a} - C:\WINDOWS\system32\sozctue.dll (file missing)
O16 - DPF: {DF1C8E21-4045-4D67-B528-335F1A4F0DE9} - http://es6-scripts.dlv4.com/binaries/egaccess4/egaccess4_1073_em_XP.cab
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.de
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O4 - HKCU\..\Run: [wmycc] "c:\dokumente und einstellungen\medion\lokale einstellungen\anwendungsdaten\wmycc.exe" wmycc
O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\nsinet.exe /res
O4 - HKLM\..\Run: [lphcnr5j0ej2n] C:\WINDOWS\system32\lphcnr5j0ej2n.exe
O4 - HKLM\..\Run: [SMrhcjr5j0ej2n] C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: 375013 helper - {74F7DB6B-86E9-4B91-9D9F-B0D954D7AA5B} - C:\WINDOWS\system32\375013\375013.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1576177

Run it and let it clean everything up. Then go online and post the logs.

ATTENTION: The remote server is still running as a service; if that is not intentional, the following service must be stopped and deleted:
O23 - Service: Remote Control Pro (RCPServer) - Alchemy Lab - C:\Programme\Remote Control Pro\rcpserver.exe
I have only taken out the Run key for you; the software is also still on the computer!

MAM: instructions here: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html. But please use this download link: http://filepony.de/download-malwarebytes_anti_malware/.

ComboFix: Download ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to the desktop. Close all windows, start combofix.exe and confirm the following prompt with 1 and press Enter. The scan with ComboFix can take some time, so have a little patience. Please do not do anything on the computer during the scan. It is possible that the computer will be restarted in between. After the scan ends a report is displayed; please copy it and paste it into your thread. Further instructions at: http://www.bleepingcomputer.com/combofix/de/wie-combofix-benutzt-wird

Chris

PS: Java, IE (IE7) and Windows (SP3) could also do with an update!

Edit: removed the remote server from the scripts... Please work through everything; this one here is Antivirus 2008 (C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe) (I think... ;o)
27.08.2008, 15:50 | #5 |
| pc installiert und startet eigenständig Anwendungen C:\WINDOWS\system32\nsinet.exe Code:
ATTFilter Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 - - - AntiVir - - DIAL/140760.A.2 Authentium - - W32/InstAccess.B.gen!Eldorado Avast - - Win32:Dialer-gen AVG - - Dialer.28.BM BitDefender - - - CAT-QuickHeal - - PornDialer.InstantAccess.dcm (Not a Virus) ClamAV - - - DrWeb - - - eSafe - - Suspicious File eTrust-Vet - - - Ewido - - - F-Prot - - W32/InstAccess.B.gen!Eldorado F-Secure - - Porn-Dialer.Win32.InstantAccess.dcm Fortinet - - Dial/InstantAccess GData - - Win32:Dialer-gen Ikarus - - Dialer.Win32.InstantAccess Kaspersky - - not-a-virus:Porn-Dialer.Win32.InstantAccess.dcm McAfee - - Generic Dropper.az Microsoft - - Dialer:Win32/InstantAccess NOD32v2 - - - Norman - - - Panda - - Generic Trojan Prevx1 - - Malicious Software Rising - - - Sophos - - InstantAccess Sunbelt - - EGroup.InstantAccess Symantec - - - TheHacker - - Trojan/Dialer.InstantAccess.dcm TrendMicro - - - VBA32 - - Porn-Dialer.Win32.InstantAccess.dcm VirusBuster - - - Webwasher-Gateway - - Dialer.140760.A.2 weitere Informationen MD5: 932358cef85cf21f818a2a804994edb3 SHA1: 74f4337d19c3df40927966a748e5ab358602a37b SHA256: e10641928e77b29c0acd5129814143006937e1026b79397f9c740bafddb76d78 SHA512: b78d237abe99279f6f91e797bd6a23c79bd60a46f318ed712b57eace9552a8606c4204f6dac0e83e660bf16d061f9b21437abc67ac1472564d0967fafbfdcffe C:\WINDOWS\system32\lphcnr5j0ej2n.exe Code:
ATTFilter Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.8.21.0 2008.08.26 - AntiVir 7.8.1.23 2008.08.26 TR/Dldr.Small.gae Authentium 5.1.0.4 2008.08.25 - Avast 4.8.1195.0 2008.08.25 - AVG 8.0.0.161 2008.08.26 Downloader.FraudLoad.N BitDefender 7.2 2008.08.26 Trojan.Peed.JSB CAT-QuickHeal 9.50 2008.08.25 (Suspicious) - DNAScan ClamAV 0.93.1 2008.08.26 - DrWeb 4.44.0.09170 2008.08.26 - eSafe 7.0.17.0 2008.08.24 Suspicious File eTrust-Vet 31.6.6048 2008.08.25 - Ewido 4.0 2008.08.25 - F-Prot 4.4.4.56 2008.08.26 - F-Secure 7.60.13501.0 2008.08.26 Backdoor.Win32.Agent.qcd Fortinet 3.14.0.0 2008.08.26 - GData 2.0.7306.1023 2008.08.20 - Ikarus T3.1.1.34.0 2008.08.26 - K7AntiVirus 7.10.428 2008.08.25 - Kaspersky 7.0.0.125 2008.08.26 Backdoor.Win32.Agent.qcd McAfee 5369 2008.08.25 - Microsoft 1.3807 2008.08.25 Trojan:Win32/Tibs.HP NOD32v2 3387 2008.08.26 Win32/TrojanDownloader.FakeAlert.HJ Norman 5.80.02 2008.08.25 - Panda 9.0.0.4 2008.08.25 - PCTools 4.4.2.0 2008.08.25 - Prevx1 V2 2008.08.26 Malicious Software Rising 20.59.10.00 2008.08.26 - Sophos 4.32.0 2008.08.26 - Sunbelt 3.1.1582.1 2008.08.26 - Symantec 10 2008.08.26 Downloader.MisleadApp TheHacker 6.3.0.6.060 2008.08.23 - TrendMicro 8.700.0.1004 2008.08.26 - VBA32 3.12.8.4 2008.08.25 - ViRobot 2008.8.25.1348 2008.08.25 - VirusBuster 4.5.11.0 2008.08.25 - Webwasher-Gateway 6.6.2 2008.08.26 Trojan.Dldr.Small.gae weitere Informationen File size: 199168 bytes MD5...: 609e59d17a35e514caea543868134d7a SHA1..: eb5db8bc5ae5687361549197b55a4f56c5a394e5 SHA256: d566ad1822c2246a943a5c448dcc1b09b3ba1440d6c690391aa5ecc9f80e6cd4 SHA512: 7ffd7e65d75f112694607b152c93fc3d93ab10afabd1b55bd1ff5c1d1a5c0c33 ae37aa3375d02c9d3647bdddee6959c1984b8149b87d3e958311204ff1ade818 PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x4066c9 timedatestamp.....: 0x48a5befd (Fri Aug 15 17:38:05 2008) machinetype.......: 0x14c (I386) ( 4 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0xecfb 
0x9200 7.99 67795eee06789c0a2f8e2358e9a8e0b6 .rdata 0x10000 0x3cd3 0x1800 7.97 b3c34e7072bce1c86ac8b15408500f54 .data 0x14000 0xb66fa 0x22c00 8.00 349e385fc500f5fdf2e5a7ea28e0072b .rsrc 0xcb000 0xf000 0x3000 6.62 d2f28c23e77dbea4100179f07bcfc66f ( 4 imports ) > wsock32.dll: bind, WSAStartup, listen > kernel32.dll: CreatePipe, TerminateProcess, VirtualProtect > gdi32.dll: SetRelAbs, StretchBlt, SetICMMode, ResetDCW, UpdateColors, SaveDC, TextOutW, SetDIBColorTable > shell32.dll: SHAppBarMessage, StrRChrIA, StrStrIA ( 0 exports ) ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=609e59d17a35e514caea543868134d7a Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=680727080024C31B0AFE03FAF8934C0036A45F5C C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe Code:
ATTFilter Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.8.21.0 2008.08.25 - AntiVir 7.8.1.23 2008.08.25 - Authentium 5.1.0.4 2008.08.25 - Avast 4.8.1195.0 2008.08.24 - AVG 8.0.0.161 2008.08.25 Downloader.FraudLoad BitDefender 7.2 2008.08.25 - CAT-QuickHeal 9.50 2008.08.22 (Suspicious) - DNAScan ClamAV 0.93.1 2008.08.25 - DrWeb 4.44.0.09170 2008.08.25 - eSafe 7.0.17.0 2008.08.24 - eTrust-Vet 31.6.6047 2008.08.25 - Ewido 4.0 2008.08.25 - F-Prot 4.4.4.56 2008.08.25 - F-Secure 7.60.13501.0 2008.08.25 Trojan.Win32.Monder.gen Fortinet 3.14.0.0 2008.08.25 - GData 2.0.7306.1023 2008.08.20 Trojan.Win32.Monder.gen Ikarus T3.1.1.34.0 2008.08.25 - K7AntiVirus 7.10.427 2008.08.23 - Kaspersky 7.0.0.125 2008.08.25 Trojan.Win32.Monder.gen McAfee 5368 2008.08.22 - Microsoft 1.3807 2008.08.25 - NOD32v2 3384 2008.08.25 a variant of Win32/TrojanDownloader.FakeAlert.HH Panda 9.0.0.4 2008.08.25 - PCTools 4.4.2.0 2008.08.25 - Prevx1 V2 2008.08.25 Malicious Software Rising 20.59.00.00 2008.08.25 - Sophos 4.32.0 2008.08.25 Mal/EncPk-CZ Sunbelt 3.1.1575.1 2008.08.23 - Symantec 10 2008.08.25 - TheHacker 6.3.0.6.060 2008.08.23 - TrendMicro 8.700.0.1004 2008.08.25 - VBA32 3.12.8.4 2008.08.25 Malware-Cryptor.Win32.Rp ViRobot 2008.8.22.1346 2008.08.22 - VirusBuster 4.5.11.0 2008.08.24 - Webwasher-Gateway 6.6.2 2008.08.25 - weitere Informationen File size: 831488 bytes MD5...: fab3e144bfd713104799bef3b9c903b6 SHA1..: 186857083ba8c330314b9396eff0b5c23fd08eaa SHA256: 77eec921fd09bc5505933ce59b4ea28006724b5a87952c95faae960fc709a380 SHA512: a433f29e132223c07731a8f5e1c4e3abcd023f5309bc9e430ffe29ad34b8bf40 12a49abc41b7a800f003c8e0b472cfff4f3505791e31d4e416ad7781f3db5519 PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x401cbf timedatestamp.....: 0x48b2609f (Mon Aug 25 07:34:55 2008) machinetype.......: 0x14c (I386) ( 5 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x984264 0x3000 4.93 44bd1b837a0e4feac1ff3522b23877f1 DATA 0x986000 0xb2478 
0xb3000 7.99 53c055f17c6dd087af050afb12012b07 .rsrc 0xa39000 0x13000 0x13000 4.69 0f0439064d04fe96e396687d398c1a8a .idata 0xa4c000 0x600 0x1000 0.72 e1742759eaca71ac68ac44a250b2761d .pack32 0xa4d000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e ( 3 imports ) > kernel32.dll: WritePrivateProfileStructW, DisconnectNamedPipe > user32.dll: ArrangeIconicWindows, EnumThreadWindows > gdi32.dll: GdiInitSpool, SetBrushOrgEx, GdiGetLocalFont, CheckColorsInGamut, EngLockSurface ( 0 exports ) Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=F289CB51008292C5B0B50C9BB6150800B995898E C:\WINDOWS\system32\375013\375013.dll Code:
ATTFilter Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 - - - AntiVir - - TR/Dldr.Zlob.ABMP.9 Authentium - - - Avast - - Win32:E404 AVG - - Lop.4.K BitDefender - - Trojan.Downloader.Zlob.ABMP CAT-QuickHeal - - TrojanDownloader.Zlob.gen ClamAV - - - DrWeb - - Adware.Pors eSafe - - - eTrust-Vet - - Win32/Warefof.J Ewido - - - F-Prot - - - F-Secure - - - FileAdvisor - - High threat detected Fortinet - - - Ikarus - - Trojan-Downloader Kaspersky - - not-a-virus:AdWare.Win32.E404.t McAfee - - Puper.dll Microsoft - - BrowserModifier:Win32/E404 NOD32v2 - - Win32/BHO.NDD Norman - - W32/DLoader.GJPY Panda - - Trj/Downloader.TCF Prevx1 - - Lop.4.K Rising - - - Sophos - - Mal/Generic-A Sunbelt - - BHO.e404.Hijacker Symantec - - Trackware.ProSearch TheHacker - - - VBA32 - - Win32.BHO.NDD VirusBuster - - Trojan.DL.Zlob.ITW Webwasher-Gateway - - Trojan.Dldr.Zlob.ABMP.9 weitere Informationen MD5: 088278d03470789b2cd1adcb6764fdd5 SHA1: ba64b8b66ee05809e24b9b7e41d652e351734ef5 SHA256: d3c1ee49c583700eba0dcc923339fd369ed55e8bd2ac3352517bc89531189357 SHA512: d2923026635dc8cdb14dc936e21d76985916737691ba96d481a7a8f1ba6c69274a371d194251c19c8cd338ff388bdd0843488e32d15ca2baf2b779df4cac8627 avenger.txt Code:
ATTFilter ////////////////////////////////////////// Avenger Pre-Processor log ////////////////////////////////////////// Platform: Windows XP (build 2600, Service Pack 2) Wed Aug 27 16:13:07 2008 16:13:07: Error: Invalid script. A valid script must begin with a command directive. Aborting execution! ////////////////////////////////////////// Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. Hidden driver "tdssserv" found! ImagePath: \systemroot\system32\drivers\tdssserv.sys Start Type: 1 (System) Rootkit scan completed. Error: file "C:\WINDOWS\system32\nsinet.exe" not found! Deletion of file "C:\WINDOWS\system32\nsinet.exe" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist File "C:\WINDOWS\system32\lphcnr5j0ej2n.exe" deleted successfully. File "C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe" deleted successfully. File "C:\WINDOWS\system32\375013\375013.dll" deleted successfully. Folder "C:\Programme\ShoppingReport" deleted successfully. Folder "C:\Program Files\webHancer" deleted successfully. Folder "C:\Programme\rhcjr5j0ej2n" deleted successfully. Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|lphcnr5j0ej2n" deleted successfully. Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SMrhcjr5j0ej2n" deleted successfully. Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|webHancer Agent" deleted successfully. Completed script processing. ******************* Finished! Terminate. hab gedacht vielleicht liegts ja daran dass ich keine verbindung herstellen kann. danach wieder avenger durchführen lassen mit den selben zeilen von dir nur die kleine verbesserung: Code:
ATTFilter Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Rootkit scan active. Hidden driver "tdssserv" found! ImagePath: \systemroot\system32\drivers\tdssserv.sys Start Type: 1 (System) Rootkit scan completed. File "C:\WINDOWS\system32nsinet.exe" deleted successfully. Error: file "C:\WINDOWS\system32\lphcnr5j0ej2n.exe" not found! Deletion of file "C:\WINDOWS\system32\lphcnr5j0ej2n.exe" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: could not open file "C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe" Deletion of file "C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe" failed! Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) --> bad path / the parent directory does not exist Error: file "C:\WINDOWS\system32\375013\375013.dll" not found! Deletion of file "C:\WINDOWS\system32\375013\375013.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: folder "C:\Programme\ShoppingReport" not found! Deletion of folder "C:\Programme\ShoppingReport" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: folder "C:\Program Files\webHancer" not found! Deletion of folder "C:\Program Files\webHancer" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: folder "C:\Programme\rhcjr5j0ej2n" not found! Deletion of folder "C:\Programme\rhcjr5j0ej2n" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|lphcnr5j0ej2n" Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|lphcnr5j0ej2n" failed! 
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SMrhcjr5j0ej2n"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SMrhcjr5j0ej2n" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|webHancer Agent"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|webHancer Agent" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist
Completed script processing.
*******************
Finished! Terminate.

No success, still no connection. I'm posting from the laptop right now... Edit: by the way, Antivirus 2008 no longer starts, which is a good sign. I still can't change the desktop background. There is also a picture of an error message / virus warning: "warning spyware detected on your computer / warning win32/adware.virtumonde detected on your computer / warning win32/privacyremover.m64 detected on your computer". There's a bit more text with it, but that's the heading. The picture looks as if an application had been started... with an X and minimize / maximize buttons at the top. But as I said, it's only a picture. Last edited by OMER (27.08.2008, 16:07) |
27.08.2008, 21:57 | #6 |
| PC installs and starts applications on its own Hi, we'll take care of the Internet later, YOU still have quite a bit on the machine! So definitely install and run MAM, and then ComboFix! Post both logs; MAM will still kill quite a bit. The Internet connection is related to "WebHancer"... (-> Hijacked Internet access by WebHancer -> http://www.pctipp.ch/index.cfm?pid=1377&pk=24523 Either reinstall it, or we roll back the HJT backup for it, or we try to repair the Winsock -> http://www.snapfiles.com/get/lspfix.html...) So, for LSP-Fix: LSPfix will suggest repairs to you if necessary. Do n o t go into Advanced Mode - just follow the suggestions - heed the warnings "IF YOU REALLY KNOW WHAT YOU ARE DOING !" If you see that, you'd better do nothing - otherwise you can rebuild the networking part of Windows by hand - that is no fun! It should actually work without problems, since the deleted file can be clearly identified and the chain can be rebuilt (if the rest is OK!) chris
Last edited by Chris4You (27.08.2008, 22:09) |
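To make the Winsock failure mode described in post #6 concrete, here is an added example (editor's code, not from the thread, from LSP-Fix or from webHancer). It parses the text that `netsh winsock show catalog` prints on XP SP2 and later, expands each provider path, checks the DLL against the filesystem and reports every catalog entry or chain that can no longer load. The catalog text, the DLL name webhdll.dll and the injected `exists` callback are constructed assumptions so that it runs offline.

```python
"""Flag orphaned Winsock LSP entries in a `netsh winsock show catalog` dump.

Added example, not code from the thread or from LSP-Fix. Post #6 explains
the failure: deleting the webHancer folder removed its DLL but left the
Layered Service Provider registered, so every Winsock chain layered over
it fails to load and no application can open a socket any more.

Assumptions: SAMPLE_CATALOG is CONSTRUCTED to mimic netsh output, the DLL
name webhdll.dll is hypothetical, and `exists` is injected so the check
can run on a machine that is not the infected one.
"""
import ntpath
import os
import re
from typing import Callable, Dict, List, Tuple

# Providers Windows itself registers; never reported.
BUILTIN_PROVIDERS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}

SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        webHancer LSP (constructed)
Provider Path:                      C:\\Program Files\\webHancer\\Programs\\webhdll.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        webHancer LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\\Program Files\\webHancer\\Programs\\webhdll.dll
Catalog Entry ID:                   1003
Protocol Chain Length:              2
Protocol Chain:                     1002 : 1001
"""

# "Key:   value" lines; the key is the text before the first colon.
FIELD = re.compile(r"^([A-Za-z ]+?):\s+(.+?)\s*$")


def parse_catalog(text: str) -> Dict[int, Dict[str, str]]:
    """Return {catalog entry id: {field: value}} for every provider entry."""
    entries: Dict[int, Dict[str, str]] = {}
    for chunk in text.split("Winsock Catalog Provider Entry")[1:]:
        fields: Dict[str, str] = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        entries[int(fields["Catalog Entry ID"])] = fields
    return entries


def provider_dll(fields: Dict[str, str], system_root: str = r"C:\WINDOWS") -> str:
    """Expand %SystemRoot% the way the Winsock loader would."""
    return fields["Provider Path"].replace("%SystemRoot%", system_root)


def find_broken_lsps(text: str, exists: Callable[[str], bool] = os.path.exists
                     ) -> List[Tuple[int, str, List[str]]]:
    """(entry id, description, missing DLLs) for every entry that cannot load.

    A chain entry is reported when its own DLL or any entry in its protocol
    chain points at a file that is gone, which is the situation after the
    webHancer folder was deleted but the catalog was not repaired."""
    entries = parse_catalog(text)
    missing: Dict[int, str] = {}
    for cid, fields in entries.items():
        dll = provider_dll(fields)
        if ntpath.basename(dll).lower() in BUILTIN_PROVIDERS:
            continue
        if not exists(dll):
            missing[cid] = dll
    findings: List[Tuple[int, str, List[str]]] = []
    for cid, fields in sorted(entries.items()):
        chain = [int(x) for x in fields.get("Protocol Chain", "").split(":") if x.strip()]
        broken = sorted({missing[c] for c in [cid] + chain if c in missing})
        if broken:
            findings.append((cid, fields["Description"], broken))
    return findings


if __name__ == "__main__":
    # Simulate the thread: the webHancer folder is gone, the catalog entry is not.
    for cid, desc, dlls in find_broken_lsps(SAMPLE_CATALOG, lambda p: "webHancer" not in p):
        print(f"entry {cid}: {desc} -> missing {', '.join(dlls)}")
```

On a live XP SP2 or later machine the input is the output of `netsh winsock show catalog` with `exists` left at `os.path.exists`; `netsh winsock reset` followed by a reboot rebuilds the catalog to its defaults, which is the built-in counterpart of the LSP-Fix repair the post links to.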
28.08.2008, 10:45 | #7 |
| PC installs and starts applications on its own combofix.txt: Code:
ComboFix 08-08-26.03 - Medion 2008-08-27 18:03:08.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.1576 [GMT 2:00] ausgeführt von:: H:\ComboFix.exe * Neuer Wiederherstellungspunkt wurde erstellt Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !! . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . C:\Dokumente und Einstellungen\All Users\Desktop\crazy girls.lnk C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008.lnk C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\Antivirus XP 2008.lnk C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\License Agreement.lnk C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\Register Antivirus XP 2008.lnk C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\Uninstall.lnk C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\macromedia\Flash Player\#SharedObjects\VNLL9R24\static.youku.com C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\macromedia\Flash Player\#SharedObjects\VNLL9R24\static.youku.com\v1.0.0233\v\swf\qplayer.swf\youku.sol C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol C:\Dokumente und Einstellungen\Medion\Favoriten\Videos.url C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Anwendungsdaten\wmycc.dat C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Anwendungsdaten\wmycc.exe C:\Dokumente und Einstellungen\Medion\Lokale 
Einstellungen\Anwendungsdaten\wmycc_nav.dat C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Anwendungsdaten\wmycc_navps.dat C:\Dokumente und Einstellungen\Medion\Startmenü\crazy girls.lnk C:\WINDOWS\system32\a.exe C:\WINDOWS\system32\softwares.dll . ((((((((((((((((((((((((((((((((((((((( Treiber/Dienste ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_SYSREST.SYS -------\Legacy_TDSSSERV -------\Legacy_XPROTECTOR -------\Service_tdssserv -------\Service_XPROTECTOR ((((((((((((((((((((((( Dateien erstellt von 2008-07-27 bis 2008-08-27 )))))))))))))))))))))))))))))) . 2008-08-27 17:07 . 2008-08-27 17:07 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware 2008-08-27 17:07 . 2008-08-27 17:07 <DIR> d-------- C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\Malwarebytes 2008-08-27 17:07 . 2008-08-27 17:07 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes 2008-08-27 17:07 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-08-27 17:07 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-08-27 14:33 . 2008-08-27 14:33 <DIR> d-------- C:\Programme\Trend Micro 2008-08-27 14:16 . 2008-08-27 14:16 <DIR> d-------- C:\Programme\Lavasoft 2008-08-27 14:16 . 2008-08-27 14:16 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft 2008-08-27 14:15 . 2008-08-27 14:15 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard 2008-08-26 20:40 . 2008-08-26 20:40 <DIR> d-------- C:\Programme\Windows Live Safety Center 2008-08-26 19:55 . 2008-08-26 19:55 <DIR> d-------- C:\Programme\xp-AntiSpy 2008-08-25 17:29 . 2008-08-27 15:18 11,264 --ahs---- C:\WINDOWS\system32\Thumbs.db 2008-08-22 22:02 . 2008-08-22 22:05 <DIR> d-------- C:\Programme\Remote Control Pro 2008-08-22 21:06 . 2008-08-22 21:06 <DIR> d-------- C:\WINDOWS\system32\sounds 2008-08-22 21:06 . 
2008-08-22 21:06 <DIR> d-------- C:\WINDOWS\system32\logs 2008-08-22 21:06 . 2008-08-22 21:06 <DIR> d-------- C:\WINDOWS\system32\download 2008-08-22 21:06 . 2008-08-22 21:08 31 --a------ C:\WINDOWS\system32\value.ini 2008-08-22 19:38 . 2008-08-22 19:38 <DIR> d-------- C:\Programme\livetvbar 2008-08-22 19:38 . 2008-08-22 19:38 674,138 --a------ C:\WINDOWS\unins000.exe 2008-08-22 19:38 . 2008-08-22 19:38 9,588 --a------ C:\WINDOWS\unins000.dat 2008-08-22 19:38 . 2008-07-30 06:13 128 --a------ C:\WINDOWS\Free Movies OnDemand.url 2008-08-22 19:38 . 2008-07-18 00:36 128 --a------ C:\WINDOWS\Boost Your PC Performance!.url 2008-08-18 10:10 . 2008-08-18 10:10 <DIR> d-------- C:\Programme\SpeedSim 2008-08-18 10:10 . 2008-08-18 10:10 <DIR> d-------- C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\SpeedSim 2008-08-17 20:15 . 2008-08-17 20:15 <DIR> d-------- C:\Programme\MauZ Php Editor 2008-08-17 20:01 . 2008-08-24 17:07 67 --a------ C:\WINDOWS\SpotAuditor.INI 2008-08-17 19:53 . 2008-08-17 19:56 <DIR> d-------- C:\Programme\Nsasoft 2008-08-16 08:45 . 2008-08-16 08:45 <DIR> d-------- C:\Programme\Veoh Networks 2008-08-12 03:02 . 2008-08-12 03:02 <DIR> d-------- C:\WINDOWS\SQLTools9_KB948109_ENU 2008-08-12 03:00 . 2008-08-12 03:00 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU 2008-08-11 22:36 . 2008-08-22 10:25 <DIR> d-------- C:\Programme\Microsoft Silverlight 2008-08-11 22:14 . 2008-08-12 03:02 <DIR> d-------- C:\Programme\Microsoft SQL Server 2008-08-11 21:58 . 2008-08-11 21:58 <DIR> d-------- C:\Programme\Microsoft Synchronization Services 2008-08-11 21:51 . 2008-08-11 21:51 <DIR> d-------- C:\Programme\Microsoft.NET 2008-08-11 21:51 . 2008-08-11 21:59 <DIR> d-------- C:\Programme\Microsoft Visual Studio 9.0 2008-08-11 21:51 . 2008-08-11 22:00 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft Help 2008-08-11 21:50 . 2008-08-11 21:50 <DIR> d-------- C:\Programme\Microsoft SDKs 2008-08-11 21:47 . 
2008-08-11 21:47 <DIR> d-------- C:\WINDOWS\system32\XPSViewer 2008-08-11 21:47 . 2008-08-11 21:47 <DIR> d-------- C:\Programme\Reference Assemblies 2008-08-11 21:47 . 2008-08-11 21:47 <DIR> d-------- C:\Programme\MSBuild 2008-08-11 21:45 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll 2008-08-11 21:39 . 2008-08-11 21:39 <DIR> d-------- C:\Programme\MSXML 6.0 2008-08-10 17:37 . 2008-08-10 17:37 <DIR> d-------- C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ICQ Toolbar 2008-08-09 18:47 . 2008-08-26 20:09 <DIR> d-------- C:\Programme\ICQToolbar 2008-08-09 18:46 . 2008-08-09 18:51 <DIR> d-------- C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ICQ 2008-08-09 18:44 . 2008-08-09 18:51 <DIR> d-------- C:\Programme\ICQ6 2008-08-04 12:46 . 2008-08-04 12:46 <DIR> d-------- C:\Programme\1964 2008-08-02 16:01 . 2008-08-02 16:01 <DIR> d-------- C:\Programme\weblin 2008-08-02 16:00 . 2008-08-02 16:02 <DIR> d-------- C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\zweitgeist 2008-08-02 14:58 . 2008-08-03 22:06 <DIR> d-------- C:\Programme\mupen64 0.5 2008-07-27 18:57 . 2008-07-27 18:57 <DIR> d-------- C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\Xilisoft Corporation 2008-07-27 18:54 . 2008-07-27 18:54 <DIR> d-------- C:\Programme\Xilisoft . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-08-27 16:08 17,408 ----a-w C:\WINDOWS\system32\drivers\USBCRFT.SYS 2008-08-26 10:42 --------- d-----w C:\Programme\Windows Live 2008-08-25 15:47 9,248 ----a-w C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\wklnhst.dat 2008-08-24 15:09 --------- d---a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP 2008-08-22 17:51 --------- d--h--w C:\Programme\InstallShield Installation Information 2008-08-10 17:02 --------- d-----w C:\Programme\eMule 2008-08-01 13:24 --------- d-----w C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\temp 2008-07-28 19:06 --------- d-----w C:\Programme\DivX 2008-07-23 14:27 --------- d-----w C:\Programme\Gemeinsame Dateien\DVDVideoSoft 2008-07-23 14:26 --------- d-----w C:\Programme\DVDVideoSoft 2008-07-19 18:14 22,004 ----a-w C:\WINDOWS\system32\winwizard.dll 2008-07-18 18:39 587,776 ----a-w C:\WINDOWS\WLXPGSS.SCR 2008-07-18 14:40 --------- d-----w C:\Programme\AOL 9.0 2008-07-10 16:09 --------- d-----w C:\Programme\Freecorder 2008-07-09 21:13 --------- d-----w C:\Programme\Fox 2008-07-09 17:18 --------- d-----w C:\Programme\Eidos Interactive 2008-07-09 17:14 --------- d-----w C:\Programme\Infogrames 2008-07-08 11:15 --------- d-----w C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\DivX 2008-07-07 20:30 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-07-01 15:06 35,328 ----a-w C:\WINDOWS\system32\cygz.dll 2008-07-01 15:06 35,328 ----a-w C:\WINDOWS\cygz.dll 2008-07-01 15:06 1,126,281 ----a-w C:\WINDOWS\system32\cygwin1.dll 2008-07-01 15:06 1,126,281 ----a-w C:\WINDOWS\cygwin1.dll 2008-06-24 16:22 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-23 15:38 665,088 ----a-w C:\WINDOWS\system32\wininet.dll 2008-06-20 17:39 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll 2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe 2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe 2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll 2008-06-11 00:07 129,784 ------w 
C:\WINDOWS\system32\pxafs.dll 2008-06-11 00:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe 2008-06-11 00:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe 2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2008-05-21 09:52 4,500,672 ----a-w C:\Programme\FLV PlayerRCATSetup.exe 2008-05-21 09:52 2,725,048 ----a-w C:\Programme\FLV PlayerFCSetup.exe 2008-05-21 09:51 411,248 ----a-w C:\Programme\FLV PlayerRCSetup.exe 2008-02-27 20:26 59,456 ----a-w C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\GDIPFONTCACHEV1.DAT 2005-03-15 14:17 8 --sh--r C:\WINDOWS\system32\2976313739.sys . (((((((((((((((((((((((((((( Autostart Punkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt. REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "C:\Programme\Freecorder\tbFre1.dll" [2008-07-10 18:09 1569304] "{ad55c869-668e-457c-b270-0cfb2f61116f}"= "C:\Programme\livetvbar\tblive.dll" [2008-07-10 14:04 1600024] [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}] [HKEY_CLASSES_ROOT\clsid\{ad55c869-668e-457c-b270-0cfb2f61116f}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}] 2008-07-10 18:09 1569304 --a------ C:\Programme\Freecorder\tbFre1.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad55c869-668e-457c-b270-0cfb2f61116f}] 2008-07-10 14:04 1600024 --a------ C:\Programme\livetvbar\tblive.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "C:\Programme\Freecorder\tbFre1.dll" [2008-07-10 18:09 1569304] "{ad55c869-668e-457c-b270-0cfb2f61116f}"= "C:\Programme\livetvbar\tblive.dll" [2008-07-10 14:04 1600024] [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}] [HKEY_CLASSES_ROOT\clsid\{ad55c869-668e-457c-b270-0cfb2f61116f}] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "C:\Programme\Freecorder\tbFre1.dll" [2008-07-10 18:09 1569304] "{AD55C869-668E-457C-B270-0CFB2F61116F}"= "C:\Programme\livetvbar\tblive.dll" [2008-07-10 14:04 1600024] [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}] [HKEY_CLASSES_ROOT\clsid\{ad55c869-668e-457c-b270-0cfb2f61116f}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360] "WMPNSCFG"="C:\Programme\Windows Media Player\WMPNSCFG.exe" [2006-11-03 09:56 204288] "ICQ"="C:\Programme\ICQ6\ICQ.exe" [2008-04-01 12:40 172280] "Veoh"="C:\Programme\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 18:35 3587120] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 08:32 5537792] "AOLDialer"="C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe" [2007-06-21 14:42 70952] "PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [2004-11-09 06:14 81920] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648] "AntivirusRegistration"="C:\Programme\CA\Etrust Antivirus\Register.exe" [2005-01-31 16:09 458752] "Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-06-26 01:17 504080] "Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792] "HostManager"="C:\Programme\Gemeinsame Dateien\AOL\1203702677\ee\AOLSoftware.exe" [2006-09-26 02:52 50736] "LogitechCommunicationsManager"="C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 10:52 505368] "LogitechQuickCamRibbon"="C:\Programme\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 10:53 780312] "RealTray"="C:\Programme\Real\RealPlayer\RealPlay.exe" [2008-05-24 10:19 26112] "Remote Control Pro"="C:\Programme\Remote Control Pro\RCPServer.exe" [2007-09-17 10:57 491520] 
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 11:50 88363 C:\WINDOWS\AGRSMMSG.exe] "nwiz"="nwiz.exe" [2005-02-24 08:32 1495040 C:\WINDOWS\system32\nwiz.exe] "CHotkey"="mHotkey.exe" [2004-02-24 15:05 508416 C:\WINDOWS\mHotkey.exe] "ledpointer"="CNYHKey.exe" [2004-02-03 18:15 5794816 C:\WINDOWS\CNYHKey.exe] "Dit"="Dit.exe" [2004-07-20 19:18 90112 C:\WINDOWS\Dit.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2008-03-05 19:12 68856 C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\WINDOWS\\system32\\sessmgr.exe"= "C:\\Programme\\Messenger\\msmsgs.exe"= "C:\\Programme\\AOL 9.0\\AOL.exe"= "C:\\Programme\\AOL 9.0\\WAOL.exe"= "C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLACSD.exe"= "C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLDIAL.exe"= "C:\\WINDOWS\\system32\\fxsclnt.exe"= "C:\\Programme\\CA\\eTrust Antivirus\\InocIT.exe"= "C:\\Programme\\CA\\eTrust Antivirus\\Realmon.exe"= "C:\\Programme\\CA\\eTrust Antivirus\\InoRpc.exe"= "C:\\Programme\\NetMeeting\\Conf.exe"= "C:\\Programme\\eMule\\emule.exe"= "C:\\WINDOWS\\system32\\java.exe"= "C:\\Programme\\Gemeinsame Dateien\\aol\\1203702677\\ee\\aolsoftware.exe"= "C:\\Programme\\Reality Pump\\World War III Black Gold\\Setup.exe"= "C:\\WINDOWS\\system32\\dpvsetup.exe"= "D:\\Programme\\BearShare\\BearShare.exe"= "C:\\Dokumente und Einstellungen\\Medion\\Desktop\\Spiele\\Warcraft III.exe"= "D:\\Warcraft III\\Warcraft III.exe"= "D:\\Warcraft III\\War3.exe"= 
"C:\\Programme\\Opera\\Opera.exe"= "%windir%\\system32\\sessmgr.exe"= "C:\\Programme\\ICQ6\\ICQ.exe"= "C:\\Programme\\Veoh Networks\\Veoh\\VeohClient.exe"= "C:\\Programme\\Remote Control Pro\\RCPServer.exe"= "C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programme\\Windows Live\\Messenger\\livecall.exe"= "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"= R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-02-22 11:19] R2 RCPServer;Remote Control Pro;C:\Programme\Remote Control Pro\rcpserver.exe [2007-09-17 10:57] R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2004-10-06 15:10] R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-01 14:58] R3 PRISM_A00;CREATIX 802.11g Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys [2004-01-16 10:31] R3 Rcphook;Rcphook;C:\WINDOWS\system32\DRIVERS\rcpmini.sys [2007-02-23 04:19] R3 UKBFLT;UKBFLT;C:\WINDOWS\system32\DRIVERS\UKBFLT.sys [2003-12-19 18:13] S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-08-27 18:08] . Inhalt des "geplante Tasks" Ordners . - - - - Entfernte verwaiste Registrierungseinträge - - - - HKLM-Run-Cmaudio - cmicnfg.cpl MSConfigStartUp-Felix - C:\Program Files\ScreenMates\felix2.exe MSConfigStartUp-scvhost - mirc.exe . ------- Zusätzlicher Scan ------- . 
FireFox -: Profile - C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\Mozilla\Firefox\Profiles\io3igo61.default\ FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1576177&SearchSource=3&q= FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPJava11.dll FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPJava12.dll FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPJava13.dll FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPJava14.dll FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPJava32.dll FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPJPI150_01.dll FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPOJI610.dll FF -: plugin - C:\Programme\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll FF -: plugin - C:\Programme\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-27 18:08:42 Windows 5.1.2600 Service Pack 2 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostart Einträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . ------------------------ Weitere, laufende Prozesse ------------------------ . 
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe C:\Programme\Gemeinsame Dateien\logishrd\LVMVFM\LVPrcSrv.exe C:\Programme\Gemeinsame Dateien\aol\ACS\AOLacsd.exe C:\Programme\CA\Etrust Antivirus\InoRpc.exe C:\Programme\CA\Etrust Antivirus\InoRT.exe C:\Programme\Gemeinsame Dateien\logishrd\LVCOMSER\LVComSer.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe C:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe C:\WINDOWS\system32\nvsvc32.exe C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\rundll32.exe C:\Programme\Windows Media Player\wmpnetwk.exe C:\PROGRA~1\COMMON~1\X10\Common\X10nets.exe C:\Programme\Gemeinsame Dateien\logishrd\LVCOMSER\LVComSer.exe C:\Programme\Gemeinsame Dateien\logishrd\LQCVFX\COCIManager.exe . ************************************************************************** . Zeit der Fertigstellung: 2008-08-27 18:12:21 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2008-08-27 16:12:15 Pre-Run: 14 Verzeichnis(se), 189,837,086,720 Bytes frei Post-Run: 18 Verzeichnis(se), 190,295,973,888 Bytes frei 284 --- E O F --- 2008-08-22 08:25:10 |
28.08.2008, 10:47 | #8 |
| PC installs and starts applications on its own Once more the HijackThis log: Code:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:46:47, on 28.08.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\mHotkey.exe C:\WINDOWS\Dit.exe C:\PROGRA~1\CA\ETRUST~1\realmon.exe C:\Programme\Gemeinsame Dateien\AOL\1203702677\ee\AOLSoftware.exe C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Windows Media Player\WMPNSCFG.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe C:\WINDOWS\System32\svchost.exe C:\Programme\CA\eTrust Antivirus\InoRpc.exe C:\Programme\CA\eTrust Antivirus\InoRT.exe C:\Programme\CA\eTrust Antivirus\InoTask.exe C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe C:\WINDOWS\system32\wuauclt.exe C:\Programme\Picture It! 
Premium 10\pi.exe C:\Programme\Opera\Opera.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\Programme\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Programme\Freecorder\tbFre1.dll R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll R3 - URLSearchHook: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Programme\livetvbar\tblive.dll O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Programme\Freecorder\tbFre1.dll O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll O2 - BHO: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Programme\livetvbar\tblive.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll O3 - Toolbar: Windows Live Toolbar - 
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Programme\Freecorder\tbFre1.dll O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O3 - Toolbar: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Programme\livetvbar\tblive.dll O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [CHotkey] mHotkey.exe O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe O4 - HKLM\..\Run: [Dit] Dit.exe O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [AntivirusRegistration] C:\Programme\CA\Etrust Antivirus\Register.exe O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [HostManager] C:\Programme\Gemeinsame Dateien\AOL\1203702677\ee\AOLSoftware.exe O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programme\Logitech\QuickCam10\QuickCam10.exe" /hide O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [Veoh] "C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide O4 - HKCU\..\Run: [ICQ] 
"C:\Programme\ICQ6\ICQ.exe" silent O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: Download with Xilisoft Download YouTube Video - C:\Programme\Xilisoft\Download YouTube Video\upod_link.HTM O8 - Extra context menu item: In neuer Registerkarte im Hintergrund öffnen - res://C:\Programme\Windows Live Toolbar\Components\de-de\msntabres.dll.mui/229?d8f2a52997324421b577ad1c5966fda3 O8 - Extra context menu item: In neuer Registerkarte im Vordergrund öffnen - res://C:\Programme\Windows Live Toolbar\Components\de-de\msntabres.dll.mui/230?d8f2a52997324421b577ad1c5966fda3 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: 
ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU) O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110880546187 O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{A9AE2FF8-35DF-4C5B-B467-B5938B4EE82E}: NameServer = 195.50.140.252 195.50.140.114 O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. 
- C:\Programme\CA\eTrust Antivirus\InoTask.exe O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe -- End of file - 10367 bytes

Thanks for everything, everything actually seems to be working fine now. Is anything else needed? Internet works without problems, the background can be changed, no more software starting by itself. And sorry for posting twice in a row; the forum told me my message was too long. I also have the MBAM log, but I can't post that either, because it alone contains 65,000 characters. 25,000 are allowed, as I just saw... |
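The HijackThis log in post #8 was read by eye. The following added example (editor's code, not HijackThis and not part of the thread) encodes the checks a helper applies to such a log: O4 autostarts that run from a user-writable data folder or carry a generated-looking name, O2/O3 add-ons with no name or a digit-only folder, O10 Winsock LSP entries, per-adapter DNS servers (O17) that are not on an allow list, and O23 services without a vendor. SAMPLE_LOG is constructed from the entry formats seen in this thread; wuhelper.exe and webhdll.dll are hypothetical names, and KNOWN_DNS is an assumed allow list that would hold the ISP's real resolvers.

```python
"""Triage HijackThis log lines the way the helpers in this thread read them.

Added example; not part of the thread and not HijackThis code. SAMPLE_LOG
is CONSTRUCTED from the entry formats in the thread; wuhelper.exe and
webhdll.dll are hypothetical names; KNOWN_DNS is an assumption.
"""
import ntpath
import re
from typing import List, Tuple

# Folders a legitimate autostart binary rarely runs from (English and
# German XP folder names; matched case-insensitively).
USER_DATA_DIRS = ("\\temp\\", "\\application data\\", "\\anwendungsdaten\\",
                  "\\local settings\\", "\\lokale einstellungen\\")
# Assumption: the ISP's resolvers; empty means every O17 line is surfaced.
KNOWN_DNS = set()

SAMPLE_LOG = """\
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINDOWS\\system32\\375013\\375013.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Programme\\Gemeinsame Dateien\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [lphcnr5j0ej2n] C:\\WINDOWS\\system32\\lphcnr5j0ej2n.exe
O4 - HKLM\\..\\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\\..\\Run: [wmycc] C:\\Dokumente und Einstellungen\\Medion\\Lokale Einstellungen\\Anwendungsdaten\\wmycc.exe
O4 - HKLM\\..\\Run: [Realtime Monitor] C:\\PROGRA~1\\CA\\ETRUST~1\\realmon.exe -s
O10 - Broken Internet access because of LSP provider 'c:\\program files\\webhancer\\programs\\webhdll.dll' missing
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A9AE2FF8-35DF-4C5B-B467-B5938B4EE82E}: NameServer = 195.50.140.252 195.50.140.114
O23 - Service: Windows Update Helper (wuhelper) - Unknown owner - C:\\WINDOWS\\system32\\wuhelper.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\\Programme\\Lavasoft\\Ad-Aware\\aawservice.exe
"""

# First drive-letter path ending in .exe or .dll on the line.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll))", re.I)


def looks_generated(stem: str) -> bool:
    """Digit-only names, or long names that switch between letters and digits
    repeatedly (lphcnr5j0ej2n), are typical of dropper-generated file names."""
    s = stem.lower()
    if s.isdigit():
        return True
    if len(s) < 8:
        return False
    flips = sum(1 for a, b in zip(s, s[1:]) if a.isdigit() != b.isdigit())
    return flips >= 3


def check_line(line: str) -> List[str]:
    """Return the reasons a single HJT line deserves a second look."""
    section = line.split(" - ", 1)[0]
    m = PATH_RE.search(line)
    path = m.group(1) if m else ""
    stem = ntpath.splitext(ntpath.basename(path))[0]
    reasons: List[str] = []
    if section == "O4":
        if any(d in path.lower() for d in USER_DATA_DIRS):
            reasons.append("autostart from user data folder")
        if looks_generated(stem):
            reasons.append("generated-looking file name")
    elif section in ("O2", "O3", "R3"):
        if "(no name)" in line or "(no file)" in line:
            reasons.append("add-on without name or file")
        if looks_generated(stem) or looks_generated(ntpath.basename(ntpath.dirname(path))):
            reasons.append("generated-looking path")
    elif section == "O10":
        reasons.append("Winsock LSP entry; verify provider DLL before removal")
    elif section == "O17":
        servers = line.split("NameServer = ", 1)[-1].split()
        unknown = [s for s in servers if s not in KNOWN_DNS]
        if unknown:
            reasons.append("DNS not on allow list: " + " ".join(unknown))
    elif section == "O23" and "Unknown owner" in line:
        reasons.append("service without vendor")
    return reasons


def triage(text: str) -> List[Tuple[str, str, str]]:
    """(section, reasons, line) for every line worth escalating, in log order."""
    findings: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        reasons = check_line(line)
        if reasons:
            findings.append((line.split(" - ", 1)[0], "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for section, why, line in triage(SAMPLE_LOG):
        print(f"{section}: {why}\n    {line}")
```

The heuristics are deliberately loud: every hit is a candidate for an online file check, not a verdict, which is also how the helper treats the oreans32.sys driver in the next post.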
28.08.2008, 13:23 | #9 | |
| PC installs and starts applications on its own Hi, attention! ComboFix still shows a file (a driver!) that could belong to a rootkit: C:\WINDOWS\system32\drivers\oreans32.sys ->http://virus-protect.org/artikel/dienste/oreans32.html Please have it checked online right away; it may be that MAM already caught it (the log isn't available; just post the MAM findings)... The HJ log looks good; please also briefly check the MBR: MBR rootkit Download the MBR rootkit scanner from GMER onto your boot drive: http://www2.gmer.net/mbr/mbr.exe Remember the directory you downloaded it to; Start->Run->cmd Change into the download directory and start the program by typing mbr... The result should look like this: Quote:
post it in the thread; chris
__________________ Don't bring me down Read before posting! Donations (Anyone who wants to donate is welcome to get in touch ) |
28.08.2008, 14:24 | #10 |
| PC installs and starts applications on its own mam log: Infizierte Registrierungsschlüssel: Code:
HKEY_CLASSES_ROOT\e404.e404mgr (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr.1 (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj.1 (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0ec085a8-9818-43b7-b975-ec7555eda4d2} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1a74c41c-0837-4fbe-ba50-621eb70f01ce} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{25297614-1b76-4c2c-82c6-62738aa0e8f0} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{37f89457-1208-4670-9245-58c62bd6d870} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{45477032-abd0-454d-9ce4-ea34c10322f8} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{69e34747-0b27-4b30-ae20-1023bf29e246} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{79be5b3b-80b2-4b77-a042-efc90f6e0de7} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7c0ec6bf-81b9-4fe0-9447-4ed29a36bf5d} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7ebb34cf-1728-4136-a968-48f231dad1b4} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{88daa291-b413-4c46-b378-3be66f65369e} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{936a2f4a-53f8-4d2f-92aa-2f9de889841c} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{afcc3fa7-82a9-42d5-a405-78711e97a5d6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cc05a4a3-7b28-488f-ab02-6aaedb86accf} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e80114aa-6653-4952-9e97-5f1dc63bee0f} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f9109a2a-432b-4add-a6fa-06ba22dcd2d9} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fca3958a-8d38-4d14-8b81-ccd7f68a8a01} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{74f7db6b-86e9-4b91-9d9f-b0d954d7aa5b} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cbd02e9b-37ef-47d2-96b0-3abbb2eb92bf} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74f7db6b-86e9-4b91-9d9f-b0d954d7aa5b} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcjr5j0ej2n (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcjr5j0ej2n (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Infizierte Registrierungswerte: Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
Infizierte Dateiobjekte der Registrierung: Code:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. |
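Every Malwarebytes finding in the posts above has the same one-line shape (item, detection family in parentheses, then the action), which makes such logs easy to triage mechanically. The script below is an added example, not code from the thread or from Malwarebytes: it parses lines of that shape, counts detections per family, flags the ones that live in autostart, driver, browser-helper or policy locations (the entries that explain the symptoms in this thread, such as the locked desktop background and the rogue program starting by itself) and lists anything not yet reported as quarantined and deleted. The sample log is constructed from lines copied out of the posts plus one made-up `Delete on reboot` line with a placeholder file name.

```python
"""Triage helper for Malwarebytes (MBAM) log lines of the shape posted in this thread.

Added example; not part of the forum thread and not Malwarebytes' own code.
Every finding looks like

    <registry key, value, directory or file> (<Detection.Family>) -> <action>.

Registry data items carry an extra "-> Bad: (..) Good: (..)" segment before the action.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the log in this thread, plus one made-up
# "Delete on reboot" line (PLACEHOLDER file name, not from the thread) so the
# "not actually removed yet" case is exercised, and one section header to be skipped.
SAMPLE_LOG = r"""
HKEY_CLASSES_ROOT\e404.e404mgr (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74f7db6b-86e9-4b91-9d9f-b0d954d7aa5b} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mirc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PLACEHOLDER_locked.dll (Trojan.Agent) -> Delete on reboot.
Infizierte Registrierungswerte:
"""

# item, "(Family.Name)", optional "-> Bad: (x) Good: (y)", "-> action", optional final dot
FINDING_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$"
)

# Locations that give malware a foothold or lock the user out of a setting.
# Order matters: the first matching rule wins.
PERSISTENCE_RULES = [
    ("autostart: Run/RunOnce key", re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)),
    ("autostart: service or driver", re.compile(r"\\Services\\", re.I)),
    ("browser: helper object (BHO)", re.compile(r"\\Browser Helper Objects\\", re.I)),
    ("lockdown: Explorer/System policy", re.compile(r"\\Policies\\", re.I)),
    ("lockdown: desktop/wallpaper settings", re.compile(r"\\Control Panel\\Desktop\\", re.I)),
]


@dataclass
class Finding:
    item: str
    family: str
    action: str
    persistence: Optional[str]   # which autostart/lockdown location, if any
    bad: Optional[str] = None    # value MBAM found (registry data items only)
    good: Optional[str] = None   # value MBAM restored (registry data items only)


def classify_location(item: str) -> Optional[str]:
    """Return the persistence/lockdown label for an item, or None if it is plain clutter."""
    for label, pattern in PERSISTENCE_RULES:
        if pattern.search(item):
            return label
    return None


def parse_mbam_log(text: str) -> List[Finding]:
    """Parse every finding line; headers, blank lines and chatter are skipped."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = FINDING_RE.match(raw.strip())
        if not m:
            continue
        findings.append(Finding(
            item=m.group("item"), family=m.group("family"), action=m.group("action"),
            persistence=classify_location(m.group("item")),
            bad=m.group("bad"), good=m.group("good")))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Counts per family, persistence items by location, and anything not yet removed."""
    families = Counter(f.family for f in findings)
    persistence: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f.persistence:
            persistence[f.persistence].append(f.item)
    # Anything not reported as quarantined+deleted still needs a reboot and a re-scan.
    pending = [f.item for f in findings
               if not f.action.lower().startswith("quarantined and deleted")]
    return {"total": len(findings), "families": dict(families),
            "persistence": dict(persistence), "pending": pending}


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(f"{report['total']} findings")
    for fam, n in sorted(report["families"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:3d}  {fam}")
    for label, items in report["persistence"].items():
        print(f"{label}:")
        for it in items:
            print(f"    {it}")
    if report["pending"]:
        print("still pending (reboot and re-scan before trusting the machine):")
        for it in report["pending"]:
            print(f"    {it}")
```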
28.08.2008, 14:25 | #11 |
| PC installs and starts applications on its own Infizierte Verzeichnisse: Code:
C:\Programme\Instant Access (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Center (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom\4282 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom\4282\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\50214 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\50214\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\50214\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom\3423 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom\3423\DE (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\www.waypointcash.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\www.waypointcash.com\conversion (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\www.waypointcash.com\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom\4282 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom\4282\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\50214 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\50214\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\50214\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom\4160 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom\4160\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom\4239 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom\4239\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\375013 (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully. |
28.08.2008, 14:27 | #12 |
| PC installs and starts applications on its own
Infected files: part 1
Code:
C:\Avenger\375013.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Avenger\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (Adware.Shopper) -> Quarantined and deleted successfully.
C:\Avenger\webHancer\whAgent_update.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Avenger\webHancer\Programs\whinstaller.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\ShprInstaller.exe (Adware.Shopper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mirc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Center\Crazy Girls.upd (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Center\GAMES-DESKTOP.COM.upd (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Center\NoCreditCard.upd (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Center\SERIALPLAYERS.upd (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Center\tray1.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-external-api.dlv4.com\js\9929ec563323f5ceac29c2322fcf5448 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\Common\57f0b682532374280e3060e40d979931.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\Common\57f0b682532374280e3060e40d979931.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160\4160_dialer.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\www.rapid-pass.net\472bbe77dffbe6b3c6719420a65b2af4 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-external-api.dlv4.com\js\7635c85abc78b057c79a2da8d4102715 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\Common\539b9a5ee7256bdec05490088b05f09b.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239\4239_dialer.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\4679f5172fb0650bf4c57b98af103a24.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\4679f5172fb0650bf4c57b98af103a24.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\background.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\index_02.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\index_03.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\index_05.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\index_06.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\EN\index_01.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\www.rapid-pass.net\77054f311e0bcccb48f8f8b6dcad5147 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\Crazy Girls.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-external-api.dlv4.com\js\59c27f4241eb59d6a79e36cbf79aa4ea (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\Common\1d3d21fe1af6ddff012e8c9913c24087.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239\4239_dialer.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\a72e3b78bf5fa5498dd72cc5fa015e73.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\a72e3b78bf5fa5498dd72cc5fa015e73.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\index_02.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\index_05.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\index_07.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\EN\index_01.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\EN\index_03.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\EN\index_06.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\www.rapid-pass.net\c3d15f128cbf70612e4e917e01d03ef1 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\SERIALPLAYERS.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-external-api.dlv4.com\js\0a892e7975b9125f0170b1032a84950f (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\Common\9a92b5efdefde64ecdc6854e957a50d8.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\4b944aab33bdf096511ca2557a259f93.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\4b944aab33bdf096511ca2557a259f93.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\50214\images\index_02.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\50214\images\index_04.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\50214\images\EN\index_01.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\www.rapid-pass.net\a4a70b22b8556df7681dd57b2e524977 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\NoCreditCard.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-external-api.dlv4.com\js\b830d28dcbd21e27168b26b1d0a7d995 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\Common\8ad12a29c1d434a475ac973813e182f0.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom\3423\DE\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom\3423\DE\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom\3423\DE\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom\3423\DE\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\bcc54009de2268c98be4ba8ae65126cd.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\bcc54009de2268c98be4ba8ae65126cd.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_01.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_02.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_03.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_04.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_05.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_08.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_09.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_10.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_11.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_12.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\www.waypointcash.com\conversion\2c179372da6c88c98ab6faa72752a5f4 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\www.waypointcash.com\images\waypointlogo.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\Crazy Girls.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-external-api.dlv4.com\js\48df84da4b77ecf6924632fcc818843a (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\Common\1b51321b6e8a12496893fc0de4b3b1a7.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239\4239_dialer.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\4679f5172fb0650bf4c57b98af103a24.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\4679f5172fb0650bf4c57b98af103a24.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\background.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\index_02.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\index_03.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\index_05.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\index_06.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\EN\index_01.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\www.rapid-pass.net\9ef61a8670423bb3ff98a81724a791b1 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\SERIALPLAYERS.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-external-api.dlv4.com\js\0a892e7975b9125f0170b1032a84950f (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\Common\9a92b5efdefde64ecdc6854e957a50d8.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\4b944aab33bdf096511ca2557a259f93.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\4b944aab33bdf096511ca2557a259f93.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\50214\images\index_02.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\50214\images\index_04.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\50214\images\EN\index_01.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-external-api.dlv4.com\js\0ce2b669c62b5774d02ea575cd62e2ca (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\Common\de508d2db454349e88ca85a1d0f14161.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\Common\de508d2db454349e88ca85a1d0f14161.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282\4282_dialer.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\www.rapid-pass.net\ce179c3bc7e9bf830fb8356f04656799 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-external-api.dlv4.com\js\74250fa7fb4bb8c3c57a077689965be4 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\Common\9634e9b170f1ba239f184cdc9b70edff.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\e75806ffaf4bc15271fe4b6bf0bde9da.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\e75806ffaf4bc15271fe4b6bf0bde9da.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\00.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\bando.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\bando_bas.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\bando_haut.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
|
28.08.2008, 14:28 | #13 |
| PC installs and starts applications on its own
Infected files: part 2
Code:
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\bas.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\d.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\g.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\fun1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\fun2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\fun3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\fun4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\jeu1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\jeu2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\jeu3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\titre.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-external-api.dlv4.com\js\aad489aac54d0b29e73883640085dc0f (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\Common\63885fa5bec2f3fb6a6c07d33647a12b.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\7b41db1988d377317bd9c144ee5484a1.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\7b41db1988d377317bd9c144ee5484a1.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\background.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\index_03.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\index_04.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\index_06.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\index_07.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\EN\index_01.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\EN\index_02.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\Crazy Girls.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-external-api.dlv4.com\js\524e8a29aa9e313e8f33665b30c634d5 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\Common\6c24ac195839b644a21431eb28d4b3cc.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239\4239_dialer.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\e0db83b4abfc4c7879316854addaae3b.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\e0db83b4abfc4c7879316854addaae3b.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\index_03.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\index_04.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\index_06.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\index_07.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\EN\index_01.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\EN\index_02.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\www.rapid-pass.net\4344b8e5b6a324bd6e124d535f34199d (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\blphcnr5j0ej2n.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcnr5j0ej2n.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcnr5j0ej2n.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Desktop\Antivirus XP 2008.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.25
Datenbank Version: 1062
Windows 5.1.2600 Service Pack 2

17:58:21 27.08.2008
mbam-log-08-27-2008 (17-58-21).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|)
Durchsuchte Objekte: 291063
Laufzeit: 34 minute(s), 56 second(s)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 66
Infizierte Registrierungswerte: 5
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 172
Infizierte Dateien: 217

Infizierte Speicherprozesse:
C:\WINDOWS\system32\sysrest32.exe (Rootkit.Agent) -> Unloaded process successfully.
28.08.2008, 14:35 | #14 |
| PC installs and starts applications on its own

C:\WINDOWS\system32\drivers\oreans32.sys

Code:
Antivirus          Version  Last update  Result
AhnLab-V3          -        -            -
AntiVir            -        -            -
Authentium         -        -            -
Avast              -        -            -
AVG                -        -            -
BitDefender        -        -            -
CAT-QuickHeal      -        -            Rootkit.Agent.ad
ClamAV             -        -            -
DrWeb              -        -            -
eSafe              -        -            -
eTrust-Vet         -        -            -
Ewido              -        -            -
F-Prot             -        -            -
F-Secure           -        -            -
Fortinet           -        -            -
GData              -        -            -
Ikarus             -        -            -
K7AntiVirus        -        -            Backdoor.Win32.SdBot.AEFU
Kaspersky          -        -            -
McAfee             -        -            -
Microsoft          -        -            -
NOD32v2            -        -            -
Norman             -        -            -
Panda              -        -            -
PCTools            -        -            Rootkit.Agent
Prevx1             -        -            -
Rising             -        -            -
Sophos             -        -            -
Sunbelt            -        -            -
Symantec           -        -            -
TheHacker          -        -            -
TrendMicro         -        -            -
VBA32              -        -            -
ViRobot            -        -            Trojan.Win32.NTRootkit.33952
VirusBuster        -        -            -
Webwasher-Gateway  -        -            -

MBR log
Quote:
28.08.2008, 15:27 | #15 |
| PC installs and starts applications on its own

Hi,

I think we'll kill that thing... Give your brother an earful, such an infested machine...

So:

Avenger instructions (by swandog46)

1.) Download the Avenger tool and save it to the desktop:

2.) Set up the program as shown in the picture.
Now copy the following text into the white field (at -> "input script here"):

Code:
Files to delete:
C:\WINDOWS\system32\drivers\oreans32.sys

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\oreans32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32

4.) To start Avenger, click -> Execute. Then confirm with "Yes" that the computer will restart!

5.) After the system has restarted, you will find a report from Avenger here -> C:\avenger.txt
Open the file with Notepad and copy the entire text into your post here at the Trojaner-Board.

chris
__________________
Don't bring me down
Read before posting! Donations (anyone who wants to donate is welcome to get in touch)
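A follow-up check for step 5, added here as an example; it is not code from the board, from chris or from Avenger. It reads the same "<kind> to delete:" sections as the script quoted in the post (embedded below as the sample input) and reports, after the reboot, which of the listed targets still exist, so the user can see whether the driver file and its service keys really disappeared rather than only trusting the report. Registry lookups use the Windows-only `winreg` module; on other platforms the keys and `C:\` paths are reported as unchecked. The probe functions are parameters so the logic can be exercised anywhere.

```python
"""Verify that the targets of an Avenger removal script are gone after the reboot.

Added example for this thread, not code from the board, the poster or Avenger.
Sections are grouped by their header ("Files to delete:", "registry keys to
delete:"); files are probed with os.path.exists and registry keys with winreg.
"""
import os
import sys
from dataclasses import dataclass

# The script posted above, embedded here as the sample input.
AVENGER_SCRIPT = """\
Files to delete:
C:\\WINDOWS\\system32\\drivers\\oreans32.sys

registry keys to delete:
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\oreans32
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\oreans32
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\oreans32
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_OREANS32
"""

SECTION_SUFFIX = " to delete:"


@dataclass
class Finding:
    kind: str    # section name in lower case, e.g. "files" or "registry keys"
    target: str  # the path or key exactly as written in the script
    status: str  # "removed", "still present" or "unchecked"


def parse_avenger_script(text):
    """Group the script's non-empty lines under their section header.

    Headers are matched case-insensitively because the post itself mixes
    "Files to delete:" and "registry keys to delete:".
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().endswith(SECTION_SUFFIX):
            current = line.lower()[: -len(SECTION_SUFFIX)]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"target listed before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def file_exists(path):
    """True/False on Windows; None elsewhere, where a C:\\ path means nothing."""
    if sys.platform != "win32":
        return None
    return os.path.exists(path)


def registry_key_exists(key_path):
    """True/False on Windows; None when winreg is unavailable (not Windows)."""
    try:
        import winreg
    except ImportError:
        return None
    hive_name, _, subkey = key_path.partition("\\")
    hives = {
        "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE, "HKLM": winreg.HKEY_LOCAL_MACHINE,
        "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER, "HKCU": winreg.HKEY_CURRENT_USER,
        "HKEY_USERS": winreg.HKEY_USERS, "HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT,
    }
    if hive_name.upper() not in hives:
        raise ValueError(f"unknown registry hive in {key_path!r}")
    try:
        with winreg.OpenKey(hives[hive_name.upper()], subkey):
            return True
    except FileNotFoundError:
        return False
    except PermissionError:
        return True  # the key exists; we merely lack read access to it


def verify_removal(text, file_exists=file_exists, key_exists=registry_key_exists):
    """Return one Finding per target, in script order."""
    findings = []
    for kind, targets in parse_avenger_script(text).items():
        for target in targets:
            if kind in ("files", "folders"):
                present = file_exists(target)
            elif kind == "registry keys":
                present = key_exists(target)
            else:
                present = None  # other section kinds are not probed by this example
            if present is None:
                status = "unchecked"
            else:
                status = "still present" if present else "removed"
            findings.append(Finding(kind, target, status))
    return findings


if __name__ == "__main__":
    results = verify_removal(AVENGER_SCRIPT)
    for f in results:
        print(f"{f.status:14} {f.kind:14} {f.target}")
    # Non-zero exit if anything the script should have deleted is still there.
    sys.exit(1 if any(f.status == "still present" for f in results) else 0)
```

Run it as a normal user after the reboot; a "still present" line for the `.sys` file or any of the four keys means the removal did not take and the report in C:\avenger.txt should be read before anything else is done.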