Log analysis and evaluation: trojan-spy.win32.greenscreen

If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here so that our experts can evaluate them. Before viruses and trojans can be removed, the infected system first has to be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
14.10.2008, 09:29 | #1
trojan-spy.win32.greenscreen

Hello trojan experts,

I have caught the trojan trojan-spy.win32.greenscreen, or maybe this XP Antispy 2009. At least it shows a white cross in a red circle in the taskbar. I had AntiVir, a-squared, Spybot, Ad-Aware and PestPatrol check the system and removed everything they found. I also used the CCleaner recommended here (great program for shareware!). But since I found a similar case in the forum, http://www.trojaner-board.de/59949-t...grundbild.html, and that user reports that the programs I used are not sufficient, I would like to ask you to take a quick look at my log file to see whether the system is really clean, so that I can set a restore point.

Many thanks for the great commitment on this site.

System: MS XP Professional Version 2002 Service Pack 2, 2.51 GHz (Core Duo), 3.25 GB RAM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:31, on 14.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

[edit] In future, please edit your links as shown to you here, among other places: http://www.trojaner-board.de/22771-a...tml#post171958 Thanks. Sunny [/edit]

Last edited by MarcusLehman (14.10.2008 at 09:59)
14.10.2008, 11:21 | #2
trojan-spy.win32.greenscreen

Hi,

You did not follow the board rules and did not obscure your links/personal info! Active links and personal information in HJT log files (http://www.trojaner-board.de/22771-aktive-links-und-persoenliche-informationen-hjt-log-files.html#post171958)

This looks interesting:
O20 - AppInit_DLLs: 72.dll

The file should be in C:\WINDOWS\system32, otherwise search for it! Please have the following file checked (have files checked online):

Code:
C:\WINDOWS\system32\72.dll

chris
15.10.2008, 10:54 | #3
trojan-spy.win32.greenscreen

Hey chris,

Many thanks for the quick reply, and sorry for the carelessness with the links, it will not happen again. Unfortunately this file cannot be found, neither in the folder itself nor with the search function; I also had C: searched for it, unfortunately nothing. But it is still present in the logfile. How should I proceed now? And how exactly do I get the hash values? Is that one of the values under filesize at VirusTotal? MD5...: SHA1..: SHA256: SHA512:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:23, on 15.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\a-squared free\a2service.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
C:\Programme\Dassault Systemes\CatiaV5\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\PowerISO\PWRISOVM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\OpenOffice.org 2.4\program\soffice.exe
C:\Programme\OpenOffice.org 2.4\program\soffice.BIN
C:\Programme\Gemeinsame Dateien\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\VideoLAN\VLC\vlc.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.microsoft.com/default.aspx?scid=kb;en-us;281336
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programme\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\INSTAL~1\{315AC~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{315AC~1\reboot.ini -l0x7
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Veoh] "C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\RunOnce: [StartMSu] C:\Programme\Creative\MediaSource5\Startmsu.exe /s
O4 - HKCU\..\RunOnce: [CMSRegOu] C:\Programme\Creative\MediaSource5\CMSRegOu.exe /r
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Programme\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76422F0F-5D23-47AF-B9A0-DAA3185B0E75}: NameServer = 192.168.178.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: 72.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\programme\a-squared free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Programme\Dassault Systemes\CatiaV5\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe

--
End of file - 7973 bytes
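Two questions sit in #2 and #3: which file the O20 AppInit_DLLs entry (and the "Unknown owner" O23 services) actually point at, whether that file exists on disk, and which hash values one would submit to an online scanner. The following Python triage helper is an added example written for this thread; it is not part of HijackThis or the forum's tooling. The sample log lines are constructed from entries in the log above, `SYSTEM_ROOT` is assumed to be `C:\WINDOWS` as the log shows, and the `exists` and `hasher` parameters are hypothetical hooks so the logic can be exercised off the infected machine.

```python
"""Triage helper for HijackThis-style logs (added example for this thread)."""
import hashlib
import ntpath
import os
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the HijackThis 2.0.2 log posted in the
# thread; only the entry types triaged below are included.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Programme\\Java\\jre1.6.0_07\\bin\\ssv.dll
O20 - AppInit_DLLs: 72.dll
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\\WINDOWS\\system32\\UAService.exe
"""

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<value>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service:\s*(?P<rest>.+)$")
SYSTEM_ROOT = r"C:\WINDOWS"  # assumed; matches the default XP location in the log


def parse_appinit_dlls(log_text):
    """DLL names listed in O20 lines. The registry value is a space- or
    comma-separated list, so one line may name several DLLs."""
    dlls = []
    for line in log_text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            dlls.extend(d for d in re.split(r"[\s,;]+", m.group("value")) if d)
    return dlls


def parse_unknown_owner_services(log_text):
    """(service name, image path) for O23 lines whose owner column reads
    'Unknown owner'. Splitting from the right keeps names containing ' - '."""
    found = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("rest").rsplit(" - ", 2)
        if len(parts) != 3:
            continue
        name, owner, path = (p.strip() for p in parts)
        if owner.lower() == "unknown owner":
            found.append((name, path))
    return found


def resolve_dll_path(name, system_root=SYSTEM_ROOT):
    """A bare name in AppInit_DLLs goes through the normal DLL search order,
    so system32 is where the thread expects it; a full path is kept as-is."""
    if ntpath.dirname(name):
        return name
    return ntpath.join(system_root, "system32", name)


def hash_bytes(data):
    """The four digests an online scanner lists for a sample (the question in #3)."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def file_hashes(path):
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


@dataclass
class Finding:
    kind: str
    name: str
    path: str
    present: bool
    hashes: dict = field(default_factory=dict)


def triage(log_text, exists=os.path.exists, hasher=file_hashes):
    """Collect AppInit_DLLs and unknown-owner service findings; `exists` and
    `hasher` are hooks (hypothetical) so this runs off the infected host."""
    findings = []
    for dll in parse_appinit_dlls(log_text):
        path = resolve_dll_path(dll)
        present = exists(path)
        findings.append(Finding("AppInit_DLLs", dll, path, present,
                                hasher(path) if present else {}))
    for name, path in parse_unknown_owner_services(log_text):
        present = exists(path)
        findings.append(Finding("Service (Unknown owner)", name, path, present,
                                hasher(path) if present else {}))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        # An AppInit_DLLs entry whose file cannot be found (the situation in #3)
        # is still a loader hook: a stale leftover or a file hidden from the
        # file system, which is why a rootkit scan follows later in the thread.
        status = "present" if f.present else "NOT FOUND on disk"
        print(f"{f.kind}: {f.name} -> {f.path} [{status}]")
        for alg, digest in f.hashes.items():
            print(f"    {alg}: {digest}")
```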
15.10.2008, 15:35 | #4
trojan-spy.win32.greenscreen

Hi,

Safe mode (F8 while booting), and there fix this entry with HJT:
O20 - AppInit_DLLs: 72.dll

To fix: open HijackThis -- button "Scan" -- tick the box in front of the entry/entries named above -- button "Fix checked" -- restart the PC. Attention: all applications except HJT must be closed, and a possibly active TeaTimer from Spybot absolutely must be deactivated!

Then boot normally, make a new HJT log and check whether the entry is gone;

MAM (Malwarebytes Anti-Malware), instructions & download here: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html
Full scan, let it clean everything, post the log...

chris
16.10.2008, 18:04 | #5
trojan-spy.win32.greenscreen

Hey chris,

Thanks for the instructions, I followed everything and it worked, item 20 in the log is gone. Only after the scan in safe mode and the restart, the admin was listed among the users, and in my user account the theme was set to Classic and the network was no longer present (no internet either), the same after restarting again, so I started "the last known good" configuration. Was safe mode somehow still active there? Many thanks for the help :aplaus::aplaus:

Malwarebytes' Anti-Malware 1.28
Datenbank Version: 1263
Windows 5.1.2600 Service Pack 2

16.10.2008 18:52:19
mbam-log-2008-10-16 (18-52-19).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 260981
Laufzeit: 1 hour(s), 0 minute(s), 1 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 2

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wini104552663.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:55:47, on 16.10.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\a-squared free\a2service.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
C:\Programme\Dassault Systemes\CatiaV5\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\PowerISO\PWRISOVM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe
C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\OpenOffice.org 2.4\program\soffice.exe
C:\Programme\OpenOffice.org 2.4\program\soffice.BIN
C:\Programme\Gemeinsame Dateien\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CTPdeSrv.exe
c:\progra~1\gemein~1\instal~1\update~1\isuspm.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\agent.exe
C:\Programme\Malwarebytes' Anti-Malware\mbam.exe
C:\Programme\Microsoft Visual Studio 8\Common7\IDE\devenv.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.microsoft.com/default.aspx?scid=kb;en-us;281336
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Programme\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Programme\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Programme\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76422F0F-5D23-47AF-B9A0-DAA3185B0E75}: NameServer = 192.168.178.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\programme\a-squared free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Programme\Dassault Systemes\CatiaV5\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe

--
End of file - 7405 bytes
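The check chris asks for in #4 ("make a new HJT log and check whether the entry is gone") is a comparison of two logs. The following Python script is an added example, not from the thread or from HijackThis: it diffs two HijackThis-style logs by running process and by R/F/N/O entry and groups the changes by section code. The before/after excerpts are constructed from the logs posted in #3 and #5.

```python
"""Diff two HijackThis-style logs taken before and after a fix (added example)."""
import re
from dataclasses import dataclass

# Constructed excerpts of the two logs in this thread (before the fix in #3,
# after the fix in #5); only a handful of lines are kept.
BEFORE = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe

O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe
O20 - AppInit_DLLs: 72.dll
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
"""
AFTER = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Programme\\Malwarebytes' Anti-Malware\\mbam.exe

O4 - HKLM\\..\\Run: [ISUSScheduler] "C:\\PROGRA~1\\GEMEIN~1\\INSTAL~1\\UPDATE~1\\issch.exe" -start
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
"""

# HijackThis entries start with a section code such as R1, O4, O20, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - ")


def parse_hjt(text):
    """Return (processes, entries): the paths listed under 'Running processes:'
    and the set of R/F/N/O entry lines. A blank line ends the process list."""
    processes, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if ENTRY_RE.match(line):
            in_procs = False
            entries.add(line)
        elif in_procs:
            processes.add(line)
    return processes, entries


@dataclass
class LogDiff:
    removed_entries: set
    added_entries: set
    stopped_processes: set
    new_processes: set


def diff_logs(before, after):
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return LogDiff(e0 - e1, e1 - e0, p0 - p1, p1 - p0)


def summarize(diff):
    """Group changed entries by section code, e.g. {'O20': {'removed': [...],
    'added': []}}; sections with no change do not appear."""
    out = {}
    for label, entries in (("removed", diff.removed_entries), ("added", diff.added_entries)):
        for entry in sorted(entries):
            code = ENTRY_RE.match(entry).group("code")
            out.setdefault(code, {"removed": [], "added": []})[label].append(entry)
    return out


if __name__ == "__main__":
    d = diff_logs(BEFORE, AFTER)
    for code, change in sorted(summarize(d).items()):
        for entry in change["removed"]:
            print(f"[{code}] gone:  {entry}")
        for entry in change["added"]:
            # New entries after a cleanup deserve the same scrutiny as the
            # original finding: a re-created loader hook would show up here.
            print(f"[{code}] new:   {entry}")
    for proc in sorted(d.new_processes):
        print(f"new process:    {proc}")
    for proc in sorted(d.stopped_processes):
        print(f"no longer seen: {proc}")
```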
17.10.2008, 06:35 | #6
trojan-spy.win32.greenscreen

Hi,

The log looks good so far. Let's take a somewhat deeper look into the system:

SilentRunner: unpack the zip archive into a directory, start it with a double-click, choose "yes". The file it creates is in the same directory the script was copied to; please load it into an editor and post it. http://www.silentrunners.org/Silent%20Runners.zip

The brastk.exe is a trojan downloader/backdoor and was not to be found in the logs, so there are two possibilities now:
- it arrived after the logs were taken
- a rootkit is active

Update AntiVir, configure your AntiVir as described here: http://www.trojaner-board.de/54192-a...tellungen.html and run a full scan...

Avira Antirootkit: download Avira Antirootkit and scan your system, post the logfile. http://dl.antivir.de/down/windows/antivir_rootkit.zip

Post the logs;

chris
18.10.2008, 13:20 | #7
| trojan-spy.win32.greenscreen hey chirs, danke für die anleitung! ich habe die von antivir gefungen objekte in quarantäne gestellt, welche davon sind nun zu löschen? beste grüße marcus antivir root kit hat nichts gefungen. "Silent Runners.vbs", revision 58, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "CTSyncU.exe" = ""C:\Programme\Creative\Sync Manager Unicode\CTSyncU.exe"" [empty string] "(Default)" = "(empty string)" [file not found] "Veoh" = ""C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "TerraTec Remote Control" = ""C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"" ["TerraTec Electronic GmbH"] "SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."] "avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"] "PWRISOVM.EXE" = "C:\Programme\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."] "Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"] "RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."] "Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."] "pdfSaver3" = "(empty string)" [file not found] "ISUSPM Startup" = "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"] "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS] "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS] "ASUSGamerOSD" = "C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [file not found] "ISUSScheduler" = 
""C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\issch.exe" -start" ["InstallShield Software Corporation"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] "{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}" = "NOMAD Explorer" -> {HKLM...CLSID} = "NOMAD Explorer" \InProcServer32\(Default) = "C:\Programme\Creative\Creative Zen Touch\NOMAD Explorer\CTJBNS.DLL" ["Creative Technology Ltd"] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO" -> {HKLM...CLSID} = "PowerISO" \InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."] "{8932AEFE-9DB6-4f43-AFB2-5682F55E773A}" = "VPCHostCopyHook" -> 
{HKLM...CLSID} = "VPCHostCopyHook" \InProcServer32\(Default) = "C:\Programme\Microsoft Virtual PC\VPCShExH.DLL" [MS] "{4AFB2C17-9D16-4478-AEF4-C3FC539961E4}" = "ZEN Media Explorer" -> {HKLM...CLSID} = "ZEN Media Explorer" \InProcServer32\(Default) = "C:\Programme\Creative\Creative ZEN\ZEN Media Explorer\SHCTMTP.dll" ["Creative Technology Ltd"] "{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk-Zeichnungsvorschau" -> {HKLM...CLSID} = "ACTHUMBNAIL" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk, Inc."] "{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Symbol-Overlay-Steuerprogramm fE AutoCAD Digitale Signaturen" -> {HKLM...CLSID} = "AcSignIcon" \InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk, Inc."] "{8A0BC933-7552-42E2-A228-3BE055777227}" = "AutoCAD-DWG-Spalten-Steuerprogramm" -> {HKLM...CLSID} = "AcColumnHandler" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"] "{5800AD5B-72C1-477B-9A08-CA112DF06D97}" = "AutoCAD-DWG-InfoTipp-Steuerprogramm" -> {HKLM...CLSID} = "AcInfoTipHandler" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"] "{ADC46291-D8A1-4486-A24C-86FFB392AEFA}" = "Autodesk Dgn File Preview" -> {HKLM...CLSID} = "AcDgnImageExtractor" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcDgnCOM17.dll" ["Autodesk"] "{C539A15A-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Context Menu Extension" -> {HKLM...CLSID} = "Acronis True Image Shell Context Menu Extension" \InProcServer32\(Default) = "C:\Programme\Acronis\TrueImageHome\tishell.dll" ["Acronis"] "{C539A15B-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Extension" -> {HKLM...CLSID} = "Acronis True Image Shell Extension" \InProcServer32\(Default) = "C:\Programme\Acronis\TrueImageHome\tishell.dll" ["Acronis"] 
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "WPDShServiceObj" = 
"{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\ <<!>> "Debugger" = ""C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld" [MS] HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ <<!>> "Authentication Packages" = "msv1_0"|"relog_ap" HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ <<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {8A0BC933-7552-42E2-A228-3BE055777227}\(Default) = "AutoCAD DWG column info" -> {HKLM...CLSID} = "AcColumnHandler" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"] {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ Autodesk.DWF.ContextMenu\(Default) = "{6C18531F-CA85-45F7-8278-FF33CF0A5964}" -> {HKLM...CLSID} = "DWFShellExt Class" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\Dwf Common\DWFShellExtension.dll" ["Autodesk, Inc."] CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}" -> {HKLM...CLSID} = "CtMtpContextMenu Class" \InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" ["Creative Technology Ltd"] HexWorkshopContextMenu\(Default) = "{DB34D5DC-D41A-482E-A5EF-8FA0F88761DA}" -> {HKLM...CLSID} = "Hex Workshop Shell Extension" \InProcServer32\(Default) = "C:\Programme\BreakPoint Software\Hex Workshop 
4.2\hwext.dll" ["BreakPoint Software, Inc."]
moveonboot_delete\(Default) = "{12B23346-6BD8-4812-BF8C-75E7C386ACB8}"
  -> {HKLM...CLSID} = "MoveOnBootBootPopupMenuShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\GiPo@Utilities\GiPo@MoveOnBoot\mboot.dll" ["Gibin Software House (http://www.gibinsoft.net)"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"
  -> {HKLM...CLSID} = "CtMtpContextMenu Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" ["Creative Technology Ltd"]
InventorMenu\(Default) = "{6FDE7A70-351B-11d6-988B-0010B57A8BB7}"
  -> {HKLM...CLSID} = "Autodesk Inventor Part"
     \InProcServer32\(Default) = "C:\Programme\Autodesk\Inventor 2008\Bin\DT.dll" ["Autodesk, Inc."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Default executables:
--------------------

<<!>> HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\system32\notepad.exe" "%1"" [MS]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Studium\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\scrnsave.scr" [MS]

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

CTMTPHandler\
"Provider" = "Creative Media Explorer"
"ProgID" = "CTMtpAut.CTMtpEventHandler"
"InitCmdLine" = "OrganizeUsingZME"
HKLM\SOFTWARE\Classes\CTMtpAut.CTMtpEventHandler\CLSID\(Default) = "{9F40AC21-F4D1-477C-AC95-7A935224220F}"
  -> {HKLM...CLSID} = "CTMtpEventHandler Class"
     \LocalServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CTMtpAut.exe" ["Creative Technology Ltd."]

CTPlayAudioOnArrival\
"Provider" = "@C:\Programme\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.AudioCDPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Programme\Creative\MediaSource\CTCMS.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]

CTPlayAudioOnArrivalu\
"Provider" = "Creative MediaSource 5 Player"
"InvokeProgID" = "CTAutoPLu.AudioCDPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPLu.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Programme\Creative\MediaSource5\CTCMSu.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]

CTPlayMusicFilesOnArrival\
"Provider" = "@C:\Programme\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.MusicFilesPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.MusicFilesPlayer.1\shell\open\command\(Default) = ""C:\Programme\Creative\MediaSource\CTCMS.exe" /Organizer" ["Creative Technology Ltd"]

CTPlayMusicFilesOnArrivalu\
"Provider" = "Creative MediaSource 5 Player"
"InvokeProgID" = "CTAutoPLu.MusicFilesPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPLu.MusicFilesPlayer.1\shell\open\command\(Default) = ""C:\Programme\Creative\MediaSource5\CTCMSu.exe" /PlayNow "%L"" ["Creative Technology Ltd"]

DVDDecrypterPlayDVDMovieOnArrival\
"Provider" = "DVD Decrypter"
"InvokeProgID" = "DVDDecrypter"
"InvokeVerb" = "PlayDVDMovieOnArrival_Decrypt"
HKLM\SOFTWARE\Classes\DVDDecrypter\shell\PlayDVDMovieOnArrival_Decrypt\Command\(Default) = ""C:\Programme\DVD Decrypter\DVDDecrypter.exe" /MODE READ /SOURCE "%1"" ["LIGHTNING UK!"]

MSPictureItViewOnArrival\
"Provider" = "Microsoft Picture It! Express 7.0"
"InvokeProgID" = "Microsoft.Picture.It.7.AutoPlay"
"InvokeVerb" = "AutoPlay"
HKLM\SOFTWARE\Classes\Microsoft.Picture.It.7.AutoPlay\shell\AutoPlay\Command\(Default) = ""C:\Programme\Microsoft Picture It! 7\pip.exe" /invoke={D0551EC1-5A78-11cf-9DBE-00AA00A70BB5}" [MS]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --one-instance-when-started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --one-instance-when-started-from-file dvd:%1" ["VideoLAN Team"]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Programme\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
     \LocalServer32\(Default) = ""C:\Programme\Winamp\winamp.exe"" ["Nullsoft"]

Startup items in "Studium" & "All Users" startup folders:
---------------------------------------------------------

C:\Dokumente und Einstellungen\Studium\Startmenü\Programme\Autostart
"OpenOffice.org 2.4" -> shortcut to: "C:\Programme\OpenOffice.org 2.4\program\quickstart.exe" [null data]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Logitech SetPoint" -> shortcut to: "C:\Programme\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]

Enabled Scheduled Tasks:
------------------------

"Uniblue SpyEraser Nag" -> launches: "C:\Programme\Uniblue\SpyEraser\SpyEraser.exe -ynag" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

a-squared Free Service, a2free, ""c:\programme\a-squared free\a2service.exe"" ["Emsi Software GmbH"]
Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
Acronis Try And Decide Service, TryAndDecideService, ""C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe"" [null data]
AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Autodesk Licensing Service, Autodesk Licensing Service, ""C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe"" ["Autodesk"]
Backbone Service, BBDemon, "C:\Programme\Dassault Systemes\CatiaV5\intel_a\code\bin\CATSysDemon.exe -service" ["Dassault Systemes"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
Lavasoft Ad-Aware Service, aawservice, "C:\Programme\Lavasoft\Ad-Aware\aawservice.exe" ["Lavasoft"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
SecuROM User Access Service, UserAccess, "C:\WINDOWS\system32\UAService.exe" [null data]
SQL Server (SQLEXPRESS), MSSQL$SQLEXPRESS, ""C:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS" [MS]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
PDF-XChange\Driver = "C:\WINDOWS\system32\pxc25pm.dll" ["Tracker Software"]

----------
(launch time: 2008-10-17 12:19:58)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
----------
(total run time: 32 seconds,
including 11 seconds for message boxes)
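What a reviewer does with the `<<!>>` lines of a Silent Runners report is compare each flagged launch point with what a stock Windows XP install has there, so that only the component that differs from the default still needs attributing. The Python script below does that over the flagged entries of the report above, re-created as constructed sample text with their line breaks restored. It is an added example, not part of this thread and not Silent Runners' own code. The `XP_DEFAULTS` table holds the stock values as the example assumes them; a component listed as non-default is not thereby malicious, and the report's own signer/company tag (`[MS]`, `[null data]`, `["Vendor"]`) together with the software installed on the machine decides what it belongs to.

```python
import re

# Constructed sample: the <<!>>-flagged entries from the Silent Runners
# report above, with their line breaks restored (values unchanged).
SAMPLE_REPORT = r'''
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = ""C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"relog_ap"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

Default executables:
--------------------
<<!>> HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\system32\notepad.exe" "%1"" [MS]
'''

# Stock Windows XP values for the launch points flagged above (assumed
# baseline; keys and value names are compared case-insensitively). The
# per-user .scr key normally does not exist at all: the machine-wide
# ProgID for screen savers is "scrfile". Launch points with no baseline
# in this table are reported whole.
XP_DEFAULTS = {
    (r"hklm\system\currentcontrolset\control\lsa", "authentication packages"):
        ["msv1_0"],
    (r"hklm\system\currentcontrolset\control\session manager", "bootexecute"):
        ["autocheck autochk *"],
    (r"hklm\software\microsoft\windows nt\currentversion\aedebug", "debugger"):
        ["drwtsn32 -p %ld -e %ld -g"],
    (r"hkcu\software\classes\.scr", "(default)"):
        ["scrfile"],
}

# Value data followed by an optional trailing tag: [MS], [null data], ["Vendor"]
_TAG_RE = re.compile(r'^(.*?)\s*(?:\[([^\]]*)\])?$')


def split_multi(data):
    """Split Silent Runners' "a"|"b" multi-string notation into components,
    dropping exactly one pair of outer quotes (inner quotes belong to the data)."""
    parts = re.split(r'(?<=")\|(?=")', data)
    return [p[1:-1] if len(p) >= 2 and p[0] == '"' and p[-1] == '"' else p
            for p in parts]


def triage(report):
    """One finding per <<!>> line: key, value name, parsed components, the
    assumed default, the components that differ from it, and the tag."""
    findings = []
    current_key = None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("HK") and line.endswith("\\"):
            current_key = line[:-1]               # key header line: "HKLM\...\"
            continue
        if not line.startswith("<<!>>"):
            continue
        left, sep, right = line[5:].strip().partition(" = ")
        if not sep:
            continue
        if left.startswith('"') and left.endswith('"'):
            key, name = current_key or "?", left[1:-1]   # '"Name" = data' under current key
        else:
            key, name = left.rsplit("\\", 1)             # 'HKCU\...\(Default) = data'
        m = _TAG_RE.match(right)
        data, tag = m.group(1), m.group(2)
        components = split_multi(data)
        default = XP_DEFAULTS.get((key.lower(), name.lower()))
        if default is None:
            non_default = list(components)
        else:
            non_default = [c for c in components if c not in default]
        findings.append({"key": key, "name": name, "components": components,
                         "default": default, "non_default": non_default, "tag": tag})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['key']} | {f['name']}")
        print(f"  default : {f['default']}")
        print(f"  review  : {f['non_default']}  tag={f['tag']}")
```

Run against the sample, the script leaves `relog_ap`, `lsdelete`, the `vsjitdebugger.exe` command line and the `.scr` to `AutoCADScriptFile` mapping for review; the shell\open\command entry has no baseline in the table and is listed whole.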
18.10.2008, 13:24 | #8 |
trojan-spy.win32.greenscreen

Avira AntiVir Personal
Report file date: Samstag, 18. Oktober 2008 12:50

Scanning for 1692263 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: CYBER-CARL

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 12.08.2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 17.07.2008 21:26:38
AVSCAN.DLL : 8.1.4.0 40705 Bytes 17.07.2008 21:26:38
LUKE.DLL : 8.1.4.5 164097 Bytes 17.07.2008 21:26:38
LUKERES.DLL : 8.1.4.0 12033 Bytes 17.07.2008 21:26:38
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18.07.2007 09:26:13
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24.06.2008 21:51:16
ANTIVIR2.VDF : 7.0.7.12 4066816 Bytes 08.10.2008 18:04:25
ANTIVIR3.VDF : 7.0.7.58 315904 Bytes 17.10.2008 10:49:34
Engineversion : 8.2.0.5
AEVDF.DLL : 8.1.0.6 102772 Bytes 17.10.2008 09:23:32
AESCRIPT.DLL : 8.1.1.9 319867 Bytes 17.10.2008 09:23:31
AESCN.DLL : 8.1.1.3 123252 Bytes 17.10.2008 09:23:30
AERDL.DLL : 8.1.1.2 438644 Bytes 19.09.2008 07:27:00
AEPACK.DLL : 8.1.2.4 369014 Bytes 17.10.2008 09:23:30
AEOFFICE.DLL : 8.1.0.28 196987 Bytes 17.10.2008 09:23:28
AEHEUR.DLL : 8.1.0.59 1438071 Bytes 19.09.2008 07:26:58
AEHELP.DLL : 8.1.1.2 115062 Bytes 17.10.2008 09:23:27
AEGEN.DLL : 8.1.0.41 319861 Bytes 17.10.2008 09:23:27
AEEMU.DLL : 8.1.0.9 393588 Bytes 17.10.2008 09:23:25
AECORE.DLL : 8.1.2.6 172406 Bytes 17.10.2008 09:23:24
AEBB.DLL : 8.1.0.3 53618 Bytes 17.10.2008 09:23:23
AVWINLL.DLL : 1.0.0.12 15105 Bytes 17.07.2008 21:26:38
AVPREF.DLL : 8.0.2.0 38657 Bytes 17.07.2008 21:26:38
AVREP.DLL : 8.0.0.2 98344 Bytes 02.08.2008 08:44:10
AVREG.DLL : 8.0.0.1 33537 Bytes 17.07.2008 21:26:38
AVARKT.DLL : 1.0.0.23 307457 Bytes 21.04.2008 22:04:35
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 17.07.2008 21:26:38
SQLITE3.DLL : 3.3.17.1 339968 Bytes 21.04.2008 22:04:35
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 17.07.2008 21:26:38
NETNT.DLL : 8.0.0.1 7937 Bytes 21.04.2008 22:04:35
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 17.07.2008 21:26:37
RCTEXT.DLL : 8.0.52.0 86273 Bytes 17.07.2008 21:26:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\programme\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: off
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,
Macro heuristic..................: on
File heuristic...................: high
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: Samstag, 18. Oktober 2008 12:50

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'LingoPad.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'CTPdeSrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'UAService.exe' - '1' Module(s) have been scanned
Scan process 'TrueImageTryStartService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'CATSysDemon.exe' - '1' Module(s) have been scanned
Scan process 'AdskScSrv.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'schedul2.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'KHALMNPR.EXE' - '1' Module(s) have been scanned
Scan process 'soffice.bin' - '1' Module(s) have been scanned
Scan process 'soffice.exe' - '1' Module(s) have been scanned
Scan process 'SetPoint.exe' - '1' Module(s) have been scanned
Scan process 'CTSyncU.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'Reader_SL.exe' - '1' Module(s) have been scanned
Scan process 'PWRISOVM.EXE' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'TTTVRC.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
45 processes with 45 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '52' files ).

Starting the file scan:

Begin scan in 'C:\' <Lokaler Datenträger Eugen>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\RECYCLER\S-1-5-21-1645522239-602609370-682003330-1006\Dc7\Reboot.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
[NOTE] The file was moved to '495bcdc6.qua'!
C:\RECYCLER\S-1-5-21-1645522239-602609370-682003330-1006\Dc7\restart.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
[NOTE] The file was moved to '496ccdc9.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP290\A0080408.exe
[DETECTION] Is the TR/Pakes.kzv Trojan
[NOTE] The file was moved to '4929ce5a.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP290\A0080617.exe
[DETECTION] Is the TR/FraudPack.alk Trojan
[NOTE] The file was moved to '4929ce61.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP292\A0082324.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4929ce76.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP292\A0082325.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4929ce78.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP293\A0082358.exe
[DETECTION] Is the TR/Dldr.Obfuscated.dtl Trojan
[NOTE] The file was moved to '4929ce7d.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP293\A0082360.exe
[0] Archive type: RAR SFX (self extracting)
--> SmitfraudFix\Reboot.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
--> SmitfraudFix\restart.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
[NOTE] The file was moved to '4929ce81.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP293\A0082379.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
[NOTE] The file was moved to '4929ce85.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP293\A0082380.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
[NOTE] The file was moved to '4929ce87.qua'!
C:\WINDOWS\system32\sdenavyp.exe
[DETECTION] Is the TR/Obfuscated.GX.2662 Trojan
[NOTE] The file was moved to '495ecfc4.qua'!
C:\WINDOWS\system32\drivers\dtscsi.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd4461.sys
[WARNING] The file could not be opened!

End of the scan: Samstag, 18. Oktober 2008 13:59
Used time: 1:08:58 Hour(s)

The scan has been done completely.
17869 Scanning directories
904446 Files were scanned
12 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
11 files were moved to quarantine
0 files were renamed
4 Files cannot be scanned
904430 Files not concerned
8220 Archives were scanned
6 Warnings
11 Notes
18.10.2008, 23:41 | #9 |
trojan-spy.win32.greenscreen

Hi,

some of the things Avira found belong to the tools that were used, others are in System Restore ...

Therefore: delete System Restore
http://www.systemwiederherstellung-deaktivieren.de/windows-xp.html
Once the computer runs flawlessly, finally have all System Restore points deleted (those are the C:\System Volume Information\_restore files that were found, i.e. the trojan was backed up along with them, and if you were to go back to a restore point it would be there again), as follows:
My Computer -> right mouse button -> Properties -> System Restore -> tick "Turn off System Restore on all drives" -> Apply -> confirm the safety prompt with OK -> close the window with OK -> reboot;
then the same again, only remove the tick (then it runs again).
Set a first restore point:
Start -> Programs -> Accessories -> System Tools -> System Restore -> Create a restore point -> Next, think up a description -> Create

I would leave Avira's quarantine alone for now; once it is certain that everything runs, it can still be deleted!

chris
__________________
Don't bring me down
Read before posting! Donate (anyone who wants to donate is welcome to get in touch)
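chris's sorting of the Avira findings (copies in restore points, components of the removal tools that were used, and the rest) can be applied mechanically to the report text. The Python below does that; it is an added example, not part of this thread and not Avira's or the board's code. The sample text is a constructed subset of the report above with its line breaks restored, and the grouping rule (a `System Volume Information\_restore` path means a restore-point copy, Avira's `SPR/` category marks the tool helpers, everything else counts as live) is the example's own assumption. Files Avira could not open are listed separately because a scan report says nothing about them either way.

```python
import re

# Constructed sample: a subset of the Avira report above, line breaks restored.
SAMPLE_REPORT = r"""
Begin scan in 'C:\' <Lokaler Datenträger Eugen>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\RECYCLER\S-1-5-21-1645522239-602609370-682003330-1006\Dc7\Reboot.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
[NOTE] The file was moved to '495bcdc6.qua'!
C:\RECYCLER\S-1-5-21-1645522239-602609370-682003330-1006\Dc7\restart.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
[NOTE] The file was moved to '496ccdc9.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP290\A0080408.exe
[DETECTION] Is the TR/Pakes.kzv Trojan
[NOTE] The file was moved to '4929ce5a.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP290\A0080617.exe
[DETECTION] Is the TR/FraudPack.alk Trojan
[NOTE] The file was moved to '4929ce61.qua'!
C:\System Volume Information\_restore{2A48531F-BB7A-46F7-AEA4-74DDAC9A1257}\RP293\A0082360.exe
[0] Archive type: RAR SFX (self extracting)
--> SmitfraudFix\Reboot.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Reboot.F program
--> SmitfraudFix\restart.exe
[DETECTION] Contains recognition pattern of the SPR/Tool.Hardoff.A program
[NOTE] The file was moved to '4929ce81.qua'!
C:\WINDOWS\system32\sdenavyp.exe
[DETECTION] Is the TR/Obfuscated.GX.2662 Trojan
[NOTE] The file was moved to '495ecfc4.qua'!
C:\WINDOWS\system32\drivers\dtscsi.sys
[WARNING] The file could not be opened!
End of the scan: Samstag, 18. Oktober 2008 13:59
"""

# A hit under this directory is a System Restore copy, not a running file.
RESTORE_MARKER = r"\system volume information\_restore"
# Avira signature names read "CATEGORY/Name", e.g. SPR/Tool.Reboot.F, TR/Pakes.kzv.
_SIG_RE = re.compile(r"\b([A-Z]{2,8})/([\w.\-]+)")
_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_report(text):
    """Group the per-file lines of an Avira report into records:
    {'path', 'detections': [(archive member, category, name)], 'quarantined', 'unscannable'}."""
    records, current, member = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if _PATH_RE.match(line):                       # a scanned file starts a record
            current = {"path": line, "detections": [], "quarantined": False, "unscannable": False}
            member = None
            records.append(current)
        elif current is None:
            continue
        elif line.startswith("-->"):                   # member inside an archive
            member = line[3:].strip()
        elif line.startswith("[DETECTION]"):
            m = _SIG_RE.search(line)
            if m:
                current["detections"].append((member, m.group(1), m.group(2)))
        elif line.startswith("[NOTE]") and "moved to" in line:
            current["quarantined"] = True
        elif line.startswith("[WARNING]") and "could not be opened" in line:
            current["unscannable"] = True
    return records


def classify(record):
    """Review group of one record: 'restore_point', 'tool', 'live', or None."""
    if not record["detections"]:
        return None
    if RESTORE_MARKER in record["path"].lower():
        return "restore_point"
    # SPR/ is Avira's category for security/privacy-risk programs (here the
    # reboot helpers that ship with a removal tool), not for malware proper.
    if all(cat == "SPR" for _, cat, _ in record["detections"]):
        return "tool"
    return "live"


def summarize(text):
    """Detection counts per group plus the paths that still need attention."""
    counts = {"restore_point": 0, "tool": 0, "live": 0}
    live, not_quarantined, unscannable = [], [], []
    for rec in parse_report(text):
        group = classify(rec)
        if group:
            counts[group] += len(rec["detections"])
            if group == "live":
                live.append(rec["path"])
            if not rec["quarantined"]:
                not_quarantined.append(rec["path"])
        if rec["unscannable"]:
            unscannable.append(rec["path"])
    return {"counts": counts, "live": live,
            "not_quarantined": not_quarantined, "unscannable": unscannable}


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print("detections by group:", s["counts"])
    print("live files (outside restore points, not a tool):", s["live"])
    print("detected but not quarantined:", s["not_quarantined"])
    print("could not be scanned (check separately):", s["unscannable"])
```

On the sample this leaves one live detection, `C:\WINDOWS\system32\sdenavyp.exe`, which is the entry worth following up once the restore points are purged as chris describes; the SPR/ hits in RECYCLER and in the archived SmitfraudFix package are the tool components his reply refers to.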