Archive: Recurring 'se.dll/sp.html'
For technical reasons, about 1000 threads of the Trojaner-Info forum were moved here. Search does not work here, and only mods and admins can post. To browse the old posts, please click "Alle Themen anzeigen" (Show all topics).
#14
Recurring 'se.dll/sp.html'

Here is a report:

HijackThis

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\JULIAS~1\LOKALE~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A0A855D3-A4F5-456C-9638-2EB95E6F4F8A} - C:\WINDOWS\System32\obkp.dll (file missing)
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\JULIAS~1\LOKALE~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {C754C223-E3F8-4BBA-86D8-C3BC8304230F} - C:\WINDOWS\System32\obkp.dll
O18 - Filter: text/plain - {C754C223-E3F8-4BBA-86D8-C3BC8304230F} - C:\WINDOWS\System32\obkp.dll

AdAware

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : HOMEOldSP

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "sp"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : sp

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/plain

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/plain
Value : CLSID

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/html

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/html
Value : CLSID

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment : CWS.About:Blank
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search
Value : SearchAssistant

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\protocols\filter\text/html
Value : CLSID

_______________________________________________________

REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "{C754C223-E3f8-4BBA-86D8-C3BC8304230F}" 24.02.2005 14:11:17
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C754C223-E3F8-4BBA-86D8-C3BC8304230F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C754C223-E3F8-4BBA-86D8-C3BC8304230F}\InProcServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
"CLSID"="{C754C223-E3F8-4BBA-86D8-C3BC8304230F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain]
"CLSID"="{C754C223-E3F8-4BBA-86D8-C3BC8304230F}"

ESCAN:

Sun Feb 20 12:02:48 2005 => Scanning File C:\Programme\AVPersonal\INFECTED\SE.DLL.VIR
Sun Feb 20 12:02:48 2005 => Scanning File C:\Programme\AVPersonal\INFECTED\SE.DLL.001

regsvr32 /u c:\system32\obkp.dll

When I paste that in, it shows something about the file not being found, and it doesn't find the other files I'm supposed to delete either.

AboutBuster

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

C:\Dokumente und Einstellungen\JULIAS~1\Lokale Einstellungen\Temp\se.dll

In my user account I can find it, but I can't delete it, and in Safe Mode it isn't visible.

________________________

StartDreck (build 2.1.7 public stable) - 2005-03-06 @ 14:07:13 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Julia Steinbusch at WILLOW
»Registry
»Run Keys
»Current User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\ctfmon.exe
*MsnMsgr="C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*nwiz=nwiz.exe /install
*CPLBTS88=C:\PROGRA~1\EzButton\CPLBTS88.EXE
*CeEKEY=C:\Programme\TOSHIBA\E-KEY\CeEKey.exe
*Apoint=C:\Programme\Apoint2K\Apoint.exe
*TPNF=C:\Programme\TOSHIBA\TouchPad\TPTray.exe
*CeEPOWER=C:\Programme\TOSHIBA\Power Management\CePMTray.exe
*HPDJ Taskbar Utility=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
*ezShieldProtector for Px=C:\WINDOWS\System32\ezSP_Px.exe
*Drag'n Drop CD=C:\Programme\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
*IMJPMIG8.1="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
*MSPY2002=C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
*PHIME2002ASync=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
*PHIME2002A=C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
*Share-to-Web Namespace Daemon=C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
*QuickTime Task="C:\Programme\QuickTime\qttask.exe" -atboottime
*sp=rundll32 C:\DOKUME~1\JULIAS~1\LOKALE~1\Temp\se.dll,DllInstall
*NvCplDaemon=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Application specific

"In the DOS box, please paste this:"

rundll32 C:\Dokumente und Einstellungen\Julia Steinbusch\Lokale Einstellungen\Temp\se.dll,DllUnregisterServer

The following message appears:

Fehler beim Laden von C:\Dokumente
Das angegebene Modul wurde nicht gefunden

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found Smile"
________________________________________________
1.388 items found: 1.388 files, 0 directories.
Total of file sizes: 256.641.548 bytes 244,75 M
Administrator Account = True
--------------------End log---------------------

"Silent Runners.vbs", revision 32, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MsnMsgr" = ""C:\Programme\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"CPLBTS88" = "C:\PROGRA~1\EzButton\CPLBTS88.EXE" ["Dritek System Inc."]
"CeEKEY" = "C:\Programme\TOSHIBA\E-KEY\CeEKey.exe" ["COMPAL ELECTRONIC INC."]
"Apoint" = "C:\Programme\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"TPNF" = "C:\Programme\TOSHIBA\TouchPad\TPTray.exe" ["COMPAL ELECTRONIC INC."]
"CeEPOWER" = "C:\Programme\TOSHIBA\Power Management\CePMTray.exe" ["COMPAL ELECTRONIC INC."]
"Default" = (no data)
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" ["HP"]
"ezShieldProtector for Px" = "C:\WINDOWS\System32\ezSP_Px.exe" ["Easy Systems Japan Ltd."]
"Drag'n Drop CD" = "C:\Programme\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp" [empty string]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"MSPY2002" = "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"Share-to-Web Namespace Daemon" = "C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"sp" = "rundll32 C:\DOKUME~1\JULIAS~1\LOKALE~1\Temp\se.dll,DllInstall" [MS]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Programme\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop-Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{9ED66769-A198-41FE-8615-601691C68846}" = "TouchPad Property Sheet"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\TPprop.dll" ["COMPAL ELECTRONIC INC."]
"{8FF43EAA-2BB1-4A53-8E18-D9221E56E593}" = "CePMTab Property Sheet"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\CePMTab.dll" ["Compal"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\upnpui.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/html\CLSID = "{C754C223-E3F8-4BBA-86D8-C3BC8304230F}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\obkp.dll" [file not found]
INFECTION WARNING! text/plain\CLSID = "{C754C223-E3F8-4BBA-86D8-C3BC8304230F}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\obkp.dll" [file not found]

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Einfache TCP/IP-Dienste, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
RIP-Überwachung, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.

Online scan with Panda

Incident Status Location
Spyware:Spyware/Cydoor No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\Programme\MyWay
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32a.sys
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Temp\Adware
Adware:Adware/MyCustomIE No disinfected Windows Registry

Current status:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\JULIAS~1\LOKALE~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {C754C223-E3F8-4BBA-86D8-C3BC8304230F} - (no file)
O18 - Filter: text/plain - {C754C223-E3F8-4BBA-86D8-C3BC8304230F} - (no file)

SpSeHjfix

I can't open the SpSeHjfix file, it is corrupted. But nothing was found.

Last edited by Sabina (09.03.2005 at 15:50)