| |
| |||||||
Log-Analyse und Auswertung: mein logfile! was nun?Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.XML |
 |
03.10.2005, 16:17
| #1 |
 |  mein logfile! was nun? -------------------------------------------------- -------------------- INFECTED -------------------- -------------------------------------------------- 1: Mon Oct 03 16:57:48 2005 => System found infected with edonkey2000 Spyware/Adware ({320154bb-d666-48f6-990e-172b32954620})! Action taken: No Action Taken. 2: Mon Oct 03 16:57:48 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken. 3: Mon Oct 03 16:57:48 2005 => System found infected with stylexp Spyware/Adware ({c333cf63-767f-4831-94ac-e683d962c63c})! Action taken: No Action Taken. 4: Mon Oct 03 16:57:52 2005 => Offending file found: C:\DOKUME~1\TOSTAM~1\LOKALE~1\Temp\insthelp.dll 5: Mon Oct 03 16:57:52 2005 => System found infected with redv Spyware/Adware (insthelp.dll)! Action taken: No Action Taken. 6: Mon Oct 03 16:57:55 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Eigene Dateien\downloads\lame\index.html 7: Mon Oct 03 16:57:55 2005 => System found infected with easysearch Spyware/Adware (index.html)! Action taken: No Action Taken. 8: Mon Oct 03 16:58:09 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Lokale Einstellungen\temp\insthelp.dll 9: Mon Oct 03 16:58:09 2005 => System found infected with redv Spyware/Adware (insthelp.dll)! Action taken: No Action Taken. 10: Mon Oct 03 16:58:09 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Lokale Einstellungen\temp\temporary internet files\content.ie5\2o497fu1\common[1].js 11: Mon Oct 03 16:58:09 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken. 12: Mon Oct 03 16:58:09 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Lokale Einstellungen\temp\temporary internet files\content.ie5\5v5rhldz\common[1].js 13: Mon Oct 03 16:58:09 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken. 14: Mon Oct 03 16:58:09 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Lokale Einstellungen\temp\temporary internet files\content.ie5\aum9yr5q\common[1].js 15: Mon Oct 03 16:58:09 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken. 16: Mon Oct 03 16:58:10 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Lokale Einstellungen\temp\temporary internet files\content.ie5\vj9if48w\common[1].js 17: Mon Oct 03 16:58:10 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken. 18: Mon Oct 03 16:58:10 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Lokale Einstellungen\temporary internet files\content.ie5\9yexszcm\common[1].js 19: Mon Oct 03 16:58:10 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken. 20: Mon Oct 03 16:58:10 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Lokale Einstellungen\temporary internet files\content.ie5\o1a161or\common[1].js 21: Mon Oct 03 16:58:10 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken. 22: Mon Oct 03 16:58:10 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Lokale Einstellungen\temporary internet files\content.ie5\ulc98fmn\common[1].js 23: Mon Oct 03 16:58:10 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken. 24: Mon Oct 03 16:58:10 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Lokale Einstellungen\Temporary Internet Files\content.ie5\9yexszcm\common[1].js 25: Mon Oct 03 16:58:10 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken. 26: Mon Oct 03 16:58:10 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Lokale Einstellungen\Temporary Internet Files\content.ie5\o1a161or\common[1].js 27: Mon Oct 03 16:58:10 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken. 28: Mon Oct 03 16:58:10 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Lokale Einstellungen\Temporary Internet Files\content.ie5\ulc98fmn\common[1].js 29: Mon Oct 03 16:58:10 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken. 30: Mon Oct 03 16:58:11 2005 => Offending file found: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\cyberlink\powerdvd\ipower\index.html 31: Mon Oct 03 16:58:11 2005 => System found infected with easysearch Spyware/Adware (index.html)! Action taken: No Action Taken. 32: Mon Oct 03 16:58:12 2005 => Offending file found: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\spybot - search & destroy\backups\wbemess.lo_ 33: Mon Oct 03 16:58:12 2005 => System found infected with hotbar Spyware/Adware (wbemess.lo_)! Action taken: No Action Taken. -------------------------------------------------- --------------------- ERRORS --------------------- -------------------------------------------------- 1: Mon Oct 03 16:57:21 2005 => ERROR!!! Invalid Entry \??\C:\WINDOWS\system32\drivers\chcAcpi.sys in SYSTEM\CurrentControlSet\Services\chcAcpi_driver... 2: Mon Oct 03 16:57:21 2005 => ERROR!!! Invalid Entry \??\C:\WINDOWS\system32\drivers\chcNT.sys in SYSTEM\CurrentControlSet\Services\chcNT_driver... 3: Mon Oct 03 16:57:27 2005 => ERROR!!! Invalid Entry C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe in SYSTEM\CurrentControlSet\Services\mcupdmgr.exe... 4: Mon Oct 03 16:57:29 2005 => ERROR!!! Invalid Entry \??\C:\WINDOWS\system32\NSNDIS5.SYS in SYSTEM\CurrentControlSet\Services\NSNDIS5... 5: Mon Oct 03 16:57:37 2005 => ERROR!!! Invalid Entry system32\DRIVERS\VClone.sys in SYSTEM\CurrentControlSet\Services\VClone... 6: Mon Oct 03 16:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\Besitzer\Anwendungsdaten\Jasc Software Inc\Paint Shop Pro 8\Cache\". Action Taken: No Action Taken. 7: Mon Oct 03 16:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\Besitzer\Anwendungsdaten\Jasc Software Inc\Paint Shop Pro 8\". Action Taken: No Action Taken. 8: Mon Oct 03 16:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\Besitzer\Anwendungsdaten\Jasc Software Inc\". Action Taken: No Action Taken. 9: Mon Oct 03 16:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\Besitzer\Eigene Dateien\My PSP8 Files\Skripts (eingeschränkt)\". Action Taken: No Action Taken. 10: Mon Oct 03 16:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\Besitzer\Eigene Dateien\My PSP8 Files\". Action Taken: No Action Taken. 11: Mon Oct 03 16:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\". Action Taken: No Action Taken. 12: Mon Oct 03 16:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Alcohol Soft\Alcohol 120\". Action Taken: No Action Taken. 13: Mon Oct 03 16:58:18 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Alcohol Soft\". Action Taken: No Action Taken. 14: Mon Oct 03 16:58:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Genius DTV\". Action Taken: No Action Taken. 15: Mon Oct 03 16:58:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Genius DTV\ini\". Action Taken: No Action Taken. 16: Mon Oct 03 16:58:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Documents\My Pictures\Image Editor\Default archive\". Action Taken: No Action Taken. 17: Mon Oct 03 16:58:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Documents\My Pictures\Image Editor\". Action Taken: No Action Taken. 18: Mon Oct 03 16:58:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Documents\My Pictures\". Action Taken: No Action Taken. 19: Mon Oct 03 16:58:21 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ccd". Action Taken: No Action Taken. 20: Mon Oct 03 16:58:21 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".image". Action Taken: No Action Taken. 21: Mon Oct 03 16:58:21 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ldif". Action Taken: No Action Taken. 22: Mon Oct 03 16:58:21 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".MRK". Action Taken: No Action Taken. 23: Mon Oct 03 16:58:21 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tmp". Action Taken: No Action Taken. 24: Mon Oct 03 16:58:21 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".vdj". Action Taken: No Action Taken. 25: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "AC3Filter". Action Taken: No Action Taken. 26: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Ad-aware 6 Personal". Action Taken: No Action Taken. 27: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Cubes". Action Taken: No Action Taken. 28: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "dlatray.exe". Action Taken: No Action Taken. 29: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "eMule". Action Taken: No Action Taken. 30: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Hard Drive Inspector". Action Taken: No Action Taken. 31: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "kazaalite202_is1". Action Taken: No Action Taken. 32: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB873339". Action Taken: No Action Taken. 33: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB885835". Action Taken: No Action Taken. 34: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB888310". Action Taken: No Action Taken. 35: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB890175". Action Taken: No Action Taken. 36: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB892627". Action Taken: No Action Taken. 37: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB893056". Action Taken: No Action Taken. 38: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "McAfee Personal Firewall Plus". Action Taken: No Action Taken. 39: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "McAfee SpamKiller". Action Taken: No Action Taken. 40: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.0.3)". Action Taken: No Action Taken. 41: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.0.6)". Action Taken: No Action Taken. 42: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "PartitionExpert". Action Taken: No Action Taken. 43: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Supreme Auction - DeskStart_is1". Action Taken: No Action Taken. 44: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "VirusScan Online". Action Taken: No Action Taken. 45: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "xp-AntiSpy". Action Taken: No Action Taken. 46: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}". Action Taken: No Action Taken. 47: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7585478E9D9B42108671C12F8714CEFE}". Action Taken: No Action Taken. 48: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7B63B2922B174135AFC0E1377DD81EC2}". Action Taken: No Action Taken. 49: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{8ADFC4160D694100B5B8A22DE9DCABD9}". Action Taken: No Action Taken. 50: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-0000-0000-0000-6028747ADE01}". Action Taken: No Action Taken. 51: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-7AD7-1031-7B44-A00000000001}". Action Taken: No Action Taken. 52: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}". Action Taken: No Action Taken. 53: Mon Oct 03 16:58:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{E9F81423-211E-46B6-9AE0-38568BC5CF6F}". Action Taken: No Action Taken. 54: Mon Oct 03 16:58:27 2005 => Entry "HKCR\img_auto_file\shell\open\command" refers to invalid object ""C:\Programme\Adobe\Acrobat 6.0\Reader\AcroRd32.exe" "%1"". Action Taken: No Action Taken. -------------------------------------------------- -------------------- Statistik ------------------- -------------------------------------------------- Mon Oct 03 16:58:30 2005 => Total Objects Scanned: 21509 Mon Oct 03 16:58:30 2005 => Total Virus(es) Found: 25 Mon Oct 03 16:58:30 2005 => Total Errors: 54 Mon Oct 03 16:58:30 2005 => Virus Database Date: 2005/10/03 Mon Oct 03 16:58:30 2005 => Virus Database Count: 152199 Mon Oct 03 16:58:38 2005 => Virus Database Date: 2005/10/03 Mon Oct 03 16:58:38 2005 => Virus Database Count: 152199 |
|
03.10.2005, 16:29
| #2 |
  | mein logfile! was nun? Hi,
__________________leere erst mal mit clearprog 1.4.1 final alle temp-files (clicke auf "alles Löschen", wenn fertig auf beenden), dann sind von den 25 Funden schon mal 17 weg. Dann solltest du z.B. mit Regseeker die Registry säubern, dann sollte der REst auch weg sein. Zur Kontrolle danach einen neuen eScan durchführen. Übrigens: clearprog sollte man nach jeder I-Net-Sitzung laufen lassen. cacatoa
__________________ |
|
03.10.2005, 18:36
| #3 |
| | mein logfile! was nun? hab ich gemacht, danke für den tip! sind jetzt zumindest weniger gefährliche objekte! wie krieg ich jetzt den rest weg?
__________________ |
|
03.10.2005, 18:39
| #4 |
| | mein logfile! was nun? Was ist denn noch da? Meine Glaskugel ist momentan verkratzt, ich sehe somit dein neues Logfile nicht.  cacatoa
__________________ Der Mensch sollte eine Hundeseele haben |
|
03.10.2005, 18:50
| #5 |
| | mein logfile! was nun? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Funde für "infected" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mon Oct 03 18:06:00 2005 => System found infected with edonkey2000 Spyware/Adware ({320154bb-d666-48f6-990e-172b32954620})! Action taken: No Action Taken. Mon Oct 03 18:06:00 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken. Mon Oct 03 18:06:00 2005 => System found infected with stylexp Spyware/Adware ({c333cf63-767f-4831-94ac-e683d962c63c})! Action taken: No Action Taken. Mon Oct 03 18:06:06 2005 => System found infected with easysearch Spyware/Adware (index.html)! Action taken: No Action Taken. Mon Oct 03 18:06:16 2005 => System found infected with easysearch Spyware/Adware (index.html)! Action taken: No Action Taken. Mon Oct 03 18:06:17 2005 => System found infected with hotbar Spyware/Adware (wbemess.lo_)! Action taken: No Action Taken. Mon Oct 03 19:01:32 2005 => Total Disinfected Files: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Funde für "tagged" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Funde für "offending" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mon Oct 03 18:06:02 2005 => Offending Key found: HKLM\Software\mm !!! Mon Oct 03 18:06:02 2005 => Offending Key found: HKCU\Software\mm !!! Mon Oct 03 18:06:02 2005 => Offending value found in HKLM\Software\Licenses: {i56b3cf0d9ab991e1} !!! Mon Oct 03 18:06:02 2005 => Offending value found in HKLM\Software\Licenses: {056b3cf0d9ab991e1} !!! Mon Oct 03 18:06:06 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Eigene Dateien\downloads\lame\index.html Mon Oct 03 18:06:12 2005 => Offending Folder found: C:\Dokumente und Einstellungen\tostamistica\Eigene Dateien\eigene musik\midnight oil Mon Oct 03 18:06:14 2005 => Offending Folder found: C:\Dokumente und Einstellungen\tostamistica\Eigene Dateien\kazaa Mon Oct 03 18:06:16 2005 => Offending Folder found: C:\Dokumente und Einstellungen\tostamistica\Eigene Dateien\Eigene Musik\midnight oil Mon Oct 03 18:06:16 2005 => Offending file found: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\cyberlink\powerdvd\ipower\index.html Mon Oct 03 18:06:17 2005 => Offending file found: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\spybot - search & destroy\backups\wbemess.lo_ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Statistiken: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mon Oct 03 19:01:32 2005 => Total Virus(es) Found: 13 Mon Oct 03 19:01:33 2005 => Total Errors: 114 Mon Oct 03 19:01:33 2005 => Time Elapsed: 00:56:01 Mon Oct 03 19:01:32 2005 => Total Objects Scanned: 23934 Mon Oct 03 18:04:29 2005 => Virus Database Date: 2005/10/03 Mon Oct 03 19:01:33 2005 => Virus Database Date: 2005/10/03 Mon Oct 03 19:01:39 2005 => Virus Database Date: 2005/10/03 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ © Haui ;-) ~~~~~~~ ~~~~~~~ Dank an Cidre ~~~~~~~ |
|
03.10.2005, 18:52
| #6 |
| | mein logfile! was nun? Hattest Du Regseeker eingesetzt? cacatoa edit: und immer dran denken: die mwav.log erst löschen, dann neu scannen.
__________________ --> mein logfile! was nun? |
|
03.10.2005, 18:55
| #7 |
| | mein logfile! was nun? hab ich alles gemacht! haste noch ne idee? |
|
03.10.2005, 19:02
| #8 |
| | mein logfile! was nun? Ja, Du kannst die Registry-Schlüssel suchen und löschen. Probier´s aber mal mit Spybot S&D 1.4 und mit AdAware SE. Beide im abgesicherten Modus laufen lassen. cacatoa Edit: Beide Progs zuerst updaten!!
__________________ Der Mensch sollte eine Hundeseele haben Geändert von cacatoa (03.10.2005 um 19:10 Uhr) |
|
03.10.2005, 19:41
| #9 |
| | mein logfile! was nun? so, hab ich alles gemacht! und nochmal gescant! rausgekommen ist folgendes logfile: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Funde für "infected" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mon Oct 03 20:27:08 2005 => System found infected with edonkey2000 Spyware/Adware ({320154bb-d666-48f6-990e-172b32954620})! Action taken: No Action Taken. Mon Oct 03 20:27:08 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken. Mon Oct 03 20:27:08 2005 => System found infected with stylexp Spyware/Adware ({c333cf63-767f-4831-94ac-e683d962c63c})! Action taken: No Action Taken. Mon Oct 03 20:27:12 2005 => System found infected with easysearch Spyware/Adware (index.html)! Action taken: No Action Taken. Mon Oct 03 20:27:14 2005 => System found infected with easysearch Spyware/Adware (index.html)! Action taken: No Action Taken. Mon Oct 03 20:27:14 2005 => System found infected with hotbar Spyware/Adware (wbemess.lo_)! Action taken: No Action Taken. Mon Oct 03 20:27:27 2005 => Total Disinfected Files: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Funde für "tagged" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Funde für "offending" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mon Oct 03 20:27:10 2005 => Offending Key found: HKLM\Software\mm !!! Mon Oct 03 20:27:10 2005 => Offending Key found: HKCU\Software\mm !!! Mon Oct 03 20:27:10 2005 => Offending value found in HKLM\Software\Licenses: {i56b3cf0d9ab991e1} !!! Mon Oct 03 20:27:10 2005 => Offending value found in HKLM\Software\Licenses: {056b3cf0d9ab991e1} !!! Mon Oct 03 20:27:12 2005 => Offending file found: C:\Dokumente und Einstellungen\tostamistica\Eigene Dateien\downloads\lame\index.html Mon Oct 03 20:27:13 2005 => Offending Folder found: C:\Dokumente und Einstellungen\tostamistica\Eigene Dateien\eigene musik\midnight oil Mon Oct 03 20:27:13 2005 => Offending Folder found: C:\Dokumente und Einstellungen\tostamistica\Eigene Dateien\kazaa Mon Oct 03 20:27:14 2005 => Offending Folder found: C:\Dokumente und Einstellungen\tostamistica\Eigene Dateien\Eigene Musik\midnight oil Mon Oct 03 20:27:14 2005 => Offending file found: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\cyberlink\powerdvd\ipower\index.html Mon Oct 03 20:27:14 2005 => Offending file found: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\spybot - search & destroy\backups\wbemess.lo_ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Statistiken: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mon Oct 03 20:27:27 2005 => Total Virus(es) Found: 13 Mon Oct 03 20:27:27 2005 => Total Errors: 0 Mon Oct 03 20:27:27 2005 => Time Elapsed: 00:00:44 Mon Oct 03 20:27:27 2005 => Total Objects Scanned: 21168 Mon Oct 03 20:26:29 2005 => Virus Database Date: 2005/10/03 Mon Oct 03 20:27:27 2005 => Virus Database Date: 2005/10/03 Mon Oct 03 20:27:33 2005 => Virus Database Date: 2005/10/03 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~ © Haui ;-) ~~~~~~~ ~~~~~~~ Dank an Cidre ~~~~~~~ |
|
03.10.2005, 20:07
| #10 |
| | mein logfile! was nun? habe jetzt mal ein hjt file erstellt! Logfile of HijackThis v1.99.1 Scan saved at 21:03:42, on 03.10.2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Intel\Wireless\Bin\EvtEng.exe C:\Programme\Intel\Wireless\Bin\S24EvMon.exe C:\Programme\Intel\Wireless\Bin\WLKeeper.exe C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\AVPersonal\AVGUARD.EXE C:\Programme\FRITZ!DSL\IGDCTRL.EXE C:\Programme\AVPersonal\AVWUPSRV.EXE C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe C:\Programme\Intel\Wireless\Bin\RegSrvc.exe C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\wdfmgr.exe C:\Programme\Raxco\PerfectDisk\PDSched.exe C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe C:\Programme\Apoint\Apoint.exe C:\Programme\CyberLink\PowerDVD\PDVDServ.exe C:\Programme\SlySoft\AnyDVD\AnyDVD.exe C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe C:\Programme\Spybot - Search & Destroy\TeaTimer.exe C:\Programme\Apoint\Apntex.exe C:\Programme\Digital Line Detect\DLG.exe C:\Programme\FRITZ!DSL\FwebProt.exe C:\Programme\FRITZ!DSL\StCenter.EXE C:\WINDOWS\System32\alg.exe C:\Programme\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\svchost.exe C:\Programme\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/at/dea/gen/default.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.de/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\system32\sfg.dll O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll O3 - Toolbar: Barra do SAPO - {D02BA59A-9A8E-4B25-8145-E068B7A7A715} - C:\WINDOWS\DOWNLO~1\SAPOBr.dll O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll" O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe" /autocheck O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll" O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe" O4 - HKCU\..\Run: [Kaspersky Anti-Virus GUI Part] C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: FRITZ!DSL Protect.lnk = C:\Programme\FRITZ!DSL\FwebProt.exe O4 - Global Startup: Digital Line Detect.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/de/4,0,0,90/mcinsctl.cab O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121293923972 O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/de/1,0,0,23/mcgdmgr.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{51213E1E-9294-455C-BF19-7ACD285F2D7C}: NameServer = 192.168.178.1,194.25.2.130 O17 - HKLM\System\CS1\Services\Tcpip\..\{51213E1E-9294-455C-BF19-7ACD285F2D7C}: NameServer = 192.168.178.1,194.25.2.130 O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - (no file) O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programme\Dell\NICCONFIGSVC\NICCONFIGSVC.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDSched.exe O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe _____________ Anm. Aktive Links editiert! Beachte zukünftig die Hinweise dieser Anleitung: HiJackThis. LG Cidre S-Mod TB |
|
03.10.2005, 20:30
| #11 |
| | mein logfile! was nun? Folgendes mit HJT im abgesicherten Modus bei deaktivierter Systemwiederherstellung fixen: O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\system32\sfg.dll O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll O3 - Toolbar: Barra do SAPO - {D02BA59A-9A8E-4B25-8145-E068B7A7A715} - C:\WINDOWS\DOWNLO~1\SAPOBr.dll O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll" O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\system32\sfg.dll" O4 - Global Startup: Digital Line Detect.lnk = ? O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1...datePortal.cab Dann manuell löschen: C:\WINDOWS\system32\sfg.dll C:\Programme\BitComet Toolbar\v2.0.0.1\BitComet_Toolbar.dll C:\WINDOWS\DOWNLO~1\SAPOBr.dll Dann neues Logfile im Normal-Modus erstellen. cacatoa
__________________ Der Mensch sollte eine Hundeseele haben |
|
04.10.2005, 00:18
| #12 |
| | mein logfile! was nun? hab ich jetzt gemacht! hjt sagt zum schluss allerdings was von unexpected error und ich soll irgendnen report zu irgendwem schicken! daraufhin hab ich versucht die 3 dateien manuell zu löschen, konnte sie aber nirgends finden! |
|
04.10.2005, 10:47
| #13 |
| | mein logfile! was nun? versuche gerade im normalmodus neues escan-log zu erstellen, scan hängt sich allerdings schon mehrfach bei folgender datei auf: Tue Oct 04 11:38:17 2005 => Scanning Folder: C:\Dokumente und Einstellungen\tostamistica\Anwendungsdaten\Thunderbird\Profiles\3l9ddlf6.default\Mail\Local Folders\*.* |
|
04.10.2005, 10:57
| #14 | |
 | mein logfile! was nun? @tostamistica Zitat:
|
|
04.10.2005, 11:00
| #15 |
| | mein logfile! was nun? aha! hab ich jetzt abgebrochen! was meinte denn dann cacatoa in seinem letzten beitrag? |
|
| Themen zu mein logfile! was nun? |
| acrobat, ad-aware, adobe, agent, besitzer, content.ie5, cyberlink, dateien, drivers, einstellungen, explorer, file, firefox, firewall, infected, internet, logfile, microsoft, mozilla, mozilla firefox, object, online, programme, software, spybot, system, system32, temp, virusscan, windows, windows\system32\drivers |
Linear-Darstellung
