O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe fixen ..

4 beiträge in 2 min muhaha xD

Zitat:

Zitat von ballermann

O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe fixen ..

4 beiträge in 2 min muhaha xD

Mit Fixen ist es nicht getan!!!

Auch wenn ich glaube das das eher kein Schädling ist lad die Datei mal probeweise bei Virustotal
hoch und poste das vollständige Ergebnis.

hmm wie kommt ihr jetz auf schowwnd.exe? naja hab sie mal bei virustotal getestet:

AhnLab-V3 2007.5.9.0 05.08.2007 no virus found
AntiVir 7.4.0.15 05.08.2007 no virus found
Authentium 4.93.8 05.07.2007 no virus found
Avast 4.7.997.0 05.07.2007 no virus found
AVG 7.5.0.467 05.08.2007 no virus found
BitDefender 7.2 05.08.2007 no virus found
CAT-QuickHeal 9.00 05.08.2007 no virus found
ClamAV devel-20070416 05.08.2007 no virus found
DrWeb 4.33 05.08.2007 no virus found
eSafe 7.0.15.0 05.07.2007 no virus found
eTrust-Vet 30.7.3618 05.08.2007 no virus found
Ewido 4.0 05.08.2007 no virus found
FileAdvisor 1 05.08.2007 No threat detected
Fortinet 2.85.0.0 05.08.2007 no virus found
F-Prot 4.3.2.48 05.07.2007 no virus found
F-Secure 6.70.13030.0 05.08.2007 no virus found
Ikarus T3.1.1.7 05.08.2007 no virus found
Kaspersky 4.0.2.24 05.08.2007 no virus found
McAfee 5025 05.07.2007 no virus found
Microsoft 1.2503 05.07.2007 no virus found
NOD32v2 2249 05.08.2007 no virus found
Norman 5.80.02 05.08.2007 no virus found
Panda 9.0.0.4 05.07.2007 no virus found
Prevx1 V2 05.08.2007 no virus found
Sophos 4.17.0 05.07.2007 no virus found
Sunbelt 2.2.907.0 05.05.2007 no virus found
Symantec 10 05.08.2007 no virus found
TheHacker 6.1.6.109 05.08.2007 no virus found
VBA32 3.12.0 05.08.2007 no virus found
VirusBuster 4.3.7:9 05.08.2007 no virus found
Webwasher-Gateway 6.0.1 05.08.2007 no virus

ausserdem hab ich nochmal mit eScan gescannt:

Object "smitfraud Browser Hijacker" found in File System! Action Taken: Entries Removed.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: Entries Removed.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: Entries Removed.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: Entries Removed.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: Entries Removed.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: Entries Removed.
Entry "HKCR\ATLPlugin.ATL3DPage_d2.1" refers to invalid object "{cc10ddda-2452-4598-a6c4-f9f2f0b6a758
}". Action Taken: Entries Removed.
Entry "HKCR\Automap.Map.EU" refers to invalid object "{A49EEA01-9231-4C77-AA9E-2F89D72B4804}". Action Taken: Entries Removed.
Entry "HKCR\Automap.Map.EU.11" refers to invalid object "{A49EEA01-9231-4C77-AA9E-2F89D72B4804}". Action Taken: Entries Removed.
Entry "HKCR\Automap.Template.EU.11" refers to invalid object "{A49EEA01-9231-4C77-AA9E-2F89D72B4804}". Action Taken: Entries Removed.
Entry "HKCR\CDDBControlApple.CddbFullName.1" refers to invalid object "{63338267-37c4-44cf-8e46-756fbe9c8fdc}". Action Taken: Entries Removed.
Entry "HKCR\CDDBControlApple.FullName" refers to invalid object "{63338267-37c4-44cf-8e46-756fbe9c8fdc}". Action Taken: Entries Removed.
Entry "HKCR\DirectAnimation.PathControl" refers to invalid object "{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}". Action Taken: Entries Removed.
Entry "HKCR\DirectAnimation.Sequence" refers to invalid object "{4F241DB1-EE9F-11D0-9824-006097C99E51}". Action Taken: Entries Removed.
Entry "HKCR\DirectAnimation.SequencerControl" refers to invalid object "{B0A6BAE2-AAF0-11D0-A152-00A0C908DB96}". Action Taken: Entries Removed.
Entry "HKCR\DirectAnimation.SpriteControl" refers to invalid object "{FD179533-D86E-11D0-89D6-00A0C90833E6}". Action Taken: Entries Removed.
Entry "HKCR\DirectAnimation.StructuredGraphicsControl" refers to invalid object "{369303C2-D7AC-11D0-89D5-00A0C90833E6}". Action Taken: Entries Removed.
Entry "HKCR\MISB.DhtmlPluginWrapper" refers to invalid object "{8D18DFF4-0943-4347-8BCA-0C57033F6820}". Action Taken: Entries Removed.
Entry "HKCR\MXtra.DhtmlWrapper" refers to invalid object "{8D18DFF4-0943-4347-8BCA-0C57033F6820}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\SBSCMP10.DLL". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\hdr_register_1.gif". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\hdr_register_3.gif". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\hdr_register_4.gif". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\hdr_register_5.gif". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\hdr_register_6.gif". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\hdr_register_7.gif". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\logo.jpg". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\px_cl.gif". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\redbullet.gif". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-CHS.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-CHT.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-CSY.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-DAN.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-DEU.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-ENG.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-ENU.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-ESP.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-FIN.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-FRA.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-ITA.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-JPN.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-KOR.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-NLD.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-NON.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-POL.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-PTG.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-RUS.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Pinnacle\Shared Files\Pixie\RegisterTrial\register-SVE.html". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Eigene Bilder\Picture1.jpg". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\Eigene Bilder\Picture2.jpg". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\DIMM.DLL". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\PrintMe Internet Printing\". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\InstantCD+DVD\Tools\". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".002". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".008". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".1". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".part". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".torrent". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{09DA4F91-2A09-4232-AB8C-6BC740096DE3}". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7B802DE5-84E5-4503-965B-2ABFFC78506A}". Action Taken: Entries Removed.
File E:\AUTORUN.INF infected by "Fujack" Virus! Action Taken: Deleted.

was soll mir das jetz sagen alles trojaner viren was da aufgelistet wird?
Das dumme ist das ich sonen kack recovery system habe sonst würd ich die platte einfach komplett löschen....

Leere mal auf der externen den Ordner:

Zitat:

L:\Recycler

Ansonsten sehe ich keine Auffäligkeiten.

wenn ich den pfad eingebe finde ich zwar den ordner er ist allerdings leer bzw unter eigenschaften wird er als versteckt angezeigt. komisch ist allerdings das bei den benutzern die zugriff auf diesen ordner haben S-1-5-21-1129303390-319747316-2448360696-1006 diese nummer als benutzer mit fragezeichen angezeigt wird was hat das zu bedeuten?

www.winhilfe.info/Windows_XP/XP_Problemloesungen/Versteckte_Ordner_sichtbar_machen_20050530101/

alles klar hab diesen recycler papier korb jetz gelöscht.. funzt soweit alles.. danke für die hilfe