Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Anleitungen, FAQs & Links (https://www.trojaner-board.de/anleitungen-faqs-links/)
-   -   Windows Protection Suite entfernen (https://www.trojaner-board.de/81006-windows-protection-suite-entfernen.html)

AdminBot 30.12.2009 11:26
Windows Protection Suite entfernen
 
Liste der Anhänge anzeigen (Anzahl: 6)
Windows Protection Suite entfernen


Was ist Windows Protection Suite?
Windows Protection Suite ist eine weitere gefälschte Scan-Software, die mittels eines trojanischen Pferdes in den PC eindringt und weissmacht, den PC nach Malware abzusuchen. Diese Software ist ein Fake und selbst eine Schadsoftware und sollte nicht gekauft werden.

Verbreitet wird Windows Protection Suite nicht mehr ausschliesslich über 'dubiose Seiten' für Cracks, KeyGens und Warez, sondern auch seriöse Seiten werden zunehmend für die Verbreitung dieser mißbraucht (http://www.trojaner-board.de/90880-d...tallation.html).


http://www.trojaner-board.de/attachm...1&d=1266433979 http://www.trojaner-board.de/attachm...1&d=1266433979
http://www.trojaner-board.de/attachm...1&d=1266433979

Symptome von Windows Protection Suite:
  • Ständige Virenfalschmeldungen
  • PC ist langsamer als sonst
http://www.trojaner-board.de/attachm...1&d=1266433979
http://www.trojaner-board.de/attachm...1&d=1266433979 http://www.trojaner-board.de/attachm...1&d=1266433979

Dateien von Windows Protection Suite:
Code:
c:\ADWARE_LOG
c:\Documents and Settings\All Users\Application Data\345d567
c:\Documents and Settings\All Users\Application Data\345d567\285.mof
c:\Documents and Settings\All Users\Application Data\345d567\mozcrt19.dll
c:\Documents and Settings\All Users\Application Data\345d567\sqlite3.dll
c:\Documents and Settings\All Users\Application Data\345d567\WI345d.exe
c:\Documents and Settings\All Users\Application Data\345d567\WINPS.ico
c:\Documents and Settings\All Users\Application Data\345d567\working.log
c:\Documents and Settings\All Users\Application Data\345d567\WINSPSys
c:\Documents and Settings\All Users\Application Data\345d567\WINSPSys\vd952342.bd
c:\Documents and Settings\All Users\Application Data\WINSPSys
c:\Documents and Settings\All Users\Application Data\WINSPSys\winps.cfg
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Protection Suite.lnk
%UserProfile%\Application Data\Windows Protection Suite
%UserProfile%\Application Data\Windows Protection Suite\cookies.sqlite
%UserProfile%\Application Data\Windows Protection Suite\Instructions.ini
%UserProfile%\Desktop\Windows Protection Suite.lnk
%UserProfile%\Recent\cb.sys
%UserProfile%\Recent\cid.dll
%UserProfile%\Recent\cid.tmp
%UserProfile%\Recent\CLSV.dll
%UserProfile%\Recent\CLSV.tmp
%UserProfile%\Recent\DBOLE.sys
%UserProfile%\Recent\ddv.dll
%UserProfile%\Recent\eb.sys
%UserProfile%\Recent\eb.tmp
%UserProfile%\Recent\energy.drv
%UserProfile%\Recent\energy.sys
%UserProfile%\Recent\exec.tmp
%UserProfile%\Recent\kernel32.drv
%UserProfile%\Recent\PE.drv
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\ppal.exe
%UserProfile%\Recent\runddlkey.drv
%UserProfile%\Recent\snl2w.sys
%UserProfile%\Recent\tempdoc.dll
%UserProfile%\Start Menu\Windows Protection Suite.lnk
%UserProfile%\Start Menu\Programs\Windows Protection Suite.lnk
c:\Program Files\Mozilla Firefox\searchplugins\search.xml

Registry-Einträge von Windows Protection Suite:
Code:
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\WI345d.DocHostUIHandler
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes "URL" = "http://search-gala.com/?&uid=7&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "9877034603"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows Protection Suite"

Windows Protection Suite im HijackThis-Log:
Code:
O4 - HKCU\..\Run: [Windows Protection Suite] "C:\Documents and Settings\All Users\Application Data\345d567\WI345d.exe" /s /d

AdminBot 30.12.2009 11:27
Windows Protection Suite entfernen
 
Liste der Anhänge anzeigen (Anzahl: 1)
Windows Protection Suite entfernen

  • Starte einen vollständigen Scan mit Malwarebytes Anti-Malware
Achtung: Diese Fake Software wird versuchen, den Einsatz von Malwarebytes zu verhindern. Benenne das Setup vor dem speichern in etwas anderes um (z.B. Herbert.exe).

Falls es vorher nicht funktioniert hat, sollte das Setup jetzt starten.

Wenn das Programm nach der Installation nicht starten sollte, dann benenne die "mbam.exe" in "herbert.exe" um und versuche es erneut.


http://www.trojaner-board.de/attachm...ntfernen-2.png


http://www.trojaner-board.de/attachm...1&d=1266434263


Code:
Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 42
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 1
Infizierte Dateien: 6
Infizierte Speicherprozesse:
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\843f\WindowsPS.exe (Rogue.WindowsProtectionSuite) -> Unloaded process successfully.
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe  (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adwareprj.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus_pro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusplus (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusplus.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxp (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcare.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\savedefense.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\malwareremoval.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc_antispyware2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\peravir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quick heal.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\savekeep.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\security center.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartdefender.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w3asbas.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe (Security.Hijack) -> Quarantined and deleted successfully.
Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows protection suite (Rogue.WindowsProtectionSuite) -> Quarantined and deleted successfully.
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse:
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WINSPSys (Rogue.WindowsProtectionSuite) -> Quarantined and deleted successfully.
Infizierte Dateien:
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\843f\WindowsPS.exe (Rogue.WindowsProtectionSuite) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WINSPSys\winps.cfg (Rogue.WindowsProtectionSuite) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\User\Desktop\Windows Protection Suite.lnk (Rogue.WindowsProtectionSuite) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\User\Startmenü\Programme\Windows Protection Suite.lnk (Rogue.WindowsProtectionSuite) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\User\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Windows Protection Suite.lnk (Rogue.WindowsProtectionSuite) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\User\Startmenü\Windows Protection Suite.lnk (Rogue.WindowsProtectionSuite) -> Quarantined and deleted successfully.

Da GuRu 17.02.2010 19:50
Windows Protection Suite entfernen
 

Windows Protection Suite immer noch nicht entfernt?

OTH - OTHelper - Kill All Processes


Mit aktualisiertem (!!) Malwarebytes Anti-Malware nach Ausführen von OTH nochmal QUICKSCAN ausführen.

Bitte alle temporären Dateien löschen und Speicherplatz freigeben.


Weitergehende Prüfung

Das System könnte noch nicht vollständig sauber sein.

Daher unbedingt ein Thema erstellen: Für alle Hilfesuchenden! Was muss ich vor der Eröffnung eines Themas beachten?

Nicht vergessen mit FRST-Logfiles wie in der Anleitung beschrieben.

Wie man Hilfe bekommt steht auch hier.


Alle Zeitangaben in WEZ +1. Es ist jetzt 06:31 Uhr.

Copyright ©2000-2024, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129