Trojaner-Board


Gunnarsen 23.10.2006 13:12

Spyware and worms

Good morning,

I ran a very thorough scan with eScan (admittedly not following the instructions from here :heilig: ) because I had the feeling that there was unwanted stuff on my PC. The scan confirmed that.
Here is the eScan log (it listed every file it scanned, and I hope I haven't deleted too much or too little of it now):

Code:

Mon Oct 23 01:16:03 2006 => Source: C:\DOKUME~1\***\Desktop\mwav.exe
Mon Oct 23 01:16:03 2006 => Version 8.5.7 (C:\DOKUME~1\***\LOKALE~1\Temp\mexe.com)
Mon Oct 23 01:16:03 2006 => Log File: C:\DOKUME~1\***\LOKALE~1\Temp\MWAV.LOG
Mon Oct 23 01:16:03 2006 => Last Scan Date and Time: 22.10.2006 13:02:36
Mon Oct 23 01:16:03 2006 => MWAV Registered: FALSE.
Mon Oct 23 01:16:03 2006 => OS Type: Windows Workstation
Mon Oct 23 01:16:03 2006 => OS: Windows XP
Mon Oct 23 01:16:03 2006 => Ver: Service Pack 2 (Build 2600)
Mon Oct 23 01:16:03 2006 => Windows Root  Folder: C:\WINDOWS
Mon Oct 23 01:16:03 2006 => Windows Sys32 Folder: C:\WINDOWS\system32
Mon Oct 23 01:16:03 2006 => Local Fixed Drives: c:\,d:\
Mon Oct 23 01:16:03 2006 => MWAV Mode: Only Scan files.
Mon Oct 23 01:16:03 2006 => Latest Date of files inside MWAV: 22 Oct 2006  12:34:48.
Mon Oct 23 01:16:05 2006 => AV Library Loaded...
Mon Oct 23 01:16:05 2006 => MWAV doing self scanning...
Mon Oct 23 01:16:05 2006 => MWAV files are clean.
Mon Oct 23 01:16:05 2006 => Virus Database Date: 10/22/2006
Mon Oct 23 01:16:05 2006 => Virus Database Count: 233834
Mon Oct 23 01:16:23 2006 => Downloading AntiVirus and Anti-Spyware Databases...
Mon Oct 23 01:16:32 2006 => Downloads Successful...
Mon Oct 23 01:16:35 2006 => Reload of AntiVirus Signatures successfully done.
Mon Oct 23 01:16:35 2006 => Virus Database Date: 10/23/2006
Mon Oct 23 01:16:35 2006 => Virus Database Count: 233865

Mon Oct 23 01:16:37 2006 => Version 8.5.7 (C:\DOKUME~1\***\LOKALE~1\Temp\mexe.com)
Mon Oct 23 01:16:37 2006 => Log File: C:\DOKUME~1\***\LOKALE~1\Temp\MWAV.LOG
Mon Oct 23 01:16:37 2006 => User Account: ***
Mon Oct 23 01:16:37 2006 => Windows Root  Folder: C:\WINDOWS
Mon Oct 23 01:16:37 2006 => Windows Sys32 Folder: C:\WINDOWS\system32
Mon Oct 23 01:16:37 2006 => OS: Windows XP
Mon Oct 23 01:16:37 2006 => Ver: Service Pack 2 (Build 2600)
Mon Oct 23 01:16:37 2006 => Latest Date of files inside MWAV: 23 Oct 2006  01:04:58.
 
Mon Oct 23 01:16:37 2006 => Options Selected by User:
Mon Oct 23 01:16:37 2006 => Memory Check: Enabled
Mon Oct 23 01:16:37 2006 => Registry Check: Enabled
Mon Oct 23 01:16:37 2006 => StartUp Folder Check: Enabled
Mon Oct 23 01:16:37 2006 => System Folder Check: Enabled
Mon Oct 23 01:16:37 2006 => System Area Check: Disabled
Mon Oct 23 01:16:37 2006 => Services Check: Enabled
Mon Oct 23 01:16:37 2006 => Drive Check Option Disabled
Mon Oct 23 01:16:37 2006 => Folder Check: Disabled
 
Mon Oct 23 01:17:21 2006 => Scanning File C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
Mon Oct 23 01:17:21 2006 => ERROR!!! Invalid Entry \??\F:\INSTALL\GMSIPCI.SYS in SYSTEM\CurrentControlSet\Services\GMSIPCI...
Mon Oct 23 01:17:21 2006 => Scanning File C:\WINDOWS\system32\DRIVERS\msgpc.sys
 
Mon Oct 23 01:17:27 2006 => Offending Key found: HKLM\Software\microsoft\downloadmanager !!!
Mon Oct 23 01:17:27 2006 => Object "istbar Spyware/Adware" found in File System! Action Taken: No Action Taken.

Mon Oct 23 01:17:28 2006 => Offending file found: C:\WINDOWS\system32\empty.exe
Mon Oct 23 01:17:28 2006 => System found infected with conducent flexpak Spyware/Adware (empty.exe)! Action taken: No Action Taken.
 
Mon Oct 23 01:17:28 2006 => Offending file found: C:\WINDOWS\system32\instsrv.exe
Mon Oct 23 01:17:28 2006 => System found infected with ezula Spyware/Adware (instsrv.exe)! Action taken: No Action Taken.
 
Mon Oct 23 01:17:28 2006 => Offending file found: C:\DOKUME~1\***\LOKALE~1\Temp\cmdlineext02.dll
Mon Oct 23 01:17:28 2006 => System found infected with whenu.savenow Spyware/Adware (cmdlineext02.dll)! Action taken: No Action Taken.
 
Mon Oct 23 01:17:57 2006 => Offending Folder found: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\temp\7zeea.tmp\m\midnight oil
Mon Oct 23 01:17:57 2006 => Object "midnight oil Spyware/Adware" found in File System! Action Taken: No Action Taken.

Mon Oct 23 01:18:19 2006 => Offending file found: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\temp\cmdlineext02.dll
Mon Oct 23 01:18:19 2006 => System found infected with whenu.savenow Spyware/Adware (cmdlineext02.dll)! Action taken: No Action Taken.
 
Mon Oct 23 01:18:22 2006 => Offending file found: C:\WINDOWS\system32\pslist.exe
Mon Oct 23 01:18:22 2006 => System found infected with rohbot Worm (C:\WINDOWS\system32\pslist.exe)! Action taken: No Action Taken.
 
Mon Oct 23 01:18:23 2006 => Checking CLSID Reference Entries...
Mon Oct 23 01:18:24 2006 => Entry "HKCR\YServer.Component.1" refers to invalid object "{B26DA9C0-7921-11D4-B0F2-0050DA2B3579}". Action Taken: No Action Taken.

Mon Oct 23 01:18:24 2006 => Checking Module Usage Entries...
Mon Oct 23 01:18:24 2006 => Checking User Trusted External App Entries...
Mon Oct 23 01:18:24 2006 => Checking Shared DLL Entries...
Mon Oct 23 01:18:24 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Microsoft Shared\TEXTCONV\MSWRD832.CNV". Action Taken: No Action Taken.

Mon Oct 23 01:18:24 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOKUME~1\***\LOKALE~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\FileGrp\Msvcrt10.dll". Action Taken: No Action Taken.

Mon Oct 23 01:18:25 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxwma.dll". Action Taken: No Action Taken.

Mon Oct 23 01:18:25 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxinsi64.exe". Action Taken: No Action Taken.

Mon Oct 23 01:18:25 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\pxcpyi64.exe". Action Taken: No Action Taken.

Mon Oct 23 01:18:25 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: No Action Taken.

Mon Oct 23 01:18:25 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Equation\eqnedt32.exe". Action Taken: No Action Taken.

Mon Oct 23 01:18:25 2006 => Checking Installer Entries...
Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\VentSrv\". Action Taken: No Action Taken.

Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\***\Startmenü\Programme\CSE Demoplayer\". Action Taken: No Action Taken.

Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\ATI Technologies\ATI.ACE\". Action Taken: No Action Taken.

Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\ATI Technologies\ATI.ACE\skins\". Action Taken: No Action Taken.

Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\ATI Technologies\ATI.ACE\skins\CATALYST_SteelBlue\". Action Taken: No Action Taken.

Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Adobe\Adobe Photoshop CS2\". Action Taken: No Action Taken.

Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Adobe\Adobe Photoshop CS2\Required\". Action Taken: No Action Taken.

Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Adobe\Adobe Bridge\". Action Taken: No Action Taken.

Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\ESL Upper\". Action Taken: No Action Taken.

Mon Oct 23 01:18:26 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\ESL Upper\upload\". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Checking Shared Tools Entries...
Mon Oct 23 01:18:27 2006 => Checking File Extension Entries...
Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".15/addons/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".15/addons/metamod/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".15/gfx/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/hlguard/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/hlguard/config/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/hlguard/dlls/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/metamod/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/metamod/dlls/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".46/cstrike/addons/soundcheck/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".afw". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".blob". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".c4d". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dat". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/gbook/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/ugly/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/v2/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/v2/gbook/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/v2/gbook/images/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/v2/gbook/images/smilies/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/v2/gfx/". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dmg". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".gsm". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mdl". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".met". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".msf". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".net_IMG_15189". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".popupskin". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ram". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rmm". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".so". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".spr". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".wad". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".wba". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "OpenWithList". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Checking Application Cache Entries...
Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Aston". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "ffdshow". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InstallShield_{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InstallShield_{872653C6-5DDC-488B-B7C2-CF9E4D9335E5}". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Miranda IM_is1". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "MSI Live Update 2". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "MSI Live Update 3". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NVIDIA Audio Driver". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NVIDIAnForce". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Opera". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Serious Samurize". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SSUtils". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Works2003Setup". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{0049F6AE-4FE2-4C43-A039-60FCE98A1986}". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7B802DE5-84E5-4503-965B-2ABFFC78506A}". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{8270831B-8F2F-4B65-8E2C-9712054C38D1}". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{CB2D95C7-189C-4596-B071-CE99C309573D}". Action Taken: No Action Taken.

Mon Oct 23 01:18:27 2006 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{E51B4CD9-A0A6-4324-B26A-31B3F2DE26CE}". Action Taken: No Action Taken.
 
 
Mon Oct 23 01:36:02 2006 => ***** Scanning complete. *****
 
Mon Oct 23 01:36:02 2006 => Total Objects Scanned: 69192
Mon Oct 23 01:36:02 2006 => Total Critical Objects: 9
Mon Oct 23 01:36:02 2006 => Total Disinfected Objects: 0
Mon Oct 23 01:36:02 2006 => Total Objects Renamed: 0
Mon Oct 23 01:36:02 2006 => Total Deleted Objects: 0
Mon Oct 23 01:36:02 2006 => Total Errors: 73
Mon Oct 23 01:36:02 2006 => Time Elapsed: 00:19:24
Mon Oct 23 01:36:02 2006 => Virus Database Date: 10/23/2006
Mon Oct 23 01:36:02 2006 => Virus Database Count: 233865
 
Mon Oct 23 01:36:02 2006 => Scan Completed.
 
Mon Oct 23 04:11:07 2006 => Virus Database Date: 10/23/2006
Mon Oct 23 04:11:07 2006 => Virus Database Count: 233865
Mon Oct 23 04:11:10 2006 => AV Library Unloaded (3)...

And here is the HijackThis log as well:
Code:

Logfile of HijackThis v1.99.1
Scan saved at 14:05:08, on 23.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Ray Adams\ATI Tray Tools\atitray.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\Miranda IM\miranda32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Opera\Opera.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Dokumente und Einstellungen\***\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Programme\Ray Adams\ATI Tray Tools\atitray.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programme\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programme\Yahoo!\Messenger\YahooMessenger.exe
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - h**p://w*w.johannrain-softwareentwicklung.de/DE/scan8/oscan8.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe

I never know whether I can just delete bad files and the like. :heulen: I hope you can help me.
Thanks in advance!

Groove,
Gunnarsen

Edit: I had forgotten to "censor" a URL. And here is some more information:
Firewall: router, plus Sygate Personal Firewall
AntiVirus: AntiVir (but it finds nothing)
Yesterday I already deleted the file "psKill.exe" in the System32 folder because, according to various sites, it is supposedly unwanted.

Gunnarsen 24.10.2006 13:43

Sorry for the double post, but can nobody help me?

theRealMcFly 24.10.2006 13:57

eScan only scans; it doesn't delete anything (No Action Taken.)

But this should help you:
http://www.derbilk.de/malware/1_anleitungen_escan.php

Gunnarsen 25.10.2006 14:36

First of all, thanks for the reply. :)

Here is the log from find.bat
Code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Mon Oct 23 01:17:28 2006 => System found infected with conducent flexpak Spyware/Adware (empty.exe)! Action taken: No Action Taken.
Mon Oct 23 01:17:28 2006 => System found infected with ezula Spyware/Adware (instsrv.exe)! Action taken: No Action Taken.
Mon Oct 23 01:17:28 2006 => System found infected with whenu.savenow Spyware/Adware (cmdlineext02.dll)! Action taken: No Action Taken.
Mon Oct 23 01:18:19 2006 => System found infected with whenu.savenow Spyware/Adware (cmdlineext02.dll)! Action taken: No Action Taken.
Mon Oct 23 01:18:22 2006 => System found infected with rohbot Worm (C:\WINDOWS\system32\pslist.exe)! Action taken: No Action Taken.
Mon Oct 23 01:36:02 2006 => Total Disinfected Objects: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Mon Oct 23 01:19:34 2006 => File C:\WINDOWS\system32\psexec.exe tagged as not-a-virus:RiskTool.Win32.PsExec.153. No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Funde für "offending"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Mon Oct 23 01:17:27 2006 => Offending Key found: HKLM\Software\microsoft\downloadmanager !!!
Mon Oct 23 01:17:28 2006 => Offending file found: C:\WINDOWS\system32\empty.exe
Mon Oct 23 01:17:28 2006 => Offending file found: C:\WINDOWS\system32\instsrv.exe
Mon Oct 23 01:17:28 2006 => Offending file found: C:\DOKUME~1\***\LOKALE~1\Temp\cmdlineext02.dll
Mon Oct 23 01:17:57 2006 => Offending Folder found: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\temp\7zeea.tmp\m\midnight oil
Mon Oct 23 01:18:19 2006 => Offending file found: C:\Dokumente und Einstellungen\***\Lokale Einstellungen\temp\cmdlineext02.dll
Mon Oct 23 01:18:22 2006 => Offending file found: C:\WINDOWS\system32\pslist.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Mon Oct 23 01:36:02 2006 => Total Objects Scanned: 69192
Mon Oct 23 01:36:02 2006 => Total Critical Objects: 9
Mon Oct 23 01:36:02 2006 => Total Disinfected Objects: 0
Mon Oct 23 01:36:02 2006 => Total Deleted Objects: 0
Mon Oct 23 01:36:02 2006 => Total Errors: 73
Mon Oct 23 01:36:02 2006 => Time Elapsed: 00:19:24
Mon Oct 23 01:16:05 2006 => Virus Database Date: 10/22/2006
Mon Oct 23 01:16:35 2006 => Virus Database Date: 10/23/2006
Mon Oct 23 01:36:02 2006 => Virus Database Date: 10/23/2006
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~

What can I do about all this stuff now? :S

Groove,
Gunnarsen
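As an added example (not code from the thread, from find.bat or from eScan), the filtering step that find.bat's output above shows, done in Python: it pulls the "infected", "tagged" and "offending" lines and the "Total ..." counters out of an eScan MWAV.LOG and reports what was detected but left in place. The sample log is constructed from lines of the thread's own log.

```python
"""Filter an eScan (MWAV.LOG) report the way the find.bat output in this
thread does: keep the "infected", "tagged" and "offending" lines plus the
scan statistics, then summarise what was detected but not cleaned.
Added example; not code from the forum, find.bat or eScan."""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(  # ctime-style timestamp, " => ", message: every MWAV.LOG line
    r"^(?P<ts>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}) => (?P<msg>.*)$")
INFECTED_RE = re.compile(
    r"System found infected with (?P<name>.+?) \((?P<file>[^)]+)\)!\s*"
    r"Action taken: (?P<action>.+?)\.?$")
OFFENDING_RE = re.compile(r"Offending (?P<kind>\w+) found: (?P<target>.+?)\s*(?:!!!)?$")
TAGGED_RE = re.compile(r"File (?P<file>.+?) tagged as (?P<name>\S+)\.\s+(?P<action>.+?)\.?$")
STATS_RE = re.compile(r"Total (?P<stat>[A-Za-z ]+): (?P<value>\d+)$")

SAMPLE_LOG = r"""
Mon Oct 23 01:16:37 2006 => Options Selected by User:
Mon Oct 23 01:17:27 2006 => Offending Key found: HKLM\Software\microsoft\downloadmanager !!!
Mon Oct 23 01:17:28 2006 => Offending file found: C:\WINDOWS\system32\empty.exe
Mon Oct 23 01:17:28 2006 => System found infected with conducent flexpak Spyware/Adware (empty.exe)! Action taken: No Action Taken.
Mon Oct 23 01:18:22 2006 => Offending file found: C:\WINDOWS\system32\pslist.exe
Mon Oct 23 01:18:22 2006 => System found infected with rohbot Worm (C:\WINDOWS\system32\pslist.exe)! Action taken: No Action Taken.
Mon Oct 23 01:19:34 2006 => File C:\WINDOWS\system32\psexec.exe tagged as not-a-virus:RiskTool.Win32.PsExec.153. No Action Taken.
Mon Oct 23 01:36:02 2006 => Total Objects Scanned: 69192
Mon Oct 23 01:36:02 2006 => Total Critical Objects: 9
Mon Oct 23 01:36:02 2006 => Total Disinfected Objects: 0
Mon Oct 23 01:36:02 2006 => Total Deleted Objects: 0
"""  # constructed from lines of the thread's own log

@dataclass
class Finding:
    timestamp: str
    category: str   # "infected", "tagged" or "offending"
    name: str       # detection name; for "offending" lines the object kind (Key/file/Folder)
    target: str     # file, folder or registry key eScan complained about
    action: str     # what eScan did with it ("" for offending lines, which state none)

@dataclass
class Report:
    findings: list = field(default_factory=list)
    stats: dict = field(default_factory=dict)

def parse_escan_log(text):
    """Return a Report holding the finding lines and the 'Total ...' counters."""
    report = Report()
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue                      # "Scanning File ...", "Checking ..." and so on
        ts, msg = line["ts"], line["msg"]
        if m := INFECTED_RE.match(msg):
            report.findings.append(Finding(ts, "infected", m["name"], m["file"], m["action"]))
        elif m := TAGGED_RE.match(msg):
            report.findings.append(Finding(ts, "tagged", m["name"], m["file"], m["action"]))
        elif m := OFFENDING_RE.match(msg):
            report.findings.append(Finding(ts, "offending", m["kind"], m["target"], ""))
        elif m := STATS_RE.match(msg):
            report.stats[m["stat"]] = int(m["value"])
    return report

def untouched(report):
    """Detections eScan reported but left in place. Every one in the thread reads
    'No Action Taken': in this mode eScan only scans, as theRealMcFly points out."""
    return [f for f in report.findings
            if f.category in ("infected", "tagged") and f.action == "No Action Taken"]

def worms(report):
    """Detections eScan classed as a worm rather than adware; the thread's one
    (rohbot on pslist.exe) is what the last reply's reinstall advice rests on."""
    return [f for f in report.findings if f.category == "infected" and "Worm" in f.name]

def summarize(report):
    counts = {}
    for f in report.findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    cleaned = sum(report.stats.get(k, 0) for k in
                  ("Disinfected Objects", "Objects Renamed", "Deleted Objects"))
    return {"counts": counts, "critical": report.stats.get("Critical Objects", 0),
            "cleaned": cleaned, "untouched": len(untouched(report)),
            "worms": [f.target for f in worms(report)]}

if __name__ == "__main__":
    print(summarize(parse_escan_log(SAMPLE_LOG)))
```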

irrlicht 25.10.2006 16:43

Hello,
first, in your next post you could leave out the "Code" and copy like all the other users do...
Second, you could google it yourself; then you would have found this:
http://www.sophos.com/security/analyses/w32rohbota.html
Under "Effects" it says what it does.
That means reinstalling from scratch and definitely changing all passwords. Changing, not just swapping them around!
Irrlicht

