|
Hilfe ich blick hier nicht mehr durch! Hallo zusammen erstmal! Ich habe ein Problem! Mein CA Etrust hat mir heute ein paar Viren erkannt welche er auch entfernen konnte! Daruafhin wurde ich stutzig und habe Hijackthis laufen lassen ebenso habe ich einen Escan mit Microworld AntiVirus Toolkit gemacht bei dem ich nicht so wirklich durchblicke! Ich glaube stell das am besten mal hier rein: Wäre nett wenn ihr mal drüberschauen könnt! |
File C:\WINDOWS\system32\affhba.dll//PE_Patch.PECompact//PecBundle//PECompact tagged as "not-a-virus:AdWare.Win32.PurityScan.ak". Action Taken: No Action Taken. Object "clickspring Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "smitfraud Browser Hijacker" found in File System! Action Taken: No Action Taken. Object "elite toolbar Spyware/Adware" found in File System! Action Taken: No Action Taken. Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken. Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken. Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken. Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken. Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken. Entry "HKCR\DirectAnimation.PathControl" refers to invalid object "{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}". Action Taken: No Action Taken. Entry "HKCR\DirectAnimation.Sequence" refers to invalid object "{4F241DB1-EE9F-11D0-9824-006097C99E51}". Action Taken: No Action Taken. Entry "HKCR\DirectAnimation.SequencerControl" refers to invalid object "{B0A6BAE2-AAF0-11D0-A152-00A0C908DB96}". Action Taken: No Action Taken. Entry "HKCR\DirectAnimation.SpriteControl" refers to invalid object "{FD179533-D86E-11D0-89D6-00A0C90833E6}". Action Taken: No Action Taken. Entry "HKCR\DirectAnimation.StructuredGraphicsControl" refers to invalid object "{369303C2-D7AC-11D0-89D5-00A0C90833E6}". Action Taken: No Action Taken. Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken. Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken. Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken. Entry "HKCR\NMUIEngine.NMUIResourceLoaderHarddisk" refers to invalid object "{03DC5606-EA66-4f02-AB52-2065524B03821}". Action Taken: No Action Taken. Entry "HKCR\TSLV.TSLV" refers to invalid object "{612DE685-FCC5-11D1-8A36-00A0C9B82ABC}". Action Taken: No Action Taken. Entry "HKCR\TSLV.TSLV.1" refers to invalid object "{612DE685-FCC5-11D1-8A36-00A0C9B82ABC}". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\System.Windows.Forms.tlb". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\System.EnterpriseServices.tlb". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Microsoft.JScript.tlb". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Microsoft.Vsa.tlb". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\System.Drawing.tlb". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscoree.tlb". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscorlib.tlb". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\System.tlb". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Microsoft.Vsa.Vb.CodeDOMProcessor.tlb". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\DIMM.DLL". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\zip32.dll". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\unzip32.dll". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\scrrun.dll". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\MSINET.OCX". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\comdlg32.ocx". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\COMDLG32.DLL". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "D:\Mscomctl.ocx". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\ScanSoft\PaperPort\". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\KONICA MINOLTA\PageScope Net Care\". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\KONICA MINOLTA\PageScope Net Care\html\". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\KONICA MINOLTA\PageScope Net Care\logs\". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\KONICA MINOLTA\PageScope Net Care\state\". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\KONICA MINOLTA\PageScope Net Care\state\events\". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\KONICA MINOLTA\PageScope Net Care\state\log\". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\KONICA MINOLTA\PageScope Net Care\state\maps\". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\KONICA MINOLTA\PageScope Net Care\state\objects\". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\KONICA MINOLTA\PageScope Net Care\temp\". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\KONICA MINOLTA\PageScope Net Care\WebSvr\". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\KONICA MINOLTA\PageScope Net Care\WebSvr\etc\". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Sierra Wireless\MC5720\HP\USBMUX_DRIVERS\". Action Taken: No Action Taken. Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".asc". Action Taken: No Action Taken. Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".deb". Action Taken: No Action Taken. Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".kp_". Action Taken: No Action Taken. Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".part". Action Taken: No Action Taken. Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".php". Action Taken: No Action Taken. Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".PR2". Action Taken: No Action Taken. Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".settings". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB888111WXPSP2". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB917283.T1_1ToU93_1". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB922770.T1_1ToU168_1". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{2D7D9D86-923A-41A8-919F-437332AB1031}". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-7AD7-1031-7B44-A80000000002}". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{B1916B99-23C0-49FE-A473-95425695655A}". Action Taken: No Action Taken. Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{BCF28641-16C3-4566-B00A-380BFA861031}". Action Taken: No Action Taken. File C:\WINDOWS\system32\affhba.dll//PE_Patch.PECompact//PecBundle//PECompact tagged as "not-a-virus:AdWare.Win32.PurityScan.ak". Action Taken: No Action Taken. File C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\NERO13346\Toolbar.exe tagged as "not-a-virus:AdTool.Win32.MyWebSearch". Action Taken: No Action Taken. File C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\NERO13346\Toolbar.exe tagged as "not-a-virus:AdTool.Win32.MyWebSearch". Action Taken: No Action Taken. File C:\Programme\Outerinfo\OiUninstaller.exe//data0002//PE_Patch.UPX//UPX tagged as "not-a-virus:AdWare.Win32.PurityScan.bu". Action Taken: No Action Taken. File C:\RECYCLER\S-1-5-21-1708537768-1450960922-839522115-500\Dc17\OiUninstaller.exe//data0002//PE_Patch.UPX//UPX tagged as "not-a-virus:AdWare.Win32.PurityScan.bu". Action Taken: No Action Taken. File C:\WINDOWS\system32\affhba.dll//PE_Patch.PECompact//PecBundle//PECompact tagged as "not-a-virus:AdWare.Win32.PurityScan.ak". Action Taken: No Action Taken. |
Logfile of HijackThis v1.99.1 Scan saved at 10:45:47, on 18.07.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe d:\cachesys\bin\cservice.exe C:\Programme\Nero\Nero 7\InCD\InCDsrv.exe C:\Programme\CA\eTrust Antivirus\InoRpc.exe d:\cachesys\bin\cache.exe C:\Programme\CA\eTrust Antivirus\InoRT.exe d:\cachesys\bin\cache.exe d:\cachesys\bin\cache.exe d:\cachesys\bin\cache.exe d:\cachesys\bin\cache.exe C:\Programme\CA\eTrust Antivirus\InoTask.exe C:\WINDOWS\system32\kmcsicsv.exe C:\Programme\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe C:\WINDOWS\system32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe d:\cachesys\bin\cache.exe C:\WINDOWS\system32\cmd.exe d:\cachesys\bin\cache.exe C:\WINDOWS\Explorer.EXE d:\cachesys\BIN\ctelnetd.exe C:\Programme\Analog Devices\Core\smax4pnp.exe C:\Programme\Analog Devices\SoundMAX\Smax4.exe C:\Programme\Gemeinsame Dateien\AOL\1167735075\ee\AOLSoftware.exe C:\Programme\ATI Technologies\ATI.ACE\CLI.EXE C:\Programme\Java\jre1.6.0_01\bin\jusched.exe C:\PROGRA~1\CA\ETRUST~1\realmon.exe C:\Programme\QuickTime\qttask.exe C:\Programme\pdf24\PDF24Updater.exe C:\Programme\Nero\Nero 7\InCD\InCD.exe C:\Programme\TrayPhone\Trayphone.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\DrvMon.exe C:\WINDOWS\?asks\w?nspool.exe C:\Programme\Gemeinsame Dateien\Cycos\Service Provider\Msp.exe D:\CacheSys\Bin\csystray.exe C:\Programme\ATI Technologies\ATI.ACE\cli.exe C:\Programme\ATI Technologies\ATI.ACE\cli.exe C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe C:\Program Files\Attachmate\KEA! VT\keavt.exe C:\Program Files\Attachmate\KEA! VT\KEASYS.EXE C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\mexe.com C:\Programme\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Attachmate\KEA! VT\keavt.exe C:\WINDOWS\REGEDIT.com C:\Dokumente und Einstellungen\Administrator\Desktop\hijackthis_199\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rink-elektro.de/index.php?id=1 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.boinksearch.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.9.222:3128 O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {136B6BF1-8F17-829C-1E14-F98DBA578FCA} - C:\WINDOWS\system32\affhba.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [HostManager] C:\Programme\Gemeinsame Dateien\AOL\1167735075\ee\AOLSoftware.exe O4 - HKLM\..\Run: [IPHSend] C:\Programme\Gemeinsame Dateien\AOL\IPHSend\IPHSend.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [PDFPrint] "C:\Programme\pdf24\PDF24Updater.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Programme\Nero\Nero 7\InCD\InCD.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [TrayPhone] C:\Programme\TrayPhone\Trayphone.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe O4 - HKCU\..\Run: [Mjx] C:\WINDOWS\?asks\w?nspool.exe O4 - Global Startup: CACHE.lnk = D:\CacheSys\Bin\csystray.exe O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166547630385 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{97EDEE6A-0AC7-498A-8321-F6E6A4DD0AF8}: NameServer = 195.226.69.5,195.226.80.25 O17 - HKLM\System\CS2\Services\Tcpip\..\{97EDEE6A-0AC7-498A-8321-F6E6A4DD0AF8}: NameServer = 195.226.69.5,195.226.80.25 O17 - HKLM\System\CS3\Services\Tcpip\..\{97EDEE6A-0AC7-498A-8321-F6E6A4DD0AF8}: NameServer = 195.226.69.5,195.226.80.25 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Caché Controller für CACHE (Cache_d-_cachesys) - Unknown owner - d:\cachesys\bin\cservice.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Nero\Nero 7\InCD\InCDsrv.exe O23 - Service: eTrust Antivirus-RPC-Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus-Echtzeitserver (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus-Jobserver (InoTask) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe O23 - Service: KMCSIC SERVICE (kmcsicsv) - Unknown owner - C:\WINDOWS\system32\kmcsicsv.exe O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Programme\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing) O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Programme\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing) Das ist der Logfile von Hijackthis |
Ist ja interessant, doch poste mal ein Hjt-Logfile (Anleitung unten in meiner Signatur) Und was e-scan angeht; Lies dir mal diese Anleitung durch und poste es so, wie dort beschrieben;) E-scan LG, Terayaki |
Ok Sorry scan gerade mal neu so wie in der Anleitung und mach das mit der Find.bat mal! Hjt-Logfile siehe unten! :) EDIT: oh man dat dauert ^^ |
@micha020983 Zitat:
|
Also lass mal bitte das hier Zitat:
Zitat:
Und das mit dem Escan machst du einfach noch;) Komisch das kann auch mit den 2 Partitionen zusammenhängen...hm....mach einfach mal den Scan mit escan und die Auswertungen von den Online viren scannern postest du bitte auch hier. LG, Terayaki |
C:\Program Files\Attachmate\KEA! VT\keavt.exe C:\Program Files\Attachmate\KEA! VT\KEASYS.EXE C:\Program Files\Attachmate\KEA! VT\keavt.exe C:\WINDOWS\REGEDIT.com (sorry hat grad den Regeditor offen) Diese einträge sind ok... die anderen kenn ich jetzt auch nicht direkt! |
Ah gut @ReneGad, Da es scheint, dass du dich hiermit besser befassen kannst als ich, schwinde ich wieder langsam hier hinaus;) LG, Terayaki |
d:\cachesys\BIN\ctelnetd.exe und d:\cachesys\bin\cservice.exe ist auch in Ordnung :) |
Zitat:
|
ooohhh... wie kommt das? hab den Regeditor jetzt geschlossen und erneut mit HJT gescannt jetzt ist der entry weg... hmmmm..... |
so hier endlich der e-scan ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Header ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Microsoft Windows XP [Version 5.1.2600] Wed Jul 18 10:52:17 2007 => Version 9.3.1 (C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\mexe.com) Wed Jul 18 11:31:08 2007 => Virus Database Date: 7/17/2007 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Infektionsmeldungen ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wed Jul 18 10:53:00 2007 => System found infected with elite toolbar Spyware/Adware (toolbar.exe)! Action taken: No Action Taken. ~~~~~~~~~~~ Dateien ~~~~~~~~~~~ ~~~~ Infected files ~~~~~~~~~~~ ~~~~~~~~~~~ ~~~~ Tagged files ~~~~~~~~~~~ Wed Jul 18 10:52:45 2007 => File C:\WINDOWS\system32\affhba.dll//PE_Patch.PECompact//PecBundle//PECompact tagged as "not-a-virus:AdWare.Win32.PurityScan.ak". Action Taken: No Action Taken. Wed Jul 18 10:59:42 2007 => File C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\NERO13346\Toolbar.exe tagged as "not-a-virus:AdTool.Win32.MyWebSearch". Action Taken: No Action Taken. Wed Jul 18 11:16:07 2007 => File C:\RECYCLER\S-1-5-21-1708537768-1450960922-839522115-500\Dc17\OiUninstaller.exe//data0002//PE_Patch.UPX//UPX tagged as "not-a-virus:AdWare.Win32.PurityScan.bu". Action Taken: No Action Taken. Wed Jul 18 11:22:47 2007 => File C:\WINDOWS\system32\affhba.dll//PE_Patch.PECompact//PecBundle//PECompact tagged as "not-a-virus:AdWare.Win32.PurityScan.ak". Action Taken: No Action Taken. ~~~~~~~~~~~ ~~~~ Offending files ~~~~~~~~~~~ Wed Jul 18 10:53:00 2007 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\temp\nero13346\toolbar.exe ~~~~~~~~~~~ Ordner ~~~~~~~~~~~ ~~~~~~~~~~~ Registry ~~~~~~~~~~~ Wed Jul 18 10:52:55 2007 => Offending Key found: HKLM\Software\clickspring !!! Wed Jul 18 10:53:03 2007 => Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E !!! Wed Jul 18 10:53:03 2007 => Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I !!! Wed Jul 18 10:53:03 2007 => Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05a00516-23cb-11dc-91d2-0017316c2b09} !!! Wed Jul 18 10:53:03 2007 => Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93d7ae79-8d12-11db-b704-806d6172696f} !!! Wed Jul 18 10:53:06 2007 => Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c3adcea4-8f81-11db-919d-806d6172696f} !!! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Statistiken: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
Zitat:
EDIT: Mir fällt grad nochwas ein! ich habe seit heute morgen noch sowas hier drauf: ADVERTISEMENT BY OUTERINFO Das Sch***ding macht ständig Explorer-Fenster mit Werbung auf! Dieses Outerinfo war auch in der Systemsteuerung unter Software drin! Dort hab ich es gelöscht aber es kommt immer noch! |
'Win32/Clspring.GS' wurde in C:\DOKUMENTE UND EINSTELLUNGEN\ADMINISTRATOR\LOKALE EINSTELLUNGEN\TEMPORARY INTERNET FILES\CONTENT.IE5\1UQXC2SY\!UPDATE-4395[1].0000 entdeckt. Computer: WZ06-90, Benutzer: WZ06-90\Administrator. Dateistatus: Datei wurde bereinigt; Systembereinigung wurde durchgeführt. Diese meldung kommt von CA nach jedem Booten!!! |
| Alle Zeitangaben in WEZ +1. Es ist jetzt 07:33 Uhr. |
Copyright ©2000-2025, Trojaner-Board