Delete files?

  • #1
Anne21

Guest
Hello,
I don't know which of the files listed by the hijacker detection program I can delete?

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http: //www.the-exit.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http: //www.the-exit.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http: //iucwng.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http: //iucwng.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http: //www.the-exit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http: //iucwng.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http: //www.the-exit.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http: //iucwng.t.muxa.cc/h.php?aid=586 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http: //iucwng.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http: //iucwng.t.muxa.cc/s.php?aid=586 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http: //iucwng.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http: //www.the-exit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http: //www.the-exit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http: //iucwng.t.muxa.cc/h.php?aid=586 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http: //www.the-exit.com/search
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavErrRedir Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Typhoon\Typhoon Unplugged Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [b3dupdate] C:\WINDOWS\BDE\b3dsetup.Exe -silent -p C:\WINDOWS\BDE -s setup.cab
O4 - HKLM\..\Run: [MediaLoads Installer] C:\Programme\DownloadWare\dw.exe /H
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\AVG\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] D:\PROGRA~1\AVG\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RjLyraInstaller] G:\setup.exe G:\
O4 - HKLM\..\Run: [Wupdate driver] WUPDADTE.EXE
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] D:\Corel\Versions\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Programme\ICQLitealt\ICQLite.exe -trayboot
O4 - HKCU\..\RunOnce: [L04DDXRC_727405] D:\Microsoft Encarta\Encarta Enzyklopädie Professional 2004\EDICT.EXE -m
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = D:\Programme\Corel\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\COREL\VERSIONS\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: >>> HENTAI MOVIES <<< - javascript:{document.location='http://www.archivehentai.com/ah/004/getpassword.html';}
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra->Tools' menuitem: Sun Java Konsole (HKLM)
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra button: Locators.com Search Bar (HKLM)
O9 - Extra->Tools' menuitem: Locators.com Search Bar (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra->Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .avi: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) -
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} (StarInstall Control) -


Links edited
 
  • #2
In future, please always post the complete log file; then your patch level can be read off immediately and the running processes can be checked for anomalies as well.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http: //www.the-exit.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http: //www.the-exit.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http: //iucwng.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http: //iucwng.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http: //www.the-exit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http: //iucwng.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http: //www.the-exit.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http: //iucwng.t.muxa.cc/h.php?aid=586 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http: //iucwng.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http: //iucwng.t.muxa.cc/s.php?aid=586 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http: //iucwng.t.muxa.cc/s.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http: //www.the-exit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http: //www.the-exit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http: //iucwng.t.muxa.cc/h.php?aid=586 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http: //www.the-exit.com/search
Fix everything

O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: NavErrRedir Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
Remove


O4 - HKLM\..\Run: [b3dupdate] C:\WINDOWS\BDE\b3dsetup.Exe -silent -p C:\WINDOWS\BDE -s setup.cab
Fix



O4 - HKLM\..\Run: [MediaLoads Installer] C:\Programme\DownloadWare\dw.exe /H
Read here:
O4 - HKLM\..\Run: [RjLyraInstaller] G:\setup.exe G:\
Doesn't mean anything to me.

O4 - HKLM\..\Run: [Wupdate driver] WUPDADTE.EXE
See here:

O4 - HKLM\..\Run: [sys] regedit -s sys.reg
Remove

O8 - Extra context menu item: >>> HENTAI MOVIES <<< - javascript:{document.location='http://www.archivehentai.com/ah/004/getpassword.html';}
Whether you can really account for that entry is something you have to know yourself.

O9 - Extra button: Locators.com Search Bar (HKLM)
O9 - Extra->Tools' menuitem: Locators.com Search Bar (HKLM)
Do you need them? Do you want them?


O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} (StarInstall Control) -
= Mainpean dialer
 
  • #3
What was overlooked:

O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE

Remove.
 
  • #4
bl4ckic3 wrote:
What was overlooked:

O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE

Remove.

And which malware does it belong to? ???
Just curious ::)

pan_fee ;)
 
  • #5
Look at the file name. What stands out? A fairly arbitrary string of letters.
Location: system folder, but demonstrably not a system file (google it) -> ergo: unknown -> ergo: unwanted.
WHICH specific malware it is could AT BEST be determined with an online scan (if the thing is detected at all).
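
The checks applied in this thread (obfuscated R0/R1 URLs, BHOs marked "(no file)", and the test from post #5 for a file in the system folder that is not a known system file), as an added Python example that is not part of any post. `KNOWN_SYSTEM_FILES` and the function name `triage` are assumptions; the sample lines are copied from the log in post #1.

```python
import ntpath
import re

# Constructed sample: six lines copied from the log posted in this thread.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http: //iucwng.t.muxa.cc/h.php?aid=586 (obfuscated)
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumption: stands in for the "search for the name" step in post #5; in
# practice this set would be built from a known-clean install of the same OS.
KNOWN_SYSTEM_FILES = {"ctfmon.exe"}

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[([^\]]*)\] (.+)$")
EXE = re.compile(r"^(.+?\.exe)\b", re.IGNORECASE)

def triage(log):
    """Return (section, reason, target) for entries that need a closer look."""
    findings = []
    for raw in log.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue
        section, body = entry.groups()
        if section in ("R0", "R1") and body.endswith("(obfuscated)"):
            findings.append((section, "obfuscated URL in IE setting", body))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO registered, file missing", body))
        elif section == "O4" and (run := RUN.match(body)):
            exe = EXE.match(run.group(2))
            path = exe.group(1) if exe else run.group(2)
            folder, name = ntpath.split(path)
            # Post #5: in the system folder but not a known system file.
            if folder.lower().endswith("\\system32") and name.lower() not in KNOWN_SYSTEM_FILES:
                findings.append((section, "unknown file in system folder", path))
    return findings

if __name__ == "__main__":
    for section, reason, target in triage(SAMPLE):
        print(f"{section:3} {reason}: {target}")
```

`ctfmon.exe` sits in the same folder with an equally terse name and is only cleared by the baseline lookup, so the name alone does not decide the outcome.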
 