easy-search.biz and the like

15.08.2004, 20:32
...new here

Posts: 8
#1 Hello,

I have tried every ad/spyware detector and remover there is, and I have already tried to follow the tips from several threads, but none of that was enough. Now I want to turn to you directly. Here is my log file:

Logfile of HijackThis v1.97.7
Scan saved at 20:20:35, on 15.08.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\netgt32.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\dllhlp.exe
C:\WINDOWS\runwin32.exe
C:\Programme\M-Audio Audiophile USB\Dmn\ma003dmn.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\wininet32.exe
C:\WINDOWS\dialup.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {705AF3C3-2AF7-A829-0D6E-3F1C89AED034} - C:\WINDOWS\system32\mfczz.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Multimedia Codecs] C:\WINDOWS\System32\mcc.exe
O4 - HKLM\..\Run: [PCMService] C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
O4 - HKLM\..\Run: [netgt32.exe] C:\WINDOWS\netgt32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\System32\windll32.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: ASE Scheduler.lnk = C:\Programme\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: MA003DMN.LNK = C:\Programme\M-Audio Audiophile USB\Dmn\ma003dmn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.google.de
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.google.de
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EE5B674-B09F-48FB-8BA4-C6F81AD4A0F2}: NameServer = 192.168.2.1


Thanks in advance.
15.08.2004, 21:40
Member

Posts: 28
#2 Hi,
then first do an analysis yourself here:
http://www.hijackthis.de/
15.08.2004, 21:50
...new here

Thread starter

Posts: 8
#3 Hi,

I did that shortly after posting and fixed the entries marked as bad or possibly bad.

These, for example, keep coming back:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz

O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe

O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
This post was edited by Raseem on 15.08.2004 at 21:52.
15.08.2004, 22:10
Member

Posts: 28
#4 Here is a really good guide.

http://www.computerhilfen.de/hilfen-17-30578-0.html
15.08.2004, 22:22
Member

Posts: 441
#5 @ Raseem

Post a current log file again.
__________
The most valuable thing in life is time. Living means handling time properly.
Reinstalling the system/securing it! HJT guide
16.08.2004, 13:34
...new here

Thread starter

Posts: 8
#6 From today at noon:

Logfile of HijackThis v1.97.7
Scan saved at 13:31:26, on 16.08.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\apicg32.exe
C:\windows\dllhlp.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\apivl.exe
C:\Programme\M-Audio Audiophile USB\Dmn\ma003dmn.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {705AF3C3-2AF7-A829-0D6E-3F1C89AED034} - C:\WINDOWS\system32\mfczz.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [apicg32.exe] C:\WINDOWS\system32\apicg32.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Global Startup: MA003DMN.LNK = C:\Programme\M-Audio Audiophile USB\Dmn\ma003dmn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EE5B674-B09F-48FB-8BA4-C6F81AD4A0F2}: NameServer = 192.168.2.1
16.08.2004, 13:58
Member

Posts: 1122
#7 Fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {705AF3C3-2AF7-A829-0D6E-3F1C89AED034} - C:\WINDOWS\system32\mfczz.dll
O4 - HKLM\..\Run: [apicg32.exe] C:\WINDOWS\system32\apicg32.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

Please send me C:\WINDOWS\system32\apicg32.exe at

Spam-Email@gmx.net

Regards
DAFRA
16.08.2004, 14:27
...new here

Thread starter

Posts: 8
#8 OK, done.

However, "http://easy-search.biz" & "res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049" keep turning up again.

As do:

O4 - HKLM\..\Run: [apicg32.exe] C:\WINDOWS\system32\apicg32.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
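The complaint that fixed entries keep reappearing, as an added example (not code from the thread or from HijackThis): a small Python triage over HijackThis 1.x log excerpts that flags the entry patterns the helpers point at here and reports which flagged entries survive a registry-only fix because the executable behind them is still running. The two log excerpts are constructed and shortened from the logs posted above; the `sp.html#` resource rule and the Windows-root rule are heuristics of this example, not HijackThis rules.

```python
"""Triage of HijackThis 1.x logs for the patterns discussed in this thread.
Added example; the two log excerpts are constructed from the posts above."""
import re

# Constructed, shortened excerpt of the first log posted (before any fix).
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\netgt32.exe
C:\windows\dllhlp.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [netgt32.exe] C:\WINDOWS\netgt32.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
"""

# Constructed, shortened excerpt of the second log (after the user's HijackThis fix).
LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\apicg32.exe
C:\windows\dllhlp.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\kwapu.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [apicg32.exe] C:\WINDOWS\system32\apicg32.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r'^HK\w+\\\.\.\\Run: \[[^\]]*\] "?(?P<path>[a-z]:\\.+?\.exe)', re.I)
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
# The DLL name changed between scans (kwapu.dll, later avive.dll) but the
# res:// resource path did not, so key on the stable part (heuristic of this example).
HIJACK_RES_RE = re.compile(r"res://[^/]+\.dll/sp\.html#\d+", re.I)


def parse_hjt(text):
    """Split a HijackThis log into (running process paths, [(section, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("sec"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return [(reason, entry line)] for entries matching the patterns seen in this thread."""
    processes, entries = parse_hjt(text)
    running = {p.lower() for p in processes}
    findings = []
    for sec, body in entries:
        line = f"{sec} - {body}"
        if sec in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if HIJACK_RES_RE.search(value):
                findings.append(("search page served from a local DLL resource", line))
            elif key.endswith(",ProxyServer") and value.startswith("127.0.0.1:"):
                # All browser traffic goes through a listener on this machine;
                # eScan later identified wininet32.exe as a proxy trojan.
                findings.append(("browser proxied through a local port", line))
        elif sec == "O4":
            m = O4_RE.match(body)
            # Heuristic: the confirmed-malicious autostarts here all sat directly in
            # C:\WINDOWS; apicg32.exe in system32 is deliberately not caught by it.
            if m and WINDIR_ROOT_RE.match(m.group("path")):
                state = "running" if m.group("path").lower() in running else "not running"
                findings.append((f"autostart binary in the Windows root ({state})", line))
    return findings


def recurring(before, after):
    """Flagged entries present in both logs: a registry-only fix was undone by a process."""
    return sorted(set(triage(before)) & set(triage(after)))
```

Every recurring O4 entry is reported as "running", which is the reason the fix does not stick: the file must be stopped and removed, as the later eScan clean did.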
16.08.2004, 14:27
Honorary member

Posts: 29434
#9 Hello @Raseem

Fix:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [apicg32.exe] C:\WINDOWS\system32\apicg32.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
restart

Disable System Restore
http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/gdocid/20030807105707924

<eScan< (unpack into C:\base)
http://www.mwti.net/antivirus/free_utilities.asp
# Find "kavupd.exe" and click it.
A DOS window opens and an update is performed (takes a little while).
# Start the scanner with "mwav.exe". Tick all the boxes and click "Clean-Scan".
Then post whether anything was deleted (Logview), and the new HijackThis log.

Regards
Sabina

Tip:
Download the antivirus (free)
http://www.free-av.de/
# Activate the Guard and set: <all files<
and <heuristics: medium
# Then go into Safe Mode
http://www.bsi.de/av/texte/winsave.htm
and run a complete scan
__________
Regards, Sabina

all about PC security
This post was edited by Sabina on 16.08.2004 at 14:42.
16.08.2004, 15:37
...new here

Thread starter

Posts: 8
#10

Wow, how much it found, I would not have expected that. Here is the LogView:

Quote

LogView from eScan
File C:\WINDOWS\runwin32.exe infected by "Trojan.Win32.StartPage.ky" Virus. Action Taken: File Deleted.
File C:\WINDOWS\wininet32.exe infected by "TrojanProxy.Win32.Agent.ad" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\apivl.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\dialup.exe infected by "Trojan.Win32.Dialer.u" Virus. Action Taken: File Deleted.
File C:\WINDOWS\apilp.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\apisi32.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\appzl.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\atlub.exe infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
File C:\WINDOWS\crgm32.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\CyberxHacking-cyberxhacking.exe tagged as not-a-virus:pornWare.Dialer.Star. No Action Taken.
File C:\WINDOWS\d3ff32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\d3ht.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\dllhlp.exe infected by "Trojan.Win32.Bizten.gen" Virus. Action Taken: File Deleted.
File C:\WINDOWS\dup.dll infected by "Trojan.Win32.Dialer.u" Virus. Action Taken: File Deleted.
File C:\WINDOWS\htpatch.exe.bak tagged as not-a-virus:Tool.Win32.HTPatch.a. No Action Taken.
File C:\WINDOWS\ieaj.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\iewin32.dll infected by "TrojanProxy.Win32.Agent.ad" Virus. Action Taken: File Deleted.
File C:\WINDOWS\mserv.exe infected by "Trojan.Win32.Killav.be" Virus. Action Taken: File Deleted.
File C:\WINDOWS\msie32.dll infected by "Trojan.Win32.StartPage.ky" Virus. Action Taken: File Deleted.
File C:\WINDOWS\msopt.dll infected by "TrojanDownloader.Win32.Small.kq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\mssys.com infected by "TrojanDropper.DOS.Rute" Virus. Action Taken: File Deleted.
File C:\WINDOWS\netgt32.exe infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
File C:\WINDOWS\ntov.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\Satfilez-sfz-10027.exe tagged as not-a-virus:pornWare.Dialer.Star. No Action Taken.
File C:\WINDOWS\sysbj32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sysyc32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\winqs.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\winza32.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\wlxr.exe infected by "Trojan.Win32.StartPage.kp" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\addaq32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\addrz.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\addww32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\apiru32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\apizm32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\appff.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\atlin.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\atltf32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\crsq.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\hooks.dll infected by "Trojan.Win32.Hooker.b" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\html.vbs infected by "TrojanDownloader.VBS.Iwill.t" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\iplx32.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\javamc32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\javamk.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\mcc.exe infected by "TrojanDownloader.Win32.Small.rk" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\mdv_32.dll infected by "not-a-virus:AdvWare.ToolBar.BHO.e" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\msconfd.exe infected by "Trojan.Win32.StartPage.au" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\mshb2.exe infected by "not-a-virus:AdvWare.Manifold" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\mslz32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\q8k0fsv0.exe infected by "TrojanDropper.Win32.Small.cu" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\Saks.exe infected by "not-a-virus:AdvWare.Puper.b" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\scrnsize.exe infected by "TrojanDownloader.Win32.Crypter" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\sdkdt32.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\sdkkw32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\Shell32.exe infected by "Backdoor.Lithium.10" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\srv_capture.dll infected by "Backdoor.Lithium.103" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\srv_funstuff.dll infected by "Backdoor.Lithium.102" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\srv_pwinfo.dll infected by "Backdoor.Lithium.102" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\System32.exe infected by "Backdoor.SdBot.aa" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\win32info-uninstall.exe infected by "TrojanDownloader.Win32.Dluca.f" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\wingua.exe infected by "TrojanDropper.Win32.Small.ck" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\winxv.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\winzx32.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\Xcite.dll infected by "not-a-virus:AdvWare.Toolbar.MyWay.e" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\Xcite.exe infected by "not-a-virus:AdvWare.Toolbar.MyWay.e" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\xms32.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\autoexec.exe tagged as not-a-virus:pornWare.Dialer.Generic. No Action Taken.
File C:\dlltmp.exe infected by "Trojan.Win32.Bizten.gen" Virus. Action Taken: File Deleted.
File C:\mdmhelpv.exe infected by "TrojanDownloader.Win32.Femad.k" Virus. Action Taken: File Deleted.
File C:\Programme\Aluria Software\ASE\Backup\15826251.ase infected by "TrojanProxy.Win32.Mitglieder.bi" Virus. Action Taken: File Deleted.
File C:\Programme\Outlook Express\outl32c.exe infected by "Backdoor.Jeemp.c" Virus. Action Taken: File Renamed.
File C:\Programme\Outlook Express\outlkl.exe infected by "TrojanDropper.Win32.Small.cn" Virus. Action Taken: File Deleted.
File C:\Programme\Windows Media Player\wmplayer.exe.tmp infected by "TrojanProxy.Win32.Mitglieder.bi" Virus. Action Taken: File Deleted.
File C:\Programme\Wyns\wyns.dll infected by "not-a-virus:AdvWare.Puper.b" Virus. Action Taken: File Renamed.
File C:\Q20604.exe infected by "TrojanDownloader.Win32.WinShow.af" Virus. Action Taken: File Deleted.
File C:\win.com.exe infected by "TrojanDownloader.Win32.Small.rk" Virus. Action Taken: File Deleted.
File C:\WINDOWS\appta32.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\CyberxHacking-cyberxhacking.exe tagged as not-a-virus:pornWare.Dialer.Star. No Action Taken.
File C:\WINDOWS\htpatch.exe.bak tagged as not-a-virus:Tool.Win32.HTPatch.a. No Action Taken.
File C:\WINDOWS\Satfilez-sfz-10027.exe tagged as not-a-virus:pornWare.Dialer.Star. No Action Taken.
File C:\WINDOWS\sCache32\2 Find MP3 8.2.0.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\AC3-MP3 converter.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\ACDSee 5.5b.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\ACDSee Classic 2.79.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Ad-aware 6.5 (new)Download Accelerator Plus 6.3.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Adobe PhotoShop 7.1 crack.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\All Editor 3.0b.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\AOL Instant Messenger 6.1.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Auction Sentry (new).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\AudioLabel CD Labeler 3.0 (+crack).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Battlefied1942 Pack4 (crack+bloodpatch).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\BearShare 5.1.1.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\C&C Generals Pack2 (new patch).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Complete UK Music Database 4.2.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\DirectDVD 4.9.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\DivX edit (new).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\DvD Rip guide (+tools) st0rm.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Dynamite Downloads.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Easy CD Creator Software Update.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Find 1.0.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\FlashFXP (keyg*hier nicht*).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\FreeRip 4.30.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Genie Stream 3.2.4.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Gothic 2 (m-patch).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Hacker Tutorial (by ph3Akz).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Half-Life keyg*hier nicht* (+ogc hack).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\HL keys (working).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\I.G.I. 2 (new crack).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\ICQ Lite beta (b2253).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\ICQ Pro 2003a beta (b4600).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\iMesh 4.1 beta.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\iSnipeIt 5.0c.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\James Bond 007 Nightfire crack.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Kazaa Media Desktop 2.5.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Kazaa Skins 1.8.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Medal Of Honor (Allied Assault) crack.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\mIRC 6.x addon patch.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\mIRC s3th war-script.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\MP3 cut pro 3.0.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Need for Speed 6 (new cars + crack).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\NeoNapster 3.92.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\New Nvidia (geForce) drivers (beta).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Operation Flashpoint (bloopatch).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Patch Creator 3.5a.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\PhotoShow 3.1.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Ps2 to Pc tutorial (+tool).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Raven Shield 5.32 crack.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\RemoteSpy 1.5.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Sim City 4 crack.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Splinter Cell crack.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\TitJiggle (flash game).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Trillian 0.8 + plugins.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\UniversalFlood (4.8b).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Unreal2 (2.8) crack.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\UT2003 multi-crack (new).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Warcraft3 battle.net(2.5) crack.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\WinZip 8.3b (crack).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\WinZip 9.0 SR-1.exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\sCache32\Wippit 2.1 (beta).exe infected by "Worm.P2P.SdDrop.d" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system\sysapp.exe infected by "TrojanDownloader.Win32.Donn.m" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\d3dh32.dll infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File E:\Driver\SIS_AGP_1.13\AGP\htpatch\htpatch.exe tagged as not-a-virus:Tool.Win32.HTPatch.a. No Action Taken.
---------------------------------------------------------------------------

Quote

HijackThis log directly after the clean scan
Logfile of HijackThis v1.97.7
Scan saved at 15:24:42, on 16.08.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\apicg32.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\M-Audio Audiophile USB\Dmn\ma003dmn.exe
C:\Programme\Xi\NetTransport 2\NetTransport.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\apiba.exe:ighha
C:\WINDOWS\System32\ctfmon.exe
D:\Downloads\Progs\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {26286E09-CF52-4BFA-ACBF-184990967DFA} - C:\WINDOWS\apint.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [apicg32.exe] C:\WINDOWS\system32\apicg32.exe
O4 - HKLM\..\RunOnce: [ighha] C:\WINDOWS\apiba.exe:ighha
O4 - Global Startup: MA003DMN.LNK = C:\Programme\M-Audio Audiophile USB\Dmn\ma003dmn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EE5B674-B09F-48FB-8BA4-C6F81AD4A0F2}: NameServer = 192.168.2.1
16.08.2004, 15:56
Honorary member
Sabina

Posts: 29434
#11 @Raseem

#First delete these manually:
They are all dialers:
C:\WINDOWS\CyberxHacking-cyberxhacking.exe
C:\WINDOWS\Satfilez-sfz-10027.exe
C:\autoexec.exe

Check these with Kaspersky:
C:\WINDOWS\system32\apicg32.exe
C:\WINDOWS\apiba.exe:ighha
http://www.kaspersky.com/remoteviruschk.html

Then fix these with HijackThis ;) (and reboot immediately afterwards)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {26286E09-CF52-4BFA-ACBF-184990967DFA} - C:\WINDOWS\apint.dll
O4 - HKLM\..\Run: [apicg32.exe] C:\WINDOWS\system32\apicg32.exe
O4 - HKLM\..\RunOnce: [ighha] C:\WINDOWS\apiba.exe:ighha

reboot


#AdAware free ... update it and scan with <all files>
http://www.lavasoft.de/support/download/

#Download Antivirus (free)
http://www.free-av.de/
#activate the Guard and set: <all files>
and <heuristics: high>
#Then go into Safe Mode (this is important !!)
http://www.bsi.de/av/texte/winsave.htm
and run a complete scan


#also scan once more with mwav.exe in Safe Mode.

#Then delete the Temporary Internet Files under <Internet Options>, set a new start page and post the log again. (And report what Kaspersky showed.)

regards
Sabina
__________
Regards, Sabina

all about PC security
This post was edited on 16.08.2004 at 15:59 by Sabina.
16.08.2004, 17:40
...new here

Thread starter

Posts: 8
#12

Quote

Sabina posted
Tip:
Download Antivirus (free)
http://www.free-av.de/
#activate the Guard and set: <all files>
and <heuristics: medium>
#Then go into Safe Mode
http://www.bsi.de/av/texte/winsave.htm
and run a complete scan
First of all, sorry that I haven't followed your very latest tips yet, because I needed the whole time for the ones here^^. After I had scanned everything with AntiVirXP, removed what I could, and fixed the usual suspects again with HijackThis, they didn't come back either.

And this is what the HijackThis log file currently looks like:

Quote

HijackThis log file
Logfile of HijackThis v1.97.7
Scan saved at 17:36:59, on 16.08.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\M-Audio Audiophile USB\Dmn\ma003dmn.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Downloads\Progs\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {26286E09-CF52-4BFA-ACBF-184990967DFA} - C:\WINDOWS\apint.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - Global Startup: MA003DMN.LNK = C:\Programme\M-Audio Audiophile USB\Dmn\ma003dmn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EE5B674-B09F-48FB-8BA4-C6F81AD4A0F2}: NameServer = 192.168.2.1
According to the automatic detection there is no more malicious data present.
This post was edited on 16.08.2004 at 17:45 by Raseem.
16.08.2004, 23:27
Honorary member
Sabina

Posts: 29434
#13 Hello @Raseem

The log isn't really clean yet, though.

Fix
O2 - BHO: (no name) - {26286E09-CF52-4BFA-ACBF-184990967DFA} - C:\WINDOWS\apint.dll (file missing)
reboot

#Look for this C:\WINDOWS\apint.dll in Safe Mode (!), or for others that have suddenly appeared since the problem with the changed start page started.
Then scan once more with Antivirus, but set: <all files>
and <heuristics: high> (!) ;)

reboot normally

#Then you have to activate the Guard in Antivirus (it must then appear under O4).

#Set a start page under <Internet Options>, surf a bit and post the log with the start page again.
regards
Sabina
__________
Regards, Sabina

all about PC security
This post was edited on 16.08.2004 at 23:30 by Sabina.
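The entries Sabina tells Raseem to fix in posts #11 and #13 share a few recognisable shapes: R0/R1 lines that send IE's search or start page into a `res://` resource inside a local DLL, a proxy on localhost, a nameless BHO living directly in C:\WINDOWS (later reported as "file missing"), and an O4 autostart whose target is an NTFS alternate data stream. As an added example that is not part of the thread, here is a small Python triage pass over HijackThis 1.97 log lines that flags those shapes; the rules are my own, and the sample entries are copied from the logs posted above with benign Google and ATI lines added for contrast.

```python
import re

# Patterns for the entry shapes Sabina singles out in the thread (rules are my own,
# not HijackThis logic): res:// search hijack, loopback proxy, a DLL placed directly
# in the Windows directory, and an "exe:stream" autostart target (NTFS ADS).
_RES_DLL = re.compile(r"=\s*res://\S+\.dll/", re.I)
_LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=\s*127\.0\.0\.1(:\d+)?\s*$", re.I)
_ADS_TARGET = re.compile(r"\.(exe|dll|scr):[A-Za-z0-9_]+\s*$", re.I)
_WINDIR_DLL = re.compile(r"- [a-z]:\\windows\\[^\\]+\.dll", re.I)

def classify(line: str):
    """Return a reason string if a HijackThis 1.97 entry looks hijacked, else None."""
    line = line.strip()
    kind = line[:2].upper()
    if kind in ("R0", "R1"):
        if _RES_DLL.search(line):
            return "search/start page redirected into a local DLL resource (res://)"
        if _LOOPBACK_PROXY.search(line):
            return "IE proxy on localhost: legitimate only if a local proxy was installed on purpose"
    elif kind == "O2":
        if line.lower().endswith("(file missing)"):
            return "BHO registration whose DLL is already gone; fix it to clean the registry"
        if "(no name)" in line and _WINDIR_DLL.search(line):
            return "nameless BHO loaded from a DLL placed directly in the Windows directory"
    elif kind == "O4" and _ADS_TARGET.search(line):
        return "autostart target is an NTFS alternate data stream, invisible in Explorer"
    return None

def triage(log_text: str):
    """Run classify() over every entry and return [(reason, line), ...] for the hits."""
    hits = []
    for raw in log_text.splitlines():
        reason = classify(raw)
        if reason:
            hits.append((reason, raw.strip()))
    return hits

# Constructed sample: entries copied from the logs in this thread (posts #10 and #12)
# plus benign Google/ATI entries that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\avive.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {26286E09-CF52-4BFA-ACBF-184990967DFA} - C:\WINDOWS\apint.dll
O2 - BHO: (no name) - {26286E09-CF52-4BFA-ACBF-184990967DFA} - C:\WINDOWS\apint.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunOnce: [ighha] C:\WINDOWS\apiba.exe:ighha
"""

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{entry}\n    -> {reason}")
```

The localhost-proxy rule is deliberately a "verify" rather than a "remove" finding, since a proxy on 127.0.0.1 is also what a legitimately installed local filter looks like.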
19.08.2004, 20:49
...new here

Thread starter

Posts: 8
#14 So, I was away for a few days.

Here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 20:48:00, on 19.08.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\M-Audio Audiophile USB\Dmn\ma003dmn.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\ICQ\Icq.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Downloads\Progs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCMService] C:\Programme\Medion Home CinemaXL\PowerCinema\PCMService.exe
O4 - Global Startup: MA003DMN.LNK = C:\Programme\M-Audio Audiophile USB\Dmn\ma003dmn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.com/multiplayer/odyssey_web8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EE5B674-B09F-48FB-8BA4-C6F81AD4A0F2}: NameServer = 192.168.2.1
This post was edited on 19.08.2004 at 20:50 by Raseem.
19.08.2004, 22:48
Honorary member
Sabina

Posts: 29434
#15 @Raseem

Also download Firefox and surf only with it ... safer than IE
http://www.firebird-browser.de/


The log is clean.
;)
Sabina
__________
Regards, Sabina

all about PC security