Trojanische Pferd TR/LowZones.A.2

Thema ist geschlossen!
Thema ist geschlossen!
#0
28.09.2004, 14:20
...neu hier

Beiträge: 1
#1 ich mein virenprogramm zeigt mir dieses Trojanische Pferd TR/LowZones.A.2 an.

kann mir jemand sagen wie ich den los werde??
Seitenanfang Seitenende
28.09.2004, 15:43
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#2 Hallo @blue-magic ;)

HijackThis:
http://www.wintotal.de/softw/?id=2022
Lade das Tool, scann, save und kopiere das Log ins Forum
________________________________________________________________
Ansonsten scanne mit deinem Antivirus im abgesicherten Modus,
<gehe in den abgesicherten Modus
http://www.bsi.de/av/texte/winsave.htm

#deaktiviere vor dem Scannen die Wiederherstellung , falls du XP hast)
http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/gdocid/20030807105707924

mfg
Sabina
__________
MfG Sabina

rund um die PC-Sicherheit
Dieser Beitrag wurde am 28.09.2004 um 15:52 Uhr von Sabina editiert.
Seitenanfang Seitenende
21.10.2004, 05:07
...neu hier

Beiträge: 5
#3 hallo, ich habe auch dieses trojanische pferd könnt ihr mir bitte helfen dieses wegzubekommen, hier mein log:

Logfile of HijackThis v1.98.2
Scan saved at 04:43:26, on 21.10.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wmplayer612.exe
C:\Program Files\Win Comm\WinComm.exe
C:\Program Files\Win Comm\WinLock.exe
C:\Programme\Web_Rebates\WebRebates1.exe
C:\Programme\Web_Rebates\WebRebates0.exe
C:\Dokumente und Einstellungen\Juri\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [Windows Media Player 6.1.2] wmplayer612.exe
O4 - HKLM\..\Run: [Start Upping] qtask.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunServices: [Windows Media Player 6.1.2] wmplayer612.exe
O4 - HKLM\..\RunServices: [Start Upping] qtask.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOKUME~1\Juri\LOKALE~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Media Player 6.1.2] wmplayer612.exe
O4 - HKCU\..\Run: [Start Upping] qtask.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Web Rebates - file://C:\Programme\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=3669f00b266159f9
1d5a5e5f7d6c7fe45a212eca0eb53d155f7f2d75349fd95cf44b264f2c38b3fa
227dc8071b2b0dfdd561eaa0398dd574e24fccdf5dd61755:e71668d3bfa7fc19043f7497194f6505
O17 - HKLM\System\CCS\Services\Tcpip\..\{1460C76E-FA91-42BC-B7FB-C8779880A5B8}: NameServer = 192.168.122.252,192.168.122.253



danke im voraus :;)

mfG Cheers
Seitenanfang Seitenende
21.10.2004, 11:21
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#4 Hallo @Cheers

Sichere die Registry
http://www.chip.de/artikel/c_artikelunterseite_8817258.html?tid1=&tid2=

Gehe in die Registry
Start<Ausfuehren<regedit
Loesche diese Eintraege rechts in der Registry
Creates value "Start Upping"="qtask.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Start Upping"="qtask.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates value "Start Upping"="qtask.exe" in key

#Aendere die Werte:
* Sets value "restrictanonymous"="" in key "HKLM\System\CurrentControlSet\Control\Lsa". wenn eine "1" dasteht, aendere in "0"
* Sets value "restrictanonymoussam"="" in key "HKLM\System\CurrentControlSet\Control\Lsa". von "0 " in "1"

Gib in die Suchfunktion der Registry (oben links ein)..loesche alles, was du findest rechts in der Registry :p

zum Beispiel:

HKLM\Software\Microsoft\Shared Tools\MSCOnfig\startupreg\
loeschen:
<Windows SyncroAd

<SyncroAd
<wmplayer612
<WinComm
<WebRebates
<djtopr1150
<Elite

Oeffne das HijackThis, hake an, was ich schreibe, <fix< und neustarten

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [Windows Media Player 6.1.2] wmplayer612.exe
O4 - HKLM\..\Run: [Start Upping] qtask.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunServices: [Windows Media Player 6.1.2] wmplayer612.exe
O4 - HKLM\..\RunServices: [Start Upping] qtask.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOKUME~1\Juri\LOKALE~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [Windows Media Player 6.1.2] wmplayer612.exe
O4 - HKCU\..\Run: [Start Upping] qtask.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=3669f00b266159f91d
5a5e5f7d6c7fe45a212eca0eb53d155f7f2d75349fd95cf44b264f2c3

PC neustarten

#Windows Explorer -> "Extras/Ordneroptionen" -> "Ansicht" -> Haken entfernen bei "Geschützte Systemdateien ausblenden (empfohlen)" und "Alle Dateien und Ordner anzeigen" aktivieren -> "OK"

Suchfunktion von Windows:
1. "Bevorzugte Einstellungen ändern | Datei- und Ordnersuchverhalten
ändern | Erweitert [...] Empfohlen für fortgeschrittene Benutzer"
2. Über "OK" auf "Weitere Optionen" gehen und die folgenden Optionen
auswählen:
[x] Systemordner durchsuchen
[x] Versteckte Elemente durchsuchen
[x] Unterordner durchsuchen

#Loesche:
<C:\WINDOWS\SYSTEM\qtask.exe. [166815 bytes.]
<C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
<C:\Program Files\Windows SyncroAd\SyncroAd.exe
<C:\WINDOWS\System32\wmplayer612.exe
<C:\Program Files\Win Comm\WinComm.exe
<C:\Program Files\Win Comm\WinLock.exe
<C:\Programme\Web_Rebates\WebRebates1.exe
<C:\Programme\Web_Rebates\WebRebates0.exe

Start<Ausfuehren < reinkopieren: %temp%
loesche:djtopr1150.exe
[C:\DOKUME~1\Juri\LOKALE~1\Temp\djtopr1150.exe]

Datentraegerbereinigung: und Loeschen der Temporary-Dateien
1. Start<Ausfuehren<cleanmgr
#Click Temporary Internet Files, O.K
#Temporary Files

#Deinstalliere fuer 15 Tage deinen Antivirus und lade:
#Testversion "Antivirus Personal 5.0"
http://www.kaspersky.com/trials
#deaktiviere die Wiederherstellung und poste das Log noch mal.

mfg
Sabina
__________
MfG Sabina

rund um die PC-Sicherheit
Dieser Beitrag wurde am 21.10.2004 um 11:33 Uhr von Sabina editiert.
Seitenanfang Seitenende
14.03.2005, 20:00
...neu hier

Beiträge: 1
#5 Hi,

das Thema ist zwar schon was älter, aber handelt sich genau um den gleichen Trojaner (Version ist nur normal .A, nicht .A.2) und da ich mir nicht sicher bin, was ich alles löschen muss, poste ich hier lieber nochmal.

Hab die Registry gesaved und mir HijackThis runtergeladen, hier das Log:

Logfile of HijackThis v1.99.1
Scan saved at 19:38:19, on 15.03.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\Programme\Antivir\AVGNT.EXE
C:\Internet\ICQLite\ICQLite.exe
C:\WINDOWS\System32\msmq2inst.exe
C:\WINDOWS\System32\trmupdate.exe
C:\Programme\Antivir\AVGUARD.EXE
C:\Programme\Antivir\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Internet\Firefox\firefox.exe
c:\supdatesp991.exe
c:\supdate282.exe
C:\Programme\Antivir\GUARDGUI.EXE
C:\Programme\Antivir\GUARDGUI.EXE
E:\Setup\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\Antivir\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ICQ Lite] C:\Internet\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [MS Unix Binary] trmupdate.exe
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\RunServices: [MS Unix Binary] trmupdate.exe
O4 - HKCU\..\Run: [MS Unix Binary] trmupdate.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Internet\ICQLite\ICQLite.exe -trayboot
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Internet\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Internet\ICQLite\ICQLite.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110483061218
O17 - HKLM\System\CCS\Services\Tcpip\..\{E19C0642-6C59-4C7D-B368-47666F4B18A6}: NameServer = 217.237.151.225 217.237.150.225
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\Antivir\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\Antivir\AVWUPSRV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programme\SiSoft Sandra\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programme\SiSoft Sandra\RpcSandraSrv.exe

---

Mir ist schon klar, dass
c:\supdatesp991.exe
c:\supdate282.exe
die Dateien sind, die das Teil immer neu installieren, aber simples Löschen bringt natürlich nix und ich weiß eben auch nicht, was da noch anderes zugehört...


Danke schonmal im Vorraus für eure Hilfe ;)


MfG
zwirni
Dieser Beitrag wurde am 14.03.2005 um 21:56 Uhr von zwirni editiert.
Seitenanfang Seitenende
14.03.2005, 23:38
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#6 Hallo@zwirni

Jotti's malware scan 2.4
- einzelne "exe" ueberpruefen
http://virusscan.jotti.org/

Oben auf der Seite auf Durchsuchen klicken --> Datei aussuchen --> Doppelklick auf die zu prüfende Datei --> klick auf Submit...
jetzt abwarten und danach das Ergebnis abkopieren und hier im Beitrag posten

C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\System32\msmq2inst.exe
C:\WINDOWS\System32\trmupdate.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
c:\supdatesp991.exe
c:\supdate282.exe
C:\UNMT.EXE

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [MS Unix Binary] trmupdate.exe
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE <--W32/Sdbot.worm
O4 - HKLM\..\RunServices: [MS Unix Binary] trmupdate.exe
O4 - HKCU\..\Run: [MS Unix Binary] trmupdate.exe

PC neustarten

•KillBox
http://www.bleepingcomputer.com/files/killbox.php

•Delete File on Reboot <--anhaken

C:\WINDOWS\System32\nvraidservice.exe (? selber installiert wegen meinem SATA Raid 0 (war beim Treiber dabei ????.C:\WINDOWS\System32\nvraidservice.exe
gehört zu Nvidia NForce Chipsatz basierten Boards...dann nicht loeschen !!!)


C:\WINDOWS\System32\msmq2inst.exe
C:\WINDOWS\System32\trmupdate.exe
c:\supdatesp991.exe
c:\supdate282.exe
C:\UNMT.EXE

und klick auf das rote Kreuz,
wenn gefragt wird, ob "Do you want to reboot? "----> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

PC neustarten

DCOM RPC vulnerability -http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

WEBDAV vulnerability - http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

LSASS vulnerability - http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Windows Worms Doors Cleaner erlaubt Ihnen die Dienste auf die die Würmer angewiesen sind, zu schließen
http://www.firewallleaktester.com/wwdc.htm

•Trend-Micro (Online)
http://de.trendmicro-europe.com/consumer/products/housecall_launch.php
http://de.trendmicro-europe.com/enterprise/products/housecall_pre.php

panda
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

•eScan-Erkennungstool
eSan ist hier unter dem Namen Free eScan Antivirus Toolkit Utility kostenlos erhältlich:
http://www.mwti.net/antivirus/free_utilities.asp
oeffne den Scanner--> noch nicht scannen--> gehe in Start<Ausfuehren< schreib rein: %temp% und suche
kavupd.exe, die klickst du an--> (Update- in DOS) ausführen

-->mwav.exe oeffnen-->alle Haekchen setzen-->scannen-->View Log anklicken--> Bearbeiten anklicken--> "infected" reinschreiben
und nun alles rauskopieren, was angezeigt wird-->

silentrunners
http://www.silentrunners.org/sr_download.html
gehe auf:

Click here to download a zip file.
hier die Erklaerung:
http://www.silentrunners.org/sr_scriptuse.html

**
***
SDBOT WORM!
http://vil.nai.com/vil/content/v_100454.htm
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
17.03.2005, 11:38
Member

Beiträge: 12
#7 Hallo ich habe auch den Low Zones.A und brauch dringend Hilfe um
den loszuwerden.
Kann mir jemand sagen, was genau dieser Trojaner eigentlich alles schädliches
anstellt?

ich habe bereits im abgesicherten Modus mit Antivir gescannt

hier das Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:47, on 17.03.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ad_elmd.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\HP\HP Software Update\HPWuSchd.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\WINDOWS\Dit.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\AVPersonal\AVSched32.EXE
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\ISTsvc\istsvc.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\System32\msmq2inst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Besitzer\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.architekt-thomas-gross.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startseite.de/searchbar
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: WinSurferHelper - {C52CBAEC-D969-4635-9F50-426CC15CE463} - C:\WINDOWS\System32\42393730.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Programme\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\ugmkhs.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\ugmkhs.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\ugmkhs.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\ugmkhs.exe
O4 - HKLM\..\Run: [MS Unix Binary] msmq2inst.exe
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\RunServices: [MS Unix Binary] msmq2inst.exe
O4 - HKLM\..\RunServices: [Virus Protect] vrsprtc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MS Unix Binary] msmq2inst.exe
O4 - Startup: OnlineCounter 2002-Autostart.lnk = C:\Programme\OnlineCounter 2002\OnlineCounter-Autostart.exe
O4 - Startup: MP3DownloadHQ.lnk = C:\WINDOWS\MP3DownloadHQ.exe
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe-Gamma-Lader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Web Rebates - file://C:\Programme\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programme\SideFind\sidefind.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Trennen - {1FB507B3-841F-4ed4-BED8-E11F0E5E47A1} - C:\Programme\OnlineCounter 2002\OCHangUp.exe (file missing) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: v3cab - http://searchmiracle.com/cab/5.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {505098FD-5D61-4BC2-9B82-F969D0E932A2} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1036_EN_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21fde7b4e791577ec322/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111008775341
O16 - DPF: {6D15BD40-CCA6-11D2-A6A0-0060089A0EFF} (RWSO_IHB) - https://banking.rwso.de/sparkasse-rottweil/srwso1801.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B0D8EF-901C-4008-A1FF-7AEBE9405F94}: NameServer = 213.73.108.140 212.59.141.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{F325EFC9-6341-496F-8DA4-A6B8F1B4CBF2}: NameServer = 192.168.120.252,192.168.120.253
O23 - Service: Autodesk License Manager (AdLM) - Unknown owner - C:\WINDOWS\System32\ad_elmd.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


Vielen Dank für alle Tipps schon mal im Voraus

Gruß

Engelbert
Seitenanfang Seitenende
17.03.2005, 12:02
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#8 Hallo@engelbert

Deaktivieren Wiederherstellung

«XP
Arbeitsplatz-->rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.
(dann aktiviere sie wieder)

Laden (aber erst im abgesicherten Modus scannen)
FxIstbar.exe
http://bilder.informationsarchiv.net/Nikitas_Tools/

•Download Registry Search Tool :
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Doppelklick:regsrch.vbs

kopiere rein:

u0Ô@ÔÁß]­ú"ü‰üži

Press 'OK'
warten, bis die Suche beendet ist. (Ergebnis bitte posten)

das machst du ebenfalls mit.

{386A771C-E96A-421F-8BA7-32F1B706892F}
{825CF5BD-8862-4430-B771-0C15C5CA8DEF}
{C52CBAEC-D969-4635-9F50-426CC15CE463}
{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
{AD0B8220-7DA4-4C0A-8532-B25A9F631D3D}
{7C559105-9ECF-42B8-B3F7-832E75EDD959}

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startseite.de/searchbar
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WinSurferHelper - {C52CBAEC-D969-4635-9F50-426CC15CE463} - C:\WINDOWS\System32\42393730.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Programme\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [¢‰¸u0–4C
}ïÁzî[8C:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\ugmkhs.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰üžiC:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\ugmkhs.exe
O4 - HKLM\..\Run: [¢‰¸u0Ô@ÔÁß]­ú"ü‰¸u0C:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\ugmkhs.exe
O4 - HKLM\..\Run: [¢‰¸u0ÔÁß]­ú"ü‰üžigÝC:\Programme\ISTsvc\istsvc.exe] C:\WINDOWS\ugmkhs.exe
O4 - HKLM\..\Run: [MS Unix Binary] msmq2inst.exe
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE <--- SDBOT WORM!
O4 - HKLM\..\RunServices: [MS Unix Binary] msmq2inst.exe
O4 - HKLM\..\RunServices: [Virus Protect] vrsprtc.exe
O4 - HKCU\..\Run: [MS Unix Binary] msmq2inst.exe
O8 - Extra context menu item: Web Rebates - file://C:\Programme\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programme\SideFind\sidefind.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB

PC neustarten

•KillBox
http://www.bleepingcomputer.com/files/killbox.php

•Delete File on Reboot <--anhaken

und klick auf das rote Kreuz,
wenn gefragt wird, ob "Do you want to reboot? "----> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

C:\WINDOWS\System32\42393730.dll
C:\Programme\ISTsvc\istsvc.exe
C:\WINDOWS\Downloaded Program Files\ISTactivex.dll
C:\WINDOWS\optimize.exe
C:\program files\Internet Optimizer\update\optimize312.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Programme\Web_Rebates\WebRebates0.exe
C:\Programme\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
C:\Programme\Power Scan\powerscan.exe
C:\WINDOWS\ugmkhs.exe
C:\WINDOWS\System32\msmq2inst.exe
C:\WINDOWS\System32\vrsprtc.exe
C:\WINDOWS\Downloaded Program Files\internazionale_ver10.ocx
C:\WINDOWS\System32\objsafe.tlb
C:\Programme\SideFind\sidefind.dll
C:\UNMT.EXE

PC neustarten--> in den abgesicherten Modus (F8 druecken, wenn der PC hochfaehrt)

Loeschen temporaere Dateien --> loesche die Dateien in den Ordnern, nicht die ordner selbst
C:\WINDOWS\Temp\
C:\Temp\
C:\Dokumente und Einstellungen\username\Lokale Einstellungen\Temp\
C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Temporary Internet Files\Content.IE5 [loesche nicht die index.dat)

C:\Program Files\Internet Optimizer<--loeschen
C:\Programme\Web_Rebates<--loeschen
C:\Programme\Power Scan<--loeschen
C:\Programme\SideFind <--loeschen

scanne mit:
Adware.Istbar Removal Tool

GEhe wieder in den normalmodus.

•eScan-Erkennungstool
eSan ist hier unter dem Namen Free eScan Antivirus Toolkit Utility kostenlos erhältlich:
http://www.mwti.net/antivirus/free_utilities.asp
oeffne den Scanner--> noch nicht scannen--> gehe in Start<Ausfuehren< schreib rein: %temp% und suche
kavupd.exe, die klickst du an--> (Update- in DOS) ausführen

-->mwav.exe oeffnen-->alle Haekchen setzen-->scannen-->View Log anklicken--> Bearbeiten anklicken--> "infected" reinschreiben
und nun alles rauskopieren, was angezeigt wird-->

dann alles "infected" mit der Killbox oder manuell loeschen

#ClaerProg..lade die neuste Version <1.4.1
http://www.clearprog.de/downloads.php
<und saeubere den Browser.
Das Programm löscht die Surfspuren des Internet Explorers ab Version 5.0, des Netscape/Mozilla und des Opera:
- Cookies
- Verlauf
- Temporäre Internetfiles (Cache)


#TuneUp2004 (30 Tage free)
http://www.tuneup.de/products/tuneup-utilities/
Cleanup repair -->TuneUp Diskcleaner
Cleanup repair -->Registry Cleaner


#Ad-aware SE Personal 1.05 Updated
http://fileforum.betanews.com/detail/965718306/1
Laden--> Updaten-->scannen-->PC neustarten--> noch mal scannen--> poste das Log vom Scann

#neue Startseite
gehe zur Systemsteuerung --> Internetoptionen --> auf dem Reiter Allgemein bei Temporäre Internetdateien klickst du Dateien löschen --> auch bei Alle Offlineinhalte löschen das Häkchen setzen und mit OK bestätigen --> Auf den Reiter Programme gehen und dort auf Webeinstellungen zurücksetzen klicken, mit Ja bestätigen, fall Nachfrage kommt --> auf Übernehmen und abschließend auf OK klicken und stelle eine neue Startseite ein

Windows Worms Doors Cleaner erlaubt Ihnen die Dienste auf die die Würmer angewiesen sind, zu schließen
http://www.firewallleaktester.com/wwdc.htm

DCOM RPC vulnerability -http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

WEBDAV vulnerability - http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

LSASS vulnerability - http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

+
poste das neue Log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
17.03.2005, 14:08
Member

Beiträge: 12
#9 Vielen Dank für die superschnelle Antwort
hier die RegSrch Ergebnisse

die erste Suche war ohne Ergebnis,
die anderen kommen hier:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{386A771C-E96A-421F-8BA7-32F1B706892F}" 17.03.2005 13:58:58

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F}\Control]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F}\MiscStatus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F}\MiscStatus\1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F}\ToolboxBitmap32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F}\Version]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ISTactivex.Installer\CLSID]
@="{386A771C-E96A-421f-8BA7-32F1B706892F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ISTactivex.Installer.2\CLSID]
@="{386A771C-E96A-421f-8BA7-32F1B706892F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{386A771C-E96A-421F-8BA7-32F1B706892F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{386A771C-E96A-421F-8BA7-32F1B706892F}\Contains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{386A771C-E96A-421F-8BA7-32F1B706892F}\Contains\Files]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{386A771C-E96A-421F-8BA7-32F1B706892F}\DownloadInformation]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{386A771C-E96A-421F-8BA7-32F1B706892F}\InstalledVersion]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll]
".Owner"="{386A771C-E96A-421F-8BA7-32F1B706892F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll]
"{386A771C-E96A-421F-8BA7-32F1B706892F}"=""
Seitenanfang Seitenende
18.03.2005, 12:51
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#10 Hallo@engelbert

arbeite bitte alle Punkte ab !!!! ;)
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
18.03.2005, 17:02
Member

Beiträge: 12
#11 Hallo Sabina

vielen Dank für den Hinweis. Ich hatte keine Ahnung wie lange die ganze
Prozedur dauern wird.
Hier das neue Log vom HijackThis und vom Ad-aware SE 1.05.
Bin ich den Trojaner jetzt los?

Logfile of HijackThis v1.99.1
Scan saved at 16:53:38, on 18.03.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ad_elmd.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\Userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\HP\HP Software Update\HPWuSchd.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\WINDOWS\Dit.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\AVPersonal\AVSched32.EXE
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\msmq2inst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\msmq2inst.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\DitExp.exe
C:\Programme\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\Dokumente und Einstellungen\Besitzer\Desktop\AntiVirTools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.architekt-thomas-gross.de/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [MS Unix Binary] msmq2inst.exe
O4 - HKLM\..\RunServices: [MS Unix Binary] msmq2inst.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MS Unix Binary] msmq2inst.exe
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe-Gamma-Lader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Trennen - {1FB507B3-841F-4ed4-BED8-E11F0E5E47A1} - C:\Programme\OnlineCounter 2002\OCHangUp.exe (file missing) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: v3cab - http://searchmiracle.com/cab/5.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {505098FD-5D61-4BC2-9B82-F969D0E932A2} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1036_EN_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21fde7b4e791577ec322/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111008775341
O16 - DPF: {6D15BD40-CCA6-11D2-A6A0-0060089A0EFF} (RWSO_IHB) - https://banking.rwso.de/sparkasse-rottweil/srwso1801.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F325EFC9-6341-496F-8DA4-A6B8F1B4CBF2}: NameServer = 192.168.120.252,192.168.120.253
O23 - Service: Autodesk License Manager (AdLM) - Unknown owner - C:\WINDOWS\System32\ad_elmd.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe









Ad-Aware SE Build 1.05
Logfile Created on:Freitag, 18. März 2005 15:00:04
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R33 16.03.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):13 total references
Alexa(TAC index:5):11 total references
BroadCastPC(TAC index:7):4 total references
Claria(TAC index:7):19 total references
ClickSpring(TAC index:6):8 total references
Crontel Ltd(TAC index:5):2 total references
Dialer(TAC index:5):4 total references
DialPass(TAC index:5):4 total references
DyFuCA(TAC index:3):6 total references
eAcceleration(TAC index:7):7 total references
EGroup Dialer(TAC index:5):18 total references
Elitum.ElitebarBHO(TAC index:5):7 total references
istbar.dotcomToolbar(TAC index:5):5 total references
MagicControl(TAC index:7):36 total references
MainPean Dialer(TAC index:5):11 total references
MediaCharger(TAC index:5):2 total references
MRU List(TAC index:0):43 total references
Possible Browser Hijack attempt(TAC index:3):4 total references
Search Miracle(TAC index:5):7 total references
StarInstall(MainPean)(TAC index:5):4 total references
TopMoxie(TAC index:3):3 total references
Tracking Cookie(TAC index:3):5 total references
TS Cash(TAC index:5):10 total references
WhenU(TAC index:3):2 total references
Win32.Wintrim.Trojan.B(TAC index:7):9 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


18.03.2005 15:00:04 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\office\9.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\ahead\nero - burning rom\recent file list
Description : list of recently used files in nero burning rom


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\mediaplayer\player\settings
Description : last save as directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\google\navclient\1.1\history
Description : list of recently used search terms in the google toolbar


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-19\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-20\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\ahead\cover designer\recent file list
Description : list of recently used files in ahead cover designer


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\ntbackup\log files
Description : list of recent logfiles in microsoft backup


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\office\9.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-3588590466-2801439982-1300003180-1004\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Besitzer\recent
Description : list of recently opened documents


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 400
ThreadCreationTime : 18.03.2005 13:54:21
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 548
ThreadCreationTime : 18.03.2005 13:54:23
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 572
ThreadCreationTime : 18.03.2005 13:54:24
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 616
ThreadCreationTime : 18.03.2005 13:54:25
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 628
ThreadCreationTime : 18.03.2005 13:54:25
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 796
ThreadCreationTime : 18.03.2005 13:54:26
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 820
ThreadCreationTime : 18.03.2005 13:54:27
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [incdsrv.exe]
FilePath : C:\Programme\Ahead\InCD\
ProcessID : 836
ThreadCreationTime : 18.03.2005 13:54:27
BasePriority : Normal
FileVersion : 4, 2, 2, 1
ProductVersion : 4, 2, 2, 1
ProductName : Ahead Software AG incdsrv
CompanyName : Ahead Software AG
FileDescription : incdsrv
InternalName : incdsrv
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : incdsrv.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 988
ThreadCreationTime : 18.03.2005 13:54:28
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1012
ThreadCreationTime : 18.03.2005 13:54:28
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1160
ThreadCreationTime : 18.03.2005 13:54:29
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [ad_elmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1264
ThreadCreationTime : 18.03.2005 13:54:29
BasePriority : Normal


#:13 [avwupsrv.exe]
FilePath : C:\Programme\AVPersonal\
ProcessID : 1380
ThreadCreationTime : 18.03.2005 13:54:30
BasePriority : Normal


#:14 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1480
ThreadCreationTime : 18.03.2005 13:54:30
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:15 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1520
ThreadCreationTime : 18.03.2005 13:54:30
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:16 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1712
ThreadCreationTime : 18.03.2005 13:55:17
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Automatische Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : wuauclt.exe

#:17 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 252
ThreadCreationTime : 18.03.2005 13:59:21
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:18 [atiptaxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 384
ThreadCreationTime : 18.03.2005 13:59:22
BasePriority : Normal
FileVersion : 6.13.2519
ProductVersion : 6.13.2519
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright (C) 1998-2001 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:19 [fpassist.exe]
FilePath : C:\Programme\FreePDF_XP\
ProcessID : 428
ThreadCreationTime : 18.03.2005 13:59:22
BasePriority : Normal
FileVersion : 3.00.0148
ProductVersion : 3.00.0148
ProductName : FreePDF_Assistant
CompanyName : shbox.de
FileDescription : FreePDF Assistent für FreePDF3
InternalName : fpAssist
LegalCopyright : Stefan Heinz - shbox.de
LegalTrademarks : FreePDF
OriginalFilename : fpAssist.exe

#:20 [hpwuschd.exe]
FilePath : C:\Programme\HP\HP Software Update\
ProcessID : 436
ThreadCreationTime : 18.03.2005 13:59:22
BasePriority : Normal
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
ProductName : Hewlett-Packard hpwuSchd
CompanyName : Hewlett-Packard
FileDescription : hpwuSchd
InternalName : hpwuSchd
LegalCopyright : Copyright © 2003
OriginalFilename : hpwuSchd.exe

#:21 [hpcmpmgr.exe]
FilePath : C:\Programme\HP\hpcoretech\
ProcessID : 444
ThreadCreationTime : 18.03.2005 13:59:22
BasePriority : Normal
FileVersion : 2.1.1.0
ProductVersion : 2.1.4
ProductName : hp coretech (COmponent REuse TECHnology)
CompanyName : Hewlett-Packard Company
FileDescription : HP Framework Component Manager Service
InternalName : HPComponentManagerService module
LegalCopyright : Copyright (C) Hewlett-Packard. 2002-2003
OriginalFilename : HpCmpMgr.exe

#:22 [incd.exe]
FilePath : C:\Programme\Ahead\InCD\
ProcessID : 468
ThreadCreationTime : 18.03.2005 13:59:23
BasePriority : Normal
FileVersion : 4, 2, 2, 1
ProductVersion : 4, 2, 2, 1
ProductName : Ahead Software AG InCD
CompanyName : Ahead Software AG
FileDescription : InCD
InternalName : InCD
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : InCD.exe

#:23 [dit.exe]
FilePath : C:\WINDOWS\
ProcessID : 476
ThreadCreationTime : 18.03.2005 13:59:23
BasePriority : Normal


#:24 [qttask.exe]
FilePath : C:\Programme\QuickTime\
ProcessID : 484
ThreadCreationTime : 18.03.2005 13:59:23
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:25 [avsched32.exe]
FilePath : C:\Programme\AVPersonal\
ProcessID : 492
ThreadCreationTime : 18.03.2005 13:59:23
BasePriority : Normal
FileVersion : 6.30.00.00
ProductVersion : 6.30.00.00
ProductName : AVSched32
CompanyName : H+BEDV Datentechnik GmbH
FileDescription : AVSched32
InternalName : AVSched32
LegalCopyright : Copyright © 1998-2005 H+BEDV Datentechnik GmbH. All rights reserved.
LegalTrademarks : AntiVir® is a registered trademark of H+BEDV Datentechnik GmbH, Germany
OriginalFilename : AVSched32.exe

#:26 [ituneshelper.exe]
FilePath : C:\Programme\iTunes\
ProcessID : 500
ThreadCreationTime : 18.03.2005 13:59:23
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:27 [realsched.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Real\Update_OB\
ProcessID : 508
ThreadCreationTime : 18.03.2005 13:59:23
BasePriority : Normal
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:28 [point32.exe]
FilePath : C:\Programme\Microsoft IntelliPoint\
ProcessID : 372
ThreadCreationTime : 18.03.2005 13:59:23
BasePriority : Normal


#:29 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 536
ThreadCreationTime : 18.03.2005 13:59:23
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:30 [msmq2inst.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 532
ThreadCreationTime : 18.03.2005 13:59:23
BasePriority : Normal


#:31 [wkcalrem.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\
ProcessID : 348
ThreadCreationTime : 18.03.2005 13:59:23
BasePriority : Normal
FileVersion : 6.00.1911.0
ProductVersion : 6.00.1911.0
ProductName : Microsoft® Works 6.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Calendar Reminder Service
InternalName : WkCalRem
LegalCopyright : Copyright © Microsoft Corporation 1987-2000. All rights reserved.
OriginalFilename : WKCALREM.EXE

#:32 [hpqtra08.exe]
FilePath : C:\Programme\HP\Digital Imaging\bin\
ProcessID : 868
ThreadCreationTime : 18.03.2005 13:59:23
BasePriority : Normal
FileVersion : 5.35.0.035
ProductVersion : 005.035.000.035
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP Digital Imaging Monitor (CUE)
InternalName : HPQTRA00
LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2001
OriginalFilename : HPQTRA00.EXE
Comments : HP Digital Imaging Monitor (CUE)

#:33 [ipodservice.exe]
FilePath : C:\Programme\iPod\bin\
ProcessID : 1100
ThreadCreationTime : 18.03.2005 13:59:25
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:34 [ditexp.exe]
FilePath : C:\WINDOWS\
ProcessID : 2120
ThreadCreationTime : 18.03.2005 13:59:30
BasePriority : Normal


#:35 [hpzipm12.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2468
ThreadCreationTime : 18.03.2005 13:59:37
BasePriority : Normal
FileVersion : 7, 0, 0, 0
ProductVersion : 7, 0, 0, 0
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:36 [ad-aware.exe]
FilePath : C:\Programme\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2576
ThreadCreationTime : 18.03.2005 13:59:50
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 43


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

180Solutions Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\app management\arpcache\ncase

180Solutions Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\app management\arpcache\ncase
Value : SlowInfoCache

180Solutions Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\app management\arpcache\ncase
Value : Changed

180Solutions Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\180solutions\msbb

180Solutions Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\180solutions\msbb
Value : did

180Solutions Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\180solutions\msbb
Value : duid

180Solutions Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\180solutions\msbb
Value : partner_id

180Solutions Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\180solutions\msbb
Value : product_id

180Solutions Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\180solutions\msbb
Value : boom

180Solutions Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\180solutions

Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuText

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

ClickSpring Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : mediaticketsinstaller.mediaticketsinstallerctrl.1

ClickSpring Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : mediaticketsinstaller.mediaticketsinstallerctrl.1
Value :

ClickSpring Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3e4c3e0b-6bbe-4c94-86ca-6f055a989693}

ClickSpring Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3e4c3e0b-6bbe-4c94-86ca-6f055a989693}
Value :

ClickSpring Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}

ClickSpring Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}
Value :

ClickSpring Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{81eb72d7-3949-450f-b035-de599959814f}

ClickSpring Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{81eb72d7-3949-450f-b035-de599959814f}
Value :

Crontel Ltd Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\diallerprogram

Dialer Object Recognized!
Type : Regkey
Data :
Category : Dialer
Comment : Proclaim Telcom
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{da9a0b1f-9b7b-11d3-b8a4-00c04f79641c}

Dialer Object Recognized!
Type : RegValue
Data :
Category : Dialer
Comment : Proclaim Telcom
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{da9a0b1f-9b7b-11d3-b8a4-00c04f79641c}
Value :

DialPass Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : egauth.egegauth.1

DialPass Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : egauth.egegauth.1
Value :

DialPass Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : egauth.egegauth

DialPass Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : egauth.egegauth
Value :

eAcceleration Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f073d8a5-c4ac-4ddc-9204-b1c032b4bd72}

eAcceleration Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f073d8a5-c4ac-4ddc-9204-b1c032b4bd72}
Value :

eAcceleration Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : mseaid.gd\glsid

eAcceleration Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : mseaid.gd\glsid
Value :

EGroup Dialer Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{2f668a6d-2ec7-4e3a-a485-819e210738d6}

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{2f668a6d-2ec7-4e3a-a485-819e210738d6}
Value :

EGroup Dialer Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3588590466-2801439982-1300003180-1004\software\egdhtml

EGroup Dialer Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{486e48b5-abf2-42bb-a327-2679df3fb822}

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{486e48b5-abf2-42bb-a327-2679df3fb822}
Value : SystemComponent

EGroup Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{486e48b5-abf2-42bb-a327-2679df3fb822}
Value : Installer

Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\elitebar internet explorer toolbar

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\elitebar internet explorer toolbar
Value : UninstallString

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\elitebar internet explorer toolbar
Value : DisplayName

Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\elitebar internet explorer toolbar
Value : DisplayIcon

istbar.dotcomToolbar Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : istactivex.installer

istbar.dotcomToolbar Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : istactivex.installer
Value :

MagicControl Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{19068197-6f58-4e8a-8007-7155a68ca967}

MagicControl Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{19068197-6f58-4e8a-8007-7155a68ca967}
Value :

MagicControl Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{75a603e7-8bb7-4272-abbe-9846ff1241c1}

MagicControl Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{75a603e7-8bb7-4272-abbe-9846ff1241c1}
Value :

MagicControl Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{d7a82a12-05f5-42d8-b30d-6ef995075d2d}

MagicControl Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{d7a82a12-05f5-42d8-b30d-6ef995075d2d}
Value :

MagicControl Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1ef28cc5-8d97-4310-b71b-ca34ee15b897}

MagicControl Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1ef28cc5-8d97-4310-b71b-ca34ee15b897}
Value :

MagicControl Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{43cdad65-aa0d-4701-8108-117f86613b69}

MagicControl Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{43cdad65-aa0d-4701-8108-117f86613b69}
Value :

MagicControl Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{6d3f48f4-b40a-4c3f-a95c-85e23c3a8a91}

MagicControl Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{6d3f48f4-b40a-4c3f-a95c-85e23c3a8a91}
Value :

MagicControl Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : magiccontrol.magiccomponent

MagicControl Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : magiccontrol.magiccomponent
Value :

MagicControl Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : magiccontrol.magiccomponent.1

MagicControl Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : magiccontrol.magiccomponent.1
Value :

MagicControl Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin_mc.mcplugin

MagicControl Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin_mc.mcplugin
Value :

MagicControl Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin_mc.mcplugin.1

MagicControl Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin_mc.mcplugin.1
Value :

MagicControl Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : component.mc.1

MagicControl Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : component.mc.1
Value :

MagicControl Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : component.mc

MagicControl Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : component.mc
Value :

MainPean Dialer Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\intexusdial

MainPean Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\intexusdial
Value : Pre

MainPean Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\intexusdial
Value : PreNumber

MainPean Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\intexusdial
Value : DeviceName

MainPean Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\intexusdial
Value : Country

MainPean Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\intexusdial
Value : Language

MainPean Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\intexusdial
Value : Machine

MainPean Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\intexusdial
Value : InstallFlags

MainPean Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\intexusdial
Value : PassFlags

MainPean Dialer Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\intexusdial
Value : Password

MediaCharger Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3588590466-2801439982-1300003180-1004\software\mediacharger

MediaCharger Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-3588590466-2801439982-1300003180-1004\\software\mediacharger

Search Miracle Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{02c20140-76f8-4763-83d5-b660107babcd}

Search Miracle Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{02c20140-76f8-4763-83d5-b660107babcd}
Value :

StarInstall(MainPean) Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b0ce21c5-6a79-45b7-ab9c-0008e75f2dbf}

StarInstall(MainPean) Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b0ce21c5-6a79-45b7-ab9c-0008e75f2dbf}
Value :

StarInstall(MainPean) Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{cd6b926c-903f-46a4-9c7d-f3839f081788}

StarInstall(MainPean) Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{cd6b926c-903f-46a4-9c7d-f3839f081788}
Value :

TS Cash Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c8ff3068-13d5-4f20-add0-ec149a3b3417}

TS Cash Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c8ff3068-13d5-4f20-add0-ec149a3b3417}
Value :

TS Cash Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winad2.advertiser

TS Cash Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winad2.advertiser
Value :

Win32.Wintrim.Trojan.B Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c13fa88a-d264-4bc8-92ed-52eb8181e209}\proxystubclsid32

Win32.Wintrim.Trojan.B Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c13fa88a-d264-4bc8-92ed-52eb8181e209}\proxystubclsid32
Value :

Win32.Wintrim.Trojan.B Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c13fa88a-d264-4bc8-92ed-52eb8181e209}\typelib

Win32.Wintrim.Trojan.B Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c13fa88a-d264-4bc8-92ed-52eb8181e209}\typelib
Value :

Win32.Wintrim.Trojan.B Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c13fa88a-d264-4bc8-92ed-52eb8181e209}\typelib
Value : Version

Win32.Wintrim.Trojan.B Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c13fa88a-d264-4bc8-92ed-52eb8181e209}

Win32.Wintrim.Trojan.B Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c13fa88a-d264-4bc8-92ed-52eb8181e209}
Value :

Win32.Wintrim.Trojan.B Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c13fa88a-d264-4bc8-92ed-52eb8181e209}\proxystubclsid

Win32.Wintrim.Trojan.B Object Recognized!
Type : RegValue
Data :
Category
Seitenanfang Seitenende
18.03.2005, 18:59
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#12 Hallo@engelbert

Das ist ein Backdoor, der uneingeschraenkten Zugang zu deinem PC hat...und zu allen Daten....

W32/Rbot-YF
Allows others to access the computer
Reduces system security
Installs itself in the Registry
W32/Rbot-YF is a worm which attempts to spread to remote network shares. It also contains backdoor functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Rbot-YF moves itself to the Windows system folder as msmq2inst.exe and creates entries in the registry to run on system startup.
http://www.sophos.com/virusinfo/analyses/w32rbotyf.html

Gehe in die Registry

Start-Ausfuehren<regedit

Bearbeiten--> suchen

v3cab <--loeschen

SOFTWARE\Microsoft\Code Store Database\Distribution Units\v3cab
SOFTWARE\Microsoft\Code Store Database\Distribution Units\v3cab
SOFTWARE\Microsoft\Code Store Database\Distribution Units\v3cab "SystemComponent"
SOFTWARE\Microsoft\Code Store Database\Distribution Units\v3cab "Installer"

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

O4 - HKLM\..\Run: [MS Unix Binary] msmq2inst.exe
O4 - HKLM\..\RunServices: [MS Unix Binary] msmq2inst.exe
O4 - HKCU\..\Run: [MS Unix Binary] msmq2inst.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: v3cab - http://searchmiracle.com/cab/5.cab

PC neustarten

loeschen:
C:\WINDOWS\System32\msmq2inst.exe
C:\WINDOWS\Downloaded Program Files\v3.dll
-------------------------------------------------------------------------

•Online-Scann (Panda)
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

•Trend-Micro (Online)
http://de.trendmicro-europe.com/consumer/products/housecall_launch.php
http://de.trendmicro-europe.com/enterprise/products/housecall_pre.php





-->>berichte bitte von den Onlinscanns !!!

----------------------------------------------------------------------------
download the trial version of[color=blue] tds-3 anti trojan[/color] from here:
http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
install it, but do not launch it yet

update it: right click the link below, select "save as"
http://www.diamondcs.com.au/tds/radius.td3

save it to the directory where you installed tds-3, overwriting the previous radius.td3.

then launch tds-3. in the top bar of tds window click system testing> full system scan.
detections will appear in the lower pane of tds window. after the scan is finished ( it'll take a while ) right click the list> select save as txt. save it and post the contents of the scandump.txt here

After posting the scanlog go ahead and right click the list again, this time select delete! Delete everything labelled positive identification







--------------------------------------------------------------------------

eScan-Erkennungstool
eSan ist hier unter dem Namen Free eScan Antivirus Toolkit Utility kostenlos erhältlich:
http://www.mwti.net/antivirus/free_utilities.asp
oeffne den Scanner--> noch nicht scannen--> gehe in Start<Ausfuehren< schreib rein: %temp% und suche
kavupd.exe, die klickst du an--> (Update- in DOS) ausführen

-->mwav.exe oeffnen-->alle Haekchen setzen-->scannen-->View Log anklicken--> Bearbeiten anklicken--> "infected" reinschreiben
und nun alles rauskopieren, was angezeigt wird-->
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
19.03.2005, 10:15
Member

Beiträge: 12
#13 hallo sabina
hier der scandump.txt

Scan Control Dumped @ 10:10:23 19-03-05
Positive identification: DDoS.RAT.rBot.bgy
File: c:\windows\system32\msmq2inst.exe

Live trojan found (in process memory): DCOM RPC Exploit
File: C:\WINDOWS\System32\msmq2inst.exe

RegVal Trace: DDoS.RAT.rBot: HKEY_CURRENT_USER
File: Software\Microsoft\Windows\CurrentVersion\Run [MS Unix Binary=msmq2inst.exe]

RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [MS Unix Binary=msmq2inst.exe]

RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [MS Unix Binary=msmq2inst.exe]

Positive identification: DDoS.RAT.rBot.bgy
File: c:\windows\system32\msmq2inst.exe

Positive identification: DDoS.RAT.rBot.bjt
File: c:\windows\system32\trmupdate.exe

Positive identification: DDoS.RAT.rBot.bgy
File: c:\system volume information\_restore{525c47e3-beec-48d1-9d1a-801a5e50ccb0}\rp1\a0000009.exe

Suspicious Filename: Dual extensions
File: c:\projekte\schwartzkopff\doc-xls\datenauszug aus dokument 'architekturbüro ...'.shs

Positive identification: DDoS.RAT.rBot.bjt
File: c:\!submit\trmupdate.exe

Positive identification (DLL): Adware.ToolBar.EliteBar.s1 (dll)
File: c:\!submit\v3.dll

Positive identification (DLL): Adware.MediaTickets.d (dll)
File: c:\!submit\mediaticketsinstaller.ocx

Positive identification (DLL): Adware.ToolBar.EliteBar.z (dll)
File: c:\!submit\elitetoolbar version 59.dll

Positive identification (DLL): Adware.ToolBar.EliteBar.z1 (dll)
File: c:\!submit\elitesidebar 08.dll

Positive identification (DLL): TrojanDownloader.Win32.IstBar.hz (dll)
File: c:\!submit\backup-20050317-160357-853.dll

Positive identification (DLL): TrojanDownloader.Win32.IstBar.hz (dll)
File: c:\!submit\backup-20050317-160358-108.dll

Positive identification: Adware.Gator.5017.a
File: c:\!submit\gmt.exe

Positive identification: Adware.Gator.4126
File: c:\!submit\cmesys.exe

Positive identification: DDoS.RAT.rBot.bgy
File: c:\!submit\a0000064.exe

Positive identification (DLL): Adware.ToolBar.SideFind.a (dll)
File: c:\!submit\a0000066.dll

Positive identification: Adware.WebRebates.c
File: c:\!submit\a0000085.exe

Positive identification: Adware.WebRebates.d1
File: c:\!submit\a0000086.exe

Positive identification: DDoS.RAT.rBot.bgy
File: c:\!submit\msmq2inst.exe

Positive identification <Adv>: Possible keylogger
File: c:\adlm\ipx\winadmin.exe

Positive identification <Adv>: Possible keylogger
File: c:\adlm\ipx\wincntrl.exe

Positive identification <Adv>: Possible keylogger
File: c:\adlm\ipx\winquery.exe


MFG

engelbert
Seitenanfang Seitenende
19.03.2005, 15:47
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#14 Hallo@engelbert

Start<Ausfuehren--> regedit

Bearbeiten--> suchen-->msmq2inst

loesche alles mit rechtsklick, was du findest


•KillBox

http://www.bleepingcomputer.com/files/killbox.php

•Delete File on Reboot <--anhaken

und klick auf das rote Kreuz,
wenn gefragt wird, ob "Do you want to reboot? "----> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

C:\WINDOWS\System32\msmq2inst.exe
c:\windows\system32\trmupdate.exe
c:\system volume information\_restore{525c47e3-beec-48d1-9d1a-801a5e50ccb0}\rp1\a0000009.exe
c:\!submit\trmupdate.exe
c:\!submit\v3.dll
c:\!submit\mediaticketsinstaller.ocx
c:\!submit\elitetoolbar version 59.dll
c:\!submit\elitesidebar 08.dll
c:\!submit\backup-20050317-160357-853.dll
c:\!submit\backup-20050317-160358-108.dll
c:\!submit\gmt.exe
c:\!submit\cmesys.exe
c:\!submit\a0000064.exe
c:\!submit\a0000066.dll
c:\!submit\a0000085.exe
c:\!submit\a0000086.exe
c:\!submit\msmq2inst.exe
c:\adlm\ipx\winadmin.exe
c:\adlm\ipx\wincntrl.exe
c:\adlm\ipx\winquery.exe

neustarten

#ClaerProg..lade die neuste Version <1.4.1
http://www.clearprog.de/downloads.php
<und saeubere den Browser.
Das Programm löscht die Surfspuren des Internet Explorers ab Version 5.0, des Netscape/Mozilla und des Opera:
- Cookies
- Verlauf
- Temporäre Internetfiles (Cache)


#TuneUp2004 (30 Tage free)
http://www.tuneup.de/products/tuneup-utilities/
Cleanup repair -->TuneUp Diskcleaner
Cleanup repair -->Registry Cleaner

scanne noch mal mit dem Tool
tds-3 anti trojan

Windows Worms Doors Cleaner erlaubt Ihnen die Dienste auf die die Würmer angewiesen sind, zu schließen
http://www.firewallleaktester.com/wwdc.htm




und dann poste das neue Log vom HijackTHis
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
20.03.2005, 15:38
Member

Beiträge: 14
#15 Hallo Sabina!

ich hab ein ähnliche problem wie die leute hier. mein antivir zeigt mir auch den TR/Lowzones.A an. allerdings will er dateien in archiven nicht löschen und reparieren.

hab hier oben das allesmal gelesen. komme damit aber nicht so ganz klar. bin bei sowas total unerfahren. ich hab mir mal das hijackthis programm geladen was du hier angefüht hattest und hab das system gescannt und gesaved. dabei kam das hier im normalen win xp modus heraus:

Logfile of HijackThis v1.99.1
Scan saved at 15:35:06, on 20.03.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\S3hotkey.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\FRITZ!DSL\Awatch.exe
C:\WINDOWS\System32\msnupdate.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\TelWell\TelWell.exe
C:\Programme\Yahoo!\Messenger\ypager.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\slserv.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\Tim Schorsch\Lokale Einstellungen\Temp\Temporäres Verzeichnis 3 für hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://de.rd.yahoo.com/customize/ie/defaults/sb/ymsgr6/us/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ie/defaults/sp/ymsgr6/us/*http://www.yahoo.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://de.rd.yahoo.com/customize/ie/defaults/stp/ymsgr6/us/*http://www.yahoo.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://de.rd.yahoo.com/customize/ie/defaults/su/ymsgr6/us/*http://www.yahoo.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://de.rd.yahoo.com/customize/ie/defaults/sb/ymsgr6/us/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ie/defaults/sp/ymsgr6/us/*http://www.yahoo.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.rd.yahoo.com/customize/ie/defaults/stp/ymsgr6/us/*http://www.yahoo.de
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ie/defaults/su/ymsgr6/us/*http://www.yahoo.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aol.de/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_18_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_18_0.dll
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [AWatch] C:\Programme\FRITZ!DSL\Awatch.exe
O4 - HKLM\..\Run: [MS Unix Binary] msnupdate.exe
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\RunServices: [MS Unix Binary] msnupdate.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [TelWell] C:\Programme\TelWell\TelWell.exe starttray
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MS Unix Binary] msnupdate.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O17 - HKLM\System\CCS\Services\Tcpip\..\{BADD00AB-523A-45C3-BACB-FD84B4AAEC9E}: NameServer = 192.168.122.252,192.168.122.253
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe



ich bin sowas ein totaler anfänger. wäre super lieb wenn du mir schritt für schritt und Idoit beschreiben könntest was ich tun muss bis ich das blöde ding endlich los bin.


hab noch ne frage: ich habe auch dauernd das problem das ich zwar ins internet komme aber sich die seiten nicht aufbauen. meine messenger sind dann zwar online, aber es baut sich keien seite auf. hängt das auch damit zusammen? manchmal komme ich auch gar nicht online.

dank dir shcon mal im voraus.

liebe grüsse...
Seitenanfang Seitenende
Um auf dieses Thema zu ANTWORTEN
bitte erst » hier kostenlos registrieren!!

Folgende Themen könnten Dich auch interessieren: