topantispyware.com läßt sich nicht entfernen

#1 Hiho,

ich hab hier einen besonders hartnäckigen Gesellen, der mich wahlweise mit nervigen in "bluescreen"-artigen Popus oder ActiveDesktops nervt.

Das Prog weist mich darauf hin, daß Windows Spyware auf meinem Rechner gefunden hätte (ach?) und will mich zur Seite topantispyware.com leiten.

Dort bietet man auch ein kleines Removal-Tool an, was aber nicht hilft.

Adaware und Spybot sind mehrmals drüber (ausgeblendete Ordner und Systemdateien wurden vorher eingeblendet) und angeblich ist alles sauber.

HiJackThis hat dann noch ein paar Sachen gefunden (ausgewertet mit hijackthis.de ), die ich gefixt habe (ein paar Sachen werden weiterhin moniert, sind aber anscheinend ok, da sich dahinter Programme verstecken, die die Seite wohl nicht kennt).

Mir gehen langsam die Ideen aus, zumal die wenigen Tips aus dem Netz auch nicht geholfen haben (da soll man z..B. einen Regestry-Eintrag löschen, der aber immer wieder angelegt wird, wenn der ActiveDesktop von der Nervensäge wieder aktiviert wurde).

Der AktiveDesktop wird im abstand von 30 Minuten aktiviert, wobei eine Datei "c:\winnt\web\desktop.html" angezeigt wird; löschen der Datei taugt nichts, da diese spätestens nach dem nächsten Neustart wieder da ist.

Hier mal der Log vom HiJacker:

Logfile of HijackThis v1.99.0
Scan saved at 15:48:47, on 03.01.2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\CA\SharedComponents\Alert\ALERT.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Programme\CA\eTrust Antivirus\InoRpc.exe
C:\Programme\CA\eTrust Antivirus\InoRT.exe
C:\Programme\CA\eTrust Antivirus\InoTask.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programme\UltraVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\rsvp.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
C:\Programme\LeechGet 2004\LeechGet.exe
C:\WINNT\System32\w?nlogon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programme\PrintKey2000\Printkey2000.exe
C:\Programme\SwyxIt! Fax\Faxclient.exe
C:\Programme\SwyxIt!\SwyxIt!.exe
C:\PROGRA~1\SwyxIt!\CLMgr.exe
C:\PROGRA~1\GEMEIN~1\Swyx\ClCache.exe
C:\PROGRA~1\SwyxIt!\ODialer.exe
C:\PROGRA~1\NETMEE~1\conf.exe
C:\PROGRA~1\ULTIMA~1\uzip.exe
C:\DOKUME~1\APOHL\LOKALE~1\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zdnet.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer zur Verfügung gestellt von Heinz Jansen TG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://HERMES:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINNT\DOWNLO~1\ALTAVI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINNT\DOWNLO~1\ALTAVI~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [WinVNC] "C:\Programme\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UIWatcher] C:\Programme\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [LeechGet] "C:\Programme\LeechGet 2004\LeechGet.exe" -intray
O4 - HKCU\..\Run: [Rpw] C:\WINNT\System32\w?nlogon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - Global Startup: Dienst-Manager.lnk = C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Programme\PrintKey2000\Printkey2000.exe
O4 - Global Startup: SwyxIt! Fax.lnk = C:\Programme\SwyxIt! Fax\Faxclient.exe
O4 - Global Startup: SwyxIt!.lnk = C:\Programme\SwyxIt!\SwyxIt!.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Mit dem LeechGet Wizard laden - file://C:\Programme\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Mit LeechGet herunterladen - file://C:\Programme\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Mit LeechGet parsen - file://C:\Programme\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Selektierte Rufnummer wählen - C:\Programme\SwyxIt!\IEDial.htm
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Übersetzen - file://C:\Programme\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm
O9 - Extra button: SwyxIt! Wählhilfe - {f8e553c6-4c00-11d3-80bc-00105a653379} - C:\Programme\SwyxIt!\IEDial.htm
O9 - Extra 'Tools' menuitem: SwyxIt! Wählhilfe - {f8e553c6-4c00-11d3-80bc-00105a653379} - C:\Programme\SwyxIt!\IEDial.htm
O9 - Extra button: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/static/toolbar/altavista.cab?r=1099033433
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://proxy.guardster.com/cgi-bin/nph-proxy.cgi/111101A/687474702f646f776e6
c6f61642e6d6163726f6d656469612e636f6d2f7075622f73686f636b776176652f636162
732f666c6173682f7377666c6173682e636162
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hjtg.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{41209E78-07DF-4A88-AB63-4C64FE11A838}: NameServer = 192.168.1.3,131.220.16.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hjtg.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hjtg.local
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Programme\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Programme\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CA-Lizenz-Client - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Ereignisprotokoll-Überwachung - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: OpenVPN Service - Unknown - C:\Programme\OpenVPN\bin\openvpnserv.exe
O23 - Service: VNC Server - UltraVNC - C:\Programme\UltraVNC\WinVNC.exe

Die ganzen Swyx-Einträge gehören zu einer Telefonie-Software.

Danke schonmal für Eure Tips, André

#2 Hallo@apohl

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Rpw] C:\WINNT\System32\w?nlogon.exe -->CoolWebSearch parasite variant
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

neustarten

Lade die Killbox:
http://www.bleepingcomputer.com/files/killbox.php
<Delete File on Reboot

kopiere rein:

C:\r.exe
C:\WINNT\System32\w?nlogon.exe
C:\WINNT\System32\runsvc32.exe
C:\WINNT\System32\spoolsrv32.exe
C:\WINNT\System32\srpcsrv32.dll

und klick auf das rote Kreuz,
wenn gefragt wird, ob reboot-> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

PC neustarten

loeschen temporaere Dateien
C:\WINDOWS\Temp\
C:\Temp\
C:\Dokumente und Einstellungen\username\Lokale Einstellungen\Temp\

#Trend-Micro (Online)
http://de.trendmicro-europe.com/enterprise/products/housecall_pre.php

Poste das neue Log vom HijackThis, sowie das Scanlog von:
#Ad-aware SE Personal 1.05 Updated
http://fileforum.betanews.com/detail/965718306/1
+
Please download DllCompare from here
http://www.atribune.org/downloads/DllCompare.exe
klick: Locate.com button.
wenn der Scan beendet ist
klick:Compare button
klick: und erstelle das Log--->bitte posten
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Hallo Sabina,

und danke erst mal für die schnelle Antwort :-)

Hier die Logs:

HiJackThis:

Logfile of HijackThis v1.99.0
Scan saved at 11:24:38, on 04.01.2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\CA\SharedComponents\Alert\ALERT.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Programme\CA\eTrust Antivirus\InoRpc.exe
C:\Programme\CA\eTrust Antivirus\InoRT.exe
C:\Programme\CA\eTrust Antivirus\InoTask.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programme\UltraVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
C:\Programme\LeechGet 2004\LeechGet.exe
C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programme\PrintKey2000\Printkey2000.exe
C:\Programme\SwyxIt! Fax\Faxclient.exe
C:\Programme\SwyxIt!\SwyxIt!.exe
C:\PROGRA~1\SwyxIt!\CLMgr.exe
C:\WINNT\System32\rsvp.exe
C:\PROGRA~1\GEMEIN~1\Swyx\ClCache.exe
C:\PROGRA~1\SwyxIt!\ODialer.exe
C:\PROGRA~1\NETMEE~1\conf.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\apohl\Desktop\DllCompare.exe
C:\Dokumente und Einstellungen\apohl\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zdnet.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer zur Verfügung gestellt von Heinz Jansen TG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://HERMES:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINNT\DOWNLO~1\ALTAVI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINNT\DOWNLO~1\ALTAVI~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [WinVNC] "C:\Programme\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UIWatcher] C:\Programme\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [LeechGet] "C:\Programme\LeechGet 2004\LeechGet.exe" -intray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Dienst-Manager.lnk = C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Programme\PrintKey2000\Printkey2000.exe
O4 - Global Startup: SwyxIt! Fax.lnk = C:\Programme\SwyxIt! Fax\Faxclient.exe
O4 - Global Startup: SwyxIt!.lnk = C:\Programme\SwyxIt!\SwyxIt!.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: AltaVista Suche - file://C:\Programme\ALTAVISTA Toolbar\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Mit dem LeechGet Wizard laden - file://C:\Programme\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Mit LeechGet herunterladen - file://C:\Programme\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Mit LeechGet parsen - file://C:\Programme\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Selektierte Rufnummer wählen - C:\Programme\SwyxIt!\IEDial.htm
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Übersetzen - file://C:\Programme\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: SwyxIt! Wählhilfe - {f8e553c6-4c00-11d3-80bc-00105a653379} - C:\Programme\SwyxIt!\IEDial.htm
O9 - Extra 'Tools' menuitem: SwyxIt! Wählhilfe - {f8e553c6-4c00-11d3-80bc-00105a653379} - C:\Programme\SwyxIt!\IEDial.htm
O9 - Extra button: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/static/toolbar/altavista.cab?r=1099033433
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://proxy.guardster.com/cgi-bin/nph-proxy.cgi/111101A/687474702f646f776e6c
6f61642e6d6163726f6d656469612e636f6d2f7075622f73686f636b776176652f6361627
32f666c6173682f7377666c6173682e636162
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hjtg.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{41209E78-07DF-4A88-AB63-4C64FE11A838}: NameServer = 192.168.1.3,131.220.16.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hjtg.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hjtg.local
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Programme\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Programme\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CA-Lizenz-Client - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Ereignisprotokoll-Überwachung - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: OpenVPN Service - Unknown - C:\Programme\OpenVPN\bin\openvpnserv.exe
O23 - Service: VNC Server - UltraVNC - C:\Programme\UltraVNC\WinVNC.exe

AdAwareSE:


Ad-Aware SE Build 1.05
Logfile Created onienstag, 4. Januar 2005 11:17:48
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R24 29.12.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):15 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


04.01.2005 11:17:48 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-1292428093-1592454029-839522115-1134\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-1592454029-839522115-1134\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-1592454029-839522115-1134\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-1592454029-839522115-1134\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-1592454029-839522115-1134\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-1592454029-839522115-1134\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-1592454029-839522115-1134\software\google\navclient\1.1\history
Description : list of recently used search terms in the google toolbar


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-1592454029-839522115-1134\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-1592454029-839522115-1134\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-1592454029-839522115-1134\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-1592454029-839522115-1134\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\apohl\recent
Description : list of recently opened documents


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 144
ThreadCreationTime : 04.01.2005 09:39:18
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 168
ThreadCreationTime : 04.01.2005 09:39:32
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 188
ThreadCreationTime : 04.01.2005 09:39:34
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 216
ThreadCreationTime : 04.01.2005 09:39:35
BasePriority : Normal
FileVersion : 5.00.2195.3940
ProductVersion : 5.00.2195.3940
ProductName : Betriebssystem Microsoft(R) Windows (R) 2000
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 228
ThreadCreationTime : 04.01.2005 09:39:35
BasePriority : Normal
FileVersion : 5.00.2195.5430
ProductVersion : 5.00.2195.5430
ProductName : Betriebssystem Microsoft(R) Windows (R) 2000
CompanyName : Microsoft Corporation
FileDescription : LSA-Exe und Server-DLL
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 404
ThreadCreationTime : 04.01.2005 09:39:37
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 444
ThreadCreationTime : 04.01.2005 09:39:38
BasePriority : Normal
FileVersion : 5.00.2195.4299
ProductVersion : 5.00.2195.4299
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:8 [alert.exe]
FilePath : C:\Programme\CA\SharedComponents\Alert\
ProcessID : 512
ThreadCreationTime : 04.01.2005 09:39:53
BasePriority : Normal
FileVersion : 7.0.689.0
ProductVersion : 7.0.689.0
ProductName : Alert Service
CompanyName : Computer Associates International, Inc.
FileDescription : Alert Notification Server
InternalName : ALERT
LegalCopyright : Copyright (c) 1995 - 2003
OriginalFilename : ALERT.EXE

#:9 [ati2evxx.exe]
FilePath : C:\WINNT\System32\
ProcessID : 524
ThreadCreationTime : 04.01.2005 09:39:53
BasePriority : Normal


#:10 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 556
ThreadCreationTime : 04.01.2005 09:39:53
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:11 [hidserv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 580
ThreadCreationTime : 04.01.2005 09:39:54
BasePriority : Normal
FileVersion : 5.00.2195.4875
ProductVersion : 5.00.2195.4875
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : HID Audio Service
InternalName : hidserv
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : HIDSERV.EXE

#:12 [inorpc.exe]
FilePath : C:\Programme\CA\eTrust Antivirus\
ProcessID : 600
ThreadCreationTime : 04.01.2005 09:39:54
BasePriority : Normal
FileVersion : 7.0.139.0
ProductVersion : 7.0.139.0
ProductName : eTrust Antivirus
CompanyName : Computer Associates International, Inc.
InternalName : InoRpc.exe
LegalCopyright : Copyright 2003 Computer Associates International, Inc.
LegalTrademarks : InoculateIT (TM) is a trademark of Computer Associates Int'l, Inc.
OriginalFilename : InoRpc.exe
Comments : eTrust Antivirus English Version

#:13 [inort.exe]
FilePath : C:\Programme\CA\eTrust Antivirus\
ProcessID : 628
ThreadCreationTime : 04.01.2005 09:39:55
BasePriority : Normal
FileVersion : 7.0.139.0
ProductVersion : 7.0.139.0
ProductName : eTrust Antivirus
CompanyName : Computer Associates International, Inc.
InternalName : InoRT.dll
LegalCopyright : Copyright 2003 Computer Associates International, Inc.
LegalTrademarks : InoculateIT (TM) is a trademark of Computer Associates Int'l, Inc.
OriginalFilename : InoRT.dll
Comments : eTrust Antivirus English Version

#:14 [inotask.exe]
FilePath : C:\Programme\CA\eTrust Antivirus\
ProcessID : 644
ThreadCreationTime : 04.01.2005 09:39:55
BasePriority : Normal
FileVersion : 7.0.139.0
ProductVersion : 7.0.139.0
ProductName : eTrust Antivirus
CompanyName : Computer Associates International, Inc.
InternalName : InoTask.exe
LegalCopyright : Copyright 2003 Computer Associates International, Inc.
LegalTrademarks : InoculateIT (TM) is a trademark of Computer Associates Int'l, Inc.
OriginalFilename : InoTask.exe
Comments : eTrust Antivirus English Version

#:15 [logwatnt.exe]
FilePath : C:\Programme\CA\SharedComponents\CA_LIC\
ProcessID : 712
ThreadCreationTime : 04.01.2005 09:39:56
BasePriority : Normal
FileVersion : 1.52
ProductVersion : 1, 0, 0, 1
ProductName : Computer Associates LogWatNT
CompanyName : Computer Associates
FileDescription : LogWatNT
InternalName : LogWatNT
LegalCopyright : Copyright © 2002
OriginalFilename : LogWatNT.exe

#:16 [sqlservr.exe]
FilePath : C:\Programme\Microsoft SQL Server\MSSQL\Binn\
ProcessID : 748
ThreadCreationTime : 04.01.2005 09:39:57
BasePriority : Normal
FileVersion : 2000.080.0760.00
ProductVersion : 8.00.760
ProductName : Microsoft SQL Server
CompanyName : Microsoft Corporation
FileDescription : SQL Server Windows NT
InternalName : SQLSERVR
LegalCopyright : © 1988-2003 Microsoft Corp. All rights reserved.
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
OriginalFilename : SQLSERVR.EXE
Comments : NT INTEL X86

#:17 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 860
ThreadCreationTime : 04.01.2005 09:40:06
BasePriority : Normal
FileVersion : 5.00.2195.3649
ProductVersion : 5.00.2195.3649
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:18 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 896
ThreadCreationTime : 04.01.2005 09:40:06
BasePriority : Normal
FileVersion : 4.71.2195.1
ProductVersion : 4.71.2195.1
ProductName : Taskplaner für Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Taskplaner-Engine
InternalName : TaskScheduler
LegalCopyright : Copyright (C) Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:19 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 1000
ThreadCreationTime : 04.01.2005 09:40:09
BasePriority : Normal
FileVersion : 1.50.1085.0070
ProductVersion : 1.50.1085.0070
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows-Verwaltungsinstrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp. 1995-1999

#:20 [winvnc.exe]
FilePath : C:\Programme\UltraVNC\
ProcessID : 1032
ThreadCreationTime : 04.01.2005 09:40:12
BasePriority : Normal
FileVersion : 1, 0, 0, 11
ProductVersion : 1, 0, 0, 11
ProductName : Ultravnc
CompanyName : UltraVNC
FileDescription : VNC server for Win32
InternalName : WinVNC
LegalCopyright : Copyright UltraVnc
LegalTrademarks : VNC
OriginalFilename : WinVNC.exe

#:21 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1060
ThreadCreationTime : 04.01.2005 09:40:13
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:22 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1132
ThreadCreationTime : 04.01.2005 09:40:16
BasePriority : Normal
FileVersion : 5.00.3502.5321
ProductVersion : 5.00.3502.5321
ProductName : Betriebssystem Microsoft(R) Windows (R) 2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:23 [rundll32.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1216
ThreadCreationTime : 04.01.2005 09:40:29
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Betriebssystem Microsoft(R) Windows (R) 2000
CompanyName : Microsoft Corporation
FileDescription : Eine DLL-Datei als Anwendung ausführen
InternalName : rundll
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : RUNDLL.EXE

#:24 [realmon.exe]
FilePath : C:\PROGRA~1\CA\ETRUST~1\
ProcessID : 732
ThreadCreationTime : 04.01.2005 09:40:30
BasePriority : Normal
FileVersion : 7.0.139.0
ProductVersion : 7.0.139.0
ProductName : eTrust Antivirus
CompanyName : Computer Associates International, Inc.
InternalName : Realmon.exe
LegalCopyright : Copyright 2003 Computer Associates International, Inc.
LegalTrademarks : InoculateIT (TM) is a trademark of Computer Associates Int'l, Inc.
OriginalFilename : Realmon.exe
Comments : eTrust Antivirus English Version

#:25 [hpwuschd.exe]
FilePath : C:\Programme\Hewlett-Packard\HP Software Update\
ProcessID : 1248
ThreadCreationTime : 04.01.2005 09:40:30
BasePriority : Normal
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : Hewlett-Packard hpwuSchd
CompanyName : Hewlett-Packard
FileDescription : hpwuSchd
InternalName : hpwuSchd
LegalCopyright : Copyright © 2003
OriginalFilename : hpwuSchd.exe

#:26 [hpcmpmgr.exe]
FilePath : C:\Programme\HP\hpcoretech\
ProcessID : 772
ThreadCreationTime : 04.01.2005 09:40:31
BasePriority : Normal
FileVersion : 2.1.1
ProductVersion : 2.1.1
ProductName : hp coretech (COmponent REuse TECHnology)
CompanyName : Hewlett-Packard Company
FileDescription : HP Framework Component Manager Service
InternalName : HPComponentManagerService module
LegalCopyright : Copyright (C) Hewlett-Packard. 2002-2003
OriginalFilename : HPCmpMgr.exe

#:27 [hpztsb09.exe]
FilePath : C:\WINNT\System32\spool\drivers\w32x86\3\
ProcessID : 1320
ThreadCreationTime : 04.01.2005 09:40:32
BasePriority : Normal
FileVersion : 2.236.2.0
ProductVersion : 2.236.2.0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright (c) Hewlett-Packard Company 1999-2003

#:28 [msmsgs.exe]
FilePath : C:\Programme\Messenger\
ProcessID : 1204
ThreadCreationTime : 04.01.2005 09:40:34
BasePriority : Normal
FileVersion : 5.0.0468
ProductVersion : Version 5.0
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 1997-2003
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:29 [uiwatcher.exe]
FilePath : C:\Programme\ashampoo\Ashampoo UnInstaller Suite\
ProcessID : 1236
ThreadCreationTime : 04.01.2005 09:40:36
BasePriority : Normal
FileVersion : 1.3.0.2
ProductVersion : 1.3.0.2
ProductName : ashampoo UnInstaller Watcher
CompanyName : ashampoo GmbH & Co. KG
FileDescription : UnInstaller Watcher
InternalName : UIWatcher
LegalCopyright : 1999-2002 ashampoo GmbH & Co. KG
LegalTrademarks : ashampoo GmbH & Co. KG
OriginalFilename : UIWatcher

#:30 [leechget.exe]
FilePath : C:\Programme\LeechGet 2004\
ProcessID : 1416
ThreadCreationTime : 04.01.2005 09:40:36
BasePriority : Normal
FileVersion : 1.1.1520.87
ProductVersion : 1.0.0.0
ProductName : LeechGet Download Manager
CompanyName : Cronosoft
FileDescription : LeechGet Download Manager
InternalName : LeechGet
LegalCopyright : Martin Albiez
OriginalFilename : LeechGet.exe

#:31 [sqlmangr.exe]
FilePath : C:\Programme\Microsoft SQL Server\80\Tools\Binn\
ProcessID : 1192
ThreadCreationTime : 04.01.2005 09:40:40
BasePriority : Normal
FileVersion : 2000.080.0760.00
ProductVersion : 8.00.760
ProductName : Microsoft SQL Server
CompanyName : Microsoft Corporation
FileDescription : SQL Server Service Manager
InternalName : SQLMANGR
LegalCopyright : © 1988-2003 Microsoft Corp. All rights reserved.
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
OriginalFilename : SQLMANGR.exe
Comments : NT INTEL X86

#:32 [printkey2000.exe]
FilePath : C:\Programme\PrintKey2000\
ProcessID : 1424
ThreadCreationTime : 04.01.2005 09:40:43
BasePriority : Normal
FileVersion : 5.1.0.0
ProductName : PrintKey
CompanyName : Fred's Software
InternalName : PrintKey
LegalCopyright : Copyright 1999 By Alfred Bolliger
Comments : Full Version

#:33 [faxclient.exe]
FilePath : C:\Programme\SwyxIt! Fax\
ProcessID : 1460
ThreadCreationTime : 04.01.2005 09:40:44
BasePriority : Normal
FileVersion : 1.3.0.12
ProductVersion : v1.30
ProductName : SwyxWare
CompanyName : Swyx Solutions GmbH
FileDescription : Fax Client Program
InternalName : faxclient.exe
LegalCopyright : © 2003 Swyx Solutions GmbH
OriginalFilename : faxclient.exe

#:34 [swyxit!.exe]
FilePath : C:\Programme\SwyxIt!\
ProcessID : 1496
ThreadCreationTime : 04.01.2005 09:40:46
BasePriority : High
FileVersion : 4.3.1.38
ProductVersion : 4.31
ProductName : SwyxWare
CompanyName : Swyx Solutions GmbH
FileDescription : Client
InternalName : Client
LegalCopyright : (c) 2004 Swyx Solutions GmbH
OriginalFilename : Client.exe

#:35 [clmgr.exe]
FilePath : C:\PROGRA~1\SwyxIt!\
ProcessID : 1588
ThreadCreationTime : 04.01.2005 09:40:53
BasePriority : High
FileVersion : 4.3.1.37
ProductVersion : 4.31
ProductName : SwyxWare
CompanyName : Swyx Solutions GmbH
FileDescription : SwyxIt! Line Manager
InternalName : CLMgr
LegalCopyright : (c) 2004 Swyx Solutions GmbH
OriginalFilename : CLMgr.exe

#:36 [rsvp.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1348
ThreadCreationTime : 04.01.2005 09:41:03
BasePriority : Normal
FileVersion : 5.00.2167.1
ProductVersion : 5.00.2167.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft RSVP 1.0
InternalName : rsvp.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : rsvp.exe

#:37 [clcache.exe]
FilePath : C:\PROGRA~1\GEMEIN~1\Swyx\
ProcessID : 1676
ThreadCreationTime : 04.01.2005 09:41:06
BasePriority : Normal
FileVersion : 4.3.0.2
ProductVersion : 4.31
ProductName : SwyxWare
CompanyName : Swyx Solutions GmbH
FileDescription : ClientCache
InternalName : ClientCache
LegalCopyright : (c) 2004 Swyx Solutions GmbH
OriginalFilename : ClCache.exe

#:38 [odialer.exe]
FilePath : C:\PROGRA~1\SwyxIt!\
ProcessID : 1648
ThreadCreationTime : 04.01.2005 09:41:07
BasePriority : High
FileVersion : 4.3.0.5
ProductVersion : 4.31
ProductName : SwyxWare
CompanyName : Swyx Solutions GmbH
FileDescription : Outlook Dialer Core
InternalName : ODialer
LegalCopyright : (c) 2004 Swyx Solutions GmbH
OriginalFilename : ODialer.exe

#:39 [conf.exe]
FilePath : C:\PROGRA~1\NETMEE~1\
ProcessID : 1780
ThreadCreationTime : 04.01.2005 09:41:09
BasePriority : Normal
FileVersion : 4.4.3385
ProductVersion : 3.01
ProductName : Windows® NetMeeting®
CompanyName : Microsoft Corporation
FileDescription : Windows® NetMeeting®
InternalName : conf
LegalCopyright : Copyright © Microsoft Corporation 1996-1999
LegalTrademarks : Microsoft®, Windows® und NetMeeting® sind eingetragene Marken der Microsoft Corporation in den USA und/oder anderen Ländern.
OriginalFilename : conf.exe

#:40 [iexplore.exe]
FilePath : C:\Programme\Internet Explorer\
ProcessID : 1552
ThreadCreationTime : 04.01.2005 09:41:42
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : IEXPLORE.EXE

#:41 [iexplore.exe]
FilePath : C:\Programme\Internet Explorer\
ProcessID : 992
ThreadCreationTime : 04.01.2005 09:55:24
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : IEXPLORE.EXE

#:42 [inocit.exe]
FilePath : C:\Programme\CA\eTrust Antivirus\
ProcessID : 1852
ThreadCreationTime : 04.01.2005 10:13:12
BasePriority : Normal
FileVersion : 7.0.139.0
ProductVersion : 7.0.139.0
ProductName : eTrust Antivirus
CompanyName : Computer Associates International, Inc.
InternalName : InocIT.exe
LegalCopyright : Copyright 2003 Computer Associates International, Inc.
LegalTrademarks : InoculateIT (TM) is a trademark of Computer Associates Int'l, Inc.
OriginalFilename : InocIT.exe
Comments : eTrust Antivirus English Version

#:43 [ad-aware.exe]
FilePath : C:\Programme\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2016
ThreadCreationTime : 04.01.2005 10:14:09
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15



Deep scanning and examining files (C
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Deep scanning and examining files (D
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15

11:20:11 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:22.79
Objects scanned:68983
Objects identified:0
Objects ignored:0
New critical objects:0

DLL-Compare:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found "
________________________________________________

1.103 items found: 1.103 files, 0 directories.
Total of file sizes: 209.343.897 bytes 199,64 M

Administrator Account = Wahr

--------------------End log---------------------

Trendmicro:

Hat ein paar Sachen gefunden, die es aber nicht bereinigen kann....
Was mich ein bischen stutzig macht, ist, daß weder der hier laufende CA eTrust (der sonst sogar dann anschlägt, wenn ich ne Grippe habe) noch der von mir herunter geladene Stinger was finden.

Ich habe danach mal den Bitdefender OnlineScan drüber laufen lassen, de wenigstens etwas tun konnte, hier das Log:

C:\WINNT\loadclean.exe: suspect BehavesLike:Trojan.Downloader
C:\WINNT\loadclean.exe: disinfection failed
C:\WINNT\mstasks3.exe: infected with Trojan.Downloader.Small.LX
C:\WINNT\mstasks3.exe: disinfection failed
C:\WINNT\system32\6.dat: infected with Trojan.Favadd.C
C:\WINNT\system32\6.dat: deleted
C:\WINNT\system32\dktibs.exe=>(FSG 2.0): infected with Trojan.Downloader.Delf.DG
C:\WINNT\system32\dktibs.exe=>(FSG 2.0): deleted
C:\WINNT\system32\intffdsronsad.exe: infected with Trojan.Favadd.C
C:\WINNT\system32\intffdsronsad.exe: deleted
C:\WINNT\system32\tksrv99.exe: infected with Trojan.Downloader.Esepor.AA
C:\WINNT\system32\tksrv99.exe: deleted
C:\WINNT\system32\tmksrvu.exe: infected with Adware.WUpd.A
C:\WINNT\system32\tmksrvu.exe: disinfection failed
C:\WINNT\system32\txfdb32.dll: infected with Trojan.Small.CR
C:\WINNT\system32\txfdb32.dll: deleted

Hast Du eine Ahnung, wie infektiös der Trojaner ist .... wenn der sich einschmuggeln konnte und der CA nicht angeschlagen hat, könnte er sich im Netzwerk verbreitet haben (wurghs).

Gruß, André

#4 Hallo@apohl

Dein System war so ziemlich verseucht (das was sichtbar war und was durch die Scanns entdeckt wurde)
Du solltest den Firefox laden und nicht mehr mit dem IE surfen.
Dazu sind keine Virenscanner "perfekt", deshalb sind Onlinescanns von verschiedenen Anbietern ein Muss.
Eine Firewall (Zonealarm oder Sygate) waere ebenfalls zu empfehlen)

Loesche mit der Killbox
C:\WINNT\system32\tmksrvu.exe
C:\WINNT\loadclean.exe
C:\WINNT\mstasks3.exe

neustarten und poste das neue Log vom HijackThis.
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Hi Sabina,

also ... wir sitzen hinter einer Astaro, die nur HTTP und SMTP/POP, DNS und NTP durchläßt... der Rest ist geblockt.

Der CA läuft mit sowohl mit der Inoculate- als auch der VET-Engine (erstere als resistenter, wöchentlicher Scan mit beiden).

Hinzu kommt der Mailscan erst auf unserem Server im Rechenzentrum und snchließend hier im Exchange.

Auf den IE kann ich nicht verzichten, da wir hier intern eine browserbasierte Software einsetzen, die den IE benötigt (habs mit dem Fuchs probiert, funktioniert nicht).

Was mir aufällt: Alle Dateien tragen als Erstelldatum den 23.12.04.... ich erinnere mich genau, weil ich an dem Tag ein bischen Recherche im asiatischen Raum gemacht habe und auf einmal akute Probleme hatte, wieder Herr über meinen Bildschirm zu werden (Popup-Blocker wurde überlistet und es versuchten sich x Viren zu installieren, die aber alle samt geblockt wurden.

Scheinbar ist der eine oder andere aber am CA vorbei gekommen.

Anyway... ich hoffe mal, daß mein Rechner bald wieder sauber ist... die anderen nehme ich mir dann in den nächsten Tagen vor.

Hier das aktuelle Logfile:

Logfile of HijackThis v1.99.0
Scan saved at 14:02:52, on 04.01.2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\CA\SharedComponents\Alert\ALERT.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Programme\CA\eTrust Antivirus\InoRpc.exe
C:\Programme\CA\eTrust Antivirus\InoRT.exe
C:\Programme\CA\eTrust Antivirus\InoTask.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programme\UltraVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
C:\Programme\LeechGet 2004\LeechGet.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programme\PrintKey2000\Printkey2000.exe
C:\Programme\SwyxIt! Fax\Faxclient.exe
C:\Programme\SwyxIt!\SwyxIt!.exe
C:\PROGRA~1\SwyxIt!\CLMgr.exe
C:\WINNT\System32\rsvp.exe
C:\PROGRA~1\GEMEIN~1\Swyx\ClCache.exe
C:\PROGRA~1\SwyxIt!\ODialer.exe
C:\PROGRA~1\NETMEE~1\conf.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\apohl\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zdnet.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer zur Verfügung gestellt von Heinz Jansen TG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://HERMES:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINNT\DOWNLO~1\ALTAVI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINNT\DOWNLO~1\ALTAVI~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [WinVNC] "C:\Programme\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UIWatcher] C:\Programme\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [LeechGet] "C:\Programme\LeechGet 2004\LeechGet.exe" -intray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Dienst-Manager.lnk = C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Programme\PrintKey2000\Printkey2000.exe
O4 - Global Startup: SwyxIt! Fax.lnk = C:\Programme\SwyxIt! Fax\Faxclient.exe
O4 - Global Startup: SwyxIt!.lnk = C:\Programme\SwyxIt!\SwyxIt!.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: AltaVista Suche - file://C:\Programme\ALTAVISTA Toolbar\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Mit dem LeechGet Wizard laden - file://C:\Programme\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Mit LeechGet herunterladen - file://C:\Programme\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Mit LeechGet parsen - file://C:\Programme\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Selektierte Rufnummer wählen - C:\Programme\SwyxIt!\IEDial.htm
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Übersetzen - file://C:\Programme\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: SwyxIt! Wählhilfe - {f8e553c6-4c00-11d3-80bc-00105a653379} - C:\Programme\SwyxIt!\IEDial.htm
O9 - Extra 'Tools' menuitem: SwyxIt! Wählhilfe - {f8e553c6-4c00-11d3-80bc-00105a653379} - C:\Programme\SwyxIt!\IEDial.htm
O9 - Extra button: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/static/toolbar/altavista.cab?r=1099033433
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.de/scan/Msie/bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://proxy.guardster.com/cgi-bin/nph-proxy.cgi/111101A/687474702f646f776e6c6f6
1642e6d6163726f6d656469612e636f6d2f7075622f73686f636b776176652f636162732f66
6c6173682f7377666c6173682e636162
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hjtg.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{41209E78-07DF-4A88-AB63-4C64FE11A838}: NameServer = 192.168.1.3,131.220.16.220
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hjtg.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hjtg.local
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Programme\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Programme\CA\SharedComponents\Alert\ALERT.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CA-Lizenz-Client - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eTrust Antivirus RPC Server - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Ereignisprotokoll-Überwachung - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: OpenVPN Service - Unknown - C:\Programme\OpenVPN\bin\openvpnserv.exe
O23 - Service: VNC Server - UltraVNC - C:\Programme\UltraVNC\WinVNC.exe

Danke für Deine intensive Hilfe ! @->->-

André

#6 Hallo@apohl

Hast du die von mir angegebenen Dateien mit der Killbox geloescht bekommen ?
Scanne noch mal mit Bitdefender und schau, ob noch was angegeben wird,

so kann man C:\WINDOWS\Web\desktop.html loeschen
Geht auf Start -> Einstellungen -> Systemsteuerung und klickt dort auf "Anzeige" Darin gibt es ein Register "Desktop" und die Möglichkeit "Desktop anpassen". Darin wiederum klickt ihr auf das Register "Web" und entfernt dort "Security" in der Liste

#eScan-Erkennungstool
http://www.rokop-security.de/board/index.php?showtopic=3867
erstelle den Ordner c:\bases
mwav.exe runterladen, die Datei in den Ordner c:\bases (wichtig!) entpacken und danach kavupd.exe (Update- in DOS) ausführen

gehe in den abgesicherten Modus
http://www.tu-berlin.de/www/software/virus/savemode.shtml

und den Scanner mit der "mwav.exe"[oder:MWAVSCAN.COM] starten. Alle Häkchen setzen :
Auswählen: "all files", Memory, Startup-Folders, Registry, System Folders,
Services, Drive/All Local drives, Folder [C:\WINDOWS], Include SubDirectory
-->und "Scan " klicken.

mache bitte folgendes:
nun öffnest du mit dem editor, die mwav.txt und gehst unter bearbeiten -> suchen, hier gibst du infected ein



jene zeile in der infected steht, markieren, und hier einfügen, weitersuchen usw.
und ganz unten steht die zusammenfassung, diese auch hier posten
__________
MfG Sabina

rund um die PC-Sicherheit

#7 @Sabina

hatte heute auch das Problem mit Topantispyware. Bin deinen Lösungsvorschlägen gefolgt und es hat hingehauen. Wollte mich nur dafür bedanken. Wäre schon fast verzweifelt

MfG Florian

#8 habe das selbe Problem nur halt windowsxp und das mit killbox hilft nicht
hier mla die ganzen log datein wäre nett wenn mir jemand helfen kann

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 13:59:56, on 27.02.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programme\Microsoft Hardware\Mouse\point32.exe
C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Java\JRE15~1.0_0\bin\java.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01575B9F-13D1-712F-6453-1A4855B87338} - C:\WINDOWS\atlhs32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Microsoft® VBScript® Console - {F742A3DB-431B-4975-B4E2-030FC1FDC850} - C:\WINDOWS\System32\vbterm.dll
O9 - Extra 'Tools' menuitem: VBScript Terminal - {F742A3DB-431B-4975-B4E2-030FC1FDC850} - C:\WINDOWS\System32\vbterm.dll
O9 - Extra button: Microsoft® VBScript® Terminal - {F742A3DB-431B-4975-B4E2-030FC1FDC850} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: VBScript Terminal - {F742A3DB-431B-4975-B4E2-030FC1FDC850} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CCC2F2F-E91B-47D6-B560-6614841FEF72}: NameServer = 217.237.149.225 217.237.151.97
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe




Adaware SE:

Ad-Aware SE Build 1.05
Logfile Created on:Sonntag, 27. Februar 2005 13:22:43
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R28 16.02.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
ClickSpring(TAC index:6):1 total references
MRU List(TAC index:0):46 total references
Search Relevancy(TAC index:5):1 total references
Tracking Cookie(TAC index:3):1 total references
WindUpdates(TAC index:8):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


27.02.2005 13:22:43 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\nvidia corporation\global\nview\windowmanagement
Description : nvidia nview cached application window positions


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\adobe\photoshop\7.0\visiteddirs
Description : adobe photoshop 7 recent work folders


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\office\10.0\powerpoint\recenttemplatelist
Description : list of recent templates used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\office\10.0\powerpoint\recentfolderlist
Description : list of recent folders used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\office\10.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\office\10.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\office\10.0\powerpoint\recent templates
Description : list of recent templates used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\mediaplayer\player\settings
Description : last save as directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\kazaa\search
Description : list of recent searches performed with sharman networks kazaa


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\office\10.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-19\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-20\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\ahead\cover designer\recent file list
Description : list of recently used files in ahead cover designer


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\mediaplayer\preferences
Description : last search path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-746137067-1326574676-682003330-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\MIGHTYGUY\recent
Description : list of recently opened documents


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 448
ThreadCreationTime : 27.02.2005 12:21:44
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 504
ThreadCreationTime : 27.02.2005 12:21:47
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 528
ThreadCreationTime : 27.02.2005 12:21:52
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 572
ThreadCreationTime : 27.02.2005 12:21:52
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 584
ThreadCreationTime : 27.02.2005 12:21:52
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 764
ThreadCreationTime : 27.02.2005 12:21:52
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 812
ThreadCreationTime : 27.02.2005 12:21:52
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 960
ThreadCreationTime : 27.02.2005 12:21:53
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1020
ThreadCreationTime : 27.02.2005 12:21:53
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1196
ThreadCreationTime : 27.02.2005 12:21:53
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1244
ThreadCreationTime : 27.02.2005 12:21:53
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 1480
ThreadCreationTime : 27.02.2005 12:21:57
BasePriority : Normal
FileVersion : 5.0.02
ProductVersion : 5.0.02
ProductName : Avance Sound Manager
CompanyName : Avance Logic, Inc.
FileDescription : Avance Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2002 Avance Logic, Inc.
OriginalFilename : ALSMTray.exe
Comments : Avance AC97 Audio Sound Manager

#:13 [realsched.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Real\Update_OB\
ProcessID : 1488
ThreadCreationTime : 27.02.2005 12:21:57
BasePriority : Normal
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
ProductName : RealOne Player (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2002
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:14 [hpztsb04.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ProcessID : 1496
ThreadCreationTime : 27.02.2005 12:21:57
BasePriority : Normal
FileVersion : 2,80,0,0
ProductVersion : 2,80,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright (c) Hewlett-Packard Company 1999-2001

#:15 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1528
ThreadCreationTime : 27.02.2005 12:21:57
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Eine DLL-Datei als Anwendung ausführen
InternalName : rundll
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : RUNDLL.EXE

#:16 [point32.exe]
FilePath : C:\Programme\Microsoft Hardware\Mouse\
ProcessID : 1536
ThreadCreationTime : 27.02.2005 12:21:57
BasePriority : Normal


#:17 [jusched.exe]
FilePath : C:\Programme\Java\jre1.5.0_01\bin\
ProcessID : 1556
ThreadCreationTime : 27.02.2005 12:21:57
BasePriority : Normal


#:18 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1564
ThreadCreationTime : 27.02.2005 12:21:57
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:19 [teatimer.exe]
FilePath : C:\Programme\Spybot - Search & Destroy\
ProcessID : 1576
ThreadCreationTime : 27.02.2005 12:21:57
BasePriority : Idle
FileVersion : 1, 3, 0, 12
ProductVersion : 1, 3, 0, 12
ProductName : Spybot - Search & Destroy
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
LegalCopyright : © 2000-2004 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.
LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
OriginalFilename : TeaTimer.exe
Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.

#:20 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1792
ThreadCreationTime : 27.02.2005 12:22:00
BasePriority : Normal
FileVersion : 6.14.10.6177
ProductVersion : 6.14.10.6177
ProductName : NVIDIA Driver Helper Service, Version 61.77
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 61.77
InternalName : NVSVC
LegalCopyright : (C) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:21 [ad-aware.exe]
FilePath : C:\Programme\Lavasoft\Ad-Aware SE Personal\
ProcessID : 700
ThreadCreationTime : 27.02.2005 12:22:35
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

ClickSpring Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{9eb320ce-be1d-4304-a081-4b4665414bef}

Search Relevancy Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{1d7e3b41-23ce-469b-be1b-a64b877923e1}

WindUpdates Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 49


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 49


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mightyguy@2o7[1].txt
Category : Data Miner
Comment : Hits:9
Value : Cookie:mightyguy@2o7.net/
Expires : 26.02.2010 13:19:12
LastSync : Hits:9
UseCount : 0
Hits : 9

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 50



Deep scanning and examining files (C
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 50

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 50




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 50

13:30:21 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:07:37.391
Objects scanned:149188
Objects identified:4
Objects ignored:0
New critical objects:4

#9 Hallo@Durahan

•Information:
File: SPOOLSRV32.EXE
Status: INFECTED/MALWARE
Packers detected: UPX

AntiVir No viruses found (0.74 seconds taken)
Avast No viruses found (3.00 seconds taken)
•AVG Antivirus Downloader.Small.25.H (1.20 seconds taken)
•BitDefender Trojan.Downloader.Adload.C (0.85 seconds taken)
ClamAV No viruses found (1.17 seconds taken)
•Dr.Web Trojan.Promospy (1.66 seconds taken)
F-Prot Antivirus No viruses found (0.17 seconds taken)
•Fortinet W32/Nachi.fam (0.77 seconds taken)
•Kaspersky Anti-Virus Trojan-Downloader.Win32.Adload.c (1.07 seconds taken)
mks_vir No viruses found (0.25 seconds taken)
•NOD32 Win32/TrojanDownloader.Adload.C (0.51 seconds taken)
Norman Virus Control No viruses found (0.75 seconds taken)

KillBox (entpacke auf dem Desktop)
http://www.bleepingcomputer.com/files/killbox.php

•Download NOD32 Antivirus System (erst im abgesicherten Modus scannen !!!!)
http://www.nod32.de/download/download.php

•Deaktivieren Wiederherstellung
«XP
Arbeitsplatz-->rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.
(dann wieder aktivieren)

•RegistryStart<Ausfuehren<regedit )

+HKEY_CURRENT_USER\Software\Microsoft\Internet \Explorer\Desktop\Components
falls du es findest--> loesche auf der rechten Seite der Registry den Unterschluessel "0" mit Rechtsklick

Damit er jedes Mal gestartet wird, wenn sich ein Benutzer anmeldet erstellt Troj/Small-OY die folgenden Registrierungseinträge:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Srv32 spool service
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Srv32 spool service

•1. Öffne den Editor (Start -> Programme -> Zubehör) und kopiere den Inhalt des folgenden Zitats in das Editorfenster. Speichere die Datei anschließend unter dem Namen DelDomains.inf mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.
2. Schließe den InternetExplorer.
3. Klicke die Datei DelDomains.inf mit der rechten Maustaste an und dann auf 'Installieren'.
---------------------------------------------------------------------------------------------------------


[version]
signature="$CHICAGO$"

[DefaultInstall]
DelReg=DelTemps
AddReg=AddTemps

[DelTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

; Recreate the keys to avoid a restart

[AddTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"


-----------------------------------------------------------------------------------------


#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {01575B9F-13D1-712F-6453-1A4855B87338} - C:\WINDOWS\atlhs32.dll (file missing)
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab

PC neustarten--> in den abgesicherten Modus

Der Trojaner versucht, Dateien von einem remoten Speicherort herunterzuladen und zu starten. Die Dateinamen der von dem Trojaner benutzten Komponenten sind runsvc32.exe, spoolsrv32.exe und srpcsrv32.dll. Die heruntergeladenen Dateien werden in C:\r.exe gespeichert.

falls du es findestloeschen)
<C:\Program Files\TopAntiSpyware
•C:\WINDOWS\desktop.html
•C:\WINDOWS\Web\desktop.html
•C:\WINDOWS\SSICO.ICO
• C:\Documents and Settings\<current user>\Desktop\! Protect Your Data.url
•C:\Documents and Settings\<current user>\Favorites\! Smart Security.url
• C:\Documents and Settings\<current user>\Recent\! Smart Security.url
• C:\Documents and Settings\<current user>\Start Menu\! Secure Yourself.url
•Speedy.bat

oeffne die Killbox:
KillBox
<Delete File on Reboot

und klick auf das rote Kreuz,
wenn gefragt wird, ob "Do you want to reboot? "----> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

C:\WINDOWS\System32\runsvc32.exe
C:\WINDOWS\system32\abouj.dll
C:\WINDOWS\atlhs32.dll
C:\WINDOWS\System32\srpcsrv32.dll
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\System32\runoledb32.exe
C:\r.exe

PC neustarten--> wieder in den abgesicherten Modus

#mache einen Komplettscann mit dem NOD32
Man sollte jedoch darauf achten, dass man die Einstellungen
dahingehend ändert das ALLE DATEIEN durchsucht werden.
Voreingestellt sind nur bestimmte Dateitypen.

gehe wieder in den Normalmodus:

#ClaerProg..lade die neuste Version <1.4.1
http://www.clearprog.de/downloads.php
<und saeubere den Browser.
Das Programm löscht die Surfspuren des Internet Explorers ab Version 5.0, des Netscape/Mozilla und des Opera:
- Cookies
- Verlauf
- Temporäre Internetfiles (Cache)
+
poste das neue Log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#10 hat super funktioniert vielen dank! ^^

hier noch die log datei von hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 15:48:08, on 27.02.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programme\Microsoft Hardware\Mouse\point32.exe
C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {01575B9F-13D1-712F-6453-1A4855B87338} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Programme\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Microsoft® VBScript® Console - {F742A3DB-431B-4975-B4E2-030FC1FDC850} - C:\WINDOWS\System32\vbterm.dll
O9 - Extra 'Tools' menuitem: VBScript Terminal - {F742A3DB-431B-4975-B4E2-030FC1FDC850} - C:\WINDOWS\System32\vbterm.dll
O9 - Extra button: Microsoft® VBScript® Terminal - {F742A3DB-431B-4975-B4E2-030FC1FDC850} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: VBScript Terminal - {F742A3DB-431B-4975-B4E2-030FC1FDC850} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CCC2F2F-E91B-47D6-B560-6614841FEF72}: NameServer = 217.237.149.225 217.237.151.97
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programme\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#11 Hallo@Durahan

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\abouj.dll/sp.html#37049
O2 - BHO: (no name) - {01575B9F-13D1-712F-6453-1A4855B87338} - (no file)
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} -

PC neustarten

•eScan-Erkennungstool
eSan ist hier unter dem Namen Free eScan Antivirus Toolkit Utility kostenlos erhältlich:
http://www.mwti.net/antivirus/free_utilities.asp
oeffne den Scanner--> noch nicht scannen--> gehe in Start<Ausfuehren< schreib rein: %temp% und suche
kavupd.exe, die klickst du an--> (Update- in DOS) ausführen

-->mwav.exe oeffnen-->alle Haekchen setzen-->scannen-->View Log anklicken--> Bearbeiten anklicken--> "infected" reinschreiben
und nun alles rauskopieren, was angezeigt wird-->

im Prinzip dueftest du ziemlich viel finden ........)
__________
MfG Sabina

rund um die PC-Sicherheit

#12 hi ^^
mein netzteil hat sich diese woche verabschiedet also bin ich jetz an nem anderen comp
spywaremässig is der ziemlich leer jedoch hab ich mit eScan den win32.parite.b gefunden
habe auch schon den thread gefunden mit tips um den zu löschen usw.
werde mich jetz ersma darum kümmern dann post ich hier nochma logfiles
also danke für deine hilfe bisher sabina ^^

#13 Hallo,also ich habe auch diesen problem und versuche seit vier stunden diesen
problem zu beheben aber irgendwie kriege ich das nicht hin.Ich habe alles runtergeladen was man dafür braucht aber irgenwie bin ich zu blöd oder so.
Ich versuche alles so zu machen wie sabina es beschrieben hat aber ich krieg das einfach net hin.das ist das erste mal das ich so ein %§$%§ programm in meinem rechner habe. Ich Danke für jede kleine hilfe die ihr für ein dummy übrich habt!!

#14 Hallo@yari

HijackThis
http://www.downloads.subratam.org/hijackthis.zip
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Lade/entpacke HijackThis in einem Ordner -->None of the above,
just start the program --> Save--> Savelog -->es öffnet sich der
Editor -->

Do a system scan and save a logfile --> Save--> Savelog -->es öffnet sich der
Editor -->

nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und ins
Forum mit rechtem Mausklick "einfügen"
__________
MfG Sabina

rund um die PC-Sicherheit

#15 moin ich hab auch das problem mit topantispyware hier mein log von hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 01:30:52, on 14.03.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ma44Pan.Exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Logitech\iTouch\iTouch.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Programme\Mozzilla Firebird\MozillaFirebird\MozillaFirebird.exe
E:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\_hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\_hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\_hp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\_hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\_sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_hp.html
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Ma44Pan] Ma44Pan.Exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\System32\MetaProducts\Add_Url.htm
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Microsoft AntiSpyware helper - {B4F95D0F-B1E4-40AA-BDEA-122E15E850D8} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B4F95D0F-B1E4-40AA-BDEA-122E15E850D8} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {E63E1D0F-C042-4005-9416-2FB9888C2F54} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E63E1D0F-C042-4005-9416-2FB9888C2F54} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {82324A1C-7B7E-4AB7-B1EC-428B74535B75} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82324A1C-7B7E-4AB7-B1EC-428B74535B75} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {AEAFFEF8-20AB-4A1B-A37A-A7EF7196AD91} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {AEAFFEF8-20AB-4A1B-A37A-A7EF7196AD91} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B4F95D0F-B1E4-40AA-BDEA-122E15E850D8} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B4F95D0F-B1E4-40AA-BDEA-122E15E850D8} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E63E1D0F-C042-4005-9416-2FB9888C2F54} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E63E1D0F-C042-4005-9416-2FB9888C2F54} - C:\WINDOWS\System32\wldr.dll (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {103DFAE7-50CC-41FC-9D57-1A4BCA0DFD87} (Upload Control) - https://img.web.de/v/mail/mms/activex/mms_upload_1104.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05E0486E-EBBB-4D3E-B867-661C34C8DC13}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = pysnet.uni-hamburg.de
O17 - HKLM\System\CS1\Services\Tcpip\..\{05E0486E-EBBB-4D3E-B867-661C34C8DC13}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = pysnet.uni-hamburg.de
O17 - HKLM\System\CS2\Services\Tcpip\..\{05E0486E-EBBB-4D3E-B867-661C34C8DC13}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = pysnet.uni-hamburg.de
O20 - AppInit_DLLs: ,
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\GEMEIN~1\SONYSH~1\AVLib\Sptisrv.exe


ich kann damit leider nicht viel anfangen wenn jemand tips für mich hat bin ich sehr dankbar

und wenn dann noch jemand weis wie ich die svchost prozesse auf 3 reduzieren kann wäre das optimal