Startseite ändert sich immer von alleine auf about:blank

#16 Hier die Ergebnisse von Virustotal:

C:\WINDOWS1\UNNMP.exe

Antivirus Version Update Result
AntiVir 6.32.0.3 09.16.2005 no virus found
Avast 4.6.695.0 09.16.2005 no virus found
AVG 718 09.16.2005 no virus found
Avira 6.32.0.3 09.16.2005 no virus found
BitDefender 7.2 09.17.2005 no virus found
CAT-QuickHeal 8.00 09.17.2005 no virus found
ClamAV devel-20050725 09.17.2005 no virus found
DrWeb 4.32b 09.17.2005 no virus found
eTrust-Iris 7.1.194.0 09.16.2005 no virus found
eTrust-Vet 11.9.1.0 09.16.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 no virus found
F-Prot 3.16c 09.16.2005 no virus found
Ikarus 0.2.59.0 09.16.2005 no virus found
Kaspersky 4.0.2.24 09.17.2005 no virus found
McAfee 4583 09.16.2005 no virus found
NOD32v2 1.1219 09.16.2005 no virus found
Norman 5.70.10 09.16.2005 no virus found
Panda 8.02.00 09.17.2005 no virus found
Sophos 3.97.0 09.17.2005 no virus found
Symantec 8.0 09.17.2005 no virus found
TheHacker 5.8.2.108 09.16.2005 no virus found
VBA32 3.10.4 09.16.2005 no virus found


C:\WINDOWS1\tuerkei.exe.exe

Antivirus Version Update Result
AntiVir 6.32.0.3 09.16.2005 DIAL/Generic
Avast 4.6.695.0 09.16.2005 no virus found
AVG 718 09.16.2005 Dialer.22.AQ
Avira 6.32.0.3 09.16.2005 DIAL/Generic
BitDefender 7.2 09.17.2005 no virus found
CAT-QuickHeal 8.00 09.17.2005 no virus found
ClamAV devel-20050725 09.17.2005 Dialer-203
DrWeb 4.32b 09.17.2005 no virus found
eTrust-Iris 7.1.194.0 09.16.2005 no virus found
eTrust-Vet 11.9.1.0 09.16.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 Dial/Platform.B
F-Prot 3.16c 09.16.2005 no virus found
Ikarus 0.2.59.0 09.16.2005 Dialer
Kaspersky 4.0.2.24 09.17.2005 not-a-virusorn-Dialer.Win32.Intexdial
McAfee 4583 09.16.2005 potentially unwanted program Dialer-192
NOD32v2 1.1219 09.16.2005 a variant of Win32/Dialer.StarDialer
Norman 5.70.10 09.16.2005 no virus found
Panda 8.02.00 09.17.2005 Dialer.Gen
Sophos 3.97.0 09.17.2005 Dial/Intex-B
Symantec 8.0 09.17.2005 no virus found
TheHacker 5.8.2.108 09.16.2005 no virus found
VBA32 3.10.4 09.16.2005 suspected of Porn-Dialer.MainpeanGmbH.Star.1


tuerkei.exe41.exe

Antivirus Version Update Result
AntiVir 6.32.0.3 09.16.2005 DIAL/Generic
Avast 4.6.695.0 09.16.2005 no virus found
AVG 718 09.16.2005 Dialer.22.AQ
Avira 6.32.0.3 09.16.2005 DIAL/Generic
BitDefender 7.2 09.17.2005 no virus found
CAT-QuickHeal 8.00 09.17.2005 no virus found
ClamAV devel-20050725 09.17.2005 Dialer-203
DrWeb 4.32b 09.17.2005 no virus found
eTrust-Iris 7.1.194.0 09.16.2005 no virus found
eTrust-Vet 11.9.1.0 09.16.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 Dial/Platform.B
F-Prot 3.16c 09.16.2005 no virus found
Ikarus 0.2.59.0 09.16.2005 Dialer
Kaspersky 4.0.2.24 09.17.2005 not-a-virusorn-Dialer.Win32.Intexdial
McAfee 4583 09.16.2005 potentially unwanted program Dialer-192
NOD32v2 1.1219 09.16.2005 a variant of Win32/Dialer.StarDialer
Norman 5.70.10 09.16.2005 no virus found
Panda 8.02.00 09.17.2005 Dialer.Gen
Sophos 3.97.0 09.17.2005 Dial/Intex-B
Symantec 8.0 09.17.2005 no virus found
TheHacker 5.8.2.108 09.16.2005 no virus found
VBA32 3.10.4 09.16.2005 suspected of Porn-Dialer.MainpeanGmbH.Star.1

#17 o.k. dann arbeite alles weitere ab und berichte
__________
MfG Sabina

rund um die PC-Sicherheit

#18 Ergebnis vom Silentrunner: (Ergebnisse von Virustotal sind in dem vorherigen Post)

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NBJ" = ""C:\Programme\Ahead\Nero BackItUp\nbj.exe"" ["Ahead Software AG"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"Dit" = "Dit.exe" ["ICSI Technology Ltd."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"ledpointer" = "CNYHKey.exe" ["Chicony"]
"Prism_Utility" = "Prismsta.exe" ["Intersil Americas Inc."]
"InstantAccess" = "C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h" [null data]
"RegisterDropHandler" = "C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [empty string]
"HotKey" = "C:\WINDOWS\Twain_32\FlatBed\HotKey.exe" ["Primax Electronics Ltd."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"InCD" = "C:\Programme\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"PCMService" = ""C:\Programme\Home Cinema\PowerCinema\PCMService.exe"" [empty string]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"PCSuiteTrayApplication" = "C:\Programme\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray" ["Nokia"]
"DataLayer" = "C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE" ["Nokia Mobile Phones Ltd."]
"AVSCHED32" = "C:\Programme\AVPersonal\AVSched32.EXE /min" ["H+BEDV Datentechnik GmbH"]
"AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -minimize" [file not found]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_03\bin\jusched.exe" ["Sun Microsystems, Inc."]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\ProgramFiles\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\ProgramFiles\Microsoft Office\Office\UNBIND.DLL" [MS]

#19 amadeus5000

mit der Killbox loeschen:

C:\WINDOWS\tuerkei.exe41.exe
C:\WINDOWS\tuerkei.exe.exe
C:\WINDOWS\radiofox.exe.exe
C:\WINDOWS\radiofox.exe41.exe

dann poste das Log vom Silentrunner noch mal komplett
__________
MfG Sabina

rund um die PC-Sicherheit

#20 Log vom Silentrunner:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NBJ" = ""C:\Programme\Ahead\Nero BackItUp\nbj.exe"" ["Ahead Software AG"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"Dit" = "Dit.exe" ["ICSI Technology Ltd."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"ledpointer" = "CNYHKey.exe" ["Chicony"]
"Prism_Utility" = "Prismsta.exe" ["Intersil Americas Inc."]
"InstantAccess" = "C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h" [null data]
"RegisterDropHandler" = "C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [empty string]
"HotKey" = "C:\WINDOWS\Twain_32\FlatBed\HotKey.exe" ["Primax Electronics Ltd."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"InCD" = "C:\Programme\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"PCMService" = ""C:\Programme\Home Cinema\PowerCinema\PCMService.exe"" [empty string]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"PCSuiteTrayApplication" = "C:\Programme\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray" ["Nokia"]
"DataLayer" = "C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE" ["Nokia Mobile Phones Ltd."]
"AVSCHED32" = "C:\Programme\AVPersonal\AVSched32.EXE /min" ["H+BEDV Datentechnik GmbH"]
"AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -minimize" [file not found]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_03\bin\jusched.exe" ["Sun Microsystems, Inc."]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\ProgramFiles\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\ProgramFiles\Microsoft Office\Office\UNBIND.DLL" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile"
-> {CLSID}\InProcServer32\(Default) = "C:\Private\Siemens_CF62\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile ContextMenuHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Private\Siemens_CF62\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile PropertySheetHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Private\Siemens_CF62\DES\DESShellExt.dll" ["Siemens AG"]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Eigene Telefone"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Shell" = "explorer.exe, msmsgs.exe" [MS], [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Thommes\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Startup items in "Thommes" & "All Users" startup folders:
---------------------------------------------------------

C:\Dokumente und Einstellungen\Thommes\Startmenü\Programme\Autostart
"Sélecteur de Fond d’Ecran" -> shortcut to: "C:\Programme\ffcc_wpc\wpc.exe" [null data]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{36ECAF82-3300-8F84-092E-AFF36D6C7040}\
"ButtonText" = "Run WinHTTrack"
"MenuText" = "Launch WinHTTrack"
"CLSIDExtension" = "{86529161-034E-4F8A-88D2-3C625E612E04}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinHTTrack\WinHTTrackIEBar.dll" [null data]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.pt.lu

Missing lines (compared with English-language version):
[Strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{855F3B16-6D32-4fe6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bonjour Service, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Computer, Inc."]
ClipInc 001, ClipInc001, "C:\PROGRA~1\TOBITC~1\Server\ClipInc-Server.exe 001" [null data]
Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
ewido security suite control, ewido security suite control, "C:\Programme\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido\security suite\ewidoguard.exe" ["ewido networks"]
InCD Helper, InCDsrv, "C:\Programme\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
iPodService, iPodService, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 178 seconds, including 14 seconds for message boxes)

Die soebengenannten Dateien habe ich mit der Killbox geloescht, warte noch auf das Ergebnis von Kaspersky

Und nachträglich der Log von Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 16:18:06, on 17.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\System32\Prismsta.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Winamp\winampa.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Programme\Java\jre1.5.0_03\bin\jusched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\PROGRA~1\TOBITC~1\Server\ClipInc-Server.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\AVPersonal\AVSched32.EXE
C:\Dokumente und Einstellungen\Thommes\Desktop\Hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.lu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pt.lu
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Prism_Utility] Prismsta.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\nbj.exe"
O4 - Startup: Sélecteur de Fond d’Ecran.lnk = C:\Programme\ffcc_wpc\wpc.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\programme\bonjour\mdnsnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pt.lu
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1805FC36-3A1C-421D-A115-CEA9CA759821}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1805FC36-3A1C-421D-A115-CEA9CA759821}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ClipInc 001 (ClipInc001) - Unknown owner - C:\PROGRA~1\TOBITC~1\Server\ClipInc-Server.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

So und noch der kapersky:

------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, September 17, 2005 17:40:21
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/09/2005
Kaspersky Anti-Virus database records: 140659
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 125510
Number of viruses found: 4
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 5110 sec

Infected Object Name - Virus Name
C:\Programme\AVPersonal\INFECTED\WININET.DLL.VIR Infected: Virus.Win32.Nsag.b
C:\System Volume Information\_restore{C0D98CBA-6672-47B1-9E43-2A9DE301BFBF}\RP246\A0081429.exe Infected: Trojan.Win32.Favadd.aj
C:\System Volume Information\_restore{C0D98CBA-6672-47B1-9E43-2A9DE301BFBF}\RP246\A0081438.exe Infected: Trojan-Downloader.Win32.Zlob.an
C:\System Volume Information\_restore{C0D98CBA-6672-47B1-9E43-2A9DE301BFBF}\RP247\A0081600.exe Infected: Trojan.Win32.Favadd.aj
C:\System Volume Information\_restore{C0D98CBA-6672-47B1-9E43-2A9DE301BFBF}\RP247\A0081606.exe Infected: Trojan-Downloader.Win32.Zlob.an
C:\System Volume Information\_restore{C0D98CBA-6672-47B1-9E43-2A9DE301BFBF}\RP247\A0082086.exe Infected: Trojan.Win32.Favadd.aj
C:\System Volume Information\_restore{C0D98CBA-6672-47B1-9E43-2A9DE301BFBF}\RP247\A0082103.exe Infected: Trojan-Downloader.Win32.Zlob.an
C:\WINDOWS\system32\clonzips.ssc/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i
C:\WINDOWS\system32\clonzips.ssc Infected: Email-Worm.Win32.Sober.i
C:\WINDOWS\system32\clsobern.isc Infected: Email-Worm.Win32.Sober.i
C:\WINDOWS\system32\nonzipsr.noz Infected: Email-Worm.Win32.Sober.i
C:\WINDOWS\system32\zippedsr.piz/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i
C:\WINDOWS\system32\zippedsr.piz Infected: Email-Worm.Win32.Sober.i

Scan process completed.

Das Volume....Trojanische Pferd meldet auch mein AntiVir, allerdings kann er sie nicht löschen, sitzen jetzt in Quarantäne...
Hoffe bloß es wird einfacher die zu löschen.

Und ich muß dir wirklich für deine Engelsgeduld und Hilfsbereitschaft danken..Gibt es nur noch selten heutzutage...Danke

#21 amadeus5000

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

PC neustarten

loesche mit der Killbox:

C:\WINDOWS\system32\msmsgs.exe
C:\WINDOWS\system32\disclogexpoler.exe
C:\WINDOWS\system32\winexerun.dal
C:\WINDOWS\system32\winroot64.dal
C:\WINDOWS\system32\sb2run.dii
C:\WINDOWS\system32\winmprot.dal
C:\WINDOWS\system32\winsend32.dal
C:\WINDOWS\system32\dgssxy.yoi
C:\WINDOWS\system32\cvqaikxt.apk
C:\WINDOWS\system32\sysmms32.lla
C:\WINDOWS\system32\Odin-Anon.Ger
C:\WINDOWS\system32\clonzips.ssc/message_text.txt .pif
C:\WINDOWS\system32\clonzips.ssc
C:\WINDOWS\system32\zippedsr.piz/message_text.txt .pif
C:\WINDOWS\system32\zippedsr.piz
C:\WINDOWS\system32\nonzipsr.noz
C:\WINDOWS\system32\clsobern.isc

PC neustarten

smitRem TOOL (Entfernungstool)
http://noahdfear.geekstogo.com/
öffne smitRem folder,Doppelklick: RunThis.bat
warte, bis der Scan beendet ist (der Bildschirm wird blau werden. das ist normal)
suche smitfiles.txt und poste die Textdatei in den Thread

Symantec /RemovaltoolW32.Sober.I@mm )-->scanne
http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.i@mm.html

Deaktivieren Wiederherstellung
«XP
Arbeitsplatz-->rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.

dann aktiviere sie wieder
__________
MfG Sabina

rund um die PC-Sicherheit

#22 amadeus5000

mal ueberpruefen lassen, ob das "boese" ist....(Virustotal

C:\s1l0.9f

25.12.2004 12:10 63 C:\s1l0.9d
25.12.2004 12:09 207 C:\s1l0.98
25.12.2004 12:09 250 C:\s1l0.97
25.12.2004 11:59 233 C:\s1l0.91
25.12.2004 11:26 328 C:\s1l0.2j
25.12.2004 11:05 122 C:\s1l0.1i

dann mache unbedingt die Windowsupdates...lade SP2
__________
MfG Sabina

rund um die PC-Sicherheit

#23 So hier die Smitfile:


smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!

Analyse von Virustotal:


s1l0.9f Date: 09/18/2005 11:00:27 (CET)
----
AntiVir 6.32.0.3/20050916 found nothing
Avast 4.6.695.0/20050916 found nothing
AVG 718/20050916 found nothing
Avira 6.32.0.3/20050916 found nothing
BitDefender 7.2/20050918 found nothing
CAT-QuickHeal 8.00/20050918 found nothing
ClamAV devel-20050725/20050917 found nothing
DrWeb 4.32b/20050917 found nothing
eTrust-Iris 7.1.194.0/20050916 found nothing
eTrust-Vet 11.9.1.0/20050916 found nothing
Fortinet 2.41.0.0/20050907 found nothing
F-Prot 3.16c/20050916 found nothing
Ikarus 0.2.59.0/20050916 found nothing
Kaspersky 4.0.2.24/20050918 found nothing
McAfee 4583/20050916 found nothing
NOD32v2 1.1219/20050916 found nothing
Norman 5.70.10/20050916 found nothing
Panda 8.02.00/20050917 found nothing
Sophos 3.97.0/20050917 found nothing
Symantec 8.0/20050917 found nothing
TheHacker 5.8.2.108/20050916 found nothing
VBA32 3.10.4/20050918 found nothing


s1l0.9d
Antivirus Version Update Result
AntiVir 6.32.0.3 09.16.2005 no virus found
Avast 4.6.695.0 09.16.2005 no virus found
AVG 718 09.16.2005 no virus found
Avira 6.32.0.3 09.16.2005 no virus found
BitDefender 7.2 09.18.2005 no virus found
CAT-QuickHeal 8.00 09.18.2005 no virus found
ClamAV devel-20050725 09.17.2005 no virus found
DrWeb 4.32b 09.17.2005 no virus found
eTrust-Iris 7.1.194.0 09.16.2005 no virus found
eTrust-Vet 11.9.1.0 09.16.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 no virus found
F-Prot 3.16c 09.16.2005 no virus found
Ikarus 0.2.59.0 09.16.2005 no virus found
Kaspersky 4.0.2.24 09.18.2005 no virus found
McAfee 4583 09.16.2005 no virus found
NOD32v2 1.1219 09.16.2005 no virus found
Norman 5.70.10 09.16.2005 no virus found
Panda 8.02.00 09.17.2005 no virus found
Sophos 3.97.0 09.17.2005 no virus found
Symantec 8.0 09.17.2005 no virus found
TheHacker 5.8.2.108 09.16.2005 no virus found
VBA32 3.10.4 09.18.2005 no virus found


s1l0.98
Antivirus Version Update Result
AntiVir 6.32.0.3 09.16.2005 no virus found
Avast 4.6.695.0 09.16.2005 no virus found
AVG 718 09.16.2005 no virus found
Avira 6.32.0.3 09.16.2005 no virus found
BitDefender 7.2 09.18.2005 no virus found
CAT-QuickHeal 8.00 09.18.2005 no virus found
ClamAV devel-20050725 09.17.2005 no virus found
DrWeb 4.32b 09.17.2005 no virus found
eTrust-Iris 7.1.194.0 09.16.2005 no virus found
eTrust-Vet 11.9.1.0 09.16.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 no virus found
F-Prot 3.16c 09.16.2005 no virus found
Ikarus 0.2.59.0 09.16.2005 no virus found
Kaspersky 4.0.2.24 09.18.2005 no virus found
McAfee 4583 09.16.2005 no virus found
NOD32v2 1.1219 09.16.2005 no virus found
Norman 5.70.10 09.16.2005 no virus found
Panda 8.02.00 09.17.2005 no virus found
Sophos 3.97.0 09.17.2005 no virus found
Symantec 8.0 09.17.2005 no virus found
TheHacker 5.8.2.108 09.16.2005 no virus found
VBA32 3.10.4 09.18.2005 no virus found


s1l0.97
Antivirus Version Update Result
AntiVir 6.32.0.3 09.16.2005 no virus found
Avast 4.6.695.0 09.16.2005 no virus found
AVG 718 09.16.2005 no virus found
Avira 6.32.0.3 09.16.2005 no virus found
BitDefender 7.2 09.18.2005 no virus found
CAT-QuickHeal 8.00 09.18.2005 no virus found
ClamAV devel-20050725 09.17.2005 no virus found
DrWeb 4.32b 09.17.2005 no virus found
eTrust-Iris 7.1.194.0 09.16.2005 no virus found
eTrust-Vet 11.9.1.0 09.16.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 no virus found
F-Prot 3.16c 09.16.2005 no virus found
Ikarus 0.2.59.0 09.16.2005 no virus found
Kaspersky 4.0.2.24 09.18.2005 no virus found
McAfee 4583 09.16.2005 no virus found
NOD32v2 1.1219 09.16.2005 no virus found
Norman 5.70.10 09.16.2005 no virus found
Panda 8.02.00 09.17.2005 no virus found
Sophos 3.97.0 09.17.2005 no virus found
Symantec 8.0 09.17.2005 no virus found
TheHacker 5.8.2.108 09.16.2005 no virus found
VBA32 3.10.4 09.18.2005 no virus found

s1l0.91
Antivirus Version Update Result
AntiVir 6.32.0.3 09.16.2005 no virus found
Avast 4.6.695.0 09.16.2005 no virus found
AVG 718 09.16.2005 no virus found
Avira 6.32.0.3 09.16.2005 no virus found
BitDefender 7.2 09.18.2005 no virus found
CAT-QuickHeal 8.00 09.18.2005 no virus found
ClamAV devel-20050725 09.17.2005 no virus found
DrWeb 4.32b 09.17.2005 no virus found
eTrust-Iris 7.1.194.0 09.16.2005 no virus found
eTrust-Vet 11.9.1.0 09.16.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 no virus found
F-Prot 3.16c 09.16.2005 no virus found
Ikarus 0.2.59.0 09.16.2005 no virus found
Kaspersky 4.0.2.24 09.18.2005 no virus found
McAfee 4583 09.16.2005 no virus found
NOD32v2 1.1219 09.16.2005 no virus found
Norman 5.70.10 09.16.2005 no virus found
Panda 8.02.00 09.17.2005 no virus found
Sophos 3.97.0 09.17.2005 no virus found
Symantec 8.0 09.17.2005 no virus found
TheHacker 5.8.2.108 09.16.2005 no virus found
VBA32 3.10.4 09.18.2005 no virus found


s1l0.2j
Antivirus Version Update Result
AntiVir 6.32.0.3 09.16.2005 no virus found
Avast 4.6.695.0 09.16.2005 no virus found
AVG 718 09.16.2005 no virus found
Avira 6.32.0.3 09.16.2005 no virus found
BitDefender 7.2 09.18.2005 no virus found
CAT-QuickHeal 8.00 09.18.2005 no virus found
ClamAV devel-20050725 09.17.2005 no virus found
DrWeb 4.32b 09.17.2005 no virus found
eTrust-Iris 7.1.194.0 09.16.2005 no virus found
eTrust-Vet 11.9.1.0 09.16.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 no virus found
F-Prot 3.16c 09.16.2005 no virus found
Ikarus 0.2.59.0 09.16.2005 no virus found
Kaspersky 4.0.2.24 09.18.2005 no virus found
McAfee 4583 09.16.2005 no virus found
NOD32v2 1.1219 09.16.2005 no virus found
Norman 5.70.10 09.16.2005 no virus found
Panda 8.02.00 09.17.2005 no virus found
Sophos 3.97.0 09.17.2005 no virus found
Symantec 8.0 09.17.2005 no virus found
TheHacker 5.8.2.108 09.16.2005 no virus found
VBA32 3.10.4 09.18.2005 no virus found


s1l0.1i
Antivirus Version Update Result
AntiVir 6.32.0.3 09.16.2005 no virus found
Avast 4.6.695.0 09.16.2005 no virus found
AVG 718 09.16.2005 no virus found
Avira 6.32.0.3 09.16.2005 no virus found
BitDefender 7.2 09.18.2005 no virus found
CAT-QuickHeal 8.00 09.18.2005 no virus found
ClamAV devel-20050725 09.17.2005 no virus found
DrWeb 4.32b 09.17.2005 no virus found
eTrust-Iris 7.1.194.0 09.16.2005 no virus found
eTrust-Vet 11.9.1.0 09.16.2005 no virus found
Fortinet 2.41.0.0 09.07.2005 no virus found
F-Prot 3.16c 09.16.2005 no virus found
Ikarus 0.2.59.0 09.16.2005 no virus found
Kaspersky 4.0.2.24 09.18.2005 no virus found
McAfee 4583 09.16.2005 no virus found
NOD32v2 1.1219 09.16.2005 no virus found
Norman 5.70.10 09.16.2005 no virus found
Panda 8.02.00 09.17.2005 no virus found
Sophos 3.97.0 09.17.2005 no virus found
Symantec 8.0 09.17.2005 no virus found
TheHacker 5.8.2.108 09.16.2005 no virus found
VBA32 3.10.4 09.18.2005 no virus found

Symantec hat nichts gefunden, installiere soeben SP2
Danke für deine unverzichtbare Hilfe!!! :o)

#24 Hallo@amadeus5000

nun, der Sober muesste nun geloescht sein, die Dialer auch und der ganze Rest an Malware.
SP2 ist eine gute Option

Alles Gute fuer dich + PC
__________
MfG Sabina

rund um die PC-Sicherheit

#25 Danke nochmal, erstaunlich wieviel man an Müll im PC wiederfindet!

#26 Hallo habe dasselbe Problem Für Ratschläge was ich löschen sol und vor allem wie wäre ich dankbar. Jan
hier mein logfile
Logfile of HijackThis v1.99.1
Scan saved at 15:08:47, on 09/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programme\Card Reader\shwicon.exe
D:\multimedia\Quicktime\qttask.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Steganos AntiSpyware 7\aspy7.exe
D:\tools\Spyware Doctor\swdoctor.exe
C:\Programme\AOL 9.0a\aoltray.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programme\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\tools\winrar\WinRAR.exe
C:\DOKUME~1\JK882E~1.HAS\LOKALE~1\Temp\RarExe04.f30\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\tools\norton\Norton Antivirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\tools\norton\Norton Antivirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ShowIcon_The Company_USB Storage Device Ver. 1.3] "C:\Programme\Card Reader\shwicon.exe" -t"The Company\USB Storage Device Ver. 1.3"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [dlexport] C:\Programme\Windows Media Player\dlexport.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\multimedia\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cbcf71cc1c2] C:\WINDOWS\System32\cbcf71cc1c2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AntiSpyware7] "C:\Programme\Steganos AntiSpyware 7\aspy7.exe" /0
O4 - HKCU\..\Run: [Spyware Doctor] "D:\tools\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [cbcf71cc1c2] C:\WINDOWS\System32\cbcf71cc1c2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.40noopt/SpySpotterCabInstall.cab
O23 - Service: WindowInstallSystem (cbcf71cc1c2svr) - Unknown owner - C:\WINDOWS\cbcf71cc1c2.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Unknown owner - D:\tools\norton\Norton Antivirus\navapsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe

#27 Hallo@jaka

CCleaner--> loesche alle *temp-Datein
http://virus-protect.org/temp.html

poste alle 4 Logs (mit pfadangabe)
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#28 Hallo Sabina habe die temp-Dateien gelöscht.

Wenn ich aber datfindbat doppelckicke öffnet sich hijackthis und nicht das notepad. Habe ich eine falsche Version? So komme ich jedenfalls nicht an die Logs ran. ????????

Danke erstmal für die Rückmeldung

#29 versuche es noch mal: (Erklaerung liegt bei )
http://virus-protect.org/virusprotect/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#30 Hey bin doch nicht doof. Hier die LOG Dateien von datfindbat

Datentr„ger in Laufwerk C: ist MAIN
Volumeseriennummer: 7D8F-961E

Verzeichnis von C:\WINDOWS\system32

09/21/2005 20:39 721.390 PerfStringBackup.INI
09/21/2005 20:39 48.156 perfc007.dat
09/21/2005 20:39 39.992 perfc009.dat
09/21/2005 20:39 316.594 perfh007.dat
09/21/2005 20:39 311.604 perfh009.dat
09/21/2005 11:57 2.262 wpa.dbl
08/29/2005 22:38 16.832 amcompat.tlb
08/29/2005 22:38 23.392 nscompat.tlb
08/23/2005 19:34 180.240 FNTCACHE.DAT
07/21/2005 00:07 0 kavsvc.dmp
07/21/2005 00:07 244 kavsvc.exception.log
07/19/2005 23:39 1.806 ModemLog_AVM ISDN FAX (G3).txt
07/19/2005 23:39 1.834 ModemLog_AVM ISDN Analog Modem (V.32bis).txt
07/19/2005 23:39 1.796 ModemLog_AVM ISDN BTX.txt
07/19/2005 23:39 1.816 ModemLog_AVM ISDN Custom Config.txt
07/19/2005 23:39 1.818 ModemLog_AVM ISDN Mailbox (X.75).txt


Datentr„ger in Laufwerk C: ist MAIN
Volumeseriennummer: 7D8F-961E

Verzeichnis von C:\DOKUME~1\JK882E~1.HAS\LOKALE~1\Temp

09/21/2005 19:58 16.384 Perflib_Perfdata_728.dat
09/21/2005 19:57 1.454 e1b13f08a.html
09/21/2005 19:56 0 c59b3463519.d46
09/15/2005 05:16 109 DFC5A2B2.TMP
4 Datei(en) 17.947 Bytes
0 Verzeichnis(se), 2.224.451.584 Bytes frei


Datentr„ger in Laufwerk C: ist MAIN
Volumeseriennummer: 7D8F-961E

Verzeichnis von C:\WINDOWS

09/21/2005 20:49 1.187 win.ini
09/21/2005 20:49 1.187 win.tmp
09/21/2005 20:40 53.695 iis6.log
09/21/2005 20:40 29.252 ocgen.log
09/21/2005 20:40 9.149 comsetup.log
09/21/2005 20:40 7.148 ntdtcsetup.log
09/21/2005 20:40 5.345 netfxocm.log
09/21/2005 20:40 1.433 ocmsn.log
09/21/2005 20:40 933 tabletoc.log
09/21/2005 20:40 1.814 msgsocm.log
09/21/2005 20:40 1.917 imsins.log
09/21/2005 20:40 17.331 tsoc.log
09/21/2005 20:40 24.496 FaxSetup.log
09/21/2005 20:40 12.704 msmqinst.log
09/21/2005 20:40 379 wsdu.log
09/21/2005 20:40 2.518 WINNT32.LOG
09/21/2005 20:40 964 UPGRADE.TXT
09/21/2005 20:39 54 setupact.log
09/21/2005 20:39 178 DHCPUPG.LOG
09/21/2005 20:39 4.566 imsins.BAK
09/21/2005 20:21 0 setuperr.log
09/21/2005 19:57 0 0.log
09/21/2005 19:56 159 wiadebug.log
09/21/2005 19:56 2.048 bootstat.dat
09/21/2005 17:29 50 wiaservc.log
09/21/2005 17:29 32.618 SchedLgU.Txt
09/16/2005 23:48 3.241 mozver.dat
09/16/2005 22:15 99.970 UninstallFirefox.exe
09/11/2005 15:32 633 aolback.exe.lnk
08/29/2005 22:37 316.640 WMSysPr9.prx
08/15/2005 14:05 306 mpsettings.ini

Datentr„ger in Laufwerk C: ist MAIN
Volumeseriennummer: 7D8F-961E

Verzeichnis von C:\

09/21/2005 20:53 0 sys.txt
09/21/2005 20:52 6.995 system.txt
09/21/2005 20:52 458 systemtemp.txt
09/21/2005 20:49 102.635 system32.txt
09/21/2005 19:56 402.653.184 pagefile.sys
09/21/2005 19:56 267.964.416 hiberfil.sys
09/21/2005 14:25 6 AVPCallback.log
09/21/2005 13:35 391 abc.lnk
09/17/2005 11:02 488 hpfr5550.xml
09/16/2005 22:12 397 vlist.log
09/11/2005 15:29 440 INSTALL.LOG
07/10/2005 18:50 189 w32_API.cab
05/09/2005 21:40 11.616 ascserv.log
05/09/2005 06:11 2.371 TDSLCheck.txt
01/31/2005 06:37 10.250 move_before.xml
01/31/2005 06:37 10.250 move_after.xml
01/21/2005 02:32 0 mssys.com
01/21/2005 02:32 0 q.exe
01/21/2005 02:32 0 m.exe
01/21/2005 02:32 0 ntldr.exe
01/21/2005 02:32 0 p.exe
01/21/2005 02:32 0 winspec.dat
01/21/2005 02:32 0 q250204.exe