So viele System Prozesse am laufen! |
||
---|---|---|
#0
| ||
15.04.2005, 06:59
Moderator
Beiträge: 6466 |
||
|
||
15.04.2005, 12:34
Ehrenmitglied
Beiträge: 29434 |
#17
Hallo@StreetDogg
Bequeme dich bitte und mache die WindowsUpdates (lade SP2) Fixe mit dem HijackThis: O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) neustarten %ProgramFiles%\WinPcap\rpcapd.ini<--loeschen •Online-Scann (Panda) http://www.pandasoftware.com/activescan/com/activescan_principal.htm •Online-Scann <f-secure< http://support.f-secure.com/enu/home/ols.shtml berichte von den Onlinescanns. deinstalliere den Antivirus/free Lade Avast/Home (nach der installation akzeptiere, dass ein Boots-Scan durchgefuehrt wird) Berichte bitte von dem Scann http://www.avast.com/eng/avast_4_home.html __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
16.04.2005, 18:23
...neu hier
Themenstarter Beiträge: 10 |
#18
So habe das AntiVirus laufen laasen und hier das ergebniss:
http://www.picupload.net/image/8dc6f8a04be1e45d4604fcd32.jpg aber nachdem ich die neuen Updates gemacht habe und das AntiVirus durchlaufen gelassen habe sind wieder ein Parr Prosesse dazu gekommen. Hier das log von hijackthis: Logfile of HijackThis v1.99.1 Scan saved at 18:01:12, on 16.04.2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\System32\ctfmon.exe C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe D:\Programme\Alwil Software\Avast4\aswUpdSv.exe D:\Programme\Alwil Software\Avast4\ashServ.exe C:\Programme\AVPersonal\AVWUPSRV.EXE C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe C:\WINDOWS\System32\GEARSec.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe C:\Programme\Symantec\Ghost\ngserver.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\wanmpsvc.exe C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe C:\Programme\Symantec\Ghost\bin\dbserv.exe C:\Programme\Symantec\Ghost\bin\rteng6.exe D:\Programme\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\imapi.exe D:\Programme\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\explorer.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\taskmgr.exe C:\Dokumente und Einstellungen\Patrick\Desktop\Desktop\hijackthis\HijackThis.exe C:\teamspeak2_RC2\TeamSpeak.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Programme\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: avast! Antivirus - Unknown owner - D:\Programme\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - D:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - D:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe O23 - Service: SE Watch (cmpService) - Unknown owner - C:\WINDOWS\System32\NAFL900X.EXE (file missing) O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing) O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing) O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing) O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec New Zealand Limited - C:\Programme\Symantec\Ghost\bin\dbserv.exe O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec New Zealand Limited - C:\Programme\Symantec\Ghost\ngserver.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe Dieser Beitrag wurde am 16.04.2005 um 18:26 Uhr von StreetDogg editiert.
|
|
|
||
16.04.2005, 21:04
Ehrenmitglied
Beiträge: 29434 |
#19
Hallo@StreetDogg
nun deinstalliere alle Virenscanner, die du mittlerweile geladen hast und bleibe nur mit dem , der urspruenglich drauf war. dann vergiss nicht und lade: SP2 L2mfix 1. Laden Sie L2mfix von hier : 2. http://bilder.informationsarchiv.net/Nikitas_Tools/l2mfix.exe 3. Speichern Sie die Datei auf Ihren Desktop und doppel-klicken Sie click l2mfix.exe. 4. Klicken Sie auf Installieren um die Dateien zu extrahieren und folgen Sie den Anweisungen während der Installation. 5. Dann öffnen Sie den auf Ihrem Desktop neuerstellten Ordner l2mfix 6. Doppel-klicken Sie die Datei l2mfix.bat und tippen sie eine 1 und drücken Sie [Enter], um Find log laufen zu lassen. Dies wird Ihren Computer scannen. Es kann sein, das es so aussieht als ob nichts passiert, aber nach 1 oder 2 Minuten wird sich Notepad mit einem Log öffnen. 7. Kopieren Sie den Inhalt durch Strg+A und fügen Sie den Inhalt in Ihren Thread durch Strg+V...oder einfach mit der Maus abkopieren Wink WICHTIG:Nutzen Sie nicht Option 2, oder jegliche andere Dateien aus dem l2mfix Ordner, bis Sie dazu aufgefordert werden! 8. Schließen Sie alle offenen Programme , da der nächste Schritt einen Neustart erfordert. Klicken Sie erneut auf l2mfix.bat und tippen Sie 2 ein --> [Enter]. 9. Drücken Sie eine beliebige Taste um einen Systemneustart einzuleiten. 10. Nach dem Neustart, werden Ihre Icons auf dem Desktop kurz erscheinen und kurz verschwinden - dies ist NORMAL. 11. L2mfix wird den Systemscan fortsetzen und wenn es fertig ist, wird sich Notepad öffnen und einen Log anzeigen. Kopieren Sie auch diesen hier in den Thread rein (Strg+C & Strg+V). Posten Sie ausserdem einen aktuellen HijackThis Log. WICHTIG: Nutzen Sie nicht Option 2, oder jegliche andere Dateien aus dem l2mfix Ordner, bis Sie dazu aufgefordert werden! 12. Doppel-klicken Sie erneut auf l2mfix.bat und geben Sie 4 ein. Bestätigen Sie mit [Enter]. 13. Dies stellt die Winlogon Standardeinstellungen wieder her. 14. Posten Sie einen aktuellen HijackThis Log __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
17.04.2005, 19:48
...neu hier
Themenstarter Beiträge: 10 |
#20
Der erste Log:
L2MFIX find log 1.02b These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent] "DLLName"="Ati2evxx.dll" "Asynchronous"=dword:00000000 "Impersonate"=dword:00000001 "Lock"="AtiLockEvent" "Logoff"="AtiLogoffEvent" "Logon"="AtiLogonEvent" "Disconnect"="AtiDisConnectEvent" "Reconnect"="AtiReConnectEvent" "Safe"=dword:00000000 "Shutdown"="AtiShutdownEvent" "StartScreenSaver"="AtiStartScreenSaverEvent" "StartShell"="AtiStartShellEvent" "Startup"="AtiStartupEvent" "StopScreenSaver"="AtiStopScreenSaverEvent" "Unlock"="AtiUnLockEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..." "{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer" "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu" "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu" "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension" "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension" "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders" "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler" "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler" "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler" "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler" "{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension" "{E8D43C7E-EFA1-41A2-9AD9-0CFECD1678B7}"="SafeErase" "{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache" "{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper" "{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class" "{33D0B7CC-535E-4CD0-B33A-934372B1AEFD}"="WISE-FTP Verbindungen" "{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx" "{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt" "{04FCE839-A658-4E32-8C8D-8B012AFF78B1}"="SecretEXE Context" "{F802F260-519B-11D1-BB5D-0060974C6013}"="ICQ Shell Extension" "{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices" "{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu" "{E0D79304-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79305-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79306-84BE-11CE-9641-444553540000}"="WinZip" "{E0D79307-84BE-11CE-9641-444553540000}"="WinZip" @="" "{6af09ec9-b429-11d4-a1fb-0090960218cb}"="My Bluetooth Places" "{2F860D81-AF3C-11D4-BDB3-00E0987D8540}"="UltimateZip Shell Extension" "{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}"="My Logitech Pictures" "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"="TuneUp Shredder Shell Context Menu Extension" "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension" "{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler" "CLSID\\{EBDF1F20-C829-14D1-8234-1420AF3E97A9}"="LeechGet \"Copy Here\" Shell Extension" "{0E6C58A9-F592-4862-B35F-CA45E24003B3}"="CloneCD" "{F367BD78-D2B5-459A-B775-9C14E06FCC3D}"="Miranda Contact" "{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL" "{472083B0-C522-11CF-8763-00608CC02F24}"="avast" ********************************************************************************** HKEY ROOT CLASSIDS: ********************************************************************************** Files Found are not all bad files: C:\WINDOWS\SYSTEM32\ 83h5s6q.dll Fri 28 Jan 2005 21:26:54 A.... 13 0,01 K authz.dll Wed 2 Mar 2005 20:21:04 A.... 53.760 52,50 K browseui.dll Fri 18 Feb 2005 17:35:00 A.... 1.017.856 994,00 K cmdlin~1.dll Sat 16 Apr 2005 21:18:44 A.... 43.520 42,50 K commcoss.dll Fri 18 Mar 2005 16:17:08 A.... 413.696 404,00 K iepeers.dll Fri 18 Feb 2005 17:35:00 ..... 236.032 230,50 K mshtml.dll Thu 24 Feb 2005 14:02:00 A.... 2.811.904 2,68 M msi.dll Mon 21 Mar 2005 15:00:20 A.... 2.890.240 2,75 M msihnd.dll Mon 21 Mar 2005 15:00:22 A.... 271.360 265,00 K msimsg.dll Mon 21 Mar 2005 15:00:22 A.... 884.736 864,00 K msisip.dll Mon 21 Mar 2005 15:00:22 A.... 15.360 15,00 K msrating.dll Thu 24 Feb 2005 14:02:02 A.... 132.096 129,00 K msxml3a.dll Fri 18 Mar 2005 16:17:06 A.... 24.576 24,00 K nsb3d.dll Wed 30 Mar 2005 19:51:26 A.... 151.552 148,00 K nsf3a.dll Wed 30 Mar 2005 19:51:26 A.... 151.552 148,00 K nsgb6.dll Tue 5 Apr 2005 21:36:04 A.... 151.552 148,00 K rtneg2.dll Sat 19 Mar 2005 17:58:56 A.... 151.552 148,00 K rtneg3.dll Tue 22 Mar 2005 20:47:28 A.... 151.552 148,00 K shdocvw.dll Fri 18 Feb 2005 17:35:02 A.... 1.337.344 1,27 M shell32.dll Sat 12 Mar 2005 3:51:22 A.... 8.389.632 8,00 M spmsg.dll Thu 24 Feb 2005 19:34:56 ..... 15.584 15,22 K user32.dll Wed 2 Mar 2005 20:21:04 A.... 562.688 549,50 K wininet.dll Fri 18 Feb 2005 17:35:02 A.... 597.504 583,50 K winsrv.dll Wed 2 Mar 2005 20:21:04 A.... 278.016 271,50 K xpsp2res.dll Sat 12 Mar 2005 0:07:48 A.... 611.840 597,50 K 25 items found: 25 files, 0 directories. Total of file sizes: 21.345.517 bytes 20,36 M Locate .tmp files: No matches found. ********************************************************************************** Directory Listing of system files: Datentr„ger in Laufwerk C: ist Interne Festplatte Volumeseriennummer: 10A7-9050 Verzeichnis von C:\WINDOWS\System32 16.04.2005 17:55 <DIR> dllcache 01.04.2005 19:41 91.136 nulware.exe 28.01.2005 22:29 12.518 KGyGaAvL.sys 12.10.2004 13:28 7.168 Thumbs.db 17.04.2004 16:38 <DIR> Microsoft 3 Datei(en) 110.822 Bytes 2 Verzeichnis(se), 519.528.448 Bytes frei Der 2 Log: C:\ C:\ System Rebooted! Running From: C:\ killing explorer and rundll32.exe Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Killing PID 1000 'explorer.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Error, Cannot find a process with an image name of rundll32.exe Scanning First Pass. Please Wait! First Pass Completed Second Pass Scanning Second pass Completed! Zipping up files for submission: adding: clear.reg (188 bytes security) (deflated 2%) adding: synReal.ini (188 bytes security) (deflated 62%) adding: UT2004.ini (188 bytes security) (deflated 75%) adding: DebugLOG.txt adding: DMF2_WKLog.txt adding: DV.txt (188 bytes security) (deflated 61%) adding: lo2.txt (188 bytes security) (deflated 87%) adding: paklog.txt (188 bytes security) (deflated 88%) adding: test.txt (188 bytes security) (stored 0%) adding: test2.txt (188 bytes security) (stored 0%) adding: test3.txt (188 bytes security) (stored 0%) adding: test5.txt (188 bytes security) (stored 0%) Restoring Registry Permissions: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Revoking access for really "Everyone" Registry permissions set too: RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de) This program is Freeware, use it on your own risk! Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: (ID-NI) ALLOW Read VORDEFINIERT\Benutzer (ID-IO) ALLOW Read VORDEFINIERT\Benutzer (ID-NI) ALLOW Full access VORDEFINIERT\Administratoren (ID-IO) ALLOW Full access VORDEFINIERT\Administratoren (ID-NI) ALLOW Full access NT-AUTORITŽT\SYSTEM (ID-IO) ALLOW Full access NT-AUTORITŽT\SYSTEM (ID-IO) ALLOW Full access ERSTELLER-BESITZER Restoring Sedebugprivilege: Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332 The following Is the Current Export of the Winlogon notify key: **************************************************************************** Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent] "DLLName"="Ati2evxx.dll" "Asynchronous"=dword:00000000 "Impersonate"=dword:00000001 "Lock"="AtiLockEvent" "Logoff"="AtiLogoffEvent" "Logon"="AtiLogonEvent" "Disconnect"="AtiDisConnectEvent" "Reconnect"="AtiReConnectEvent" "Safe"=dword:00000000 "Shutdown"="AtiShutdownEvent" "StartScreenSaver"="AtiStartScreenSaverEvent" "StartShell"="AtiStartShellEvent" "Startup"="AtiStartupEvent" "StopScreenSaver"="AtiStopScreenSaverEvent" "Unlock"="AtiUnLockEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 The following are the files found: **************************************************************************** Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder. **************************************************************************** REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "SV1"="" **************************************************************************** Desktop.ini Contents: **************************************************************************** **************************************************************************** Der 3 Log: Logfile of HijackThis v1.99.1 Scan saved at 19:48:30, on 17.04.2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\System32\ctfmon.exe D:\Programme\Alwil Software\Avast4\aswUpdSv.exe C:\Programme\AVPersonal\AVWUPSRV.EXE C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe C:\WINDOWS\System32\GEARSec.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe C:\Programme\Symantec\Ghost\ngserver.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\wanmpsvc.exe C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe C:\Programme\Symantec\Ghost\bin\dbserv.exe C:\Programme\Symantec\Ghost\bin\rteng6.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\System32\taskmgr.exe C:\Programme\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Dokumente und Einstellungen\Patrick\Desktop\Desktop\hijackthis\HijackThis.exe C:\WINDOWS\system32\NOTEPAD.EXE O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Programme\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe O23 - Service: SE Watch (cmpService) - Unknown owner - C:\WINDOWS\System32\NAFL900X.EXE (file missing) O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing) O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing) O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing) O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec New Zealand Limited - C:\Programme\Symantec\Ghost\bin\dbserv.exe O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec New Zealand Limited - C:\Programme\Symantec\Ghost\ngserver.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe Dieser Beitrag wurde am 17.04.2005 um 19:49 Uhr von StreetDogg editiert.
|
|
|
||
18.04.2005, 11:32
Ehrenmitglied
Beiträge: 29434 |
#21
Hallo@StreetDogg
Fixe mit dem HijackTHis: O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Programme\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: SE Watch (cmpService) - Unknown owner - C:\WINDOWS\System32\NAFL900X.EXE (file missing) O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing) O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing) O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing) neustarten deinstalliere:McAfee + avast! stelle den Antivirus so ein, dass der Guard im Systemstart erscheint . (kleiner aufgespannter Regenschirm in der rechten Taskleiste) __________ MfG Sabina rund um die PC-Sicherheit |
|
|
||
Fast jede Software , die man heutzutage installiert, besitzt die Unart etwas in O4 - HKLM\..\Run: zu schreiben.
Von daher ist es kein Fehler das nach Installationen zu überprüfen.
__________
Durchsuchen --> Aussuchen --> Untersuchen