Red X / Start Page = http://www.newgenlook.info/ad/ad0278/
23.05.2005, 23:53
Honorary member
Posts: 29434

24.05.2005, 17:07
...new here
Posts: 5
#17
Thanks in advance!
Here is the log from DLL Compare!

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found "
________________________________________________
1.030 items found: 1.030 files, 0 directories.
Total of file sizes: 203.733.771 bytes 194,29 M
--------------------End log---------------------

And here is the log from mwav:

File C:\WINDOWS\System32\param32.dll tagged as "not-a-virus:AdWare.Serpo.k". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSOWS409.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSOWS407.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSONSEXT.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\RAGENT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BDEADE7A-C265-11D0-BCED-00A0C90AB50F}" refers to invalid object "C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\RAGENT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{27395F89-0C0C-101B-A3C9-08002B2F49FB}" refers to invalid object "F:\SAMPLER\PICCLP32.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "C:\WINDOWS\SYSTEM\disktool.dll". Action Taken: No Action Taken.
Entry "HKCR\ACDSee.PSD" refers to invalid object "{5F246A9A-A919-11d3-AB60-00C04FA3014E}". Action Taken: No Action Taken.
Entry "HKCR\Overview.Document" refers to invalid object "{DA23B9C9-6893-11D0-8534-00C04FD7AD0C}". Action Taken: No Action Taken.
File C:\WINDOWS\loadclean.exe infected by "Trojan-Downloader.Win32.Delf.cb" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\izxczxcr.exe infected by "Trojan-Downloader.Win32.Delf.lf" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\intrcxzcxzcon.exe infected by "Trojan-Downloader.Win32.Small.aut" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\intfsdffdsronsad.exe tagged as "not-a-virus:AdWare.ToolBar.ISearch.d". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\izxxzdsafsafczxcr.exe infected by "Trojan-Downloader.Win32.Small.aqt" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\us3432xzcb.exe infected by "Trojan.Win32.StartPage.yf" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\lpzxcz324534xct.exe infected by "Trojan.Win32.LowZones.y" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\izxczxcr.exe infected by "Trojan-Downloader.Win32.Delf.lf" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\intrcxzcxzcon.exe infected by "Trojan-Downloader.Win32.Small.aut" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\intfsdffdsronsad.exe tagged as "not-a-virus:AdWare.ToolBar.ISearch.d". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\izxxzdsafsafczxcr.exe infected by "Trojan-Downloader.Win32.Small.aqt" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\us3432xzcb.exe infected by "Trojan.Win32.StartPage.yf" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\lpzxcz324534xct.exe infected by "Trojan.Win32.LowZones.y" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\guninst.exe tagged as "not-a-virus:AdWare.Serpo.j". Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.ZeroedAndDeleted.Restart. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\msits.exe infected by "Trojan-Downloader.Win32.Delf.cb" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\loadclean.exe infected by "Trojan-Downloader.Win32.Delf.cb" Virus! Action Taken: No Action Taken.

24.05.2005, 17:15
Honorary member
Posts: 29434
#18
Hello @korano,
http://virus-protect.org/killbox.html
Delete with the Killbox:
C:\WINDOWS\loadclean.exe
C:\WINDOWS\System32\param32.dll
C:\WINDOWS\SYSTEM\izxczxcr.exe
C:\WINDOWS\SYSTEM\intrcxzcxzcon.exe
C:\WINDOWS\SYSTEM\intfsdffdsronsad.exe
C:\WINDOWS\SYSTEM\izxxzdsafsafczxcr.exe
C:\WINDOWS\SYSTEM\us3432xzcb.exe
C:\WINDOWS\SYSTEM\lpzxcz324534xct.exe
C:\WINDOWS\SYSTEM32\guninst.exe
C:\WINDOWS\Downloaded Program Files\msits.exe
Restart the PC.
Download Ad-aware SE Personal --> configure --> scan --> post the report
http://virus-protect.org/antispywaretools.html
+ post the new log from HijackThis
__________
Regards, Sabina
all about PC security

24.05.2005, 20:31
...new here
Posts: 5
#19
Seems to be gone, but here are the logs again anyway.

Ad-Aware SE Build 1.05
Logfile Created on:Dienstag, 24. Mai 2005 20:04:07
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R45 13.05.2005

References detected during the scan:
MRU List(TAC index:0):9 total references

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

24.05.05 20:04:07 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\doc find spec mru
Description : list of recently used search terms for locating files using the microsoft windows operating system

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run

MRU List Object Recognized!
Location: : .DEFAULT\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives

Listing running processes
#:1 [KERNEL32.DLL] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4293853799 Threads : 8 Priority : High FileVersion : 4.10.2222 ProductVersion : 4.10.2222 ProductName : Betriebssystem Microsoft(R) Windows(R) CompanyName : Microsoft Corporation FileDescription : Kernkomponente des Win32-Kernel InternalName : KERNEL32 LegalCopyright : Copyright (C) Microsoft Corp. 1991-1999 OriginalFilename : KERNEL32.DLL
#:2 [MSGSRV32.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294918535 Threads : 1 Priority : Normal FileVersion : 4.10.2222 ProductVersion : 4.10.2222 ProductName : Betriebssystem Microsoft(R) Windows(R) CompanyName : Microsoft Corporation FileDescription : Windows 32-Bit-VxD-Meldungsserver InternalName : MSGSRV32 LegalCopyright : Copyright (C) Microsoft Corp. 1992-1998 OriginalFilename : MSGSRV32.EXE
#:3 [MPREXE.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294921239 Threads : 1 Priority : Normal FileVersion : 4.10.1998 ProductVersion : 4.10.1998 ProductName : Microsoft(R) Windows(R) Operating System CompanyName : Microsoft Corporation FileDescription : WIN32 Network Interface Service Process InternalName : MPREXE LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998 OriginalFilename : MPREXE.EXE
#:4 [MDM.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294942287 Threads : 2 Priority : Normal FileVersion : 6.00.8149 ProductVersion : 6.00.8149 ProductName : Microsoft (R) Visual Studio CompanyName : Microsoft Corporation FileDescription : Machine Debug Manager InternalName : mdm.exe LegalCopyright : Copyright (C) Microsoft Corp. 1997-1998 OriginalFilename : mdm.exe
#:5 [MSTASK.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294848691 Threads : 2 Priority : Normal FileVersion : 4.71.1959.1 ProductVersion : 4.71.1959.1 ProductName : Taskplaner für Microsoft® Windows® CompanyName : Microsoft Corporation FileDescription : Taskplaner-Engine InternalName : TaskScheduler LegalCopyright : Copyright (C) Microsoft Corp. 1997 OriginalFilename : mstask.exe
#:6 [NPROTECT.EXE] FilePath : C:\PROGRAMME\NORTON UTILITIES\ ProcessID : 4294942359 Threads : 5 Priority : Normal FileVersion : 12.00.0.40 ProductVersion : 12.00.0.40 ProductName : Norton Utilities CompanyName : Symantec Corporation FileDescription : Norton Protection Status InternalName : NPROTECT LegalCopyright : Copyright (C) 1992-1999 Symantec Corporation LegalTrademarks : Norton Utilities OriginalFilename : NPROTECT.EXE
#:7 [PELMICED.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294964991 Threads : 1 Priority : Normal FileVersion : 1, 0, 3, 2 ProductVersion : 1.0.0.0 ProductName : MouseSuite 98 CompanyName : Primax Electronics Ltd. FileDescription : Mouse Suite 98 Daemon InternalName : pelmiced.exe LegalCopyright : Copyright (c) 1997, Primax Electronics Ltd. LegalTrademarks : Primax Electronics Ltd.
#:8 [mmtask.tsk] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294874111 Threads : 1 Priority : Normal FileVersion : 4.03.1998 ProductVersion : 4.03.1998 ProductName : Microsoft Windows CompanyName : Microsoft Corporation FileDescription : Multimedia background task support module InternalName : mmtask.tsk LegalCopyright : Copyright © Microsoft Corp. 1991-1998 OriginalFilename : mmtask.tsk
#:9 [EXPLORER.EXE] FilePath : C:\WINDOWS\ ProcessID : 4294872883 Threads : 7 Priority : Normal FileVersion : 4.72.3110.1 ProductVersion : 4.72.3110.1 ProductName : Betriebssystem Microsoft(R) Windows NT(R) CompanyName : Microsoft Corporation FileDescription : Windows-Explorer InternalName : explorer LegalCopyright : Copyright (C) Microsoft Corp. 1981-1997 OriginalFilename : EXPLORER.EXE
#:10 [TASKMON.EXE] FilePath : C:\WINDOWS\ ProcessID : 4294550319 Threads : 1 Priority : Normal FileVersion : 4.10.1998 ProductVersion : 4.10.1998 ProductName : Microsoft(R) Windows(R) Operating System CompanyName : Microsoft Corporation FileDescription : Task Monitor InternalName : TaskMon LegalCopyright : Copyright (C) Microsoft Corp. 1998 OriginalFilename : TASKMON.EXE
#:11 [SYSTRAY.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294552263 Threads : 3 Priority : Normal FileVersion : 4.10.2222 ProductVersion : 4.10.2222 ProductName : Betriebssystem Microsoft(R) Windows(R) CompanyName : Microsoft Corporation FileDescription : Systemanwendung für Taskleiste InternalName : SYSTRAY LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998 OriginalFilename : SYSTRAY.EXE
#:12 [ATIPTAAA.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294523103 Threads : 1 Priority : Normal FileVersion : 4.11.2428 ProductName : ATI Technologies, Inc. CompanyName : ATI Technologies, Inc. FileDescription : ATI Task Icon InternalName : ATIPDSXX LegalCopyright : Copyright © ATI Technologies Inc. 1998 OriginalFilename : ATIPTAXX.DLL
#:13 [STIMON.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294566899 Threads : 3 Priority : Normal FileVersion : 4.10.2222 ProductVersion : 4.10.2222 ProductName : Betriebssystem Microsoft(R) Windows(R) CompanyName : Microsoft Corporation FileDescription : Still Image Devices Monitor InternalName : STIMON LegalCopyright : Copyright (C) Microsoft Corp. 1996-1998 OriginalFilename : STIMON.EXE
#:14 [WCMDMGR.EXE] FilePath : C:\WINDOWS\WT\ ProcessID : 4294564947 Threads : 2 Priority : Idle FileVersion : 1.2.5.0 ProductVersion : 1.2.5.0 ProductName : WildTangent wcmdmgr CompanyName : WildTangent, Inc. FileDescription : wcmdmgr InternalName : wcmdmgr LegalCopyright : Copyright (C) WildTangent Inc. 1999-2000 LegalTrademarks : WildTangent, Inc. OriginalFilename : wcmdmgr.exe
#:15 [AVGCTRL.EXE] FilePath : C:\PROGRAMME\AVPERSONAL\ ProcessID : 4294454619 Threads : 3 Priority : Normal
#:16 [WLANCFG5.EXE] FilePath : C:\PROGRAMME\NETGEAR WG311V2 ADAPTER\ ProcessID : 4294471199 Threads : 1 Priority : Normal FileVersion : 1, 0, 1, 7 ProductVersion : 1, 0, 1, 7 ProductName : NetgearCUv2 Application FileDescription : NetgearCUv2 MFC Application InternalName : NETGEAR WG311 v2 Smart Configuration LegalCopyright : Copyright (C) 2003 OriginalFilename : NetgearCUv2.EXE
#:17 [WMIEXE.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294471451 Threads : 3 Priority : Normal FileVersion : 5.00.1755.1 ProductVersion : 5.00.1755.1 ProductName : Microsoft(R) Windows NT(R) Operating System CompanyName : Microsoft Corporation FileDescription : WMI service exe housing InternalName : wmiexe LegalCopyright : Copyright (C) Microsoft Corp. 1981-1998 OriginalFilename : wmiexe.exe
#:18 [DDHELP.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294445459 Threads : 3 Priority : Realtime FileVersion : 4.06.03.0518 ProductVersion : 4.06.03.0518 ProductName : Microsoft® DirectX for Windows® 95 and 98 CompanyName : Microsoft Corporation FileDescription : Microsoft DirectX Helper InternalName : ddhelp.exe LegalCopyright : Copyright © Microsoft Corp. 1994-1999 OriginalFilename : ddhelp.exe
#:19 [AD-AWARE.EXE] FilePath : C:\PROGRAMME\LAVASOFT\AD-AWARE SE PERSONAL\ ProcessID : 4294664327 Threads : 2 Priority : Normal FileVersion : 6.2.0.206 ProductVersion : VI.Second Edition ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved

Memory scan result:
New critical objects: 0
Objects found so far: 9

Started registry scan
Registry Scan result:
New critical objects: 0
Objects found so far: 9

Started deep registry scan
Deep registry scan result:
New critical objects: 0
Objects found so far: 9

Started Tracking Cookie scan
Tracking cookie scan result:
New critical objects: 0
Objects found so far: 9

Deep scanning and examining files (c
Disk Scan Result for c:\
New critical objects: 0
Objects found so far: 9

Deep scanning and examining files (d
Disk Scan Result for d:\
New critical objects: 0
Objects found so far: 9

Performing conditional scans...
Conditional scan result:
New critical objects: 0
Objects found so far: 9

20:14:07 Scan Complete

Summary Of This Scan
Total scanning time:00:10:00.280
Objects scanned:77318
Objects identified:0
Objects ignored:0
New critical objects:0

And here the one from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 20:35:28, on 24.05.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMME\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\WT\WCMDMGR.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMME\NETGEAR WG311V2 ADAPTER\WLANCFG5.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MP3-KAI\PROG\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von ONLINE TODAY
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAMME\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Programme\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Programme\Norton Utilities\NPROTECT.EXE
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Programme\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\PROGRAMME\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\PROGRAMME\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\PROGRAMME\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\PROGRAMME\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .pcg: C:\Programme\Internet Explorer\Plugins\nppcgplg.dll
O12 - Plugin for .pca: C:\PROGRA~1\INTERN~1\Plugins\nppcaplg.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)

24.05.2005, 22:59
Honorary member
Posts: 29434
#20
Fix with HijackThis:
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
Restart.
Please scan once more with eScan + report
+ do an online scan with Panda + report: http://virus-protect.org/onlinescan.html
__________
Regards, Sabina
all about PC security

26.05.2005, 13:08
...new here
Posts: 5
#21
I can't get O15 fixed with HijackThis!
Here is the log from eScan:

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSOWS409.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSOWS407.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSONSEXT.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\RAGENT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BDEADE7A-C265-11D0-BCED-00A0C90AB50F}" refers to invalid object "C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\RAGENT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{27395F89-0C0C-101B-A3C9-08002B2F49FB}" refers to invalid object "F:\SAMPLER\PICCLP32.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}" refers to invalid object "C:\WINDOWS\System32\param32.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "C:\WINDOWS\SYSTEM\disktool.dll". Action Taken: No Action Taken.
Entry "HKCR\ACDSee.PSD" refers to invalid object "{5F246A9A-A919-11d3-AB60-00C04FA3014E}". Action Taken: No Action Taken.
Entry "HKCR\Overview.Document" refers to invalid object "{DA23B9C9-6893-11D0-8534-00C04FD7AD0C}". Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.ZeroedAndDeleted.Restart. No Action Taken.
File C:\!Submit\loadclean.exe infected by "Trojan-Downloader.Win32.Delf.cb" Virus! Action Taken: No Action Taken.
File C:\!Submit\param32.dll tagged as "not-a-virus:AdWare.Serpo.k". Action Taken: No Action Taken.
File C:\!Submit\izxczxcr.exe infected by "Trojan-Downloader.Win32.Delf.lf" Virus! Action Taken: No Action Taken.
File C:\!Submit\intrcxzcxzcon.exe infected by "Trojan-Downloader.Win32.Small.aut" Virus! Action Taken: No Action Taken.
File C:\!Submit\intfsdffdsronsad.exe tagged as "not-a-virus:AdWare.ToolBar.ISearch.d". Action Taken: No Action Taken.
File C:\!Submit\izxxzdsafsafczxcr.exe infected by "Trojan-Downloader.Win32.Small.aqt" Virus! Action Taken: No Action Taken.
File C:\!Submit\us3432xzcb.exe infected by "Trojan.Win32.StartPage.yf" Virus! Action Taken: No Action Taken.
File C:\!Submit\lpzxcz324534xct.exe infected by "Trojan.Win32.LowZones.y" Virus! Action Taken: No Action Taken.
File C:\!Submit\guninst.exe tagged as "not-a-virus:AdWare.Serpo.j". Action Taken: No Action Taken.
File C:\!Submit\msits.exe infected by "Trojan-Downloader.Win32.Delf.cb" Virus! Action Taken: No Action Taken.

When I start Panda, my computer crashes!

26.05.2005, 13:13
Honorary member
Posts: 29434
#22
Go into the registry:
Start --> Run --> regedit
HKCR\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000} <--- delete with a right-click
HKEY_CLASSES_ROOT\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F} <--- delete with a right-click

Delete with the Killbox:
C:\!Submit\loadclean.exe
C:\WINDOWS\System32\param32.dll
C:\!Submit\param32.dll
C:\!Submit\izxczxcr.exe
C:\!Submit\intrcxzcxzcon.exe
C:\!Submit\intfsdffdsronsad.exe
C:\!Submit\izxxzdsafsafczxcr.exe
C:\!Submit\us3432xzcb.exe
C:\!Submit\lpzxcz324534xct.exe
C:\!Submit\guninst.exe
C:\!Submit\msits.exe
Restart the PC.

1. Open Notepad (Start -> Programs -> Accessories) and copy the contents of the following quote into the editor window. Then save the file on the desktop under the name DelDomains.inf using 'Save as'. Choose 'All files' as the file type. You should now find this file on the desktop.
2. Close Internet Explorer.
3. Right-click the file DelDomains.inf and then click 'Install'.
---------------------------------------------------------------------------------------------------------
[version]
signature="$CHICAGO$"

[DefaultInstall]
DelReg=DelTemps
AddReg=AddTemps

[DelTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

; Recreate the keys to avoid a restart
[AddTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
------------------------------------------------------------------------------------

1) Download remv3.zip: http://bilder.informationsarchiv.net/Nikitas_Tools/remv3.zip
2) Unpack it into the directory C:\WINDOWS\System32\ (it is important that it is in this directory!)
3) Start the computer in safe mode. http://www.tu-berlin.de/www/software/virus/savemode.shtml
4) Run the file rem.bat and let it scan.
5) Then start the computer in normal mode again.
6) Under C:\ there should now be files named log.txt and bad1.txt.
7) Select their contents and paste them here.
8) Create a current HijackThis log and post it together with the log.txt from rem.
If malware was removed, the files bad.reg and bad.zip should also have been created under C:\ in addition to log.txt. Please leave these files as they are for now, do not open them!
+ post the new log from HijackThis
__________
Regards, Sabina
all about PC security
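As an added example (my own code, not anything from this thread, from HijackThis or from the helper's tools), a small Python triage pass over HijackThis v1.99.1 entries like the ones posted above: it flags O15 Trusted Zone entries (the ones the poster could not fix), orphaned "(no file)" entries such as the O9 line, and R0/R1 start-page and O16 ActiveX entries that point at an external host. The sample log is constructed from lines in this thread; `triage_hijackthis`, `Finding` and `sections_by_severity` are names I chose.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample, assembled from HijackThis v1.99.1 lines posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 20:35:28, on 24.05.05
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von ONLINE TODAY
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0422/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O15"
    severity: str  # "high", "review" or "info"
    detail: str
    line: str


# Matches "R0 - ..." / "O15 - ..." entries; the header and the process list are skipped.
_ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
_URL_RE = re.compile(r"https?://\S+")


def _host(text: str) -> Optional[str]:
    """Hostname of the first http(s) URL in text, or None if there is none."""
    m = _URL_RE.search(text)
    return urlparse(m.group(0)).hostname if m else None


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Pick out the entries of a HijackThis log that deserve a closer look.

    O15        Trusted Zone entries: the host/IP gets IE's relaxed Trusted-sites settings.
    (no file)  orphaned entries whose target is gone; harmless and safe to fix.
    R0/R1      start/search page redirected to an external URL.
    O16        ActiveX controls installed from the web (DPF); check the source host.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        if section == "O15":
            findings.append(Finding(section, "high",
                "Trusted Zone entry: host gets IE Trusted-sites security settings", line))
        elif rest.endswith("(no file)"):
            findings.append(Finding(section, "info",
                "orphaned entry: target file is missing, safe to fix", line))
        elif section in ("R0", "R1"):
            host = _host(rest)
            if host:  # about:blank and plain text values are not flagged
                findings.append(Finding(section, "review",
                    f"start/search page set to external host {host}", line))
        elif section == "O16":
            findings.append(Finding(section, "review",
                f"ActiveX control downloaded from {_host(rest) or 'unknown host'}", line))
    return findings


def sections_by_severity(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group section codes by severity, e.g. {"high": ["O15", "O15"], ...}."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.severity, []).append(f.section)
    return grouped


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.detail}\n         {f.line}")
```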

27.05.2005, 13:08
...new here
Posts: 5
#23
Logfile of HijackThis v1.99.1
Scan saved at 13:12:03, on 27.05.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMME\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\WT\WCMDMGR.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMME\NETGEAR WG311V2 ADAPTER\WLANCFG5.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE
C:\MP3-KAI\PROG\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von ONLINE TODAY
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAMME\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Programme\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Programme\Norton Utilities\NPROTECT.EXE
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Programme\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\PROGRAMME\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\PROGRAMME\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\PROGRAMME\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\PROGRAMME\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O12 - Plugin for .pcg: C:\Programme\Internet Explorer\Plugins\nppcgplg.dll
O12 - Plugin for .pca: C:\PROGRA~1\INTERN~1\Plugins\nppcaplg.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

ECHO ist eingeschaltet (ON)
Checking for version 1 Files.......
"Files found"
---------------------------------------------------------------------
deleting files........
---------------------------------------------------------
"Files Not Deleted"
---------------------------------------------------------------------
Checking for version 2 files..........
Files Found
------------------------------------------------------------
deleting files........
---------------------------------------------------------
Files Not deleted
------------------------------------------------------------
Checking version 3 Files...................
Files Found ..................
----------------------------------------
Files not Deleted.............
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted..
Please Note that This might also list Legit Files, be careful while Deleting
-----------------------------------------------------------------
Finished

Neither bad1.txt, bad.reg nor bad.zip are present!

27.05.2005, 13:30
Honorary member
Posts: 29434
#24
Hello @korano,
it seems that everything is in order. All the best for you + your PC.
(P.S. you can scan once more with Panda and check whether the PC is clean.)
__________
Regards, Sabina
all about PC security

12.06.2005, 11:12
Member
Posts: 11
#25
Hello Sabina,
here is the log in question.

Logfile of HijackThis v1.99.1
Scan saved at 11:10:12, on 12.06.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\programme\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Programme\FRITZ!DSL\FritzDSL.exe
C:\Programme\Opera\Opera.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
D:\Internet\Tools\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0422/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O1 - Hosts: 1159680172 auto.search.msn.com
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\INTERNET\MESSEN~1\YAHOO\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\INTERNET\MESSEN~1\YAHOO\MESSEN~1\YPAGER.EXE
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{895ED79E-7318-45A0-80FA-7A0ADBA820BA}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{A69AFF8F-7B0B-4015-838F-246EB7F54203}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{B24038E9-0741-46BA-A524-7433B2E9DD14}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDB0FCFB-6D5C-498C-82B9-D542EC11011F}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS3\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

There, that's done :-) And now? :-)
Regards, Eddy
12.06.2005, 13:11
Honorary member
Posts: 29434
#26
Hello @Eddy72
In the log, one can only tell from the
Quote: O17 - HKLM\System\CS2\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
entries and the start pages that the PC is infected. We have to find the files, therefore:

silentrunners
http://www.silentrunners.org/sr_download.html
go to:
Quote: Click here to download a zip file.
Here is the explanation: http://www.silentrunners.org/sr_scriptuse.html
click: output file is in text format. --> double-click and the editor opens --> and post everything that is shown.

You may have to set up a new Internet connection after fixing these things and rebooting.

# open HijackThis -->> button "scan" -->> tick the boxes -->> button "Fix checked" -->> restart the PC

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0422/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O1 - Hosts: 1159680172 auto.search.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{895ED79E-7318-45A0-80FA-7A0ADBA820BA}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{A69AFF8F-7B0B-4015-838F-246EB7F54203}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{B24038E9-0741-46BA-A524-7433B2E9DD14}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDB0FCFB-6D5C-498C-82B9-D542EC11011F}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS3\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

Restart the PC

# New start page
Go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet files, click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings there, confirm with Yes if asked --> click Apply and finally OK, and set a new start page

HOSTFILE:
open HijackThis "Do a system scan only" --> Config --> Misc Tools --> Open Hosts file Manager --> delete line(s)
Delete everything, leave only:
127.0.0.1 localhost
delete:
1159680172 auto.search.msn.com

Download: rkfiles.zip
http://bilder.informationsarchiv.net/Nikitas_Tools/rkfiles.zip
--> unpack --> go into Safe Mode http://www.tu-berlin.de/www/software/virus/savemode.shtml --> double-click (run) --> rkfiles.bat --> wait until the DOS window closes ---> post C:\log.txt

Work through + post everything
http://virus-protect.org/L2mfix.html

Work through + post everything
http://virus-protect.org/escan.html
-------------------------------------------------------------------------------
INFO: ....is only for me, as a reference...
Red X/Start Page=http://www.newgenlook.info/ad/ad0278?
Adware:Adware/Hotoffers C:\WINNT\System32\param32.dll
Spyware:Spyware/Spyblocs C:\Dokumente und Einstellungen\user\Desktop\Remove Spyware.url

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM\azhTools.dll: OnCloseUpx!C
Files Found in all users startup Folder............
------------------------
C:\WINDOWS\SYSTEM\azhTools.dll: OnCloseUpx!C
Files Found in all users windows Folder............
------------------------
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [null data]
__________
Regards, Sabina
all about PC security
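The diagnosis above is done by eye: the O17 NameServer entries repeated on every interface and control set, the hijacked R0 start pages, and the odd hosts-file line. As an added example (not code from the thread, from HijackThis or from the helper), this Python script applies the same three checks to HijackThis log lines and also decodes the bare-integer hosts entry into dotted form; the sample lines reuse values from the log above, while the "expected DNS server" 192.0.2.53 is a documentation-range placeholder for the owner's real router or ISP resolver.

```python
"""Triage HijackThis log lines for the patterns pointed at in this thread:
hijacked IE start/search pages (R0/R1), hosts-file overrides (O1) and rogue
per-interface DNS servers (O17). Constructed example, not HijackThis code."""
import ipaddress
import re
from dataclasses import dataclass

# IE's own blank page. The helper still had these lines fixed as part of the
# cleanup, but on their own they are not evidence of a hijack.
BENIGN_PAGES = frozenset({"about:blank"})

R_LINE = re.compile(r"^R[01] - (?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
O1_LINE = re.compile(r"^O1 - Hosts: (?P<addr>\S+)\s+(?P<host>\S+)")
O17_LINE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str            # "start_page", "hosts" or "dns"
    line: str            # the log line that triggered the finding
    detail: str          # human-readable explanation
    servers: tuple = ()  # for "dns": the NameServer values not in the expected set


def decode_decimal_ip(text):
    """A hosts entry written as a bare integer is an IPv4 address in 32-bit
    decimal form; return it dotted, or None if the text is not such a number."""
    if not text.isdigit() or int(text) > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(int(text)))


def triage(log_lines, expected_dns, allowed_pages=frozenset()):
    """Walk the log once and return a list of Findings.

    expected_dns: DNS servers the owner actually configured (router or ISP);
    any other value in an O17 line is reported. allowed_pages: start pages the
    owner chose. Both are assumptions the caller supplies."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            value = m.group("value").strip()
            if value and value not in BENIGN_PAGES and value not in allowed_pages:
                findings.append(Finding("start_page", line, f"unexpected page: {value}"))
            continue
        m = O1_LINE.match(line)
        if m:
            addr, host = m.group("addr"), m.group("host")
            decoded = decode_decimal_ip(addr)
            if decoded is not None:
                findings.append(Finding("hosts", line,
                                        f"{host} -> {decoded} (address written as a decimal integer)"))
            elif addr != "127.0.0.1":
                findings.append(Finding("hosts", line, f"{host} -> {addr}"))
            continue
        m = O17_LINE.match(line)
        if m:
            servers = tuple(s.strip() for s in m.group("servers").split(","))
            rogue = tuple(s for s in servers if s not in expected_dns)
            if rogue:
                findings.append(Finding("dns", line,
                                        "unexpected NameServer: " + ",".join(rogue), rogue))
    return findings


def rogue_dns_counts(findings):
    """Count how many O17 lines carry each unexpected server. The same pair on
    every interface GUID and every control set (CCS, CS2, CS3), as in the log
    above, is the machine-wide DNS-hijack pattern rather than a stale setting."""
    counts = {}
    for f in findings:
        if f.kind == "dns":
            for s in f.servers:
                counts[s] = counts.get(s, 0) + 1
    return counts


# Constructed sample: a few lines in the shapes this thread's log shows.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0422/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
O1 - Hosts: 1159680172 auto.search.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
""".strip().splitlines()

# Placeholder (RFC 5737 documentation range) for the owner's real router/ISP DNS.
EXPECTED_DNS = frozenset({"192.0.2.53"})

if __name__ == "__main__":
    results = triage(SAMPLE_LOG, EXPECTED_DNS)
    for f in results:
        print(f"[{f.kind}] {f.detail}")
    print(rogue_dns_counts(results))
```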
16.06.2005, 20:06
Member
Posts: 11
#27
Hello Sabina,
the white X is gone. Even the stupid icons on the screen. Yay... What puzzles me is that I could not start silentrunner, and now I don't know whether everything is as it should be. I could not delete the hosts-file entry 1159680172auto.seasch.msn.com. Hm.?? And now? :-)
Regards, Eddy72
16.06.2005, 23:10
Honorary member
Posts: 29434
#28
Hello @Eddy72
Quote: HOSTFILE: why could you not delete that ?????

Download: rkfiles.zip
http://bilder.informationsarchiv.net/Nikitas_Tools/rkfiles.zip
--> unpack --> go into Safe Mode http://www.tu-berlin.de/www/software/virus/savemode.shtml --> double-click (run) --> rkfiles.bat --> wait until the DOS window closes ---> post C:\log.txt

Please post the new HijackThis log, but before that do this:
http://virus-protect.org/escan.html
and post everything
__________
Regards, Sabina
all about PC security
22.06.2005, 21:57
Member
Posts: 11
#29
Hello Sabina,
I hope you still remember... something is still on my computer.

Logfile of HijackThis v1.99.1
Scan saved at 21:44:43, on 22.06.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Programme\Babylon\Babylon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\programme\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MpfTray.exe
c:\programme\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Programme\FRITZ!DSL\FritzDSL.exe
C:\bases_x\mwavscan.com
C:\bases_x\kavss.exe
C:\Dokumente und Einstellungen\Casper\Eigene Dateien\Escan\eScanCheck110.exe
C:\Programme\Opera\Opera.exe
D:\Internet\Tools\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKCU\..\Run: [Babylon Translator] C:\Programme\Babylon\Babylon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\INTERNET\MESSEN~1\YAHOO\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\INTERNET\MESSEN~1\YAHOO\MESSEN~1\YPAGER.EXE
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{895ED79E-7318-45A0-80FA-7A0ADBA820BA}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{A69AFF8F-7B0B-4015-838F-246EB7F54203}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{B24038E9-0741-46BA-A524-7433B2E9DD14}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDB0FCFB-6D5C-498C-82B9-D542EC11011F}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS3\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

--------------------------------------------------
-------------------- INFECTED --------------------
--------------------------------------------------
1: Wed Jun 22 20:48:05 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
2: Wed Jun 22 20:51:12 2005 => File C:\WINNT\system32\audissrp.exe infected by "Trojan-Clicker.Win32.Agent.cn" Virus! Action Taken: No Action Taken.
3: Wed Jun 22 20:53:29 2005 => File C:\DOKUME~1\Casper\LOKALE~1\Temp\sysD401.tmp infected by "Trojan.Win32.Agent.do" Virus! Action Taken: No Action Taken.
4: Wed Jun 22 20:55:40 2005 => File C:\WINNT\system32\audissrp.exe infected by "Trojan-Clicker.Win32.Agent.cn" Virus! Action Taken: No Action Taken.
5: Wed Jun 22 21:07:23 2005 => File C:\Dokumente und Einstellungen\Casper\Lokale Einstellungen\Temp\sysD401.tmp infected by "Trojan.Win32.Agent.do" Virus! Action Taken: No Action Taken.
6: Wed Jun 22 21:19:57 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*

--------------------------------------------------
--------------------- TAGGED ---------------------
--------------------------------------------------
1: Wed Jun 22 20:50:58 2005 => File C:\WINNT\htpatch.exe tagged as not-a-virus:Tool.Win32.HTPatch.a. No Action Taken.
2: Wed Jun 22 20:51:02 2005 => File C:\WINNT\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
3: Wed Jun 22 20:51:36 2005 => File C:\WINNT\system32\fixmapirs.exe tagged as "not-a-virus:AdWare.FindSpy.a". Action Taken: No Action Taken.
4: Wed Jun 22 20:52:14 2005 => File C:\WINNT\system32\guninst.exe tagged as "not-a-virus:AdWare.Serpo.j". Action Taken: No Action Taken.
5: Wed Jun 22 20:56:04 2005 => File C:\WINNT\system32\fixmapirs.exe tagged as "not-a-virus:AdWare.FindSpy.a". Action Taken: No Action Taken.
6: Wed Jun 22 20:56:43 2005 => File C:\WINNT\system32\guninst.exe tagged as "not-a-virus:AdWare.Serpo.j". Action Taken: No Action Taken.
7: Wed Jun 22 21:02:42 2005 => File C:\WINNT\htpatch.exe tagged as not-a-virus:Tool.Win32.HTPatch.a. No Action Taken.
8: Wed Jun 22 21:06:42 2005 => File C:\WINNT\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
9: Wed Jun 22 21:32:12 2005 => File D:\Marcus\Startdisk\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
10: Wed Jun 22 21:32:16 2005 => File D:\Marcus\Transfer\Paket2\windvd_crack.exe tagged as not-a-virus:FalseAlarm.DrWeb.Backdoor.Theef.111. No Action Taken.
11: Wed Jun 22 21:32:30 2005 => File D:\Marcus\WinTV\w2kdrv311.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
12: Wed Jun 22 21:32:35 2005 => File D:\Marcus\start98.zip tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.

--------------------------------------------------
--------------------- ERRORS ---------------------
--------------------------------------------------
1: Wed Jun 22 20:47:51 2005 => ERROR!!! Invalid Entry System32\DRIVERS\cdawdm.sys in SYSTEM\CurrentControlSet\Services\cdawdm...
2: Wed Jun 22 20:47:53 2005 => ERROR!!! Invalid Entry \??\E:\INSTALL\GMSIPCI.SYS in SYSTEM\CurrentControlSet\Services\GMSIPCI...
3: Wed Jun 22 20:47:57 2005 => ERROR!!! Invalid Entry \??\E:\NTACCESS.sys in SYSTEM\CurrentControlSet\Services\NTACCESS...
4: Wed Jun 22 20:48:00 2005 => ERROR!!! Invalid Entry \??\E:\NTGLM7X.sys in SYSTEM\CurrentControlSet\Services\SetupNTGLM7X...
5: Wed Jun 22 20:50:04 2005 => Entry "HKCR\CLSID\{92FA2C24-253C-11d2-90FB-006008A1F441}" refers to invalid object "a3dapi.dll". Action Taken: No Action Taken.
6: Wed Jun 22 20:50:04 2005 => Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
7: Wed Jun 22 20:50:11 2005 => Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
8: Wed Jun 22 20:50:11 2005 => Entry "HKCR\BrowserEngine.FEBrowserEngine2" refers to invalid object "{2B2CC8B0-2DC0-48c6-B6FD-C07820A6477E}". Action Taken: No Action Taken.
9: Wed Jun 22 20:50:11 2005 => Entry "HKCR\BrowserEngine.FEBrowserEngine2.1" refers to invalid object "{2B2CC8B0-2DC0-48c6-B6FD-C07820A6477E}". Action Taken: No Action Taken.
10: Wed Jun 22 20:50:14 2005 => Entry "HKCR\Etcera.PluggableProtocol" refers to invalid object "{A479F961-CC9E-11D0-A220-000000000000}". Action Taken: No Action Taken.
11: Wed Jun 22 20:50:14 2005 => Entry "HKCR\Etcera.PluggableProtocol.1" refers to invalid object "{A479F961-CC9E-11D0-A220-000000000000}". Action Taken: No Action Taken.
12: Wed Jun 22 20:50:15 2005 => Entry "HKCR\IDMLibrary.nnprotocol" refers to invalid object "{03DD44A4-30AD-4CBB-BFAF-D65D3AB6FD2B}". Action Taken: No Action Taken.
13: Wed Jun 22 20:50:16 2005 => Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
14: Wed Jun 22 20:50:16 2005 => Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
15: Wed Jun 22 20:50:16 2005 => Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
16: Wed Jun 22 20:50:17 2005 => Entry "HKCR\Microsoft.DirectSoundCaptureAecDMO.1" refers to invalid object "{1C22C56D-9879-4F5B-A389-27996DDC2810}". Action Taken: No Action Taken.
17: Wed Jun 22 20:50:17 2005 => Entry "HKCR\Microsoft.DirectSoundCaptureAgcDMO.1" refers to invalid object "{950E55B9-877C-4C67-BE08-E47B5611130A}". Action Taken: No Action Taken.
18: Wed Jun 22 20:50:17 2005 => Entry "HKCR\Microsoft.DirectSoundCaptureNoiseSuppressDMO.1" refers to invalid object "{5AB0882E-7274-4516-877D-4EEE99BA4FD0}". Action Taken: No Action Taken.
19: Wed Jun 22 20:50:20 2005 => Entry "HKCR\QuickTime.QuickTime" refers to invalid object "{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}". Action Taken: No Action Taken.
20: Wed Jun 22 20:50:20 2005 => Entry "HKCR\QuickTime.QuickTime.4" refers to invalid object "{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}". Action Taken: No Action Taken.
21: Wed Jun 22 20:50:20 2005 => Entry "HKCR\SekureL0gin.SekureKontrol" refers to invalid object "{0F9B4CA4-A30F-480A-841D-69B45C50A8F8}". Action Taken: No Action Taken.
22: Wed Jun 22 20:50:21 2005 => Entry "HKCR\ToolBand.ToolBandObj" refers to invalid object "{08BEC6AA-49FC-4379-3587-4B21E286C19E}". Action Taken: No Action Taken.
23: Wed Jun 22 20:50:21 2005 => Entry "HKCR\ToolBand.ToolBandObj.1" refers to invalid object "{08BEC6AA-49FC-4379-3587-4B21E286C19E}". Action Taken: No Action Taken.
24: Wed Jun 22 21:02:13 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu6B.tmp\agentins.cab is Not Scanned
25: Wed Jun 22 21:02:13 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu6B.tmp\vsoins.cab is Not Scanned
26: Wed Jun 22 21:02:15 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu3D.tmp\agentins.cab is Not Scanned
27: Wed Jun 22 21:02:15 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu3D.tmp\vsoins.cab is Not Scanned
28: Wed Jun 22 21:02:16 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu3D.tmp\shared\agentcfg.cab is Not Scanned
29: Wed Jun 22 21:02:18 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu4C.tmp\agentins.cab is Not Scanned
30: Wed Jun 22 21:02:19 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu4C.tmp\vsoins.cab is Not Scanned
31: Wed Jun 22 21:02:20 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu4C.tmp\shared\agentcfg.cab is Not Scanned
32: Wed Jun 22 21:02:22 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu2D.tmp\agentins.cab is Not Scanned
33: Wed Jun 22 21:02:22 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu2D.tmp\vsoins.cab is Not Scanned
34: Wed Jun 22 21:02:24 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu2D.tmp\shared\agentcfg.cab is Not Scanned
35: Wed Jun 22 21:02:27 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu46.tmp\agentins.cab is Not Scanned
36: Wed Jun 22 21:02:27 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu46.tmp\vsoins.cab is Not Scanned
37: Wed Jun 22 21:02:29 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu4F.tmp\agentins.cab is Not Scanned
38: Wed Jun 22 21:02:29 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu4F.tmp\vsoins.cab is Not Scanned
39: Wed Jun 22 21:02:30 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu26.tmp\agentins.cab is Not Scanned
40: Wed Jun 22 21:02:30 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu26.tmp\vsoins.cab is Not Scanned
41: Wed Jun 22 21:02:31 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu30.tmp\agentins.cab is Not Scanned
42: Wed Jun 22 21:02:32 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu30.tmp\vsoins.cab is Not Scanned
43: Wed Jun 22 21:02:33 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu1E.tmp\agentins.cab is Not Scanned
44: Wed Jun 22 21:02:33 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu1E.tmp\vsoins.cab is Not Scanned
45: Wed Jun 22 21:02:35 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu4D.tmp\agentins.cab is Not Scanned
46: Wed Jun 22 21:02:35 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu4D.tmp\vsoins.cab is Not Scanned
47: Wed Jun 22 21:02:36 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu1.tmp\agentins.cab is Not Scanned
48: Wed Jun 22 21:02:36 2005 => Result: ERROR!!! File C:\WINNT\Temp\mcu1.tmp\vsoins.cab is Not Scanned
49: Wed Jun 22 21:20:09 2005 => Result: ERROR!!! File C:\Programme\McAfee QuickClean 4.01 Install\MSC\shared\agentcfg.cab is Not Scanned

--------------------------------------------------
-------- DATEIEN ZUM LÖSCHEN HINZUGEFÜGT ---------
--------------------------------------------------
1: C:\WINNT\htpatch.exe => tagged:Tool.Win32.HTPatch.a.
2: C:\WINNT\_MSRSTRT.EXE => tagged:Tool.Win32.Reboot.
3: C:\WINNT\system32\audissrp.exe => Trojan-Clicker.Win32.Agent.cn
4: C:\DOKUME~1\Casper\LOKALE~1\Temp\sysD401.tmp => Trojan.Win32.Agent.do
5: C:\Dokumente und Einstellungen\Casper\Lokale Einstellungen\Temp\sysD401.tmp => Trojan.Win32.Agent.do
6: D:\Marcus\Startdisk\EBD.CAB => tagged:Tool.DOS.Restart.
7: D:\Marcus\Transfer\Paket2\windvd_crack.exe => tagged:FalseAlarm.DrWeb.Backdoor.Theef.111.
8: D:\Marcus\WinTV\w2kdrv311.exe => tagged:Tool.Win32.Reboot.
9: D:\Marcus\start98.zip => tagged:Tool.DOS.Restart.

--------------------------------------------------
-------------------- Statistik -------------------
--------------------------------------------------
Wed Jun 22 21:33:15 2005 => Total Objects Scanned: 50618
Wed Jun 22 21:33:15 2005 => Total Virus(es) Found: 18
Wed Jun 22 21:33:16 2005 => Total Errors: 49
Wed Jun 22 21:33:16 2005 => Virus Database Date: 2005/06/22
Wed Jun 22 21:33:16 2005 => Virus Database Count: 135965

Not at all easy, all of this... Sabina, not bad...
Regards, Eddy72
22.06.2005, 23:41
Honorary member
Posts: 29434
#30
Hello @Eddy72
Go into the registry: Start --> Run --> regedit
Search + delete: Edit --> Find
SekureL0gin.SekureKontrol
{0F9B4CA4-A30F-480A-841D-69B45C50A8F8}
ToolBand.ToolBandObj
{08BEC6AA-49FC-4379-3587-4B21E286C19E}

Delete with the Killbox:
C:\WINNT\system32\guninst.exe
C:\Dokumente und Einstellungen\Casper\Lokale Einstellungen\Temp\sysD401.tmp
C:\WINNT\system32\fixmapirs.exe
C:\WINNT\system32\guninst.exe
C:\WINNT\system32\audissrp.exe

Fix with HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?iiehf
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O1 - Hosts: 1159680172 auto.search.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{895ED79E-7318-45A0-80FA-7A0ADBA820BA}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{A69AFF8F-7B0B-4015-838F-246EB7F54203}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{B24038E9-0741-46BA-A524-7433B2E9DD14}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDB0FCFB-6D5C-498C-82B9-D542EC11011F}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS3\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS3\Services\Tcpip\..\{330665B8-FAC5-415B-B704-1BD8FDD15412}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37

Restart the PC

Work through + post everything
http://virus-protect.org/L2mfix.html

Post the new HijackThis log
__________
Regards, Sabina
all about PC security
Please download DllCompare from here
http://www.atribune.org/downloads/DllCompare.exe
<click: Locate.com button.
When the scan has finished
<click: Compare button
<click: and create the log ---> please post
•eScan detection tool
eScan is available free of charge here under the name Free eScan Antivirus Toolkit Utility:
http://www.mwti.net/antivirus/free_utilities.asp
--> open mwav.exe --> tick all boxes --> scan --> click View Log --> click Edit --> type "infected"
and now copy out everything that is shown -->
__________
Regards, Sabina
all about PC security