Black desktop after virus removal...

#0
12.06.2005, 12:27
...new here

Posts: 4
#31 Well, most of the R1 things (except the Aldi one) were strangely already gone ... I then fixed the Aldi one, and now the logfile looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 21:54:06, on 03.01.2003
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\system32\Prismsta.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Mousometer\mousometer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Basti\LOKALE~1\Temp\Rar$EX10.672\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.3000.1001\de\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.3000.1001\de\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Prism_Utility] Prismsta.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [mmtask] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [msnappau] "C:\Programme\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "d:\lalalala\steam.exe" -silent
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Mousometer.lnk = C:\Programme\Mousometer\mousometer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04a30f04300bfbf27206/netzip/RdxIE601_de.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe


That Silent Runners thing also worked ... here is the log:

"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Mozilla Quick Launch" = ""C:\Programme\Netscape\Netscape\Netscp.exe" -turbo" ["Mozilla, Netscape"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"STYLEXP" = "C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide" [file not found]
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"Steam" = ""d:\lalalala\steam.exe" -silent" ["Valve Corporation"]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"Dit" = "Dit.exe" ["ICSI Technology Ltd."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"ledpointer" = "CNYHKey.exe" ["Chicony"]
"Prism_Utility" = "Prismsta.exe" ["Intersil Americas Inc."]
"PCMService" = ""C:\Programme\Home Cinema\PowerCinema\PCMService.exe"" [empty string]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"mmtask" = "C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" ["TODO: <Company name>"]
"AVGCtrl" = "C:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]
"msnappau" = ""C:\Programme\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = "MSNToolBandBHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\MSN Apps\MSN Toolbar\01.02.3000.1001\de\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" [file not found]
"{15362FA5-C983-41ed-B7AC-5B9BEAF56929}" = "AOL"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\aolshare\shell\de\shellext.dll" ["America Online, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Startup items in "Basti" & "All Users" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\Basti\Startmenü\Programme\Autostart
"Mousometer" -> shortcut to: "C:\Programme\Mousometer\mousometer.exe" [null data]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {CLSID}\(Default) = "MSN"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\MSN Apps\MSN Toolbar\01.02.3000.1001\de\msntb.dll" [MS]

"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {CLSID}\(Default) = "ICQ Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {CLSID}\(Default) = "MSN"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\MSN Apps\MSN Toolbar\01.02.3000.1001\de\msntb.dll" [MS]

"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {CLSID}\(Default) = "ICQ Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
-> {CLSID}\(Default) = "Real.com"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, "C:\Programme\AVPersonal\AVGUARD.EXE" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

I still have a problem: after that sp.html restart my Internet Explorer didn't work anymore, luckily I still have Netscape ... did I do something wrong? ... whoever did that, bad, bad ...

Many thanks for the kind help,

Basti
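Comparing a fresh HijackThis log against the previous one ("most of the R1 things were already gone") is easier with the entries parsed into structure. The following is an added example written for this thread, not code from HijackThis or from any poster; the sample entries are copied from the log above, except the OLD_LOG R1 line, which is a constructed placeholder with an example.invalid URL.

```python
"""Parse HijackThis log entries and diff two logs (added example, not from HijackThis)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One HijackThis entry: "<code> - <body>", e.g. "O4 - HKLM\..\Run: [Dit] Dit.exe"
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# R0/R1/R2 registry-value entries: "<key>,<value> = <data>"
REG_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+)=\s*(?P<data>.*)$")
# O4 autostart entries: "<hive>\..\Run: [<name>] <command>"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<subkey>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# CLSID-bearing entries (R3, O2, O3, O9): "<kind>: <desc> - {<clsid>} - <path>"
CLSID_RE = re.compile(r"^(?P<kind>[^:]+): (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")


@dataclass(frozen=True)
class Entry:
    code: str                              # section code such as R0, O4, O23
    body: str                              # raw text after "<code> - "
    fields: Tuple[Tuple[str, str], ...]    # parsed sub-fields, sorted so the entry is hashable


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers, process lists and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group(1), m.group(2)
    fields: Dict[str, str] = {}
    if code in ("R0", "R1", "R2"):
        r = REG_RE.match(body)
        if r:
            fields = {k: v.strip() for k, v in r.groupdict().items()}
    elif code == "O4":
        r = RUN_RE.match(body)
        if r:
            fields = r.groupdict()
    else:
        r = CLSID_RE.match(body)
        if r:
            fields = r.groupdict()
            fields["clsid"] = fields["clsid"].upper()  # HijackThis mixes GUID case
    return Entry(code, body, tuple(sorted(fields.items())))


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def blank_start_pages(entries: List[Entry]) -> List[Entry]:
    """R0/R1 entries with empty data: no start/search page is set, which is the state
    left behind after a start-page entry was removed but no new page was configured."""
    return [e for e in entries if e.code in ("R0", "R1") and dict(e.fields).get("data") == ""]


def unqualified_autostarts(entries: List[Entry]) -> List[Entry]:
    """O4 Run entries whose command is a bare file name (e.g. [Dit] Dit.exe). These are
    resolved via the search path, so the log alone does not say which file is started."""
    out = []
    for e in entries:
        f = dict(e.fields)
        if e.code == "O4" and "cmd" in f and not re.match(r'^"?[A-Za-z]:\\', f["cmd"]):
            out.append(e)
    return out


def diff_logs(old: List[Entry], new: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """(removed, added) entries between two logs, ordered by section code."""
    old_set, new_set = set(old), set(new)
    key = lambda e: (e.code, e.body)
    return sorted(old_set - new_set, key=key), sorted(new_set - old_set, key=key)


# Sample entries taken from the log posted in this thread.
NEW_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
"""
# Constructed "previous" log: the same entries plus one placeholder R1 search-page entry.
OLD_LOG = NEW_LOG + r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://example.invalid/search" + "\n"

if __name__ == "__main__":
    new = parse_log(NEW_LOG)
    removed, added = diff_logs(parse_log(OLD_LOG), new)
    print("removed:", [e.body for e in removed], "added:", [e.body for e in added])
    print("blank start pages:", len(blank_start_pages(new)))
    print("unqualified O4:", [dict(e.fields)["name"] for e in unqualified_autostarts(new)])
```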
12.06.2005, 13:01
Honorary member
Avatar Sabina

Posts: 29434
#32 Hello @Ba.sti

CCleaner --> delete all *temp files (you don't need to tick the URLs, those are the favourites)
http://virus-protect.org/temp.html



#New start page
Go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet Files, click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings there, confirm with Yes if prompted --> click Apply and finally OK, and set a new start page

Please work through this and post everything:
http://virus-protect.org/escan.html
__________
Regards, Sabina

all about PC security
12.06.2005, 13:31
...new here

Posts: 4
#33 I have a problem: CCleaner deleted 2,005.085 MB ... (lol??), the 2nd time it deleted another 0.85 MB, but ... the history in Netscape is still there, I still can't open Internet Explorer ... so is CCleaner broken, or my PC? I'll do the other thing now ...

regards, basti

___________________________________________________________________
I'm slowly starting to dislike viruses

Edit: Internet Explorer works again, it was the start page: ??? then loads of squares and then ?? again had been set, now it works again
This post was edited on 12.06.2005 at 13:34 by Ba.sti.
12.06.2005, 13:35
Honorary member
Avatar Sabina

Posts: 29434
#34 Maybe scan again with the se.dll tool, then look for the log from the scan (or, if you can find it, the log from the 1st scan) and post it for me ;)
__________
Regards, Sabina

all about PC security
12.06.2005, 13:46
...new here

Posts: 4
#35 The se.dll tool was Silent Runners, right? The log would then be:

"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Mozilla Quick Launch" = ""C:\Programme\Netscape\Netscape\Netscp.exe" -turbo" ["Mozilla, Netscape"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"STYLEXP" = "C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide" [file not found]
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"Steam" = ""d:\lalalala\steam.exe" -silent" ["Valve Corporation"]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"Dit" = "Dit.exe" ["ICSI Technology Ltd."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"ledpointer" = "CNYHKey.exe" ["Chicony"]
"Prism_Utility" = "Prismsta.exe" ["Intersil Americas Inc."]
"PCMService" = ""C:\Programme\Home Cinema\PowerCinema\PCMService.exe"" [empty string]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"mmtask" = "C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" ["TODO: <Company name>"]
"AVGCtrl" = "C:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]
"msnappau" = ""C:\Programme\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = "MSNToolBandBHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\MSN Apps\MSN Toolbar\01.02.3000.1001\de\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" [file not found]
"{15362FA5-C983-41ed-B7AC-5B9BEAF56929}" = "AOL"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\aolshare\shell\de\shellext.dll" ["America Online, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Startup items in "Basti" & "All Users" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\Basti\Startmenü\Programme\Autostart
"Mousometer" -> shortcut to: "C:\Programme\Mousometer\mousometer.exe" [null data]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {CLSID}\(Default) = "MSN"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\MSN Apps\MSN Toolbar\01.02.3000.1001\de\msntb.dll" [MS]

"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {CLSID}\(Default) = "ICQ Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {CLSID}\(Default) = "MSN"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\MSN Apps\MSN Toolbar\01.02.3000.1001\de\msntb.dll" [MS]

"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {CLSID}\(Default) = "ICQ Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
-> {CLSID}\(Default) = "Real.com"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, "C:\Programme\AVPersonal\AVGUARD.EXE" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
Edit:

So ... here are the statistics of my first eScan:


--------------------------------------------------
-------------------- INFECTED --------------------
--------------------------------------------------

1: Fri Jan 03 04:27:59 2003 => File C:\WINDOWS\system32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: File Deleted.
2: Fri Jan 03 04:31:58 2003 => File C:\Dokumente und Einstellungen\Basti\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-1d01f676.zip infected by "Trojan-Downloader.Java.OpenStream.t" Virus. Action Taken: File Deleted.
3: Fri Jan 03 04:57:40 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temp\se.dll infected by "Trojan.Win32.StartPage.gv" Virus. Action Taken: File Deleted.
4: Fri Jan 03 04:58:51 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1R8GKDTO\main[1].htm infected by "Trojan-Clicker.HTML.IFrame.a" Virus. Action Taken: File Deleted.
5: Fri Jan 03 04:58:52 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1R8GKDTO\myform[1].php infected by "Trojan-Clicker.HTML.IFrame.a" Virus. Action Taken: File Deleted.
6: Fri Jan 03 04:59:00 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1R8GKDTO\tbd_web[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: File Renamed.
7: Fri Jan 03 04:59:00 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1R8GKDTO\tbd_web[2].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: File Renamed.
8: Fri Jan 03 04:59:03 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1R8GKDTO\ysb_prompt[1].php infected by "Trojan-Downloader.JS.IstBar.j" Virus. Action Taken: File Deleted.
9: Fri Jan 03 04:59:07 2003 => Scanning File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\4DQFCHYJ\infected6xz[1].gif [**]
10: Fri Jan 03 04:59:24 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FC7EILF3\main[2].htm infected by "Trojan-Clicker.HTML.IFrame.a" Virus. Action Taken: File Deleted.
11: Fri Jan 03 04:59:25 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FC7EILF3\myform[1].htm infected by "Trojan-Clicker.HTML.IFrame.a" Virus. Action Taken: File Deleted.
12: Fri Jan 03 04:59:37 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\T1MXJ0C3\in[1].htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
13: Fri Jan 03 04:59:53 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\YHHKSZD3\prompt[1].php infected by "Trojan-Downloader.JS.IstBar.j" Virus. Action Taken: File Deleted.
14: Fri Jan 03 04:59:58 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\YHHKSZD3\tbd_web[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: File Renamed.
15: Fri Jan 03 05:00:12 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZMQLOUE5\in[1].htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
16: Fri Jan 03 05:00:14 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZMQLOUE5\myform[1].htm infected by "Trojan-Clicker.HTML.IFrame.a" Virus. Action Taken: File Deleted.
17: Fri Jan 03 05:00:20 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZMQLOUE5\tab1[1].htm infected by "Trojan-Clicker.HTML.IFrame.a" Virus. Action Taken: File Deleted.
18: Fri Jan 03 05:00:22 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZMQLOUE5\ttt[1].exe infected by "Trojan-Dropper.Win32.Small.oy" Virus. Action Taken: File Deleted.
19: Fri Jan 03 05:00:23 2003 => File C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZMQLOUE5\wow[1].htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
20: Fri Jan 03 05:06:49 2003 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
21: Fri Jan 03 05:08:45 2003 => Scanning File C:\Programme\Blitz2DDemo\help\resources\samples\music\Warning_Infected!.mod
22: Fri Jan 03 06:08:32 2003 => Total Number of Disinfected Files: 0

--------------------------------------------------
--------------------- TAGGED ---------------------
--------------------------------------------------

***

--------------------------------------------------
--------------------- ERRORS ---------------------
--------------------------------------------------

1: Fri Jan 03 04:26:00 2003 => ERROR!!! Invalid Entry System32\Drivers\iiusbisp.sys in SYSTEM\CurrentControlSet\Services\IIUSBISP...
2: Fri Jan 03 05:40:25 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB824141$\user32.dll
3: Fri Jan 03 05:40:26 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe
4: Fri Jan 03 05:40:26 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll
5: Fri Jan 03 05:40:26 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll
6: Fri Jan 03 05:40:26 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\html32.cnv
7: Fri Jan 03 05:40:26 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\locator.exe
8: Fri Jan 03 05:40:26 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\magnify.exe
9: Fri Jan 03 05:40:26 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe
10: Fri Jan 03 05:40:26 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys
11: Fri Jan 03 05:40:26 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll
12: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\narrator.exe
13: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\newdev.dll
14: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll
15: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\osk.exe
16: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll
17: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys
18: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll
19: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll
20: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\srv.sys
21: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\user32.dll
22: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll
23: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll
24: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll
25: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826942$\ndis.sys
26: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys
27: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll
28: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll
29: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll
30: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB826942$\xpsp2res.dll
31: Fri Jan 03 05:40:27 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll
32: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll
33: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll
34: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll
35: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll
36: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll
37: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll
38: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\colbact.dll
39: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll
40: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe
41: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\comuid.dll
42: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\es.dll
43: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe
44: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll
45: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll
46: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll
47: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll
48: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll
49: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll
50: Fri Jan 03 05:40:28 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll
51: Fri Jan 03 05:40:29 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB828741$\txflog.dll
52: Fri Jan 03 05:40:29 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.exe
53: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\callcont.dll
54: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll
55: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\h323.tsp
56: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll
57: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe
58: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll
59: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll
60: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll
61: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll
62: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\msgina.dll
63: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\mst120.dll
64: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll
65: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll
66: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll
67: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\schannel.dll
68: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll
69: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\dao360.dll
70: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll
71: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll
72: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll
73: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll
74: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll
75: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll
76: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll
77: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll
78: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll
79: Fri Jan 03 05:40:31 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll
80: Fri Jan 03 05:40:32 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll
81: Fri Jan 03 05:40:32 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll
82: Fri Jan 03 05:40:32 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll
83: Fri Jan 03 05:40:32 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll
84: Fri Jan 03 05:40:32 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll
85: Fri Jan 03 05:40:32 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll
86: Fri Jan 03 05:40:32 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll
87: Fri Jan 03 05:40:32 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll
88: Fri Jan 03 05:40:33 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll
89: Fri Jan 03 05:40:33 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
90: Fri Jan 03 05:40:33 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll
91: Fri Jan 03 05:40:40 2003 => ERROR!!! ScanFile fails for C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx

--------------------------------------------------
-------- DATEIEN ZUM LÖSCHEN HINZUGEFÜGT ---------
--------------------------------------------------

1: C:\WINDOWS\system32\wldr.dll => Trojan-Downloader.Win32.Agent.le
2: C:\Dokumente und Einstellungen\Basti\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-1d01f676.zip => Trojan-Downloader.Java.OpenStream.t
3: C:\Dokumente und Einstellungen\Basti\Desktop\Verküpfungen\Rise of nation\imsdox-ron.exe => tagged:CrackTool.Win32.HotHook.
4: C:\Dokumente und Einstellungen\Basti\Eigene Dateien\lalal\Cs\hltv.exe => tagged:Server-Proxy.Win32.3proxy.Hltv.
5: C:\Dokumente und Einstellungen\Basti\Eigene Dateien\lalal\Cs\Quake 3\Check for Quake III Arena Updates.exe => tagged:Tool.Win32.Reboot.
6: C:\Dokumente und Einstellungen\Basti\Eigene Dateien\lalal\Sheep.exe => tagged:Effect.Win16.Sheep.
7: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temp\se.dll => Trojan.Win32.StartPage.gv
8: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1R8GKDTO\main[1].htm => Trojan-Clicker.HTML.IFrame.a
9: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1R8GKDTO\myform[1].php => Trojan-Clicker.HTML.IFrame.a
10: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1R8GKDTO\tbd_web[1].htm => Exploit.HTML.CodeBaseExec
11: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1R8GKDTO\tbd_web[2].htm => Exploit.HTML.CodeBaseExec
12: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\1R8GKDTO\ysb_prompt[1].php => Trojan-Downloader.JS.IstBar.j
13: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FC7EILF3\main[2].htm => Trojan-Clicker.HTML.IFrame.a
14: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FC7EILF3\myform[1].htm => Trojan-Clicker.HTML.IFrame.a
15: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\T1MXJ0C3\in[1].htm => Exploit.HTML.Mht
16: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\YHHKSZD3\prompt[1].php => Trojan-Downloader.JS.IstBar.j
17: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\YHHKSZD3\tbd_web[1].htm => Exploit.HTML.CodeBaseExec
18: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZMQLOUE5\in[1].htm => Exploit.HTML.Mht
19: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZMQLOUE5\myform[1].htm => Trojan-Clicker.HTML.IFrame.a
20: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZMQLOUE5\tab1[1].htm => Trojan-Clicker.HTML.IFrame.a
21: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZMQLOUE5\ttt[1].exe => Trojan-Dropper.Win32.Small.oy
22: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ZMQLOUE5\wow[1].htm => Exploit.HTML.Mht

--------------------------------------------------
-------------------- Statistik -------------------
--------------------------------------------------



Do I have to do it again now?
This post was edited on 12.06.2005 at 14:14 by Ba.sti.
12.06.2005, 14:14
Honorary member
Sabina

Posts: 29434
#36 Hijacker about:blank - se.dll\sp.html
http://www.trojaner-info.de/anleitungen/hijackthis/about_blank.html

I would like the log from this scan ;)

because the hijacker has not been deleted yet

Quote

7: C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temp\se.dll => Trojan.Win32.StartPage.gv
---------------------------

Trojan-Clicker.HTML.IFrame.a
delete

C:\Dokumente und Einstellungen\Basti\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ <--- empty everything (leave only index.dat)

then: restart the PC
then please scan once more with escan and post everything
__________
Regards, Sabina

all about PC security
29.08.2005, 17:46
Member

Posts: 20
#37 Hello, I have problems too... --> black screen with a "Warning" notice, and every now and then I get automatically kicked off the Internet...


Here is my HijackThis logfile

What can I do next to fix the problem?
Thanks in advance for the effort/help...


Logfile of HijackThis v1.99.1
Scan saved at 17:43:22, on 29.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\0900 Alarm\0900Alarm.exe
C:\WINDOWS\System32\intmonp.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\intmon.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\ArcorOnline\Arcor.exe
C:\Programme\Microsoft Office\Office\WINWORD.EXE
C:\Programme\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\SICHERHEIT\hijackthis_199_1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-control.com/srh/151/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-control.com/srh/151/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-control.com/srh/151/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-control.com/srh/151/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-control.com/srh/151/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-control.com/srh/151/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp8372.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StorageGuard] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Trojancheck 6 Guard] C:\Programme\SICHERHEIT\Trojancheck 6\tcguard.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LiveMonitor] C:\Programme\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [UIWatcher] C:\Programme\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
O4 - HKCU\..\Run: [0900 Alarm] C:\Programme\0900 Alarm\0900Alarm.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - Startup: 0900Alarm.exe.lnk = C:\Programme\0900 Alarm\0900Alarm.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Browser-Anpassung für Outpost Firewall - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra button: Connector - {FFB51760-344E-4FFB-BFFF-4B18C7AC1D63} - C:\WINDOWS\System32\Winx\SRS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\trash.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\trash.exe (file missing) (HKCU)
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/fotoalbum/activex/upload_11110.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.a99b.com/videochat.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCE5CFD3-FCE5-48BD-90CA-D7C26A44ACE5}: NameServer = 195.50.140.252 145.253.2.75
O20 - Winlogon Notify: style2 - C:\WINDOWS\q710406_disk.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
29.08.2005, 17:53
Honorary member
Sabina

Posts: 29434
#38 boris77

open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-control.com/srh/151/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-control.com/srh/151/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-control.com/srh/151/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-control.com/srh/151/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-control.com/srh/151/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-control.com/srh/151/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp8372.tmp
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O20 - Winlogon Notify: style2 - C:\WINDOWS\q710406_disk.dll

restart the PC

KillBox
http://bilder.informationsarchiv.net/Nikitas_Tools/KillBox.zip
Instructions (illustrated):
http://virus-protect.org/killbox.html

Delete File on Reboot (tick it)

C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\q710406_disk.dll
C:\WINDOWS\System32\hp8372.tmp
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe

and click the red cross;
when asked "Do you want to reboot?" ---- click "no" and paste in the next one; only on the last one click "yes"

Restart the PC

CCleaner --> delete all *temp files
http://virus-protect.org/temp.html



smitRem TOOL (removal tool)
http://noahdfear.geekstogo.com/

open the smitRem folder, double-click: RunThis.bat
wait until the scan has finished (the screen will turn blue; that is normal)
look for smitfiles.txt and post the text file in the thread

*reg file
at the top of the browser: File -- Save Page As.. -- choose "Desktop" -- save

http://www.bleepingcomputer.com/files/reg/smitfraud.reg

then a smitfraud.reg appears on the desktop

Restart the computer into Safe Mode (press F8 while starting). Double-click the file "smitfraud.reg" on the desktop and confirm with "yes" so that the reg file is merged into the registry, then restart the PC immediately

ClearProg.. download the newest version
http://virus-protect.org/temp.html

and clean the browser.
The program deletes the browsing traces of Internet Explorer from version 5.0, of Netscape/Mozilla and of Opera:
- history
- temporary Internet files (cache)
- URLs
- index.dat

Download Ewido from this page -- post me the scan report
http://virus-protect.org/ewido.html
+
#new start page
go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet Files, click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings there, confirm with Yes if asked --> click Apply and finally OK, and set a new start page

then also post the new HijackThis log

__________
Regards, Sabina

all about PC security
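An added triage helper, not part of the thread and not HijackThis's own code: it parses log lines in the format boris77 posted and flags the patterns Sabina ticked above (search/start pages on untrusted hosts, about:blank markers, extra executables in the system.ini Shell= line, a BHO loaded from a .tmp file, a Winlogon Notify DLL outside system32). The trusted-host list, the rules and the sample lines are constructed for this example; each hit still needs a human look before "Fix checked".

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: the pages this user set on purpose according to
# the log (ISP portal and google). Any other host in an R0/R1 line is suspect.
TRUSTED_HOSTS = {"www.arcor.de", "www.google.de"}

# "R1 - HKCU\...\Main,Search Page = http://..."  ->  kind="R1", body=rest
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+)\s+-\s+(?P<body>.*)$")


def host_of(value):
    """Lowercase host of an http(s) URL, or None for non-URL values."""
    value = value.strip()
    if not value.lower().startswith(("http://", "https://")):
        return None
    return (urlparse(value).hostname or "").lower() or None


def check_r(body):
    """R0/R1: IE start, search and local pages."""
    key, sep, value = body.partition(" = ")
    if not sep:
        return None                      # empty value, e.g. "Start Page ="
    value = value.strip()
    if value == "about:blank":
        return "about:blank set for %s (about:blank hijack marker)" % key.split(",")[-1]
    host = host_of(value)
    if host and host not in TRUSTED_HOSTS:
        return "start/search page points to untrusted host %s" % host
    return None


def check_f2(body):
    """F2: system.ini Shell= line; only explorer.exe belongs there."""
    m = re.search(r"Shell=(.*)$", body, re.IGNORECASE)
    if not m:
        return None
    parts = [p.strip().lower() for p in m.group(1).split(",") if p.strip()]
    extra = [p for p in parts if p != "explorer.exe"]
    if extra:
        return "extra shell executable(s) in system.ini Shell=: " + ", ".join(extra)
    return None


def check_o2(body):
    """O2: Browser Helper Objects; a legitimate BHO is a .dll, not a .tmp."""
    path = body.rsplit(" - ", 1)[-1].strip()
    if not path.lower().endswith(".dll"):
        return "BHO loaded from a non-DLL file: %s" % path
    return None


def check_o20(body):
    """O20: Winlogon Notify packages; genuine ones live in system32."""
    if not body.startswith("Winlogon Notify:"):
        return None
    path = body.rsplit(" - ", 1)[-1].strip()
    if "\\system32\\" not in path.lower():
        return "Winlogon Notify DLL outside system32: %s" % path
    return None


CHECKS = {"R0": check_r, "R1": check_r, "F2": check_f2,
          "O2": check_o2, "O20": check_o20}


def triage_log(text):
    """Return [(line, reason)] for every line one of the checks flags."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("kind"))
        if check is None:
            continue                     # O4/O9/O16 etc. need manual lookup
        reason = check(m.group("body"))
        if reason:
            hits.append((line, reason))
    return hits


# Constructed sample: a handful of lines copied from the log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-control.com/srh/151/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.google.de
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp8372.tmp
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O20 - Winlogon Notify: style2 - C:\WINDOWS\q710406_disk.dll
"""

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print("FIX? %-40s  %s" % (reason, line))
```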
29.08.2005, 22:27
Member

Posts: 20
#39 Hello Sabina,

attached is the SMITFILES.TXT file.

smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! ;)


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

wppp.html
intmonp.exe
ole32vbs.exe
hp***.tmp
intmon.exe
hhk.dll
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

sites.ini


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! ;) Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~
29.08.2005, 22:29
Honorary member
Sabina

Posts: 29434
#40 boris77

now work through everything else step by step ;)
__________
Regards, Sabina

all about PC security
29.08.2005, 23:33
Member

Posts: 20
#41 Hello Sabina,

here, finally, is the EWIDO scan report - after the cleanup was done...


---------------------------------------------------------
ewido security suite - Scan Report
---------------------------------------------------------

+ Erstellt am: 23:32:11, 29.08.2005
+ Report-Checksumme: 9424985

+ Scanergebnis:

HKLM\SOFTWARE\Classes\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000} -> Spyware.URLBlaze : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj -> Spyware.CoolWebSearch : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer -> Spyware.CoolWebSearch : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IELoaderCtl.IELoaderCtl -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Interface\{0F4A7B40-A295-11CF-A3A9-00A0C9034920} -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Interface\{20F13844-04BC-4987-9964-2502F0DA54D3} -> Spyware.PurityScan : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Interface\{3E43040C-73C1-4898-A4F8-E2C9428B1167} -> Spyware.PurityScan : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Interface\{B88A3AF1-4F1B-4400-8FFB-3FCB108CE115} -> Spyware.BlazeFind : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Interface\{C60BC918-ABBA-0704-0B53-2C8830E9FAEC} -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000} -> Spyware.WurldMedia : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Jao.jao -> Spyware.BlazeFind : Gesäubert mit Backup
HKLM\SOFTWARE\ClickSpring -> Spyware.PurityScan : Gesäubert mit Backup
HKLM\SOFTWARE\IntexusDial -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Gesäubert mit Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Yun -> Spyware.CoolWebSearch : Gesäubert mit Backup
HKU\S-1-5-21-3174505522-3035045854-1967465239-1005\Software\IST -> Spyware.ISTBar : Gesäubert mit Backup
HKU\S-1-5-21-3174505522-3035045854-1967465239-1005\Software\Microsoft\Windows\CurrentVersion\Yun -> Spyware.CoolWebSearch : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Boris\Cookies\boris@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Boris\Cookies\boris@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Gesäubert mit Backup
C:\Dokumente und Einstellungen\Boris\Cookies\boris@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Gesäubert mit Backup
C:\Programme\AVPersonal\INFECTED\QZUQPHF.EXE.VIR -> TrojanDownloader.PurityScan.d : Gesäubert mit Backup
C:\Programme\AVPersonal\INFECTED\qzuqphf.VIR -> TrojanDownloader.PurityScan.d : Gesäubert mit Backup
C:\Programme\SICHERHEIT\hijackthis_199_1\backups\backup-20050829-181441-211.dll -> Trojan.Puper.g : Gesäubert mit Backup
C:\WINDOWS\odbc.hta -> Spyware.Hijacker.Generic : Gesäubert mit Backup
C:\WINDOWS\odbs.log -> Spyware.Hijacker.Generic : Gesäubert mit Backup
C:\WINDOWS\system32\Winx\SRS.EXE -> Spyware.Hijacker.Generic : Gesäubert mit Backup
C:\WINDOWS\system32\Winx\SYS.EXE -> Spyware.Hijacker.Generic : Gesäubert mit Backup


::Report Ende






And here is the HIJACKTHIS logfile:



Logfile of HijackThis v1.99.1
Scan saved at 23:36:49, on 29.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Programme\AVPersonal\AVSched32.EXE
C:\Programme\SICHERHEIT\Trojancheck 6\tcguard.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Programme\MSI\Live Update 3\LMonitor.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
C:\WINDOWS\DitExp.exe
C:\Programme\0900 Alarm\0900Alarm.exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programme\ArcorOnline\Arcor.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\SICHERHEIT\hijackthis_199_1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de/content/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StorageGuard] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [Trojancheck 6 Guard] C:\Programme\SICHERHEIT\Trojancheck 6\tcguard.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LiveMonitor] C:\Programme\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [UIWatcher] C:\Programme\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
O4 - HKCU\..\Run: [0900 Alarm] C:\Programme\0900 Alarm\0900Alarm.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - Startup: 0900Alarm.exe.lnk = C:\Programme\0900 Alarm\0900Alarm.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Browser-Anpassung für Outpost Firewall - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra button: Connector - {FFB51760-344E-4FFB-BFFF-4B18C7AC1D63} - C:\WINDOWS\System32\Winx\SRS.EXE (file missing)
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\trash.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\trash.exe (file missing) (HKCU)
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/fotoalbum/activex/upload_11110.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.a99b.com/videochat.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCE5CFD3-FCE5-48BD-90CA-D7C26A44ACE5}: NameServer = 195.50.140.252 145.253.2.75
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe



And, do I need to do anything else? I hope not; on the other hand, with the help I've had so far ;-)
This post was edited by boris77 on 29.08.2005 at 23:40.
29.08.2005, 23:49
Honorary member
Sabina

Posts: 29434
#42 Hello @boris77

Fix with HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)

Restart the PC

Please work through this and post everything (with paths):
http://virus-protect.org/datfindbat.html

eScan, please work through it and post everything
+ the new HijackThis log
http://virus-protect.org/escan.html
__________
Regards, Sabina

all about PC security
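The fix list above follows from a few mechanical rules: an IE URL value pointing at a host the user never chose, a URLSearchHook with no file behind it, a default page blanked out. Here is that triage as a script, an added example that is not code from this thread or from HijackThis. The trusted hosts are the caller's assumption (arcor.de from the ISP homepage visible in the log, google.de from HomeOldSP), and SAMPLE_LOG is a constructed excerpt of the posted log. It goes one step beyond the list above by also pointing at O16 entries that pull down an .exe and at the O17 name servers, which are worth checking against the ISP's servers rather than fixing blindly.

```python
"""Triage a HijackThis 1.99 log: flag hijacked IE URLs, orphaned hooks and
executable ActiveX downloads, and turn the hits into a fix list.

Added example for this thread; it is not code from the forum or from HijackThis.
Assumptions (not in the original): the caller names the hosts the user
legitimately uses (here arcor.de, the ISP homepage in the log, and google.de,
the saved old start page); SAMPLE_LOG is a constructed excerpt of the log above.
"""
import re
from urllib.parse import urlparse

# Constructed excerpt of the posted log (not the complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de/content/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)
O9 - Extra button: Connector - {FFB51760-344E-4FFB-BFFF-4B18C7AC1D63} - C:\WINDOWS\System32\Winx\SRS.EXE (file missing)
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/fotoalbum/activex/upload_11110.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.a99b.com/videochat.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCE5CFD3-FCE5-48BD-90CA-D7C26A44ACE5}: NameServer = 195.50.140.252 145.253.2.75
"""

R_URL = re.compile(r"^(R[01]) - (HK\w+\\.+?),([^=]+?) = (.*)$")
R_HOOK = re.compile(r"^R3 - URLSearchHook: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O16_DPF = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) (?:\((.*?)\) )?- (\S+)$")
O17_DNS = re.compile(r"^O17 - .*NameServer = (.*)$")

# Reasons that translate into ticking the line in HijackThis. The others are
# review notes for the human: orphaned buttons are harmless leftovers, and
# name servers must be compared with the ISP's before touching them.
FIX_REASONS = {"hijacked-url", "default-page-blanked", "no-file-hook", "dpf-executable"}


def _host(url):
    """Hostname of a URL without a leading 'www.', or '' for non-URL values."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _trusted(host, trusted_hosts):
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def triage(log_text, trusted_hosts):
    """Return [(reason, log_line), ...] for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_URL.match(line)
        if m:
            value_name, value = m.group(3), m.group(4).strip()
            if value.lower() == "about:blank":
                # about:blank as the *default* page is the classic hijacker
                # leftover; as a user-chosen start page it is unremarkable.
                if "default" in value_name.lower():
                    findings.append(("default-page-blanked", line))
                continue
            host = _host(value)  # '' for values such as the window title
            if host and not _trusted(host, trusted_hosts):
                findings.append(("hijacked-url", line))
            continue
        m = R_HOOK.match(line)
        if m and m.group(3).strip().lower() == "(no file)":
            findings.append(("no-file-hook", line))
            continue
        m = O16_DPF.match(line)
        if m:
            if urlparse(m.group(3)).path.lower().endswith(".exe"):
                findings.append(("dpf-executable", line))
            continue
        m = O17_DNS.match(line)
        if m:
            findings.append(("verify-dns", line))
            continue
        if line.startswith("O9") and "(file missing)" in line:
            findings.append(("orphan-entry", line))
    return findings


def fix_list(findings):
    """The subset of flagged lines to tick in HijackThis and 'Fix checked'."""
    return [line for reason, line in findings if reason in FIX_REASONS]


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, {"arcor.de", "google.de"})
    for reason, line in hits:
        print(f"{reason:22} {line}")
    print("\nFix with HijackThis:")
    print("\n".join(fix_list(hits)))
```

Run against the excerpt, the fix list reproduces the six lines named above plus the O16 entry for videochat.exe; the O9 "(file missing)" button and the O17 name servers are reported but left for a human to judge.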
30.08.2005, 00:14
Member

Posts: 20
#43 Volume in drive C: is BOOT
Volume serial number: 48AC-4ADA

Directory of C:\WINDOWS\system32

29.08.2005 15:51 16.896 checkIn.dll
29.08.2005 15:00 766 spyware.ico
29.08.2005 15:00 4.286 spam.ico
29.08.2005 15:00 2.238 network.ico
28.08.2005 21:14 1.374 wpa.dbl
09.08.2005 11:24 493 WebPlayerInstaller.log
14.07.2005 21:07 16.832 amcompat.tlb
14.07.2005 21:07 23.392 nscompat.tlb
08.07.2005 11:53 366.510 perfh009.dat
08.07.2005 11:53 46.920 perfc009.dat
08.07.2005 11:53 398.034 perfh007.dat
08.07.2005 11:53 63.610 perfc007.dat
08.07.2005 11:53 884.724 PerfStringBackup.INI
07.05.2005 21:30 72.192 taskkill.exe
14.04.2005 19:01 8 ntP2.trk
12.03.2005 00:48 56.832 pxcpya64.exe
12.03.2005 00:48 109.568 pxinsi64.exe
12.03.2005 00:48 56.320 pxinsa64.exe
12.03.2005 00:48 61.440 pxhpinst.exe
12.03.2005 00:48 108.544 pxcpyi64.exe
12.03.2005 00:28 28.672 VXBLOCK.dll
12.03.2005 00:28 339.968 pxwave.dll
12.03.2005 00:28 405.504 pxdrv.dll
12.03.2005 00:28 172.032 pxmas.dll
12.03.2005 00:28 339.968 px.dll
27.01.2005 15:39 466.944 capicom.dll
26.01.2005 20:48 1.895 qtplugin.log
11.08.2004 20:45 228.352 wmerror.dll
11.08.2004 20:45 9.216 asferror.dll
11.08.2004 20:45 3.407.872 wmploc.dll
11.08.2004 20:45 86.016 wmpshell.dll
11.08.2004 20:45 311.808 MSWMDM.dll
11.08.2004 20:45 482.816 Audiodev.dll
11.08.2004 01:39 2.362.104 wmvcore.dll
11.08.2004 01:39 773.368 wmsdmod.dll
11.08.2004 01:38 871.160 wmvdmod.dll
11.08.2004 01:38 1.181.944 wmvadvd.dll
11.08.2004 01:38 531.192 wmspdmod.dll
11.08.2004 01:38 380.144 wmadmod.dll
11.08.2004 01:38 360.176 MSSCP.dll
11.08.2004 01:38 253.688 drmclien.dll
11.08.2004 01:37 290.816 WMDRMNet.dll
11.08.2004 01:37 344.064 WMDRMdev.dll
11.08.2004 01:36 527.360 drmv2clt.dll
11.08.2004 01:36 233.472 blackbox.dll
11.08.2004 01:36 95.232 drmstor.dll
11.08.2004 01:36 141.312 msnetobj.dll
11.08.2004 00:45 221.184 qasf.dll
11.08.2004 00:45 1.509.376 WMVADVE.DLL
11.08.2004 00:45 34.304 WMDMPS.dll
11.08.2004 00:45 30.208 WMDMLOG.dll
11.08.2004 00:45 25.088 MsPMSNSv.dll
11.08.2004 00:45 169.472 MsPMSP.dll
11.08.2004 00:45 282.624 wmpdxm.dll
11.08.2004 00:45 161.792 cewmdm.dll
11.08.2004 00:45 135.168 wmpasf.dll
11.08.2004 00:45 712.704 wmadmoe.dll
11.08.2004 00:45 999.424 wmvdmoe2.dll
11.08.2004 00:45 175.104 wmpsrcwp.dll
11.08.2004 00:45 1.589.760 wmpencen.dll
11.08.2004 00:45 1.116.160 wmsdmoe2.dll
11.08.2004 00:45 936.960 wmspdmoe.dll
11.08.2004 00:41 5.550.080 wmp.dll
11.08.2004 00:41 1.027.072 wmnetmgr.dll
11.08.2004 00:41 229.376 wmasf.dll
10.08.2004 22:07 150.016 wmidx.dll
10.08.2004 22:07 6.656 laprxy.dll
10.08.2004 22:05 38.912 wpd_ci.dll
10.08.2004 22:05 327.680 wpdsp.dll
10.08.2004 22:05 331.776 wpdmtpdr.dll
10.08.2004 22:05 114.176 wpdmtp.dll
10.08.2004 22:05 66.560 wpdmtpus.dll
10.08.2004 22:05 61.952 wpdconns.dll
10.08.2004 22:05 10.752 wpdtrace.dll
10.08.2004 22:05 47.104 uwdf.exe
10.08.2004 22:05 38.912 wdfmgr.exe
10.08.2004 22:05 15.872 wdfapi.dll
10.08.2004 21:52 360.448 l3codecp.acm
10.08.2004 21:52 20.480 wmpcd.dll
10.08.2004 21:52 20.480 wmpui.dll
10.08.2004 21:52 20.480 wmpcore.dll
10.08.2004 21:52 20.480 wmp.ocx
10.08.2004 21:46 96.768 logagent.exe
23.07.2004 16:09 13.368 FlashVxd.vxd



Volume in drive C: is BOOT
Volume serial number: 48AC-4ADA

Directory of C:\DOKUME~1\Boris\LOKALE~1\Temp

29.08.2005 22:40 16.384 ~DFDBB3.tmp
29.08.2005 22:32 534 pcf2.tmp
29.08.2005 22:29 534 pcf1.tmp
3 File(s) 17.452 bytes
0 Dir(s), 17.361.891.328 bytes free



Volume in drive C: is BOOT
Volume serial number: 48AC-4ADA

Directory of C:\WINDOWS

29.08.2005 22:38 0 0.log
29.08.2005 22:38 525 ODBC.INI
29.08.2005 22:38 4.210 ModemLog_Creatix V.9X DSP Data Fax Modem.txt
29.08.2005 22:38 49 transp.gif
29.08.2005 22:38 50 wiaservc.log
29.08.2005 22:38 157 wiadebug.log
29.08.2005 22:37 54.156 QTFont.qfn
29.08.2005 22:37 2.048 bootstat.dat
29.08.2005 22:36 105.272 ntbtlog.txt
29.08.2005 22:34 32.506 SchedLgU.Txt
29.08.2005 22:22 71.025 setupact.log
29.08.2005 22:22 0 setuperr.log
29.08.2005 16:40 1.593 uninstall.ini
29.08.2005 16:01 1.409 QTFont.for
29.08.2005 10:56 54.325 CDPLAYER.INI
29.08.2005 00:31 155 winamp.ini
25.08.2005 01:06 363.337 wmsetup.log
22.08.2005 23:43 20 SIERRA.INI
19.08.2005 12:01 1.023.471 setupapi.log
16.08.2005 19:49 228 MP32WAV.INI
17.07.2005 19:46 32 mscpt.dat



Volume in drive C: is BOOT
Volume serial number: 48AC-4ADA

Directory of C:\

30.08.2005 00:13 0 sys.txt
30.08.2005 00:12 9.812 system.txt
30.08.2005 00:11 375 systemtemp.txt
30.08.2005 00:11 97.679 system32.txt
29.08.2005 22:37 805.306.368 pagefile.sys
29.08.2005 22:29 1.526 smitfiles.txt
29.08.2005 18:09 488 hpfr5550.xml
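The listings above are what the datfind.bat step requested earlier produces: `dir` output sorted by date, so the helper can pick out what changed around the time the machine went bad. The script below does that sifting, as an added example that is not part of the original post or of datfind.bat. It assumes the German Windows XP `dir` format as posted (dd.mm.yyyy dates, sizes with '.' as thousands separator, the CP850 mojibake "Datentr„ger" in the volume line); the cut-off date is the caller's choice, and SAMPLE_LISTING is a constructed excerpt of the listings above.

```python
"""Sift German `dir` listings (datfind.bat output) for files changed close to
the infection date, and single out the ones Windows would load as code.

Added example for this thread; not part of the original post or of datfind.bat.
Assumptions (not in the original): German XP `dir` format as posted; the
cut-off date is chosen by the caller; SAMPLE_LISTING is a constructed excerpt.
"""
import re
from collections import namedtuple
from datetime import date

# Constructed excerpt of the listings posted above (not the complete output).
SAMPLE_LISTING = r"""
 Datentr„ger in Laufwerk C: ist BOOT
 Volumeseriennummer: 48AC-4ADA

 Verzeichnis von C:\WINDOWS\system32

29.08.2005 15:51 16.896 checkIn.dll
29.08.2005 15:00 766 spyware.ico
29.08.2005 15:00 4.286 spam.ico
29.08.2005 15:00 2.238 network.ico
28.08.2005 21:14 1.374 wpa.dbl
09.08.2005 11:24 493 WebPlayerInstaller.log
12.03.2005 00:48 56.832 pxcpya64.exe

 Datentr„ger in Laufwerk C: ist BOOT
 Volumeseriennummer: 48AC-4ADA

 Verzeichnis von C:\DOKUME~1\Boris\LOKALE~1\Temp

29.08.2005 22:40 16.384 ~DFDBB3.tmp
29.08.2005 22:32 534 pcf2.tmp
29.08.2005 22:29 534 pcf1.tmp
3 Datei(en) 17.452 Bytes
0 Verzeichnis(se), 17.361.891.328 Bytes frei
"""

Entry = namedtuple("Entry", "directory modified size name")

DIR_HEADER = re.compile(r"^\s*Verzeichnis von (.+?)\s*$")
# dd.mm.yyyy  hh:mm  size  name   (size uses '.' as thousands separator;
# <DIR> rows do not match and are skipped, as are the volume and totals lines)
FILE_LINE = re.compile(r"^(\d{2})\.(\d{2})\.(\d{4})\s+(\d{2}):(\d{2})\s+([\d.]+)\s+(.+?)\s*$")
# Extensions Windows loads or executes; everything else is data, icons or logs.
CODE_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".com", ".pif",
            ".cpl", ".drv", ".vxd", ".acm")


def parse_listing(text):
    """Turn concatenated dir output into Entry tuples, tracking the directory."""
    entries, current_dir = [], None
    for raw in text.splitlines():
        m = DIR_HEADER.match(raw)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_LINE.match(raw)
        if not m or current_dir is None:
            continue
        day, month, year, _hh, _mm, size, name = m.groups()
        entries.append(Entry(current_dir,
                             date(int(year), int(month), int(day)),
                             int(size.replace(".", "")),
                             name))
    return entries


def recent(entries, since):
    """Files modified on or after the cut-off date."""
    return [e for e in entries if e.modified >= since]


def code_files(entries):
    """Only the entries Windows would load as code."""
    return [e for e in entries if e.name.lower().endswith(CODE_EXT)]


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for e in recent(entries, date(2005, 8, 27)):
        tag = "CODE" if e in code_files([e]) else "data"
        print(f"{tag}  {e.modified}  {e.size:>10}  {e.directory}\\{e.name}")
```

With a cut-off of 27.08.2005 the excerpt yields eight recently changed files, of which only checkIn.dll is loadable code; the rest are icons, temp files and the activation database. That is the shortlist a helper looks at first, before the older px*.exe files which were already there months earlier.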
30.08.2005, 01:32
Honorary member
Sabina

Posts: 29434
#44 Hello @boris77

•KillBox
http://bilder.informationsarchiv.net/Nikitas_Tools/KillBox.zip
Instructions (illustrated):
http://virus-protect.org/killbox.html

•Delete File on Reboot <-- tick this

then click the red cross;
when asked "Do you want to reboot?" ----> click "no" and paste in the next one; only for the last one click "yes"

C:\WINDOWS\system32\spyware.ico
C:\WINDOWS\system32\spam.ico
C:\WINDOWS\system32\network.ico
C:\WINDOWS\system32\pxcpya64.exe
C:\WINDOWS\system32\pxwma.dll
C:\WINDOWS\system32\pxsfs.dll
C:\WINDOWS\system32\pxinsi64.exe
C:\WINDOWS\system32\pxinsa64.exe
C:\WINDOWS\system32\pxhpinst.exe
C:\WINDOWS\system32\pxcpyi64.exe

Restart the PC

#New start page
Go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet files, click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings, confirm with Yes if prompted --> click Apply and finally OK, and set a new start page

Then also post the new HijackThis log
+
eScan, please work through it and post everything
+ the new HijackThis log
http://virus-protect.org/escan.html
__________
Regards, Sabina

all about PC security
30.08.2005, 01:57
Member

Posts: 20
#45 So, the eScan has finally finished in the meantime, and I'll then get to what you "just" posted...

Here is the eScan result:


--------------------------------------------------
-------------------- INFECTED --------------------
--------------------------------------------------

1: Tue Aug 30 00:29:08 2005 => System found infected with alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
2: Tue Aug 30 00:29:08 2005 => System found infected with BDHelper Spyware/Adware ({ce7c3ce2-4b15-11d1-abed-709549c10000})! Action taken: No Action Taken.
3: Tue Aug 30 00:29:11 2005 => System found infected with Infotel srl Spyware/Adware ({ffff0003-0001-101a-a3c9-08002b2f49fb})! Action taken: No Action Taken.
4: Tue Aug 30 00:30:29 2005 => Offending file found: C:\WINDOWS\uninstall.ini
5: Tue Aug 30 00:30:29 2005 => System found infected with WhistleSoftware Spyware/Adware (uninstall.ini)! Action taken: No Action Taken.
6: Tue Aug 30 00:31:35 2005 => File C:\WINDOWS\System32\checkIn.dll infected by "Trojan.Win32.Dialer.ks" Virus! Action Taken: No Action Taken.
7: Tue Aug 30 01:07:38 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
8: Tue Aug 30 01:07:39 2005 => Scanning File C:\Programme\AVPersonal\INFECTED\LOAD[1].HTM.VIR [**]
9: Tue Aug 30 01:25:55 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077033.exe infected by "Trojan.Win32.Small.ev" Virus! Action Taken: No Action Taken.
10: Tue Aug 30 01:25:55 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077034.exe infected by "Trojan.Win32.Puper.au" Virus! Action Taken: No Action Taken.
11: Tue Aug 30 01:25:56 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077049.exe infected by "Trojan.Win32.Zapchast" Virus! Action Taken: No Action Taken.
12: Tue Aug 30 01:25:56 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077050.exe infected by "Trojan-Downloader.Win32.Small.air" Virus! Action Taken: No Action Taken.
13: Tue Aug 30 01:25:56 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077051.exe infected by "Trojan.Win32.Zapchast" Virus! Action Taken: No Action Taken.
14: Tue Aug 30 01:25:56 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077057.exe infected by "Trojan.Win32.Puper.au" Virus! Action Taken: No Action Taken.
15: Tue Aug 30 01:25:56 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077058.exe infected by "Trojan.Win32.Small.ev" Virus! Action Taken: No Action Taken.
16: Tue Aug 30 01:26:02 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077137.exe infected by "Trojan-Downloader.Win32.Small.bct" Virus! Action Taken: No Action Taken.
17: Tue Aug 30 01:26:02 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077138.exe infected by "Trojan.Win32.Small.ev" Virus! Action Taken: No Action Taken.
18: Tue Aug 30 01:26:02 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077139.exe infected by "Trojan.Win32.Puper.au" Virus! Action Taken: No Action Taken.
19: Tue Aug 30 01:26:02 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077144.exe infected by "Trojan.Win32.Puper.au" Virus! Action Taken: No Action Taken.
20: Tue Aug 30 01:26:02 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077155.exe infected by "Trojan.Win32.Small.ev" Virus! Action Taken: No Action Taken.
21: Tue Aug 30 01:26:09 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077211.dll infected by "Trojan.Win32.Small.ev" Virus! Action Taken: No Action Taken.
22: Tue Aug 30 01:26:09 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077227.dll infected by "Trojan-Downloader.Win32.Delf.lh" Virus! Action Taken: No Action Taken.
23: Tue Aug 30 01:26:10 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077233.exe infected by "Trojan.Win32.Puper.au" Virus! Action Taken: No Action Taken.
24: Tue Aug 30 01:26:51 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0078057.exe infected by "Trojan.Win32.Puper.au" Virus! Action Taken: No Action Taken.
25: Tue Aug 30 01:26:52 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0078071.old infected by "Virus.Win32.Nsag.b" Virus! Action Taken: No Action Taken.
26: Tue Aug 30 01:26:53 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0078117.hta infected by "Trojan.VBS.StartPage.x" Virus! Action Taken: No Action Taken.
27: Tue Aug 30 01:26:53 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0078118.EXE infected by "Trojan.Win32.StartPage.yn" Virus! Action Taken: No Action Taken.
28: Tue Aug 30 01:26:53 2005 => File C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0078119.EXE infected by "Trojan.Win32.StartPage.yn" Virus! Action Taken: No Action Taken.
29: Tue Aug 30 01:34:52 2005 => File C:\WINDOWS\system32\checkIn.dll infected by "Trojan.Win32.Dialer.ks" Virus! Action Taken: No Action Taken.

--------------------------------------------------
--------------------- ERRORS ---------------------
--------------------------------------------------

1: Tue Aug 30 00:27:50 2005 => ERROR!!! Invalid Entry {B212D577-05B7-4963-911E-4A8588160DFA} = C:\WINDOWS\q710406_disk.dll (in key Software\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler). No Action Taken.
2: Tue Aug 30 00:29:00 2005 => ERROR!!! Invalid Entry \??\C:\DOKUME~1\Boris\LOKALE~1\Temp\iMSPCLOj.sys in SYSTEM\CurrentControlSet\Services\iMSPCLOj...
3: Tue Aug 30 00:29:02 2005 => ERROR!!! Invalid Entry \??\C:\Programme\NewTech Infosystems\NTI CD-Maker 2000 Standard\NTIDrvr.sys in SYSTEM\CurrentControlSet\Services\NTIDrvr...
4: Tue Aug 30 00:30:43 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ieloader.dll". Action Taken: No Action Taken.
5: Tue Aug 30 00:30:47 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Drivers\Scanner\hpqgends.tmp". Action Taken: No Action Taken.
6: Tue Aug 30 00:30:48 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\pxsfs.dll". Action Taken: No Action Taken.
7: Tue Aug 30 00:30:48 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\movgear.exe" refers to invalid object "C:\Programme\GIF Movie Gear\moviegear.exe". Action Taken: No Action Taken.
8: Tue Aug 30 00:30:49 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\RecordNow\". Action Taken: No Action Taken.
9: Tue Aug 30 00:30:49 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\RecordNow\Media\". Action Taken: No Action Taken.
10: Tue Aug 30 00:30:49 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\RecordNow\System\". Action Taken: No Action Taken.
11: Tue Aug 30 00:30:49 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\RecordNow\Explain\". Action Taken: No Action Taken.
12: Tue Aug 30 00:30:49 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\RecordNow\". Action Taken: No Action Taken.
13: Tue Aug 30 00:30:49 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\WINDOWS\Installer\{8214CC02-6271-4DC8-B8DD-779933450264}\". Action Taken: No Action Taken.
14: Tue Aug 30 00:30:49 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Norton AntiVirus\". Action Taken: No Action Taken.
15: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".". Action Taken: No Action Taken.
16: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".000". Action Taken: No Action Taken.
17: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".001". Action Taken: No Action Taken.
18: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".002". Action Taken: No Action Taken.
19: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".abm". Action Taken: No Action Taken.
20: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".av". Action Taken: No Action Taken.
21: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bak". Action Taken: No Action Taken.
22: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bckp". Action Taken: No Action Taken.
23: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cfg". Action Taken: No Action Taken.
24: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cgi?action=". Action Taken: No Action Taken.
25: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cl3". Action Taken: No Action Taken.
26: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".clb". Action Taken: No Action Taken.
27: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cue". Action Taken: No Action Taken.
28: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".DIG". Action Taken: No Action Taken.
29: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".doc?Log=1". Action Taken: No Action Taken.
30: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".DSC". Action Taken: No Action Taken.
31: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".FEC". Action Taken: No Action Taken.
32: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".gpk". Action Taken: No Action Taken.
33: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".HDR". Action Taken: No Action Taken.
34: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".hzml". Action Taken: No Action Taken.
35: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".IE5". Action Taken: No Action Taken.
36: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".jnlp". Action Taken: No Action Taken.
37: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".jsp". Action Taken: No Action Taken.
38: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".MRK". Action Taken: No Action Taken.
39: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".Mtx". Action Taken: No Action Taken.
40: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ovw". Action Taken: No Action Taken.
41: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".PDL". Action Taken: No Action Taken.
42: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".php3?bname=newslettercontent&parent_id=567&parent_bname=newsletter&genre=All". Action Taken: No Action Taken.
43: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".php3?nlid=567&ktext=NEWSLETTER+01+%2F+2005". Action Taken: No Action Taken.
44: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pk". Action Taken: No Action Taken.
45: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".qfs". Action Taken: No Action Taken.
46: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sav". Action Taken: No Action Taken.
47: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".scn". Action Taken: No Action Taken.
48: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".set". Action Taken: No Action Taken.
49: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".simpatia". Action Taken: No Action Taken.
50: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".stb". Action Taken: No Action Taken.
51: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".TEM". Action Taken: No Action Taken.
52: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".TMP". Action Taken: No Action Taken.
53: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".torrent". Action Taken: No Action Taken.
54: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".VIR". Action Taken: No Action Taken.
55: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".viv". Action Taken: No Action Taken.
56: Tue Aug 30 00:30:49 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".VOB". Action Taken: No Action Taken.
57: Tue Aug 30 00:30:50 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".yst". Action Taken: No Action Taken.
58: Tue Aug 30 00:30:50 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".~av". Action Taken: No Action Taken.
59: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Adobe Acrobat 5.0". Action Taken: No Action Taken.
60: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Bundesliga Stars 2001". Action Taken: No Action Taken.
61: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Download-Central". Action Taken: No Action Taken.
62: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Football Game". Action Taken: No Action Taken.
63: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB823980". Action Taken: No Action Taken.
64: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB824105". Action Taken: No Action Taken.
65: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB824141". Action Taken: No Action Taken.
66: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB824146". Action Taken: No Action Taken.
67: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB828028". Action Taken: No Action Taken.
68: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NTI CD-Maker 2000 Standard". Action Taken: No Action Taken.
69: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q327979". Action Taken: No Action Taken.
70: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "q329256". Action Taken: No Action Taken.
71: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329909". Action Taken: No Action Taken.
72: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "q330638". Action Taken: No Action Taken.
73: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q331060". Action Taken: No Action Taken.
74: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q811789". Action Taken: No Action Taken.
75: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Silent-Bob 1.8". Action Taken: No Action Taken.
76: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Virtua Fighter PC". Action Taken: No Action Taken.
77: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Zak McKracken 2 ". Action Taken: No Action Taken.
78: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "ZoneAlarm". Action Taken: No Action Taken.
79: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{0A5B72C1-E598-445C-8EEE-BC7D517922C4}". Action Taken: No Action Taken.
80: Tue Aug 30 00:30:50 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{EDCD4CE3-DE92-49A9-87F9-FE09B2FBA16C}". Action Taken: No Action Taken.
81: Tue Aug 30 00:30:51 2005 => Entry "HKCR\CLSID\{15DC7116-E58E-4395-A45A-A1C99B17C030}" refers to invalid object "C:\Programme\PSGuard\WndSystem.dll". Action Taken: No Action Taken.
82: Tue Aug 30 00:30:51 2005 => Entry "HKCR\CLSID\{17E02586-A91D-4A9D-A74E-187B05DFFE6F}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
83: Tue Aug 30 00:30:51 2005 => Entry "HKCR\CLSID\{1BD98DFD-2DA9-4C54-85D7-BE03A0F9C487}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
84: Tue Aug 30 00:30:51 2005 => Entry "HKCR\CLSID\{1C94EA51-3800-4F08-B5DC-A5B67823FFEA}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
85: Tue Aug 30 00:30:51 2005 => Entry "HKCR\CLSID\{20D1AF34-6E19-42D8-AF9F-BDFBE45C2454}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
86: Tue Aug 30 00:30:51 2005 => Entry "HKCR\CLSID\{21E132C9-1F98-4151-BDAD-7D9B49C60A8E}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
87: Tue Aug 30 00:30:51 2005 => Entry "HKCR\CLSID\{23F7AD29-F51A-4BA1-BE70-143B1CB25BD1}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
88: Tue Aug 30 00:30:52 2005 => Entry "HKCR\CLSID\{2C59D5EC-6B91-4896-BD6F-5F121D87A7F8}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
89: Tue Aug 30 00:30:52 2005 => Entry "HKCR\CLSID\{2F34E0E0-F0BB-477F-AFB8-509262FA0AD1}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
90: Tue Aug 30 00:30:52 2005 => Entry "HKCR\CLSID\{35ED274E-3F42-4A78-BBDC-3B7D73E85578}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
91: Tue Aug 30 00:30:52 2005 => Entry "HKCR\CLSID\{3D74D140-F780-4AE3-8D6D-F8DC39107213}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
92: Tue Aug 30 00:30:53 2005 => Entry "HKCR\CLSID\{49443D6E-CE4E-47A9-8DEB-F5774CE14984}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
93: Tue Aug 30 00:30:53 2005 => Entry "HKCR\CLSID\{52034AD2-914C-4634-B375-9299631E5525}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
94: Tue Aug 30 00:30:54 2005 => Entry "HKCR\CLSID\{7702C521-76AE-42C0-A181-3B5A96C2EEF7}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
95: Tue Aug 30 00:30:54 2005 => Entry "HKCR\CLSID\{7ADDA344-1D36-4446-9F4B-B2351FB19EFD}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
96: Tue Aug 30 00:30:54 2005 => Entry "HKCR\CLSID\{7D98221E-AF8F-4D29-8BB1-1DFABC288173}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
97: Tue Aug 30 00:30:54 2005 => Entry "HKCR\CLSID\{7E752AAA-5A32-40AD-B150-4A2E85768E4D}" refers to invalid object "F:\BIN\WIN32\omgdwrap.dll". Action Taken: No Action Taken.
98: Tue Aug 30 00:30:55 2005 => Entry "HKCR\CLSID\{9746B450-6064-4EC8-9480-72A289AA2237}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
99: Tue Aug 30 00:30:56 2005 => Entry "HKCR\CLSID\{B212D577-05B7-4963-911E-4A8588160DFA}" refers to invalid object "C:\WINDOWS\q710406_disk.dll". Action Taken: No Action Taken.
100: Tue Aug 30 00:30:56 2005 => Entry "HKCR\CLSID\{C5A40FCE-0A0F-40CA-985E-661C28B5B431}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
101: Tue Aug 30 00:30:57 2005 => Entry "HKCR\CLSID\{C7F22879-7151-4C71-8C50-9557AFDA66C6}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
102: Tue Aug 30 00:30:57 2005 => Entry "HKCR\CLSID\{CA5E7959-60B5-47B7-80AC-1606309733F3}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
103: Tue Aug 30 00:30:57 2005 => Entry "HKCR\CLSID\{CEABF027-6CDC-4D47-ADF6-AC5D065826A6}" refers to invalid object "C:\Programme\PSGuard\Core.dll". Action Taken: No Action Taken.
104: Tue Aug 30 00:30:57 2005 => Entry "HKCR\CLSID\{D95DEB2F-4A47-467C-A78B-5D3038D089D5}" refers to invalid object "F:\BIN\WIN32\omgdbp.ocx". Action Taken: No Action Taken.
105: Tue Aug 30 00:30:57 2005 => Entry "HKCR\CLSID\{D98E820F-6ACD-4dc0-921E-9841E3D8B4A7}" refers to invalid object "F:\player\WMMP.EXE". Action Taken: No Action Taken.
106: Tue Aug 30 00:30:57 2005 => Entry "HKCR\CLSID\{E0AA0493-C410-4CBD-B1DB-1723374FA8E0}" refers to invalid object "C:\Programme\PSGuard\WndSystem.dll". Action Taken: No Action Taken.
107: Tue Aug 30 00:30:57 2005 => Entry "HKCR\CLSID\{E5D78BD8-3874-4AA0-9D45-CFB79382C484}" refers to invalid object "C:\Programme\PSGuard\WndSystem.dll". Action Taken: No Action Taken.
108: Tue Aug 30 00:30:58 2005 => Entry "HKCR\CLSID\{F4C6D6E0-A8FB-4281-BE24-1662D646FE2B}" refers to invalid object "F:\player\WMMP.EXE". Action Taken: No Action Taken.
109: Tue Aug 30 00:30:58 2005 => Entry "HKCR\CLSID\{FBE840E5-13A5-4cff-B2A9-4D1E64A17FF2}" refers to invalid object "F:\player\WMMP.EXE". Action Taken: No Action Taken.
110: Tue Aug 30 00:30:59 2005 => Entry "HKCR\TypeLib\{02BA2DB5-3BFE-4863-B539-4F80312D5230}" refers to invalid object "C:\DOKUME~1\Boris\LOKALE~1\Temp\Word8.0\ShockwaveFlashObjects.exd". Action Taken: No Action Taken.
111: Tue Aug 30 00:30:59 2005 => Entry "HKCR\TypeLib\{982392F9-9C65-48B4-B667-3459C46630D1}" refers to invalid object "C:\Programme\PSGuard\WndSystem.dll". Action Taken: No Action Taken.
112: Tue Aug 30 00:31:00 2005 => Entry "HKCR\TypeLib\{F9DA8852-CD01-4259-8D99-731CD0EA09BF}" refers to invalid object "C:\DOKUME~1\Boris\LOKALE~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
113: Tue Aug 30 00:31:00 2005 => Entry "HKCR\.cmo" refers to invalid object "VirtoolsComposition". Action Taken: No Action Taken.
114: Tue Aug 30 00:31:00 2005 => Entry "HKCR\.MVB\shell\open\command" refers to invalid object "MVIEWER2.EXE %1". Action Taken: No Action Taken.
115: Tue Aug 30 00:31:01 2005 => Entry "HKCR\.xlc\shell\open\command" refers to invalid object "C:\MSOFFICE\EXCEL\excel.exe %1". Action Taken: No Action Taken.
116: Tue Aug 30 00:31:01 2005 => Entry "HKCR\.xls\shell\open\command" refers to invalid object "C:\MSOFFICE\EXCEL\excel.exe %1". Action Taken: No Action Taken.
117: Tue Aug 30 00:31:01 2005 => Entry "HKCR\.xlt\shell\open\command" refers to invalid object "C:\MSOFFICE\EXCEL\excel.exe %1". Action Taken: No Action Taken.
118: Tue Aug 30 00:31:04 2005 => Entry "HKCR\HP" refers to invalid object "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}". Action Taken: No Action Taken.
119: Tue Aug 30 00:31:04 2005 => Entry "HKCR\HP.1" refers to invalid object "{a4f5768a-9fc4-40d6-95a6-315ac1bd220e}". Action Taken: No Action Taken.
120: Tue Aug 30 00:31:05 2005 => Entry "HKCR\IEHlprObj.IEHlprObj.1" refers to invalid object "{CE7C3CF0-4B15-11D1-ABED-709549C10000}". Action Taken: No Action Taken.

--------------------------------------------------
-------- DATEIEN ZUM LÖSCHEN HINZUGEFÜGT ---------
--------------------------------------------------

1: C:\WINDOWS\System32\checkIn.dll => Trojan.Win32.Dialer.ks
2: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077033.exe => Trojan.Win32.Small.ev
3: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077034.exe => Trojan.Win32.Puper.au
4: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077049.exe => Trojan.Win32.Zapchast
5: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077050.exe => Trojan-Downloader.Win32.Small.air
6: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077051.exe => Trojan.Win32.Zapchast
7: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077057.exe => Trojan.Win32.Puper.au
8: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP205\A0077058.exe => Trojan.Win32.Small.ev
9: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077137.exe => Trojan-Downloader.Win32.Small.bct
10: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077138.exe => Trojan.Win32.Small.ev
11: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077139.exe => Trojan.Win32.Puper.au
12: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077144.exe => Trojan.Win32.Puper.au
13: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077155.exe => Trojan.Win32.Small.ev
14: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077211.dll => Trojan.Win32.Small.ev
15: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077227.dll => Trojan-Downloader.Win32.Delf.lh
16: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0077233.exe => Trojan.Win32.Puper.au
17: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0078057.exe => Trojan.Win32.Puper.au
18: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0078071.old => Virus.Win32.Nsag.b
19: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0078117.hta => Trojan.VBS.StartPage.x
20: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0078118.EXE => Trojan.Win32.StartPage.yn
21: C:\System Volume Information\_restore{68E377ED-413B-49AD-A74A-A4931EA59283}\RP206\A0078119.EXE => Trojan.Win32.StartPage.yn
22: C:\WINDOWS\system32\checkIn.dll => Trojan.Win32.Dialer.ks

--------------------------------------------------
-------------------- Statistik -------------------
--------------------------------------------------

Tue Aug 30 01:45:38 2005 => Total Objects Scanned: 143477
Tue Aug 30 01:45:38 2005 => Total Virus(es) Found: 26
Tue Aug 30 01:45:39 2005 => Total Errors: 120
Tue Aug 30 01:45:39 2005 => Virus Database Date: 2005/08/30
Tue Aug 30 01:45:39 2005 => Virus Database Count: 146178

IN ADDITION:

HijackThis logfile - after running KillBox

Logfile of HijackThis v1.99.1
Scan saved at 02:05:33, on 30.08.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe
C:\Programme\AVPersonal\AVSched32.EXE
C:\Programme\SICHERHEIT\Trojancheck 6\tcguard.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Programme\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\DitExp.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
C:\Programme\0900 Alarm\0900Alarm.exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programme\ArcorOnline\Arcor.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\SICHERHEIT\hijackthis_199_1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de/content/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.google.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Arcor AG & Co. KG
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StorageGuard] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [Trojancheck 6 Guard] C:\Programme\SICHERHEIT\Trojancheck 6\tcguard.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LiveMonitor] C:\Programme\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [UIWatcher] C:\Programme\Ashampoo\Ashampoo UnInstaller 2002-2003\UIWatcher.exe
O4 - HKCU\..\Run: [0900 Alarm] C:\Programme\0900 Alarm\0900Alarm.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - Startup: 0900Alarm.exe.lnk = C:\Programme\0900 Alarm\0900Alarm.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Browser-Anpassung für Outpost Firewall - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra button: Connector - {FFB51760-344E-4FFB-BFFF-4B18C7AC1D63} - C:\WINDOWS\System32\Winx\SRS.EXE (file missing)
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\trash.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\trash.exe (file missing) (HKCU)
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/fotoalbum/activex/upload_11110.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://www.a99b.com/videochat.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CCE5CFD3-FCE5-48BD-90CA-D7C26A44ACE5}: NameServer = 195.50.140.252 145.253.2.75
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
This post was edited on 30.08.2005 at 02:07 by boris77.