C:\windows\system32\fservice.exe wurde nicht gefunden

#0
17.06.2005, 00:40
...neu hier

Beiträge: 1
#1 Hallo,

ich habe mich eben mal im Forum umgesehen und habe das mit Rokop-Security ausgeführt. Hier mein HiJack Logfile.

Logfile of HijackThis v1.99.1
Scan saved at 00:40:53, on 17.06.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ad_elmd.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINNT\system32\crypserv.exe
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\vsnpstd3.exe
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\WINNT\system32\stisvc.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\internat.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Spyware Doctor\spydoctor.exe
C:\Programme\Messenger\ymsgr_tray.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\LAVASOFT\AD-AWA~1\AD-AWARE.EXE
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\Rar$EX01.173\HijackThis.exe
C:\WINNT\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.de
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uni-hannover.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\fservice.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Common\ycomp5_1_5_0.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programme\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {A9BA4F33-E9C9-489C-B6DB-B2917F3410F8} - C:\WINNT\System32\lmbe.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.3000.1001\de\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Common\ycomp5_1_5_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.3000.1001\de\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [msnappau] "C:\Programme\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [snpstd3] C:\WINNT\vsnpstd3.exe
O4 - HKLM\..\Run: [SpionFrei] "C:\Programme\SinEspias\no-spy.exe" /autorun
O4 - HKLM\..\Run: [load32] C:\WINNT\System32\winldra.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Programme\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Programme\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Messenger\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Messenger\yhexbmesde.dll
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Programme\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {185F0ED4-7648-4D0A-8924-3243C8C6DDD8} (MpExtWinCtrl) - http://asp1.meetingplaza.com/pre_release_cabs/MpExtWinCtrl.cab
O16 - DPF: {2F29658D-FB92-4A4F-8FFF-0D1BC1BA52C5} (GlassRoomVoice Control) - http://141.30.230.30:8080/GlassRoom/GlassRoomVoice.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Programme\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2863247eb89a52695d17/netzip/RdxIE601_de.cab
O16 - DPF: {67C1FA99-7563-415F-83C0-341CA4B8E85F} (MpPlayer Control) - http://asp1.meetingplaza.com/pre_release_cabs/MpPlayer.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9D0A9D98-5221-430A-A02D-76F0827C82D1} (ADialer Class) - http://www.dialer-shop.com/b035/celebrita-sexy.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F31E00A8-AFC1-11D4-884B-00A0C9E22778} (MeetingPlaza_2D_Control) - http://asp1.meetingplaza.com/pre_release_cabs/MP2D.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Filter: text/html - {CDCA9428-CF29-4566-BAF6-C85F8B8449EE} - C:\WINNT\System32\lmbe.dll
O18 - Filter: text/plain - {CDCA9428-CF29-4566-BAF6-C85F8B8449EE} - C:\WINNT\System32\lmbe.dll
O21 - SSODL: jXlXsiW - {006442CB-AACE-E861-20B6-608649C82437} - C:\WINNT\System32\qomgvkf.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Autodesk License Manager (AdLM) - Unknown owner - C:\WINNT\System32\ad_elmd.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Programme\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Configuration Loader - Unknown owner - C:\WINNT\System32\scvhost.exe" -service (file missing)
O23 - Service: Crypkey License - Unknown owner - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: McShield - Network Associates, Inc. - C:\Programme\Gemeinsame Dateien\Network Associates\McShield\Mcshield.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)
Seitenanfang Seitenende
17.06.2005, 16:01
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#2 Hallo@ loai

•Download Registry Search Tool :
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Doppelklick:regsrch.vbs

reinkopieren:

Press 'OK'
warten, bis die Suche beendet ist. (Ergebnis bitte posten)

.NET Connection Service

jXlXsiW

{9D0A9D98-5221-430A-A02D-76F0827C82D1}

r_server



Start< schreib rein: cmd

kopiere rein:
sc stop Configuration Loader
klicke "enter"

und warte ein bisschen,
dann kopiere rein:

sc delete Configuration Loader
klicke "enter"

kopiere rein:
del C:\WINNT\System32\scvhost.exe
Klicke "enter"

kopiere rein:
sc stop .NET Connection Service
klicke "enter"



scannen:
Hijacker about:blank - se.dll\sp.html
http://www.trojaner-info.de/anleitungen/hijackthis/about_blank.html

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\fservice.exe
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programme\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O4 - HKLM\..\Run: [snpstd3] C:\WINNT\vsnpstd3.exe
O4 - HKLM\..\Run: [SpionFrei] "C:\Programme\SinEspias\no-spy.exe" /autorun
O4 - HKLM\..\Run: [load32] C:\WINNT\System32\winldra.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\se.dll,DllInstall
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9D0A9D98-5221-430A-A02D-76F0827C82D1} (ADialer Class) - http://www.dialer-shop.com/b035/celebrita-sexy.cab (DIALER !!!!!!!!)
O18 - Filter: text/html - {CDCA9428-CF29-4566-BAF6-C85F8B8449EE} - C:\WINNT\System32\lmbe.dll
O18 - Filter: text/plain - {CDCA9428-CF29-4566-BAF6-C85F8B8449EE} - C:\WINNT\System32\lmbe.dll
O21 - SSODL: jXlXsiW - {006442CB-AACE-E861-20B6-608649C82437} - C:\WINNT\System32\qomgvkf.dll
O23 - Service: Configuration Loader - Unknown owner - C:\WINNT\System32\scvhost.exe" -service (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)

PC neustarten

•KillBox
http://bilder.informationsarchiv.net/Nikitas_Tools/KillBox.zip
Anleitung: (bebildert)
http://virus-protect.org/killbox.html

•Delete File on Reboot <--anhaken

und klicke auf das rote Kreuz,
wenn gefragt wird, ob "Do you want to reboot? "----> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

C:\WINNT\System32\qomgvkf.dll
C:\WINNT\System32\scvhost.exe
C:\WINNT\vsnpstd3.exe
C:\WINNT\System32\lmbe.dll
C:\Programme\SinEspias\no-spy.exe

C:\WINNT\System32\winldra.exe
C:\WINNT\System32\dvpd.dll
C:\WINNT\System32\netdx.dat
C:\WINNT\System32\socks.dat
C:\WINNT\System32\prntsvra.dll
C:\WINNT\TEMP\fa4537ef.tmp

C:\WINNT\svchost.exe
C:\winnt\system32\fservice.exe.bat
C:\winnt\services.exe
C:\winnt\system32\sservice.exe
C:\winnt\system32\fservice.exe
C:\winnt\system32\wininv.dll
C:\WINNT\System32\reginv.dll
C:\winnt\system32\winkey.dll

PC neustarten

arbeite das bitte ab: (poste alles)

http://virus-protect.org/escan.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende