"Warning! You're in danger!" - Desktop-Hintergrund unveraenderbar

#1 Hiho,

ich weiss, gerade dieses Thema gabs schon zig Tausend mal, aber ich weiss nicht mehr weiter.

Hab mir durch die leichtfertige Nutzung des IE 6.0 (normalerweise nehm ich den Firefox) paar Trojaner eingefangen. Mit Hilfe von AntiVir, der neuesten Version von Ad-Aware und einem online-Scan von Panda hab ich mein System jetzt wieder Malware-frei bekommen (hoffe ich zumindest).

Allerdings ist nach wie vor mein Desktophintergrund festgefroren, und zwar komplett schwarz mit einer zentrierten Box "Warning! You're in Danger!" und einem absatzlangen Text, wie wichtig doch eine Anti-SpyWare-Software ist und dass ich mich selbst schuetzen soll.

HiJack-Log:

Logfile of HijackThis v1.99.1
Scan saved at 19:41:06, on 24.06.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\AVPersonal\AVGNT.EXE
C:\PROGRA~1\ICQ\ICQ.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Skype\Phone\Skype.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\Stefan Konrad\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpv.dll/asst.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0ACC261F-3022-46B1-B6C3-C3015EBF31D8} - C:\WINDOWS\mrhop.dll (file missing)
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Programme\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home
O4 - HKCU\..\Run: [MainService] c:\windows\winman32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Programme\IrfanView\Ebay\Ebay.htm
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/DE/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://p1x.de/jinstall-1_4_2-windows-i586.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6EFCEEC-D629-475D-946C-6A4B9B5BEDC8}: NameServer = 192.168.1.1
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


PS: Ja ich weiss, ich hab den IE im Autostart, habs nur beim letzten stoebern in der regedit vergessen rauszumachen. Sollte aber nicht das Problem sein.

#2 Am besten erst mal auf http://www.hijackthis.de automatisch auswerten lassen.

#3 Habs durch ein paar Tricks auch so schon geschafft, trotzdem danke!

#4 Hallo@Dr.Pschy

C:\Dokumente und Einstellungen\User\Favoriten

loeschen:
* ADULT STORE (a folder containing 10 shortcuts)
* Adult Super Store
* Arabic Girls Exposed
* Free Adult Personals
* Free Desktop Strippers
* Here Is Something For Everybody
* Horny Housewives
* Nasty Mature Women
* Your Online Privacy Is Under Attack!


-------------------------------------------------------
Start-->Ausfuehren--> regedit
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

mit rechtsklick loeschen.

"url1" = "[Web site on the itasex-x.com domain]"
"url2" = "[Web site on the hardcore-sex-movies.com domain]"

Loesche: "Compatibility Flags" = "0x00000400" unter diesen Schluesseln:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000535-0000-0010-8000-00AA006D2EA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000}

bearbeiten -- suchen-- shdocpe.dll
loesche alle Eintraege


Fixe mit dem HijackThis:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpv.dll/asst.htm
O2 - BHO: (no name) - {0ACC261F-3022-46B1-B6C3-C3015EBF31D8} - C:\WINDOWS\mrhop.dll (file missing)
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll
O4 - HKLM\..\Run: [FastStart] C:\WINDOWS\system32\svcnut32.exe home
O4 - HKCU\..\Run: [MainService] c:\windows\winman32.exe

neustarten

•KillBox
http://bilder.informationsarchiv.net/Nikitas_Tools/KillBox.zip
Anleitung: (bebildert)
http://virus-protect.org/killbox.html

•Delete File on Reboot <--anhaken

und klicke auf das rote Kreuz,
wenn gefragt wird, ob "Do you want to reboot? "----> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

C:\WINDOWS\mrhop.dll
C:\WINDOWS\gds5.dll
C:\WINDOWS\system32\svcnut32.exe
c:\windows\winman32.exe
C:\Windows\system32\shdocpl.dll
C:\Windows\system32\ntnut32.exe
C:\Windows\system32\svcnut.exe

neue Startseite
gehe zur Systemsteuerung -- Internetoptionen -- auf dem Reiter Allgemein bei Temporäre Internetdateien klickst du Dateien löschen -- auch bei Alle Offlineinhalte löschen das Häkchen setzen und mit OK bestätigen -- Auf den Reiter Programme gehen und dort auf Webeinstellungen zurücksetzen klicken, mit Ja bestätigen, fall Nachfrage kommt -- auf Übernehmen und abschließend auf OK klicken und stelle eine neue Startseite ein
------------------------------------------------------------------------------
http://virus-protect.org/verstellteStartseite.html#Trojan.StartPage
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Logfile of HijackThis v1.99.1
Scan saved at 23:12:10, on 16.05.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Programme\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Programme\VIA\RAID\raid_tool.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Programme\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Programme\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Programme\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Spyware Doctor\swdoctor.exe
C:\Programme\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Programme\OpenOffice.org 2.0\program\soffice.exe
C:\Programme\OpenOffice.org 2.0\program\soffice.BIN
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\FABSEB~2.FAB\LOKALE~1\Temp\Rar$EX00.609\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [OpwareSE2] "C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Programme\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [RaidTool] C:\Programme\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Software Soft Stop] C:\Program Files\Spyware Soft Stop\Spyware Soft Stop.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programme\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Programme\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Programme\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3584.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programme\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Xfire.lnk = C:\Programme\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Google-Suche - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O20 - Winlogon Notify: 2014reg - C:\Dokumente und Einstellungen\All Users.WINDOWS\Dokumente\Settings\2014.dll
O20 - Winlogon Notify: 20242402reg - C:\Dokumente und Einstellungen\All Users.WINDOWS\Dokumente\Settings\20242402.dll
O20 - Winlogon Notify: s_reg - C:\WINDOWS\SYSTEM32\notifysb.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Programme\Gemeinsame Dateien\BOONTY Shared\Service\Boonty.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Programme\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programme\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Programme\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


ok ich hab auch des sch*** problem mit dem schwarzen desktop. ich hab jetzt mal des log teil gemacht und hoffe, dass mir geholfen wird.
Danke im Voraus!!

#6 Seffri

1.
stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

2.
Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html

3.
poste das log vom Silentrunner
http://virus-protect.org/silentrunner.html

4.
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben oder reinkopieren)

Spyware Soft Stop

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Verzeichnis von C:\WINDOWS\system32

16.05.2006 23:40 41.108 vsconfig.xml
16.05.2006 23:39 64.790 ikhcore.log
08.05.2006 15:01 4.212 zllictbl.dat
06.05.2006 19:11 17 dlh9jkdq8.exe
04.05.2006 15:31 74.360 wbc32.exe
04.05.2006 15:31 30.680 vindows32.exe
04.05.2006 15:31 81.900 _winlogon32.exe
04.05.2006 15:31 55.120 localhost32.exe
04.05.2006 15:31 29.380 ur72.dll
04.05.2006 14:31 16.896 notifysb.dll
02.05.2006 19:05 1 vx.tll

C:\Dokumente und Einstellungen\All Users.WINDOWS\Dokumente\Settings\2014.dll
C:\WINDOWS\desktop.html


edit Sabina

#8 nun poste die anderen Logs
__________
MfG Sabina

rund um die PC-Sicherheit

#9 ich habe geloescht, was du gepostet hattest...denn es war das gleiche log wie oben, ich brauche die anderen 3
http://virus-protect.org/datfindbat.html

1.Log Verzeichnis von C:\WINDOWS\system32
2.Log Verzeichnis von C:\DOKUME~1\Username\LOKALE~1\Temp
3.Log Verzeichnis von C:\WINDOWS
4.Log Verzeichnis von C:\

Zitat

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Pop-Up-Blocker" = (empty string)
"TransparentIcons" = (empty string)
"BlockAds" = (empty string)
"Tweak-XP" = (empty string)
"STYLEXP" = "C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide" [empty string]
"WinMedia" = "C:\WINDOWS\System32\vxgame6.exe3584.exe" [file not found]
"Spyware Doctor" = ""C:\Programme\Spyware Doctor\swdoctor.exe" /Q" ["PC Tools Research Pty Ltd"]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"OpwareSE2" = ""C:\Programme\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"" ["ScanSoft, Inc."]
"virtual-ie" = "winlogi.exe" [file not found]
"Ulead AutoDetector" = "C:\Programme\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" ["Ulead Systems, Inc."]
"RaidTool" = "C:\Programme\VIA\RAID\raid_tool.exe" ["VIA Technologies"]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Software Soft Stop" = "C:\Program Files\Spyware Soft Stop\Spyware Soft Stop.exe" [null data]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"OfficeGuard RegChecker" = ""C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"" [null data]
"AVPCC" = ""C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait" ["Kaspersky Labs."]
"pccguide.exe" = ""C:\Programme\Trend Micro\PC-cillin 2002\pccguide.exe"" ["Trend Micro Inc."]
"PCCClient.exe" = ""C:\Programme\Trend Micro\PC-cillin 2002\PCCClient.exe"" ["Trend Micro Inc."]
"Pop3trap.exe" = ""C:\Programme\Trend Micro\PC-cillin 2002\Pop3trap.exe"" ["Trend Micro Inc."]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Programme\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PCTools Site Guard"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PCTools Browser Monitor"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.11 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu Extension"
\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.11 DragDrop Shell Extension"
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.11 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.11 Property Sheet Shell Extension"
-> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> {HKLM...CLSID} = "TMD Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Trend Micro\PC-cillin 2002\Tmdshell.dll" ["Trend Micro Inc."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {HKLM...CLSID} = "VBPropSheet"
\InProcServer32\(Default) = "C:\Programme\Trend Micro\PC-cillin 2002\VBProp.dll" ["Trend Micro Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! 2014reg\DLLName = "C:\Dokumente und Einstellungen\All Users.WINDOWS\Dokumente\Settings\2014.dll" [null data]
INFECTION WARNING! 20242402reg\DLLName = "C:\Dokumente und Einstellungen\All Users.WINDOWS\Dokumente\Settings\20242402.dll" [null data]
INFECTION WARNING! s_reg\DLLName = "notifysb.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\KAV Shared Files\AvpShlEx.dll" ["Kaspersky Labs."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\KAV Shared Files\AvpShlEx.dll" ["Kaspersky Labs."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001
[enables Active Desktop and prevents disabling it]
{User Configuration|Administrative Templates|Desktop|Active Desktop|
Enable Active Desktop}

HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html"
[disables the Display Properties|Desktop (tab) (except the "Customize
Desktop..." button); selects wallpaper if Active Desktop is enabled]
{User Configuration|Administrative Templates|Desktop|Active Desktop|
Active Desktop Wallpaper|Wallpaper Name:}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop enabled via Group Policy.

Wallpaper selected via Group Policy.


Startup items in "Fabseb" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\Fabseb.FABSEB-UAZEAULB\Startmenü\Programme\Autostart
"OpenOffice.org 2.0" -> shortcut to: "C:\Programme\OpenOffice.org 2.0\program\quickstart.exe" [null data]
"Xfire" -> shortcut to: "C:\Programme\Xfire\Xfire.exe" ["Xfire Inc."]

C:\Dokumente und Einstellungen\All Users.WINDOWS\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"WG111v2 Smart Wizard Wireless Setting" -> shortcut to: "C:\Programme\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe" [empty string]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
-> {HKLM...CLSID} = "Easy-WebPrint"
\InProcServer32\(Default) = "C:\Programme\Canon\Easy-WebPrint\Toolband.dll" [null data]
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {HKLM...CLSID} = "PCTools Browser Monitor"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]

{B205A35E-1FC4-4CE3-818B-899DBBB3388C}\

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
AVP Control Centre Service, AVPCC, ""C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service" ["Kaspersky Labs."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
PC Tools Spyware Doctor, SDhelper, "C:\Programme\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]
Sygate Personal Firewall, SmcService, "C:\Programme\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
Trend NT Realtime Service, Tmntsrv, ""C:\Programme\Trend Micro\PC-cillin 2002\Tmntsrv.exe"" ["Trend Micro Inc."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor MP110\Driver = "CNMLM6f.DLL" ["CANON INC."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.

__________
MfG Sabina

rund um die PC-Sicherheit

#10 Verzeichnis von C:\DOKUME~1\FABSEB~2.FAB\LOKALE~1\Temp

17.05.2006 00:14 978 TmpICQMagic_{05736BBE-C20F-4F10-A6DE-4DB1E3564B0E}16566.html
17.05.2006 00:07 983 TmpICQMagic_{EC202595-1DFD-4301-A1EA-13C1E331B505}30446.html
17.05.2006 00:01 512 ~DF6117.tmp
17.05.2006 00:01 16.384 ~DF6100.tmp

08.03.2006 16:16 0 ~1D.tmp
02.03.2006 20:10 0 JET2D35.tmp

edit Sabina


Verzeichnis von C:\WINDOWS

16.05.2006 23:40 415 sss_main.ini
16.05.2006 23:40 0 0.log
16.05.2006 23:40 1.272.045 WindowsUpdate.log
16.05.2006 23:40 159 wiadebug.log
16.05.2006 23:40 50 wiaservc.log
16.05.2006 23:40 2.048 bootstat.dat
16.05.2006 23:36 32.548 SchedLgU.Txt
16.05.2006 23:35 106 TMFilter.log
16.05.2006 22:55 49 NeroDigital.ini
16.05.2006 22:04 282 wWë
16.05.2006 19:35 533 Ulead32.ini
16.05.2006 16:38 609.980 setupapi.log
16.05.2006 16:15 502 muma2003.INI
16.05.2006 15:49 28 sampler.INI
16.05.2006 15:49 783 beatbox.INI
14.05.2006 17:32 2.308 Ascd_tmp.ini
11.05.2006 17:23 535.355.392 MEMORY.DMP
06.05.2006 15:03 128.139 iis6.log
06.05.2006 15:03 64.185 comsetup.log
06.05.2006 15:03 33.700 ntdtcsetup.log
06.05.2006 15:03 37.779 tsoc.log
06.05.2006 15:03 3.334 tabletoc.log
06.05.2006 15:03 1.891 imsins.log
06.05.2006 15:03 4.376 ocmsn.log
06.05.2006 15:03 7.629 netfxocm.log
06.05.2006 15:03 52.990 ocgen.log
06.05.2006 15:03 3.355 msgsocm.log
06.05.2006 15:03 47.614 FaxSetup.log
06.05.2006 15:03 23.898 msmqinst.log
05.05.2006 14:25 1.999 desktop.html
04.05.2006 15:31 30.680 pasmew.dll
04.05.2006 15:31 66.040 logon032.dll
04.05.2006 15:31 30.940 keydsp.exe
01.05.2006 21:06 71 pex.INI
22.04.2006 16:49 500 GEARInstall.log
19.04.2006 22:12 9.446 Windows Update.log
07.04.2006 14:54 10 popcinfo.dat
04.04.2006 23:39 103.424 Thumbs.db
01.04.2006 11:39 2.223 OEWABLog.txt
30.03.2006 18:04 2.884 COM+.log
30.03.2006 16:22 90.679 DirectX.log

Verzeichnis von C:\

17.05.2006 00:20 0 sys.txt
17.05.2006 00:19 7.527 system.txt
17.05.2006 00:15 46.621 systemtemp.txt
17.05.2006 00:11 101.197 system32.txt
16.05.2006 23:40 535.351.296 hiberfil.sys
16.05.2006 23:40 805.306.368 pagefile.sys
04.05.2006 15:31 41.080 logic.sam
30.03.2006 16:11 194 boot.ini
26.03.2006 14:39 235.296 ntldr
26.03.2006 14:39 47.580 NTDETECT.COM
26.03.2006 14:36 4.952 bootfont.bin
09.03.2006 20:33 765.299 lxcgUNST.csv
09.03.2006 20:32 256 lxcg.log
09.03.2006 20:32 3.339 lxcgscan.log
03.02.2006 08:57 3.918.624 Feb2006_MDX1_x86_Archive.cab
03.02.2006 08:57 1.363.684 Feb2006_d3dx9_29_x64.cab
03.02.2006 08:57 179.247 Feb2006_xact_x64.cab
03.02.2006 08:57 917.376 Feb2006_MDX1_x86.cab
03.02.2006 08:57 133.297 Feb2006_xact_x86.cab
03.02.2006 08:57 1.085.608 Feb2006_d3dx9_29_x86.cab
03.02.2006 08:57 41.892 dxdllreg_x86.cab
03.02.2006 08:26 81.433 dxupdate.cab
03.02.2006 08:26 484.560 DXSETUP.exe
03.02.2006 08:26 1.065.813 Jun2005_d3dx9_26_x86.cab
03.02.2006 08:26 46.247 Oct2005_xinput_x86.cab
03.02.2006 08:26 2.248.400 dsetup32.dll
03.02.2006 08:26 86.925 Oct2005_xinput_x64.cab
03.02.2006 08:26 74.448 DSETUP.dll
03.02.2006 08:26 1.336.890 Jun2005_d3dx9_26_x64.cab
03.02.2006 08:26 1.014.113 Feb2005_d3dx9_24_x86.cab
03.02.2006 08:26 1.248.387 Feb2005_d3dx9_24_x64.cab
03.02.2006 08:26 1.358.864 Dec2005_d3dx9_28_x64.cab
03.02.2006 08:26 1.078.532 Aug2005_d3dx9_27_x86.cab
03.02.2006 08:26 1.080.344 Dec2005_d3dx9_28_x86.cab
03.02.2006 08:26 1.351.430 Aug2005_d3dx9_27_x64.cab
03.02.2006 08:26 1.079.850 Apr2005_d3dx9_25_x86.cab
03.02.2006 08:26 1.348.242 Apr2005_d3dx9_25_x64.cab
03.02.2006 08:26 13.265.040 dxnt.cab
03.02.2006 08:26 15.493.481 DirectX.cab
03.02.2006 08:26 703.080 BDA.cab
03.02.2006 08:26 1.156.363 BDANT.cab
03.02.2006 08:26 976.020 BDAXP.cab

danke für alles

#11 Seffri

spyware_soft_stop
http://virus-protect.org/artikel/spyware/spyware_soft_stop.html

-----------------------------------------------------------------------------------

Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben oder reinkopieren)

Spyware Soft Stop

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.

---------------------------------------------------------------------------------


lade und entpacke auf dem Desktop:

*
smitfraud.fix
http://virus-protect.org/artikel/tools/smitfrautfix.html
doppelklick smitfraudfix.cmd
schreibe: 1 (es wird ein Report von den infizierten Dateien erstellt) --> poste dieses Log

*
KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

*
CleanUp (anwenden !)
http://virus-protect.org/cleanup.html

------------------------------------------------------------------------

1.
klick Start -> Ausführen>> schreibe rein: Services.msc und Klick OK!
"Eigenschaften" >> klick "Stop" >> Starttyp "deaktiviert" -> VH4H

2.
Start --> Ausführen --> reinkopieren (wenn eine Fehlermeldung kommt...ignorieren) --> klicke O.K.

sc delete VH4H

-------------------------------------------------------------------
3.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als sheriff.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.

Zitat

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Soft Stop_is1]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pop-Up-Blocker"=-
"TransparentIcons"=-
"BlockAds"=-
"Tweak-XP"=-
"WinMedia"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"virtual-ie"=-
"Software Soft Stop"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=-
"NoViewContextMenu"=-
"NoActiveDesktop"=-
"ForceActiveDesktopOn"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoAddingComponents"=-
"NoComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-
"NoCloseDragDropBands"=-
"NoMovingBands"=-
"NoHTMLWallPaper"=-
"NoChangingWallPaper"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

---------------------------------------------------------------------------------------------
4.
KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> anhaken
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"
reinkopieren: ............

C:\WINDOWS\system32\vsconfig.xml
C:\WINDOWS\System32\vxgame6.exe3584.exe
C:\WINDOWS\System32\vxgame6.exe
C:\WINDOWS\system32\ikhcore.log
C:\WINDOWS\system32\dlh9jkdq8.exe
C:\WINDOWS\system32\wbc32.exe
C:\WINDOWS\system32\vindows32.exe
C:\WINDOWS\system32\_winlogon32.exe
C:\WINDOWS\system32\localhost32.exe
C:\WINDOWS\system32\ur72.dll
C:\WINDOWS\system32\notifysb.dll
C:\WINDOWS\system32\vx.tll
C:\Dokumente und Einstellungen\All Users.WINDOWS\Dokumente\Settings\2014.dll
C:\Dokumente und Einstellungen\All Users.WINDOWS\Dokumente\Settings\20242402.dll
C:\WINDOWS\desktop.html
C:\WINDOWS\sss_main.ini
C:\WINDOWS\pasmew.dll
C:\WINDOWS\logon032.dll
C:\WINDOWS\wWë
C:\logic.sam
C:\WINDOWS\keydsp.exe

**
5.
Computer in den abgesicherten Modus neustarten (F8 beim Starten drücken).

**
Die Datei "sheriff.reg" auf dem Desktop doppelklicken.

**
6.
Spyware Soft Stop deinstallieren

C:\Program Files\Spyware Soft Stop\ -> loeschen

-----

**
7.
Start - Ausfuehren --> schreib rein: cmd
dann kopiere rein:

del c:\ *.tmp

- bestaetige jedesmal mit "Y"

del %temp%\*.tmp /f
del %windir%\prefetch\*.*
del %windir%\temp\*.* /f
del C:\Dokumente und Einstellungen\*\Lokale Einstellungen\Temp\*.* /f
del %temp%

8.
doppelklick smitfraudfix.cmd

-----------------------------------------------------------------------
9.
boote wieder in den Normalmodus

10.
öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

Zitat

O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\Run: [Software Soft Stop] C:\Program Files\Spyware Soft Stop\Spyware Soft Stop.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O20 - Winlogon Notify: 2014reg - C:\Dokumente und Einstellungen\All Users.WINDOWS\Dokumente\Settings\2014.dll
O20 - Winlogon Notify: 20242402reg - C:\Dokumente und Einstellungen\All Users.WINDOWS\Dokumente\Settings\20242402.dll
O20 - Winlogon Notify: s_reg - C:\WINDOWS\SYSTEM32\notifysb.dll

PC neustarten

**
11.
scanne mit kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#12 SmitFraudFix v2.44

Scan done at 17:17:55,93, 19.05.2006
Run from C:\DOKUME~1\FABSEB~2.FAB\LOKALE~1\Temp\y5bPEy
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\desktop.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\dlh9jkdq?.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Fabseb.FABSEB-UAZEAULB\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\FABSEB~2.FAB\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

alles funktioniert wieder !!!! ::::::)))))))) vielen dank
und nochmal danke für die ganzen tipps >>> DANKEEEEEEEEE^^