O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
10.10.2005, 21:47
Member
Posts: 14
11.10.2005, 05:24
Member
Posts: 4730
#2
Fix the following entries (tick the boxes, click "fix checked"):

F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpFE26.tmp (file missing)
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{598F570E-F14A-4F31-8CDC-B000D2796536}: NameServer = 85.255.113.146,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEAB4976-0A54-4EB5-AC23-9A643BF12228}: NameServer = 85.255.113.146,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5F4A22A-08B0-4EBF-AB76-AF259DAA3BFB}: NameServer = 85.255.113.146,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{598F570E-F14A-4F31-8CDC-B000D2796536}: NameServer = 85.255.113.146,85.255.112.19
O17 - HKLM\System\CS3\Services\Tcpip\..\{598F570E-F14A-4F31-8CDC-B000D2796536}: NameServer = 85.255.113.146,85.255.112.19

Delete the following files using Killbox (http://managor.de/killbox.htm):

C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\System32\ole32vbs.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\intmon.exe

Run a scan with eScanCheck (http://managor.de/escan.htm) and post the result.

Also, following the instructions on the page below, create four log files and copy all entries from the past three weeks from them into the forum here (with the path; each entry is preceded by a date).
http://virus-protect.org/datfindbat.html

__________
This is a signature! Personal service: Are you from Berlin? Then send me a PM; maybe we can arrange an appointment.
Der Grabsteinschubser
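As an added example (not code from the original post, nor from HijackThis or its author), the following Python script shows how the entries the helper singled out above can be triaged automatically: it parses HijackThis-style lines and flags O17 NameServer values outside an expected resolver set, O2 BHO entries whose file is missing or is a .tmp file, O4 autostart values whose name does not match the binary they launch, and an F2 Shell= line that lists more than Explorer.exe. The expected resolver set (192.168.1.1) and the name-mismatch rule for O4 are assumptions of this example, chosen to surface entries for manual review; they are not HijackThis rules. The sample log is constructed from the entries quoted in the post.

```python
"""Triage HijackThis-style log lines for the classes of entry flagged above.

Added example, not part of the forum post and not HijackThis code.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the entries the helper asked to have fixed.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpFE26.tmp (file missing)
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{598F570E-F14A-4F31-8CDC-B000D2796536}: NameServer = 85.255.113.146,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{598F570E-F14A-4F31-8CDC-B000D2796536}: NameServer = 85.255.113.146,85.255.112.19
"""

# Assumption: the resolvers this machine is expected to use (e.g. the home router).
EXPECTED_DNS = {"192.168.1.1"}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
O17_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,]+)")
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<path>\S.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O17"
    reason: str    # why the entry was flagged
    line: str      # the original log line


def _basename(path):
    """Last path component of a Windows path."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def triage(log_text):
    """Return a Finding for every entry that deserves a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O17":
            # DNS servers configured for an adapter; anything outside the
            # expected set is what a DNS-changer would leave behind.
            s = O17_RE.search(body)
            if s:
                bad = [ip for ip in s.group("servers").split(",") if ip and ip not in EXPECTED_DNS]
                if bad:
                    findings.append(Finding(sec, "DNS resolver(s) outside expected set: " + ", ".join(bad), line))
        elif sec == "O2":
            # A BHO whose file is gone, or that lives in a .tmp file, is not a normal install.
            if "(file missing)" in body or re.search(r"\.tmp\b", body, re.IGNORECASE):
                findings.append(Finding(sec, "BHO file missing or loaded from a .tmp file", line))
        elif sec == "O4":
            # Heuristic (assumption of this example): the Run value name should
            # match the binary it starts; "[RegSvr32] ...\msmsgs.exe" does not.
            s = O4_RE.search(body)
            if s:
                value_name = s.group("name").strip().lower()
                exe = _basename(s.group("path").strip()).lower()
                if value_name != exe.rsplit(".", 1)[0]:
                    findings.append(Finding(sec, f"autostart value '{s.group('name')}' runs unrelated binary '{exe}'", line))
        elif sec == "F2" and "shell=" in body.lower():
            # system.ini Shell= should name Explorer.exe and nothing else.
            value = body.split("=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                findings.append(Finding(sec, "extra shell program in system.ini: " + value, line))
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The O4 rule is deliberately coarse and will flag legitimate entries whose value name differs from the executable name; it is meant to shortlist lines for the kind of manual review the helper performed, not to replace it. The O17 rule is the useful one for this thread: once the expected resolvers are known, any adapter pointing elsewhere is caught regardless of the adapter GUID or control set.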
11.10.2005, 09:27
Member
Thread starter, Posts: 14
#3
Hello Managor,

Many thanks for your quick reply. I followed your instructions from top to bottom and hope I made no mistakes. I did have one problem with the program escan, though, because I don't know how to run a scan. I could not find a corresponding item in the program. Everything else has worked without problems so far. I am now posting the log files:

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 3037-2160

Verzeichnis von C:\WINDOWS\system32

11.10.2005 09:02 31.766 vsconfig.xml
11.10.2005 09:02 288 DVCStateBkp-{00000000-00000000-0000000A-00001102-00000002-100A1102}.dat
11.10.2005 09:02 288 DVCState-{00000000-00000000-0000000A-00001102-00000002-100A1102}.dat
11.10.2005 09:02 1.080 settings.sfm
11.10.2005 09:02 1.080 settingsbkup.sfm
11.10.2005 09:02 24.144 BMXBkpCtrlState-{00000000-00000000-0000000A-00001102-00000002-100A1102}.rfx
11.10.2005 09:02 16.376 BMXStateBkp-{00000000-00000000-0000000A-00001102-00000002-100A1102}.rfx
11.10.2005 09:02 16.376 BMXState-{00000000-00000000-0000000A-00001102-00000002-100A1102}.rfx
11.10.2005 09:02 24.144 BMXCtrlState-{00000000-00000000-0000000A-00001102-00000002-100A1102}.rfx
11.10.2005 08:54 4.608 hhk.dll
11.10.2005 08:52 53.248 hp58CE.tmp
11.10.2005 08:46 53.248 hp608E.tmp
11.10.2005 08:40 53.248 hp5A06.tmp
11.10.2005 08:28 53.248 hp4B03.tmp
10.10.2005 21:19 15.360 dgprpsetup.exe
10.10.2005 21:09 39.992 perfc009.dat
10.10.2005 21:09 311.604 perfh009.dat
10.10.2005 21:09 48.156 perfc007.dat
10.10.2005 21:09 316.594 perfh007.dat
10.10.2005 21:09 723.744 PerfStringBackup.INI
10.10.2005 21:07 302.621 SetupCarnival.exe
10.10.2005 21:06 155.648 lpfpy.dll
10.10.2005 21:05 4.286 ot.ico
10.10.2005 21:05 4.286 ts.ico
10.10.2005 21:03 7.297 msole32.exe
10.10.2005 21:03 6.656 intell32.exe
10.10.2005 21:03 155.648 hqxzy.dll
10.10.2005 21:01 2.184 wpa.dbl
10.10.2005 21:01 162.728 FNTCACHE.DAT
14.09.2005 07:17 4.212 zllictbl.dat
29.08.2005 19:09 71.424 zlcommdb.dll
29.08.2005 19:09 79.616 zlcomm.dll
29.08.2005 19:09 100.096 vsxml.dll
29.08.2005 19:09 382.720 vsutil.dll
29.08.2005 19:09 71.424 vsregexp.dll
29.08.2005 19:08 227.072 vspubapi.dll
29.08.2005 19:08 104.192 vsmonapi.dll
29.08.2005 19:08 141.056 vsinit.dll
29.08.2005 19:08 368.256 vsdatant.sys
29.08.2005 19:08 83.712 vsdata.dll
29.08.2005 18:52 54.960 vsutil_loc0407.dll
29.08.2005 13:27 520.968 LegitCheckControl.DLL
29.08.2005 13:27 23.304 GWFSPidGen.DLL
17.08.2005 13:13 2.957 jupdate-1.5.0_01-b08.log
17.08.2005 10:16 16.832 amcompat.tlb
17.08.2005 10:16 23.392 nscompat.tlb
16.08.2005 11:22 0 h323log.txt
16.08.2005 10:36 0 TFTP1984
16.08.2005 10:36 0 TFTP2016
16.08.2005 10:34 25.065 wmpscheme.xml
16.08.2005 10:32 7.680 TFTP2004
16.08.2005 10:30 261 $winnt$.inf
16.08.2005 10:28 2.951 CONFIG.NT
16.08.2005 10:27 488 WindowsLogon.manifest
16.08.2005 10:27 488 logonui.exe.manifest
16.08.2005 10:26 749 cdplayer.exe.manifest
16.08.2005 10:26 749 sapi.cpl.manifest
16.08.2005 10:26 749 wuaucpl.cpl.manifest
16.08.2005 10:26 749 nwc.cpl.manifest
16.08.2005 10:26 749 ncpa.cpl.manifest
16.08.2005 10:25 21.740 emptyregdb.dat

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 3037-2160

Verzeichnis von C:\DOKUME~1\Ralf\LOKALE~1\Temp

11.10.2005 09:14 780 WcesView.log
11.10.2005 09:02 224 WCESCOMM.LOG
11.10.2005 09:02 1.428 jusched.log
11.10.2005 09:01 447 kb.log
11.10.2005 09:01 16.384 ~DF92A.tmp
11.10.2005 08:57 16.384 ~DFF5E.tmp
11.10.2005 08:54 16.384 ~DFE886.tmp
11.10.2005 08:50 16.384 ~DFE500.tmp
11.10.2005 08:43 16.384 ~DF45F1.tmp
11.10.2005 08:35 16.384 ~DFAF1F.tmp
10 Datei(en) 101.183 Bytes
0 Verzeichnis(se), 56.076.152.832 Bytes frei

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 3037-2160

Verzeichnis von C:\WINDOWS

11.10.2005 09:02 0 0.log
11.10.2005 09:02 159 wiadebug.log
11.10.2005 09:02 50 wiaservc.log
11.10.2005 09:02 2.048 bootstat.dat
11.10.2005 09:02 32.546 SchedLgU.Txt
11.10.2005 08:28 1.640 sites.ini
10.10.2005 21:06 6.400 balloon.wav
10.10.2005 21:04 1.868.288 x74ca5e40.tmp
10.10.2005 21:03 3.072 uninstIU.exe
10.10.2005 21:03 1.668 warnhp.html
09.10.2005 08:14 929 win.ini
06.10.2005 19:00 355 GSSBProPlusSE.INI
06.10.2005 14:08 12.862 EPISMG00.SWB
23.09.2005 08:25 3.375.681 {00000000-00000000-0000000A-00001102-00000002-100A1102}.CDF
07.09.2005 09:03 0 distlib.ini
29.08.2005 14:43 29 DEBUGSM.INI
17.08.2005 11:56 316.640 WMSysPr9.prx
16.08.2005 14:18 2.510 Microsoft.MIF
16.08.2005 14:17 2.464 $_hpcst$.hpc
16.08.2005 11:21 0 Sti_Trace.log
16.08.2005 11:19 231 system.ini
16.08.2005 11:14 307 SBWIN.INI
16.08.2005 11:11 299.552 WMSysPrx.prx
16.08.2005 11:04 26 tsctv.ini
16.08.2005 10:54 403 ODBC.INI
16.08.2005 10:54 63 mdm.ini
16.08.2005 10:54 0 NSREX.INI
16.08.2005 10:54 59 vbaddin.ini
16.08.2005 10:30 8.192 REGLOCS.OLD
16.08.2005 10:28 0 control.ini
16.08.2005 10:27 4.161 ODBCINST.INI
16.08.2005 10:26 749 WindowsShell.Manifest
16.08.2005 10:25 36 vb.ini

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 3037-2160

Verzeichnis von C:\

11.10.2005 09:23 0 sys.txt
11.10.2005 09:22 4.649 system.txt
11.10.2005 09:22 727 systemtemp.txt
11.10.2005 09:21 103.436 system32.txt
11.10.2005 09:02 805.306.368 pagefile.sys
10.10.2005 18:57 47.580 NTDETECT.COM
10.10.2005 18:57 235.296 ntldr
09.10.2005 10:56 13.030 PDOXUSRS.NET
14.09.2005 07:33 205 boot.ini
16.08.2005 11:04 10.012 pltemp.ini
16.08.2005 10:28 0 CONFIG.SYS
16.08.2005 10:28 0 IO.SYS
16.08.2005 10:28 0 MSDOS.SYS
16.08.2005 10:28 0 AUTOEXEC.BAT
16.08.2005 10:28 1.152 zv6ja6zo.sys --> ????????
23.08.2001 14:00 4.952 bootfont.bin
16 Datei(en) 805.727.407 Bytes
0 Verzeichnis(se), 56.076.144.640 Bytes frei

See you later, and thanks,
Ralf

Now the eScan log after all.
I had not read carefully enough at first. It did work after all. Here now is the eScan evaluation:

--------------------------------------------------
-------------------- INFECTED --------------------
--------------------------------------------------
1: Tue Oct 11 09:51:54 2005 => System found infected with alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
2: Tue Oct 11 09:51:54 2005 => System found infected with alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
3: Tue Oct 11 09:51:55 2005 => System found infected with alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
4: Tue Oct 11 09:51:56 2005 => Offending file found: C:\WINDOWS\sites.ini
5: Tue Oct 11 09:51:56 2005 => System found infected with smitfraud Spyware/Adware (sites.ini)! Action taken: No Action Taken.
6: Tue Oct 11 09:51:57 2005 => Offending file found: C:\WINDOWS\System32\msole32.exe
7: Tue Oct 11 09:51:57 2005 => System found infected with smitfraud Spyware/Adware (msole32.exe)! Action taken: No Action Taken.
8: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\0c5nfqj6\ads[1].htm
9: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
10: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\dg6bk4om\ads[1].htm
11: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
12: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\e5qb6bch\ads[1].htm
13: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
14: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\e5qb6bch\ads[2].htm
15: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[2].htm)! Action taken: No Action Taken.
16: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\m92lahof\ads[1].htm
17: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
18: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\m92lahof\ads[2].htm
19: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[2].htm)! Action taken: No Action Taken.
20: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\olorm78j\stylesheet[1].css
21: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (stylesheet[1].css)! Action taken: No Action Taken.
22: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\otebs1en\ads[1].htm
23: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
24: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\qtibi1af\ads[1].htm
25: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
26: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\x3vd7dzs\show_ads[2].js
27: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
28: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\Temporary Internet Files\content.ie5\0c5nfqj6\ads[1].htm
29: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
30: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\Temporary Internet Files\content.ie5\dg6bk4om\ads[1].htm
31: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
32: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\Temporary Internet Files\content.ie5\e5qb6bch\ads[1].htm
33: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
34: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\Temporary Internet Files\content.ie5\e5qb6bch\ads[2].htm
35: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[2].htm)! Action taken: No Action Taken.
36: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\Temporary Internet Files\content.ie5\m92lahof\ads[1].htm
37: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
38: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\Temporary Internet Files\content.ie5\m92lahof\ads[2].htm
39: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[2].htm)! Action taken: No Action Taken.
40: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\Temporary Internet Files\content.ie5\olorm78j\stylesheet[1].css
41: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (stylesheet[1].css)! Action taken: No Action Taken.
42: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\Temporary Internet Files\content.ie5\otebs1en\ads[1].htm
43: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
44: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\Temporary Internet Files\content.ie5\qtibi1af\ads[1].htm
45: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (ads[1].htm)! Action taken: No Action Taken.
46: Tue Oct 11 09:51:57 2005 => Offending file found: C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\Temporary Internet Files\content.ie5\x3vd7dzs\show_ads[2].js
47: Tue Oct 11 09:51:57 2005 => System found infected with whenu.savenow Spyware/Adware (show_ads[2].js)! Action taken: No Action Taken.
48: Tue Oct 11 09:53:46 2005 => File C:\WINDOWS\System32\hhk.dll infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
49: Tue Oct 11 09:53:52 2005 => File C:\WINDOWS\System32\intell32.exe infected by "Trojan-Downloader.Win32.Small.vu" Virus! Action Taken: No Action Taken.
50: Tue Oct 11 09:55:23 2005 => File C:\WINDOWS\System32\msole32.exe infected by "Trojan-Clicker.Win32.Agent.cr" Virus! Action Taken: No Action Taken.
51: Tue Oct 11 09:56:01 2005 => File C:\WINDOWS\System32\TFTP2004 infected by "Backdoor.Win32.Rbot.xe" Virus! Action Taken: No Action Taken.
52: Tue Oct 11 09:56:21 2005 => File C:\!Submit\shnlog.exe infected by "Trojan.Win32.Puper.bf" Virus! Action Taken: No Action Taken.
53: Tue Oct 11 09:58:50 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
54: Tue Oct 11 09:58:50 2005 => Scanning File C:\Programme\AVPersonal\INFECTED\msmsgs.VIR
55: Tue Oct 11 09:58:50 2005 => File C:\Programme\AVPersonal\INFECTED\msmsgs.VIR infected by "Trojan-Downloader.Win32.Zlob.ak" Virus! Action Taken: No Action Taken.
56: Tue Oct 11 09:58:50 2005 => Scanning File C:\Programme\AVPersonal\INFECTED\msmsgs.VIR00
57: Tue Oct 11 09:58:50 2005 => File C:\Programme\AVPersonal\INFECTED\msmsgs.VIR00 infected by "Trojan-Downloader.Win32.Zlob.ak" Virus! Action Taken: No Action Taken.
58: Tue Oct 11 09:58:50 2005 => Scanning File C:\Programme\AVPersonal\INFECTED\msmsgs.VIR01
59: Tue Oct 11 09:58:50 2005 => File C:\Programme\AVPersonal\INFECTED\msmsgs.VIR01 infected by "Trojan-Downloader.Win32.Zlob.ak" Virus! Action Taken: No Action Taken.
60: Tue Oct 11 09:58:50 2005 => Scanning File C:\Programme\AVPersonal\INFECTED\msmsgs.VIR02
61: Tue Oct 11 09:58:50 2005 => File C:\Programme\AVPersonal\INFECTED\msmsgs.VIR02 infected by "Trojan-Downloader.Win32.Zlob.ak" Virus! Action Taken: No Action Taken.
62: Tue Oct 11 10:08:40 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020689.exe infected by "Trojan.Win32.DNSChanger.ab" Virus! Action Taken: No Action Taken.
63: Tue Oct 11 10:08:40 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020697.exe infected by "Trojan.Win32.DNSChanger.ab" Virus! Action Taken: No Action Taken.
64: Tue Oct 11 10:08:40 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020705.exe infected by "Trojan.Win32.DNSChanger.ab" Virus! Action Taken: No Action Taken.
65: Tue Oct 11 10:08:40 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020713.exe infected by "Trojan.Win32.DNSChanger.ab" Virus! Action Taken: No Action Taken.
66: Tue Oct 11 10:08:40 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020721.exe infected by "Trojan.Win32.DNSChanger.ab" Virus! Action Taken: No Action Taken.
67: Tue Oct 11 10:08:40 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020729.exe infected by "Trojan.Win32.DNSChanger.ab" Virus! Action Taken: No Action Taken.
68: Tue Oct 11 10:08:41 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020737.exe infected by "Trojan.Win32.DNSChanger.ab" Virus! Action Taken: No Action Taken.
69: Tue Oct 11 10:08:41 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020745.exe infected by "Trojan.Win32.DNSChanger.ab" Virus! Action Taken: No Action Taken.
70: Tue Oct 11 10:08:41 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020754.exe infected by "Trojan.Win32.DNSChanger.ab" Virus! Action Taken: No Action Taken.
71: Tue Oct 11 10:08:41 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020762.exe infected by "Trojan.Win32.DNSChanger.ab" Virus! Action Taken: No Action Taken.
72: Tue Oct 11 10:13:04 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0024690.exe infected by "Trojan.Win32.DNSChanger.ab" Virus! Action Taken: No Action Taken.
73: Tue Oct 11 10:13:04 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025567.exe infected by "Trojan.Win32.Puper.bd" Virus! Action Taken: No Action Taken.
74: Tue Oct 11 10:13:05 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025568.exe infected by "Trojan.Win32.DNSChanger.ab" Virus! Action Taken: No Action Taken.
75: Tue Oct 11 10:14:18 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025572.exe infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
76: Tue Oct 11 10:14:18 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025573.dll infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
77: Tue Oct 11 10:14:20 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025588.exe infected by "Trojan.Win32.Puper.bd" Virus! Action Taken: No Action Taken.
78: Tue Oct 11 10:14:20 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025589.exe infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
79: Tue Oct 11 10:14:20 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025590.dll infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
80: Tue Oct 11 10:14:21 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025592.exe infected by "Trojan.Win32.Puper.bf" Virus! Action Taken: No Action Taken.
81: Tue Oct 11 10:14:21 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025600.exe infected by "Trojan.Win32.Favadd.aj" Virus! Action Taken: No Action Taken.
82: Tue Oct 11 10:14:21 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025606.exe infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
83: Tue Oct 11 10:14:21 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025607.dll infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
84: Tue Oct 11 10:14:22 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025619.exe infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
85: Tue Oct 11 10:14:22 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025620.dll infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
86: Tue Oct 11 10:14:22 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025631.exe infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
87: Tue Oct 11 10:14:22 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025632.dll infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
88: Tue Oct 11 10:14:22 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025638.exe infected by "Trojan.Win32.Puper.bf" Virus! Action Taken: No Action Taken.
89: Tue Oct 11 10:14:23 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025658.exe infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
90: Tue Oct 11 10:44:29 2005 => File C:\WINDOWS\system32\hhk.dll infected by "Trojan-Clicker.Win32.Agent.dj" Virus! Action Taken: No Action Taken.
91: Tue Oct 11 10:44:40 2005 => File C:\WINDOWS\system32\intell32.exe infected by "Trojan-Downloader.Win32.Small.vu" Virus! Action Taken: No Action Taken.
92: Tue Oct 11 10:44:51 2005 => File C:\WINDOWS\system32\LogFiles\OD0080400.so infected by "Trojan-Downloader.Win32.Small.bqx" Virus! Action Taken: No Action Taken.
93: Tue Oct 11 10:48:19 2005 => File C:\WINDOWS\system32\msole32.exe infected by "Trojan-Clicker.Win32.Agent.cr" Virus! Action Taken: No Action Taken.
94: Tue Oct 11 10:49:22 2005 => File C:\WINDOWS\system32\TFTP2004 infected by "Backdoor.Win32.Rbot.xe" Virus! Action Taken: No Action Taken.
95: Tue Oct 11 10:53:50 2005 => File D:\Download\eMule_Tmp\Incoming\Navigon Mobile Navigator Mn5 Update v5.1(2).zip infected by "Email-Worm.VBS.Gedza" Virus! Action Taken: No Action Taken.

--------------------------------------------------
--------------------- TAGGED ---------------------
--------------------------------------------------
1: Tue Oct 11 10:14:18 2005 => File C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025571.exe tagged as "not-a-virus:AdWare.Win32.Msnagent.b". Action Taken: No Action Taken.
2: Tue Oct 11 10:55:03 2005 => File D:\Download\Videobearbeitung\artisan player\artisan player.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.z". Action Taken: No Action Taken.

--------------------------------------------------
--------------------- ERRORS ---------------------
--------------------------------------------------
1: Tue Oct 11 09:51:38 2005 => ERROR!!! Invalid Entry = C:\WINDOWS\System32\hp58CE.tmp (in key Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}). No Action Taken.
2: Tue Oct 11 09:51:46 2005 => ERROR!!! Invalid Entry notepad.exe = msmsgs.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run). No Action Taken.
3: Tue Oct 11 09:51:46 2005 => ERROR!!! Invalid Entry notepad2.exe = popuper.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run). No Action Taken.
4: Tue Oct 11 09:51:46 2005 => ERROR!!! Invalid Entry paint.exe = shnlog.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run). No Action Taken.
5: Tue Oct 11 09:51:48 2005 => ERROR!!! Invalid Entry System32\drivers\ctdvda2k.sys in SYSTEM\CurrentControlSet\Services\ctdvda2k...
6: Tue Oct 11 09:52:06 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".03E". Action Taken: No Action Taken.
7: Tue Oct 11 09:52:06 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".CCD". Action Taken: No Action Taken.
8: Tue Oct 11 09:52:06 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dxf". Action Taken: No Action Taken.
9: Tue Oct 11 09:52:06 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pac". Action Taken: No Action Taken.
10: Tue Oct 11 09:52:06 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pf". Action Taken: No Action Taken.
11: Tue Oct 11 09:52:06 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sbexp". Action Taken: No Action Taken.
12: Tue Oct 11 09:52:06 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tla". Action Taken: No Action Taken.
13: Tue Oct 11 09:52:06 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{40F6B238-8379-4ECD-8F62-811A1C0F2DAC}". Action Taken: No Action Taken.
14: Tue Oct 11 09:52:06 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7342DC58-09FD-4B25-B8CE-3891137730E4}". Action Taken: No Action Taken.
15: Tue Oct 11 09:52:06 2005 => Entry "HKCR\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" refers to invalid object "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx". Action Taken: No Action Taken.
16: Tue Oct 11 09:52:07 2005 => Entry "HKCR\CLSID\{601ED020-FB6C-11D3-87D8-0050DA59922B}" refers to invalid object "D:\Programme\Ipswitch\WS_FTP Pro\wsbho2k0.dll". Action Taken: No Action Taken.
17: Tue Oct 11 09:52:07 2005 => Entry "HKCR\CLSID\{B5326945-FC55-11D3-87D8-0050DA59922B}" refers to invalid object "D:\Programme\Ipswitch\WS_FTP Pro\wsbho2k0.dll". Action Taken: No Action Taken.
18: Tue Oct 11 09:52:08 2005 => Entry "HKCR\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}" refers to invalid object "C:\WINDOWS\System32\hp58CE.tmp". Action Taken: No Action Taken.
19: Tue Oct 11 09:52:08 2005 => Entry "HKCR\TypeLib\{1A3E76E1-27C2-4C0D-85BB-A64A1DFFCB25}" refers to invalid object "C:\DOKUME~1\Ralf\LOKALE~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
20: Tue Oct 11 09:52:08 2005 => Entry "HKCR\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}" refers to invalid object "C:\WINDOWS\System32\hp58CE.tmp". Action Taken: No Action Taken.
21: Tue Oct 11 09:52:08 2005 => Entry "HKCR\TypeLib\{5F226421-415D-408D-9A09-0DCD94E25B48}" refers to invalid object "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx". Action Taken: No Action Taken.
22: Tue Oct 11 09:52:08 2005 => Entry "HKCR\TypeLib\{601ED012-FB6C-11D3-87D8-0050DA59922B}" refers to invalid object "D:\Programme\Ipswitch\WS_FTP Pro\wsbho2k0.dll". Action Taken: No Action Taken.
23: Tue Oct 11 09:52:10 2005 => Entry "HKCR\HP.1" refers to invalid object "{76b17cf3-3e51-4d69-a5e6-3fbed70f3481}". Action Taken: No Action Taken.
24: Tue Oct 11 09:52:11 2005 => Entry "HKCR\ppifile\shell\open\command" refers to invalid object "%SystemRoot%\System32\msppcnfg.exe /Config %1". Action Taken: No Action Taken.

--------------------------------------------------
-------- DATEIEN ZUM LÖSCHEN HINZUGEFÜGT ---------
--------------------------------------------------
1: C:\WINDOWS\System32\hhk.dll => Trojan-Clicker.Win32.Agent.dj
2: C:\WINDOWS\System32\intell32.exe => Trojan-Downloader.Win32.Small.vu
3: C:\WINDOWS\System32\msole32.exe => Trojan-Clicker.Win32.Agent.cr
4: C:\WINDOWS\System32\TFTP2004 => Backdoor.Win32.Rbot.xe
5: C:\!Submit\shnlog.exe => Trojan.Win32.Puper.bf
6: C:\Programme\AVPersonal\INFECTED\msmsgs.VIR => Trojan-Downloader.Win32.Zlob.ak
7: C:\Programme\AVPersonal\INFECTED\msmsgs.VIR00 => Trojan-Downloader.Win32.Zlob.ak
8: C:\Programme\AVPersonal\INFECTED\msmsgs.VIR01 => Trojan-Downloader.Win32.Zlob.ak
9: C:\Programme\AVPersonal\INFECTED\msmsgs.VIR02 => Trojan-Downloader.Win32.Zlob.ak
10: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020689.exe => Trojan.Win32.DNSChanger.ab
11: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020697.exe => Trojan.Win32.DNSChanger.ab
12: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020705.exe => Trojan.Win32.DNSChanger.ab
13: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020713.exe => Trojan.Win32.DNSChanger.ab
14: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020721.exe => Trojan.Win32.DNSChanger.ab
15: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020729.exe => Trojan.Win32.DNSChanger.ab
16: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020737.exe => Trojan.Win32.DNSChanger.ab
17: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020745.exe => Trojan.Win32.DNSChanger.ab
18: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020754.exe => Trojan.Win32.DNSChanger.ab
19: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020762.exe => Trojan.Win32.DNSChanger.ab
20: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0024690.exe => Trojan.Win32.DNSChanger.ab
21: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025567.exe => Trojan.Win32.Puper.bd
22: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025568.exe => Trojan.Win32.DNSChanger.ab
23: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025572.exe => Trojan-Clicker.Win32.Agent.dj
24: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025573.dll => Trojan-Clicker.Win32.Agent.dj
25: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025588.exe => Trojan.Win32.Puper.bd
26: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025589.exe => Trojan-Clicker.Win32.Agent.dj
27: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025590.dll => Trojan-Clicker.Win32.Agent.dj
28: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025592.exe => Trojan.Win32.Puper.bf
29: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025600.exe => Trojan.Win32.Favadd.aj
30: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025606.exe => Trojan-Clicker.Win32.Agent.dj
31: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025607.dll => Trojan-Clicker.Win32.Agent.dj
32: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025619.exe => Trojan-Clicker.Win32.Agent.dj
33: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025620.dll => Trojan-Clicker.Win32.Agent.dj
34: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025631.exe => Trojan-Clicker.Win32.Agent.dj
35: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025632.dll => Trojan-Clicker.Win32.Agent.dj
36: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025638.exe => Trojan.Win32.Puper.bf
37: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP64\A0025658.exe => Trojan-Clicker.Win32.Agent.dj
38: C:\WINDOWS\system32\hhk.dll => Trojan-Clicker.Win32.Agent.dj
39: C:\WINDOWS\system32\intell32.exe => Trojan-Downloader.Win32.Small.vu
40: C:\WINDOWS\system32\LogFiles\OD0080400.so => Trojan-Downloader.Win32.Small.bqx
41: C:\WINDOWS\system32\msole32.exe => Trojan-Clicker.Win32.Agent.cr
42: C:\WINDOWS\system32\TFTP2004 => Backdoor.Win32.Rbot.xe
43: D:\Download\eMule_Tmp\Incoming\Navigon Mobile Navigator Mn5 Update v5.1(2).zip => Email-Worm.VBS.Gedza

--------------------------------------------------
-------------------- Statistik -------------------
--------------------------------------------------
Tue Oct 11 11:36:04 2005 => Total Objects Scanned: 225383
Tue Oct 11 11:36:04 2005 => Total Virus(es) Found: 78
Tue Oct 11 11:36:04 2005 => Total Errors: 24
Tue Oct 11 11:36:04 2005 => Virus Database Date: 2005/10/11
Tue Oct 11 11:36:04 2005 => Virus Database Count: 153395
Tue Oct 11 12:24:29 2005 => Total Objects Scanned: 225383
Tue Oct 11 12:24:29 2005 => Total Virus(es) Found: 78
Tue Oct 11 12:24:29 2005 => Total Errors: 24

This post was edited on 11.10.2005 at 12:37 by Pfifferling.
11.10.2005, 13:14
Honorary member
Posts: 29434
#4
Pfifferling

Post the log from Silent Runners: http://virus-protect.org/silentrunner.html

CCleaner (delete all temp files): http://virus-protect.org/temp.html

*reg file
At the top of the browser: File -- Save Page As.. -- choose "Desktop" -- save
http://www.bleepingcomputer.com/files/reg/smitfraud.reg
A smitfraud.reg will then appear on the desktop.
Restart the computer into Safe Mode (press F8 while booting). Double-click the file "smitfraud.reg" on the desktop and confirm with "yes" so that the reg file is merged into the registry, then restart the PC immediately.

Disable System Restore: XP My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".
---------------------------
With CCleaner you must delete all temporary files... or manually:
C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\0c5nfqj6\ads[1].htm
C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\dg6bk4om\ads[1].htm
C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\e5qb6bch\ads[1].htm
C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\e5qb6bch\ads[2].htm
C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\m92lahof\ads[1].htm
C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\m92lahof\ads[2].htm
C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\olorm78j\stylesheet[1].css
C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\temporary internet files\content.ie5\otebs1en\ads[1].htm
etc....
__________
Regards, Sabina
All about PC security
11.10.2005, 13:32
Member
Thread starter Posts: 14
#5
Hello Sabina

Thanks for the reply. I ran Silent Runners. I'll post the reg file after this message. I didn't understand the part about the *.reg file, though. For now I'll delete the files mentioned with Killbox and wait for further info.

Regards and thanks, Ralf

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"notepad.exe" = "msmsgs.exe" [MS]
"notepad2.exe" = "popuper.exe" [file not found]
"paint.exe" = "shnlog.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"EPSON Stylus CX3200" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"" ["SEIKO EPSON CORPORATION"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"dmkjr.exe" = "C:\WINDOWS\System32\dmkjr.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Programme\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\(Default) = "HP Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hp58CE.tmp" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1031\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop-Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{C3F24159-A5D9-4779-862B-345D3418CAF0}" = "Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Mwtrns10.dll" [empty string]
"{330417E8-EF62-4047-82BE-D8305CEFF572}" = "AMEncShlExt extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\4MUSIC~1\amshellext.dll" ["4Musics, Inc."]
"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}" = "IconFactTemp.NSIconHandlerFactory"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" [null data]
"{A2AC368A-F883-11D0-B745-00A0C90646A4}" = "NSFiltManDll.FiltManCom"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" [null data]
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}" = "*W" (unwritable string)
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFnd80.dll" ["Corel Corporation"]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cseai.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
MP3 to WAVE Transformer\(Default) = "{C3F24159-A5D9-4779-862B-345D3418CAF0}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Mwtrns10.dll" [empty string]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
FolderToCorelMediaFolder\(Default) = "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Ralf\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Mobilen Favoriten erstellen"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
EpsonBidirectionalService, EpsonBidirectionalService, "C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\eEBSVC.exe" [null data]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 37 seconds, including 13 seconds for message boxes)
11.10.2005, 13:34
Honorary member
Posts: 29434
#6
*reg file
At the top of the browser: File -- Save Page As.. -- choose "Desktop" -- save
http://www.bleepingcomputer.com/files/reg/smitfraud.reg
A smitfraud.reg will then appear on the desktop.
Restart the computer into Safe Mode (press F8 while booting). Double-click the file "smitfraud.reg" on the desktop and confirm with "yes" so that the reg file is merged into the registry, then restart the PC immediately.
__________
Regards, Sabina
All about PC security
11.10.2005, 13:38
Honorary member
Posts: 29434
#7
Delete with Killbox: (more has been added....)..there are three different infections and a backdoor....
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\ole32vbs.exe
C:\WINDOWS\system32\intell32.exe
C:\WINDOWS\system32\LogFiles\OD0080400.so
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\hhk.dll
C:\WINDOWS\system32\hp58CE.tmp
C:\WINDOWS\system32\hp608E.tmp
C:\WINDOWS\system32\hp5A06.tmp
C:\WINDOWS\system32\hp4B03.tmp
C:\WINDOWS\system32\dgprpsetup.exe
C:\WINDOWS\system32\SetupCarnival.exe
C:\WINDOWS\system32\lpfpy.dll
C:\WINDOWS\System32\dmkjr.exe
C:\WINDOWS\System32\cseai.exe
C:\WINDOWS\System32\msmsgs.exe
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\ts.ico
C:\WINDOWS\system32\hqxzy.dll
C:\WINDOWS\system32\wpa.dbl
C:\WINDOWS\system32\TFTP1984
C:\WINDOWS\system32\TFTP2016
C:\WINDOWS\system32\TFTP2004
D:\Download\eMule_Tmp\Incoming\Navigon Mobile Navigator Mn5 Update v5.1(2).zip
C:\!Submit\shnlog.exe
C:\Programme\AVPersonal\INFECTED\msmsgs.VIR
C:\Programme\AVPersonal\INFECTED\msmsgs.VIR00
C:\Programme\AVPersonal\INFECTED\msmsgs.VIR01
C:\Programme\AVPersonal\INFECTED\msmsgs.VIR02
C:\WINDOWS\popuper.exe
C:\WINDOWS\sites.ini
C:\WINDOWS\balloon.wav
C:\WINDOWS\x74ca5e40.tmp
C:\WINDOWS\uninstIU.exe
C:\WINDOWS\warnhp.html
C:\zv6ja6zo.sys

Download F-Secure Beta Trial: http://www.f-secure.com/blacklight/
Double-click: blbeta.exe. After the check click -- next. A text file will then be found on the desktop: copy it into your thread.

smitRem TOOL (removal tool): http://noahdfear.geekstogo.com/
Open the smitRem folder, double-click: RunThis.bat. Wait until the scan has finished (the screen will turn blue, that is normal). Look for smitfiles.txt and post the text file in the thread.

There will be more to delete afterwards, and I also have to make you another reg file... only after that do the virus scans begin.
__________
Regards, Sabina
All about PC security
11.10.2005, 14:55
Member
Thread starter Posts: 14
#8
Hi there

So, I have now followed the steps. However, I could not delete the following files because they were not present:
C:\WINDOWS\system32\hp58CE.tmp
C:\WINDOWS\system32\hp608E.tmp
C:\WINDOWS\system32\hp5A06.tmp
C:\WINDOWS\system32\hp4B03.tmp
C:\WINDOWS\system32\wpa.dbl
C:\WINDOWS\popuper.exe
C:\WINDOWS\x74ca5e40.tmp
C:\zv6ja6zo.sys
C:\WINDOWS\System32\dmkjr.exe
C:\WINDOWS\System32\cseai.exe
C:\WINDOWS\System32\msmsgs.exe

I deleted all the others, as I said. Here now the log files:

10/11/05 14:24:43 [Info]: BlackLight Engine 1.0.23 initialized
10/11/05 14:24:43 [Info]: OS: 5.1 build 2600 (Service Pack 1)
10/11/05 14:24:43 [Note]: 4019 4
10/11/05 14:24:43 [Note]: 4005 0
10/11/05 14:24:47 [Note]: 4006 0
10/11/05 14:24:47 [Note]: 4011 1296
10/11/05 14:24:48 [Note]: FSRAW library version 1.7.1011
10/11/05 14:25:27 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
10/11/05 14:25:27 [Note]: 10002 1
10/11/05 14:25:40 [Info]: Hidden file: C:\WINDOWS\system32\dmuxd.exe
10/11/05 14:25:40 [Note]: 4002 32
10/11/05 14:25:40 [Note]: 4003 1
10/11/05 14:25:40 [Note]: 10002 1
10/11/05 14:25:50 [Info]: Hidden file: C:\WINDOWS\system32\hlmicro.exe
10/11/05 14:25:50 [Note]: 10002 1
10/11/05 14:26:00 [Info]: Hidden file: C:\WINDOWS\system32\hwiper.exe
10/11/05 14:26:00 [Note]: 10002 1
10/11/05 14:26:12 [Info]: Hidden file: C:\WINDOWS\system32\cspef.exe
10/11/05 14:26:12 [Note]: 4002 32
10/11/05 14:26:12 [Note]: 4003 1
10/11/05 14:26:12 [Note]: 10002 1
10/11/05 14:26:38 [Note]: 4007 0

smitRem log file
version 2.6

by noahdfear

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

Pre-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

oleext.dll
logfiles

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

oleext.dll
logfiles

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

wininet.dll is missing!!

Regards, Ralf
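The helper in this thread builds the Killbox list by hand from two different reports: eScan's "DATEIEN ZUM LÖSCHEN HINZUGEFÜGT" section (post #3) and BlackLight's "Hidden file" lines (post #8). As an added example, which is my own code and not from this thread or from eScan, BlackLight or Killbox, the Python below does that consolidation: it reads only the eScan deletion section (the "Action Taken" error lines above it also contain "=>" and must be skipped), merges the paths case-insensitively because Windows paths are, and keeps copies under System Volume Information apart, since those restore-point snapshots are dealt with by turning off System Restore as post #4 advises rather than by one Killbox entry each. The sample report text is constructed from lines on this page with shortened numbering.

```python
import re
from collections import OrderedDict

# Constructed sample reports, modelled on the eScan and BlackLight output posted in
# this thread (paths and detection names come from those logs; numbering shortened).
# The first eScan line sits outside the deletion section and must be ignored even
# though it also contains "=>".
ESCAN_SAMPLE = r"""
24: Tue Oct 11 09:52:11 2005 => Entry "HKCR\ppifile\shell\open\command" refers to invalid object "%SystemRoot%\System32\msppcnfg.exe /Config %1". Action Taken: No Action Taken.
--------------------------------------------------
-------- DATEIEN ZUM LÖSCHEN HINZUGEFÜGT ---------
--------------------------------------------------
1: C:\WINDOWS\System32\hhk.dll => Trojan-Clicker.Win32.Agent.dj
2: C:\WINDOWS\System32\intell32.exe => Trojan-Downloader.Win32.Small.vu
3: C:\WINDOWS\System32\TFTP2004 => Backdoor.Win32.Rbot.xe
4: C:\System Volume Information\_restore{FADA30EE-40EF-400F-9FBC-6FE3A726EF93}\RP62\A0020689.exe => Trojan.Win32.DNSChanger.ab
5: C:\WINDOWS\system32\hhk.dll => Trojan-Clicker.Win32.Agent.dj
--------------------------------------------------
-------------------- Statistik -------------------
--------------------------------------------------
Tue Oct 11 11:36:04 2005 => Total Virus(es) Found: 78
"""

BLACKLIGHT_SAMPLE = r"""
10/11/05 14:24:43 [Info]: BlackLight Engine 1.0.23 initialized
10/11/05 14:25:27 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
10/11/05 14:25:27 [Note]: 10002 1
10/11/05 14:25:40 [Info]: Hidden file: C:\WINDOWS\system32\dmuxd.exe
"""

# "<n>: <path> => <detection name>"; the path may contain spaces, the name may not.
ESCAN_ENTRY = re.compile(r"^\s*\d+:\s+(?P<path>.+?)\s+=>\s+(?P<name>\S+)\s*$")
BL_HIDDEN = re.compile(r"\[Info\]:\s+Hidden file:\s+(?P<path>.+?)\s*$")
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def parse_escan(text):
    """Return (path, detection) pairs from eScan's 'files added for deletion' section only."""
    findings, in_section = [], False
    for line in text.splitlines():
        if "HINZUGEF" in line:          # "DATEIEN ZUM LÖSCHEN HINZUGEFÜGT" header opens it
            in_section = True
        elif "Statistik" in line:       # the statistics block closes it
            in_section = False
        elif in_section:
            m = ESCAN_ENTRY.match(line)
            if m:
                findings.append((m.group("path"), m.group("name")))
    return findings


def parse_blacklight(text):
    """Return the paths BlackLight reported as hidden from the normal file system API."""
    return [m.group("path") for m in map(BL_HIDDEN.search, text.splitlines()) if m]


def _add(bucket, path, source):
    # Key on the lower-cased path: Windows paths are case-insensitive, so the
    # System32 and system32 spellings of hhk.dll must become one entry.
    entry = bucket.setdefault(path.lower(), {"path": path, "sources": []})
    if source not in entry["sources"]:
        entry["sources"].append(source)


def consolidate(escan_text, blacklight_text):
    """Merge both reports into live files and restore-point copies, each deduplicated."""
    live, restore = OrderedDict(), OrderedDict()
    for path, name in parse_escan(escan_text):
        _add(restore if RESTORE_POINT.search(path) else live, path, "eScan:" + name)
    for path in parse_blacklight(blacklight_text):
        _add(live, path, "BlackLight:hidden")
    return {"live": list(live.values()), "restore_points": list(restore.values())}


def live_paths(result):
    """Paths on the running system in first-seen order: the candidate Killbox list."""
    return [e["path"] for e in result["live"]]


def review_only(result):
    """Entries whose only evidence is 'hidden'; being hidden is not a verdict by itself."""
    return [e["path"] for e in result["live"] if e["sources"] == ["BlackLight:hidden"]]


if __name__ == "__main__":
    res = consolidate(ESCAN_SAMPLE, BLACKLIGHT_SAMPLE)
    for e in res["live"]:
        print(e["path"], "<-", ", ".join(e["sources"]))
    print("restore-point copies:", len(res["restore_points"]))
    print("hidden only, needs a second opinion:", review_only(res))
```

The hidden-only bucket exists for a reason visible in this thread: BlackLight reported wbemtest.exe, a standard Windows WMI tool, as hidden alongside dmuxd.exe, hlmicro.exe, hwiper.exe and cspef.exe, and the helper put only the latter four on the deletion list in post #9. A scanner flag is a lead for review, not an instruction to delete.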
11.10.2005, 15:14
Honorary member
Posts: 29434
#9
Delete this too with Killbox:
C:\WINDOWS\system32\dmuxd.exe
C:\WINDOWS\system32\hlmicro.exe
C:\WINDOWS\system32\hwiper.exe
C:\WINDOWS\system32\oleext.dll
C:\WINDOWS\system32\cspef.exe

Start -- All Programs -- Accessories -- Notepad and paste the following text into it:
dir %Systemdrive%\wininet.dll /a h /s > files.txt
start notepad files.txt
- Save as: wininet.bat
- save under: file type: all files
- save to the desktop
- Locate wininet.bat -- double-click the bat file, Notepad opens -- post the text
----------------------------------------------------------------------------
and once again the 4 datfind logs and the Silent Runners log
__________
Regards, Sabina
All about PC security
11.10.2005, 15:49
Member
Themenstarter Beiträge: 14 |
#10
Die folgenden Dateien waren alle nicht vorhanden, deshalb konnte ich sie nicht löschen:
C:\WINDOWS\system32\dmuxd.exe C:\WINDOWS\system32\hlmicro.exe C:\WINDOWS\system32\hwiper.exe C:\WINDOWS\system32\oleext.dll C:\WINDOWS\system32\cspef.exe Ich hoffe ich habe jetzt die richtigen Scanns ausgeführt: "Silent Runners.vbs", revision 41, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS] "NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS] "H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"] "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS] "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] "UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."] "EPSON Stylus CX3200" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"" ["SEIKO EPSON CORPORATION"] "SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."] "Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"] "NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"] "dmpip.exe" = "C:\WINDOWS\System32\dmpip.exe" [null data] HKLM\Software\Microsoft\Active Setup\Installed Components\ {306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided) \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Programme\Messenger\msgsc.dll",ShowIconsUser" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not 
found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1031\UNBIND.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop-Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] "{C3F24159-A5D9-4779-862B-345D3418CAF0}" = "Context Menu Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Mwtrns10.dll" [empty string] "{330417E8-EF62-4047-82BE-D8305CEFF572}" = "AMEncShlExt extension" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\4MUSIC~1\amshellext.dll" ["4Musics, Inc."] "{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string] "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string] "{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder" -> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string] "{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder" -> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string] 
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder" -> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string] "{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string] "{8E524B0D-04F0-11D1-B74A-00A0C90646A4}" = "IconFactTemp.NSIconHandlerFactory" -> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" [null data] "{A2AC368A-F883-11D0-B745-00A0C90646A4}" = "NSFiltManDll.FiltManCom" -> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" [null data] "{B63FCD5A-2396-11D1-B762-00A0C90646A4}" = "*W" (unwritable string) -> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFnd80.dll" ["Corel Corporation"] "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension" -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! 
"System" = "csfky.exe" [null data] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"] MP3 to WAVE Transformer\(Default) = "{C3F24159-A5D9-4779-862B-345D3418CAF0}" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Mwtrns10.dll" [empty string] TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}" -> {CLSID}\InProcServer32\(Default) = "D:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ FolderToCorelMediaFolder\(Default) = "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" -> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string] TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}" -> {CLSID}\InProcServer32\(Default) = 
"D:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Scheduled Tasks: ------------------------ "1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."] {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\ "ButtonText" = "Mobilen Favoriten erstellen" "CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS] {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\ "MenuText" = "Mobilen Favoriten erstellen..." 
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS] Miscellaneous IE Hijack Points ------------------------------ HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ Missing lines (compared with English-language version): HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir Service, AntiVirService, ""C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"] AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"] Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"] EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"] EpsonBidirectionalService, EpsonBidirectionalService, "C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\eEBSVC.exe" [null data] NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"] TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"] WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. 
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 25 seconds, including 8 seconds for message boxes)

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 3037-2160

Verzeichnis von C:\Programme\EPSON\ScanToWeb
05.03.2002 21:53 480.528 WININET.DLL
1 Datei(en) 480.528 Bytes

Verzeichnis von C:\WINDOWS\$NtServicePackUninstall$
29.08.2002 09:32 590.848 wininet.dll
1 Datei(en) 590.848 Bytes

Verzeichnis von C:\WINDOWS\ServicePackFiles\i386
29.08.2002 03:43 604.672 wininet.dll
1 Datei(en) 604.672 Bytes

Verzeichnis von C:\WINDOWS\system32
29.08.2002 03:43 604.672 wininet.dll
1 Datei(en) 604.672 Bytes

smitRem log file
version 2.6
by noahdfear
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!

Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
oleext.dll
logfiles
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
oleext.dll
logfiles
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
wininet.dll is missing!!

See you,
Ralf
12.10.2005, 00:34
Honorary member
Posts: 29434
#11
Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fix.reg on the desktop using 'Save As'. Choose 'All Files' as the file type. You should now find this file on the desktop.
Restart the computer in Safe Mode (press F8 while booting). Double-click the file "fix.reg" on the desktop.
Quote
REGEDIT4------------------------------------------------------------
Delete:
C:\WINDOWS\system32\LogFiles
C:\WINDOWS\System32\dmpip.exe
C:\WINDOWS\System32\oleext.dll --> right-click --> rename to dl, then delete
C:\WINDOWS\System32\csfky.exe
Spybot (scan + report)
http://www.safer-networking.org/de/download/index.html
Download the F-Secure beta trial
http://www.f-secure.com/blacklight/
Double-click blbeta.exe; after the check click "Next". You will then find a text file on the desktop: copy it into your thread.
Scan with Kaspersky and Panda and report the results of the scans
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina
all about PC security
12.10.2005, 12:29
Member
Thread starter, Posts: 14
#12
Hello and good morning
Regarding the files to delete: done so far. However, the files dmpip.exe and csfky.exe were not present. Besides oleext I also have an Oleext32.dll in System32. As soon as I click on it, AntiVir immediately raises an alarm. Do I have to delete that one too??
Spybot: done. Result: "Gratulation, es wurden keine Spione gefunden."
F-Secure result:
10/12/05 10:38:45 [Info]: BlackLight Engine 1.0.23 initialized
10/12/05 10:38:45 [Info]: OS: 5.1 build 2600 (Service Pack 1)
10/12/05 10:38:45 [Note]: 4019 4
10/12/05 10:38:45 [Note]: 4005 0
10/12/05 10:38:49 [Note]: 4006 0
10/12/05 10:38:49 [Note]: 4011 1232
10/12/05 10:38:49 [Note]: FSRAW library version 1.7.1011
10/12/05 10:48:40 [Note]: 4007 0

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, October 12, 2005 12:27:51
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 12/10/2005
Kaspersky Anti-Virus database records: 144308
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 185040
Number of viruses found: 11
Number of infected objects: 19
Number of suspicious objects: 2
Duration of the scan process: 3584 sec
Infected Object Name - Virus Name
C:\!Submit\hhk.dll Infected: Trojan-Clicker.Win32.Agent.dj
C:\!Submit\msmsgs.VIR Infected: Trojan-Downloader.Win32.Zlob.ak
C:\!Submit\msmsgs.VIR00 Infected: Trojan-Downloader.Win32.Zlob.ak
C:\!Submit\msmsgs.VIR01 Infected: Trojan-Downloader.Win32.Zlob.ak
C:\!Submit\msmsgs.VIR02 Infected: Trojan-Downloader.Win32.Zlob.ak
C:\!Submit\Navigon Mobile Navigator Mn5 Update v5.1(2).zip/FILE.VBS Infected: Email-Worm.VBS.Gedza
C:\!Submit\Navigon Mobile Navigator Mn5 Update v5.1(2).zip Infected: Email-Worm.VBS.Gedza
C:\!Submit\OD0080400.so Infected: Trojan-Downloader.Win32.Small.bqx
C:\!Submit\popuper.exe Infected: Trojan.Win32.Puper.bg
D:\Daten\Sicherungen\Outlook\backup.pst/Persönliche Ordner/Gelöschte Objekte/12 Aug 2005 21:53 from PostBankAccountas neue System des Schut.html Infected: Trojan-Spy.HTML.Bankfraud.if
D:\Daten\Sicherungen\Outlook\backup.pst/Persönliche Ordner/Gelöschte Objekte/12 Aug 2005 23:56 from Ralf:/To_reduce_the_tax.zip/Taxes.exe Infected: Email-Worm.Win32.Bagle.cl
D:\Daten\Sicherungen\Outlook\backup.pst/Persönliche Ordner/Gelöschte Objekte/12 Aug 2005 23:56 from Ralf:/To_reduce_the_tax.zip Infected: Email-Worm.Win32.Bagle.cl
D:\Daten\Sicherungen\Outlook\backup.pst/Persönliche Ordner/Gelöschte Objekte/13 Aug 2005 00:17 from Deutsche Telekom AG:Rechnung Online/rechnung.pdf.zl9 Infected: Trojan-Downloader.Win32.Small.bgp
D:\Daten\Sicherungen\Outlook\backup.pst/Persönliche Ordner/Gelöschte Objekte/13 Aug 2005 00:17 from Deutsche Telekom AG:Rechnung/rechnung.pdf.zl9 Infected: Trojan-Downloader.Win32.Small.bgp
D:\Daten\Sicherungen\Outlook\backup.pst/Persönliche Ordner/Gelöschte Objekte/14 Aug 2005 00:50 from PostBankPoliceas neue System des Schutz.html Infected: Trojan-Spy.HTML.Bankfraud.if
D:\Daten\Sicherungen\Outlook\backup.pst/Persönliche Ordner/Gelöschte Objekte/26 Aug 2005 00:36 from Deutsche Telekom:Rechnung Online Monat Au/rechnung.pdf.exe Infected: Trojan-Downloader.Win32.Pechkin.a
D:\Daten\Sicherungen\Outlook\backup.pst/Persönliche Ordner/Gelöschte Objekte/26 Aug 2005 00:36 from Deutsche Telekom:Rechnung Online [5673243/rechnung.pdf.exe Infected: Trojan-Downloader.Win32.Pechkin.a
D:\Daten\Sicherungen\Outlook\backup.pst/Persönliche Ordner/Posteingang/05 Aug 2005 03:37 from Deutsche Bankeutsche Bank.html Infected: Trojan-Spy.HTML.Bankfraud.ih
D:\Daten\Sicherungen\Outlook\backup.pst Infected: Trojan-Spy.HTML.Bankfraud.ih
D:\Download\Bild Bearbeitung\Auto Grafics Album\ag_d.exe/uninstall.exe Suspicious: Type_Win32
D:\Download\Bild Bearbeitung\Auto Grafics Album\ag_d.exe Suspicious: Type_Win32
Scan process completed.

Regards,
Ralf
12.10.2005, 13:43
Honorary member
Posts: 29434
#13
Delete:
C:\!Submit and everything else that Kaspersky reported.
And delete: Oleext32.dll in System32 (I had actually already told you that several times...)
Panda online scan --> if the antivirus "complains" --> ignore it
http://virus-protect.org/onlinescan.html
---------------
Stop using Outlook in future.....
http://virus-protect.org/mailprogs.html
http://virus-protect.org/phishing1.html
+ a new log from Silent Runners
__________
Regards, Sabina
all about PC security
12.10.2005, 22:25
Member
Thread starter, Posts: 14
#14
Hello
I think I have deleted everything.
Quote: Stop using Outlook in future..... http://virus-protect.org/mailprogs.html http://virus-protect.org/phishing1.html End quote.
Is there no way to make Outlook more secure? I have a lot of addresses etc. in it.
Silent Runners log:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"EPSON Stylus CX3200" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"" ["SEIKO EPSON CORPORATION"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Zone Labs Client" = "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"dmkwo.exe" = "C:\WINDOWS\System32\dmkwo.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Programme\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1031\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop-Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{C3F24159-A5D9-4779-862B-345D3418CAF0}" = "Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Mwtrns10.dll" [empty string]
"{330417E8-EF62-4047-82BE-D8305CEFF572}" = "AMEncShlExt extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\4MUSIC~1\amshellext.dll" ["4Musics, Inc."]
"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}" = "IconFactTemp.NSIconHandlerFactory"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" [null data]
"{A2AC368A-F883-11D0-B745-00A0C90646A4}" = "NSFiltManDll.FiltManCom"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" [null data]
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}" = "*_" (unwritable string)
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFnd80.dll" ["Corel Corporation"]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
MP3 to WAVE Transformer\(Default) = "{C3F24159-A5D9-4779-862B-345D3418CAF0}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Mwtrns10.dll" [empty string]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
FolderToCorelMediaFolder\(Default) = "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"
-> {CLSID}\InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\Ipswitch\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421"]

Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Enabled Scheduled Tasks:
------------------------
"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Mobilen Favoriten erstellen"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS]
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS]

Miscellaneous IE Hijack Points
------------------------------
HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AntiVir Service, AntiVirService, ""C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
EpsonBidirectionalService, EpsonBidirectionalService, "C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\eEBSVC.exe" [null data]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 28 seconds, including 10 seconds for message boxes)

Regards,
Ralf
12.10.2005, 22:40
Honorary member
Posts: 29434
#15
Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fixneu.reg on the desktop using 'Save As'. Choose 'All Files' as the file type. You should now find this file on the desktop.
Quote
REGEDIT4
Delete with Killbox + restart the PC:
C:\WINDOWS\System32\dmkwo.exe
Restart the computer in Safe Mode (press F8 while booting). Double-click the file "fixneu.reg" on the desktop.
Run the scan with Panda and post me the scan report + the new Silent Runners log + the new HijackThis log... I need to see what is going on with the O17 entry....
__________
Regards, Sabina
all about PC security
Unfortunately I have had problems with viruses, trojans etc. several times in the past, and who knows what else is out there.
Several times I have had to do a fresh installation because of that, as I had no other idea what to do.
Now I want to try it here in the forum. As I have seen in other "topics" in this forum, there are a lot of users here who really know a lot. Hats off to that, I think it's really great.
Now to the problem. As I have seen, you usually want a report from HijackThis first.
So I made one and am posting the report here now.
Logfile of HijackThis v1.99.1
Scan saved at 21:41:03, on 10.10.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ole32vbs.exe
C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\eEBSVC.exe
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\shnlog.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\intmon.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Ralf\LOKALE~1\Temp\Rar$EX00.734\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/webhp?hl=de
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpFE26.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{598F570E-F14A-4F31-8CDC-B000D2796536}: NameServer = 85.255.113.146,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEAB4976-0A54-4EB5-AC23-9A643BF12228}: NameServer = 85.255.113.146,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5F4A22A-08B0-4EBF-AB76-AF259DAA3BFB}: NameServer = 85.255.113.146,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{598F570E-F14A-4F31-8CDC-B000D2796536}: NameServer = 85.255.113.146,85.255.112.19
O17 - HKLM\System\CS3\Services\Tcpip\..\{598F570E-F14A-4F31-8CDC-B000D2796536}: NameServer = 85.255.113.146,85.255.112.19
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Many thanks in advance for your efforts.
Greetings from Dülmen,
Ralf
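The F2 Shell= line, the O2 BHO with a missing file and the O17 NameServer entries Sabina later asks about are the three hijack classes in the HijackThis log above. As an added example (not code from the thread, from HijackThis or from any tool mentioned in it), a small Python triage that flags those entry types and correlates a binary that is loaded both via Shell= and a Run key; the expected resolver 192.168.0.1 is an assumed placeholder, and the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Assumption (not stated in the thread): the resolver this machine should be
# using, e.g. the home router. Constructed placeholder value.
EXPECTED_DNS = {"192.168.0.1"}

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus the benign AVGCtrl and O3 entries for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpFE26.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{598F570E-F14A-4F31-8CDC-B000D2796536}: NameServer = 85.255.113.146,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{598F570E-F14A-4F31-8CDC-B000D2796536}: NameServer = 85.255.113.146,85.255.112.19
""".strip()

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
EXE_RE = re.compile(r'([^\\"/]+\.exe)', re.IGNORECASE)


def exe_basename(command):
    """First *.exe token of a Run command line, lower-cased, or None."""
    m = EXE_RE.search(command)
    return m.group(1).lower() if m else None


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return a list of (section, message) findings for HijackThis-style lines."""
    findings = []
    shell_extras = set()             # loaders appended to Shell= besides Explorer.exe
    run_targets = defaultdict(list)  # exe basename -> [Run value names]

    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            # A healthy system.ini Shell= holds only Explorer.exe.
            for entry in m.group("shell").split(","):
                entry = entry.strip()
                if entry.lower() != "explorer.exe":
                    shell_extras.add(entry.lower())
                    findings.append(("F2", f"extra shell loader in system.ini: {entry}"))
        elif m := O2_RE.match(line):
            # A BHO registration whose DLL is gone is leftover of a removed or
            # self-deleting component and should not stay registered.
            if "(file missing)" in m.group("path"):
                findings.append(("O2", f"BHO '{m.group('name')}' {m.group('clsid')} "
                                       f"points to a missing file: {m.group('path')}"))
        elif m := O4_RE.match(line):
            exe = exe_basename(m.group("cmd"))
            if exe:
                run_targets[exe].append(m.group("label"))
        elif m := O17_RE.match(line):
            # Per-interface NameServer overrides pointing outside the expected
            # resolver set are the DNS-hijack signature this thread is about.
            servers = {s.strip() for s in m.group("servers").split(",")}
            unexpected = sorted(servers - expected_dns)
            if unexpected:
                findings.append(("O17", f"NameServer for {m.group('key')} set to "
                                        f"unexpected resolvers: {', '.join(unexpected)}"))

    # Correlation: the same binary persisted via both Shell= and a Run value is
    # a strong sign that both entries belong to one infection.
    for exe in sorted(shell_extras & set(run_targets)):
        labels = ", ".join(run_targets[exe])
        findings.append(("F2+O4", f"{exe} is loaded both via Shell= and Run ([{labels}])"))
    return findings


if __name__ == "__main__":
    for section, msg in triage(SAMPLE_LOG):
        print(f"[{section}] {msg}")
```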