Brauche Unterstützung beim Entfernen von adtoolskeep.exe & Co.

#1 Hallo!
Ich selbst bin ein Laie was das Auslesen von HiJack Logs und das Entfernen "unerwünschter" Programme angeht.

Deshalb hoffe ich, daß sich hier jemand findet, der mir dabei hilft..

Ich vermute, daß ich einen ganzen Zoo von unerwünschten Besuchern auf meinem System habe und auch wenn das Entfernen zeitintensiv sein sollte würde ich doch gerne erst diesen Weg versuchen und eine Neuinstallation möglichst umgehen.

Vielen Dank im Voraus

Und hier mein HiJack Log (um aktive Links zu vermeiden wurden alle http durch h**p ersetzt):

Logfile of HijackThis v1.99.1
Scan saved at 20:18:00, on 16.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\pupxpman.exe
F:\Programme\QuickTime\qttask.exe
C:\Program Files\AdTools Service\AdTools.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
D:\Programme\AVPersonal\AVGNT.EXE
C:\Program Files\AdTools Service\AdToolsKeep.exe
C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
D:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
d:\Programme\AVPersonal\AVWUPSRV.EXE
d:\Programme\CPUCooL\CooLSrv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\Programme\Yahoo!\Messenger\Messenger\ymsgr_tray.exe
C:\DOKUME~1\***\LOKALE~1\Temp\Temporäres Verzeichnis 1 für hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://rd.yahoo.com/customize/ymsgr/defaults/sb/*h**p://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://rd.yahoo.com/customize/ymsgr/defaults/sp/*h**p://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.t-online.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://rd.yahoo.com/customize/ymsgr/defaults/*h**p://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://rd.yahoo.com/customize/ymsgr/defaults/su/*h**p://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://rd.yahoo.com/customize/ymsgr/defaults/sb/*h**p://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://rd.yahoo.com/customize/ymsgr/defaults/sp/*h**p://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://rd.yahoo.com/customize/ymsgr/defaults/*h**p://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h**p://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = h**p://rd.yahoo.com/customize/ymsgr/defaults/su/*h**p://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = h**p=proxy.btx.dtag.de:80;ftp=ftp-proxy.btx.dtag.de:80
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IDN Helper Object - {118CE65F-5D86-4AEA-A9BD-94F92B89119F} - C:\WINDOWS\DOWNLO~1\CNSMIN~1.DLL
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] d:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] d:\Programme\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Ad-aware] "D:\Programme\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\System32\pupxpman.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVGCtrl] "d:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Programme\Yahoo!\Messenger\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Programme\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O8 - Extra context menu item: Visit &japanese keywords - res://C:\WINDOWS\DOWNLO~1\CnsMin.dll/203
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Programme\Yahoo!\Messenger\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Programme\Yahoo!\Messenger\Messenger\yhexbmes0819.dll
O9 - Extra button: D-Info - {5baf1db0-1d34-11d6-bf3c-005056303009} - D:\Programme\D\D-Info\html\toolbarscript.html
O9 - Extra 'Tools' menuitem: D-Info - {5baf1db0-1d34-11d6-bf3c-005056303009} - D:\Programme\D\D-Info\html\toolbarscript.html
O9 - Extra button: Web-Eintrag - {B4E30F61-16D9-11D3-85D1-005004229569} - D:\PROGRAMME\BüRO\LOTUS\ORGANIZE\BANDOBJS.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Backgammon - h**p://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Gin - h**p://download.games.yahoo.com/games/clients/y/ns0_x.cab
O16 - DPF: Yahoo! Pool 2 - h**p://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - h**p://static.windupdates.com/cab/CDT/ie/Bridge-c135.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - h**p://www.cult3d.com/download/cult.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - h**p://www.ysbweb.com/ist/softwares/v4.0/ysb_1002245.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - h**p://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - h**p://software-dl.real.com/24cf9e1854944d117b21/netzip/RdxIE601_de.cab
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} - h**p://advnt01.com/dialer/internazionale_ver10.CAB
O16 - DPF: {BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52} - h**p://www.online1net.com/kool/coolstuff4.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - h**p://download.abacast.com/download/files/abasetup130f3.cab
O18 - Filter: text/html - {3DE493CA-C59B-4B9E-ACA4-84E1DA021396} - C:\WINDOWS\Local Settings\Anwendungsdaten\microsoft\internet explorer\V0.34.dat
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - D:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - d:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - d:\Programme\CPUCooL\CooLSrv.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#2 Hallo@niftybee

öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://rd.yahoo.com/customize/ymsgr/defaults/sb/*h**p://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://rd.yahoo.com/customize/ymsgr/defaults/sp/*h**p://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://rd.yahoo.com/customize/ymsgr/defaults/*h**p://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://rd.yahoo.com/customize/ymsgr/defaults/su/*h**p://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://rd.yahoo.com/customize/ymsgr/defaults/sb/*h**p://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://rd.yahoo.com/customize/ymsgr/defaults/sp/*h**p://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://rd.yahoo.com/customize/ymsgr/defaults/*h**p://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h**p://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = h**p://rd.yahoo.com/customize/ymsgr/defaults/su/*h**p://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: IDN Helper Object - {118CE65F-5D86-4AEA-A9BD-94F92B89119F} - C:\WINDOWS\DOWNLO~1\CNSMIN~1.DLL
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll

O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - h**p://static.windupdates.com/cab/CDT/ie/Bridge-c135.cab
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} - h**p://advnt01.com/dialer/internazionale_ver10.CAB
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - h**p://download.abacast.com/download/files/abasetup130f3.cab
O18 - Filter: text/html - {3DE493CA-C59B-4B9E-ACA4-84E1DA021396} - C:\WINDOWS\Local Settings\Anwendungsdaten\microsoft\internet explorer\V0.34.dat

PC neustarten

CCleaner (loesche alle temp-Dateien)
http://virus-protect.org/temp.html

scanne mit kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html

counterspy
http://virus-protect.org/counterspy.html
Klicke: "Run a Spyware Scan Now"
- nach dem Scan muss man sich entscheiden für:
*Ignore
*Remove
*Quarantaine
wähle immer Remove und starte den PC neu (poste den scanreport)

poste den scanreport von ewido
http://virus-protect.org/ewido.html
__________
MfG Sabina

rund um die PC-Sicherheit