Home » Spyware & Browser Hijacker Support Forum » Hijackthis-logfile nach Auswertung: jetzt OK ??? » Themenansicht
Hijackthis-logfile nach Auswertung: jetzt OK ??? |
||
|---|---|---|
| #0
| ||
|
02.12.2005, 20:24
...neu hier
Beiträge: 2 |
||
 
|
|
|
|
03.12.2005, 03:23
Member
 Beiträge: 4730 |
#2
Weißt Du noch, welche drei bösen Prozesse Du gefixt hast? Das wäre für mich auch wichtig zu wissen.
Häkchen setzen und "fix checked" anklicken: O1 - Hosts: om O4 - HKLM\..\Run: [{59-94-4E-EA-ZN}] C:\windows\system32\rkdsrego.exe DREU02 O4 - HKCU\..\Run: [zroq] C:\PROGRA~1\GEMEIN~1\zroq\zroqm.exe O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinlsaz.exe O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\gp86l3ls1.dll O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFydGluYQ\command.exe Start -> Ausführen -> cmd gib folgendes in die Kommandozeile ein: sc stop cmdService (Enter drücken) sc delete cmdService (Enter drücken) jetzt kannst Du die Eingabeaufforderung wieder schließen. Deinstalliere Avast oder AntiVir. Zwei Virenscanner sind manchmal schlechter als überhaupt kein Virenscanner... Lösche mit Killbox folgende Dateien (Anleitung und Download: http://managor.de/killbox.htm) C:\WINDOWS\TWFydGluYQ\command.exe C:\WINDOWS\system32\dwdsregt.exe C:\WINDOWS\system32\qwinlsaz.exe C:\PROGRA~1\GEMEIN~1\zroq\zroqm.exe C:\windows\system32\rkdsrego.exe Wichtig ist jetzt, dass Du entgegen meiner Anleitung bei der letzten Datei bitte nicht mit "Ja" auf die Frage "Reboot now?" antwortest, da noch folgender Schritt ausgeführt werden muss: L2mfix: http://www.downloads.subratam.org/l2mfix.exe Herunterladen und entpacken. Alle Programme schließen, die geöffnet sind. Im l2mfix-Ordner die l2mfix.bat aufrufen (keine andere, es sei denn, Du wirst dazu aufgefordert). Wähle Option 2. Wenn nach einem Passwort gefragt wird, gib bye ein und drücke Enter. Desktop und Icons werden jetzt verschwinden (das ist normal). Wenn l2mfix fertig ist, dann wird der PC neugestartet (evtl. musst Du noch Enter drücken). Wenn der PC neugestartet ist, wird sich Notepad mit dem Log öffnen. Das poste hier. Außerdem ein neues HJT-Log und am besten noch einen Scan mit eScanCheck (http://managor.de/escan.htm) __________ Dies ist eine Signatur! Persönlicher Service: Du kommst aus Berlin? Dann melde Dich per PN bei mir, evtl. können wir einen Termin vereinbaren. Der Grabsteinschubser Dieser Beitrag wurde am 03.12.2005 um 03:37 Uhr von Managor editiert.
|
|
|
|
|
|
|
27.12.2005, 12:45
...neu hier
Themenstarter Beiträge: 2 |
#3
Hallo,
hier ist das l2mfix-logfile und danach noch hijackthis-file Habe leider aus Versehen bei killbox statt "delete on reboot" "standard delete" angeklickt. Ist das sehr schlimm??? L2mfix Beta 121605 Creating Account. Der Befehl wurde erfolgreich ausgefhrt. Adding Administrative privleges. Checking for L2MFix account(0=no 1=yes): 1 Granting SeDebugPrivilege to L2MFIX ... successful Running From: C:\WINDOWS\system32 Killing Processes! Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 612 'smss.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 704 'winlogon.exe' Killing PID 704 'winlogon.exe' Killing PID 704 'winlogon.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 144 'explorer.exe' Killing PID 144 'explorer.exe' Killing PID 144 'explorer.exe' Killing PID 144 'explorer.exe' Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03 Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org Killing PID 1856 'rundll32.exe' Killing PID 3732 'rundll32.exe' Restoring Sedebugprivilege: Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332 Granting SeDebugPrivilege to Administrateurs ... failed (GetAccountSid(Administrateurs)=1332 Granting SeDebugPrivilege to Administrat÷rer ... failed (GetAccountSid(Administrat÷rer)=1332 Granting SeDebugPrivilege to Administradores ... failed (GetAccountSid(Administradores)=1332 Granting SeDebugPrivilege to Amministratore ... failed (GetAccountSid(Amministratore)=1332 Granting SeDebugPrivilege to Administratoren ... successful Scanning First Pass. Please Wait! First Pass Completed Second Pass Scanning Second pass Completed! moving: C:\WINDOWS\system32\cpmpatui.dll Successfully Moved: C:\WINDOWS\system32\cpmpatui.dll moving: C:\WINDOWS\system32\desec.dll Successfully Moved: C:\WINDOWS\system32\desec.dll moving: C:\WINDOWS\system32\dunmpntw.dll Successfully Moved: C:\WINDOWS\system32\dunmpntw.dll moving: C:\WINDOWS\system32\iwuninst.dll Successfully Moved: C:\WINDOWS\system32\iwuninst.dll moving: C:\WINDOWS\system32\mlglibnt.dll Successfully Moved: C:\WINDOWS\system32\mlglibnt.dll moving: C:\WINDOWS\system32\mpdxmlc.dll Successfully Moved: C:\WINDOWS\system32\mpdxmlc.dll moving: C:\WINDOWS\system32\MTVCR71.dll Successfully Moved: C:\WINDOWS\system32\MTVCR71.dll moving: C:\WINDOWS\system32\mv46l9hs1.dll Successfully Moved: C:\WINDOWS\system32\mv46l9hs1.dll moving: C:\WINDOWS\system32\r4p80e7ueh.dll Successfully Moved: C:\WINDOWS\system32\r4p80e7ueh.dll moving: C:\WINDOWS\system32\suellstyle.dll Successfully Moved: C:\WINDOWS\system32\suellstyle.dll moving: C:\WINDOWS\system32\sundcmsg.dll Successfully Moved: C:\WINDOWS\system32\sundcmsg.dll moving: C:\WINDOWS\system32\t0r8la9u1d.dll Successfully Moved: C:\WINDOWS\system32\t0r8la9u1d.dll moving: C:\WINDOWS\system32\tprmmgr.dll Successfully Moved: C:\WINDOWS\system32\tprmmgr.dll moving: C:\WINDOWS\system32\uurcntra.dll Successfully Moved: C:\WINDOWS\system32\uurcntra.dll moving: C:\WINDOWS\system32\wdpns.dll Successfully Moved: C:\WINDOWS\system32\wdpns.dll moving: C:\WINDOWS\system32\wkhbth.dll Successfully Moved: C:\WINDOWS\system32\wkhbth.dll moving: C:\WINDOWS\system32\guard.tmp Successfully Moved: C:\WINDOWS\system32\guard.tmp Restoring Windows Update Certificates.: The following Is the Current Export of the Winlogon notify key: **************************************************************************** Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OemStartMenuData] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\r4p80e7ueh.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 The following are the files found: **************************************************************************** C:\WINDOWS\system32\cpmpatui.dll C:\WINDOWS\system32\desec.dll C:\WINDOWS\system32\dunmpntw.dll C:\WINDOWS\system32\iwuninst.dll C:\WINDOWS\system32\mlglibnt.dll C:\WINDOWS\system32\mpdxmlc.dll C:\WINDOWS\system32\MTVCR71.dll C:\WINDOWS\system32\mv46l9hs1.dll C:\WINDOWS\system32\r4p80e7ueh.dll C:\WINDOWS\system32\suellstyle.dll C:\WINDOWS\system32\sundcmsg.dll C:\WINDOWS\system32\t0r8la9u1d.dll C:\WINDOWS\system32\tprmmgr.dll C:\WINDOWS\system32\uurcntra.dll C:\WINDOWS\system32\wdpns.dll C:\WINDOWS\system32\wkhbth.dll C:\WINDOWS\system32\guard.tmp Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder. **************************************************************************** Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{584A9555-83E2-4EDC-B6EA-B26EB6EAF076}] @="" [HKEY_CLASSES_ROOT\CLSID\{584A9555-83E2-4EDC-B6EA-B26EB6EAF076}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{584A9555-83E2-4EDC-B6EA-B26EB6EAF076}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{584A9555-83E2-4EDC-B6EA-B26EB6EAF076}\InprocServer32] @="C:\\WINDOWS\\system32\\suellstyle.dll" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{431E7F50-9A5A-40D5-AE71-A74CF6D88DA9}] @="" [HKEY_CLASSES_ROOT\CLSID\{431E7F50-9A5A-40D5-AE71-A74CF6D88DA9}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{431E7F50-9A5A-40D5-AE71-A74CF6D88DA9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{431E7F50-9A5A-40D5-AE71-A74CF6D88DA9}\InprocServer32] @="C:\\WINDOWS\\system32\\guard.tmp" "ThreadingModel"="Apartment" Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{05905245-AA7E-43FE-933C-7D24B34B29B6}] @="" [HKEY_CLASSES_ROOT\CLSID\{05905245-AA7E-43FE-933C-7D24B34B29B6}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID\{05905245-AA7E-43FE-933C-7D24B34B29B6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID\{05905245-AA7E-43FE-933C-7D24B34B29B6}\InprocServer32] @="C:\\WINDOWS\\system32\\mlglibnt.dll" "ThreadingModel"="Apartment" REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{584A9555-83E2-4EDC-B6EA-B26EB6EAF076}"=- "{431E7F50-9A5A-40D5-AE71-A74CF6D88DA9}"=- "{05905245-AA7E-43FE-933C-7D24B34B29B6}"=- [-HKEY_CLASSES_ROOT\CLSID\{584A9555-83E2-4EDC-B6EA-B26EB6EAF076}] [-HKEY_CLASSES_ROOT\CLSID\{431E7F50-9A5A-40D5-AE71-A74CF6D88DA9}] [-HKEY_CLASSES_ROOT\CLSID\{05905245-AA7E-43FE-933C-7D24B34B29B6}] REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "SV1"="" **************************************************************************** Desktop.ini Contents: **************************************************************************** **************************************************************************** Checking for L2MFix account(0=no 1=yes): 0 adding: dlls/cpmpatui.dll (124 bytes security) (deflated 5%) adding: dlls/desec.dll (124 bytes security) (deflated 5%) adding: dlls/dunmpntw.dll (124 bytes security) (deflated 5%) adding: dlls/guard.tmp (124 bytes security) (deflated 5%) adding: dlls/iwuninst.dll (124 bytes security) (deflated 5%) adding: dlls/mlglibnt.dll (124 bytes security) (deflated 5%) adding: dlls/mpdxmlc.dll (124 bytes security) (deflated 5%) adding: dlls/MTVCR71.dll (124 bytes security) (deflated 5%) adding: dlls/mv46l9hs1.dll (124 bytes security) (deflated 5%) adding: dlls/r4p80e7ueh.dll (124 bytes security) (deflated 5%) adding: dlls/suellstyle.dll (124 bytes security) (deflated 5%) adding: dlls/sundcmsg.dll (124 bytes security) (deflated 5%) adding: dlls/t0r8la9u1d.dll (124 bytes security) (deflated 5%) adding: dlls/tprmmgr.dll (124 bytes security) (deflated 5%) adding: dlls/uurcntra.dll (124 bytes security) (deflated 5%) adding: dlls/wdpns.dll (124 bytes security) (deflated 5%) adding: dlls/wkhbth.dll (124 bytes security) (deflated 5%) adding: backregs/05905245-AA7E-43FE-933C-7D24B34B29B6.reg (188 bytes security) (deflated 70%) adding: backregs/431E7F50-9A5A-40D5-AE71-A74CF6D88DA9.reg (188 bytes security) (deflated 70%) adding: backregs/584A9555-83E2-4EDC-B6EA-B26EB6EAF076.reg (188 bytes security) (deflated 71%) adding: backregs/notibac.reg (188 bytes security) (deflated 87%) adding: backregs/shell.reg (188 bytes security) (deflated 73%) Und hier das HJT-logfile: Logfile of HijackThis v1.99.1 Scan saved at 12:32:59, on 27.12.2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\mHotkey.exe C:\Office51\SOINTGR.EXE C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe C:\Programme\AVPersonal\AVGNT.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Programme\Spybot - Search & Destroy\TeaTimer.exe C:\Programme\AVPersonal\AVGUARD.EXE C:\Programme\Alwil Software\Avast4\aswUpdSv.exe C:\Programme\Alwil Software\Avast4\ashServ.exe C:\Programme\AVPersonal\AVWUPSRV.EXE C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Corel\WordPerfect Office 2000\programs\alarm.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Programme\Corel\WordPerfect Office 2000\programs\dad9.exe C:\lotus\wordpro\ltsstart.exe C:\lotus\smartctr\suitest.exe C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe C:\WINDOWS\system32\wuauclt.exe C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe C:\Dokumente und Einstellungen\Martina\Desktop\Virenschutz & Co\hijackthis\HijackThis.exe C:\Programme\Alwil Software\Avast4\ashMaiSv.exe C:\Programme\Alwil Software\Avast4\ashWebSv.exe C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE C:\Programme\Alwil Software\Avast4\setup\avast.setup R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hyrican.de R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe O4 - HKLM\..\Run: [CHotKey] mHotkey.exe O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\Office51\SOINTGR.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [{59-94-4E-EA-ZN}] C:\windows\system32\rkdsrego.exe DREU02 O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [zroq] C:\PROGRA~1\GEMEIN~1\zroq\zroqm.exe O4 - Startup: Lotus Schnellstart.lnk = C:\lotus\wordpro\ltsstart.exe O4 - Startup: Lotus SuiteStart 97.lnk = C:\lotus\smartctr\suitest.exe O4 - Global Startup: CorelCENTRAL-Benachrichtigungsfunktionen.LNK = C:\Programme\Corel\WordPerfect Office 2000\programs\alarm.exe O4 - Global Startup: Desktop Application Director 9.LNK = C:\Programme\Corel\WordPerfect Office 2000\programs\dad9.exe O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\EROProj.dll O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.hyrican.de O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030625/qtinstall.info.apple.com/abarth/de/win/QuickTimeInstaller.exe O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{61BB11F1-9D40-4E43-898C-98D1FE64C8CB}: NameServer = 192.168.121.252,192.168.121.253 O17 - HKLM\System\CCS\Services\Tcpip\..\{A05200C0-F598-4A17-80FE-F3A8140CF94B}: NameServer = 217.237.149.225 217.237.151.97 O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe danke für die Hilfe |
|
|
|
|
|
|
27.12.2005, 14:51
Ehrenmitglied
 Beiträge: 29434 |
#4
janali
Gehe in die Registry Start-->Ausfuehren--> regedit bearbeiten--> suchen--> CMDSERVICE Klicke auf Bearbeiten -- Berechtigung und klicke dann auf Vollzugriff -- [Übernehmen] und auf [OK]. Erneuter [Rechtsklick] auf den Schlüssel und versuche diesen zu löschen. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService fixe mit dem HijackThis: O4 - HKLM\..\Run: [{59-94-4E-EA-ZN}] C:\windows\system32\rkdsrego.exe DREU02 O4 - HKCU\..\Run: [zroq] C:\PROGRA~1\GEMEIN~1\zroq\zroqm.exe PC neustarten Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten --> kopiere das Ergebnis in das Sicherheitsforum http://www.virustotal.com/flash/index_en.html C:\windows\system32\rkdsrego.exe C:\PROGRA~1\GEMEIN~1\zroq\zroqm.exe ----------------------------------------------------------------------- kopiere hier die 4 Textdateien (3 Monate vom Datum her genuegen) http://virus-protect.org/datfindbat.html scanne mit kaspersky und poste hier den scanreport http://virus-protect.org/onlinescan.html ------------------------------------------------------------------------ Info: http://virus-protect.org/artikel/spyware/command.html __________ MfG Sabina rund um die PC-Sicherheit |
|
|
|
|
|
Um auf dieses Thema zu ANTWORTEN
bitte erst » hier kostenlos registrieren!!
bitte erst » hier kostenlos registrieren!!
Folgende Themen könnten Dich auch interessieren:
Seite(n): 1
Copyright © 2024, Protecus.de - Protecus Team - Impressum / Mediadaten
habe mein logfile bei hijackthis auswerten lassen und 3 "böse" Prozesse
gefixt. Kann sich das mal bitte jemand anschauen und mir sagen,ob
noch irgendetwas anderes böses übrig ist???
Danke im vorraus
Janali
Logfile of HijackThis v1.99.1
Scan saved at 20:22:34, on 02.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\TWFydGluYQ\command.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\mHotkey.exe
C:\Office51\SOINTGR.EXE
C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
C:\windows\system32\rkdsrego.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Programme\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\lotus\wordpro\ltsstart.exe
C:\lotus\smartctr\suitest.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE
C:\Programme\Skype\Phone\Skype.exe
C:\Dokumente und Einstellungen\Martina\Desktop\Virenschutz & Co\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hyrican.de
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O1 - Hosts: om
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\Office51\SOINTGR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [{59-94-4E-EA-ZN}] C:\windows\system32\rkdsrego.exe DREU02
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [zroq] C:\PROGRA~1\GEMEIN~1\zroq\zroqm.exe
O4 - Startup: Lotus Schnellstart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus SuiteStart 97.lnk = C:\lotus\smartctr\suitest.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\qwinlsaz.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: CorelCENTRAL-Benachrichtigungsfunktionen.LNK = C:\Programme\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Programme\Corel\WordPerfect Office 2000\programs\dad9.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hyrican.de
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030625/qtinstall.info.apple.com/abarth/de/win/QuickTimeInstaller.exe
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{61BB11F1-9D40-4E43-898C-98D1FE64C8CB}: NameServer = 192.168.121.252,192.168.121.253
O17 - HKLM\System\CCS\Services\Tcpip\..\{A05200C0-F598-4A17-80FE-F3A8140CF94B}: NameServer = 217.237.149.225 217.237.151.97
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\gp86l3ls1.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFydGluYQ\command.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe