SpyAxe entfernen?!

#1 Ich benütze folgende Anleitung:
http://virus-protect.org/artikel/spyware/spyaxe.html


Hier die Datei smitfiles.txt aus Schritt 3:

Zitat

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SpyAxeFix © by noahdfear

spyaxe directory present

spyaxe uninstaller present

Starting spyaxe uninstaller

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}"="Windows Update"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 584 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN!

spyaxe.txt aus schritt 3
das popup ist übrigens immer noch da... :-(

Zitat

SpyAxeFix © by noahdfear


Microsoft Windows XP [Version 5.1.2600]

spyaxe directory present

spyaxe uninstaller present

Starting spyaxe uninstaller

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of spyaxe.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1388 'explorer.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 3336 'rundll32.exe'


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}"="Windows Update"

Zitat

Logfile of HijackThis v1.99.1
Scan saved at 20:11:34, on 11.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Apache\xampp\apache\bin\Apache.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Apache\xampp\mysql\bin\mysqld-nt.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
C:\Apache\xampp\apache\bin\Apache.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Konfabulator\Konfabulator.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Konfabulator\Konfabulator.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Messenger\msmsgs.exe
C:\Dokumente und Einstellungen\Tobi\Desktop\hijackthis\HijackThis.exe

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpBCF1.tmp (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Programme\Gemeinsame Dateien\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyAxe] C:\Programme\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [BirthdayRemember6] "C:\Programme\BirthdayRemember\BirthdayRemember.exe" "autostart"
O4 - HKCU\..\Run: [ObjectDock] C:\Programme\ObjectDock\ObjectDock.exe
O4 - HKCU\..\Run: [Yz Shadow] -
O4 - HKCU\..\Run: [WinRoll] -
O4 - Startup: Konfabulator.lnk = C:\Programme\Konfabulator\Konfabulator.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134317040656
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://217.91.112.221/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5659E353-5CB1-4252-82BF-3E6EDD1F0915}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5659E353-5CB1-4252-82BF-3E6EDD1F0915}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{5659E353-5CB1-4252-82BF-3E6EDD1F0915}: NameServer = 192.168.1.1
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Apache\xampp\apache\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/Apache/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

datfindbat aus schritt 3:

Zitat

Verzeichnis von C:\WINDOWS\system32

11.12.2005 20:07 21.828 nvapps.xml
11.12.2005 13:30 98.304 ioctrl.dll
11.12.2005 11:42 2.262 wpa.dbl
24.11.2005 11:00 237.264 GDIPFONTCACHEV1.DAT-->>
24.11.2005 10:59 664.552 FNTCACHE.DAT
11.11.2005 16:28 62 VGACOPY.CFG
30.10.2005 17:47 311.604 perfh009.dat
30.10.2005 17:47 39.992 perfc009.dat
30.10.2005 17:47 316.594 perfh007.dat
30.10.2005 17:47 48.156 perfc007.dat
30.10.2005 17:47 723.744 PerfStringBackup.INI
25.10.2005 22:06 4 proc1262767916.bin
18.08.2005 15:25 219.648 uxtheme.dll
13.08.2005 13:00 3.799 jupdate-1.5.0_04-b05.log





Verzeichnis von C:\DOKUME~1\Tobi\LOKALE~1\Temp

11.12.2005 20:10 2.601.592 sa1.exe
11.12.2005 20:08 0 ~2.tmp
11.12.2005 20:08 201 jusched.log
11.12.2005 20:07 0 sa1.tmp
11.12.2005 19:47 2.601.592 sa43.exe
11.12.2005 19:46 0 sa43.tmp
09.12.2005 00:09 122 0FD1A8EB.TMP
7 Datei(en) 5.203.507 Bytes
0 Verzeichnis(se), 7.469.137.920 Bytes frei





Verzeichnis von C:\WINDOWS

11.12.2005 20:27 3.799.962 ntbtlog.txt
11.12.2005 20:08 0 0.log
11.12.2005 20:07 159 wiadebug.log
11.12.2005 20:07 50 wiaservc.log
11.12.2005 20:06 2.048 bootstat.dat
11.12.2005 20:05 364.868 WindowsUpdate.log
11.12.2005 20:05 32.538 SchedLgU.Txt
11.12.2005 19:46 174.816 setupact.log
11.12.2005 19:07 12 clocked.ini
11.12.2005 18:45 970.327 setupapi.log
10.12.2005 21:17 8.296 SYMEVENT.LOG
10.12.2005 18:44 116 NeroDigital.ini
04.12.2005 21:47 81.321 SGTBox.INI
03.12.2005 12:13 107.132 UninstallFirefox.exe
03.12.2005 12:12 8.978 mozver.dat
22.11.2005 23:05 57 emule.INI
16.11.2005 00:07 14.740 wmsetup.log
12.11.2005 16:53 0 control.ini
25.10.2005 22:06 4 datanrvyqstwwqx.log
25.10.2005 22:06 799 win.ini
17.09.2005 11:40 17 Missing.ini
11.09.2005 14:00 32 wininit.ini






Verzeichnis von C:\

11.12.2005 20:31 0 sys.txt
11.12.2005 20:30 6.859 system.txt
11.12.2005 20:29 559 systemtemp.txt
11.12.2005 20:28 105.673 system32.txt
11.12.2005 20:06 804.495.360 pagefile.sys
11.12.2005 19:45 1.740 smitfiles.txt
11.12.2005 15:53 1.769 rapport.txt
11.12.2005 12:23 3.103 _audioscrobbler.log
30.08.2005 21:14 222 boot.bed
30.08.2005 21:14 222 boot.ini

welche dateien muss ich jetzt mit killbox löschen?!

#2 der PC ist mir Wareout verseucht, nicht nur mit SpyAxe.....

mit der rechten Maustaste auf den Link klicken und aus dem Auswahlmenü, Ziel speichern unter -> Desktop wählen -> dann erscheint eine mcor.reg auf dem Bildschirm

http://virus-protect.org/reg/mcor.reg

rechtsklick auf den Link --> Ziel speichern unter... --> wähle Desktop - dann erscheint eine spyaxe.reg auf dem Bildschirm.

http://virus-protect.org/reg/spyaxe.reg

------------------------------------------------------------------------

öffne das HijackThis -->
-- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpBCF1.tmp (file missing)
O4 - HKLM\..\Run: [SpyAxe] C:\Programme\SpyAxe\spyaxe.exe /
O4 - HKCU\..\Run: [Yz Shadow] -
O4 - HKCU\..\Run: [WinRoll] -

PC neustarten

starten den PC neu --> in den abgesicherten Modus (F8 druecken, wenn der PC hochfaehrt , waehle abgesicherter Modus, melde dich als Administrator an
und klicke die

mcor.reg
spyaxe.reg

doppelt --> fuege sie mit "ja" oder "yes" der Registry bei

------------------------------------------------------------------

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot / Process all in List )--> anhaken
reinkopieren:
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"

C:\DOKUME~1\Tobi\LOKALE~1\Temp\sa1.exe
C:\DOKUME~1\Tobi\LOKALE~1\Temp\sa1.tmp
C:\DOKUME~1\Tobi\LOKALE~1\Temp\sa43.exe
C:\WINDOWS\system32\ioctrl.dll

PC neustarten

SpyAxe deinstallieren

loeschefalls du es findest)
C:\Programme\SpyAxe
C:\Program Files\SpyAxe
C:\WINDOWS\system32\1024
C:\Dokumente und Einstellungen\All Users\Startmenü\Online Security Center.url

C:\Dokumente und Einstellungen\Username\Favoriten\Take It Here - Daily Updated Porn Links.url
C:\Dokumente und Einstellungen\Username\Favoriten\Free XXX Sites List.url
C:\Dokumente und Einstellungen\Username\Favoriten\Antivirus Test Online.url


wende CleanUp an (so, wie auf der Seite erklaert)
http://virus-protect.org/cleanup.html

poste das Log von WinPfind
http://virus-protect.org/winpfind.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 sodele...
danke für die hilfe :-)

hab alles so gemacht wie du gesagt hast, hab jetzt aber mal sicherheitshalber beim neustart meinen wlan-adapter raus, damits net gleich wieder irgendwas nachlädt...
hab die logs von winPfind und noch nen zusätzlichen log von hijackthis jetzt auf usb-stick gezogen und mich für den post hier an den rechner meiner eltern gesetzt....

werd den befallenen rechner also mal ne weile ohne internet laufen lassen, und von hier aus ab und zu vorbeischauen.

edit: übrigens: auf dem betroffenen rechner gabs keine popups mehr

hier jetzt mal die logs:

Zitat

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 28.12.2002 11:16:18 53248 C:\WINDOWS\daemon.dll

Checking %System% folder...
PEC2 18.08.2001 11:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 03.08.2004 23:57:10 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 03.08.2004 23:57:34 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 18.08.2001 11:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 03.08.2004 21:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
13.12.2005 17:26:50 S 2048 C:\WINDOWS\bootstat.dat
09.12.2005 22:31:58 H 10820 C:\WINDOWS\Help\nocontnt.GID
11.12.2005 18:45:38 H 0 C:\WINDOWS\inf\oem17.inf
11.12.2005 23:04:02 H 4212 C:\WINDOWS\system32\zllictbl.dat
13.12.2005 17:36:50 H 1024 C:\WINDOWS\system32\config\default.LOG
13.12.2005 17:36:20 H 1024 C:\WINDOWS\system32\config\SAM.LOG
13.12.2005 17:27:48 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
13.12.2005 17:42:10 H 1024 C:\WINDOWS\system32\config\software.LOG
13.12.2005 17:37:08 H 1024 C:\WINDOWS\system32\config\system.LOG
13.12.2005 17:26:52 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 03.08.2004 23:58:24 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 03.08.2004 23:58:24 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 03.08.2004 23:58:24 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 03.08.2004 23:58:24 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 03.08.2004 23:58:24 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 03.08.2004 23:58:24 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 03.08.2004 23:58:24 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 03.08.2004 23:58:24 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 03.08.2004 23:58:24 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 03.08.2004 23:58:24 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 03.06.2005 02:52:54 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 18.08.2001 11:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 03.08.2004 23:58:24 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18.08.2001 11:00:00 167936 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 03.08.2004 23:58:24 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 03.08.2004 23:58:24 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 24.02.2005 06:32:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 18.08.2001 11:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 03.08.2004 23:58:24 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 03.08.2004 23:58:24 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23.09.2004 17:57:40 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 03.08.2004 23:58:24 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18.08.2001 11:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 03.08.2004 23:58:24 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 03.08.2004 23:58:24 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 03.08.2004 23:58:24 70656 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Adobe Systems, Inc. 24.08.2000 14:46:38 266240 C:\WINDOWS\SYSTEM32\dllcache\Adobe Gamma.cpl
Microsoft Corporation 03.08.2004 23:58:24 555008 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 03.08.2004 23:58:24 138240 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 03.08.2004 23:58:24 157184 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 03.08.2004 23:58:24 359424 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 03.08.2004 23:58:24 133120 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 03.08.2004 23:58:24 381440 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 03.08.2004 23:58:24 69632 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Sun Microsystems, Inc. 03.06.2005 02:52:54 49265 C:\WINDOWS\SYSTEM32\dllcache\jpicpl32.cpl
Microsoft Corporation 18.08.2001 11:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 03.08.2004 23:58:24 625152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 18.08.2001 11:00:00 167936 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 03.08.2004 23:58:24 260096 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
NVIDIA Corporation 24.02.2005 06:32:00 73728 C:\WINDOWS\SYSTEM32\dllcache\nvtuicpl.cpl
Microsoft Corporation 18.08.2001 11:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 03.08.2004 23:58:24 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 03.08.2004 23:58:24 117248 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Apple Computer, Inc. 23.09.2004 17:57:40 323072 C:\WINDOWS\SYSTEM32\dllcache\QuickTime.cpl
Symantec Corporation 27.01.2005 14:39:04 194144 C:\WINDOWS\SYSTEM32\dllcache\S32LUCP1.cpl
Microsoft Corporation 03.08.2004 23:58:24 159744 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 03.08.2004 23:58:24 303104 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 18.08.2001 11:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 03.08.2004 23:58:24 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 03.08.2004 23:58:24 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
03.04.2005 19:38:30 1941 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Gamma Loader.lnk
02.04.2005 20:35:46 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
03.05.2005 17:31:38 1719 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
02.04.2005 21:23:48 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
02.04.2005 20:35:46 HS 84 C:\Dokumente und Einstellungen\Tobi\Startmenü\Programme\Autostart\desktop.ini
18.08.2005 17:15:08 667 C:\Dokumente und Einstellungen\Tobi\Startmenü\Programme\Autostart\Konfabulator.lnk
18.08.2005 15:46:30 1553 C:\Dokumente und Einstellungen\Tobi\Startmenü\Programme\Autostart\Stardock ObjectDock.lnk

Checking files in %USERPROFILE%\Application Data folder...
02.04.2005 21:23:48 HS 62 C:\Dokumente und Einstellungen\Tobi\Anwendungsdaten\desktop.ini
24.11.2005 18:15:08 237264 C:\Dokumente und Einstellungen\Tobi\Anwendungsdaten\GDIPFONTCACHEV1.DAT
12.12.2005 23:00:08 110 C:\Dokumente und Einstellungen\Tobi\Anwendungsdaten\iScrobbler.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programme\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programme\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\CMenuExtender
{ABC70703-32AF-11d4-90C4-D483A70F4825} = C:\Programme\iColorFolder\CMExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programme\Norton AntiVirus\NavShExt.dll
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} = Easy-WebPrint : C:\Programme\Canon\Easy-WebPrint\Toolband.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Konsole : C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programme\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Cmaudio RunDll32 cmicnfg.cpl,CMICtrlWnd
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
anvshell anvshell.exe
ccApp "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
nwiz nwiz.exe /install
SunJavaUpdateSched C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
CloneCDTray "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
pdfFactory Dispatcher v2 "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
Easy-PrintToolBox C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
Acrobat Assistant 7.0 "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

NWEReboot
TkBellExe "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
BirthdayRemember6 "C:\Programme\BirthdayRemember\BirthdayRemember.exe" "autostart"
ObjectDock C:\Programme\ObjectDock\ObjectDock.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Dokumente und Einstellungen^Tobi^Startmenü^Programme^Autostart^WinMySQLadmin.lnk
path C:\Dokumente und Einstellungen\Tobi\Startmenü\Programme\Autostart\WinMySQLadmin.lnk
backup C:\WINDOWS\pss\WinMySQLadmin.lnkStartup
location Startup
command C:\Apache\xampp\mysql\bin\WINMYS~1.EXE
item WinMySQLadmin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Acronis Scheduler2 Service
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item schedhlp
hkey HKLM
command "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item schedhlp
hkey HKLM
command "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AcronisTrueImage Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TrueImageMonitor
hkey HKLM
command "C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TrueImageMonitor
hkey HKLM
command "C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Programme\iTunes\iTunesHelper.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command C:\Programme\iTunes\iTunesHelper.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Programme\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Programme\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\comdlg32

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0
NoDispAppearancePage 0
NoDispBackgroundPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


<<<<<<<<<< Checking for AddOn WareOut.def information >>>>>>>>>>
>>>>>>>>>> PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Parameter line : file=%sysdir%;*.exe;300;55304;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 300 days with a size of 55304 bytes was not found!
Parameter line : file=%sysdir%;*.exe;;43528;;;
File C:\WINDOWS\SYSTEM32\*.exe with a size of 43528 bytes was not found!
Parameter line : file=%sysdir%;*.exe;300;4096;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 300 days with a size of 4096 bytes was not found!
Parameter line : file=%sysdir%;*.exe;;43528;;;
File C:\WINDOWS\SYSTEM32\*.exe with a size of 43528 bytes was not found!
Parameter line : file=%sysdir%;*.exe;300;28680;;;
File C:\WINDOWS\SYSTEM32\*.exe for today - 300 days with a size of 28680 bytes was not found!
Parameter line : file=%sysdir%;*.exe;;11264;;;
03.08.2004 23:57:42 11264 C:\WINDOWS\SYSTEM32\atmadm.exe found!
18.08.2001 11:00:00 11264 C:\WINDOWS\SYSTEM32\attrib.exe found!
03.08.2004 23:57:44 11264 C:\WINDOWS\SYSTEM32\autolfn.exe found!
18.08.2001 11:00:00 11264 C:\WINDOWS\SYSTEM32\chkntfs.exe found!
Parameter line : file=%sysdir%;*.ren;300;43528;;;
File C:\WINDOWS\SYSTEM32\*.ren for today - 300 days with a size of 43528 bytes was not found!
Parameter line : file=%sysdir%;ntfsnlpa.exe;;;;;
File C:\WINDOWS\SYSTEM32\ntfsnlpa.exe was not found!
Parameter line : file=%sysdir%;cisvvc.exe;;;;;
File C:\WINDOWS\SYSTEM32\cisvvc.exe was not found!
Parameter line : file=%sysdir%;drv2cltr.dll;;;;;
File C:\WINDOWS\SYSTEM32\drv2cltr.dll was not found!
Parameter line : file=%sysdir%;hybsys32.dll;;;;;
File C:\WINDOWS\SYSTEM32\hybsys32.dll was not found!
Parameter line : file=%sysdir%;loadctr.exe;;;;;
File C:\WINDOWS\SYSTEM32\loadctr.exe was not found!
Parameter line : file=%sysdir%;rdsndin.exe;;;;;
File C:\WINDOWS\SYSTEM32\rdsndin.exe was not found!
Parameter line : file=%sysdir%;pxpcya64.exe;;;;;
File C:\WINDOWS\SYSTEM32\pxpcya64.exe was not found!
Parameter line : file=%windir%;*.exe;300;55304;;;
File C:\WINDOWS\*.exe for today - 300 days with a size of 55304 bytes was not found!
Parameter line : file=%windir%;*.exe;300;43528;;;
File C:\WINDOWS\*.exe for today - 300 days with a size of 43528 bytes was not found!
Parameter line : file=%windir%;*.exe;300;4096;;;
File C:\WINDOWS\*.exe for today - 300 days with a size of 4096 bytes was not found!
Parameter line : file=%windir%;rdt.ini;;;;;
File C:\WINDOWS\rdt.ini was not found!
Parameter line : file=%windir%;baloon.wav;;;;;
File C:\WINDOWS\baloon.wav was not found!
Parameter line : file=%allusers%\start menu\programs\startup;*.exe;;;;;
File C:\Dokumente und Einstellungen\All Users\start menu\programs\startup\*.exe was not found!
>>>>>>>>>>Registry keys to look for
Parameter line : regvalue=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon;system;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon found!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\system found!
System
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\WareOut;;
HKEY_LOCAL_MACHINE\SOFTWARE\WareOut not found!
Parameter line : regkey=HKEY_CURRENT_USER\Software\WareOut;;
HKEY_CURRENT_USER\Software\WareOut not found!
Parameter line : regvalue=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;NoBandCustomize;;
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer found!
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoBandCustomize not found!
Parameter line : regvalue=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion;Disabled;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion found!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\\Disabled not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar;;
HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar not found!
Parameter line : regkey=HKEY_CURRENT_USER\Software\SearchToolbar;;
HKEY_CURRENT_USER\Software\SearchToolbar not found!
Parameter line : regkey=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls;;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls not found!
Parameter line : regvalue=HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser;{08BEC6AA-49FC-4379-3587-4B21E286C19E};;
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser found!
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{08BEC6AA-49FC-4379-3587-4B21E286C19E} not found!

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 13.12.2005 17:44:04

Zitat

Logfile of HijackThis v1.99.1
Scan saved at 17:46:26, on 13.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Apache\xampp\mysql\bin\mysqld-nt.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\ObjectDock\ObjectDock.exe
C:\Programme\Konfabulator\Konfabulator.exe
C:\Programme\ObjectDock\ObjectDock.exe
C:\Programme\Konfabulator\Konfabulator.exe
C:\Programme\Messenger\msmsgs.exe
C:\Dokumente und Einstellungen\Tobi\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [BirthdayRemember6] "C:\Programme\BirthdayRemember\BirthdayRemember.exe" "autostart"
O4 - HKCU\..\Run: [ObjectDock] C:\Programme\ObjectDock\ObjectDock.exe
O4 - Startup: Konfabulator.lnk = C:\Programme\Konfabulator\Konfabulator.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5659E353-5CB1-4252-82BF-3E6EDD1F0915}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5659E353-5CB1-4252-82BF-3E6EDD1F0915}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{5659E353-5CB1-4252-82BF-3E6EDD1F0915}: NameServer = 192.168.1.1
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/Apache/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

#4 toby86

Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten --> kopiere das Ergebnis in das Sicherheitsforum
http://www.virustotal.com/flash/index_en.html


C:\WINDOWS\SYSTEM32\atmadm.exe
C:\WINDOWS\SYSTEM32\attrib.exe
C:\WINDOWS\SYSTEM32\autolfn.exe
C:\WINDOWS\SYSTEM32\chkntfs.exe





Download f-secure-Beta Trial
http://www.f-secure.com/blacklight/
doppelklick: blbeta.exe
nach dem Check klicke -- next
nun findet man eine Textdatei auf dem Desktop: kopiere sie in deinen Thread
__________
MfG Sabina

rund um die PC-Sicherheit

#5

Zitat

This is a report processed by VirusTotal on 12/14/2005 at 15:25:27 (CET) after scanning the file "atmadm.exe" file.

Antivirus Version Update Result
AntiVir 6.33.0.61 12.14.2005 no virus found
Avast 4.6.695.0 12.14.2005 no virus found
AVG 718 12.14.2005 no virus found
Avira 6.33.0.61 12.14.2005 no virus found
BitDefender 7.2 12.14.2005 no virus found
CAT-QuickHeal 8.00 12.13.2005 no virus found
ClamAV devel-20051108 12.12.2005 no virus found
DrWeb 4.33 12.14.2005 no virus found
eTrust-Iris 7.1.194.0 12.14.2005 no virus found
eTrust-Vet 12.3.3.0 12.14.2005 no virus found
Fortinet 2.54.0.0 12.14.2005 no virus found
F-Prot 3.16c 12.13.2005 no virus found
Ikarus 0.2.59.0 12.14.2005 no virus found
Kaspersky 4.0.2.24 12.14.2005 no virus found
McAfee 4649 12.13.2005 no virus found
NOD32v2 1.1321 12.13.2005 no virus found
Norman 5.70.10 12.14.2005 no virus found
Panda 8.02.00 12.14.2005 no virus found
Sophos 4.00.0 12.14.2005 no virus found
Symantec 8.0 12.14.2005 no virus found
TheHacker 5.9.1.055 12.14.2005 no virus found
VBA32 3.10.5 12.13.2005 no virus found

Zitat

This is a report processed by VirusTotal on 12/14/2005 at 15:27:05 (CET) after scanning the file "attrib.exe" file.

no virus found (=> bei allen)

Zitat

This is a report processed by VirusTotal on 12/14/2005 at 15:28:54 (CET) after scanning the file "autolfn.exe" file.

no virus found (=> bei allen)

Zitat

This is a report processed by VirusTotal on 12/14/2005 at 15:30:58 (CET) after scanning the file "chkntfs.exe" file.

no virus found (=> bei allen)

Zitat

12/14/05 15:32:33 [Info]: BlackLight Engine 1.0.29 initialized
12/14/05 15:32:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/14/05 15:32:33 [Note]: 7019 4
12/14/05 15:32:33 [Note]: 7005 0
12/14/05 15:32:43 [Note]: 7006 0
12/14/05 15:32:43 [Note]: 7011 1208
12/14/05 15:32:43 [Note]: FSRAW library version 1.7.1013
12/14/05 15:33:38 [Note]: 7007 0

#6 http://virus-protect.org/cureit.html
scanne und berichte, ob noch was gefunden wurde
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Prüfstatistiken
-----------------------------------------------------------------------------
Geprüfte Objekte: 294782
Infizierte Objekte gefunden: 7
Objekte mit Modifikation gefunden: 0
Verdächtige Objekte gefunden: 0
Adware-Programm gefunden: 0
Dialer-Programm gefunden: 0
Scherz-Programm gefunden: 0
Riskware programm gefunden: 0
Hacktool-Programm gefunden: 0
Desinfizierte Objekte: 0
Gelöschte Objekte: 7
Umbenannte Objekte: 0
Verschobene Objekte: 0
Ignorierte Objekte: 21
Leistung:: 166 Kb/s
Dauer:: 02:19:44




alle 7 gefunden in:

C:\System Volume Information\_restore{5A5DE906-18B0-4763-A26F-CF9C235F8F0E}\RP***\



Trojan.Fakealert (3x)
Trojan. Popuper (2x)
Spam.GhostMail
Trojan.MulDrop.3122



Wurden alle gelöscht.

#8 fein dann scanne noch mit panda und falls noch was gefunden wird, loesche es manuell.

Panda
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#9 wurde nichts mehr gefunden

tausend-dank für deine großartige hilfe!!!