#1
Ich habe mich gerade bei meinem Nachbarn eingeloggt, da mein Rechner SUPERLANGSAM geworden ist, denn auch mich hat es erwischt. Habe schon so einige Dinge mir im Forum durchgelesen und auch schon mal mir eine Log-Datei mit hijack gezogen, dann auch noch mit silent runners gearbeit poste beides gleich unten ab. Seit ich mich infiziert habe, läuft mein Rechner total langsam, kann eigentlich nur noch im abgesicherten Modus arbeiten ansonsten hat mein Rechner eine Reaktionszeit von einer geschlagenen halben STUNDE. Er sagt mir über F-Secure, das ich folgende böse Code auf dem Rechner habe: mscornet.exe, dgprpsetup.exe und zusätzlich auch noch a0030734.exe.
Anbei die Logs: Logfile of HijackThis v1.99.1 Scan saved at 21:23:46, on 15.12.2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Silent Runner: "Silent Runners.vbs", revision 41, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry: ---------------------------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\ Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."] Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 38 seconds, including 12 seconds for message boxes)
Ich hoffe, mir kann jemand helfen!!! Ach ja, und kann ich alles im abgesicherten Modus machen??? BESTEN DANK, für eure Hilfe.
Um auf dieses Thema zu ANTWORTEN bitte erst » hier kostenlos registrieren!!
Seit ich mich infiziert habe, läuft mein Rechner total langsam, kann eigentlich nur noch im abgesicherten Modus arbeiten ansonsten hat mein Rechner eine Reaktionszeit von einer geschlagenen halben STUNDE.
Er sagt mir über F-Secure, das ich folgende böse Code auf dem Rechner habe:
mscornet.exe, dgprpsetup.exe und zusätzlich auch noch a0030734.exe.
Anbei die Logs:
Logfile of HijackThis v1.99.1
Scan saved at 21:23:46, on 15.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\IZArc\IZArc.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\ARC28D\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.medion.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Medion Home Cinema XL II\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [routcnf] C:\Programme\Telekom\Eumex 404PC\routcnf.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [mspd] C:\WINDOWS\system32\mspd.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALDI_NORD_FotoSuite_Download] "C:\Programme\ALDI Foto Service Nord\ALDI_Foto_Service\FotoSuite.exe" /autorun
O4 - HKLM\..\Run: [PrcIdle] WTFCTF.exe
O4 - HKLM\..\Run: [srbho] LOPTCON.exe
O4 - HKLM\..\Run: [NAVNet] "C:\WINDOWS\system32\dgprpsetup.exe" /m
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [dmpsn.exe] C:\WINDOWS\system32\dmpsn.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AOLMIcon] C:\Programme\Gemeinsame Dateien\aolshare\AOLMIcon.exe
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Kontrollfeld für die kabellose Tastatur.lnk = C:\WINDOWS\CNYHKey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinManager.lnk = C:\Programme\PC-TV\WinManager\WinManager.exe
O4 - Global Startup: Zahlungserinnerung.lnk = C:\PROFI\wzed.exe
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {84FAA847-1400-4400-BC93-D338EF03127B} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} - http://www.errorguard.com/installation/Install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{090D9F7F-9CCC-4719-8C0A-9113711C062A}: NameServer = 85.255.114.20,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{1889C7C1-6647-4AA4-B196-6E9F71F21ED6}: NameServer = 85.255.114.20,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{49831CA8-3C1B-4189-8D39-4D4E774FA205}: NameServer = 85.255.114.20,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B489D31-7FC5-4ABC-9E6E-13ED0FE7B2C3}: NameServer = 85.255.114.20,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F5C54B2-DFB4-4C48-AD3E-E22FEBAB23F1}: NameServer = 85.255.114.20,85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{E930C08E-BD49-4845-874A-03BB4018A8F8}: NameServer = 85.255.114.20,85.255.112.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{090D9F7F-9CCC-4719-8C0A-9113711C062A}: NameServer = 85.255.114.20,85.255.112.82
O17 - HKLM\System\CS2\Services\Tcpip\..\{090D9F7F-9CCC-4719-8C0A-9113711C062A}: NameServer = 85.255.114.20,85.255.112.82
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Secure Anti-Virus 2005 - WEB.DE Edition (BackWeb Plug-in - 154149) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\154149\Program\SERVIC~1.EXE
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programme\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\F-Secure Anti-Virus\backweb\154149\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\F-Secure Anti-Virus\Common\FSMA32.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: License Management Service ESD - element5 - C:\Programme\Gemeinsame Dateien\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
Silent Runner:
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"AOLMIcon" = "C:\Programme\Gemeinsame Dateien\aolshare\AOLMIcon.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wininet.dll" = "mscornet.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"Dit" = "Dit.exe" [null data]
"Realtime Monitor" = "C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s" ["Computer Associates International, Inc."]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"PCMService" = ""C:\Programme\Medion Home Cinema XL II\PowerCinema\PCMService.exe"" [empty string]
"PRISMSTA.EXE" = "PRISMSTA.EXE START" ["Intersil Americas Inc."]
"PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"routcnf" = "C:\Programme\Telekom\Eumex 404PC\routcnf.exe" [file not found]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Acrobat Assistant 7.0" = ""C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"(Default)" = (empty string)
"mspd" = "C:\WINDOWS\system32\mspd.exe" [null data]
"QuickTime Task" = ""D:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ALDI_NORD_FotoSuite_Download" = ""C:\Programme\ALDI Foto Service Nord\ALDI_Foto_Service\FotoSuite.exe" /autorun" ["MAGIX AG"]
"PrcIdle" = "WTFCTF.exe" [file not found]
"srbho" = "LOPTCON.exe" [file not found]
"NAVNet" = ""C:\WINDOWS\system32\dgprpsetup.exe" /m" [null data]
"F-Secure Manager" = ""C:\Programme\F-Secure Anti-Virus\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]
"F-Secure TNB" = ""C:\Programme\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]
"F-Secure Startup Wizard" = ""C:\Programme\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"]
"dmpsn.exe" = "C:\WINDOWS\system32\dmpsn.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\(Default) = "Themes Setup"
\StubPath = "C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6"
\StubPath = ""C:\Programme\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install" [MS]
{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\(Default) = "NetMeeting 3.01"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT" [MS]
{5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser" [MS]
{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default) = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}\(Default) = "Adressbuch 6"
\StubPath = ""C:\Programme\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4340}\(Default) = "Windows Desktop-Update"
\StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS]
{89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer 6"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe" [MS]
{89B4C1CD-B018-4511-B0A1-5476DBF70820}\(Default) = (no title provided)
\StubPath = "C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
"{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "Meine Digitalkamera"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\PhotoDeluxe HE 3.0\FotoNation Explorer\camview.dll" ["FotoNation Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csava.exe" [file not found]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\MEDION 1.bmp"
Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Acrobat - Schnellstart" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe" [null data]
"Kontrollfeld für die kabellose Tastatur" -> shortcut to: "C:\WINDOWS\CNYHKey.exe" ["Chicony"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"WinManager" -> shortcut to: "C:\Programme\PC-TV\WinManager\WinManager.exe" [empty string]
"Zahlungserinnerung" -> shortcut to: "C:\PROFI\wzed.exe" [null data]
Enabled Scheduled Tasks:
------------------------
"Scheduled scanning task" -> launches: "C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt " ["F-Secure Corporation"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\ = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKCU\Software\Microsoft\Internet Explorer\Extensions\
{84FAA847-1400-4400-BC93-D338EF03127B}\
"ButtonText" = "MedionShop"
"Exec" = "http://www.medionshop.de/" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Mobilen Favoriten erstellen"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.aldi.com
Missing lines (compared with English-language version):
[Strings]: 1 line
All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------
Adobe LM Service, Adobe LM Service, ""C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe"" ["Adobe Systems"]
Anwendungsverwaltung, AppMgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\appmgmts.dll" [file not found]}
ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
CA-Lizenz-Client, CA_LIC_CLNT, "C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe" ["Computer Associates"]
CA-Lizenzserver, CA_LIC_SRVR, "C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe" ["Computer Associates"]
Dienst für Seriennummern der tragbaren Medien, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
eTrust Antivirus Job Server, InoTask, ""C:\Programme\CA\eTrust Antivirus\InoTask.exe"" ["Computer Associates International, Inc."]
eTrust Antivirus Realtime Server, InoRT, ""C:\Programme\CA\eTrust Antivirus\InoRT.exe"" ["Computer Associates International, Inc."]
eTrust Antivirus RPC Server, InoRPC, ""C:\Programme\CA\eTrust Antivirus\InoRpc.exe"" ["Computer Associates International, Inc."]
F-Secure Anti-Virus 2005 - WEB.DE Edition, BackWeb Plug-in - 154149, "C:\PROGRA~1\F-SECU~1\backweb\154149\Program\SERVIC~1.EXE" [null data]
F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Programme\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"]
F-Secure Gatekeeper Handler Starter, F-Secure Gatekeeper Handler Starter, ""C:\Programme\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe"" ["F-Secure Corp."]
F-Secure Management Agent, FSMA, ""C:\Programme\F-Secure Anti-Virus\Common\FSMA32.EXE"" ["F-Secure Corporation"]
Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
fsbwsys, fsbwsys, ""C:\Programme\F-Secure Anti-Virus\backweb\154149\program\fsbwsys.exe"" ["F-Secure Corp."]
HTTP-SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
License Management Service ESD, License Management Service ESD, ""C:\Programme\Gemeinsame Dateien\element5 Shared\Service\Licence Manager ESD.exe"" ["element5"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Netzwerkversorgungsdienst, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
Verwaltungsdienst für die Verwaltung logischer Datenträger, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMI-Leistungsadapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 38 seconds, including 12 seconds for message boxes)
Ich hoffe, mir kann jemand helfen!!! Ach ja, und kann ich alles im abgesicherten Modus machen??? BESTEN DANK, für eure Hilfe.