your computer is infected! was kann ich tun?

#1 Hallo ich bin erst neu hier und habe schon mal mit hijackthis die logfile erstellt, wie gehts jetzt weiter?
bin schon kurz davor format c: zu machen aber dann ist alles weg:-(

Logfile of HijackThis v1.99.1
Scan saved at 09:20:20, on 16.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\soundman.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\AVPersonal\AVGNT.EXE
E:\Programme\D-Link\Air USB Utility\AirCFG.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programme\AOL 9.0\aoltray.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\Microsoft Office\Office\OSA.EXE
C:\Programme\OnlineCounter 2004\OnlineCounter.exe
C:\Programme\Gemeinsame Dateien\AOL\1133287027\ee\AOLHostManager.exe
C:\Programme\Gemeinsame Dateien\AOL\1133287027\ee\AOLServiceHost.exe
c:\programme\gemeinsame dateien\aol\1133287027\ee\services\antiSpywareApp\ver2_0_13\AOLSP Scheduler.exe
C:\Programme\Gemeinsame Dateien\AOL\1133287027\ee\AOLServiceHost.exe
C:\Programme\AOL 9.0\waol.exe
C:\Programme\AOL 9.0\shellmon.exe
C:\Programme\mozilla\mozilla.exe
C:\DOKUME~1\Besitzer\LOKALE~1\Temp\Rar$EX00.993\HijackThis.exe

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpD633.tmp
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [D-Link Air USB Utility] E:\Programme\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [HostManager] C:\Programme\Gemeinsame Dateien\AOL\1133287027\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Status] C:\Programme\Intelligent\ISDN 2000 XP\Status.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - Startup: OnlineCounter 2004-Autostart.lnk = C:\Programme\OnlineCounter 2004\OnlineCounter-Autostart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = C:\Programme\AOL 9.0\aoltray.exe
O4 - Global Startup: Erinnerungen für Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C78C2A4-4C18-4BAB-9789-12094CE4E3A6}: NameServer = 205.188.146.145
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE






ich habe mal bei den anderen betroffenen gelesen und ccleaner laufen lassen.
zusätzlich hab ich schon gleich datfindbat ausgeführt.


datfindbat:


Datentr„ger in Laufwerk C: ist VOLUME
Volumeseriennummer: 14EB-1F4D

Verzeichnis von C:\WINDOWS\system32

16.12.2005 11:41 404 ncompat.tlb
16.12.2005 11:30 3.284 ANIWZCS{18DA6E96-D058-4553-AF40-99ECCB3784D8}
16.12.2005 11:29 9.937 hpEDEB.tmp
16.12.2005 11:29 24.064 ldEBF6.tmp
16.12.2005 06:06 4.286 ot.ico
16.12.2005 06:06 4.286 ts.ico
15.12.2005 21:49 8.192 Thumbs.db
15.12.2005 06:11 98.304 ioctrl.dll
15.12.2005 06:11 9.784 mssearchnet.exe
15.12.2005 06:11 15.508 nvctrl.exe
14.12.2005 12:55 14.680 mscornet.exe
12.12.2005 13:25 2.206 wpa.dbl
09.12.2005 01:21 2.723.680 MRT.exe
01.12.2005 14:18 7.006 jupdate-1.5.0_06-b05.log
01.12.2005 04:31 1.492.480 shdocvw.dll
26.11.2005 12:14 5.618 jupdate-1.5.0_05-b05.log
24.11.2005 00:58 1.022.464 browseui.dll
24.11.2005 00:58 3.013.632 mshtml.dll
10.11.2005 13:03 127.078 javaws.exe
10.11.2005 13:03 49.265 jpicpl32.cpl
10.11.2005 11:27 49.250 javaw.exe
10.11.2005 11:27 49.248 java.exe
09.11.2005 11:15 263.824 FNTCACHE.DAT
05.11.2005 04:16 606.208 urlmon.dll
05.11.2005 04:16 1.056.256 danim.dll
02.11.2005 09:53 311.938 perfh009.dat
02.11.2005 09:53 40.326 perfc009.dat
02.11.2005 09:53 317.168 perfh007.dat
02.11.2005 09:53 48.552 perfc007.dat


Datentr„ger in Laufwerk C: ist VOLUME
Volumeseriennummer: 14EB-1F4D

Verzeichnis von C:\DOKUME~1\Besitzer\LOKALE~1\Temp

16.12.2005 11:39 204 jusched.log
16.12.2005 11:30 32.768 ~DF9A16.tmp
16.12.2005 11:30 2.600.865 sa1.exe
16.12.2005 11:30 0 JET8.tmp
16.12.2005 11:30 16.384 ~DF99F2.tmp
16.12.2005 11:30 49.152 ~DF4308.tmp
16.12.2005 11:30 32.768 ~DF3550.tmp
16.12.2005 11:29 0 sa1.tmp
16.12.2005 11:23 32.768 ~DF398F.tmp
16.12.2005 11:23 32.768 ~DF9275.tmp
16.12.2005 11:23 16.384 ~DF8D9A.tmp
16.12.2005 11:23 49.152 ~DF4DCD.tmp
09.12.2005 20:50 118 0FD1A8EB.TMP
13 Datei(en) 2.863.331 Bytes
0 Verzeichnis(se), 6.868.238.336 Bytes frei




Datentr„ger in Laufwerk C: ist VOLUME
Volumeseriennummer: 14EB-1F4D

Verzeichnis von C:\WINDOWS

16.12.2005 11:29 1.876.333 WindowsUpdate.log
16.12.2005 11:29 159 wiadebug.log
16.12.2005 11:29 50 wiaservc.log
16.12.2005 11:29 0 0.log
16.12.2005 11:29 2.048 bootstat.dat
16.12.2005 11:28 32.618 SchedLgU.Txt
16.12.2005 09:53 25 popcinfo.dat
16.12.2005 09:13 646 win.ini
16.12.2005 06:31 253 SYSTEM.INI
25.11.2005 15:13 54.156 QTFont.qfn
21.11.2005 21:32 3.682 ModemLog_SoftV92 Data Fax Modem.txt
08.11.2005 11:27 56 setup.ini
08.11.2005 10:59 19.752 OmKsfilt.inf
07.11.2005 20:33 1.409 QTFont.for
07.11.2005 14:50 3.580 ModemLog_Intelligent PCMCIA ISDN TA ( modem ).txt
04.06.2005 11:00 266.240 Setup1.exe
04.06.2005 11:00 74.752 ST6UNST.EXE
27.05.2005 00:22 10.752 hh.exe
16.05.2005 15:36 100.482 UninstallThunderbird.exe
16.05.2005 15:36 19.346 mozver.dat
21.04.2005 19:49 1.125 ODBC.INI
06.04.2005 17:15 316.640 WMSysPr9.prx
16.02.2005 17:17 34 cdplayer.ini
08.02.2005 20:00 938 ModemLog_Conexant 56K Modem.txt
18.01.2005 00:07 326.656 opuc.dll
02.01.2005 19:21 15.348 Besitzer.acl
21.12.2004 17:38 4.348 ODBCINST.INI
21.12.2004 12:29 105.632 GREUninstall.exe
21.12.2004 07:32 36.864 uinst001.exe
19.12.2004 18:26 65 poolemup.ini
19.12.2004 13:44 731 aolback.exe.lnk
19.12.2004 13:40 335 nsreg.dat
19.12.2004 12:41 8.192 REGLOCS.OLD
19.12.2004 12:38 0 control.ini
19.12.2004 12:38 299.552 WMSysPrx.prx
19.12.2004 12:36 749 WindowsShell.Manifest
19.12.2004 12:34 37 vbaddin.ini
19.12.2004 12:34 36 vb.ini
19.12.2004 12:30 0 Sti_Trace.log
19.12.2004 12:27 231 SYSTEM.001
22.08.2004 17:04 69.120 daemon.dll
04.08.2004 00:58 288.768 winhlp32.exe
04.08.2004 00:58 32.866 slrundll.exe
04.08.2004 00:58 153.600 R.COM
04.08.2004 00:58 153.600 REGEDIT.COM
04.08.2004 00:58 153.600 regedit.exe
04.08.2004 00:58 70.144 notepad.exe
04.08.2004 00:57 1.035.264 explorer.exe
04.08.2004 00:57 50.688 twain_32.dll
18.09.2002 23:40 643 LEXSTAT.INI
23.07.2002 04:17 225.280 IRGX15phmgunin.exe
13.06.2002 10:00 1.369 Lexmark_ICM.ini
09.04.2002 10:21 173 X84-X85_DS.ini
17.01.2002 04:50 135.168 alcrmv.exe
17.01.2002 04:49 204.800 alcupd.exe
04.01.2002 13:40 147.456 AVM_cpdi.clr
02.01.2002 09:30 44.032 soundman.exe
03.10.2001 12:40 172.095 WaitPrintReg.exe
18.08.2001 13:00 65.978 Seifenblase.bmp
18.08.2001 13:00 17.062 Kaffeetasse.bmp
18.08.2001 13:00 257.568 winhelp.exe
18.08.2001 13:00 82.944 clock.avi
18.08.2001 13:00 26.582 Granit.bmp
18.08.2001 13:00 9.522 Zapotek.bmp
18.08.2001 13:00 26.680 F„cher.bmp
18.08.2001 13:00 1.405 msdfmap.ini
18.08.2001 13:00 65.832 Santa Fe-Stuck.bmp
18.08.2001 13:00 1.272 Blaue Spitzen 16.bmp
18.08.2001 13:00 15.872 TASKMAN.EXE
18.08.2001 13:00 17.362 Rhododendron.bmp
18.08.2001 13:00 94.800 twain.dll
18.08.2001 13:00 48.680 winnt256.bmp
18.08.2001 13:00 49.680 twunk_16.exe
18.08.2001 13:00 25.600 twunk_32.exe
18.08.2001 13:00 16.730 Feder.bmp
18.08.2001 13:00 17.336 Angler.bmp
18.08.2001 13:00 80 explorer.scf
18.08.2001 13:00 34.818 wmprfDEU.prx
18.08.2001 13:00 48.680 winnt.bmp
18.08.2001 13:00 65.954 Pr„riewind.bmp
18.08.2001 13:00 2 desktop.ini
18.08.2001 13:00 18.944 vmmreg32.dll
18.08.2001 13:00 707 _default.pif
06.07.2001 01:19 164 avrack.ini
18.09.2000 12:00 73.728 omcamdib.dll
18.09.2000 12:00 135.168 omcamcap.exe
08.05.2000 05:20 45.056 trayhook.dll
08.05.2000 05:20 20.480 sointgr.exe
08.02.2000 11:36 40.960 omniuns.exe
04.01.2000 22:20 86.016 unvise32qt.exe
02.04.1999 03:19 12.800 jrew.exe
02.04.1999 03:19 12.288 jre.exe
17.11.1998 12:44 328.704 IsUn0407.exe
29.10.1998 14:45 306.688 IsUninst.exe
19.10.1998 15:52 131.584 Ptlic32.exe
22.10.1997 00:00 15.348 MSO97.ACL
13.10.1997 20:55 299.008 unin0407.exe
18.01.1997 10:40 299.520 uninst.exe
98 Datei(en) 9.340.120 Bytes
0 Verzeichnis(se), 6.868.230.144 Bytes frei





Datentr„ger in Laufwerk C: ist VOLUME
Volumeseriennummer: 14EB-1F4D

Verzeichnis von C:\

16.12.2005 11:47 0 sys.txt
16.12.2005 11:47 5.158 system.txt
16.12.2005 11:46 866 systemtemp.txt
16.12.2005 11:42 104.045 system32.txt
16.12.2005 11:28 402.653.184 pagefile.sys
16.12.2005 08:57 3 AVPCallback.log
16.12.2005 06:31 211 boot.ini
20.12.2004 20:02 462 TOnlProt.log
19.12.2004 18:02 793 INSTALL.LOG
19.12.2004 12:55 47.564 NTDETECT.COM
19.12.2004 12:55 251.184 ntldr
19.12.2004 12:38 0 IO.SYS
19.12.2004 12:38 0 CONFIG.SYS
19.12.2004 12:38 0 AUTOEXEC.BAT
19.12.2004 12:38 0 MSDOS.SYS
18.08.2001 13:00 4.952 bootfont.bin
16 Datei(en) 403.068.422 Bytes
0 Verzeichnis(se), 6.868.238.336 Bytes frei




hier noch die logfile von silentrunner hinterher.


"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wininet.dll" = "mscornet.exe" [null data]
"kernel32.dll" = "C:\WINDOWS\system32\mssearchnet.exe" [null data]
"nvctrl.exe" = "nvctrl.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AOLDialer" = "C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe" ["America Online, Inc"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SO5 Integrator Pass Two" = "C:\WINDOWS\SOINTGR.EXE" [null data]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"SoundMan" = "soundman.exe" ["Avance Logic, Inc."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"IntelliPoint" = ""C:\Programme\Microsoft IntelliPoint\point32.exe"" [MS]
"AVGCtrl" = "C:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]
"D-Link Air USB Utility" = "E:\Programme\D-Link\Air USB Utility\AirCFG.exe" ["D-Link"]
"Lexmark X84-X85 Button Monitor" = "C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe" ["Jetsoft Development Company"]
"Lexmark X84-X85 Button Manager" = "C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe" ["Jetsoft Development Company"]
"PrinTray" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" ["Lexmark"]
"HostManager" = "C:\Programme\Gemeinsame Dateien\AOL\1133287027\ee\AOLHostManager.exe" ["America Online, Inc."]
"Status" = "C:\Programme\Intelligent\ISDN 2000 XP\Status.exe" [empty string]
"ANIWZCS2Service" = "C:\Programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe" ["Alpha Networks Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1ca480cd-c0e5-4548-874e-b85b17905b3a}\(Default) = "HomepageBHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hpD633.tmp" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssbezier.scr" [MS]


Startup items in "Besitzer" & "All Users" startup folders:
----------------------------------------------------------

C:\Dokumente und Einstellungen\Besitzer\Startmenü\Programme\Autostart
"OnlineCounter 2004-Autostart" -> shortcut to: "C:\Programme\OnlineCounter 2004\OnlineCounter-Autostart.exe" [null data]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"AOL 9.0 Tray-Symbol" -> shortcut to: "C:\Programme\AOL 9.0\aoltray.exe -check" ["America Online, Inc."]
"Erinnerungen für Microsoft Works-Kalender" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Office-Start" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA.EXE -b" [MS]


Enabled Scheduled Tasks:
------------------------

"XoftSpy" -> launches: "C:\Programme\XoftSpy\XoftSpy.exe -t" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
AOL Connectivity Service, AOL ACS, ""C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe"" ["America Online, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
HTTP-SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark X84-X85 Port\Driver = "lxboLMPM.DLL" ["Lexmark International, Inc."]
X84-X85 Monitor\Driver = "lxbo2kpm.dll" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 10 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 20 seconds.
---------- (total run time: 69 seconds)







wenn ich Ie6 starte kommt ein fenster vom IE und darin steht.



Warning!

your pc is infected with spyware.

browser version: 4.0 (compatible;MSIE6.0; Windows NT5.1; SV1)
spyware details: "stealthSWs114.h!dll" ver.4.442as18a.
access port:#33299

Your private data and information is in danger. you need to download security software to protect your system.

Click "OK" button to visit official anti-spyware website.



wenn ich dann auf ok drück komme ich auf die seite von Spyaxe, welches ja keiner wirklich haben will. ich übrigens auch nicht.

#2 Danfortesque

mit der rechten Maustaste auf den Link klicken und aus dem Auswahlmenü, Ziel speichern unter -> Desktop wählen -> dann erscheint eine mcor.reg auf dem Bildschirm

http://virus-protect.org/reg/mcor.reg

rechtsklick auf den Link --> Ziel speichern unter... --> wähle Desktop - dann erscheint eine spyaxe.reg auf dem Bildschirm.

http://virus-protect.org/reg/spyaxe.reg

------------------------------------------------------------------

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot / Process all in List )--> anhaken
reinkopieren:
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"

C:\WINDOWS\system32\ncompat.tlb
C:\WINDOWS\system32\hpEDEB.tmp
C:\DOKUME~1\Besitzer\LOKALE~1\Temp\sa1.exe
C:\WINDOWS\system32\hpD633.tmp
C:\WINDOWS\system32\ldEBF6.tmp
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\ts.ico
C:\WINDOWS\system32\ioctrl.dll
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mscornet.exe

starten den PC neu --> in den abgesicherten Modus (F8 druecken, wenn der PC hochfaehrt , waehle abgesicherter Modus, melde dich als Administrator an
und klicke die

mcor.reg
spyaxe.reg

doppelt --> fuege sie mit "ja" oder "yes" der Registry bei

-----------------------------------------------------------------------

öffne das HijackThis --
-- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hpD633.tmp

PC neustarten

SmitRem2.8
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

laden--> in den abgesicherten Modus booten --> öffne smitRem folder --> Doppelklick: RunThis.bat
warte, bis der Scan beendet ist (der Bildschirm wird blau werden. das ist normal)


deaktiviere die Systemwiederherstellung (XP) (dann aktiviere sie wieder)
http://virus-protect.org/systemwiederherstellung.html

scanne mit Kaspersky --> loesche dann manuell, was gefunden wird
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Hallo, habe auch dieses Problem mit der Meldung "Your computer is infected!"
Wie es scheint kann man mir hier vielleicht helfen... Das wäre wirklich super nett!
Ich habe schon mal versucht etwas zu machen...
CleanUp angewendet und die 4 logs von datFind erstellt:


Verzeichnis von C:\WINDOWS\system32

23.12.2005 22:38 1 vx.tll
22.12.2005 23:04 53.098 perfc009.dat
22.12.2005 23:04 380.684 perfh009.dat
22.12.2005 23:04 391.574 perfh007.dat
22.12.2005 23:04 63.976 perfc007.dat
22.12.2005 23:04 897.142 PerfStringBackup.INI
18.12.2005 14:56 1.158 wpa.dbl
16.12.2005 01:11 6.529 kernels64.exe
10.12.2005 19:38 176.167 rmoc3260.dll
10.12.2005 19:38 5.632 pndx5032.dll
10.12.2005 19:38 6.656 pndx5016.dll
10.12.2005 19:38 278.528 pncrt.dll
01.12.2005 12:14 86.091 S32EVNT1.DLL
19.11.2005 18:25 1.919 AUTOEXEC.NT
15.11.2005 20:08 120.544 FNTCACHE.DAT
13.11.2005 19:49 1.162 qtplugin.log
13.11.2005 00:53 207 $winnt$.inf
26.05.2005 04:16 173.536 wuweb.dll
26.05.2005 04:16 1.343.768 wuaueng.dll


Verzeichnis von C:\DOKUME~1\Marvin\LOKALE~1\Temp

24.12.2005 22:55 24.332 tmp4B.tmp
24.12.2005 22:55 102.890 tmp48.tmp
24.12.2005 22:54 224 WCESCOMM.LOG
3 Datei(en) 127.446 Bytes
0 Verzeichnis(se), 72.307.970.048 Bytes frei


Verzeichnis von C:\WINDOWS

24.12.2005 21:18 0 0.log
24.12.2005 21:17 2.048 bootstat.dat
23.12.2005 23:25 30.068 SchedLgU.Txt
23.12.2005 23:25 1.029.781 WindowsUpdate.log
23.12.2005 22:38 1.999 desktop.html
23.12.2005 17:13 718 win.ini
23.12.2005 17:02 214.185 iis6.log
23.12.2005 17:02 39.512 comsetup.log
23.12.2005 17:02 25.867 ntdtcsetup.log
23.12.2005 17:02 54.142 tsoc.log
23.12.2005 17:02 3.782 tabletoc.log
23.12.2005 17:02 1.943 imsins.log
23.12.2005 17:02 5.789 ocmsn.log
23.12.2005 17:02 15.706 netfxocm.log
23.12.2005 17:02 7.832 MedCtrOC.log
23.12.2005 17:02 78.558 ocgen.log
23.12.2005 17:02 5.240 msgsocm.log
23.12.2005 17:02 76.856 FaxSetup.log
23.12.2005 16:48 47.928 msmqinst.log
23.12.2005 16:16 500.320 setupapi.log
22.12.2005 23:05 350 nsw.log
22.12.2005 23:04 4.757 imsins.BAK
21.12.2005 19:04 45.497 wmsetup.log
18.12.2005 16:16 331.227 hplj1300.his
18.12.2005 16:16 13.977 hplj1300.ini
18.12.2005 16:02 45.056 NCUNINST.EXE
18.12.2005 15:36 37.554 ModemLog_AC97 SoftV92 Data Fax Modem with SmartCP.txt
15.12.2005 18:16 210.860 setupact.log
12.12.2005 00:04 50 wiaservc.log
12.12.2005 00:04 411 wiadebug.log
10.12.2005 19:42 25 cdplayer.ini
06.12.2005 16:53 5.700 AceFTP 3 Freeware Setup Log.txt
06.12.2005 16:52 729.088 iun6002.exe
06.12.2005 16:37 1.211 wsftperr.log
02.12.2005 22:06 246 system.ini
25.11.2005 01:38 242 LEXSTAT.INI
22.11.2005 16:48 2.510 Microsoft.MIF
22.11.2005 16:48 2.464 $_hpcst$.hpc
21.11.2005 18:21 6.067 KB899587.log
21.11.2005 18:21 5.972 KB896422.log


Verzeichnis von C:\

24.12.2005 23:48 0 sys.txt
24.12.2005 23:47 7.943 system.txt
24.12.2005 23:45 388 systemtemp.txt
24.12.2005 22:59 99.097 system32.txt
24.12.2005 21:17 777.658.368 pagefile.sys
23.12.2005 22:37 32.256 winstall.exe
16.12.2005 01:24 6.144 w.exe
16.12.2005 01:11 6.529 boot.inx
11.12.2005 20:44 9.902 ldv.log
02.12.2005 22:06 211 boot.ini
19.01.2005 10:52 72 SWSTAMP.TXT
18.01.2005 12:41 0 IO.SYS
18.01.2005 12:41 0 CONFIG.SYS
18.01.2005 12:41 0 MSDOS.SYS
18.01.2005 12:41 0 AUTOEXEC.BAT
04.08.2004 14:00 4.952 bootfont.bin
04.08.2004 14:00 251.184 ntldr
04.08.2004 14:00 47.564 NTDETECT.COM
18 Datei(en) 778.124.610 Bytes
0 Verzeichnis(se), 72.307.793.920 Bytes frei


was muss ich als nächstes machen?
Danke schon mal im Voraus!!

#4 hitchhiker42

gehe in die registry
Start-->Ausfuehren--> regedit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"Wallpaper" = "C:\WINDOWS\desktop.html"<---loeschen

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot / Process all in List )--> anhaken
reinkopieren:
...
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"

C:\WINDOWS\system32\kernels64.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\desktop.html
C:\WINDOWS\iun6002.exe
C:\winstall.exe
C:\boot.inx
C:\w.exe

PC neustarten

Hijackthis
http://computercops.biz/zx/Merijn/hijackthis.zip
http://virus-protect.org/hjtkurz.html
Lade/entpacke HijackThis in einem Ordner
--> None of the above just start the program --> Save--> Savelog -->es öffnet sich der Editor
nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und ins Forum mit rechtem Mausklick "einfügen"

kopiere hier das log vom Silentrunner
http://virus-protect.org/silentrunner.html

scanne mit kaspersky und kopiere hier den scanreport
http://virus-protect.org/onlinescan.html

----------------

C:\boot.inx --> Adware:Adware/EShopper/Downloader.Delf.og
__________
MfG Sabina

rund um die PC-Sicherheit

#5 hier das HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 00:19:04, on 25.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton Internet Security\ISSVC.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Toshiba\Windows Utilities\Hotkey.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe
C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
C:\Programme\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxext.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Marvin\LOKALE~1\Temp\Rar$EX00.823\HijackThis.exe
C:\Programme\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Programme\Toshiba\Windows Utilities\Hotkey.exe" /lang DE
O4 - HKLM\..\Run: [PadTouch] C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe


Silentrunner log:
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"TOSCDSPD" = "C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe" ["TOSHIBA"]
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"Windows installer" = "C:\winstall.exe" [file not found]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"Toshiba Hotkey Utility" = ""C:\Programme\Toshiba\Windows Utilities\Hotkey.exe" /lang DE" ["TOSHIBA Inc."]
"PadTouch" = "C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe" ["TOSHIBA"]
"SmoothView" = "C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe" ["TOSHIBA Corporation"]
"NDSTray.exe" = "NDSTray.exe" ["TOSHIBA CORPORATION"]
"ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"iKeyWorks" = "C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" ["A4Tech Co.,Ltd."]
"System" = "C:\WINDOWS\system32\kernels64.exe" [file not found]
"(Default)" = (empty string)

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{2F5AC606-70CF-461C-BFE1-6063670C3484}" = "Display CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Toshiba\TouchED\TouchED.DLL" ["TOSHIBA Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQ\ICQShExt.dll" ["ICQ"]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Shell" = "Explorer.exe C:\WINDOWS\system32\kernels64.exe" [MS], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
-> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001
[enables Active Desktop and prevents disabling it]
{User Configuration|Administrative Templates|Desktop|Active Desktop|
Enable Active Desktop}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop enabled via Group Policy.

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\TOSHIBA1024x0768.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Marvin" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Meinen Computer prüfen - Marvin" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.EXE /task:"C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 37
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0\bin\npjpi150.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Mobilen Favoriten erstellen"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\INetRepl.dll" [MS]

{6224F700-CBA3-4071-B251-47CB894244CD}\
"ButtonText" = "ICQ Pro"
"MenuText" = "ICQ"
"Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ConfigFree Service, CFSvcs, "C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]
IPv6-Hilfsdienst, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
ISSvc, ISSVC, ""C:\Programme\Norton Internet Security\ISSVC.exe"" ["Symantec Corporation"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Norton AntiVirus Auto-Protect-Dienst, navapsvc, ""C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 67 seconds, including 25 seconds for message boxes)


kaspersky scanreport:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, December 25, 2005 13:48:41
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/12/2005
Kaspersky Anti-Virus database records: 157191
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 45934
Number of viruses found: 5
Number of infected objects: 33
Number of suspicious objects: 1
Duration of the scan process: 1547 sec

Infected Object Name - Virus Name
C:\!KillBox\kernels64.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\!KillBox\winstall.exe Infected: not-virus:Hoax.Win32.Renos.aj
C:\boot.inx Infected: Trojan-Downloader.Win32.Tibs.p
C:\Dokumente und Einstellungen\Marvin\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\Outlook.pst/Persönliche Ordner/Posteingang/30 Sep 2005 13:57 from DEUTSCHE POSTBANK AG:[Norton AntiSpam] DI.rtf Suspicious: Trojan-Spy.HTML.Fraud.gen
C:\Dokumente und Einstellungen\Marvin\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\Outlook.pst/Persönliche Ordner/Posteingang/04 Dec 2005 03:38 from DEUTSCHE BANK AG:[Norton AntiSpam] DIE WI.rtf Infected: Trojan-Spy.HTML.Bankfraud.ky
C:\Dokumente und Einstellungen\Marvin\Lokale Einstellungen\Anwendungsdaten\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Bankfraud.ky
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\0678774D.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\2721770F.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\2721770F.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\29E76016.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\29E76016.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\29EA0A13.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\2AAB373E.exe Infected: Trojan-Downloader.Win32.Small.bho
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\2AAB373E.qtd Infected: Trojan-Downloader.Win32.Small.bho
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\36E46A99.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\36E46A99.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\40B0194E.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4D092F25.exe Infected: Trojan-Downloader.Win32.Small.bho
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4D0C5921.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4D0C5921.qtd Infected: Trojan-Downloader.Win32.Small.bho
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4D10031E.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4D10031E.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4D132D1A.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\632F1DE9.exe Infected: Trojan-Downloader.Win32.Small.bho
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\632F1DE9.qtd Infected: Trojan-Downloader.Win32.Small.bho
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\6B9060D9.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\6B9060D9.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\7A900F18.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\7FED4975.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\7FED4975.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\System Volume Information\_restore{79D14A90-279C-4330-992F-6678EFC5390E}\RP27\A0005761.exe Infected: not-virus:Hoax.Win32.Renos.aj
C:\System Volume Information\_restore{79D14A90-279C-4330-992F-6678EFC5390E}\RP27\A0005762.exe Infected: not-virus:Hoax.Win32.Renos.aj
C:\System Volume Information\_restore{79D14A90-279C-4330-992F-6678EFC5390E}\RP27\A0005870.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\System Volume Information\_restore{79D14A90-279C-4330-992F-6678EFC5390E}\RP27\A0005871.exe Infected: not-virus:Hoax.Win32.Renos.aj

Scan process completed.


C:\boot.inx habe ich gelöscht. das war doch was du gemeint hast, richtig!??

beim systemstart kommt jetzt immer die meldung, dass
C:\WINDOWS\system32\kernels64.exe
nicht gefunden werden kann... das habe ich doch vorhin gelöscht...was mache ich jetzt?

Danke für deinen Beistand!

#6 hitchhiker42

Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fix.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.

Zitat

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=-
"NoActiveDesktop"=-
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows installer"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System"=-

öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\kernels64.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

PC neustarten
Computer in den abgesicherten Modus neustarten (F8 beim Starten drücken). Die Datei "fix.reg" auf dem Desktop doppelklicken.


loesche:
C:\boot.inx

deaktiviere die systemwiederhestellung (dann aktiviere sie wieder)
http://virus-protect.org/systemwiederherstellung.html

so kann man die Mail
30 Sep 2005 13:57 from DEUTSCHE POSTBANK AG
restlos aus der Inbox zu entfernen:
1. Mail aus Inbox löschen
2. Mülleimer leeren
3. Inbox komprimieren (Datei-Menü)

Hintergrund: Die gesamte Inbox ist auf der Festplatte als eine einzige Datei abgelegt. Darin stehen alle Mails untereinander, und auch die "gelöschten" Mails bleiben stehen (nur sind sie als gelöscht markiert). Erst durch das Komprimieren werden tatsächlich Teile aus der Datei entfernt.

dann poste das neue Log vom HijackTHis und scanne noch mal mit kaspersky+ berichte
__________
MfG Sabina

rund um die PC-Sicherheit

#7 die hjt logfile:

Logfile of HijackThis v1.99.1
Scan saved at 17:46:55, on 25.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton Internet Security\ISSVC.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Toshiba\Windows Utilities\Hotkey.exe
C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe
C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
C:\Programme\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\igfxext.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Marvin\LOKALE~1\Temp\Rar$EX00.356\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Programme\Toshiba\Windows Utilities\Hotkey.exe" /lang DE
O4 - HKLM\..\Run: [PadTouch] C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, December 25, 2005 18:18:07
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/12/2005
Kaspersky Anti-Virus database records: 157251
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 46092
Number of viruses found: 3
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 1518 sec

Infected Object Name - Virus Name
C:\!KillBox\kernels64.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\!KillBox\winstall.exe Infected: not-virus:Hoax.Win32.Renos.aj
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\0678774D.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\2721770F.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\2721770F.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\29E76016.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\29E76016.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\29EA0A13.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\2AAB373E.exe Infected: Trojan-Downloader.Win32.Small.bho
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\2AAB373E.qtd Infected: Trojan-Downloader.Win32.Small.bho
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\36E46A99.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\36E46A99.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\40B0194E.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4D092F25.exe Infected: Trojan-Downloader.Win32.Small.bho
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4D0C5921.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4D0C5921.qtd Infected: Trojan-Downloader.Win32.Small.bho
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4D10031E.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4D10031E.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4D132D1A.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\632F1DE9.exe Infected: Trojan-Downloader.Win32.Small.bho
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\632F1DE9.qtd Infected: Trojan-Downloader.Win32.Small.bho
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\6B9060D9.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\6B9060D9.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\7A900F18.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\7FED4975.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\7FED4975.qtd Infected: Trojan-Downloader.Win32.Tibs.p
C:\System Volume Information\_restore{79D14A90-279C-4330-992F-6678EFC5390E}\RP27\A0005761.exe Infected: not-virus:Hoax.Win32.Renos.aj
C:\System Volume Information\_restore{79D14A90-279C-4330-992F-6678EFC5390E}\RP27\A0005762.exe Infected: not-virus:Hoax.Win32.Renos.aj
C:\System Volume Information\_restore{79D14A90-279C-4330-992F-6678EFC5390E}\RP27\A0005870.exe Infected: Trojan-Downloader.Win32.Tibs.p
C:\System Volume Information\_restore{79D14A90-279C-4330-992F-6678EFC5390E}\RP27\A0005871.exe Infected: not-virus:Hoax.Win32.Renos.aj

Scan process completed.



hat die postbank-phishing-mail irgendwas mit dem"infected"-problem zu tun??

danke nochmal für deine Hilfe, besonders jetzt während den freien Tagen!!
Weiß ich sehr zu schätzen!

#8 öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

PC neustarten

C:\!KillBox\kernels64.exe <--loeschen
C:\!KillBox\winstall.exe <--loeschen

deaktiviere die systemwiederhestellung (dann aktiviere sie wieder)
http://virus-protect.org/systemwiederherstellung.html

Zitat

Arbeitsplatz-->Rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.

poste das neue Log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#9 neues hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 18:40:04, on 25.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton Internet Security\ISSVC.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Toshiba\Windows Utilities\Hotkey.exe
C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe
C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
C:\Programme\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\igfxext.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Marvin\LOKALE~1\Temp\Rar$EX00.703\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Programme\Toshiba\Windows Utilities\Hotkey.exe" /lang DE
O4 - HKLM\..\Run: [PadTouch] C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

THX

#10 ich verstehe das nicht.....wendest du das HijackThis richtig an??

Start-->Ausfuehren--> regedit

bearbeiten--> suchen

kernels64.exe
winstall.exe

loesche die Eintraege
[Windows installer] C:\winstall.exe
[System] C:\WINDOWS\system32\kernels64.exe

in der Registry, starte den pc neu und poste das neue Log vom HijacktHis
__________
MfG Sabina

rund um die PC-Sicherheit

#11

Zitat

ich mache "scan + save logfile"

dann mache zur Abwechslung mal das hier...ansonsten wird es langweilig.....

öffne das HijackThis -- Button "scan" -- vor die 2 Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

PC neustarten
__________
MfG Sabina

rund um die PC-Sicherheit

#12 wenn ich es richtig sehe, sind diese zwei hartnäckigen Einträge jetzt raus.
Ich glaube es lag an Spybot, der es irgendwie nicht erlauben wollte die Einträge zu löschen....
zur Sicherheit nochmal ein aktuelles HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 13:56:35, on 26.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton Internet Security\ISSVC.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Toshiba\Windows Utilities\Hotkey.exe
C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe
C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
C:\Programme\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\igfxext.exe
C:\Programme\Messenger\msmsgs.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Programme\Toshiba\Windows Utilities\Hotkey.exe" /lang DE
O4 - HKLM\..\Run: [PadTouch] C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe

Danke für alles!