explorer öffnet weiterhin seiten hijackthis schon durchgeführt

#0
24.01.2006, 12:02
...neu hier

Beiträge: 4
#1 Logfile of HijackThis v1.99.1
Scan saved at 11:55:51, on 24.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Novosoft\Handy Backup 3.5\hbagent.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Telefonauskunft für den PC\Telefonauskunft für den PC 2004\KSTART32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Winamp\winamp.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\WinRAR\WinRAR.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\DOKUME~1\Dursun\LOKALE~1\Temp\Rar$EX07.343\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\system32\search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.immobilienscout24.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\system32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\system32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MBGroup] C:\BSA\VPMSRun\dll.32\MBGroup.exe C:\BSA\VPMSRun\VFrame32\Menu\MenuBera.ini C:\BSA\VPMSRun\dll.32\mb.log
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20099\winlogon.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\system32\efsdfgxg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\GEMEIN~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [Handy Backup 3.5] C:\Programme\Novosoft\Handy Backup 3.5\hbagent.exe /logon
O4 - HKCU\..\Run: [rmkw] C:\PROGRA~1\GEMEIN~1\rmkw\rmkwm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20099\winlogon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Programme\AdwareFilter\adwarefilter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Telefonauskunft für den PC 2004 - Schnellstarter.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programme\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137757568129
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137757545941
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://de.bigfishgames.com/games/en_luxor/online/2/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4677/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{521674B7-A14F-4362-92A6-DE51C1E80C45}: NameServer = 192.168.121.252,192.168.121.253
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\dnr8019ue.dll
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programme\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe





werd das teil einfach nicht los! wäre nett wenn mir einer weiterhilft und mir sagt welche kästchen ich bei hijackthis anklicken muss



Logfile of HijackThis v1.99.1
Scan saved at 12:48:52, on 24.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Novosoft\Handy Backup 3.5\hbagent.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Spyware Doctor\swdoctor.exe
C:\Programme\Telefonauskunft für den PC\Telefonauskunft für den PC 2004\KSTART32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Dokumente und Einstellungen\Dursun\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.immobilienscout24.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MBGroup] C:\BSA\VPMSRun\dll.32\MBGroup.exe C:\BSA\VPMSRun\VFrame32\Menu\MenuBera.ini C:\BSA\VPMSRun\dll.32\mb.log
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\GEMEIN~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [Handy Backup 3.5] C:\Programme\Novosoft\Handy Backup 3.5\hbagent.exe /logon
O4 - HKCU\..\Run: [rmkw] C:\PROGRA~1\GEMEIN~1\rmkw\rmkwm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Programme\AdwareFilter\adwarefilter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Telefonauskunft für den PC 2004 - Schnellstarter.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programme\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137757568129
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137757545941
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://de.bigfishgames.com/games/en_luxor/online/2/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4677/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{521674B7-A14F-4362-92A6-DE51C1E80C45}: NameServer = 192.168.121.252,192.168.121.253
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\gp2sl3f71.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programme\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

hier die neue logdatei...hab paar sachen selbst gelöscht
aber das problem is leider immer noch da...es öffnen sich weiterhin seiten ;)




Datentr„ger in Laufwerk C: ist HDD
Volumeseriennummer: 24B7-9BCF

Verzeichnis von C:\WINDOWS\system32

24.01.2006 12:48 237.233 guard.tmp
24.01.2006 12:46 237.233 FmleProcess.dll
24.01.2006 12:44 346.648 kspydoc.log
24.01.2006 12:44 0 Sweeper.cfg
24.01.2006 12:34 233.933 q6nulg5916.dll
24.01.2006 12:23 237.233 gp2sl3f71.dll
23.01.2006 13:40 2.550 Uninstall.ico
23.01.2006 13:40 1.406 Help.ico
23.01.2006 13:40 30.590 pavas.ico

23.01.2006 10:38 1.170 wpa.dbl
20.01.2006 14:44 329.434 perfh009.dat
20.01.2006 14:44 47.506 perfc009.dat
20.01.2006 14:44 339.230 perfh007.dat
20.01.2006 14:44 58.262 perfc007.dat
20.01.2006 14:44 782.960 PerfStringBackup.INI
20.01.2006 14:38 371.280 FNTCACHE.DAT
20.01.2006 10:41 827.392 FLASH.OCX
20.01.2006 10:41 14.622 muzika.xm
19.01.2006 09:13 636 search.html
18.01.2006 14:11 68.096 msctl32.dll
18.01.2006 14:09 210 z14.exe

04.01.2006 19:46 2.836.320 MRT.exe
29.12.2005 03:54 280.064 gdi32.dll
05.12.2005 15:26 135.168 snapapi.dll
01.12.2005 04:31 1.492.480 shdocvw.dll
24.11.2005 00:58 1.022.464 browseui.dll
24.11.2005 00:58 3.013.632 mshtml.dll
05.11.2005 04:16 606.208 urlmon.dll
05.11.2005 04:16 1.056.256 danim.dll
21.10.2005 04:40 664.064 wininet.dll
21.10.2005 04:40 474.112 shlwapi.dll
21.10.2005 04:40 530.944 mstime.dll
21.10.2005 04:40 146.432 msrating.dll
21.10.2005 04:40 448.512 mshtmled.dll
21.10.2005 04:40 39.424 pngfilt.dll
21.10.2005 04:40 96.768 inseng.dll
21.10.2005 04:40 251.392 iepeers.dll
21.10.2005 04:40 205.312 dxtrans.dll
21.10.2005 04:40 55.808 extmgr.dll
21.10.2005 04:40 152.064 cdfview.dll
20.10.2005 23:25 1.094.144 esent.dll
17.10.2005 22:20 118.272 t2embed.dll
17.10.2005 22:20 80.896 fontsub.dll
13.10.2005 00:11 15.584 spmsg.dll
06.10.2005 04:08 1.839.616 win32k.sys

Datentr„ger in Laufwerk C: ist HDD
Volumeseriennummer: 24B7-9BCF

Verzeichnis von C:\DOKUME~1\Dursun\LOKALE~1\Temp

24.01.2006 13:05 16.384 Perflib_Perfdata_20c.dat
24.01.2006 13:04 16.384 ~DFA134.tmp
17.01.2006 22:24 104 DFC5A2B2.TMP
3 Datei(en) 32.872 Bytes
0 Verzeichnis(se), 51.498.496.000 Bytes frei

Datentr„ger in Laufwerk C: ist HDD
Volumeseriennummer: 24B7-9BCF

Verzeichnis von C:\WINDOWS

24.01.2006 13:04 900.525 WindowsUpdate.log
24.01.2006 12:46 0 0.log
24.01.2006 12:45 2.048 bootstat.dat
24.01.2006 12:43 32.630 SchedLgU.Txt
24.01.2006 12:18 155 winamp.ini
23.01.2006 14:09 712.079 setupapi.log
23.01.2006 14:02 410 KTEL.INI
23.01.2006 13:57 1.081 win.tmp
23.01.2006 13:57 1.081 win.ini
20.01.2006 13:54 99.654 comsetup.log
20.01.2006 13:54 42.762 iis6.log
20.01.2006 13:54 109.108 tsoc.log
20.01.2006 13:54 1.374 imsins.log
20.01.2006 13:54 15.158 ocmsn.log
20.01.2006 13:54 59.670 ntdtcsetup.log
20.01.2006 13:54 32.929 KB899587.log
20.01.2006 13:54 143.642 ocgen.log
20.01.2006 13:54 13.795 msgsocm.log
20.01.2006 13:54 263.756 FaxSetup.log
20.01.2006 13:53 15.268 updspapi.log
20.01.2006 13:53 1.374 imsins.BAK
20.01.2006 13:53 32.429 KB896422.log
20.01.2006 13:52 32.191 KB885835.log
20.01.2006 13:51 30.850 KB885836.log
20.01.2006 13:51 31.850 KB885250.log
20.01.2006 13:51 31.910 KB901017.log
20.01.2006 13:50 32.066 KB899591.log
20.01.2006 13:50 32.440 KB896424.log
20.01.2006 13:50 32.638 KB893756.log
20.01.2006 13:49 29.675 KB896423.log
20.01.2006 13:49 29.905 KB873339.log
20.01.2006 13:49 29.907 KB888113.log
20.01.2006 13:48 30.534 KB887742.log
20.01.2006 13:48 32.604 KB896358.log
20.01.2006 13:48 25.144 KB910437.log
20.01.2006 13:47 20.979 KB898458.log
20.01.2006 13:47 39.857 KB905915.log
20.01.2006 13:45 24.513 KB891781.log
20.01.2006 13:45 35.699 KB902400.log
20.01.2006 13:43 2.068 vminst.log
20.01.2006 13:42 21.619 KB890046.log
20.01.2006 13:41 20.872 KB893066.log
20.01.2006 13:41 21.195 KB905414.log
20.01.2006 13:41 20.421 KB901214.log
20.01.2006 13:41 19.445 KB888302.log
20.01.2006 13:40 22.034 KB900725.log
20.01.2006 13:40 18.533 KB912919.log
20.01.2006 13:40 12.669 KB886185.log
20.01.2006 13:40 9.802 KB885884.log
20.01.2006 13:40 17.725 KB904706.log
20.01.2006 13:40 18.190 KB905749.log
20.01.2006 13:40 17.157 KB896428.log
20.01.2006 13:38 18.442 KB894391.log
20.01.2006 13:38 16.285 KB908519.log
20.01.2006 13:37 19.807 KB890859.log
20.01.2006 12:54 9.043 KB898461.log
20.01.2006 12:53 12.362 KB893803v2.log
20.01.2006 12:53 1.239 avmcoins.log
19.01.2006 10:26 282 system.ini
19.01.2006 10:26 282 system.tmp
19.01.2006 09:14 0 winsysupd1.dat

19.01.2006 09:13 8.928 ModemLog_Aztech CNR V.92 Modem.txt
18.01.2006 14:13 43 drsmartload.dat
18.01.2006 14:11 74.752 tool1.exe
18.01.2006 14:09 0 uniq

18.01.2006 13:29 449 wiadebug.log
18.01.2006 13:28 50 wiaservc.log
12.01.2006 10:35 107.132 UninstallFirefox.exe
12.01.2006 10:34 4.793 mozver.dat
09.01.2006 11:49 116 NeroDigital.ini
03.01.2006 17:45 1.989 uninstall_nmon.vbs
15.12.2005 13:57 6.363 wmsetup.log
14.12.2005 09:34 125 cdplayer.ini
14.11.2005 10:39 0 nsreg.dat
29.08.2005 09:09 241 BUHL.INI
05.08.2005 15:56 206.518 setupact.log
05.08.2005 10:31 395 DINFO.INI
27.07.2005 12:55 712 ODBC.INI
27.07.2005 08:26 6.124 KB887472.log
27.05.2005 00:22 10.752 hh.exe


Datentr„ger in Laufwerk C: ist HDD
Volumeseriennummer: 24B7-9BCF

Verzeichnis von C:\

24.01.2006 13:18 0 sys.txt
24.01.2006 13:17 27.397 system.txt
24.01.2006 13:17 395 systemtemp.txt
24.01.2006 13:17 115.601 system32.txt
24.01.2006 12:45 267.964.416 hiberfil.sys
24.01.2006 12:45 188.743.680 pagefile.sys
18.01.2006 14:11 12.288 drsmartload1.exe
12.10.2004 13:26 30.024 dLib.log
11.10.2004 12:32 1.244.929 rckseite.jpg
11.10.2004 09:52 1.119.205 visiten-front.jpg

cleanup wurde vorher auch durchgeführt....hab das hijackthis log übrigens mit www.hijackthis.de ausgewertet weiss nich ob ich da was vergessen hab!
Dieser Beitrag wurde am 24.01.2006 um 13:28 Uhr von anand editiert.
Seitenanfang Seitenende
24.01.2006, 14:47
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#2 anand

Gehe in die Registry
Start-->Ausfuehren--> regedit
bearbeiten--> suchen--> CMDSERVICE

Klicke auf Bearbeiten -- Berechtigung und klicke dann auf Vollzugriff -- [Übernehmen] und auf [OK]. Erneuter [Rechtsklick] auf den Schlüssel und versuche diesen zu löschen.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService


öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKCU\..\Run: [rmkw] C:\PROGRA~1\GEMEIN~1\rmkw\rmkwm.exe
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\gp2sl3f71.dll

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> anhaken
reinkopieren:
...
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"

C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\FmleProcess.dll
C:\WINDOWS\system32\gp2sl3f71.dll
C:\WINDOWS\system32\kspydoc.log
C:\WINDOWS\system32\Sweeper.cfg
C:\WINDOWS\system32\q6nulg5916.dll
C:\WINDOWS\system32\gp2sl3f71.dll
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\search.html
C:\WINDOWS\system32\msctl32.dll
C:\WINDOWS\system32\z14.exe
C:\WINDOWS\inet20099\winlogon.exe
C:\WINDOWS\inet20099\services.exe
C:\WINDOWS\inet20099\socks.exe
C:\windows\winsysupd.exe
C:\windows\winsysban.exe
C:\WINDOWS\system32\cmd32.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\efsdfgxg.exe
C:\WINDOWS\winsysupd1.dat
C:\WINDOWS\drsmartload.dat
C:\WINDOWS\tool1.exe
C:\WINDOWS\uniq
C:\winstall.exe
C:\drsmartload1.exe

PC neustarten

loesche:
C:\PROGRAMME\GEMEINSAME DATEIEN\rmkw
C:\WINDOWS\inet20099

loesche, falls du es findest:
C:\Dokumente und Einstellungen\All Users\Dokumente\bcvsrv32.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\CRSS.EXE
C:\Dokumente und Einstellungen\All Users\Dokumente\install.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\ip.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\nvagNT.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\scvsrv32.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\stone.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\wiinsvc.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\Xi.exe

Download win32delfkil.exe: http://users.telenet.be/marcvn/tools/win32delfkil.exe
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil Close all windows, open the win32delfkil folder and double click on fix.bat.

arbeite das bitte ab
http://virus-protect.org/artikel/tools/smitfrautfix.html

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

L2mfix --> arbeite Option 2 ab und nach Neustart und scan poste den scanreport
http://virus-protect.org/l2mfix.html

-----------------------------------------------------------------------------------
Information:
http://virus-protect.org/artikel/spyware/delf.html
http://virus-protect.org/artikel/spyware/inet20002.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
24.01.2006, 15:40
...neu hier

Themenstarter

Beiträge: 4
#3 SmitFraudFix v2.15

Rapport fait à 15:38:43,65 le 24.01.2006
Executé à partir de C:\Dokumente und Einstellungen\Dursun\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\


»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\Dokumente und Einstellungen\Dursun\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Recherche Menu Démarrer


»»»»»»»»»»»»»»»»»»»»»»»» Recherche Bureau


»»»»»»»»»»»»»»»»»»»»»»»» Recherche C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Recherche présence de clés corrompues


»»»»»»»»»»»»»»»»»»»»»»»» Recherche éléments du bureau

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» Recherche Sharedtaskscheduler

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll


»»»»»»»»»»»»»»»»»»»»»»»» Fin du rapport
Seitenanfang Seitenende
24.01.2006, 15:41
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#4 ich habe noch was veraendert...schaue noch mal alles durch und arbeite alles ab.

das LOG von L2mfix postest du dann
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
24.01.2006, 16:06
...neu hier

Themenstarter

Beiträge: 4
#5 L2mfix 010406
Creating Account.
Der Befehl wurde erfolgreich ausgefhrt.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 596 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 668 'winlogon.exe'
Killing PID 668 'winlogon.exe'
Killing PID 668 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 3620 'explorer.exe'
Killing PID 3620 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratoren ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed




Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OemStartMenuData]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\q6nulg5916.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DB998F0C-A986-4C93-91B5-1C3EC5D96CB7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB998F0C-A986-4C93-91B5-1C3EC5D96CB7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB998F0C-A986-4C93-91B5-1C3EC5D96CB7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB998F0C-A986-4C93-91B5-1C3EC5D96CB7}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DB998F0C-A986-4C93-91B5-1C3EC5D96CB7}"=-
[-HKEY_CLASSES_ROOT\CLSID\{DB998F0C-A986-4C93-91B5-1C3EC5D96CB7}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/DB998F0C-A986-4C93-91B5-1C3EC5D96CB7.reg (188 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)









und hier das hijacklog

Logfile of HijackThis v1.99.1
Scan saved at 16:06:17, on 24.01.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Novosoft\Handy Backup 3.5\hbagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Spyware Doctor\swdoctor.exe
C:\Programme\Telefonauskunft für den PC\Telefonauskunft für den PC 2004\KSTART32.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Dursun\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MBGroup] C:\BSA\VPMSRun\dll.32\MBGroup.exe C:\BSA\VPMSRun\VFrame32\Menu\MenuBera.ini C:\BSA\VPMSRun\dll.32\mb.log
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\GEMEIN~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [Handy Backup 3.5] C:\Programme\Novosoft\Handy Backup 3.5\hbagent.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Programme\AdwareFilter\adwarefilter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Telefonauskunft für den PC 2004 - Schnellstarter.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programme\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137757568129
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137757545941
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://de.bigfishgames.com/games/en_luxor/online/2/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4677/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{521674B7-A14F-4362-92A6-DE51C1E80C45}: NameServer = 192.168.121.252,192.168.121.253
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\q6nulg5916.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programme\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Seitenanfang Seitenende
24.01.2006, 23:53
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#6

Zitat

192.168.121.252,192.168.121.253
Suchbegriff: 192.168.121.252
Adresse: whois.arin.net

Suchergebnis:

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
fixe mit dem HijackThis...damit wird deine Internetverbindung geloescht...du musst dann eine neue erstellen

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{521674B7-A14F-4362-92A6-DE51C1E80C45}: NameServer = 192.168.121.252,192.168.121.253
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\q6nulg5916.dll (file missing)

pc neustarten


Download FixWareout:
http://swandog46.geekstogo.com/Fixwareout.exe
Fixwareout.exe --> next --> Install --> Run fixit --> Finish / der PC wird neustarten --> C:\fixwareout\report.txt

Winpfind
http://virus-protect.org/winpfind.html
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
25.01.2006, 10:09
...neu hier

Themenstarter

Beiträge: 4
#7 Fixwareout ver 1.003
Last edited 1/12/2006
Post this report in the forums please

Reg Entries that were deleted

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 05.10.2004 16:00:00 116224 C:\WINDOWS\FMDUn.EXE
ad-w-a-r-e.com 23.01.2006 14:09:40 712079 C:\WINDOWS\setupapi.log

Checking %System% folder...
PEC2 29.08.2002 11:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 09.06.2005 21:32:28 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 09.06.2005 21:32:28 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 12.07.2005 18:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 04.01.2006 19:46:40 2836320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.01.2006 19:46:40 2836320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 03.08.2004 23:57:10 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 03.08.2004 23:57:34 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 30.10.2005 20:49:02 42496 C:\WINDOWS\SYSTEM32\swreg.exe
PEC2 20.07.1995 R 1371436 C:\WINDOWS\SYSTEM32\VBAR2132.DLL
winsync 29.08.2002 11:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
25.01.2006 09:53:12 S 2048 C:\WINDOWS\bootstat.dat
20.01.2006 12:46:52 H 0 C:\WINDOWS\inf\oem16.inf
20.01.2006 12:48:48 H 0 C:\WINDOWS\inf\oem17.inf
01.12.2005 04:44:42 S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
02.12.2005 01:12:38 S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
03.01.2006 00:09:26 S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
25.01.2006 09:53:42 H 1024 C:\WINDOWS\system32\config\default.LOG
25.01.2006 09:53:24 H 1024 C:\WINDOWS\system32\config\SAM.LOG
25.01.2006 09:53:42 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
25.01.2006 10:00:20 H 1024 C:\WINDOWS\system32\config\software.LOG
25.01.2006 09:58:48 H 1024 C:\WINDOWS\system32\config\system.LOG
20.01.2006 13:52:24 H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
23.01.2006 10:22:00 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\8254c256-9404-4fb0-9d77-0929b1bca14b
23.01.2006 10:22:00 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
25.01.2006 09:53:12 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 03.08.2004 23:58:24 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 03.08.2004 23:58:24 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 03.08.2004 23:58:24 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 03.08.2004 23:58:24 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 03.08.2004 23:58:24 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 03.08.2004 23:58:24 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 03.08.2004 23:58:24 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 03.08.2004 23:58:24 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 03.08.2004 23:58:24 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 03.08.2004 23:58:24 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 29.08.2002 11:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 03.08.2004 23:58:24 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 29.08.2002 11:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 03.08.2004 23:58:24 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 03.08.2004 23:58:24 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 03.03.2003 08:44:00 139264 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 03.08.2004 23:58:24 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 03.08.2004 23:58:24 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
29.11.2001 15:09:44 475136 C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation 03.08.2004 23:58:24 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 29.08.2002 11:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 03.08.2004 23:58:24 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 03.08.2004 23:58:24 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 29.08.2002 11:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 29.08.2002 11:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
24.02.2005 13:03:12 1939 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Gamma Loader.lnk
28.04.2005 08:40:36 665 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\AdwareFilter Background Protection.lnk
16.12.2002 17:16:44 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
27.07.2005 12:55:18 1717 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
05.10.2004 10:34:18 921 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Telefonauskunft für den PC 2004 - Schnellstarter.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
16.12.2002 17:05:44 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
16.12.2002 17:16:44 HS 84 C:\Dokumente und Einstellungen\Dursun\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
16.12.2002 17:05:44 HS 62 C:\Dokumente und Einstellungen\Dursun\Anwendungsdaten\desktop.ini
30.11.2005 16:16:00 102184 C:\Dokumente und Einstellungen\Dursun\Anwendungsdaten\GDIPFONTCACHEV1.DAT
20.01.2006 09:48:10 68458 C:\Dokumente und Einstellungen\Dursun\Anwendungsdaten\wklnhst.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\AVPersonal\AVShlExt.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EasyCryptoMenu
{A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Handy Backup
{F70E776E-E75D-444D-B982-ADA472624D8E} = C:\Programme\Novosoft\Handy Backup 3.5\hbshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\AVPersonal\AVShlExt.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EasyCryptoMenu
{A0752120-6D75-D111-B5B1-0800095A2318} = C:\WINDOWS\System32\tsseCryp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Handy Backup
{F70E776E-E75D-444D-B982-ADA472624D8E} = C:\Programme\Novosoft\Handy Backup 3.5\hbshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
PCTools Site Guard = C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\programme\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
ButtonText = Spyware Doctor :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}
ButtonText = ICQ Lite : C:\Programme\ICQLite\ICQLite.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\programme\google\googletoolbar2.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\programme\google\googletoolbar2.dll
{51CE7A05-9C90-433B-8BEC-73973997F6F2} = :
{1028F737-81E7-452B-A860-E50CAD90A08C} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet
HTpatch C:\WINDOWS\htpatch.exe
EM_EXEC C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
VOBRegCheck C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
Microsoft Works Update Detection C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
MBGroup C:\BSA\VPMSRun\dll.32\MBGroup.exe C:\BSA\VPMSRun\VFrame32\Menu\MenuBera.ini C:\BSA\VPMSRun\dll.32\mb.log
TkBellExe "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
IMPALARM
FreePDF Assistant C:\Programme\FreePDF_XP\fpassist.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
OSSelectorReinstall C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe
AVGCtrl "C:\Programme\AVPersonal\AVGNT.EXE" /min

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Programme\Messenger\msmsgs.exe" /background
Update Service C:\PROGRA~1\GEMEIN~1\TEKNUM~1\update.exe /startup
Handy Backup 3.5 C:\Programme\Novosoft\Handy Backup 3.5\hbagent.exe /logon
SpybotSD TeaTimer C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
Spyware Doctor "C:\Programme\Spyware Doctor\swdoctor.exe" /Q

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 25.01.2006 10:05:46






R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\system32\search.html

diese beiden einträge hab ich aus der hijackthis liste gelöscht nach dem winfix nochmal nen hijackthis gemacht hat! hoffe das war jetzt nicht falsch !

übrigens diese nervigen seiten die sich von selbst laden sind schon weg ;)
Seitenanfang Seitenende
25.01.2006, 12:47
Ehrenmitglied
Avatar Sabina

Beiträge: 29434
#8 loesche:
C:\WINDOWS\setupapi.log -->(ist vom Look2Me)

Hoster.zip

http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.


Oben auf der Seite
--> auf Durchsuchen klicken --> Datei aussuchen --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten --> kopiere das Ergebnis in das Sicherheitsforum
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\FMDUn.EXE
C:\Dokumente und Einstellungen\Dursun\Anwendungsdaten\wklnhst.dat
__________
MfG Sabina

rund um die PC-Sicherheit
Seitenanfang Seitenende
Um auf dieses Thema zu ANTWORTEN
bitte erst » hier kostenlos registrieren!!

Folgende Themen könnten Dich auch interessieren:
  • »
  • »
  • »
  • »
  • »