How do I get rid of Winfixer?

30.01.2006, 16:22
...new here

Posts: 10
#1 I have problems with Winfixer. I hope you can help me. Many thanks in advance, Rolf
30.01.2006, 19:48
Honorary member
Sabina

Posts: 29434
#2 Hi karolf

HijackThis
http://computercops.biz/zx/Merijn/hijackthis.zip
http://virus-protect.org/hjtkurz.html
Download/unpack HijackThis into a folder
--> None of the above just start the program --> Save --> Savelog --> Notepad opens
now copy the COMPLETE log with a right-click and "paste" it into the forum with a right-click
__________
Kind regards, Sabina

all about PC security
01.02.2006, 14:55
...new here

Thread starter

Posts: 10
#3 Hello, here is the requested information from the log file. I hope I have copied and pasted everything that is needed.

Logfile of HijackThis v1.99.1
Scan saved at 14:50:26, on 01.02.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Dokumente und Einstellungen\Rolf\Desktop\hijackthis\HijackThis.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\yayyy.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\pmnlm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ccleaner] "C:\Programme\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [Zonelap] C:\\Programme\\Zone Labs\\ZoneAlarm\\zonealarm.exe
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\l4r00e9meh.dll
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\SYSTEM32\pmnlm.dll
O20 - Winlogon Notify: yayyy - C:\WINDOWS\System32\yayyy.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Windows Disk Check (dskcheck) - Unknown owner - C:\WINDOWS\system32\dskcheck.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
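As an added example (not from the thread or from HijackThis), a small Python triage script for the O2/O20/O23 lines of a log like the one above: it flags a DLL that is registered both as a BHO and as a Winlogon Notify package, a BHO without a display name, and a service whose binary is missing or whose owner is unknown. The sample log is a constructed excerpt of the log posted above.

```python
"""Triage of HijackThis v1.99 log lines for Vundo-style persistence.

Added example, not part of the thread or of HijackThis. It reads the O2 (BHO),
O20 (Winlogon Notify) and O23 (service) lines and flags the patterns a helper
looks for: one DLL registered both as a BHO and as a Winlogon Notify package,
a BHO with "(no name)", and a service whose binary is missing or whose owner
is unknown.
"""
import re

# Constructed excerpt of the log posted above (same entries, shortened).
SAMPLE_LOG = r"""
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\yayyy.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\pmnlm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\l4r00e9meh.dll
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\SYSTEM32\pmnlm.dll
O20 - Winlogon Notify: yayyy - C:\WINDOWS\System32\yayyy.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Windows Disk Check (dskcheck) - Unknown owner - C:\WINDOWS\system32\dskcheck.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) \((\S+)\) - (.+?) - (.+)$")


def basename(path):
    """Lower-cased file name of a Windows path (System32 vs SYSTEM32 is irrelevant)."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of (section, item, reason) findings for one HijackThis log."""
    bho_by_dll = {}      # dll name -> BHO display name
    notify_by_dll = {}   # dll name -> Winlogon Notify subkey name
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            name, _clsid, path = m.groups()
            dll = basename(path)
            bho_by_dll[dll] = name
            if name == "(no name)":
                findings.append(("O2", dll, "BHO registered without a display name"))
            continue
        m = O20_RE.match(line)
        if m:
            key, path = m.groups()
            notify_by_dll[basename(path)] = key
            continue
        m = O23_RE.match(line)
        if m:
            _display, service, owner, path = m.groups()
            reasons = []
            if "(file missing)" in path:
                reasons.append("binary missing")
            if owner == "Unknown owner":
                reasons.append("unknown owner")
            if reasons:
                findings.append(("O23", service, ", ".join(reasons)))
    # Vundo loads the same DLL as a BHO inside the browser and as a Winlogon
    # Notify package inside winlogon.exe; a legitimate BHO has no business there.
    for dll in sorted(set(bho_by_dll) & set(notify_by_dll)):
        findings.append(("O2+O20", dll, "same DLL is a BHO and a Winlogon Notify package"))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"{section:6} {item:14} {reason}")
```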
01.02.2006, 17:09
Honorary member
Sabina

Posts: 29434
#4 karolf

well... an infested PC without Windows updates... normally I don't waste any time on something like this..........

.....................................................................................................

configure CleanUp exactly as specified here:
http://virus-protect.org/cleanup.html

Copy these 4 text files. They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html

Download Registry Search by Bobbi Flekman
http://www.bleepingcomputer.com/files/regsearch.php
and double-click to start it. In "Enter search strings" (type or paste in):

Windows Disk Check

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.
__________
Kind regards, Sabina
02.02.2006, 16:29
...new here

Thread starter

Posts: 10
#5 First of all, I would nevertheless like to thank you for your efforts. I have absolutely zero knowledge of PCs. It was set up for me and that was it. So I also don't know why web pages keep opening on their own. I only heard from acquaintances that I have a trojan, and it's called WinFixer.

Now to the requested data.
datFind.bat produced the following:

02.02.2006 16:06 406.175 yyyay.ini
02.02.2006 15:51 233.978 guard.tmp
02.02.2006 15:39 35.859 vsconfig.xml
02.02.2006 15:37 233.978 cnosys.dll
02.02.2006 15:37 234.192 f4j20e1oeh.dll
02.02.2006 15:37 2.184 wpa.dbl
01.02.2006 14:48 236.125 mowsock.dll
01.02.2006 14:48 233.978 en64l1jq1.dll
01.02.2006 14:39 4.212 zllictbl.dat
01.02.2006 14:38 236.125 clmmdlg.dll
01.02.2006 14:38 234.174 p2n8lc5u1f.dll
31.01.2006 19:15 405.687 yyyay.bak2
30.01.2006 17:51 235.825 ijfgnt5.dll
29.01.2006 21:28 237.077 l22slcf71f2.dll
29.01.2006 21:14 237.077 jnsd400.dll
29.01.2006 21:02 237.077 mmobjs.dll
29.01.2006 20:53 237.077 bgowsewm.dll
29.01.2006 20:53 234.058 en26l1fs1.dll
29.01.2006 16:10 237.077 insecsnp.dll
29.01.2006 14:24 311.604 perfh009.dat
29.01.2006 14:24 39.992 perfc009.dat
29.01.2006 14:24 316.594 perfh007.dat
29.01.2006 14:24 48.156 perfc007.dat
29.01.2006 14:24 721.390 PerfStringBackup.INI
29.01.2006 13:58 97 mcrh.tmp
29.01.2006 13:37 0 atmtd.dll.tmp
29.01.2006 13:36 234.691 mwhcp.dll
29.01.2006 13:03 235.756 bjowser.dll
29.01.2006 12:36 233.425 skfolder.dll
29.01.2006 10:41 234.721 EPFBCHAEE.DLL
29.01.2006 10:06 237.314 mdvcp50.dll
28.01.2006 19:41 233.996 zhpfldr.dll
28.01.2006 18:25 237.314 stbiop.dll
28.01.2006 17:38 236.768 dDdxof.dll
28.01.2006 17:28 237.314 mhvcp50.dll
27.01.2006 18:36 235.552 cbwmdm.dll
27.01.2006 18:18 154 AdService.bat
27.01.2006 18:18 16.896 AdService.dll
27.01.2006 18:18 234.272 dlrpsetu.dll
27.01.2006 18:17 35.853 jkkif.dll
27.01.2006 18:15 237.314 rIsppp.dll
27.01.2006 17:47 234.272 dsskperf.dll
27.01.2006 17:46 16.896 winhfp32.dll
27.01.2006 17:46 35.853 ljjjk.dll
27.01.2006 17:41 234.506 ihaksie.dll
27.01.2006 17:38 237.314 sqorage.dll
27.01.2006 17:36 234.506 muc42loc.dll
27.01.2006 16:09 35.853 khhed.dll
27.01.2006 16:07 235.758 dergres.dll
26.01.2006 15:41 234.272 mrw3prt.dll
26.01.2006 15:28 35.853 rqrsr.dll
26.01.2006 15:25 234.272 cwl3d32.dll
25.01.2006 19:26 235.928 hr6q05j5e.dll
25.01.2006 19:20 35.853 vtust.dll
25.01.2006 19:16 235.928 saorage.dll
25.01.2006 19:07 35.853 oppqo.dll
25.01.2006 19:07 1.037 info.txt
25.01.2006 19:00 234.272 dzgest.dll
25.01.2006 15:23 35.853 awtts.dll
24.01.2006 18:47 35.853 mllif.dll
18.01.2006 13:05 57.344 avsda.dll
14.01.2006 17:32 35.853 khfdc.dll
12.01.2006 17:51 35.853 pmnlm.dll
09.01.2006 16:18 215.420 yyyay.bak1
09.01.2006 16:17 565.300 yayyy.dll
08.01.2006 17:07 35.853 ursqp.dll
08.01.2006 17:05 94.272 FNTCACHE.DAT
08.01.2006 14:44 3.069 jupdate-1.5.0_02-b09.log
08.01.2006 14:41 35.853 efcba.dll
08.01.2006 14:33 0 REN5.tmp
08.01.2006 14:33 0 REN6.tmp
04.01.2006 18:03 7.006 jupdate-1.5.0_06-b05.log
19.12.2005 17:51 3.157 jupdate-1.4.2_03-b02.log
19.12.2005 17:05 0 eraseme_60420.exe
19.12.2005 17:05 72 i
19.12.2005 17:05 63 download.dat
19.12.2005 17:03 150.016 ExtraUpdate.exe
19.12.2005 17:02 0 TFTP2456
18.12.2005 16:36 25.065 wmpscheme.xml
18.12.2005 16:27 261 $winnt$.inf
18.12.2005 16:24 2.951 CONFIG.NT
18.12.2005 16:24 16.832 amcompat.tlb
18.12.2005 16:24 23.392 nscompat.tlb
18.12.2005 16:23 488 WindowsLogon.manifest
18.12.2005 16:23 488 logonui.exe.manifest
18.12.2005 16:23 749 wuaucpl.cpl.manifest
18.12.2005 16:23 749 cdplayer.exe.manifest
18.12.2005 16:23 749 nwc.cpl.manifest
18.12.2005 16:23 749 ncpa.cpl.manifest
18.12.2005 16:23 749 sapi.cpl.manifest
18.12.2005 16:21 21.740 emptyregdb.dat
18.12.2005 16:19 0 h323log.txt
15.11.2005 00:51 71.440 zlcommdb.dll
15.11.2005 00:51 79.624 zlcomm.dll
15.11.2005 00:51 100.104 vsxml.dll
15.11.2005 00:51 382.728 vsutil.dll
15.11.2005 00:51 71.440 vsregexp.dll
15.11.2005 00:50 227.088 vspubapi.dll
15.11.2005 00:50 104.208 vsmonapi.dll
15.11.2005 00:50 141.064 vsinit.dll
15.11.2005 00:50 372.816 vsdatant.sys
15.11.2005 00:50 83.720 vsdata.dll


and Registry Search produced the following:


REGEDIT4

; Registry Search by Bobbi Flekman © 2005
; Version: 1.0.2.4

; Results at 02.02.2006 16:18:12 for strings:
; 'windows disk check'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DSKCHECK\0000]
"DeviceDesc"="Windows Disk Check"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dskcheck]
"DisplayName"="Windows Disk Check"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DSKCHECK\0000]
"DeviceDesc"="Windows Disk Check"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dskcheck]
"DisplayName"="Windows Disk Check"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DSKCHECK\0000]
"DeviceDesc"="Windows Disk Check"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dskcheck]
"DisplayName"="Windows Disk Check"

; End Of The Log...

Thanks again for your help and efforts.
Regards
karolf
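An added example, not from the thread or from datfind.bat: grouping the DLLs of a DIR listing by exact byte size, which exposes the clusters of identically sized, randomly named DLLs that a helper picks out of the listing above by eye. It parses the German-locale DIR format shown above; the sample listing is a constructed excerpt of the posted system32 listing, and the cluster threshold of 3 is an assumption.

```python
"""Size clustering over a Windows DIR listing (German locale format).

Added example, not part of the thread or of datfind.bat. The listing posted
above is plain `dir` output: date, time, size with "." as thousands separator,
file name. Droppers of this family write many randomly named DLLs of identical
size into system32 over a few days; grouping DLLs by exact byte size exposes
those clusters without knowing any file name in advance.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime

Entry = namedtuple("Entry", "mtime size name")

# Constructed excerpt of the system32 listing posted above.
SAMPLE_LISTING = """
Verzeichnis von C:\\WINDOWS\\system32:
02.02.2006 15:37 233.978 cnosys.dll
02.02.2006 15:37 2.184 wpa.dbl
01.02.2006 14:48 233.978 en64l1jq1.dll
29.01.2006 21:28 237.077 l22slcf71f2.dll
29.01.2006 21:14 237.077 jnsd400.dll
29.01.2006 21:02 237.077 mmobjs.dll
29.01.2006 14:24 311.604 perfh009.dat
27.01.2006 18:17 35.853 jkkif.dll
27.01.2006 17:46 35.853 ljjjk.dll
27.01.2006 16:09 35.853 khhed.dll
26.01.2006 15:28 35.853 rqrsr.dll
25.01.2006 19:20 35.853 vtust.dll
12.01.2006 17:51 35.853 pmnlm.dll
18.01.2006 13:05 57.344 avsda.dll
15.11.2005 00:51 71.440 zlcommdb.dll
15.11.2005 00:51 71.440 vsregexp.dll
15.11.2005 00:50 372.816 vsdatant.sys
"""

# dd.mm.yyyy hh:mm size name  (size uses "." as the thousands separator)
LINE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4}) (\d{2}:\d{2}) ([\d.]+) (.+)$")


def parse_listing(text):
    """Parse DIR lines into Entry records; directory headers and totals are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, time, size, name = m.groups()
        mtime = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M")
        entries.append(Entry(mtime, int(size.replace(".", "")), name.strip()))
    return entries


def size_clusters(entries, min_members=3, suffix=".dll"):
    """Group files with the given suffix by exact size; keep groups of min_members or more.

    Two files of one size are common (an installer shipping sibling DLLs, as
    with the ZoneAlarm pair in the sample), so the default threshold is 3.
    Members are returned oldest first so the drop timeline can be read off.
    """
    by_size = defaultdict(list)
    for e in entries:
        if e.name.lower().endswith(suffix):
            by_size[e.size].append(e)
    return {size: sorted(members, key=lambda e: e.mtime)
            for size, members in by_size.items() if len(members) >= min_members}


def span_days(members):
    """Whole days between the oldest and newest member of a cluster."""
    return (members[-1].mtime - members[0].mtime).days


if __name__ == "__main__":
    clusters = size_clusters(parse_listing(SAMPLE_LISTING))
    for size, members in sorted(clusters.items()):
        names = ", ".join(e.name for e in members)
        print(f"{len(members)} DLLs of {size} bytes over {span_days(members)} day(s): {names}")
```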
03.02.2006, 00:36
Honorary member
Sabina

Posts: 29434
#6 unfortunately you did not post the 4 text files... only the first one...

Quote

C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\cnosys.dll
C:\WINDOWS\System32\f4j20e1oeh.dll
C:\WINDOWS\System32\mowsock.dll
C:\WINDOWS\System32\en64l1jq1.dll
C:\WINDOWS\System32\clmmdlg.dll
C:\WINDOWS\System32\p2n8lc5u1f.dll
C:\WINDOWS\System32\ijfgnt5.dll
C:\WINDOWS\System32\l22slcf71f2.dll
C:\WINDOWS\System32\jnsd400.dll
C:\WINDOWS\System32\mmobjs.dll
C:\WINDOWS\System32\bgowsewm.dll
C:\WINDOWS\System32\en26l1fs1.dll
C:\WINDOWS\System32\insecsnp.dll
C:\WINDOWS\System32\mcrh.tmp
C:\WINDOWS\System32\atmtd.dll.tmp
C:\WINDOWS\System32\mwhcp.dll
C:\WINDOWS\System32\bjowser.dll
C:\WINDOWS\System32\skfolder.dll
C:\WINDOWS\System32\EPFBCHAEE.DLL
C:\WINDOWS\System32\mdvcp50.dll
C:\WINDOWS\System32\zhpfldr.dll
C:\WINDOWS\System32\stbiop.dll
C:\WINDOWS\System32\dDdxof.dll
C:\WINDOWS\System32\mhvcp50.dll
C:\WINDOWS\System32\cbwmdm.dll
C:\WINDOWS\System32\AdService.bat
C:\WINDOWS\System32\AdService.dll
C:\WINDOWS\System32\dlrpsetu.dll
C:\WINDOWS\System32\jkkif.dll
C:\WINDOWS\System32\rIsppp.dll
C:\WINDOWS\System32\dsskperf.dll
C:\WINDOWS\System32\winhfp32.dll
C:\WINDOWS\System32\ljjjk.dll
C:\WINDOWS\System32\ihaksie.dll
C:\WINDOWS\System32\sqorage.dll
C:\WINDOWS\System32\muc42loc.dll
C:\WINDOWS\System32\khhed.dll
C:\WINDOWS\System32\dergres.dll
C:\WINDOWS\System32\mrw3prt.dll
C:\WINDOWS\System32\rqrsr.dll
C:\WINDOWS\System32\cwl3d32.dll
C:\WINDOWS\System32\hr6q05j5e.dll
C:\WINDOWS\System32\vtust.dll
C:\WINDOWS\System32\saorage.dll
C:\WINDOWS\System32\oppqo.dll
C:\WINDOWS\System32\info.txt
C:\WINDOWS\System32\dzgest.dll
C:\WINDOWS\System32\awtts.dll
C:\WINDOWS\System32\mllif.dll
C:\WINDOWS\System32\avsda.dll
C:\WINDOWS\System32\khfdc.dll
C:\WINDOWS\System32\pmnlm.dll
C:\WINDOWS\System32\ursqp.dll
C:\WINDOWS\System32\efcba.dll
C:\WINDOWS\System32\REN5.tmp
C:\WINDOWS\System32\REN6.tmp
C:\WINDOWS\System32\eraseme_60420.exe
C:\WINDOWS\System32\i
C:\WINDOWS\System32\download.dat
C:\WINDOWS\System32\ExtraUpdate.exe
C:\WINDOWS\System32\TFTP2456

please post the other three as well

Verzeichnis von C:\WINDOWS\system32
Verzeichnis von C:\DOKUME~1\Username\LOKALE~1\Temp
Verzeichnis von C:\WINDOWS
Verzeichnis von C:\

__________
Kind regards, Sabina
03.02.2006, 13:20
...new here

Thread starter

Posts: 10
#7 Sorry, I had made a mistake in using it. Here are the 4 files once more:

Verzeichnis von C:\WINDOWS\system32:
03.02.2006 13:14 406.583 yyyay.ini
03.02.2006 13:01 35.859 vsconfig.xml
03.02.2006 12:58 233.978 mtc42loc.dll
03.02.2006 12:58 234.538 n06q0aj5edo.dll
02.02.2006 15:51 233.978 e4200efmeh2a0.dll
02.02.2006 15:37 234.192 f4j20e1oeh.dll
02.02.2006 15:37 2.184 wpa.dbl
01.02.2006 14:48 236.125 mowsock.dll
01.02.2006 14:39 4.212 zllictbl.dat
01.02.2006 14:38 236.125 clmmdlg.dll
01.02.2006 14:38 234.174 p2n8lc5u1f.dll
31.01.2006 19:15 405.687 yyyay.bak2
30.01.2006 17:51 235.825 ijfgnt5.dll
29.01.2006 21:28 237.077 l22slcf71f2.dll
29.01.2006 21:14 237.077 jnsd400.dll
29.01.2006 21:02 237.077 mmobjs.dll
29.01.2006 20:53 237.077 bgowsewm.dll
29.01.2006 20:53 234.058 en26l1fs1.dll
29.01.2006 16:10 237.077 insecsnp.dll
29.01.2006 14:24 311.604 perfh009.dat
29.01.2006 14:24 39.992 perfc009.dat
29.01.2006 14:24 316.594 perfh007.dat
29.01.2006 14:24 48.156 perfc007.dat
29.01.2006 14:24 721.390 PerfStringBackup.INI
29.01.2006 13:58 97 mcrh.tmp
29.01.2006 13:37 0 atmtd.dll.tmp
29.01.2006 13:36 234.691 mwhcp.dll
29.01.2006 13:03 235.756 bjowser.dll
29.01.2006 12:36 233.425 skfolder.dll
29.01.2006 10:41 234.721 EPFBCHAEE.DLL
29.01.2006 10:06 237.314 mdvcp50.dll
28.01.2006 19:41 233.996 zhpfldr.dll
28.01.2006 18:25 237.314 stbiop.dll
28.01.2006 17:38 236.768 dDdxof.dll
28.01.2006 17:28 237.314 mhvcp50.dll
27.01.2006 18:36 235.552 cbwmdm.dll
27.01.2006 18:18 154 AdService.bat
27.01.2006 18:18 16.896 AdService.dll
27.01.2006 18:18 234.272 dlrpsetu.dll
27.01.2006 18:17 35.853 jkkif.dll
27.01.2006 18:15 237.314 rIsppp.dll
27.01.2006 17:47 234.272 dsskperf.dll
27.01.2006 17:46 16.896 winhfp32.dll
27.01.2006 17:46 35.853 ljjjk.dll
27.01.2006 17:41 234.506 ihaksie.dll
27.01.2006 17:38 237.314 sqorage.dll
27.01.2006 17:36 234.506 muc42loc.dll
27.01.2006 16:09 35.853 khhed.dll
27.01.2006 16:07 235.758 dergres.dll
26.01.2006 15:41 234.272 mrw3prt.dll
26.01.2006 15:28 35.853 rqrsr.dll
26.01.2006 15:25 234.272 cwl3d32.dll
25.01.2006 19:26 235.928 hr6q05j5e.dll
25.01.2006 19:20 35.853 vtust.dll
25.01.2006 19:16 235.928 saorage.dll
25.01.2006 19:07 35.853 oppqo.dll
25.01.2006 19:07 1.037 info.txt
25.01.2006 19:00 234.272 dzgest.dll
25.01.2006 15:23 35.853 awtts.dll
24.01.2006 18:47 35.853 mllif.dll
18.01.2006 13:05 57.344 avsda.dll
14.01.2006 17:32 35.853 khfdc.dll
12.01.2006 17:51 35.853 pmnlm.dll
09.01.2006 16:18 215.420 yyyay.bak1
09.01.2006 16:17 565.300 yayyy.dll
08.01.2006 17:07 35.853 ursqp.dll
08.01.2006 17:05 94.272 FNTCACHE.DAT
08.01.2006 14:44 3.069 jupdate-1.5.0_02-b09.log
08.01.2006 14:41 35.853 efcba.dll
08.01.2006 14:33 0 REN5.tmp
08.01.2006 14:33 0 REN6.tmp
04.01.2006 18:03 7.006 jupdate-1.5.0_06-b05.log
19.12.2005 17:51 3.157 jupdate-1.4.2_03-b02.log
19.12.2005 17:05 0 eraseme_60420.exe
19.12.2005 17:05 72 i
19.12.2005 17:05 63 download.dat
19.12.2005 17:03 150.016 ExtraUpdate.exe
19.12.2005 17:02 0 TFTP2456
18.12.2005 16:36 25.065 wmpscheme.xml
18.12.2005 16:27 261 $winnt$.inf
18.12.2005 16:24 2.951 CONFIG.NT
18.12.2005 16:24 16.832 amcompat.tlb
18.12.2005 16:24 23.392 nscompat.tlb
18.12.2005 16:23 488 WindowsLogon.manifest
18.12.2005 16:23 488 logonui.exe.manifest
18.12.2005 16:23 749 wuaucpl.cpl.manifest
18.12.2005 16:23 749 cdplayer.exe.manifest
18.12.2005 16:23 749 nwc.cpl.manifest
18.12.2005 16:23 749 ncpa.cpl.manifest
18.12.2005 16:23 749 sapi.cpl.manifest
18.12.2005 16:21 21.740 emptyregdb.dat
18.12.2005 16:19 0 h323log.txt
15.11.2005 00:51 71.440 zlcommdb.dll
15.11.2005 00:51 79.624 zlcomm.dll
15.11.2005 00:51 100.104 vsxml.dll
15.11.2005 00:51 382.728 vsutil.dll
15.11.2005 00:51 71.440 vsregexp.dll
15.11.2005 00:50 227.088 vspubapi.dll
15.11.2005 00:50 104.208 vsmonapi.dll
15.11.2005 00:50 141.064 vsinit.dll
15.11.2005 00:50 372.816 vsdatant.sys
15.11.2005 00:50 83.720 vsdata.dll

The next output looked like this:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FC23-2040

Verzeichnis von C:\DOKUME~1\Rolf\LOKALE~1\Temp

nothing more came out.

Verzeichnis von C:\WINDOWS

03.02.2006 13:00 157 wiadebug.log
03.02.2006 12:59 50 wiaservc.log
03.02.2006 12:58 2.048 bootstat.dat
30.01.2006 16:20 50.912 iconu.exe
30.01.2006 16:14 42.736 icont.exe
29.01.2006 14:20 3.406 mozver.dat
29.01.2006 14:18 107.132 UninstallFirefox.exe
27.01.2006 17:37 2.560 _MSRSTRT.EXE
27.01.2006 16:24 116 NeroDigital.ini
25.01.2006 15:24 780 hosts
25.01.2006 15:23 37.592 country.exe
25.01.2006 15:23 0 uniq
24.01.2006 18:48 43 drsmartload2.dat
15.01.2006 18:33 151 PhotoSnapViewer.INI
08.01.2006 14:15 0 nsreg.dat
19.12.2005 16:32 31 EPSMTL32.TXT
19.12.2005 16:31 25 CDE DX4200EFGIPSD.ini
18.12.2005 18:38 572 win.ini
18.12.2005 16:28 8.192 REGLOCS.OLD
18.12.2005 16:24 0 control.ini
18.12.2005 16:24 299.552 WMSysPrx.prx
18.12.2005 16:24 4.161 ODBCINST.INI
18.12.2005 16:23 749 WindowsShell.Manifest
18.12.2005 16:21 36 vb.ini
18.12.2005 16:21 37 vbaddin.ini
18.12.2005 16:14 0 Sti_Trace.log
18.12.2005 16:12 231 system.ini
18.08.2001 13:00 15.872 TASKMAN.EXE
18.08.2001 13:00 46.592 twain_32.dll
18.08.2001 13:00 49.680 twunk_16.exe
18.08.2001 13:00 25.600 twunk_32.exe
18.08.2001 13:00 141.312 regedit.exe
18.08.2001 13:00 67.072 NOTEPAD.EXE
18.08.2001 13:00 1.405 msdfmap.ini
18.08.2001 13:00 2 desktop.ini
18.08.2001 13:00 18.944 vmmreg32.dll
18.08.2001 13:00 82.944 clock.avi
18.08.2001 13:00 707 _default.pif
18.08.2001 13:00 26.647 hh.exe
18.08.2001 13:00 80 explorer.scf
18.08.2001 13:00 257.568 winhelp.exe
18.08.2001 13:00 271.872 winhlp32.exe
18.08.2001 13:00 48.680 winnt.bmp
18.08.2001 13:00 48.680 winnt256.bmp
18.08.2001 13:00 34.818 wmprfDEU.prx
18.08.2001 13:00 94.800 twain.dll
18.08.2001 13:00 1.004.032 explorer.exe
17.11.1998 12:44 328.704 IsUn0407.exe
48 Datei(en) 3.127.280 Bytes
0 Verzeichnis(se), 17.458.548.736 Bytes frei

Verzeichnis von C:\

03.02.2006 13:19 0 sys.txt
03.02.2006 13:18 2.599 system.txt
03.02.2006 13:15 132 systemtemp.txt
03.02.2006 13:15 95.572 system32.txt
03.02.2006 12:58 402.653.184 pagefile.sys
18.12.2005 16:24 0 AUTOEXEC.BAT
18.12.2005 16:24 0 CONFIG.SYS
18.12.2005 16:24 0 IO.SYS
18.12.2005 16:24 0 MSDOS.SYS
18.12.2005 16:19 194 boot.ini
18.08.2001 13:00 4.952 bootfont.bin
18.08.2001 13:00 45.124 NTDETECT.COM
18.08.2001 13:00 224.032 ntldr
13 Datei(en) 403.025.789 Bytes
0 Verzeichnis(se), 17.458.548.736 Bytes frei

I hope I now have everything together
Regards
Karolf
03.02.2006, 14:57
Honorary member
Sabina

Posts: 29434
#8 apply this
http://virus-protect.org/artikel/tools/vundofixx.html

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> tick
and click the red cross; when asked "Do you want to reboot?" ---- click "no" and paste in the next one, only on the last one click "yes"
paste in:

C:\WINDOWS\iconu.exe
C:\WINDOWS\icont.exe
C:\WINDOWS\hosts
C:\WINDOWS\country.exe
C:\WINDOWS\uniq
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\cnosys.dll
C:\WINDOWS\System32\f4j20e1oeh.dll
C:\WINDOWS\System32\mowsock.dll
C:\WINDOWS\System32\en64l1jq1.dll
C:\WINDOWS\System32\clmmdlg.dll
C:\WINDOWS\System32\p2n8lc5u1f.dll
C:\WINDOWS\System32\ijfgnt5.dll
C:\WINDOWS\System32\l22slcf71f2.dll
C:\WINDOWS\System32\jnsd400.dll
C:\WINDOWS\System32\mmobjs.dll
C:\WINDOWS\System32\bgowsewm.dll
C:\WINDOWS\System32\en26l1fs1.dll
C:\WINDOWS\System32\insecsnp.dll
C:\WINDOWS\System32\mcrh.tmp
C:\WINDOWS\System32\atmtd.dll.tmp
C:\WINDOWS\System32\mwhcp.dll
C:\WINDOWS\System32\bjowser.dll
C:\WINDOWS\System32\skfolder.dll
C:\WINDOWS\System32\EPFBCHAEE.DLL
C:\WINDOWS\System32\mdvcp50.dll
C:\WINDOWS\System32\zhpfldr.dll
C:\WINDOWS\System32\stbiop.dll
C:\WINDOWS\System32\dDdxof.dll
C:\WINDOWS\System32\mhvcp50.dll
C:\WINDOWS\System32\cbwmdm.dll
C:\WINDOWS\System32\AdService.bat
C:\WINDOWS\System32\AdService.dll
C:\WINDOWS\System32\dlrpsetu.dll
C:\WINDOWS\System32\jkkif.dll
C:\WINDOWS\System32\rIsppp.dll
C:\WINDOWS\System32\dsskperf.dll
C:\WINDOWS\System32\winhfp32.dll
C:\WINDOWS\System32\ljjjk.dll
C:\WINDOWS\System32\ihaksie.dll
C:\WINDOWS\System32\sqorage.dll
C:\WINDOWS\System32\muc42loc.dll
C:\WINDOWS\System32\khhed.dll
C:\WINDOWS\System32\dergres.dll
C:\WINDOWS\System32\mrw3prt.dll
C:\WINDOWS\System32\rqrsr.dll
C:\WINDOWS\System32\cwl3d32.dll
C:\WINDOWS\System32\hr6q05j5e.dll
C:\WINDOWS\System32\vtust.dll
C:\WINDOWS\System32\saorage.dll
C:\WINDOWS\System32\oppqo.dll
C:\WINDOWS\System32\info.txt
C:\WINDOWS\System32\dzgest.dll
C:\WINDOWS\System32\awtts.dll
C:\WINDOWS\System32\mllif.dll
C:\WINDOWS\System32\avsda.dll
C:\WINDOWS\System32\khfdc.dll
C:\WINDOWS\System32\pmnlm.dll
C:\WINDOWS\System32\ursqp.dll
C:\WINDOWS\System32\efcba.dll
C:\WINDOWS\System32\REN5.tmp
C:\WINDOWS\System32\REN6.tmp
C:\WINDOWS\System32\eraseme_60420.exe
C:\WINDOWS\System32\i
C:\WINDOWS\System32\download.dat
C:\WINDOWS\System32\ExtraUpdate.exe
C:\WINDOWS\System32\TFTP2456

restart the PC

after the restart look for: C:\!KillBox
and manually delete all files located there

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

L2mfix --> apply option 2, and after restart and scan... post the scan report
http://virus-protect.org/l2mfix.html

Download Registry Search by Bobbi Flekman
http://www.bleepingcomputer.com/files/regsearch.php
and double-click to start it. In "Enter search strings" (type or paste in):

Windows Disk Check

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.
__________
Kind regards, Sabina
04.02.2006, 13:03
...new here

Thread starter

Posts: 10
#9 hi, the following log resulted from carrying out the instructions:

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnlm]
"Asynchronous"=dword:00000001
"DllName"="pmnlm.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en60l1jm1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayyy]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\System32\\yayyy.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{29503AF9-6E4D-0972-3248-A94EB43ED8CB}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschaften fr Multimediadatei"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-Scannerverwaltung"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-Sicherheit"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE-Eigenschaftenseite fr Dokumente"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shellerweiterungen fr Freigaben"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung fr Grafikkarten"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung fr Bildschirme"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung fr Anzeigeverschiebung"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-Sicherheit"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilit„tsseite"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-Datenauszughandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Erweiterung fr Datentr„gerkopien"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shellerweiterungen fr Microsoft Windows-Netzwerkobjekte"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-Monitorverwaltung"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-Druckerverwaltung"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shellerweiterungen fr die Dateikomprimierung"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shellerweiterung fr Webdrucker"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontextmen fr die Verschlsselung"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Aktenkoffer"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Erweiterung fr HyperTerminal-Icons"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Schriftarten"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-Profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Druckersicherheit"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shellerweiterungen fr Freigaben"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netzwerkverbindungen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netzwerkverbindungen"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanner und Kameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanner und Kameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanner und Kameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanner und Kameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanner und Kameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Eigenschaftenseitenerweiterung des automatischen Updates"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellerweiterungen fr Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Datenverknpfung"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplante Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskleiste und Startmen"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Suchen"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ausfhren..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-Mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Schriftarten"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Verwaltung"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Syntaxanalyse der Adressleiste"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begrüßungsbildschirm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-Cacheordner"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webpublishing-Assistent"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestellung von Abzügen über das Internet"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shellobjekt des Webpublishing-Assistenten"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Passport-Assistent"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Benutzerkonten"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channeldatei"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channelverknüpfung"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channelhandlerobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Ordner 'Offlinedateien'"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B327765E-D724-4347-8B16-78AE18552FC3}"="NeroDigitalIconHandler"
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}"="NeroDigitalPropSheetHandler"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"="Shell Extension for Malware scanning"
"{CBA0AD09-7761-4156-8225-06AF90FDCFFE}"=""
"{C87C2245-D1E6-4CB8-96EB-96BB4BC1B352}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CBA0AD09-7761-4156-8225-06AF90FDCFFE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBA0AD09-7761-4156-8225-06AF90FDCFFE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBA0AD09-7761-4156-8225-06AF90FDCFFE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBA0AD09-7761-4156-8225-06AF90FDCFFE}\InprocServer32]
@="C:\\WINDOWS\\system32\\ezpsrv.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C87C2245-D1E6-4CB8-96EB-96BB4BC1B352}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C87C2245-D1E6-4CB8-96EB-96BB4BC1B352}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C87C2245-D1E6-4CB8-96EB-96BB4BC1B352}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C87C2245-D1E6-4CB8-96EB-96BB4BC1B352}\InprocServer32]
@="C:\\WINDOWS\\system32\\kfdhe.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
adserv~1.dll Fri 27 Jan 2006 18:18:36 ..... 16.896 16,50 K
avsda.dll Wed 18 Jan 2006 13:05:54 ..... 57.344 56,00 K
awtts.dll Wed 25 Jan 2006 15:23:40 ..... 35.853 35,01 K
bgowsewm.dll Sun 29 Jan 2006 20:53:40 ..... 237.077 231,52 K
bjowser.dll Sun 29 Jan 2006 13:03:04 ..... 235.756 230,23 K
cbwmdm.dll Fri 27 Jan 2006 18:36:28 ..... 235.552 230,03 K
clmmdlg.dll Wed 1 Feb 2006 14:38:52 ..... 236.125 230,59 K
cwl3d32.dll Thu 26 Jan 2006 15:25:58 ..... 234.272 228,78 K
d40m0e~1.dll Fri 3 Feb 2006 13:33:54 ..S.R 233.978 228,49 K
dddxof.dll Sat 28 Jan 2006 17:38:24 ..... 236.768 231,22 K
dergres.dll Fri 27 Jan 2006 16:07:08 ..... 235.758 230,23 K
dlrpsetu.dll Fri 27 Jan 2006 18:18:20 ..... 234.272 228,78 K
dsskperf.dll Fri 27 Jan 2006 17:47:04 ..... 234.272 228,78 K
dzgest.dll Wed 25 Jan 2006 19:00:06 ..... 234.272 228,78 K
en26l1~1.dll Sun 29 Jan 2006 20:53:40 ..... 234.058 228,57 K
en60l1~1.dll Sat 4 Feb 2006 12:18:20 ..S.R 234.538 229,04 K
enjol1~1.dll Sat 4 Feb 2006 12:39:02 ..S.R 234.538 229,04 K
epfbch~1.dll Sun 29 Jan 2006 10:41:38 ..... 234.721 229,22 K
ezpsrv.dll Sat 4 Feb 2006 12:39:48 ..S.R 234.538 229,04 K
f4j20e~1.dll Thu 2 Feb 2006 15:37:38 ..... 234.192 228,70 K
hr6q05~1.dll Wed 25 Jan 2006 19:26:52 ..... 235.928 230,40 K
ihaksie.dll Fri 27 Jan 2006 17:41:34 ..... 234.506 229,01 K
ijfgnt5.dll Mon 30 Jan 2006 17:51:32 ..... 235.825 230,30 K
insecsnp.dll Sun 29 Jan 2006 16:10:44 ..... 237.077 231,52 K
jkkif.dll Fri 27 Jan 2006 18:17:38 ..... 35.853 35,01 K
jnsd400.dll Sun 29 Jan 2006 21:14:28 ..... 237.077 231,52 K
kfdhe.dll Sat 4 Feb 2006 12:53:20 ..S.R 234.538 229,04 K
khfdc.dll Sat 14 Jan 2006 17:32:48 ..... 35.853 35,01 K
khhed.dll Fri 27 Jan 2006 16:09:30 ..... 35.853 35,01 K
l22slc~1.dll Sun 29 Jan 2006 21:28:28 ..... 237.077 231,52 K
ljjjk.dll Fri 27 Jan 2006 17:46:44 ..... 35.853 35,01 K
m2julc~1.dll Sat 4 Feb 2006 12:53:20 ..S.R 236.450 230,91 K
mdvcp50.dll Sun 29 Jan 2006 10:06:10 ..... 237.314 231,75 K
mhvcp50.dll Sat 28 Jan 2006 17:28:32 ..... 237.314 231,75 K
mllif.dll Tue 24 Jan 2006 18:47:38 ..... 35.853 35,01 K
mmobjs.dll Sun 29 Jan 2006 21:02:56 ..... 237.077 231,52 K
mowsock.dll Wed 1 Feb 2006 14:48:12 ..... 236.125 230,59 K
mrw3prt.dll Thu 26 Jan 2006 15:41:20 ..... 234.272 228,78 K
mtc42loc.dll Fri 3 Feb 2006 12:58:54 ..S.R 233.978 228,49 K
muc42loc.dll Fri 27 Jan 2006 17:36:22 ..... 234.506 229,01 K
mwhcp.dll Sun 29 Jan 2006 13:36:40 ..... 234.691 229,19 K
oppqo.dll Wed 25 Jan 2006 19:07:56 ..... 35.853 35,01 K
p2n8lc~1.dll Wed 1 Feb 2006 14:38:52 ..... 234.174 228,68 K
pmnlm.dll Thu 12 Jan 2006 17:51:10 ..... 35.853 35,01 K
prcsdk.dll Sat 4 Feb 2006 12:11:20 ..S.R 234.538 229,04 K
risppp.dll Fri 27 Jan 2006 18:15:40 ..... 237.314 231,75 K
rqrsr.dll Thu 26 Jan 2006 15:28:12 ..... 35.853 35,01 K
saorage.dll Wed 25 Jan 2006 19:16:50 ..... 235.928 230,40 K
skfolder.dll Sun 29 Jan 2006 12:36:30 ..... 233.425 227,95 K
sqorage.dll Fri 27 Jan 2006 17:39:00 ..... 237.314 231,75 K
stbiop.dll Sat 28 Jan 2006 18:25:40 ..... 237.314 231,75 K
sxcur32.dll Sat 4 Feb 2006 11:59:12 ..S.R 234.538 229,04 K
vsdata.dll Tue 15 Nov 2005 0:50:30 A.... 83.720 81,76 K
vsinit.dll Tue 15 Nov 2005 0:50:42 A.... 141.064 137,76 K
vsmonapi.dll Tue 15 Nov 2005 0:50:52 A.... 104.208 101,77 K
vspubapi.dll Tue 15 Nov 2005 0:50:56 A.... 227.088 221,77 K
vsregexp.dll Tue 15 Nov 2005 0:51:00 A.... 71.440 69,77 K
vsutil.dll Tue 15 Nov 2005 0:51:12 A.... 382.728 373,76 K
vsxml.dll Tue 15 Nov 2005 0:51:20 A.... 100.104 97,76 K
vtust.dll Wed 25 Jan 2006 19:20:52 ..... 35.853 35,01 K
winhfp32.dll Fri 27 Jan 2006 17:46:52 ..... 16.896 16,50 K
yayyy.dll Mon 9 Jan 2006 16:17:44 ..... 565.300 552,05 K
zhpfldr.dll Sat 28 Jan 2006 19:41:32 ..... 233.996 228,51 K
zlcomm.dll Tue 15 Nov 2005 0:51:40 A.... 79.624 77,76 K
zlcommdb.dll Tue 15 Nov 2005 0:51:44 A.... 71.440 69,77 K

65 items found: 65 files (9 H/S), 0 directories.
Total of file sizes: 12.163.365 bytes 11,60 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
atmtdd~1.tmp Sun 29 Jan 2006 13:37:50 ..... 0 0,00 K
mcrh.tmp Sun 29 Jan 2006 13:58:46 ..... 97 0,09 K

2 items found: 2 files, 0 directories.
Total of file sizes: 97 bytes 0,09 K
**********************************************************************************
Directory Listing of system files:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FC23-2040

Verzeichnis von C:\WINDOWS\System32

04.02.2006 12:56 407.767 yyyay.ini
04.02.2006 12:53 234.538 kfdhe.dll
04.02.2006 12:53 236.450 m2julc191f.dll
04.02.2006 12:39 234.538 ezpsrv.dll
04.02.2006 12:39 234.538 enjol1131.dll
04.02.2006 12:18 234.538 en60l1jm1.dll
04.02.2006 12:11 234.538 PRCSDK.dll
04.02.2006 11:59 234.538 sxcur32.dll
03.02.2006 13:33 233.978 d40m0ed1eh0.dll
03.02.2006 12:58 233.978 mtc42loc.dll
29.01.2006 14:25 <DIR> dllcache
18.12.2005 18:36 <DIR> Microsoft
10 Datei(en) 2.519.401 Bytes
2 Verzeichnis(se), 17.418.211.328 Bytes frei

and the second log:


REGEDIT4

; Registry Search by Bobbi Flekman © 2005
; Version: 1.0.2.4

; Results at 04.02.2006 13:01:51 for strings:
; 'windows disk check
windows disk check
windows disk check'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...
04.02.2006, 17:08
Honorary member

Posts: 29434
#10 That was option 1 ---> you have to apply option 2 and post the scan report for me after the restart and scan ;)

Apply this (once more... and copy the scan report here for me)
http://virus-protect.org/artikel/tools/vundofixx.html

Delete with the Killbox:
C:\WINDOWS\SYSTEM32\atmtdd~1.tmp
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\SYSTEM32\kfdhe.dll
C:\WINDOWS\SYSTEM32\m2julc191f.dll
C:\WINDOWS\SYSTEM32\ezpsrv.dll
C:\WINDOWS\SYSTEM32\enjol1131.dll
C:\WINDOWS\SYSTEM32\en60l1jm1.dll
C:\WINDOWS\SYSTEM32\PRCSDK.dll
C:\WINDOWS\SYSTEM32\sxcur32.dll
C:\WINDOWS\SYSTEM32\d40m0ed1eh0.dll
C:\WINDOWS\SYSTEM32\mtc42loc.dll
C:\WINDOWS\SYSTEM32\winhfp32.dll
C:\WINDOWS\SYSTEM32\mwhcp.dll

Scan with Spysweeper (trial) and copy that scan report as well
http://virus-protect.org/spysweeper.html
__________
Regards, Sabina

all about PC security
06.02.2006, 16:37
...new here

Thread starter

Posts: 10
#11 I don't know what option 1 and option two refer to, but here are the scan reports from:

VundoFix V4.0

Listing files found while scanning....

C:\WINDOWS\System32\yayyy.dll
C:\WINDOWS\System32\yyyay.ini
C:\WINDOWS\System32\yyyay.bak1
C:\WINDOWS\System32\yyyay.bak2
C:\WINDOWS\system32\pmnlm.dll

C:\WINDOWS\system32\yyyay.bak1
C:\WINDOWS\system32\yyyay.bak2
C:\WINDOWS\system32\yyyay.ini
C:\WINDOWS\system32\yayyy.dll
Attempting to delete C:\WINDOWS\System32\yayyy.dll
C:\WINDOWS\System32\yayyy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\yyyay.ini
C:\WINDOWS\System32\yyyay.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\yyyay.bak1
C:\WINDOWS\System32\yyyay.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\yyyay.bak2
C:\WINDOWS\System32\yyyay.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\pmnlm.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yayyy.dll
C:\WINDOWS\system32\yayyy.dll Could not be deleted.

Performing Repairs to the registry.
Done!
VundoFix V4.0

********
16:23: | Start of Session, Montag, 6. Februar 2006 |
16:23: Spy Sweeper started
16:23: Sweep initiated using definitions version 611
16:23: Found Trojan Horse: trojan-downloader-conhook
16:23: HKCR\clsid\{ea32fb3b-21c9-42cc-b8ef-01a9b28edb0d}\inprocserver32\ (2 subtraces) (ID = 1139035)
16:23: pmnlm.dll (ID = 1139035)
16:23: Starting Memory Sweep
16:25: Memory Sweep Complete, Elapsed Time: 00:01:15
16:25: Starting Registry Sweep
16:25: Found Adware: effective-i toolbar
16:25: HKU\.default\software\maxthon\plugin\toolbar\{44be0690-5429-47f0-85bb-3ffd8020233e}\ (1 subtraces) (ID = 125650)
16:25: Found Adware: virtumonde
16:25: HKCR\atldistrib.atldistrib\ (5 subtraces) (ID = 1030533)
16:25: HKCR\atldistrib.atldistrib\clsid\ (1 subtraces) (ID = 1030535)
16:25: HKCR\atldistrib.atldistrib\curver\ (1 subtraces) (ID = 1030537)
16:25: HKCR\atldistrib.atldistrib.1\ (3 subtraces) (ID = 1030539)
16:25: HKCR\atldistrib.atldistrib.1\clsid\ (1 subtraces) (ID = 1030541)
16:25: HKLM\software\classes\atldistrib.atldistrib\ (5 subtraces) (ID = 1030666)
16:25: HKLM\software\classes\atldistrib.atldistrib\clsid\ (1 subtraces) (ID = 1030668)
16:25: HKLM\software\classes\atldistrib.atldistrib\curver\ (1 subtraces) (ID = 1030670)
16:25: HKLM\software\classes\atldistrib.atldistrib.1\ (3 subtraces) (ID = 1030672)
16:25: HKLM\software\classes\atldistrib.atldistrib.1\clsid\ (1 subtraces) (ID = 1030674)
16:25: HKCR\clsid\{ea32fb3b-21c9-42cc-b8ef-01a9b28edb0d}\ (3 subtraces) (ID = 1124201)
16:25: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{ea32fb3b-21c9-42cc-b8ef-01a9b28edb0d}\ (ID = 1124227)
16:25: HKLM\software\classes\clsid\{ea32fb3b-21c9-42cc-b8ef-01a9b28edb0d}\ (3 subtraces) (ID = 1124238)
16:25: HKCR\clsid\{2353fcbc-012d-487b-8bf3-865c0929fbeb}\ (12 subtraces) (ID = 1124723)
16:25: HKLM\software\classes\clsid\{2353fcbc-012d-487b-8bf3-865c0929fbeb}\ (12 subtraces) (ID = 1124736)
16:25: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{2353fcbc-012d-487b-8bf3-865c0929fbeb}\ (ID = 1124749)
16:25: Found Adware: dollarrevenue
16:25: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
16:25: Registry Sweep Complete, Elapsed Time:00:00:06
16:25: Starting Cookie Sweep
16:25: Cookie Sweep Complete, Elapsed Time: 00:00:00
16:25: Starting File Sweep
16:25: Found Adware: targetsaver
16:25: tsupdate2[1].ini (ID = 193498)
16:25: Found Trojan Horse: trojan downloader matcash
16:25: launcher[1].exe (ID = 184140)
16:25: Found Adware: maxifiles
16:25: director_install[1].exe (ID = 190798)
16:26: Found Adware: look2me
16:26: risppp.dll (ID = 159)
16:26: en26l1fs1.dll (ID = 159)
16:26: mowsock.dll (ID = 159)
16:26: mhvcp50.dll (ID = 159)
16:26: zhpfldr.dll (ID = 159)
16:26: installer[1].exe (ID = 168558)
16:26: mdvcp50.dll (ID = 159)
16:26: appwrap[3].exe (ID = 65721)
16:27: appwrap[1].exe (ID = 65722)
16:27: ucmoreiex[1].exe (ID = 59853)
16:27: stbiop.dll (ID = 159)
16:27: epfbchaee.dll (ID = 159)
16:27: muc42loc.dll (ID = 159)
16:27: saorage.dll (ID = 159)
16:27: appwrap[2].exe (ID = 65739)
16:27: sqorage.dll (ID = 159)
16:27: cbwmdm.dll (ID = 159)
16:27: ihaksie.dll (ID = 159)
16:27: mrw3prt.dll (ID = 163672)
16:28: drsmartload[1].exe (ID = 239204)
16:28: appwrap[1].exe (ID = 65739)
16:28: appwrap[4].exe (ID = 65722)
16:28: jnsd400.dll (ID = 159)
16:28: dzgest.dll (ID = 163672)
16:28: Found Adware: command
16:28: asappsrv.dll (ID = 144945)
16:28: dsskperf.dll (ID = 163672)
16:28: insecsnp.dll (ID = 159)
16:28: cwl3d32.dll (ID = 163672)
16:28: dddxof.dll (ID = 159)
16:28: ijfgnt5.dll (ID = 159)
16:28: freeprodtb[1].exe (ID = 198662)
16:28: dergres.dll (ID = 159)
16:29: hr6q05j5e.dll (ID = 159)
16:29: l22slcf71f2.dll (ID = 159)
16:29: appwrap[5].exe (ID = 65722)
16:29: bgowsewm.dll (ID = 159)
16:29: dlrpsetu.dll (ID = 163672)
16:29: guard.tmp (ID = 159)
16:29: p2n8lc5u1f.dll (ID = 159)
16:29: installer[1].exe (ID = 231664)
16:29: bjowser.dll (ID = 159)
16:29: f4j20e1oeh.dll (ID = 159)
16:29: mmobjs.dll (ID = 159)
16:29: clmmdlg.dll (ID = 159)
16:29: ozhcxquxtk.vbs (ID = 185675)
16:29: donotdelete[1].htm (ID = 198788)
16:29: File Sweep Complete, Elapsed Time: 00:03:48
16:29: Full Sweep has completed. Elapsed time 00:05:12
16:29: Traces Found: 125
16:30: Removal process initiated
16:30: Quarantining All Traces: look2me
16:30: Quarantining All Traces: trojan downloader matcash
16:30: Quarantining All Traces: virtumonde
16:30: Quarantining All Traces: dollarrevenue
16:30: Quarantining All Traces: maxifiles
16:30: Quarantining All Traces: trojan-downloader-conhook
16:30: trojan-downloader-conhook is in use. It will be removed on reboot.
16:30: pmnlm.dll is in use. It will be removed on reboot.
16:30: Quarantining All Traces: command
16:30: Quarantining All Traces: effective-i toolbar
16:30: Quarantining All Traces: targetsaver
16:30: Removal process completed. Elapsed time 00:00:41
********
16:19: | Start of Session, Montag, 6. Februar 2006 |
16:19: Spy Sweeper started
16:23: Your spyware definitions have been updated.
16:23: | End of Session, Montag, 6. Februar 2006 |
06.02.2006, 16:40
Honorary member

Posts: 29434
#12 karolf

Start -- Run -- regedit (type it in)

Edit --> Find --> dskcheck

If you have trouble deleting the entries
(Legacy_ ..... cannot be deleted. Error while deleting key),
then right-click and choose "Permissions" from the context menu, tick "Allow Full Control",
Apply, OK.
After that the key(s) in question should be deletable.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DSKCHECK\0000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dskcheck
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DSKCHECK\0000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dskcheck
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DSKCHECK\0000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dskcheck

Quote

16:30: trojan-downloader-conhook is in use. It will be removed on reboot.
Restart the PC

L2mfix --> apply option 2, and after the restart and scan... post the scan report
http://virus-protect.org/l2mfix.html

Now run Panda (online scan) over it once more and report back
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security
07.02.2006, 16:25
...new here

Thread starter

Posts: 10
#13 The values:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DSKCHECK\0000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dskcheck

were not present.

L2mfix --> option 2 gave the following:

Running From:
C:\l2mfix

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 468 'smss.exe'
Error 0x6 : Das Handle ist ungültig.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 560 'winlogon.exe'
Error 0x6 : Das Handle ist ungültig.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1288 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratoren ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 Datei(en) kopiert.
Deleting: C:\WINDOWS\system32\skfolder.dll
Successfully Deleted: C:\WINDOWS\system32\skfolder.dll

msg11?.dll
0 Datei(en) kopiert.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en60l1jm1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmnlm]
"Asynchronous"=dword:00000001
"DllName"="pmnlm.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayyy]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\System32\\yayyy.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\skfolder.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CBA0AD09-7761-4156-8225-06AF90FDCFFE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBA0AD09-7761-4156-8225-06AF90FDCFFE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBA0AD09-7761-4156-8225-06AF90FDCFFE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CBA0AD09-7761-4156-8225-06AF90FDCFFE}\InprocServer32]
@="C:\\WINDOWS\\system32\\ezpsrv.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C87C2245-D1E6-4CB8-96EB-96BB4BC1B352}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C87C2245-D1E6-4CB8-96EB-96BB4BC1B352}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C87C2245-D1E6-4CB8-96EB-96BB4BC1B352}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C87C2245-D1E6-4CB8-96EB-96BB4BC1B352}\InprocServer32]
@="C:\\WINDOWS\\system32\\kfdhe.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{CBA0AD09-7761-4156-8225-06AF90FDCFFE}"=-
"{C87C2245-D1E6-4CB8-96EB-96BB4BC1B352}"=-
[-HKEY_CLASSES_ROOT\CLSID\{CBA0AD09-7761-4156-8225-06AF90FDCFFE}]
[-HKEY_CLASSES_ROOT\CLSID\{C87C2245-D1E6-4CB8-96EB-96BB4BC1B352}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


Panda gave:

Incident Status Location

Adware:adware/maxifiles Not disinfected C:\PROGRAMME\GEMEINSAME DATEIEN\InetGet
Spyware:spyware/virtumonde Not disinfected Windows Registry
Virus:W32/Sdbot.GJB.worm Disinfected C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\TBX2Z85H\winsysupd3[1].exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Rolf\Desktop\l2mfix(2).exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Rolf\Desktop\l2mfix.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\Rolf\l2mfix\Process.exe
Adware:Adware/Look2Me Not disinfected C:\l2mfix\dlls\skfolder.dll
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERSU_0001_LPNetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5U_0001_N57M1412NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UERSU_0001_LPNetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5U_0001_N57M1412NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UERSU_0001_LPNetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5U_0001_N57M1412NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UERSU_0001_LPNetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5U_0001_N57M1412NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UERSU_0001_LPNetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5U_0001_N57M1412NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UERSU_0001_LPNetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5U_0001_N57M1412NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UERSU_0001_LPNetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5U_0001_N57M1412NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UERSU_0001_LPNetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWFX5U_0001_N57M1412NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UWFX5U_0001_N57M1412NetInstaller.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\awtts.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\jkkif.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\khfdc.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\khhed.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ljjjk.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\mllif.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\oppqo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\rqrsr.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\vtust.dll
07.02.2006, 16:29
Honorary member
Avatar Sabina

Posts: 29434
#14 Hidden and system files
http://virus-protect.org/invisible.html

delete:
C:\PROGRAMME\GEMEINSAME DATEIEN\InetGet

C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\TBX2Z85H --> delete

delete with Killbox:

C:\WINDOWS\system32\awtts.dll
C:\WINDOWS\system32\jkkif.dll
C:\WINDOWS\system32\khfdc.dll
C:\WINDOWS\system32\khhed.dll
C:\WINDOWS\system32\ljjjk.dll
C:\WINDOWS\system32\mllif.dll
C:\WINDOWS\system32\oppqo.dll
C:\WINDOWS\system32\rqrsr.dll
C:\WINDOWS\system32\vtust.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UWFX5U_0001_N57M1412NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UERSU_0001_LPNetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWFX5U_0001_N57M1412NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UERSU_0001_LPNetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5U_0001_N57M1412NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UERSU_0001_LPNetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5U_0001_N57M1412NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5U_0001_N57M1412NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UERSU_0001_LPNetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UERSU_0001_LPNetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5U_0001_N57M1412NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5U_0001_N57M1412NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UERSU_0001_LPNetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5U_0001_N57M1412NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UERSU_0001_LPNetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERSU_0001_LPNetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5U_0001_N57M1412NetInstaller.exe

restart the PC


Start --> Run --> cmd

enter the following commands in the console (copy and paste them):

attrib -a -h -r -s C:\WINDOWS\system32\mcrh.tmp
del C:\WINDOWS\system32\mcrh.tmp

attrib -a -h -r -s C:\WINDOWS\system32\atmtd.dll.tmp
del C:\WINDOWS\system32\atmtd.dll.tmp

attrib -a -h -r -s C:\WINDOWS\system32\REN6.tmp
del C:\WINDOWS\system32\REN6.tmp

attrib -a -h -r -s C:\WINDOWS\system32\REN5.tmp
del C:\WINDOWS\system32\REN5.tmp

---------------------------------------------------------------------

scan again (post the scan report):
http://virus-protect.org/artikel/tools/vundofixx.html


then post the 4 logs from datfindbat again ;)
__________
Regards, Sabina

all about PC security
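An added example, not code from this thread or from virus-protect.org: a small Python parser for scan-report lines in the format quoted above ("<category>:<detection> <status> <path>"). It extracts the paths the scanner left "Not disinfected" and groups them by detection name, which is the list Sabina otherwise transcribes by hand into the Killbox instructions. The sample lines are constructed, modelled on the report in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the scan-report format seen in this thread
# (a subset of the lines Sabina turned into her Killbox list).
SAMPLE_REPORT = """\
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\\WINDOWS\\Downloaded Program Files\\CONFLICT.1\\UERSU_0001_LPNetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\\WINDOWS\\Downloaded Program Files\\CONFLICT.1\\UWFX5U_0001_N57M1412NetInstaller.exe
Spyware:Spyware/Virtumonde Not disinfected C:\\WINDOWS\\system32\\awtts.dll
Spyware:Spyware/Virtumonde Not disinfected C:\\WINDOWS\\system32\\jkkif.dll
Spyware:Spyware/Virtumonde Disinfected C:\\WINDOWS\\system32\\rqrsr.dll
"""

# One report line: "<category>:<detection> <status> <path>". The category may
# contain spaces but no colon; the status is "Not disinfected" or "Disinfected"
# (longer alternative first so "Disinfected" cannot match inside it); the path
# may contain spaces, so it is taken as everything up to the end of the line.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+(?P<path>.+?)\s*$"
)

def parse_report(text):
    """Return one dict per recognised report line; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            findings.append(m.groupdict())
    return findings

def leftovers_by_family(findings):
    """Group the paths the scanner could NOT clean, keyed by detection name."""
    grouped = defaultdict(list)
    for f in findings:
        if f["status"] == "Not disinfected":
            grouped[f["name"]].append(f["path"])
    return dict(grouped)

def killbox_list(findings):
    """De-duplicated leftover paths, one per line, in report order: the form
    pasted into the thread as the 'delete with Killbox' list."""
    seen = []
    for f in findings:
        if f["status"] == "Not disinfected" and f["path"] not in seen:
            seen.append(f["path"])
    return "\n".join(seen)

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for name, paths in leftovers_by_family(found).items():
        print(f"{name}: {len(paths)} file(s) still present")
    print(killbox_list(found))
```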
07.02.2006, 23:32
...new here

Posts: 2
#15 I have Winfixer. I downloaded HijackThis but don't know how to use it; here is the result of my scan

Logfile of HijackThis v1.99.1
Scan saved at 23:26:08, on 07.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
D:\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Lexmark X1100 Series\lxbkbmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\WEBDE\SmartSurfer\SmartSurfer.exe
D:\iTunes.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Julia\LOKALE~1\Temp\Rar$EX45.709\HijackThis.exe

O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Windows live Support] wlmsn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: SmartSurfer_0.lnk = C:\Programme\WEBDE\SmartSurfer\SmartSurfer.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .php: C:\Programme\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D622980-164E-4CD4-AD01-54CB53A08350}: NameServer = 62.104.191.241 62.104.196.134
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll (file missing)
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\h0n00a5med.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe (file missing)
O23 - Service: fwnet64 (fwnet) - Unknown owner - C:\WINDOWS\fwnet64.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Programme\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: netconf32 - Unknown owner - C:\WINDOWS\netconf32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Plug-n-Play SP2 Fix (sp2pnpfix) - Unknown owner - C:\WINDOWS\system32\pnpsp2fix.exe (file missing)
O23 - Service: sysmgr64 - Unknown owner - C:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


I have AntiVir and ZoneAlarm. Ad-Aware could not delete everything; my browser automatically goes to pages like this one:

http://www.blow-outsales.com/normal/yyy102.html

please help me, I can't do this alone!
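An added example, not part of the thread: a Python triage pass over HijackThis log lines using three rules that mirror what the helpers here look for by eye (an autostart in RunServices that names a bare executable with no path, Winlogon Notify DLLs, and services with no vendor whose binary is missing). The rules and the sample lines are the editor's own construction, modelled on the log above; a hit means "look at this entry", not "this is malware".

```python
import re

# Constructed sample lines, modelled on the HijackThis 1.99.1 log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O4 - HKLM\\..\\RunServices: [Windows live Support] wlmsn.exe
O20 - Winlogon Notify: RunServices - C:\\WINDOWS\\system32\\h0n00a5med.dll
O20 - Winlogon Notify: awvtq - C:\\WINDOWS\\System32\\awvtq.dll (file missing)
O23 - Service: dllmgr64 - Unknown owner - C:\\WINDOWS\\dllmgr64.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

# Every HijackThis entry starts with its section tag, e.g. "O4 - ".
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")

# "[label] name.exe" with no backslash or drive colon in the name: the loader
# will search for it, and a real product normally registers a full path.
BARE_EXE_RE = re.compile(r"\] [^\\\s:]+\.exe$")

def triage(log_text):
    """Return (section, body, reason) for each line that trips a heuristic.
    The heuristics are this example's own, not HijackThis's."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section == "O4" and "RunServices" in body and BARE_EXE_RE.search(body):
            reason = "RunServices autostart with bare executable name"
        elif section == "O20" and "Winlogon Notify" in body:
            # Winlogon Notify DLLs load before the desktop appears; the
            # Virtumonde DLLs discussed in this thread register this way.
            reason = "Winlogon Notify DLL"
        elif section == "O23" and "Unknown owner" in body and "(file missing)" in body:
            reason = "service with no vendor and a missing binary"
        if reason:
            hits.append((section, body, reason))
    return hits

if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```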