Also a SpyFalcon problem

05.03.2006, 11:29
...new here
Posts: 7
05.03.2006, 14:13
Honorary member
Posts: 29434
#2
Ghrom

The PC is completely infested; SpyFalcon is not the worst of it, Wareout + SafeSurfing are.

Download the F-Secure BlackLight beta trial: http://www.f-secure.com/blacklight/
Double-click blbeta.exe. After the check, click "next". You will now find a log file (txt) on the desktop (post it here).
------------------------------------------------------------------------
KILLBOX - Pocket KillBox http://virus-protect.org/killbox.html
Options: tick "Delete on Reboot" and click the red cross. When asked "Do you want to reboot?", click "no" and paste in the next entry; only for the last one click "yes":
............
C:\WINDOWS\system32\unirimon.exe
C:\WINDOWS\system32\irsmamss.dll
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\ginuerep.dll
C:\WINDOWS\system32\hp6C46.tmp
C:\WINDOWS\system32\nsh22.dll
C:\WINDOWS\system32\nsf17.dll
C:\WINDOWS\system32\nsy1A.dll
C:\DOKUME~1\XXXXX\LOKALE~1\Temp\SFLanguage.ini
C:\DOKUME~1\XXXXX\LOKALE~1\Temp\sa1.exe
C:\WINDOWS\system32\sporder.dll
C:\WINDOWS\system32\irssyncd.exe
C:\WINDOWS\system32\irismon.dll
C:\WINDOWS\system32\irsmamss.dll
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\b2search.exe
C:\WINDOWS\system32\kernels64.exe
C:\WINDOWS\system32\filesafer23.exe
C:\WINDOWS\system32\dmejv.exe
C:\WINDOWS\system32\pppcgm.exe
C:\WINDOWS\system32\gzclj.dll
C:\WINDOWS\tm.ini
C:\WINDOWS\tdf.dii
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\GatorGainPlugin.log
C:\WINDOWS\hosts
C:\WINDOWS\uniq
C:\secure32.html
C:\_Sid.txt

Restart the PC.

Hoster.zip http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'. Exit Program.

After the restart, look for C:\!KillBox and manually delete all files found there. This also wipes out one of the Internet connections (it goes to Ukraine... since you have Wareout on the PC).

Open HijackThis -- button "Scan" -- tick the malware entries -- button "Fix checked" -- restart the PC
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - {3876701E-7892-886C-3537-2523FD7B98C1} - MNTP.dll (file missing)
O3 - Toolbar: (no name) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)
O4 - HKLM\..\Run: [dmejv.exe] C:\WINDOWS\system32\dmejv.exe
O9 - Extra button: Amex - {0F778FE7-0C68-4F48-B86D-74B2AAA82BD9} - www.americanexpress.de (file missing)
O9 - Extra button: fgc - {33D97381-7573-4195-BB2F-D0D6ECA84967} - gcdhgc vhb (file missing)
O9 - Extra button: AMEX - {7AFE1D9C-D8BA-48DE-A3DF-CE96DCEA50F8} - www.americanexpress.de (file missing)
O9 - Extra button: BvB - {A61DFBFA-D82B-4F23-9124-73A94E20DAB7} - http://www.berliner-volksbank.de/ (file missing)
O9 - Extra button: eBAY - {C74C1088-C6FF-42AB-9904-2FF5D25572B6} - www.ebay.de (file missing)
O9 - Extra button: PB - {D033E466-131F-474C-85DB-64A95975441D} - www.postbank.de (file missing)
O9 - Extra button: AmEx - {EB85F235-E43D-4DC3-819C-8B77BB49FA20} - www.americanexpress.de/konto-online (file missing)
O9 - Extra button: Amex - {F51517ED-C27B-49D2-A0CF-47481BF38970} - www.americanexpress.com (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E91B290B-71ED-467D-AE79-0632F9B60D6B}: NameServer = 85.255.116.68,85.255.112.220

Restart the PC.

Download FixWareout: http://swandog46.geekstogo.com/Fixwareout.exe
Fixwareout.exe --> next --> Install --> Run fixit --> Finish / the PC will restart --> C:\fixwareout\report.txt --> paste the txt file into the forum

Work through the following (then post the scan report from ewido):
http://virus-protect.org/artikel/bfu/spyaxebfu.html
http://virus-protect.org/ewido.html

More will follow, because Wareout is very hard to remove...............
__________
Regards, Sabina
all about PC security
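The entries Sabina picks out of the HijackThis log above (the hijacked O17 NameServer, the orphaned R3/O9 hooks marked "(file missing)", the autorun named after a random system32 executable) are mechanical checks. The script below is an added example, not part of this thread or of HijackThis: it parses HJT-format lines from a constructed sample that reuses the two O17 entries posted in this thread, and the private-range resolver test and the system32 autorun heuristic are the example's own assumptions.

```python
"""Triage helper for HijackThis (v1.99-style) log lines.

Added example for this thread, not code from HijackThis or any tool named
in it.  It flags the entry classes the helper acted on: resolvers set by a
DNS changer (O17), orphaned hooks and buttons "(file missing)" (R3/O3/O9),
and autoruns that launch a bare executable out of system32 (O4, heuristic).
"""
import ipaddress
import re
from typing import Iterable, List, NamedTuple

# Constructed sample in HijackThis log format.  The two O17 lines reuse the
# NameServer entries that appear in the logs posted in this thread.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {3876701E-7892-886C-3537-2523FD7B98C1} - MNTP.dll (file missing)
O4 - HKLM\..\Run: [dmejv.exe] C:\WINDOWS\system32\dmejv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: Amex - {0F778FE7-0C68-4F48-B86D-74B2AAA82BD9} - www.americanexpress.de (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E91B290B-71ED-467D-AE79-0632F9B60D6B}: NameServer = 85.255.116.68,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{F234ED16-A3E6-4377-B9EA-11D580042B54}: NameServer = 192.168.0.1
"""


class Entry(NamedTuple):
    section: str  # e.g. "O17"
    body: str     # everything after "O17 - "


class Finding(NamedTuple):
    section: str
    reason: str
    line: str


# Every HJT scan entry starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
_ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
_O17_NS_RE = re.compile(r"NameServer\s*=\s*([0-9.,\s]+)$")
_O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
_SYSTEM32 = "c:\\windows\\system32\\"


def parse_hjt(text: str) -> List[Entry]:
    """Return the scan entries, skipping the header and the process list."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def nameservers_from_o17(entry: Entry) -> List[str]:
    """Extract the resolver addresses from an O17 'NameServer = a,b' entry."""
    m = _O17_NS_RE.search(entry.body)
    if not m:
        return []
    return [ip.strip() for ip in m.group(1).split(",") if ip.strip()]


def is_trusted_nameserver(ip: str, trusted: Iterable[str] = ()) -> bool:
    """Assumption: a resolver is fine if it is a private/loopback address
    (home router, corporate DNS) or explicitly allow-listed by the owner."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in the registry value is itself suspicious
    return addr.is_private or addr.is_loopback or ip in set(trusted)


def triage(text: str, trusted_resolvers: Iterable[str] = ()) -> List[Finding]:
    """Walk the log and return one Finding per suspicious entry."""
    findings = []
    for e in parse_hjt(text):
        line = f"{e.section} - {e.body}"
        if e.section == "O17":
            bad = [ip for ip in nameservers_from_o17(e)
                   if not is_trusted_nameserver(ip, trusted_resolvers)]
            if bad:
                findings.append(Finding(e.section,
                    "DNS resolver outside private/allow-listed ranges: " + ", ".join(bad), line))
        elif e.section in ("R3", "O3", "O9") and "(file missing)" in e.body:
            findings.append(Finding(e.section, "orphaned hook/button, target file missing", line))
        elif e.section == "O4":
            m = _O4_RE.search(e.body)
            if m and m.group("name").lower().endswith(".exe"):
                cmd = m.group("cmd").strip().strip('"').lower()
                # Heuristic: Run value named after a bare .exe sitting in system32.
                if cmd.startswith(_SYSTEM32) and cmd.endswith(m.group("name").lower()):
                    findings.append(Finding(e.section,
                        "heuristic: autorun named after a bare executable in system32", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Pass the ISP's resolvers in `trusted_resolvers` on a machine that is meant to use public DNS, otherwise every non-RFC1918 O17 entry is reported.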
05.03.2006, 16:56
...new here
Thread starter
Posts: 7
#3
Many thanks for this selfless, competent help.
Here are the requested logs and reports. I will also attach an updated HJT log and DatFind log at the end.

F-Secure Beta Trial
03/05/06 16:14:08 [Info]: BlackLight Engine 1.0.33 initialized
03/05/06 16:14:08 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/05/06 16:14:08 [Note]: 7019 4
03/05/06 16:14:08 [Note]: 7005 0
03/05/06 16:14:13 [Note]: 7006 0
03/05/06 16:14:13 [Note]: 7011 1752
03/05/06 16:14:14 [Note]: 7015 248
03/05/06 16:14:14 [Note]: 7015 5
03/05/06 16:14:14 [Note]: 7015 1932
03/05/06 16:14:14 [Note]: 7015 5
03/05/06 16:14:14 [Note]: FSRAW library version 1.7.1015
03/05/06 16:17:33 [Note]: 7007 0

Fixwareout
Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
...
Random Runs removed from HKLM
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
...
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Search by size and names...
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool

Ewido
---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------
+ Erstellt am: 16:40:13, 05.03.2006
+ Report-Checksumme: A930B6C4
+ Scanergebnis:
HKU\S-1-5-21-602162358-1677128483-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Gesäubert ohne Backup
HKU\S-1-5-21-602162358-1677128483-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Gesäubert ohne Backup
HKU\S-1-5-21-602162358-1677128483-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{78364D99-A640-4DDF-B91A-67EFF8373045} -> Trojan.Brospy.c : Gesäubert ohne Backup
HKU\S-1-5-21-602162358-1677128483-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Gesäubert ohne Backup
HKU\S-1-5-21-602162358-1677128483-725345543-1004\Software\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Gesäubert ohne Backup
HKU\S-1-5-21-602162358-1677128483-725345543-1004_Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Gesäubert ohne Backup
C:\Programme\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Gesäubert ohne Backup
C:\Programme\Gemeinsame Dateien\uueetbmd\somammrf\lcobrmcr.exe -> Adware.Gator : Gesäubert ohne Backup
C:\Programme\Gemeinsame Dateien\uueetbmd\unpaoqubea\raoqrlapm.exe -> Adware.Gator : Gesäubert ohne Backup
C:\Programme\Save -> Adware.SaveNow : Gesäubert ohne Backup
C:\Programme\Save\store.db -> Adware.SaveNow : Gesäubert ohne Backup
C:\Programme\TrilliPlus\patch.exe -> Trojan.Agent.jh : Gesäubert ohne Backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll -> Adware.Gator : Gesäubert ohne Backup
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Gesäubert ohne Backup
E:\Downloads\Aquatica_s_Inst-25.exe -> Adware.Gator : Gesäubert ohne Backup
::Report Ende

DatFind
Datenträger in Laufwerk C: ist Windowsinstallation
Volumeseriennummer: 6051-3443

Verzeichnis von C:\WINDOWS\system32

05.03.2006 16:45 43.459 nvapps.xml
05.03.2006 11:08 13.646 wpa.dbl
24.02.2006 12:39 383.562 perfh009.dat
24.02.2006 12:39 53.724 perfc009.dat
24.02.2006 12:39 394.848 perfh007.dat
24.02.2006 12:39 64.718 perfc007.dat
24.02.2006 12:39 907.468 PerfStringBackup.INI
24.02.2006 12:30 197.752 FNTCACHE.DAT
14.02.2006 09:20 550.120 LegitCheckControl.dll
13.02.2006 19:03 8.632 spmsg.dll
07.02.2006 21:28 4.513.120 MRT.exe
04.02.2006 19:36 108.754 kspydoc.log
28.01.2006 20:48 698.190 Cats Play.scr
28.01.2006 19:44 909 GLOBAL~1.log
18.01.2006 13:05 57.344 avsda.dll
07.01.2006 01:39 7.006 jupdate-1.5.0_06-b05.log
04.01.2006 04:35 68.096 webclnt.dll
29.12.2005 03:54 280.064 gdi32.dll
18.12.2005 16:22 176.167 rmoc3260.dll

Datenträger in Laufwerk C: ist Windowsinstallation
Volumeseriennummer: 6051-3443

Verzeichnis von C:\DOKUME~1\XXXX\LOKALE~1\Temp

05.03.2006 16:45 224 WCESCOMM.LOG
05.03.2006 16:17 206 jusched.log
2 Datei(en) 430 Bytes
0 Verzeichnis(se), 29.920.251.904 Bytes frei

Datenträger in Laufwerk C: ist Windowsinstallation
Volumeseriennummer: 6051-3443

Verzeichnis von C:\WINDOWS

05.03.2006 16:43 0 0.log
05.03.2006 16:43 1.526.581 WindowsUpdate.log
05.03.2006 16:42 159 wiadebug.log
05.03.2006 16:42 50 wiaservc.log
05.03.2006 16:42 2.048 bootstat.dat
05.03.2006 16:41 32.548 SchedLgU.Txt
05.03.2006 16:04 265.515 setupact.log
05.03.2006 15:51 395.692 ntbtlog.txt
05.03.2006 11:07 10.626 WGA.log
05.03.2006 11:07 614.925 setupapi.log
03.03.2006 21:43 46.499 wmsetup.log
03.03.2006 21:15 238 bildsh32.ini
28.02.2006 22:00 335 mozregistry.dat
27.02.2006 18:45 0 hpqEmlSz.INI
27.02.2006 18:45 907 win.ini
26.02.2006 15:32 59 popcinfo.dat
24.02.2006 12:31 923 spupdsvc.log
24.02.2006 12:28 111.771 ntdtcsetup.log
24.02.2006 12:28 190.944 comsetup.log
24.02.2006 12:28 198.255 tsoc.log
24.02.2006 12:28 76.365 iis6.log
24.02.2006 12:28 1.374 imsins.log
24.02.2006 12:28 27.963 ocmsn.log
24.02.2006 12:28 49.176 KB899587.log
24.02.2006 12:28 259.683 ocgen.log
24.02.2006 12:28 25.263 msgsocm.log
24.02.2006 12:28 491.610 FaxSetup.log
24.02.2006 12:28 33.350 updspapi.log
24.02.2006 12:28 1.374 imsins.BAK
24.02.2006 12:28 45.801 KB896422.log
24.02.2006 12:28 44.728 KB885835.log
24.02.2006 12:28 40.050 KB885836.log
24.02.2006 12:28 43.806 KB885250.log
24.02.2006 12:28 27.702 KB911927.log
24.02.2006 12:27 52.561 KB901017.log
24.02.2006 12:27 51.652 KB899591.log
24.02.2006 12:27 41.264 KB896424.log
24.02.2006 12:27 51.640 KB893756.log
24.02.2006 12:27 49.952 KB896423.log
24.02.2006 12:27 38.173 KB873339.log
24.02.2006 12:27 43.017 KB888113.log
24.02.2006 12:27 45.578 KB887742.log
24.02.2006 12:27 25.202 KB887472.log
24.02.2006 12:27 49.628 KB896358.log
24.02.2006 12:27 32.054 KB910437.log
24.02.2006 12:26 21.936 KB911564.log
24.02.2006 12:26 44.351 KB905915.log
24.02.2006 12:26 39.822 KB891781.log
24.02.2006 12:26 55.942 KB902400.log
24.02.2006 12:26 15.810 KB911565.log
24.02.2006 12:25 40.641 KB890046.log
24.02.2006 12:25 36.459 KB905414.log
24.02.2006 12:25 38.410 KB901214.log
24.02.2006 12:25 33.502 KB888302.log
24.02.2006 12:25 35.797 KB900725.log
24.02.2006 12:25 15.312 KB912919.log
24.02.2006 12:25 17.822 KB886185.log
24.02.2006 12:25 30.630 KB904706.log
24.02.2006 12:24 31.890 KB905749.log
24.02.2006 12:24 34.131 KB896428.log
24.02.2006 12:24 39.577 KB894391.log
24.02.2006 12:24 12.300 KB908519.log
24.02.2006 12:24 8.671 KB913446.log
24.02.2006 12:24 38.604 KB890859.log
24.02.2006 12:07 15.842 KB893803v2.log
17.02.2006 18:59 2.909 mozver.dat
17.02.2006 18:50 0 nsreg.dat
17.02.2006 18:50 107.134 UninstallFirefox.exe
14.02.2006 22:32 487 cdplayer.ini
09.02.2006 17:47 100.724 cpeins04.dat
29.01.2006 15:56 23 lnpth.lnf
23.01.2006 08:16 871 KB842773.log
21.01.2006 11:50 40 RSoftInfo.dat
09.01.2006 09:51 1.065 winamp.ini
08.01.2006 19:17 104.140 hpoins04.dat
29.12.2005 16:45 60.896 WFXINST.LOG
27.12.2005 10:56 48 WFXDEL.BAT
26.12.2005 15:04 2.464 $_hpcst$.hpc
26.12.2005 12:28 2.510 Microsoft.MIF

Datenträger in Laufwerk C: ist Windowsinstallation
Volumeseriennummer: 6051-3443

Verzeichnis von C:\

05.03.2006 16:53 0 sys.txt
05.03.2006 16:52 9.007 system.txt
05.03.2006 16:51 349 systemtemp.txt
05.03.2006 16:50 102.578 system32.txt
05.03.2006 16:42 1.610.612.736 pagefile.sys
05.03.2006 16:04 3.139 smitfiles.txt
05.03.2006 16:00 466 rapport.txt
26.02.2006 11:32 114 DownloadLog.txt
23.01.2006 15:36 429 datFind.bat
08.01.2006 19:17 1.159 _Sid.txt
18.12.2005 14:20 211 boot.ini
07.12.2005 17:34 1 REC.TXT

HJT-Log
Logfile of HijackThis v1.99.1
Scan saved at 16:55:27, on 05.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ewido anti-malware\ewidoctrl.exe
C:\Programme\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Programme\Winamp\Winampa.exe
D:\eBayTBDaemon.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Outlook Express\msimn.exe
D:\Security\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R3 - URLSearchHook: (no name) - {3876701E-7892-886C-3537-2523FD7B98C1} - MNTP.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\system32\dxdllreg.exe
O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [eBayToolbar] D:\eBayTBDaemon.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://D:\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\MSOFFI~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Amex - {0F778FE7-0C68-4F48-B86D-74B2AAA82BD9} - www.americanexpress.de (file missing)
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MSOFFI~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {09954582-CAC3-4E05-A09C-4955BBD3187F} (Privat-X Client) - http://www.px24.com/ax/px_client_en.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129014461046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137986942828
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F234ED16-A3E6-4377-B9EA-11D580042B54}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: License Management Service ESD - element5 - C:\Programme\Gemeinsame Dateien\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
05.03.2006, 18:38
Honorary member
Posts: 29434
#4
Ghrom

Fix with HijackThis:
R3 - URLSearchHook: (no name) - {3876701E-7892-886C-3537-2523FD7B98C1} - MNTP.dll (file missing)

Restart the PC.

Post the log from Silent Runners: http://virus-protect.org/silentrunner.html
__________
Regards, Sabina
all about PC security
08.03.2006, 08:06
...new here
Thread starter
Posts: 7
#5
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"updateMgr" = "C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7 -reboot 1" ["Adobe Systems Incorporated"]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
"DXDllRegExe" = "C:\WINDOWS\system32\dxdllreg.exe" [file not found]
"HPpromo psc 1300 series" = ""C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r" ["hp"]
"WinFaxAppPortStarter" = "wfxsnt40.exe" [MS]
"DAEMON Tools-1033" = ""C:\Programme\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"WinampAgent" = ""C:\Programme\Winamp\Winampa.exe"" [null data]
"eBayToolbar" = "D:\eBayTBDaemon.exe" ["eBay"]
"HP Component Manager" = ""C:\Programme\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"CloneCDTray" = ""C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]
"KAVPersonal50" = ""C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize" ["Kaspersky Lab"]
"DAEMON Tools" = ""C:\Programme\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"AnyDVD" = "C:\Programme\SlySoft\AnyDVD\AnyDVD.exe" ["SlySoft, Inc."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"HP Software Update" = "C:\Programme\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\MS Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\MSOFFI~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "D:\MSOFFI~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{A213B520-C6C2-11d0-AF9D-008029E1027E}" = "WinFax PRO IShellExecuteHook" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Symantec\WinFax\WfxSeh32.Dll" ["Symantec Corporation"]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido anti-malware\context.dll" ["ewido networks"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\WJoest\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Startup items in "WJoest" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{0F778FE7-0C68-4F48-B86D-74B2AAA82BD9}\
"ButtonText" = "Amex"
"CLSIDExtension" = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"Exec" = "www.americanexpress.de" [file not found]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Mobilen Favoriten erstellen"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\INetRepl.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Programme\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
HTTP-SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
kavsvc, kavsvc, ""C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe"" ["Kaspersky Lab"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
GEngine Port Monitor\Driver = "gengpmon.dll" [null data]
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
WinFax Ports\Driver = "WFXMNT40.DLL" [MS]
WinFax Ports (Fotoqualität)\Driver = "WFXMNTHQ.DLL" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 15 seconds, including 6 seconds for message boxes)
08.03.2006, 12:34
Honorary member
Posts: 29434
#6
Ghrom
1. Copy the following text into Notepad (Start - Accessories - Notepad) and save it to the desktop as fixme.reg using 'Save As'. Under file type, select 'All Files'. You should now find this file on the desktop. Restart the computer in Safe Mode (press F8 while starting). Double-click the file "fixme.reg" on the desktop.

Quote
REGEDIT4

2. Fix with HijackThis:

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Amex - {0F778FE7-0C68-4F48-B86D-74B2AAA82BD9} - www.americanexpress.de (file missing)

3. Scan with Kaspersky and post the scan report (scan everything)
http://virus-protect.org/onlinescan.html

4. Reinstall Java-Sun if necessary

__________
Best regards, Sabina
all about PC security
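The helper's instructions boil down to two kinds of HijackThis entries: buttons, hooks and toolbars whose target file is gone, and the O17 NameServer entry that points the poster's DNS at the 85.255.x.x pair instead of the router at 192.168.0.1. The following script is an added example, not code from this thread, from HijackThis or from the helper; it parses lines in the HijackThis log format used in this thread and reports both kinds of entry. The sample lines are constructed copies of entries from the log above, and the `trusted_resolvers` parameter is an assumption, there to allow-list the ISP's own resolvers so that a public DNS address alone is not treated as a finding.

```python
"""Triage of HijackThis-format log lines: an added example, not code from
this thread, from HijackThis or from the helper who replied here."""
import ipaddress
import re

# Constructed sample: lines copied in shape from the HJT log posted in this
# thread. The two 85.255.x.x nameservers are the O17 entry the helper flagged;
# 192.168.0.1 is the poster's own router.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R3 - URLSearchHook: (no name) - {3876701E-7892-886C-3537-2523FD7B98C1} - MNTP.dll (file missing)
O3 - Toolbar: (no name) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O9 - Extra button: Amex - {0F778FE7-0C68-4F48-B86D-74B2AAA82BD9} - www.americanexpress.de (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E91B290B-71ED-467D-AE79-0632F9B60D6B}: NameServer = 85.255.116.68,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{F234ED16-A3E6-4377-B9EA-11D580042B54}: NameServer = 192.168.0.1
"""

# Every HJT entry starts with a section tag (R0..R3, F0..F3, O1..O23), a dash and the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)")


def parse_hjt(text):
    """Return (section, body) pairs for entry lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def nameserver_findings(entries, trusted_resolvers=()):
    """Flag O17 nameservers outside private/loopback space that are not allow-listed.

    A public resolver is not malicious by itself (the ISP's resolvers are public too),
    so `trusted_resolvers` (an assumed parameter) lets the reviewer allow-list the
    resolvers the ISP or router is known to hand out; anything else is reported for review.
    """
    trusted = {ipaddress.ip_address(t) for t in trusted_resolvers}
    findings = []
    for section, body in entries:
        if section != "O17":
            continue
        m = NAMESERVER_RE.search(body)
        if not m:
            continue
        for raw in m.group("ips").split(","):
            raw = raw.strip()
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                findings.append((raw, "unparseable nameserver value"))
                continue
            if ip.is_private or ip.is_loopback or ip in trusted:
                continue
            findings.append((str(ip), "nameserver outside private space and not allow-listed"))
    return findings


def dangling_findings(entries):
    """Return entries whose target HijackThis could not find on disk.

    Hooks, toolbars and buttons pointing at a missing file are leftovers of a
    removed or half-removed component; these are what the helper told the poster to fix.
    """
    return [(s, b) for s, b in entries if "(file missing)" in b or "(no file)" in b]


def triage(text, trusted_resolvers=()):
    """Run both checks over a log and return the findings keyed by check name."""
    entries = parse_hjt(text)
    return {
        "nameservers": nameserver_findings(entries, trusted_resolvers),
        "dangling": dangling_findings(entries),
    }


if __name__ == "__main__":
    for check, items in triage(SAMPLE_LOG).items():
        print(check)
        for item in items:
            print("  ", *item)
```

Run as a script it prints the findings for the constructed sample; in practice the whole pasted log goes into `triage()`, and the resolvers the router or ISP actually hands out go into `trusted_resolvers` so that only unexpected nameservers are reported.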
Quote
I tried the tip from this thread: and nothing flashes anymore, and at first glance nothing of SpyFalcon can be seen anymore either. But I'll post the current HJT log anyway, maybe someone will still spot something.
Logfile of HijackThis v1.99.1
Scan saved at 13:10:54, on 05.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Programme\Winamp\Winampa.exe
D:\eBayTBDaemon.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\CounterSpy.exe
C:\Programme\Mozilla Firefox\firefox.exe
D:\Security\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - {3876701E-7892-886C-3537-2523FD7B98C1} - MNTP.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: (no name) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\system32\dxdllreg.exe
O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [eBayToolbar] D:\eBayTBDaemon.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [dmejv.exe] C:\WINDOWS\system32\dmejv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://D:\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\MSOFFI~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Amex - {0F778FE7-0C68-4F48-B86D-74B2AAA82BD9} - www.americanexpress.de (file missing)
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: fgc - {33D97381-7573-4195-BB2F-D0D6ECA84967} - gcdhgc vhb (file missing)
O9 - Extra button: AMEX - {7AFE1D9C-D8BA-48DE-A3DF-CE96DCEA50F8} - www.americanexpress.de (file missing)
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MSOFFI~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BvB - {A61DFBFA-D82B-4F23-9124-73A94E20DAB7} - http://www.berliner-volksbank.de/ (file missing)
O9 - Extra button: eBAY - {C74C1088-C6FF-42AB-9904-2FF5D25572B6} - www.ebay.de (file missing)
O9 - Extra button: PB - {D033E466-131F-474C-85DB-64A95975441D} - www.postbank.de (file missing)
O9 - Extra button: AmEx - {EB85F235-E43D-4DC3-819C-8B77BB49FA20} - www.americanexpress.de/konto-online (file missing)
O9 - Extra button: Amex - {F51517ED-C27B-49D2-A0CF-47481BF38970} - www.americanexpress.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {09954582-CAC3-4E05-A09C-4955BBD3187F} (Privat-X Client) - http://www.px24.com/ax/px_client_en.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129014461046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137986942828
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E91B290B-71ED-467D-AE79-0632F9B60D6B}: NameServer = 85.255.116.68,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{F234ED16-A3E6-4377-B9EA-11D580042B54}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: License Management Service ESD - element5 - C:\Programme\Gemeinsame Dateien\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe