SpyFalcon problem too

#0
05.03.2006, 11:29
...new here

Posts: 7
#1 Update, since I can't reply to myself

Quote

Hello everyone.

My father has picked up SpyFalcon, and now I'm combing the net for a way to remove it and have ended up here. I have already read through the various threads on it, but I keep hitting one point that doesn't apply in my case.

In HJT everyone has an entry like: O4 - HKLM\..\Run: [SpyFalcon] C:\Programme\SpyFalcon\SpyFalcon.exe /h

That one doesn't appear for me, as you can see in the log below. Nevertheless, SpyFalcon is very active on my machine, blinking and so on. So I'm now a bit unsure how to proceed. You may also spot other unwanted things ;)

I hope you can help me with this.

Many thanks in advance

Mario


HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:28:40, on 05.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Programme\Winamp\Winampa.exe
D:\eBayTBDaemon.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\SpyFalcon\SpyFalcon.exe
C:\Programme\SpyFalcon\SpyFalcon.exe

C:\Programme\Mozilla Firefox\firefox.exe
D:\Security\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - {3876701E-7892-886C-3537-2523FD7B98C1} - MNTP.dll (file missing)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmamss.dll
O3 - Toolbar: (no name) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\system32\dxdllreg.exe
O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [eBayToolbar] D:\eBayTBDaemon.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [dmejv.exe] C:\WINDOWS\system32\dmejv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://D:\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\MSOFFI~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Amex - {0F778FE7-0C68-4F48-B86D-74B2AAA82BD9} - www.americanexpress.de (file missing)
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: fgc - {33D97381-7573-4195-BB2F-D0D6ECA84967} - gcdhgc vhb (file missing)
O9 - Extra button: AMEX - {7AFE1D9C-D8BA-48DE-A3DF-CE96DCEA50F8} - www.americanexpress.de (file missing)
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MSOFFI~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BvB - {A61DFBFA-D82B-4F23-9124-73A94E20DAB7} - http://www.berliner-volksbank.de/ (file missing)
O9 - Extra button: eBAY - {C74C1088-C6FF-42AB-9904-2FF5D25572B6} - www.ebay.de (file missing)
O9 - Extra button: PB - {D033E466-131F-474C-85DB-64A95975441D} - www.postbank.de (file missing)
O9 - Extra button: AmEx - {EB85F235-E43D-4DC3-819C-8B77BB49FA20} - www.americanexpress.de/konto-online (file missing)
O9 - Extra button: Amex - {F51517ED-C27B-49D2-A0CF-47481BF38970} - www.americanexpress.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {09954582-CAC3-4E05-A09C-4955BBD3187F} (Privat-X Client) - http://www.px24.com/ax/px_client_en.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129014461046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137986942828
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E91B290B-71ED-467D-AE79-0632F9B60D6B}: NameServer = 85.255.116.68,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{F234ED16-A3E6-4377-B9EA-11D580042B54}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: License Management Service ESD - element5 - C:\Programme\Gemeinsame Dateien\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


DatFind output:

Datenträger in Laufwerk C: ist Windowsinstallation
Volumeseriennummer: 6051-3443

Verzeichnis von C:\WINDOWS\system32

05.03.2006 11:20 43.459 nvapps.xml
05.03.2006 11:08 13.646 wpa.dbl
03.03.2006 09:39 46.578 unirimon.exe --> SafeSurfing
03.03.2006 09:39 233.472 irsmamss.dll

02.03.2006 22:00 4.286 ot.ico --> SpyFalcon
02.03.2006 22:00 102.400 ginuerep.dll --> SpyFalcon
01.03.2006 07:58 30.208 hp6C46.tmp

24.02.2006 12:39 53.724 perfc009.dat
24.02.2006 12:39 64.718 perfc007.dat
24.02.2006 12:39 383.562 perfh009.dat
24.02.2006 12:39 394.848 perfh007.dat
24.02.2006 12:39 907.468 PerfStringBackup.INI
24.02.2006 12:30 197.752 FNTCACHE.DAT
14.02.2006 09:20 550.120 LegitCheckControl.dll
13.02.2006 19:03 8.632 spmsg.dll
07.02.2006 21:28 4.513.120 MRT.exe
04.02.2006 19:36 108.754 kspydoc.log
28.01.2006 21:04 8.464 sporder.dll --> New.Net
28.01.2006 20:48 698.190 Cats Play.scr
28.01.2006 19:44 909 GLOBAL~1.log
25.01.2006 19:17 36.864 irssyncd.exe --> SafeSurfing
25.01.2006 19:17 417.792 irismon.dll
25.01.2006 19:17 24.576 msxml3a.dll

23.01.2006 18:59 136.741 b2search.exe --> Adware.EZula
18.01.2006 22:19 84.480 nsh22.dll
18.01.2006 22:19 84.480 nsf17.dll
18.01.2006 22:19 84.480 nsy1A.dll

18.01.2006 13:05 57.344 avsda.dll
08.01.2006 02:59 654.111 filesafer23.exe --> Wareout
08.01.2006 02:59 45.568 pppcgm.exe
08.01.2006 02:59 155.648 gzclj.dll

07.01.2006 01:39 7.006 jupdate-1.5.0_06-b05.log

-----------------------------------------------------------------

Datenträger in Laufwerk C: ist Windowsinstallation
Volumeseriennummer: 6051-3443

Verzeichnis von C:\DOKUME~1\XXXXX\LOKALE~1\Temp

05.03.2006 11:50 416 java_install_reg.log
05.03.2006 11:30 206 jusched.log
05.03.2006 11:21 31.923 SFLanguage.ini
05.03.2006 11:21 2.930.621 sa1.exe

05.03.2006 11:20 224 WCESCOMM.LOG
27.02.2006 19:21 99 507B8750.TMP
6 Datei(en) 2.963.489 Bytes
0 Verzeichnis(se), 27.366.469.632 Bytes frei

----------------------------------------------------------------

Datenträger in Laufwerk C: ist Windowsinstallation
Volumeseriennummer: 6051-3443

Verzeichnis von C:\WINDOWS

05.03.2006 11:21 0 0.log
05.03.2006 11:21 1.488.484 WindowsUpdate.log
05.03.2006 11:21 159 wiadebug.log
05.03.2006 11:21 50 wiaservc.log
05.03.2006 11:20 2.048 bootstat.dat
05.03.2006 11:19 32.548 SchedLgU.Txt
05.03.2006 11:07 10.626 WGA.log
05.03.2006 11:07 614.925 setupapi.log
05.03.2006 05:07 264.615 setupact.log
03.03.2006 21:43 46.499 wmsetup.log
03.03.2006 21:15 238 bildsh32.ini
28.02.2006 22:00 335 mozregistry.dat
27.02.2006 18:45 0 hpqEmlSz.INI
27.02.2006 18:45 907 win.ini
26.02.2006 15:32 59 popcinfo.dat
24.02.2006 12:31 923 spupdsvc.log
24.02.2006 12:28 190.944 comsetup.log
24.02.2006 12:28 198.255 tsoc.log
24.02.2006 12:28 111.771 ntdtcsetup.log
24.02.2006 12:28 1.374 imsins.log
24.02.2006 12:28 76.365 iis6.log
24.02.2006 12:28 27.963 ocmsn.log
24.02.2006 12:28 49.176 KB899587.log
24.02.2006 12:28 259.683 ocgen.log
24.02.2006 12:28 25.263 msgsocm.log
24.02.2006 12:28 491.610 FaxSetup.log
24.02.2006 12:28 33.350 updspapi.log
24.02.2006 12:28 1.374 imsins.BAK
24.02.2006 12:28 45.801 KB896422.log
24.02.2006 12:28 44.728 KB885835.log
24.02.2006 12:28 40.050 KB885836.log
24.02.2006 12:28 43.806 KB885250.log
24.02.2006 12:28 27.702 KB911927.log
24.02.2006 12:07 15.842 KB893803v2.log
17.02.2006 18:59 2.909 mozver.dat
17.02.2006 18:50 0 nsreg.dat
17.02.2006 18:50 107.134 UninstallFirefox.exe
14.02.2006 22:32 487 cdplayer.ini
09.02.2006 17:47 100.724 cpeins04.dat
03.02.2006 19:44 3.284 tm.ini
03.02.2006 19:34 118 tdf.dii
29.01.2006 15:56 23 lnpth.lnf
28.01.2006 21:05 183.296 NDNuninstall7_22.exe
27.01.2006 22:33 3.678 GatorGainPlugin.log

23.01.2006 15:36 429 datFind.bat
23.01.2006 08:16 871 KB842773.log
23.01.2006 03:50 780 hosts
23.01.2006 03:49 0 uniq

21.01.2006 11:50 40 RSoftInfo.dat
09.01.2006 09:51 1.065 winamp.ini
08.01.2006 19:17 104.140 hpoins04.dat

------------------------------------------------------------------

Datenträger in Laufwerk C: ist Windowsinstallation
Volumeseriennummer: 6051-3443

Verzeichnis von C:\

05.03.2006 12:04 0 sys.txt
05.03.2006 12:03 9.345 system.txt
05.03.2006 12:01 554 systemtemp.txt
05.03.2006 12:01 103.601 system32.txt
05.03.2006 11:20 1.610.612.736 pagefile.sys
05.03.2006 11:13 3.112 rapport.txt
26.02.2006 11:32 114 DownloadLog.txt
23.01.2006 15:36 429 datFind.bat
23.01.2006 09:04 145 secure32.html
08.01.2006 19:17 1.159 _Sid.txt
I tried the tip from this thread:
And nothing is blinking any more, and at first glance there is no sign of SpyFalcon any more either. But I'll post the current HJT log anyway; maybe someone will still spot something.

Logfile of HijackThis v1.99.1
Scan saved at 13:10:54, on 05.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Programme\Winamp\Winampa.exe
D:\eBayTBDaemon.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\CounterSpy.exe
C:\Programme\Mozilla Firefox\firefox.exe
D:\Security\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - {3876701E-7892-886C-3537-2523FD7B98C1} - MNTP.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: (no name) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\system32\dxdllreg.exe
O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [eBayToolbar] D:\eBayTBDaemon.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [dmejv.exe] C:\WINDOWS\system32\dmejv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://D:\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\MSOFFI~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Amex - {0F778FE7-0C68-4F48-B86D-74B2AAA82BD9} - www.americanexpress.de (file missing)
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: fgc - {33D97381-7573-4195-BB2F-D0D6ECA84967} - gcdhgc vhb (file missing)
O9 - Extra button: AMEX - {7AFE1D9C-D8BA-48DE-A3DF-CE96DCEA50F8} - www.americanexpress.de (file missing)
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MSOFFI~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BvB - {A61DFBFA-D82B-4F23-9124-73A94E20DAB7} - http://www.berliner-volksbank.de/ (file missing)
O9 - Extra button: eBAY - {C74C1088-C6FF-42AB-9904-2FF5D25572B6} - www.ebay.de (file missing)
O9 - Extra button: PB - {D033E466-131F-474C-85DB-64A95975441D} - www.postbank.de (file missing)
O9 - Extra button: AmEx - {EB85F235-E43D-4DC3-819C-8B77BB49FA20} - www.americanexpress.de/konto-online (file missing)
O9 - Extra button: Amex - {F51517ED-C27B-49D2-A0CF-47481BF38970} - www.americanexpress.com (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {09954582-CAC3-4E05-A09C-4955BBD3187F} (Privat-X Client) - http://www.px24.com/ax/px_client_en.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129014461046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137986942828
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E91B290B-71ED-467D-AE79-0632F9B60D6B}: NameServer = 85.255.116.68,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{F234ED16-A3E6-4377-B9EA-11D580042B54}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: License Management Service ESD - element5 - C:\Programme\Gemeinsame Dateien\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
This post was edited on 05.03.2006 at 13:14 by Ghrom.
05.03.2006, 14:13
Honorary member
Sabina

Posts: 29434
#2 Ghrom

The PC is completely infested; SpyFalcon isn't the worst of it, the Wareout + SafeSurfing are.

Download the F-Secure Beta Trial
http://www.f-secure.com/blacklight/
double-click: blbeta.exe
after the check click -- next
you will now find a log file (txt) on the desktop (post it here)

------------------------------------------------------------------------

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> tick it
and click the red cross; when asked "Do you want to reboot?" click "no" and paste in the next one, only click "yes" on the last one
paste in: ............

C:\WINDOWS\system32\unirimon.exe
C:\WINDOWS\system32\irsmamss.dll
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\ginuerep.dll
C:\WINDOWS\system32\hp6C46.tmp

C:\WINDOWS\system32\nsh22.dll
C:\WINDOWS\system32\nsf17.dll
C:\WINDOWS\system32\nsy1A.dll

C:\DOKUME~1\XXXXX\LOKALE~1\Temp\SFLanguage.ini
C:\DOKUME~1\XXXXX\LOKALE~1\Temp\sa1.exe

C:\WINDOWS\system32\sporder.dll
C:\WINDOWS\system32\irssyncd.exe
C:\WINDOWS\system32\irismon.dll
C:\WINDOWS\system32\irsmamss.dll
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\b2search.exe
C:\WINDOWS\system32\kernels64.exe
C:\WINDOWS\system32\filesafer23.exe
C:\WINDOWS\system32\dmejv.exe
C:\WINDOWS\system32\pppcgm.exe
C:\WINDOWS\system32\gzclj.dll

C:\WINDOWS\tm.ini
C:\WINDOWS\tdf.dii
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\GatorGainPlugin.log
C:\WINDOWS\hosts
C:\WINDOWS\uniq
C:\secure32.html
C:\_Sid.txt

Restart the PC

Hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK' Exit Program.

after the restart look for: C:\!KillBox
and delete all the files located there manually

this also wipes out one of the Internet connections (it goes to Ukraine... since you have Wareout on the PC.)


open HijackThis -- button "Scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - {3876701E-7892-886C-3537-2523FD7B98C1} - MNTP.dll (file missing)
O3 - Toolbar: (no name) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)
O4 - HKLM\..\Run: [dmejv.exe] C:\WINDOWS\system32\dmejv.exe

O9 - Extra button: Amex - {0F778FE7-0C68-4F48-B86D-74B2AAA82BD9} - www.americanexpress.de (file missing)
O9 - Extra button: fgc - {33D97381-7573-4195-BB2F-D0D6ECA84967} - gcdhgc vhb (file missing)
O9 - Extra button: AMEX - {7AFE1D9C-D8BA-48DE-A3DF-CE96DCEA50F8} - www.americanexpress.de (file missing)
O9 - Extra button: BvB - {A61DFBFA-D82B-4F23-9124-73A94E20DAB7} - http://www.berliner-volksbank.de/ (file missing)
O9 - Extra button: eBAY - {C74C1088-C6FF-42AB-9904-2FF5D25572B6} - www.ebay.de (file missing)
O9 - Extra button: PB - {D033E466-131F-474C-85DB-64A95975441D} - www.postbank.de (file missing)
O9 - Extra button: AmEx - {EB85F235-E43D-4DC3-819C-8B77BB49FA20} - www.americanexpress.de/konto-online (file missing)
O9 - Extra button: Amex - {F51517ED-C27B-49D2-A0CF-47481BF38970} - www.americanexpress.com (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{E91B290B-71ED-467D-AE79-0632F9B60D6B}: NameServer = 85.255.116.68,85.255.112.220

Restart the PC

Download FixWareout:
http://swandog46.geekstogo.com/Fixwareout.exe

Fixwareout.exe --> next --> Install --> Run fixit --> Finish / the PC will restart --> C:\fixwareout\report.txt --> paste the txt file into the forum

work through these (then post the scan report from ewido)

http://virus-protect.org/artikel/bfu/spyaxebfu.html
http://virus-protect.org/ewido.html

then there is more to come, because Wareout is very hard to delete...............
__________
Regards, Sabina

all about PC security
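As an added example (not from this thread, and not part of HijackThis or any of the tools Sabina names), a small Python triage script for the HJT log format used above. It flags the O17 NameServer entries pointing outside private address space (the 85.255.x.x resolvers Sabina has the poster fix), autostart and service entries whose binary sits directly in system32 under a name not on an allow-list (dmejv.exe, kernels64.exe), and entries HJT itself already marks as file missing. The allow-list and the sample log lines are constructed for the example.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Starter allow-list (an assumption for this example) of executables that
# legitimately live directly in system32; an analyst extends it per machine.
KNOWN_SYSTEM32 = {"rundll32.exe", "userinit.exe", "svchost.exe", "nvsvc32.exe"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
MISSING_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
SYSTEM32_EXE = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+\.exe)$", re.IGNORECASE)

# Constructed sample in the style of the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [dmejv.exe] C:\WINDOWS\system32\dmejv.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels64.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O9 - Extra button: fgc - {33D97381-7573-4195-BB2F-D0D6ECA84967} - gcdhgc vhb (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E91B290B-71ED-467D-AE79-0632F9B60D6B}: NameServer = 85.255.116.68,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{F234ED16-A3E6-4377-B9EA-11D580042B54}: NameServer = 192.168.0.1
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    section: str   # O4 / O9 / O17 / O23 ...
    subject: str   # path or address the finding is about
    reason: str
    line: str


def executable(cmd: str) -> str:
    """Extract the program path from an HJT command string.

    Handles quoted paths ("C:\\Programme\\...\\x.exe" /arg) and unquoted
    paths containing spaces by cutting at the first ".exe" token boundary.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        cmd = cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if MISSING_RE.search(line):
            findings.append(Finding("review", section, line,
                                    "HJT reports the referenced file as missing (orphaned entry)", line))
        if m := O17_RE.match(line):
            for addr in (a.strip() for a in m.group("servers").split(",")):
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    findings.append(Finding("review", "O17", addr, "NameServer is not an IP address", line))
                    continue
                if not (ip.is_private or ip.is_loopback):
                    findings.append(Finding("high", "O17", addr,
                                            "DNS resolver outside private/loopback ranges; possible DNS hijack", line))
        elif m := O4_RE.match(line):
            exe = executable(m.group("cmd"))
            sm = SYSTEM32_EXE.match(exe)
            if sm and sm.group(1).lower() not in KNOWN_SYSTEM32:
                # RunServices is a Windows 9x-era key; on XP almost nothing legitimate uses it.
                sev = "high" if m.group("key").lower() == "runservices" else "review"
                findings.append(Finding(sev, "O4", exe,
                                        f"autostart ({m.group('hive')} {m.group('key')}) of an unlisted executable in system32", line))
        elif m := O23_RE.match(line):
            path = executable(m.group("path"))
            sm = SYSTEM32_EXE.match(path)
            if sm and sm.group(1).lower() not in KNOWN_SYSTEM32:
                findings.append(Finding("review", "O23", path, "service binary in system32 not on the allow-list", line))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: (f.severity != "high", f.section)):
        print(f"[{f.severity:6}] {f.section:3} {f.subject}: {f.reason}")
```

Feed it a full HJT log (`triage(open("hijackthis.log").read())`) to get the same kind of shortlist Sabina builds by hand; a "review" finding is a prompt to look, not a verdict.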
05.03.2006, 16:56
...new here

Thread starter

Posts: 7
#3 Many thanks for this selfless, competent help.

Here are the requested logs and reports.
I will also attach an updated HJT log and DatFind log at the end.


F-Secure Beta Trial

03/05/06 16:14:08 [Info]: BlackLight Engine 1.0.33 initialized
03/05/06 16:14:08 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/05/06 16:14:08 [Note]: 7019 4
03/05/06 16:14:08 [Note]: 7005 0
03/05/06 16:14:13 [Note]: 7006 0
03/05/06 16:14:13 [Note]: 7011 1752
03/05/06 16:14:14 [Note]: 7015 248
03/05/06 16:14:14 [Note]: 7015 5
03/05/06 16:14:14 [Note]: 7015 1932
03/05/06 16:14:14 [Note]: 7015 5
03/05/06 16:14:14 [Note]: FSRAW library version 1.7.1015
03/05/06 16:17:33 [Note]: 7007 0


Fixwareout

Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
...

Random Runs removed from HKLM
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool


Ewido
---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------

+ Erstellt am: 16:40:13, 05.03.2006
+ Report-Checksumme: A930B6C4

+ Scanergebnis:

HKU\S-1-5-21-602162358-1677128483-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Gesäubert ohne Backup
HKU\S-1-5-21-602162358-1677128483-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Gesäubert ohne Backup
HKU\S-1-5-21-602162358-1677128483-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{78364D99-A640-4DDF-B91A-67EFF8373045} -> Trojan.Brospy.c : Gesäubert ohne Backup
HKU\S-1-5-21-602162358-1677128483-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Gesäubert ohne Backup
HKU\S-1-5-21-602162358-1677128483-725345543-1004\Software\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Gesäubert ohne Backup
HKU\S-1-5-21-602162358-1677128483-725345543-1004_Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Gesäubert ohne Backup
C:\Programme\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Gesäubert ohne Backup
C:\Programme\Gemeinsame Dateien\uueetbmd\somammrf\lcobrmcr.exe -> Adware.Gator : Gesäubert ohne Backup
C:\Programme\Gemeinsame Dateien\uueetbmd\unpaoqubea\raoqrlapm.exe -> Adware.Gator : Gesäubert ohne Backup
C:\Programme\Save -> Adware.SaveNow : Gesäubert ohne Backup
C:\Programme\Save\store.db -> Adware.SaveNow : Gesäubert ohne Backup
C:\Programme\TrilliPlus\patch.exe -> Trojan.Agent.jh : Gesäubert ohne Backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll -> Adware.Gator : Gesäubert ohne Backup
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Gesäubert ohne Backup
E:\Downloads\Aquatica_s_Inst-25.exe -> Adware.Gator : Gesäubert ohne Backup


::Report Ende


DatFind

Datenträger in Laufwerk C: ist Windowsinstallation
Volumeseriennummer: 6051-3443

Verzeichnis von C:\WINDOWS\system32

05.03.2006 16:45 43.459 nvapps.xml
05.03.2006 11:08 13.646 wpa.dbl
24.02.2006 12:39 383.562 perfh009.dat
24.02.2006 12:39 53.724 perfc009.dat
24.02.2006 12:39 394.848 perfh007.dat
24.02.2006 12:39 64.718 perfc007.dat
24.02.2006 12:39 907.468 PerfStringBackup.INI
24.02.2006 12:30 197.752 FNTCACHE.DAT
14.02.2006 09:20 550.120 LegitCheckControl.dll
13.02.2006 19:03 8.632 spmsg.dll
07.02.2006 21:28 4.513.120 MRT.exe
04.02.2006 19:36 108.754 kspydoc.log
28.01.2006 20:48 698.190 Cats Play.scr
28.01.2006 19:44 909 GLOBAL~1.log
18.01.2006 13:05 57.344 avsda.dll
07.01.2006 01:39 7.006 jupdate-1.5.0_06-b05.log
04.01.2006 04:35 68.096 webclnt.dll
29.12.2005 03:54 280.064 gdi32.dll
18.12.2005 16:22 176.167 rmoc3260.dll


Datenträger in Laufwerk C: ist Windowsinstallation
Volumeseriennummer: 6051-3443

Verzeichnis von C:\DOKUME~1\XXXX\LOKALE~1\Temp

05.03.2006 16:45 224 WCESCOMM.LOG
05.03.2006 16:17 206 jusched.log
2 Datei(en) 430 Bytes
0 Verzeichnis(se), 29.920.251.904 Bytes frei

Datenträger in Laufwerk C: ist Windowsinstallation
Volumeseriennummer: 6051-3443

Verzeichnis von C:\WINDOWS

05.03.2006 16:43 0 0.log
05.03.2006 16:43 1.526.581 WindowsUpdate.log
05.03.2006 16:42 159 wiadebug.log
05.03.2006 16:42 50 wiaservc.log
05.03.2006 16:42 2.048 bootstat.dat
05.03.2006 16:41 32.548 SchedLgU.Txt
05.03.2006 16:04 265.515 setupact.log
05.03.2006 15:51 395.692 ntbtlog.txt
05.03.2006 11:07 10.626 WGA.log
05.03.2006 11:07 614.925 setupapi.log
03.03.2006 21:43 46.499 wmsetup.log
03.03.2006 21:15 238 bildsh32.ini
28.02.2006 22:00 335 mozregistry.dat
27.02.2006 18:45 0 hpqEmlSz.INI
27.02.2006 18:45 907 win.ini
26.02.2006 15:32 59 popcinfo.dat
24.02.2006 12:31 923 spupdsvc.log
24.02.2006 12:28 111.771 ntdtcsetup.log
24.02.2006 12:28 190.944 comsetup.log
24.02.2006 12:28 198.255 tsoc.log
24.02.2006 12:28 76.365 iis6.log
24.02.2006 12:28 1.374 imsins.log
24.02.2006 12:28 27.963 ocmsn.log
24.02.2006 12:28 49.176 KB899587.log
24.02.2006 12:28 259.683 ocgen.log
24.02.2006 12:28 25.263 msgsocm.log
24.02.2006 12:28 491.610 FaxSetup.log
24.02.2006 12:28 33.350 updspapi.log
24.02.2006 12:28 1.374 imsins.BAK
24.02.2006 12:28 45.801 KB896422.log
24.02.2006 12:28 44.728 KB885835.log
24.02.2006 12:28 40.050 KB885836.log
24.02.2006 12:28 43.806 KB885250.log
24.02.2006 12:28 27.702 KB911927.log
24.02.2006 12:27 52.561 KB901017.log
24.02.2006 12:27 51.652 KB899591.log
24.02.2006 12:27 41.264 KB896424.log
24.02.2006 12:27 51.640 KB893756.log
24.02.2006 12:27 49.952 KB896423.log
24.02.2006 12:27 38.173 KB873339.log
24.02.2006 12:27 43.017 KB888113.log
24.02.2006 12:27 45.578 KB887742.log
24.02.2006 12:27 25.202 KB887472.log
24.02.2006 12:27 49.628 KB896358.log
24.02.2006 12:27 32.054 KB910437.log
24.02.2006 12:26 21.936 KB911564.log
24.02.2006 12:26 44.351 KB905915.log
24.02.2006 12:26 39.822 KB891781.log
24.02.2006 12:26 55.942 KB902400.log
24.02.2006 12:26 15.810 KB911565.log
24.02.2006 12:25 40.641 KB890046.log
24.02.2006 12:25 36.459 KB905414.log
24.02.2006 12:25 38.410 KB901214.log
24.02.2006 12:25 33.502 KB888302.log
24.02.2006 12:25 35.797 KB900725.log
24.02.2006 12:25 15.312 KB912919.log
24.02.2006 12:25 17.822 KB886185.log
24.02.2006 12:25 30.630 KB904706.log
24.02.2006 12:24 31.890 KB905749.log
24.02.2006 12:24 34.131 KB896428.log
24.02.2006 12:24 39.577 KB894391.log
24.02.2006 12:24 12.300 KB908519.log
24.02.2006 12:24 8.671 KB913446.log
24.02.2006 12:24 38.604 KB890859.log
24.02.2006 12:07 15.842 KB893803v2.log
17.02.2006 18:59 2.909 mozver.dat
17.02.2006 18:50 0 nsreg.dat
17.02.2006 18:50 107.134 UninstallFirefox.exe
14.02.2006 22:32 487 cdplayer.ini
09.02.2006 17:47 100.724 cpeins04.dat
29.01.2006 15:56 23 lnpth.lnf
23.01.2006 08:16 871 KB842773.log
21.01.2006 11:50 40 RSoftInfo.dat
09.01.2006 09:51 1.065 winamp.ini
08.01.2006 19:17 104.140 hpoins04.dat
29.12.2005 16:45 60.896 WFXINST.LOG
27.12.2005 10:56 48 WFXDEL.BAT
26.12.2005 15:04 2.464 $_hpcst$.hpc
26.12.2005 12:28 2.510 Microsoft.MIF

Datenträger in Laufwerk C: ist Windowsinstallation
Volumeseriennummer: 6051-3443

Verzeichnis von C:\

05.03.2006 16:53 0 sys.txt
05.03.2006 16:52 9.007 system.txt
05.03.2006 16:51 349 systemtemp.txt
05.03.2006 16:50 102.578 system32.txt
05.03.2006 16:42 1.610.612.736 pagefile.sys
05.03.2006 16:04 3.139 smitfiles.txt
05.03.2006 16:00 466 rapport.txt
26.02.2006 11:32 114 DownloadLog.txt
23.01.2006 15:36 429 datFind.bat
08.01.2006 19:17 1.159 _Sid.txt
18.12.2005 14:20 211 boot.ini
07.12.2005 17:34 1 REC.TXT


HJT-Log


Logfile of HijackThis v1.99.1
Scan saved at 16:55:27, on 05.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ewido anti-malware\ewidoctrl.exe
C:\Programme\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Programme\Winamp\Winampa.exe
D:\eBayTBDaemon.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Outlook Express\msimn.exe
D:\Security\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R3 - URLSearchHook: (no name) - {3876701E-7892-886C-3537-2523FD7B98C1} - MNTP.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\system32\dxdllreg.exe
O4 - HKLM\..\Run: [HPpromo psc 1300 series] "C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [eBayToolbar] D:\eBayTBDaemon.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://D:\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\MSOFFI~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Amex - {0F778FE7-0C68-4F48-B86D-74B2AAA82BD9} - www.americanexpress.de (file missing)
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MSOFFI~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {09954582-CAC3-4E05-A09C-4955BBD3187F} (Privat-X Client) - http://www.px24.com/ax/px_client_en.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129014461046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137986942828
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F234ED16-A3E6-4377-B9EA-11D580042B54}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: License Management Service ESD - element5 - C:\Programme\Gemeinsame Dateien\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
05.03.2006, 18:38
Honorary member
Avatar Sabina

Posts: 29434
#4 Ghrom

Fix with HijackThis:

R3 - URLSearchHook: (no name) - {3876701E-7892-886C-3537-2523FD7B98C1} - MNTP.dll (file missing)

Restart the PC.

Post the log from Silent Runners:
http://virus-protect.org/silentrunner.html
__________
Regards, Sabina

all about PC security
08.03.2006, 08:06
...new here

Thread starter

Posts: 7
#5 "Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"updateMgr" = "C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_7 -reboot 1" ["Adobe Systems Incorporated"]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
"DXDllRegExe" = "C:\WINDOWS\system32\dxdllreg.exe" [file not found]
"HPpromo psc 1300 series" = ""C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 1300 series" -r" ["hp"]
"WinFaxAppPortStarter" = "wfxsnt40.exe" [MS]
"DAEMON Tools-1033" = ""C:\Programme\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"WinampAgent" = ""C:\Programme\Winamp\Winampa.exe"" [null data]
"eBayToolbar" = "D:\eBayTBDaemon.exe" ["eBay"]
"HP Component Manager" = ""C:\Programme\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"CloneCDTray" = ""C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]
"KAVPersonal50" = ""C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize" ["Kaspersky Lab"]
"DAEMON Tools" = ""C:\Programme\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"AnyDVD" = "C:\Programme\SlySoft\AnyDVD\AnyDVD.exe" ["SlySoft, Inc."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"HP Software Update" = "C:\Programme\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\MS Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\MSOFFI~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\MSOFFI~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{A213B520-C6C2-11d0-AF9D-008029E1027E}" = "WinFax PRO IShellExecuteHook" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Symantec\WinFax\WfxSeh32.Dll" ["Symantec Corporation"]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido anti-malware\context.dll" ["ewido networks"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\shellex.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\WJoest\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Startup items in "WJoest" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{0F778FE7-0C68-4F48-B86D-74B2AAA82BD9}\
"ButtonText" = "Amex"
"CLSIDExtension" = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"Exec" = "www.americanexpress.de" [file not found]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Mobilen Favoriten erstellen"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\INetRepl.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Programme\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
HTTP-SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
kavsvc, kavsvc, ""C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe"" ["Kaspersky Lab"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
GEngine Port Monitor\Driver = "gengpmon.dll" [null data]
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
WinFax Ports\Driver = "WFXMNT40.DLL" [MS]
WinFax Ports (Fotoqualität)\Driver = "WFXMNTHQ.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 15 seconds, including 6 seconds for message boxes)
08.03.2006, 12:34
Honorary member
Avatar Sabina

Posts: 29434
#6 Ghrom

1.
Copy the following text into Notepad (Start - Accessories - Notepad) and save it to the desktop as fixme.reg using 'Save as'. Select 'All files' as the file type. You should now find this file on the desktop.

Restart the computer in safe mode (press F8 during startup). Double-click the file "fixme.reg" on the desktop.

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
2.
Fix with HijackThis:
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Amex - {0F778FE7-0C68-4F48-B86D-74B2AAA82BD9} - www.americanexpress.de (file missing)

3.
Scan with Kaspersky and post the scan report (scan everything):
http://virus-protect.org/onlinescan.html

4.
Reinstall Sun Java if necessary.
__________
Regards, Sabina

all about PC security
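The rule behind the lines flagged in replies #4 and #6, as an added example that is not part of this thread or of HijackThis itself: a small Python triage script over HijackThis log lines that picks out entries whose target file is reported as "(file missing)" and groups paired entries (such as the two Sun Java O9 lines) by CLSID. The sample lines are copied from the log posted above; the section list and the flagging logic are assumptions of the example.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example for this thread, not code from the original posts or from the
HijackThis project. It mechanises the rule the helper applies in replies #4
and #6: an entry whose target HijackThis reports as "(file missing)" is an
orphaned hook (the file is gone, the registration is not) and is a candidate
for the "Fix checked" button.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed set of sections that register something the browser or shell loads.
LOADER_TYPES = {"R3", "O2", "O3", "O4", "O9", "O16", "O20", "O21", "O23"}

LINE_RE = re.compile(r"^(?P<type>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    type: str             # HijackThis section, e.g. "O9"
    raw: str              # the full line, as it must be ticked in HijackThis
    clsid: Optional[str]  # CLSID carried by the line, if any
    reason: str           # why it was flagged ("" when it was not)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for header/non-entry lines."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    c = CLSID_RE.search(body)
    reasons = []
    if "(file missing)" in body:
        reasons.append("target file missing")
    if m.group("type") == "O23" and "Unknown owner" in body:
        reasons.append("service with no publisher")
    return Entry(m.group("type"), line, c.group(0) if c else None,
                 "; ".join(reasons))


def triage(log_text: str) -> List[Entry]:
    """Entries in loader sections whose target file is missing, in log order."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e.type in LOADER_TYPES and "target file missing" in e.reason:
            findings.append(e)
    return findings


def by_clsid(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group findings by CLSID so paired O9 button/menu lines are fixed together."""
    groups: Dict[str, List[Entry]] = {}
    for e in entries:
        groups.setdefault(e.clsid or "(no CLSID)", []).append(e)
    return groups


# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {3876701E-7892-886C-3537-2523FD7B98C1} - MNTP.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Amex - {0F778FE7-0C68-4F48-B86D-74B2AAA82BD9} - www.americanexpress.de (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido anti-malware\ewidoguard.exe
"""

if __name__ == "__main__":
    for clsid, group in by_clsid(triage(SAMPLE_LOG)).items():
        print(clsid)
        for e in group:
            print(f"  [{e.reason}] {e.raw}")
```

Orphaned O23 services are reported but cannot be removed with "Fix checked" alone; HijackThis needs its delete-service option for those, which is why the helper leaves them out of the fix list above.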