Pipas.A wird von Spybot gefunden, aber nur temporäres Entfernen möglich

#1 Hallo liebe Security Gemeinde,

nachdem ich jetzt 3 Tage lang nach einer Lösung zu meinem Problem gegooglet und sämtliche Lösungsvorschläge ausprobiert habe, bin ich zu der Erkenntnis gekommen, dass nur noch ein Posting in diesem Forum helfen kann.

Spybot findet auf meinem Laptop den Pipas.A mit folgenden Registry Eintrag:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins

Wenn man den entfernen lässt, ist er nach einem Neustart wieder da. Ich habe zwar bisher keine sonstigen Einschränkungen, wie ich sie beim Googlen bei Leidensgenossen gefunden habe (falsche Links bei Google, langer Spybot-Scan, usw.), aber da ich nicht weiß, was der Pipas.A anstellt, würde ich ihn gerne entfernen.

Hier also die erforderlichen Erstinformationen mit der Bitte um Hilfe:

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 18:25:46, on 19.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Dokumente und Einstellungen\Markus\Desktop\Entfernen Malware\HjT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.medion.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programme\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [dmkyr.exe] C:\WINDOWS\system32\dmkyr.exe
O4 - HKCU\..\Run: [AOLMIcon] C:\Programme\Gemeinsame Dateien\AOLSHARE\AOLMIcon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {09E5F659-139F-4022-9097-02E25F93F02A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092733492931
O17 - HKLM\System\CCS\Services\Tcpip\..\{2553A9AD-4DE5-46CE-89FB-24EA24ED123D}: NameServer = 85.255.113.116,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BE973C8-AEF0-4D53-A291-FFF4D0BDA878}: NameServer = 85.255.113.116,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7D8CD06-B646-4772-8692-637AB194B979}: NameServer = 85.255.113.116,85.255.112.16
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe


Die Einstellungen von CleanUp habe ich vorgenommen.


Und hier die Files aus datFind:

Datentr„ger in Laufwerk C: ist BOOT
Volumeseriennummer: F418-7F23

Verzeichnis von C:\WINDOWS\system32

13.05.2006 20:04 397.064 perfh009.dat
13.05.2006 20:04 61.728 perfc009.dat
13.05.2006 20:04 74.390 perfc007.dat
13.05.2006 20:04 411.382 perfh007.dat
13.05.2006 20:04 955.048 PerfStringBackup.INI
13.05.2006 20:00 2.206 wpa.dbl
13.05.2006 19:50 23.392 nscompat.tlb
13.05.2006 19:50 16.832 amcompat.tlb
04.05.2006 06:26 5.818.784 MRT.exe
30.03.2006 11:26 1.492.480 shdocvw.dll
30.03.2006 03:16 18.944 xpsp3res.dll
27.03.2006 19:37 3.303 qtplugin.log
24.03.2006 06:37 49.152 wdigest.dll
23.03.2006 22:34 3.074.560 mshtml.dll
18.03.2006 13:09 615.424 urlmon.dll
17.03.2006 11:11 679.424 inetcomm.dll
17.03.2006 06:03 8.493.056 shell32.dll
17.03.2006 02:38 28.672 verclsid.exe
13.03.2006 21:55 654.111 filesafer23.exe
10.03.2006 06:09 5.533.696 wmp.dll
04.03.2006 05:34 664.064 wininet.dll
04.03.2006 05:34 474.624 shlwapi.dll
04.03.2006 05:34 39.424 pngfilt.dll
04.03.2006 05:34 448.512 mshtmled.dll
04.03.2006 05:34 146.432 msrating.dll
04.03.2006 05:34 532.480 mstime.dll
04.03.2006 05:34 1.056.256 danim.dll
04.03.2006 05:34 251.392 iepeers.dll
04.03.2006 05:34 96.768 inseng.dll
04.03.2006 05:34 55.808 extmgr.dll
04.03.2006 05:34 205.312 dxtrans.dll
04.03.2006 05:34 152.064 cdfview.dll
04.03.2006 05:34 1.022.976 browseui.dll
01.03.2006 21:43 161.280 msdtcuiu.dll
01.03.2006 21:43 11.776 xolehlp.dll
01.03.2006 21:43 956.416 msdtctm.dll
01.03.2006 21:43 426.496 msdtcprx.dll
01.03.2006 21:43 91.136 mtxoci.dll
01.03.2006 21:43 66.560 mtxclu.dll
23.02.2006 11:22 57.344 avsda.dll
14.02.2006 09:20 550.120 LegitCheckControl.dll
10.02.2006 20:25 10.735 kobdevascii.log
10.02.2006 20:25 21.470 kobdev.log
08.02.2006 16:26 310.784 FNTCACHE.DAT
04.01.2006 05:35 68.096 webclnt.dll


Datentr„ger in Laufwerk C: ist BOOT
Volumeseriennummer: F418-7F23

Verzeichnis von C:\DOKUME~1\Markus\LOKALE~1\Temp



Datentr„ger in Laufwerk C: ist BOOT
Volumeseriennummer: F418-7F23

Verzeichnis von C:\WINDOWS

19.05.2006 18:04 3.886 ModemLog_Intel(R) 537EA Modem.txt
19.05.2006 18:04 1.183.251 WindowsUpdate.log
19.05.2006 18:03 0 0.log
19.05.2006 18:03 2.048 bootstat.dat
19.05.2006 17:46 99.501 setupapi.log
18.05.2006 20:44 303.566 ntbtlog.txt
18.05.2006 20:27 3.934 OEWABLog.txt
18.05.2006 20:27 218.285 wmsetup.log
14.05.2006 21:37 217.113 setupact.log
14.05.2006 09:39 570 win.ini
13.05.2006 22:32 3.642 spupdsvc.log
13.05.2006 22:30 15.109 KB911565.log
13.05.2006 19:58 4.364 COM+.log
13.05.2006 19:57 66.917 iis6.log
13.05.2006 19:57 145.497 comsetup.log
13.05.2006 19:57 1.374 imsins.log
13.05.2006 19:57 22.759 ocmsn.log
13.05.2006 19:57 87.699 ntdtcsetup.log
13.05.2006 19:57 168.852 tsoc.log
13.05.2006 19:57 12.010 KB904942.log
13.05.2006 19:57 209.665 ocgen.log
13.05.2006 19:57 20.767 msgsocm.log
13.05.2006 19:57 419.676 FaxSetup.log
13.05.2006 19:57 25.935 updspapi.log
13.05.2006 19:52 1.374 imsins.BAK
13.05.2006 19:52 7.573 WMCSetup.log
13.05.2006 19:51 4.449 basecsp.log
13.05.2006 19:51 7.841 KB891122.log
13.05.2006 19:51 316.640 WMSysPr9.prx
13.05.2006 19:50 243 wmsetup10.log
12.04.2006 19:35 7.349 WGA.log
12.04.2006 19:35 1.043.851 setupapi.log.0.old
12.04.2006 19:30 873 WINNT32.LOG
12.04.2006 19:30 225 DHCPUPG.LOG
12.04.2006 19:30 149 wsdu.log
09.04.2006 20:29 12.090 KB913580.log
07.04.2006 21:24 202 NeroDigital.ini
02.04.2006 16:02 50 wiaservc.log
02.04.2006 16:02 410 wiadebug.log
25.03.2006 21:10 11.312 KB900485.log
24.03.2006 21:53 4.255 mozver.dat
15.03.2006 11:30 16.689 KB908531.log
15.03.2006 11:30 18.572 KB911562.log
15.03.2006 11:30 24.484 KB912812.log
15.03.2006 11:29 13.703 KB911567.log
13.03.2006 22:07 4.334 rdt.ini
20.02.2006 18:16 2.068 vminst.log
14.02.2006 20:24 59 cdplayer.ini
10.02.2006 20:30 0 paths.dat
10.02.2006 20:26 513 hbcikrnl.ini
04.02.2006 19:43 249 accessdll.log
04.02.2006 19:21 1.988 avmadd32.log
04.02.2006 19:20 107 avmsysnet.log
28.01.2006 20:25 6.618 KB913446.log
19.01.2006 15:19 11.078 KB911927.log
19.01.2006 15:18 7.719 KB911564.log
12.01.2006 21:34 10.171 KB908519.log
07.01.2006 16:31 11.060 KB912919.log
07.01.2006 16:31 0 setuperr.log



Datentr„ger in Laufwerk C: ist BOOT
Volumeseriennummer: F418-7F23

Verzeichnis von C:\

19.05.2006 18:31 0 sys.txt
19.05.2006 18:29 9.178 system.txt
19.05.2006 18:29 125 systemtemp.txt
19.05.2006 18:27 98.211 system32.txt
19.05.2006 18:03 535.875.584 hiberfil.sys
19.05.2006 18:03 805.306.368 pagefile.sys
25.12.2004 10:42 211 boot.ini
05.09.2004 09:35 100 AUTOEXEC.BAT
17.08.2004 17:43 0 MSDOS.SYS
17.08.2004 17:43 0 IO.SYS
17.08.2004 17:43 0 CONFIG.SYS
04.08.2004 14:00 4.952 bootfont.bin
04.08.2004 14:00 47.564 NTDETECT.COM
04.08.2004 14:00 251.184 ntldr
14 Datei(en) 1.341.593.477 Bytes
0 Verzeichnis(se), 24.195.792.896 Bytes frei

Hoffentlich habe ich nichts vergessen!

Ich würde mich freuen, wenn sich jemand meinem Problem annehmen würde.

Vielen Dank schon einmal!

Beste Grüße
Markus

#2 magicpiano

Download f-secure-Beta Trial
http://www.f-secure.com/blacklight/
doppelklick: blbeta.exe
nach dem Check klicke -- next -> poste das log

+
das Log vom Silentrunner
http://virus-protect.org/silentrunner.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Hallo Sabina,

ich wusste doch, dass ich etwas vergessen habe. Blacklight findet bei mir keine versteckten Einträge. Hier trotzdem das Log:

05/20/06 13:53:20 [Info]: BlackLight Engine 1.0.36 initialized
05/20/06 13:53:20 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/20/06 13:53:20 [Note]: 7019 4
05/20/06 13:53:20 [Note]: 7005 0
05/20/06 13:53:24 [Note]: 7006 0
05/20/06 13:53:24 [Note]: 7011 912
05/20/06 13:53:24 [Note]: 7026 0
05/20/06 13:53:24 [Note]: 7026 0
05/20/06 13:53:33 [Note]: FSRAW library version 1.7.1015
05/20/06 13:54:46 [Note]: 2000 1006
05/20/06 13:55:28 [Note]: 7007 0

Und hier das Log vom SilentRunner:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AOLMIcon" = "C:\Programme\Gemeinsame Dateien\AOLSHARE\AOLMIcon.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LaunchAp" = "C:\Programme\Launch Manager\LaunchAp.exe" [empty string]
"HotkeyApp" = "C:\Programme\Launch Manager\HotkeyApp.exe" ["Wistron"]
"CtrlVol" = "C:\Programme\Launch Manager\CtrlVol.exe" ["Wistron"]
"LMgrOSD" = "C:\Programme\Launch Manager\OSD.exe" ["Wistron"]
"Wbutton" = ""C:\Programme\Launch Manager\Wbutton.exe"" [empty string]
"SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"PCMService" = ""C:\Programme\Home Cinema\PowerCinema\PCMService.exe"" ["CyberLink Corp."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"BDNewsAgent" = ""C:\Programme\Softwin\BitDefender8\bdnagent.exe"" [file not found]
"dmhus.exe" = "C:\WINDOWS\system32\dmhus.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
-> {HKLM...CLSID} = "InoShell"
\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" [file not found]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Neu\OpenOffice.org1.1.4\program\shlxthdl.dll" ["Sun Microsystems, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
-> {HKLM...CLSID} = "a² Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Programme\a-squared\a2contmenu.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {HKLM...CLSID} = "InoShell"
\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" [file not found]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {HKLM...CLSID} = "InoShell"
\InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" [file not found]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {HKLM...CLSID} = "a² Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Programme\a-squared\a2contmenu.dll" [null data]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\MEDION 5aol.bmp"


Startup items in "Markus" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"WinZip Quick Pick" -> shortcut to: "C:\Programme\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{09E5F659-139F-4022-9097-02E25F93F02A}\
"ButtonText" = "MedionShop"
"Exec" = "http://www.medionshop.de/" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.aldi.com

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
avm:\Driver = "avmprmon.dll" ["AVM Berlin GmbH"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
PDFCreator\Driver = "redmonnt.dll" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 39 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 6 seconds.
---------- (total run time: 61 seconds)


Danke schonmal für die schnelle Antwort!

Beste Grüße
Markus

#4 magicpiano

1.
KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: Delete on Reboot --> anhaken
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"
reinkopieren: ............

C:\WINDOWS\system32\dmhus.exe
C:\WINDOWS\system32\dmkyr.exe
C:\WINDOWS\rdt.ini
C:\WINDOWS\system32\filesafer23.exe

PC neustarten

2.
du musst nach neustarte eine neue Internetverbindung erstellen

öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

Zitat

O4 - HKLM\..\Run: [dmkyr.exe] C:\WINDOWS\system32\dmkyr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2553A9AD-4DE5-46CE-89FB-24EA24ED123D}:
NameServer = 85.255.113.116,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BE973C8-AEF0-4D53-A291-FFF4D0BDA878}:
NameServer = 85.255.113.116,85.255.112.16
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7D8CD06-B646-4772-8692-637AB194B979}:
NameServer = 85.255.113.116,85.255.112.16

3.
Download FixWareout
http://downloads.subratam.org/Fixwareout.exe
Fixwareout.exe --> next --> Install --> Run fixit --> Finish / der PC wird neustarten --> C:\fixwareout\report.txt

4
SmitRem2.8
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
öffne smitRem folder,Doppelklick: RunThis.bat
warte, bis der Scan beendet ist (der Bildschirm wird blau werden. das ist normal)
poste die smitfile.txt (von smitrem)

5.
poste das neue Log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Hallo Sabina,

zu 1. erledigt

zu 2. auch erledigt, allerdings habe ich nicht den O4-Eintrag gefunden (hat der HjT-Scan nicht angezeigt) und ich habe noch einen ähnlichen O17-Eintrag (siehe Log). Soll ich den auch noch löschen?

Hier noch einmal einaktueller HjT-Log:

Logfile of HijackThis v1.99.1
Scan saved at 16:23:58, on 20.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\Markus\Desktop\Entfernen Malware\HjT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programme\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [AOLMIcon] C:\Programme\Gemeinsame Dateien\AOLSHARE\AOLMIcon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {09E5F659-139F-4022-9097-02E25F93F02A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092733492931
O17 - HKLM\System\CCS\Services\Tcpip\..\{334BB9A3-039D-4EDE-BDD1-B18C81EECA23}: NameServer = 62.104.191.241 62.104.196.134
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

zu 3. erledigt:


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\aesmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
...

Random Runs removed from HKLM
"dmsea.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMSEA.EXE 44.130 2004-08-04


zu 4. erledigt:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]

Running from
C:\Dokumente und Einstellungen\Markus\Desktop\Entfernen Malware\SmitRem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1160 'explorer.exe'
Killing PID 1160 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN!



Beste Grüße
Markus

#6 scanne mit kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html
+
poste das neue Log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Hallo Sabina,

bei Kapersky kam die Meldung:

"Report is empty"!

Hier das neue HjT-Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:11, on 21.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Launch Manager\LaunchAp.exe
C:\Programme\Launch Manager\HotkeyApp.exe
C:\Programme\Launch Manager\OSD.exe
C:\Programme\Launch Manager\Wbutton.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Markus\Desktop\Entfernen Malware\HjT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programme\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [AOLMIcon] C:\Programme\Gemeinsame Dateien\AOLSHARE\AOLMIcon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {09E5F659-139F-4022-9097-02E25F93F02A} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092733492931
O17 - HKLM\System\CCS\Services\Tcpip\..\{334BB9A3-039D-4EDE-BDD1-B18C81EECA23}: NameServer = 212.60.192.100 212.60.192.101
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Beste Grüße
Markus

#8 magicpiano

ich denke, dass das Problem behoben ist, da der Wareout jedoch sehr "hartnaeckig" ist...mache bitte noch einen scan mit ewido
(abges.Modus und Normalmodus)
und poste die scanreporte.
http://virus-protect.org/ewido.html
__________
MfG Sabina

rund um die PC-Sicherheit

#9 Hallo Sabina,

hier die zwei Reporte:

Abgesicherter Modus:

---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------

+ Erstellt am: 08:34:17, 22.05.2006
+ Report-Checksumme: C0F283B3

+ Scanergebnis:

C:\Dokumente und Einstellungen\Markus\Cookies\markus@as1.falkag[2].txt -> TrackingCookie.Falkag : Gesäubert mit Backup
C:\WINDOWS\system32\dmsea.exe -> Trojan.Pakes : Gesäubert mit Backup


::Report Ende


Und danach im normalen Modus (also nach Bereinigung und Neustart):

---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------

+ Erstellt am: 09:03:40, 22.05.2006
+ Report-Checksumme: 83BC92B3

+ Scanergebnis:

Keine infizierten Objekte gefunden.


::Report Ende

Sieht doch ganz gut aus, oder? Habe auch nochmal Spybot laufen lassen. Der hat auch nichts mehr gefunden.

Hast Du noch einen Tipp, mit welchen der benutzten Programme man einigermaßen sicher "fährt"?

Und abschließend natürlich ein ganz dickes Lob und Dankeschön für immer schnelle und kompetente Hilfe! Ich werde Euer Forum auf alle Fälle weiterempfehlen!

Beste Grüße
Markus

#10 magicpiano

1.
ewido muss man nach 14 Tagen kaufen oder deinstallieren

2.
Windows-Defender ist free und mit aktiviertem Guard zu empfehlen
http://virus-protect.org/ms.html

3.
gewisse Seiten konsequent meiden , dann bleibt man vom Wareout verschont.

Alles Gute
__________
MfG Sabina

rund um die PC-Sicherheit