Problem with Trojan TR/Dldr.Agent.uj.1

29.05.2006, 16:22
...new here

Posts: 8
#1 Here is my logfile from HijackThis...
I'm very grateful for your help!

Logfile of HijackThis v1.99.1
Scan saved at 16:19:01, on 29.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Programme\Sony\vaio entertainment\VzTaskScheduler.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\sony\vaio update 2\VAIOUpdt.exe
C:\Programme\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
C:\Programme\Utimaco\SafeGuard PrivateDisk\pdservice.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Programme\Sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
C:\Programme\Sony\vaio entertainment\VzTrayIcon.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\Programme\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Programme\Sony\VAIO Launcher\Launcher.exe
C:\Programme\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\SONYVA~1\LOKALE~1\Temp\Rar$EX00.187\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ch/0SEDECH/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von cablecom hispeed internet
R3 - URLSearchHook: (no name) - {733421B4-937F-48A9-9200-D48BF660F055} - ___.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Programme\sony\vaio update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [VZRemoteCommander] C:\Programme\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
O4 - HKLM\..\Run: [PDService.exe] C:\Programme\Utimaco\SafeGuard PrivateDisk\pdservice.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [UnSpyPC] C:\Programme\UnSpyPC\UnSpyPC.exe
O4 - HKCU\..\Run: [_ctcp] MONITER.exe
O4 - HKCU\..\Run: [DCC_send] iesetupdll.exe
O4 - HKCU\..\Run: [LOPTCON] Testimonials.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: VAIO Launcher.lnk = C:\Programme\Sony\VAIO Launcher\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Audio Filter.lnk = C:\Programme\Sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
O4 - Global Startup: Aufzeichnungsstatus.lnk = C:\Programme\Sony\vaio entertainment\VzTrayIcon.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Programme\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Programme\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Programme\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Programme\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Programme\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Programme\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe
29.05.2006, 18:11
Honorary member

Posts: 29434
#2 schaans

Download the F-Secure BlackLight beta trial:
http://www.f-secure.com/blacklight/
Double-click blbeta.exe.
After the check, click "next" (post the log).

Configure CleanUp exactly as described here:
http://virus-protect.org/cleanup.html

Copy these 4 text files (right-click with the mouse -> select the text -> copy -> paste). They are sorted by date (copy only the last 3 months).
http://virus-protect.org/datfindbat.html

Post the log from Silent Runners:
http://virus-protect.org/silentrunner.html
__________
Regards, Sabina

all about PC security
29.05.2006, 18:59
...new here

Thread starter

Posts: 8
#3
05/29/06 18:43:04 [Info]: BlackLight Engine 1.0.36 initialized
05/29/06 18:43:04 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/29/06 18:43:04 [Note]: 7019 4
05/29/06 18:43:04 [Note]: 7005 0
05/29/06 18:43:10 [Note]: 7006 0
05/29/06 18:43:10 [Note]: 7011 328
05/29/06 18:43:10 [Note]: 7026 0
05/29/06 18:43:10 [Note]: 7026 0
05/29/06 18:43:10 [Note]: 7024 3
05/29/06 18:43:10 [Info]: Hidden process: C:\WINDOWS\system32\idemlog.exe
05/29/06 18:43:10 [Note]: FSRAW library version 1.7.1015
05/29/06 18:47:24 [Info]: Hidden file: c:\WINDOWS\ServicePackFiles\i386\wbemtest.exe
05/29/06 18:47:24 [Note]: 10002 1
05/29/06 18:47:25 [Info]: Hidden file: c:\WINDOWS\ServicePackFiles\i386\tcptest.exe
05/29/06 18:47:25 [Note]: 10002 1
05/29/06 18:47:27 [Info]: Hidden file: C:\WINDOWS\system32\idemlog.exe
05/29/06 18:47:27 [Note]: 10002 1
05/29/06 18:47:29 [Info]: Hidden file: c:\WINDOWS\system32\cstkh.exe
05/29/06 18:47:29 [Note]: 7002 32
05/29/06 18:47:29 [Note]: 7003 1
05/29/06 18:47:29 [Note]: 10002 1
05/29/06 18:47:32 [Info]: Hidden file: c:\WINDOWS\system32\favset.exe
05/29/06 18:51:40 [Note]: 7002 5
05/29/06 18:51:40 [Note]: 7003 1
05/29/06 18:51:41 [Note]: 10002 1
05/29/06 18:51:41 [Info]: Hidden file: c:\WINDOWS\system32\filesafer23.exe
05/29/06 18:51:41 [Note]: 10002 1
05/29/06 18:51:44 [Info]: Hidden file: c:\WINDOWS\system32\wbem\wbemtest.exe
05/29/06 18:51:44 [Note]: 10002 1
05/29/06 18:51:47 [Info]: Hidden file: c:\WINDOWS\system32\pppcgm.exe
05/29/06 18:51:47 [Note]: 10002 1
05/29/06 18:51:48 [Info]: Hidden file: c:\WINDOWS\system32\howiper.exe
05/29/06 18:51:53 [Note]: 7002 5
05/29/06 18:51:53 [Note]: 7003 1
05/29/06 18:51:53 [Note]: 10002 1
05/29/06 18:51:57 [Info]: Hidden file: c:\WINDOWS\system32\sphlp32.exe
05/29/06 18:52:01 [Note]: 7002 5
05/29/06 18:52:01 [Note]: 7003 1
05/29/06 18:52:01 [Note]: 10002 1
05/29/06 18:53:55 [Note]: 7007 0


Volume in drive C is VAIO
Volume Serial Number is 7834-B2AB

Directory of C:\WINDOWS\system32

29.05.2006 19:59 21'872 close.bmp
29.05.2006 19:59 21'872 insurance.bmp
29.05.2006 19:59 21'872 spyware.bmp
29.05.2006 19:59 21'872 xxx.bmp
29.05.2006 19:59 21'872 pharmacy.bmp
29.05.2006 19:59 21'872 dating.bmp
29.05.2006 19:59 23'480 gambling.bmp
29.05.2006 19:59 387 idesk.conf

27.05.2006 15:58 176'167 rmoc3260.dll
27.05.2006 15:58 5'632 pndx5032.dll
27.05.2006 15:58 6'656 pndx5016.dll
27.05.2006 15:58 278'528 pncrt.dll
27.05.2006 12:12 43'520 CmdLineExt03.dll
26.05.2006 13:34 1'158 wpa.dbl
11.05.2006 23:14 21'840 SIntfNT.dll
11.05.2006 23:14 17'212 SIntf32.dll
11.05.2006 23:14 12'067 SIntf16.dll
09.05.2006 16:50 0 asfiles.txt
09.05.2006 16:45 705 dgprpsetup.exe
09.05.2006 16:45 2'550 Uninstall.ico
09.05.2006 16:45 1'406 Help.ico
09.05.2006 16:45 30'590 pavas.ico

09.05.2006 15:33 100 LuResult.txt
07.05.2006 23:32 39'992 perfc009.dat
07.05.2006 23:32 311'604 perfh009.dat
07.05.2006 23:32 48'156 perfc007.dat
07.05.2006 23:32 316'594 perfh007.dat
07.05.2006 23:32 723'568 PerfStringBackup.INI
04.05.2006 06:26 5'818'784 MRT.exe
06.04.2006 10:54 73'728 asuninst.exe
03.04.2006 10:59 128 xposer.cfg
03.04.2006 10:59 128 asinst.cfg
30.03.2006 11:26 1'492'480 shdocvw.dll
30.03.2006 03:16 18'944 xpsp3res.dll
23.03.2006 22:34 3'074'560 mshtml.dll
18.03.2006 13:09 615'424 urlmon.dll
17.03.2006 11:11 679'424 inetcomm.dll
17.03.2006 06:03 8'493'056 shell32.dll
17.03.2006 02:38 28'672 verclsid.exe
04.03.2006 05:34 664'064 wininet.dll
04.03.2006 05:34 474'624 shlwapi.dll
04.03.2006 05:34 146'432 msrating.dll
04.03.2006 05:34 532'480 mstime.dll
04.03.2006 05:34 39'424 pngfilt.dll
04.03.2006 05:34 448'512 mshtmled.dll
04.03.2006 05:34 1'056'256 danim.dll
04.03.2006 05:34 55'808 extmgr.dll
04.03.2006 05:34 96'768 inseng.dll
04.03.2006 05:34 205'312 dxtrans.dll
04.03.2006 05:34 251'392 iepeers.dll
04.03.2006 05:34 152'064 cdfview.dll
04.03.2006 05:34 1'022'976 browseui.dll
01.03.2006 21:43 91'136 mtxoci.dll
01.03.2006 21:43 161'280 msdtcuiu.dll
01.03.2006 21:43 11'776 xolehlp.dll
01.03.2006 21:43 426'496 msdtcprx.dll
01.03.2006 21:43 956'416 msdtctm.dll
01.03.2006 21:43 66'560 mtxclu.dll
14.02.2006 09:20 550'120 LegitCheckControl.dll
24.01.2006 19:34 118'784 sirenacm.dll
18.01.2006 14:05 57'344 avsda.dll
12.01.2006 13:04 155'648 phvet.dll
07.01.2006 12:14 155'648 cnvbd.dll
04.01.2006 05:35 68'096 webclnt.dll

Volume in drive C is VAIO
Volume Serial Number is 7834-B2AB

Directory of C:\DOKUME~1\SONYVA~1\LOKALE~1\Temp

29.05.2006 20:06 45'056 ~WS3.tmp
29.05.2006 20:06 53'248 ~WS2.tmp
29.05.2006 20:06 118'784 ~WS1.tmp
3 File(s) 217'088 bytes
0 Dir(s) 2'309'267'456 bytes free


Volume in drive C is VAIO
Volume Serial Number is 7834-B2AB

Directory of C:\WINDOWS

29.05.2006 20:06 0 0.log
29.05.2006 20:05 1'781'008 WindowsUpdate.log
29.05.2006 20:05 2'048 bootstat.dat
29.05.2006 20:04 32'212 SchedLgU.Txt
29.05.2006 12:51 256'014 ntbtlog.txt
27.05.2006 03:03 50 cdplayer.ini
27.05.2006 00:17 364'548 setupapi.log
26.05.2006 22:19 74'428 DirectX.log
24.05.2006 00:46 346'837 wmsetup.log
17.05.2006 10:37 4'517 rdt.ini
16.05.2006 22:21 10'883 mozver.dat
12.05.2006 03:00 57'763 iis6.log
12.05.2006 03:00 78'951 ntdtcsetup.log
12.05.2006 03:00 131'358 comsetup.log
12.05.2006 03:00 1'374 imsins.log
12.05.2006 03:00 148'243 tsoc.log
12.05.2006 03:00 20'760 ocmsn.log
12.05.2006 03:00 11'687 KB913580.log
12.05.2006 03:00 190'129 ocgen.log
12.05.2006 03:00 18'742 msgsocm.log
12.05.2006 03:00 362'672 FaxSetup.log
12.05.2006 03:00 28'046 updspapi.log
11.05.2006 23:21 26'943 DIIUnin.dat
09.05.2006 16:48 555 win.ini
09.05.2006 16:08 1'355 imsins.BAK
09.05.2006 16:08 17'489 KB911562.log
09.05.2006 16:08 17'526 KB900485.log
09.05.2006 16:08 18'886 KB912812.log
09.05.2006 16:07 11'978 KB908531.log
09.05.2006 16:07 11'257 KB911567.log
09.05.2006 15:59 5'357 WGA.log
11.03.2006 13:49 1'873 setupact.log
18.02.2006 04:08 29'899 spupdsvc.log
18.02.2006 04:01 10'620 KB911927.log
18.02.2006 04:01 5'224 KB911564.log
18.02.2006 04:01 5'468 KB911565.log
18.02.2006 04:00 6'623 KB913446.log
15.02.2006 19:20 604 Edofma.INI
12.01.2006 18:00 10'089 KB908519.log
07.01.2006 14:41 11'006 KB912919.log

Volume in drive C is VAIO
Volume Serial Number is 7834-B2AB

Directory of C:\

29.05.2006 20:11 0 sys.txt
29.05.2006 20:10 13'475 system.txt
29.05.2006 20:10 375 systemtemp.txt
29.05.2006 20:09 94'459 system32.txt
29.05.2006 20:05 1'073'139'712 hiberfil.sys
29.05.2006 20:05 1'610'612'736 pagefile.sys
26.05.2006 17:45 45'017 tv3d_debug.txt
01.12.2005 08:08 0 AILog.txt
07.06.2005 20:04 166 ambit.log
16.02.2005 11:56 3'447 bink_log.txt
16.02.2005 11:38 438 sound_bank_log.txt
11.01.2005 12:05 211 boot.ini
18.08.2004 14:01 47'564 NTDETECT.COM
18.08.2004 14:01 251'184 ntldr
18.08.2004 13:33 0 IO.SYS
18.08.2004 13:33 0 CONFIG.SYS
18.08.2004 13:33 0 AUTOEXEC.BAT
18.08.2004 13:33 0 MSDOS.SYS
02.04.2003 14:00 4'952 bootfont.bin
19 File(s) 2'684'213'736 bytes
0 Dir(s) 2'309'246'976 bytes free


"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"MsnMsgr" = ""C:\Programme\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"desktop" = "C:\WINDOWS\system32\idemlog.exe" [empty string]
"UnSpyPC" = "C:\Programme\UnSpyPC\UnSpyPC.exe" [file not found]
"_ctcp" = "MONITER.exe" [file not found]
"DCC_send" = "iesetupdll.exe" [file not found]
"LOPTCON" = "Testimonials.exe" [file not found]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"URLLSTCK.exe" = "C:\Programme\Norton Internet Security\UrlLstCk.exe" [file not found]
"VAIO Update 2" = ""C:\Programme\sony\vaio update 2\VAIOUpdt.exe" /Stationary" ["Sony Corporation"]
"VZRemoteCommander" = "C:\Programme\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [null data]
"PDService.exe" = "C:\Programme\Utimaco\SafeGuard PrivateDisk\pdservice.exe" ["Utimaco Safeware AG"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"dmrbe.exe" = "C:\WINDOWS\system32\dmrbe.exe" [file not found]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Web assistant"
-> {HKLM...CLSID} = "CNisExtBho Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F6A51CCC-6AA6-46ad-B726-97466F0A38BF}" = "SafeGuard® PrivateDisk extension"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Utimaco\SafeGuard PrivateDisk\pdshell.dll" ["Utimaco Safeware AG"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "C:\Programme\Sonic\RecordNow!\shlext.dll" [null data]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csslh.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
SGPDMenu\(Default) = "{F6A51CCC-6AA6-46ad-B726-97466F0A38BF}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Utimaco\SafeGuard PrivateDisk\pdshell.dll" ["Utimaco Safeware AG"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
SGPDMenu\(Default) = "{F6A51CCC-6AA6-46ad-B726-97466F0A38BF}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Utimaco\SafeGuard PrivateDisk\pdshell.dll" ["Utimaco Safeware AG"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Group Policies [Description]:
-----------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\w03-1024.BMP"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\vaioslic.scr" ["Sony Corporation"]


Startup items in "Sony Vaio" & "All Users" startup folders:
-----------------------------------------------------------

C:\Dokumente und Einstellungen\Sony Vaio\Startmenü\Programme\Autostart
"VAIO Launcher" -> shortcut to: "C:\Programme\Sony\VAIO Launcher\Launcher.exe" ["Sony Corporation"]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Acrobat Assistant" -> shortcut to: "C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Audio Filter" -> shortcut to: "C:\Programme\Sony\sonicstage mastering studio\audio filter\SSMSFilter.exe" ["Sony Corporation"]
"Aufzeichnungsstatus" -> shortcut to: "C:\Programme\Sony\vaio entertainment\VzTrayIcon.exe" ["Sony Corporation"]
"WG111v2 Smart Wizard Wireless Setting" -> shortcut to: "C:\Programme\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe" [empty string]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDetect.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {HKLM...CLSID} = "Web assistant"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Web assistant"
-> {HKLM...CLSID} = "Web assistant"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{733421B4-937F-48A9-9200-D48BF660F055}" = "iehelper"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "___.dll" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
SymWMI Service, SymWSC, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
VAIO Entertainment Aggregation and Control Service, VAIO Entertainment Aggregation and Control Service, ""C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe"" ["Sony Corporation"]
VAIO Entertainment File Import Service, VAIO Entertainment File Import Service, "C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe" ["Sony Corporation"]
VAIO Entertainment Task Scheduler, VAIO Entertainment Task Scheduler, ""C:\Programme\Sony\vaio entertainment\VzTaskScheduler.exe"" ["Sony Corporation"]
VAIO Entertainment TV Device Arbitration Service, VAIO Entertainment TV Device Arbitration Service, ""C:\Programme\Gemeinsame Dateien\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe"" ["Sony Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 35 seconds, including 18 seconds for message boxes)
This post was edited by schaans on 29.05.2006 at 20:15.
29.05.2006, 23:45
Honorary member

Posts: 29434
#4 schaans

Copy the following text into Notepad (Start - Accessories - Notepad) and save it to the desktop as fixme.reg using 'Save as'; set the file type to 'All files'. You should now find this file on the desktop -> double-click it and merge it into the registry.

Quote

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"desktop"=-
"UnSpyPC"=-
"_ctcp"=-
"DCC_send"=-
"LOPTCON"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmrbe.exe"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{733421B4-937F-48A9-9200-D48BF660F055}]

[-HKEY_CLASSES_ROOT\CLSID\{94A0E512-EFBE-18DE-9964-820E962F7FAD}]
[-HKEY_CLASSES_ROOT\CLSID\{6088FF2E-998F-5345-4D93-575B4AFA0449}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\UnSpyPC]

[-HKEY_CURRENT_USER\Software\UnSpyPC]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UnSpyPC]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{BF69DF00-4734-477F-8257-27CD04F88779}"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BF69DF00-4734-477F-8257-27CD04F88779}]

KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html

Options: tick "Delete on Reboot"
and click the red cross; when asked "Do you want to reboot?", click "no" and paste in the next one; click "yes" only for the last one.
Paste in: .....

Quote

C:\WINDOWS\system32\idemlog.exe
C:\WINDOWS\system32\idemlog.exe
c:\WINDOWS\system32\cstkh.exe
c:\WINDOWS\system32\csslh.exe
c:\WINDOWS\system32\favset.exe
c:\WINDOWS\system32\filesafer23.exe
c:\WINDOWS\system32\pppcgm.exe
C:\WINDOWS\system32\dmrbe.exe
C:\WINDOWS\system32\dgprpsetup.exe
c:\WINDOWS\system32\howiper.exe
c:\WINDOWS\system32\sphlp32.exe
C:\WINDOWS\system32\close.bmp
C:\WINDOWS\system32\insurance.bmp
C:\WINDOWS\system32\spyware.bmp
C:\WINDOWS\system32\xxx.bmp
C:\WINDOWS\system32\pharmacy.bmp
C:\WINDOWS\system32\dating.bmp
C:\WINDOWS\system32\gambling.bmp
C:\WINDOWS\system32\idesk.conf
C:\WINDOWS\system32\Uninstall.ico
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\balloon.wav
c:\WINDOWS\rdt.ini
Restart the PC into Safe Mode.

**
C:\Programme\UnSpyPC -> uninstall

**
Look for C:\!KillBox
and manually delete all files found there.

**
Boot back into normal mode.

**
Download FixWareout:
http://downloads.subratam.org/Fixwareout.exe
Fixwareout.exe --> next --> Install --> Run fixit --> Finish / the PC will restart --> C:\fixwareout\report.txt

**
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives". (then turn it back on)

**
Scan and post the scan report:
http://virus-protect.org/ewido.html

---------------
Info: Programme\UnSpyPC

http://virus-protect.org/artikel/spyware/idemlog.html
__________
Regards, Sabina

all about PC security
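The fixme.reg in post #4 was written by hand from the Silent Runners "Run" sections in post #3: values tagged "[file not found]" that point at a bare filename, and a binary in system32 with no version information, were removed, while an orphaned entry with a full path to a known product (URLLSTCK.exe from Norton) was left alone. The following Python script is an added example of that triage, not part of the thread and not Silent Runners' or the forum's own code. The sample lines are copied from the Silent Runners output above; the scoring rules in classify() are this example's own assumptions. Note that a bare filename on its own is not a signal (AGRSMMSG.exe is attributed to Agere Systems and kept); it is the combination with a missing file or missing version information that matters, because a bare name is resolved through the search path rather than an explicit location.

```python
"""Triage Silent Runners 'Run' entries and emit a REGEDIT4 removal file.

Added example for this thread, not Silent Runners' or the forum's own code.
SAMPLE is copied from the Silent Runners output posted above; the scoring
rules in classify() are this example's own assumptions.
"""
import re
from collections import OrderedDict

# Constructed sample: a subset of the HKCU/HKLM Run sections from the log.
SAMPLE = r"""
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"desktop" = "C:\WINDOWS\system32\idemlog.exe" [empty string]
"UnSpyPC" = "C:\Programme\UnSpyPC\UnSpyPC.exe" [file not found]
"_ctcp" = "MONITER.exe" [file not found]
"DCC_send" = "iesetupdll.exe" [file not found]
"LOPTCON" = "Testimonials.exe" [file not found]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"URLLSTCK.exe" = "C:\Programme\Norton Internet Security\UrlLstCk.exe" [file not found]
"dmrbe.exe" = "C:\WINDOWS\system32\dmrbe.exe" [file not found]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"""

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
HEADER = re.compile(r'^(HKCU|HKLM)\\(.+?)\\ \{\+\+\}$')
ENTRY = re.compile(r'^"([^"]+)" = "(.*)" \[(.*)\]$')
EXE = re.compile(r'^"?(.+?\.exe)\b', re.IGNORECASE)


def parse_run_sections(text):
    """Return one dict per Run value: key (full hive path), name, command, tag."""
    key, entries = None, []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            key = HIVES[m.group(1)] + "\\" + m.group(2)
            continue
        m = ENTRY.match(line)
        if m and key:
            entries.append({"key": key, "name": m.group(1),
                            "command": m.group(2), "tag": m.group(3)})
    return entries


def classify(entry):
    """Return (action, reason). Heuristics are this example's own assumptions."""
    m = EXE.match(entry["command"])
    exe = m.group(1) if m else entry["command"]
    bare = "\\" not in exe          # no directory: resolved via the search path
    in_system32 = "\\system32\\" in exe.lower()
    tag = entry["tag"]
    if tag == "file not found":
        if bare or in_system32:
            return "delete", "orphaned value with a bare or system32 filename"
        return "review", "orphaned value with a full path; confirm the product is really gone"
    if tag in ("empty string", "null data") and in_system32:
        return "delete", "binary in system32 without version information"
    return "keep", "attributed to " + tag.strip('"')


def build_fixme(entries):
    """Render REGEDIT4 text that deletes every value classified 'delete'."""
    by_key = OrderedDict()
    for e in entries:
        if classify(e)[0] == "delete":
            by_key.setdefault(e["key"], []).append(e["name"])
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append("[" + key + "]")
        lines.extend('"%s"=-' % n for n in names)
        lines.append("")
    return "\r\n".join(lines)       # regedit expects CRLF line endings


if __name__ == "__main__":
    found = parse_run_sections(SAMPLE)
    for e in found:
        action, reason = classify(e)
        print("%-6s %-18s %s" % (action, e["name"], reason))
    print(build_fixme(found))
```

Entries classified "review" (UnSpyPC, URLLSTCK.exe) are intentionally not written to the .reg file: an orphaned value with a full path can be the leftover of a legitimate uninstall, and deciding that UnSpyPC belongs in the removal list, as the post above does, needs knowledge about the product that the log line alone does not carry.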
30.05.2006, 16:12
...new here

Thread starter

Posts: 8
#5 Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
...

Random Runs removed from HKLM
"dmrbe.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files
* thequicklink C:\WINDOWS\System32\CNVBD.DLL
* thequicklink C:\WINDOWS\System32\PHVET.DLL
* thequicklink C:\WINDOWS\System32\WZKDW.DLL
* thequicklink C:\WINDOWS\System32\XDKIU.DLL

»»»»» Checking for older variants covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSGXR.EXE 51'200 2005-12-11
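The "Reg Entries that were deleted" list in the FixWareout report above is worth a second look: read backwards, most of the Urls subkey names are exactly the files BlackLight reported as hidden in post #3 (repiwoh/howiper.exe, 23plhps/sphlp32.exe, mgcppp/pppcgm.exe, tesvaf/favset.exe, golmedi/idemlog.exe, 32refaselif/filesafer23.exe) or appear in the system32 listing (putesprpgd/dgprpsetup.exe). The following Python script is an added example that automates that cross-check; it is not part of the thread and not FixWareout's or BlackLight's code. The three samples are copied from the logs posted above; the matching rule (each subkey name is a dropped file name spelled backwards) is this example's own assumption, and names with no match are reported separately rather than interpreted.

```python
"""Match FixWareout's reversed Urls subkey names to files in other logs.

Added example for this thread, not FixWareout's or BlackLight's own code.
The three samples are copied from the logs posted above; the matching logic
assumes each Urls subkey is a dropped file name spelled backwards.
"""
import re
from collections import OrderedDict

FIXWAREOUT_REPORT = r"""
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
"""

# Constructed sample: hidden-object lines from the BlackLight log above.
BLACKLIGHT_LOG = r"""
05/29/06 18:43:10 [Info]: Hidden process: C:\WINDOWS\system32\idemlog.exe
05/29/06 18:47:24 [Info]: Hidden file: c:\WINDOWS\ServicePackFiles\i386\wbemtest.exe
05/29/06 18:47:27 [Info]: Hidden file: C:\WINDOWS\system32\idemlog.exe
05/29/06 18:47:29 [Info]: Hidden file: c:\WINDOWS\system32\cstkh.exe
05/29/06 18:47:32 [Info]: Hidden file: c:\WINDOWS\system32\favset.exe
05/29/06 18:51:41 [Info]: Hidden file: c:\WINDOWS\system32\filesafer23.exe
05/29/06 18:51:47 [Info]: Hidden file: c:\WINDOWS\system32\pppcgm.exe
05/29/06 18:51:48 [Info]: Hidden file: c:\WINDOWS\system32\howiper.exe
05/29/06 18:51:57 [Info]: Hidden file: c:\WINDOWS\system32\sphlp32.exe
"""

# Constructed sample: three lines from the C:\WINDOWS\system32 listing above.
SYSTEM32_LISTING = r"""
09.05.2006 16:45 705 dgprpsetup.exe
09.05.2006 16:45 2'550 Uninstall.ico
04.05.2006 06:26 5'818'784 MRT.exe
"""

URLS_KEY = re.compile(r'\\Urls\\([^\\\s]+)\s*$')
HIDDEN = re.compile(r'\[Info\]: Hidden (?:file|process): (.+?)\s*$')
DIRLINE = re.compile(r"^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}\s+[\d']+\s+(.+?)\s*$")


def stem(path):
    """Lower-case file name without directory or extension."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def reversed_keys(report):
    """Urls subkey names in report order."""
    return [m.group(1) for m in (URLS_KEY.search(l) for l in report.splitlines()) if m]


def hidden_paths(log):
    """Unique hidden file/process paths, first spelling kept."""
    seen = OrderedDict()
    for l in log.splitlines():
        m = HIDDEN.search(l)
        if m:
            seen.setdefault(m.group(1).lower(), m.group(1))
    return list(seen.values())


def listed_paths(listing, directory):
    """Full paths for the file names in a dir listing of `directory`."""
    return [directory.rstrip("\\") + "\\" + m.group(1)
            for m in (DIRLINE.match(l.strip()) for l in listing.splitlines()) if m]


def correlate(report, log, listing, directory=r"C:\WINDOWS\system32"):
    """Map each Urls subkey to its reversed name and the artifacts it matches."""
    by_stem = {}
    for p in hidden_paths(log) + listed_paths(listing, directory):
        by_stem.setdefault(stem(p), []).append(p)
    result = OrderedDict()
    for key in reversed_keys(report):
        name = key[::-1]
        result[key] = {"reversed": name, "matches": by_stem.get(name.lower(), [])}
    return result


def unmatched(result):
    """Reversed names with no artifact match, for manual follow-up."""
    return [v["reversed"] for v in result.values() if not v["matches"]]


if __name__ == "__main__":
    res = correlate(FIXWAREOUT_REPORT, BLACKLIGHT_LOG, SYSTEM32_LISTING)
    for key, v in res.items():
        print("%-12s -> %-12s %s" % (key, v["reversed"], ", ".join(v["matches"]) or "(no match)"))
    print("unmatched:", unmatched(res))
```

Seven of the ten keys resolve to a file that was already on the removal list; the remaining three (encodex, logo_big, null) match nothing in the posted logs and are simply left on the unmatched list for a manual filesystem search rather than guessed at.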
30.05.2006, 16:17
Honorary member

Posts: 29434
#6 **
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives". (then turn it back on)

**
Scan and post the scan report:
http://virus-protect.org/ewido.html
__________
Regards, Sabina

all about PC security
30.05.2006, 17:54
...new here

Thread starter

Posts: 8
#7 ---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------

+ Created on: 17:49:48, 30.05.2006
+ Report checksum: EA86384D

+ Scan result:

No infected objects found.


::End of report
30.05.2006, 18:21
Honorary member

Posts: 29434
#8 Well... everything should be in order again ;) Does your antivirus program still find anything?
__________
Regards, Sabina

all about PC security