I'm a layman and don't know what to do next! win32\Nsag

Topic is closed!
23.06.2006, 23:41
...new here

Posts: 8
#1
hello,

I found the virus Win32.Nsag on my computer and can't get rid of it. I have already read a lot in the forum, but somehow I'm not getting anywhere. Sorry, but I'm a total beginner in this field and therefore need your help! Also, I can no longer change my desktop wallpaper!

please don't redirect me to other pages, since I hardly understood them at all!

the only thing I understood is the bit about the logfile

here is mine:

Logfile of HijackThis v1.99.1
Scan saved at 22:28:00, on 23.06.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\MicroWorld\Agent\MWASER.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Gemeinsame Dateien\MicroWorld\Agent\MWAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Programme\Logitech\Video\LogiTray.exe
C:\Programme\MessengerPlus! 3\MsgPlus.exe
C:\Programme\Winamp\winampa.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Logitech\Video\FxSvr2.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\WINDOWS\notepad.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programme\Logitech\Video\ManifestEngine.exe boot
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programme\AIM95\aim.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.bets4all.com/bets/agency/bet/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Programme\Gemeinsame Dateien\MicroWorld\Agent\MWASER.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
24.06.2006, 15:59
Honorary member
Sabina

Posts: 29434
#2
1.
please copy this log here:
http://virus-protect.org/silentrunner.html

2.
Datfindbat
http://virus-protect.org/datfindbat.html

datFind.zip --> unzip datFind.zip --> datFind.bat
http://virus-protect.org/zip/datFind.zip
-----------------------------------------------------------------------

Quick guide datfindbat

1. Double-click DATFINDBAT

2. The text editor opens. Save as system32.txt - or (right-click --> select text --> copy --> paste into the thread) - (3 months back by date, more is not necessary)

3. click on the command window and press any key

4. The text editor opens. Save as temp.txt - or (right-click --> select text --> copy --> paste into the thread) - (3 months back by date, more is not necessary)

5. Repeat step 3 and save as windows.txt - or (right-click --> select text --> copy --> paste into the thread) - (3 months back by date, more is not necessary)

6. Repeat step 3 and save as c.txt - or (right-click --> select text --> copy --> paste into the thread) - (3 months back by date, more is not necessary)

7. Post ALL logs (3 months back by date, more is not necessary)
__________
Regards, Sabina

all about PC security
24.06.2006, 18:14
...new here

Thread starter

Posts: 8
#3
re 1

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"LogitechSoftwareUpdate" = "C:\Programme\Logitech\Video\ManifestEngine.exe boot" ["Logitech Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SoundMan" = "SOUNDMAN.EXE" ["Avance Logic, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"DataLayer" = "C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE" ["Nokia Mobile Phones Ltd."]
"PCSuiteTrayApplication" = "C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE" [empty string]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"LogitechVideoRepair" = "C:\Programme\Logitech\Video\ISStart.exe " ["Logitech Inc."]
"LogitechVideoTray" = "C:\Programme\Logitech\Video\LogiTray.exe" ["Logitech Inc."]
"CloneCDElbyCDFL" = ""C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL" ["Elaborate Bytes"]
"MessengerPlus3" = ""C:\Programme\MessengerPlus! 3\MsgPlus.exe"" ["Patchou"]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Programme\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "F:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "F:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{0E6C58A9-F592-4862-B35F-CA45E24003B3}" = "CloneCD"
-> {HKLM...CLSID} = "CloneCD Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Elaborate Bytes\CloneCD\ElbyVCDShell.dll" ["Elaborate Bytes"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop-Explorer"
-> {HKLM...CLSID} = "Desktop-Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\Components\PhoneBrowserComponents\NokiaPhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {HKLM...CLSID} = "Contact View"
\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\Components\PhoneBrowserComponents\ContactView.dll" ["Nokia"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "Eigene Logitech-Bilder"
-> {HKLM...CLSID} = "Eigene Logitech-Bilder"
\InProcServer32\(Default) = "C:\Programme\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ygpss.scr" ["America Online Inc"]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"D-Link AirPlus DWL-120+ Wireless USB Adapter" -> shortcut to: "C:\Programme\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE" ["D-Link"]


Enabled Scheduled Tasks:
------------------------

"A29F4D0D91B8C549" -> launches: "c:\progra~1\playooze\Peak 4 funk.exe" [file not found]
"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AOL Instant Messenger (TM)"
"Exec" = "C:\Programme\AIM95\aim.exe" [file not found]

{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\
"ButtonText" = "PartyPoker.com"
"MenuText" = "PartyPoker.com"
"Exec" = "C:\Programme\PartyPoker\PartyPoker.exe" [file not found]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

{F4430FE8-2638-42E5-B849-800749B94EED}\
"ButtonText" = "PartyPoker.net"
"MenuText" = "PartyPoker.net"
"Exec" = "C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe" [file not found]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor i550\Driver = "CNMLM49.DLL" ["CANON INC."]
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 912 seconds, including 3 seconds for message boxes)

re 2

system32.txt:

23.06.2006 22:33 590.848 wininet.old.mwt
23.06.2006 22:29 0 asfiles.txt
23.06.2006 22:23 2.550 Uninstall.ico
23.06.2006 22:23 1.406 Help.ico
23.06.2006 22:23 30.590 pavas.ico
23.06.2006 17:37 34.304 NOTEPAD.EXE
23.06.2006 15:46 75.264 winbrume.dll
23.06.2006 15:46 150.016 dcom_24.dll
23.06.2006 15:46 159.744 dxvwpqva.exe
23.06.2006 07:02 159.744 dxvwqzeh.exe
22.06.2006 22:35 159.744 dxvwylel.exe
22.06.2006 22:25 159.744 dxvwsazh.exe
22.06.2006 22:15 159.744 dxvwovgc.exe
22.06.2006 22:05 159.744 dxvwjyfy.exe
22.06.2006 21:55 159.744 dxvwtixc.exe
22.06.2006 21:45 159.744 dxvwewrt.exe
22.06.2006 21:34 159.744 dxvwpbxl.exe
22.06.2006 21:24 159.744 dxvwtoqu.exe
22.06.2006 21:14 159.744 dxvwhnnx.exe
22.06.2006 21:04 159.744 dxvwbyrv.exe
22.06.2006 20:54 159.744 dxvwvkdw.exe
22.06.2006 20:44 159.744 dxvwxxuf.exe
22.06.2006 20:34 159.744 dxvwolyg.exe
22.06.2006 20:24 159.744 dxvwleie.exe
22.06.2006 20:14 159.744 dxvwalis.exe
22.06.2006 20:04 159.744 dxvwpkdg.exe
22.06.2006 19:54 159.744 dxvwwaxm.exe
22.06.2006 19:44 159.744 dxvwzuqx.exe
22.06.2006 19:34 159.744 dxvwssvw.exe
22.06.2006 19:24 159.744 dxvwboyr.exe
22.06.2006 19:13 159.744 dxvwevzu.exe
22.06.2006 19:03 159.744 dxvwxpmm.exe
22.06.2006 18:42 159.744 dxvwkmyl.exe
22.06.2006 18:32 159.744 dxvwsmek.exe
22.06.2006 17:44 159.744 dxvwnczy.exe
22.06.2006 17:34 159.744 dxvwrran.exe
21.06.2006 20:43 159.744 dxvwspui.exe
21.06.2006 20:32 159.744 dxvwgjpd.exe
21.06.2006 20:22 159.744 dxvwusas.exe
21.06.2006 20:12 159.744 dxvwjzxz.exe
21.06.2006 20:02 159.744 dxvwapdz.exe
21.06.2006 19:52 159.744 dxvwdpla.exe
21.06.2006 19:42 159.744 dxvwacnt.exe
21.06.2006 19:32 159.744 dxvwiuae.exe
21.06.2006 19:22 159.744 dxvwvqjo.exe
21.06.2006 18:39 159.744 dxvwuzeh.exe
21.06.2006 18:30 159.744 dxvwucwg.exe

21.06.2006 17:49 64.598 perfc007.dat
21.06.2006 17:49 906.552 PerfStringBackup.INI
21.06.2006 17:49 383.254 perfh009.dat
21.06.2006 17:49 394.500 perfh007.dat
21.06.2006 17:49 53.608 perfc009.dat
20.06.2006 23:08 159.744 dxvwhgbq.exe
20.06.2006 22:50 159.744 dxvwkhcf.exe
20.06.2006 22:40 159.744 dxvwllkn.exe
20.06.2006 22:30 159.744 dxvwyous.exe
20.06.2006 22:15 159.744 dxvwljrd.exe
20.06.2006 22:05 159.744 dxvwqchd.exe
20.06.2006 21:54 159.744 dxvwgrwq.exe
20.06.2006 21:44 159.744 dxvwarlq.exe
20.06.2006 21:44 0 ImaS3r

20.06.2006 17:55 2.206 wpa.dbl
02.06.2006 11:04 57.384 avsda.dll
17.05.2006 11:23 579.888 LegitCheckControl.dll
16.05.2006 22:23 339.968 pxwave.dll
16.05.2006 22:23 28.672 vxblock.dll
16.05.2006 22:23 57.344 pxcpya64.exe
16.05.2006 22:23 56.832 pxinsa64.exe
16.05.2006 22:23 1.257.472 pxsfs.dll
16.05.2006 22:23 176.128 pxmas.dll
16.05.2006 22:23 430.080 px.dll
16.05.2006 22:23 450.560 pxdrv.dll
16.05.2006 22:23 61.440 pxhpinst.exe
06.04.2006 10:54 73.728 asuninst.exe
03.04.2006 11:40 14.048 spmsg.dll
03.04.2006 10:59 128 xposer.cfg
03.04.2006 10:59 128 asinst.cfg
26.03.2006 12:58 305.216 FNTCACHE.DAT
11.02.2006 04:08 913.408 contfilt.dll
11.02.2006 03:58 335.872 mwtsp.dll
11.02.2006 03:56 110.592 mwnsp.dll
15.01.2006 20:12 0 Sweeper.cfg
15.01.2006 16:20 7.006 jupdate-1.5.0_06-b05.log
12.01.2006 23:13 17.924 kspydoc.log
02.01.2006 23:38 260.608 gdi32.dll

re 4

temp.txt:


24.06.2006 17:59 16.384 ~DF8EDD.tmp
24.06.2006 15:47 16.384 ~DF87EA.tmp
24.06.2006 14:00 1.980 29.tmp
24.06.2006 11:52 618 jusched.log
24.06.2006 01:36 16.384 ~DF81C7.tmp
23.06.2006 23:45 81.920 ~DF7FCC.tmp
23.06.2006 23:45 81.920 ~DF795E.tmp
23.06.2006 23:45 16.384 ~DFF52F.tmp
23.06.2006 23:39 2.116.844 mps061CA.tmp
23.06.2006 19:31 2.003 NBUD.tmp
23.06.2006 19:30 16.384 ~DF52C0.tmp
23.06.2006 19:06 81.920 ~DFF0E6.tmp



there was nothing more!!!


re 5

windows.txt:

24.06.2006 18:00 0 0.log
24.06.2006 17:59 159 wiadebug.log
24.06.2006 15:47 72.178 WindowsUpdate.log
24.06.2006 15:47 50 wiaservc.log
24.06.2006 15:47 32.414 SchedLgU.Txt
24.06.2006 13:49 277 system.ini
23.06.2006 23:21 8.946 WGA.log
23.06.2006 23:21 53.058 setupapi.log
23.06.2006 23:20 7.531 KB898461.log
23.06.2006 23:20 4.182 comsetup.log
23.06.2006 23:20 616 msgsocm.log
23.06.2006 23:20 5.648 tsoc.log
23.06.2006 23:20 622 tabletoc.log
23.06.2006 23:20 6.170 ocgen.log
23.06.2006 23:20 3.812 msmqinst.log
23.06.2006 23:20 13.468 iis6.log
23.06.2006 23:20 2.530 ntdtcsetup.log
23.06.2006 23:20 2.166 netfxocm.log
23.06.2006 23:20 12.364 FaxSetup.log
23.06.2006 23:20 424 ocmsn.log
23.06.2006 23:20 1.374 imsins.log
23.06.2006 23:20 10.476 KB893803v2.log
23.06.2006 23:20 1.374 imsins.BAK
23.06.2006 22:26 819 win.ini
23.06.2006 22:07 4.988.528 REGBK00.ZIP
23.06.2006 22:07 4.949 mailremv.log
23.06.2006 22:07 44.017 ESCAN.LOG
23.06.2006 22:07 434 INST_TSP.LOG
23.06.2006 22:04 1.203 frights.log
23.06.2006 19:24 331.756 ntbtlog.txt
23.06.2006 19:14 345 OEWABLog.txt
23.06.2006 19:14 1.014 wmsetup.log
23.06.2006 19:12 0 nsreg.dat
23.06.2006 17:38 589 MAILINST.LOG
23.06.2006 17:37 34.304 NOTEPAD.EXE
23.06.2006 17:37 141.756 winsbak2.reg
23.06.2006 17:37 20.626 winsbak.reg
23.06.2006 17:03 0 setuperr.log
23.06.2006 17:03 60 setupact.log
17.06.2006 01:29 127 muma2003.INI
05.06.2006 13:25 280 beatbox.INI
04.06.2006 03:10 132 magix.ini
04.06.2006 03:06 316.640 WMSysPr9.prx
22.05.2006 21:09 3.875 CDPlayer.ini
01.05.2006 22:58 60.928 Thumbs.db
26.04.2006 23:06 253 tm.ini
05.03.2006 22:25 41 tdf.dii


re 6

c.txt:

24.06.2006 18:09 0 sys.txt
24.06.2006 18:08 9.631 system.txt
24.06.2006 18:07 821 systemtemp.txt
24.06.2006 18:06 112.978 system32.txt
24.06.2006 17:59 805.306.368 pagefile.sys
23.06.2006 22:07 0 23990098.$$$
23.06.2006 17:12 3.398 smitfiles.txt

nothing more here either !!!
This post was edited on 24.06.2006 at 18:34 by sean_john.
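The system32.txt listing in the post above shows the pattern a responder looks for: dozens of .exe files of exactly the same size (159.744 bytes) with random eight-letter names, dropped roughly every ten minutes over several evenings. The following Python script is an added example for this thread, not datfind's code and not anything posted here. It parses a datfind-style listing (German `dir` output: `DD.MM.YYYY HH:MM size name`), groups executables by size and name length rather than by the `dxvw` prefix seen here (an assumption, so the check generalizes to other prefixes), and reports groups of several random-named files together with the shortest gap between their timestamps. The embedded listing is a constructed excerpt in the shape of the posted one.

```python
"""Flag bursts of same-size, random-named executables in a datfind-style
directory listing (German 'dir' output: DD.MM.YYYY HH:MM size name).
Added example; not datfind's or the forum's code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: an excerpt in the shape of the posted system32.txt.
SAMPLE_LISTING = """\
23.06.2006 17:37 34.304 NOTEPAD.EXE
23.06.2006 15:46 75.264 winbrume.dll
23.06.2006 15:46 159.744 dxvwpqva.exe
23.06.2006 07:02 159.744 dxvwqzeh.exe
22.06.2006 22:35 159.744 dxvwylel.exe
22.06.2006 22:25 159.744 dxvwsazh.exe
22.06.2006 22:15 159.744 dxvwovgc.exe

21.06.2006 17:49 64.598 perfc007.dat
02.01.2006 23:38 260.608 gdi32.dll
"""

LINE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4})\s+(\d{2}:\d{2})\s+([\d.]+)\s+(\S+)$")


def parse_listing(text):
    """Turn the listing into dicts with a real timestamp and an integer size."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, headers, anything that is not a file row
        date, clock, size, name = m.groups()
        entries.append({
            "when": datetime.strptime(f"{date} {clock}", "%d.%m.%Y %H:%M"),
            "size": int(size.replace(".", "")),  # '159.744' uses the German thousands separator
            "name": name,
        })
    return entries


def looks_random(stem):
    # Assumption: dropped files are named with lowercase letters only, as in the posted listing.
    return stem.isalpha() and stem.islower()


def find_bursts(entries, min_count=3):
    """Group .exe files by (size, stem length); report groups of >= min_count distinct names."""
    groups = defaultdict(list)
    for entry in entries:
        stem, _, ext = entry["name"].rpartition(".")
        if ext.lower() != "exe" or not looks_random(stem):
            continue
        groups[(entry["size"], len(stem))].append(entry)
    bursts = []
    for (size, _), members in groups.items():
        names = sorted({m["name"] for m in members})
        if len(names) < min_count:
            continue
        times = sorted(m["when"] for m in members)
        # Minutes between consecutive drops; a short, regular gap points at a downloader loop.
        gaps = [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]
        bursts.append({
            "size": size,
            "count": len(names),
            "first_seen": times[0],
            "last_seen": times[-1],
            "shortest_gap_minutes": min(gaps),
            "names": names,
        })
    return sorted(bursts, key=lambda b: -b["count"])


if __name__ == "__main__":
    for burst in find_bursts(parse_listing(SAMPLE_LISTING)):
        print(f"{burst['count']} files of {burst['size']} bytes, "
              f"{burst['first_seen']} .. {burst['last_seen']}, "
              f"shortest gap {burst['shortest_gap_minutes']} min: {', '.join(burst['names'])}")
```

Run against the full system32.txt from the post, the same grouping would collect every `dxvw*.exe` entry into one burst; files that share only a timestamp with a known system binary (the two NOTEPAD.EXE copies dated 23.06.2006 17:37 in system32 and windows) are a separate question that this size-and-name heuristic deliberately does not try to answer.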
24.06.2006, 21:19
Honorary member
Sabina

Posts: 29434
#4
1.
At the top of the page --> click Browse --> paste in the file with the correct path --> double-click the file to be checked --> click Submit... now wait
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE


post the scan reports

2.
http://www.f-secure.com/blacklight/
start the file, accept the license agreement and choose scan; when the scan is finished, press next and then close. Now there is an FSB*.TXT file in the same folder as Blacklight -> post it here
__________
Regards, Sabina

all about PC security
25.06.2006, 03:07
...new here

Thread starter

Posts: 8
#5
C:\WINDOWS\notepad.exe:

Antivirus Version Update Result
AntiVir 6.35.0.16 06.24.2006 no virus found
Authentium 4.93.8 06.23.2006 no virus found
Avast 4.7.844.0 06.23.2006 no virus found
AVG 386 06.23.2006 no virus found
BitDefender 7.2 06.25.2006 no virus found
CAT-QuickHeal 8.00 06.24.2006 no virus found
ClamAV devel-20060426 06.23.2006 no virus found
DrWeb 4.33 06.24.2006 no virus found
eTrust-InoculateIT 23.72.48 06.24.2006 no virus found
eTrust-Vet 12.6.2272 06.23.2006 no virus found
Ewido 3.5 06.24.2006 no virus found
Fortinet 2.77.0.0 06.24.2006 no virus found
F-Prot 3.16f 06.23.2006 no virus found
Ikarus 0.2.65.0 06.23.2006 no virus found
Kaspersky 4.0.2.24 06.25.2006 no virus found
McAfee 4792 06.23.2006 no virus found
Microsoft 1.1481 06.25.2006 no virus found
NOD32v2 1.1621 06.24.2006 no virus found
Norman 5.90.21 06.23.2006 no virus found
Panda 9.0.0.4 06.24.2006 no virus found
Sophos 4.07.0 06.24.2006 no virus found
Symantec 8.0 06.24.2006 no virus found
TheHacker 5.9.8.164 06.23.2006 no virus found
UNA 1.83 06.23.2006 no virus found
VBA32 3.11.0 06.24.2006 no virus found
VirusBuster 4.3.7:9 06.24.2006 no virus found


C:\WINDOWS\system32\NOTEPAD.EXE:

Antivirus Version Update Result
AntiVir 6.35.0.16 06.24.2006 no virus found
Authentium 4.93.8 06.23.2006 no virus found
Avast 4.7.844.0 06.23.2006 no virus found
AVG 386 06.23.2006 no virus found
BitDefender 7.2 06.25.2006 no virus found
CAT-QuickHeal 8.00 06.24.2006 no virus found
ClamAV devel-20060426 06.23.2006 no virus found
DrWeb 4.33 06.24.2006 no virus found
eTrust-InoculateIT 23.72.48 06.24.2006 no virus found
eTrust-Vet 12.6.2272 06.23.2006 no virus found
Ewido 3.5 06.24.2006 no virus found
Fortinet 2.77.0.0 06.24.2006 no virus found
F-Prot 3.16f 06.23.2006 no virus found
Ikarus 0.2.65.0 06.23.2006 no virus found
Kaspersky 4.0.2.24 06.25.2006 no virus found
McAfee 4792 06.23.2006 no virus found
Microsoft 1.1481 06.25.2006 no virus found
NOD32v2 1.1621 06.24.2006 no virus found
Norman 5.90.21 06.23.2006 no virus found
Panda 9.0.0.4 06.24.2006 no virus found
Sophos 4.07.0 06.24.2006 no virus found
Symantec 8.0 06.24.2006 no virus found
TheHacker 5.9.8.164 06.23.2006 no virus found
UNA 1.83 06.23.2006 no virus found
VBA32 3.11.0 06.24.2006 no virus found
VirusBuster 4.3.7:9 06.24.2006 no virus found



http://www.f-secure.com/blacklight/:

06/25/06 03:08:15 [Info]: BlackLight Engine 1.0.41 initialized
06/25/06 03:08:15 [Info]: OS: 5.1 build 2600 (Service Pack 1)
06/25/06 03:08:15 [Note]: 7019 4
06/25/06 03:08:15 [Note]: 7005 0
06/25/06 03:08:34 [Note]: 7006 0
06/25/06 03:08:34 [Note]: 7011 1276
06/25/06 03:08:34 [Note]: 7026 0
06/25/06 03:08:34 [Note]: 7026 0
06/25/06 03:08:38 [Note]: FSRAW library version 1.7.1018
06/25/06 03:09:04 [Note]: 7007 0
25.06.2006, 11:38
Honorary member
Sabina

Posts: 29434
#6 0.
Copy the following text into Notepad (Start - Accessories - Notepad) and save it on the desktop as listen.bat using 'Save as'. Select 'All files' as the file type. You should now find this file on the desktop. --> double-click the list.bat --> copy the text that appears

Quote

cd\
dir "C:\Programme\Internet Explorer" >> files.txt
notepad files.txt
1.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste in:

Quote

Files to delete:
C:\WINDOWS\System32\winbrume.dll
C:\WINDOWS\System32\winbrume.dat
c:\programme\internet explorer\winbrume.dat
C:\WINDOWS\System32\dcom_24.dll
C:\WINDOWS\System32\dxvwpqva.exe
C:\WINDOWS\System32\dxvwqzeh.exe
C:\WINDOWS\System32\dxvwylel.exe
C:\WINDOWS\System32\dxvwsazh.exe
C:\WINDOWS\System32\dxvwovgc.exe
C:\WINDOWS\System32\dxvwjyfy.exe
C:\WINDOWS\System32\dxvwtixc.exe
C:\WINDOWS\System32\dxvwewrt.exe
C:\WINDOWS\System32\dxvwpbxl.exe
C:\WINDOWS\System32\dxvwtoqu.exe
C:\WINDOWS\System32\dxvwhnnx.exe
C:\WINDOWS\System32\dxvwbyrv.exe
C:\WINDOWS\System32\dxvwvkdw.exe
C:\WINDOWS\System32\dxvwxxuf.exe
C:\WINDOWS\System32\dxvwolyg.exe
C:\WINDOWS\System32\dxvwleie.exe
C:\WINDOWS\System32\dxvwalis.exe
C:\WINDOWS\System32\dxvwpkdg.exe
C:\WINDOWS\System32\dxvwwaxm.exe
C:\WINDOWS\System32\dxvwzuqx.exe
C:\WINDOWS\System32\dxvwssvw.exe
C:\WINDOWS\System32\dxvwboyr.exe
C:\WINDOWS\System32\dxvwevzu.exe
C:\WINDOWS\System32\dxvwxpmm.exe
C:\WINDOWS\System32\dxvwkmyl.exe
C:\WINDOWS\System32\dxvwsmek.exe
C:\WINDOWS\System32\dxvwnczy.exe
C:\WINDOWS\System32\dxvwrran.exe
C:\WINDOWS\System32\dxvwspui.exe
C:\WINDOWS\System32\dxvwgjpd.exe
C:\WINDOWS\System32\dxvwusas.exe
C:\WINDOWS\System32\dxvwjzxz.exe
C:\WINDOWS\System32\dxvwapdz.exe
C:\WINDOWS\System32\dxvwdpla.exe
C:\WINDOWS\System32\dxvwacnt.exe
C:\WINDOWS\System32\dxvwiuae.exe
C:\WINDOWS\System32\dxvwvqjo.exe
C:\WINDOWS\System32\dxvwuzeh.exe
C:\WINDOWS\System32\dxvwucwg.exe
C:\WINDOWS\System32\dxvwhgbq.exe
C:\WINDOWS\System32\dxvwkhcf.exe
C:\WINDOWS\System32\dxvwllkn.exe
C:\WINDOWS\System32\dxvwyous.exe
C:\WINDOWS\System32\dxvwljrd.exe
C:\WINDOWS\System32\dxvwqchd.exe
C:\WINDOWS\System32\dxvwgrwq.exe
C:\WINDOWS\System32\dxvwarlq.exe
C:\WINDOWS\System32\ImaS3r
Click the green traffic light
the script will now run, then the PC will restart automatically

**
2.
post the Avenger log that appears

**
3.
open HijackThis -- button "Scan" -- tick the malware entries -- button "Fix checked" -- restart the PC

Quote

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyPoker\PartyPoker.exe (file missing)
restart the PC

**
4.
SmitFraudFix -> work through everything and post both scan reports
http://virus-protect.org/artikel/tools/smitfrautfix.html

----------------------------------------------------------------

Info:
http://virus-protect.org/artikel/spyware/winbrume.html
__________
Kind regards, Sabina

all about PC security
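The fix list in step 3 above consists of entries whose target HijackThis marks as "(no file)" or "(file missing)", i.e. registry references left behind after the file itself is gone. The following helper is an added example (not part of this thread and not HijackThis's own code) that parses such log lines and flags the dangling ones so they can be reviewed before fixing; the sample lines are constructed from the log excerpts quoted in this thread.

```python
"""Triage helper for HijackThis-style log lines (added example).

It parses "Oxx - description - {CLSID} - target" entries and flags the ones
whose target is marked "(no file)" or "(file missing)": dangling registry
references of the kind the helper above told the poster to fix.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "R3 - ...", "O4 - ...", "O23 - ...": a letter, one or two digits, " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str          # R3, O4, O9, ...
    description: str      # text before the first " - " separator
    clsid: Optional[str]  # COM class id, if the entry carries one
    target: str           # path or object the entry points at
    dangling: bool        # True when HijackThis reports the target as gone


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers, process lists and blanks."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    clsid_match = CLSID_RE.search(rest)
    clsid = clsid_match.group(0) if clsid_match else None
    parts = rest.split(" - ")
    if len(parts) > 1:
        description, target = parts[0], parts[-1]
    else:
        # O4 style: 'HKLM\..\Run: [Name] C:\path\prog.exe args' has no " - ".
        description, sep, target = rest.partition("] ")
        description = description + "]" if sep else rest
    dangling = any(marker in rest for marker in MISSING_MARKERS)
    return Entry(section, description.strip(), clsid, target.strip(), dangling)


def triage(log_text: str) -> List[Entry]:
    """Return the dangling entries of a HijackThis log, in log order."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e and e.dangling]


# Constructed sample: a few lines taken from the logs quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section}  {e.description}  ->  {e.target}")
```

A dangling entry is harmless by itself, but it is the trace an uninstalled or deleted component leaves behind, which is why the helper has them removed together with the malware files; entries whose target still exists need the usual judgement (vendor, path, signature) and are not flagged here.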
25.06.2006, 12:15
...neu hier

Themenstarter

Beiträge: 8
#7 zu 0:

Datentr„ger in Laufwerk C: ist WINDOWS
Volumeseriennummer: CC2E-CA76

Verzeichnis von c:\programme\internet explorer

09.11.2003 14:28 <DIR> .
09.11.2003 14:28 <DIR> ..
09.11.2003 14:28 <DIR> SIGNUP
09.11.2003 14:28 <DIR> Connection Wizard
09.11.2003 14:30 <DIR> PLUGINS
16.04.2004 11:28 <DIR> Deinstallation von Internet Explorer
16.04.2004 11:28 <DIR> W2K
29.08.2002 09:32 22.836 support.txt
29.08.2002 10:50 6.843 Q837009.cat
29.08.2002 11:50 6.843 KB870669.cat
29.08.2002 03:43 91.136 IEXPLORE.EXE
29.08.2002 03:43 36.352 HMMAPI.DLL
29.08.2002 11:50 6.843 Q823353.cat
29.08.2002 10:50 6.843 Q832894.cat
29.08.2002 09:32 34.384 fixie.inf
15.01.2006 01:29 496.888 ie6setup.exe
24.03.2004 22:19 38.792 iesetup.cif
29.08.2002 09:32 14.336 iedetect.dll
15.03.2006 17:32 <DIR> MUI
11 Datei(en) 762.096 Bytes
8 Verzeichnis(se), 14.207.385.600 Bytes frei




notepad files.txt:

no text present!!!


re 1:

Avenger logfile:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qxyqbcib

*******************

Script file located at: \??\C:\Program Files\ncjquvxl.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\winbrume.dll deleted successfully.

File C:\WINDOWS\System32\winbrume.dat not found!
Deletion of file C:\WINDOWS\System32\winbrume.dat failed!
Could not process line:
C:\WINDOWS\System32\winbrume.dat
Status: 0xc0000034

File c:\programme\internet explorer\winbrume.dat not found!
Deletion of file c:\programme\internet explorer\winbrume.dat failed!
Could not process line:
c:\programme\internet explorer\winbrume.dat
Status: 0xc0000034

File C:\WINDOWS\System32\dcom_24.dll deleted successfully.
File C:\WINDOWS\System32\dxvwpqva.exe deleted successfully.
File C:\WINDOWS\System32\dxvwqzeh.exe deleted successfully.
File C:\WINDOWS\System32\dxvwylel.exe deleted successfully.
File C:\WINDOWS\System32\dxvwsazh.exe deleted successfully.
File C:\WINDOWS\System32\dxvwovgc.exe deleted successfully.
File C:\WINDOWS\System32\dxvwjyfy.exe deleted successfully.
File C:\WINDOWS\System32\dxvwtixc.exe deleted successfully.
File C:\WINDOWS\System32\dxvwewrt.exe deleted successfully.
File C:\WINDOWS\System32\dxvwpbxl.exe deleted successfully.
File C:\WINDOWS\System32\dxvwtoqu.exe deleted successfully.
File C:\WINDOWS\System32\dxvwhnnx.exe deleted successfully.
File C:\WINDOWS\System32\dxvwbyrv.exe deleted successfully.
File C:\WINDOWS\System32\dxvwvkdw.exe deleted successfully.
File C:\WINDOWS\System32\dxvwxxuf.exe deleted successfully.
File C:\WINDOWS\System32\dxvwolyg.exe deleted successfully.
File C:\WINDOWS\System32\dxvwleie.exe deleted successfully.
File C:\WINDOWS\System32\dxvwalis.exe deleted successfully.
File C:\WINDOWS\System32\dxvwpkdg.exe deleted successfully.
File C:\WINDOWS\System32\dxvwwaxm.exe deleted successfully.
File C:\WINDOWS\System32\dxvwzuqx.exe deleted successfully.
File C:\WINDOWS\System32\dxvwssvw.exe deleted successfully.
File C:\WINDOWS\System32\dxvwboyr.exe deleted successfully.
File C:\WINDOWS\System32\dxvwevzu.exe deleted successfully.
File C:\WINDOWS\System32\dxvwxpmm.exe deleted successfully.
File C:\WINDOWS\System32\dxvwkmyl.exe deleted successfully.
File C:\WINDOWS\System32\dxvwsmek.exe deleted successfully.
File C:\WINDOWS\System32\dxvwnczy.exe deleted successfully.
File C:\WINDOWS\System32\dxvwrran.exe deleted successfully.
File C:\WINDOWS\System32\dxvwspui.exe deleted successfully.
File C:\WINDOWS\System32\dxvwgjpd.exe deleted successfully.
File C:\WINDOWS\System32\dxvwusas.exe deleted successfully.
File C:\WINDOWS\System32\dxvwjzxz.exe deleted successfully.
File C:\WINDOWS\System32\dxvwapdz.exe deleted successfully.
File C:\WINDOWS\System32\dxvwdpla.exe deleted successfully.
File C:\WINDOWS\System32\dxvwacnt.exe deleted successfully.
File C:\WINDOWS\System32\dxvwiuae.exe deleted successfully.
File C:\WINDOWS\System32\dxvwvqjo.exe deleted successfully.
File C:\WINDOWS\System32\dxvwuzeh.exe deleted successfully.
File C:\WINDOWS\System32\dxvwucwg.exe deleted successfully.
File C:\WINDOWS\System32\dxvwhgbq.exe deleted successfully.
File C:\WINDOWS\System32\dxvwkhcf.exe deleted successfully.
File C:\WINDOWS\System32\dxvwllkn.exe deleted successfully.
File C:\WINDOWS\System32\dxvwyous.exe deleted successfully.
File C:\WINDOWS\System32\dxvwljrd.exe deleted successfully.
File C:\WINDOWS\System32\dxvwqchd.exe deleted successfully.
File C:\WINDOWS\System32\dxvwgrwq.exe deleted successfully.
File C:\WINDOWS\System32\dxvwarlq.exe deleted successfully.
File C:\WINDOWS\System32\ImaS3r deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
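The BlackLight and Avenger logs pasted in this thread start with the bytes FF FE, the UTF-16LE byte-order mark; pasted as single-byte text, every second byte (a NUL) is shown as a space, which is why they read "L o g f i l e". The following is an added example (not part of this thread and not code from the Avenger tool) that reads such a log with the right codec and then summarizes what Avenger actually removed and what it could not find; the cp1252 fallback for logs without a BOM is an assumption, and the sample bytes are constructed from a shortened version of the Avenger log above.

```python
"""Decode a UTF-16LE tool log and summarize Avenger results (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple


def decode_tool_log(raw: bytes) -> str:
    """Decode a log dumped by a Windows tool. A UTF-16 BOM selects the codec;
    otherwise cp1252 is assumed (the usual single-byte codepage on Windows)."""
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")  # the BOM chooses byte order and is stripped
    return raw.decode("cp1252", errors="replace")


def as_pasted(raw: bytes) -> str:
    """Reproduce the 'L o g f i l e' look a UTF-16 file gets when it is read
    byte-per-character and the NULs are rendered as spaces."""
    return raw.decode("latin-1").replace("\x00", " ")


DELETED_RE = re.compile(r"^File (?P<path>.+) deleted successfully\.$")
NOT_FOUND_RE = re.compile(r"^File (?P<path>.+) not found!$")
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9a-fA-F]{8})$")


def summarize_avenger(text: str) -> Dict[str, object]:
    """Walk an Avenger log and collect deletions and failures.
    0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND: the file was already gone."""
    deleted: List[str] = []
    failed: List[Tuple[str, str]] = []
    pending = None  # path from the last "not found" line, awaiting its Status
    for line in text.splitlines():
        line = line.strip()
        if m := DELETED_RE.match(line):
            deleted.append(m.group("path"))
        elif m := NOT_FOUND_RE.match(line):
            pending = m.group("path")
        elif (m := STATUS_RE.match(line)) and pending:
            failed.append((pending, m.group("code").lower()))
            pending = None
    return {
        "deleted": deleted,
        "failed": failed,
        "status_counts": Counter(code for _, code in failed),
    }


# Constructed sample: a shortened Avenger log, as UTF-16LE with BOM, which is
# what such a tool writes to disk.
SAMPLE_LOG_TEXT = "\r\n".join([
    "Logfile of The Avenger version 1, by Swandog46",
    "",
    "File C:\\WINDOWS\\System32\\winbrume.dll deleted successfully.",
    "File C:\\WINDOWS\\System32\\winbrume.dat not found!",
    "Deletion of file C:\\WINDOWS\\System32\\winbrume.dat failed!",
    "Could not process line:",
    "C:\\WINDOWS\\System32\\winbrume.dat",
    "Status: 0xc0000034",
    "File C:\\WINDOWS\\System32\\dcom_24.dll deleted successfully.",
    "Completed script processing.",
])
SAMPLE_LOG_BYTES = b"\xff\xfe" + SAMPLE_LOG_TEXT.encode("utf-16-le")

if __name__ == "__main__":
    print(as_pasted(SAMPLE_LOG_BYTES)[:40])  # how the forum paste looked
    summary = summarize_avenger(decode_tool_log(SAMPLE_LOG_BYTES))
    print("deleted:", summary["deleted"])
    print("failed:", summary["failed"])
```

Decoding with the BOM rather than guessing avoids the mangled paths seen above, and the summary makes the one meaningful outcome visible at a glance: the two winbrume.dat paths failed with 0xc0000034 because they no longer existed, so nothing was left undone.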
25.06.2006, 12:25
Honorary member
Sabina

Posts: 29434
#8 SmitFraudFix -> work through everything and post both scan reports
http://virus-protect.org/artikel/tools/smitfrautfix.html
__________
Kind regards, Sabina

all about PC security
25.06.2006, 12:38
...new here

Thread starter

Posts: 8
#9 Logfile of HijackThis v1.99.1
Scan saved at 12:41:05, on 25.06.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Programme\Gemeinsame Dateien\MicroWorld\Agent\MWASER.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Programme\Logitech\Video\LogiTray.exe
C:\Programme\MessengerPlus! 3\MsgPlus.exe
C:\Programme\Winamp\winampa.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\GEMEIN~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programme\Logitech\Video\ManifestEngine.exe boot
O4 - Global Startup: D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk = ?
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programme\AIM95\aim.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.bets4all.com/bets/agency/bet/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,910,0
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151097009968
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151097003593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Programme\Gemeinsame Dateien\MicroWorld\Agent\MWASER.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



re 4:

SmitFraudFix v2.65

Scan done at 12:37:06,45, 25.06.2006
Run from C:\Dokumente und Einstellungen\Administrator\Desktop\sean\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\winbrume.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
25.06.2006, 14:13
Honorary member
Sabina

Posts: 29434
#10 scan with Kaspersky and post the scan report
http://virus-protect.org/onlinescan.html
__________
Kind regards, Sabina

all about PC security
25.06.2006, 15:20
...new here

Thread starter

Posts: 8
#11
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, June 25, 2006 3:22:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 25/06/2006
Kaspersky Anti-Virus database records: 190508
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 62532
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:56:05

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLQJOLIV\plfeqcamh[1].txt Infected: not-virus:Hoax.Win32.Renos.cn skipped

Scan process completed.
25.06.2006, 15:27
Honorary member
Sabina

Posts: 29434
#12 1.
Make hidden and system files visible
http://virus-protect.org/invisible.html

2.
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GLQJOLIV -> delete

3.
SmitRem2.8
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double-click: smitRem.exe -> click: Start --> click: OK
open smitRem --> double-click: RunThis.bat and wait until the scan has finished (the screen will turn blue, that is normal)

post the smitfile.txt
__________
Kind regards, Sabina

all about PC security
25.06.2006, 16:09
...new here

Thread starter

Posts: 8
#13 smitRem © log file
version 3.0

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"

Running from
C:\Dokumente und Einstellungen\Administrator\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1844 'explorer.exe'
Killing PID 1844 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! ;)
25.06.2006, 16:14
Honorary member
Sabina

Posts: 29434
#14 everything should be OK again ;)
__________
Kind regards, Sabina

all about PC security
25.06.2006, 16:56
...new here

Thread starter

Posts: 8
#15 yes, I can change my desktop background again and the antivirus programs no longer detect anything!!


thank you! ;)