Rather persistent "Windows...Alert" + popups + antispyware *sigh*

Topic is closed!
12.08.2006, 19:58
Member

Thread starter

Posts: 29
#31 Same thing comes up again.
Here is the error log:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\srv32 spool service


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Srv32 spool service
12.08.2006, 20:04
Honorary member

Posts: 29434
#32 I've taken it out; copy the rest and report back
__________
Kind regards, Sabina

all about PC security
12.08.2006, 20:09
Member

Thread starter

Posts: 29
#33 Reporting ;)
Again ;)

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\AlxTB.BHO


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\Bridge.brdg


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\DailyToolbar.IEBand


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\DailyToolbar.SysMgr
12.08.2006, 20:13
Honorary member

Posts: 29434
#34 Keep clicking, allow it to be ignored, until the log is through
__________
Kind regards, Sabina

all about PC security
12.08.2006, 20:24
Member

Thread starter

Posts: 29
#35 Phew, mistreated the Enter key until it worked ;)
Avenger 2:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\AlxTB.BHO


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\Bridge.brdg


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\DailyToolbar.IEBand


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\DailyToolbar.SysMgr


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\IEToolbar.AffiliateCtl


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\jao.jao


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\office_pnl.office_panel


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\Popup.HTMLEvent


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\PopMenu.Menu


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\Popup.PopupKiller


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\url_relpacer.URLResolver


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\WStart.WHttpHelper


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\WStart.WHttpHelper.1


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\AppID\DailyToolbar.DLL


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\AppID\WStart.DLL


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\AppID\{951B3138-AE8E-4676-A05A-250A5F111631}


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\AppID\{F6BDB4E5-D6AA-4D1F-8B67-BCB0F2246E21}


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\Interface\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\TypeLib\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\Software\Microsoft\IPCheck


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yxfkjxck

*******************

Script file located at: \??\C:\WINDOWS\clvkppde.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\fab.exe not found!
Deletion of file C:\WINDOWS\system32\fab.exe failed!

Could not process line:
C:\WINDOWS\system32\fab.exe
Status: 0xc0000034



File C:\uptekesi.bat not found!
Deletion of file C:\uptekesi.bat failed!

Could not process line:
C:\uptekesi.bat
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\Adware.Srv32 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\Adware.Srv32 failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\Transponder not found!
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\Transponder failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\Software\DailyToolbar not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\DailyToolbar failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\Software\NIX Solutions\DailyToolbar not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\NIX Solutions\DailyToolbar failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\Software\RespondMiter not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\RespondMiter failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\Software\Software\TPS108 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Software\TPS108 failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\Software\Transponder not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Transponder failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\Software\WSoft not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\WSoft failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\bridge not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\bridge failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

-----------
The 3 files in Programme -> deleted

-----------

Kaspersky scan doesn't work, same as last time. Some controls won't install. *grumble*


btw.
that strange popup came up again on restart. Looked like a new trojan *think*
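The Avenger output above is easier to triage once it is reduced to one record per script target. The following Python script is an added example, not part of this thread or of The Avenger itself: it parses a constructed excerpt of the log posted above (the pre-processor "Syntax error" lines and the "not found" / "Status:" entries) and decodes the NTSTATUS value. 0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND, i.e. the file or key was already gone (or never existed under that exact name) when the script ran, which is why every deletion in the posted log reports "failed" even though nothing is left to remove. The two extra NTSTATUS names in the table are common alternatives and are not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# NTSTATUS values The Avenger reports on failure. 0xC0000034 is the only one
# in the posted log; the other two are common alternatives a reader may meet.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}


@dataclass
class AvengerRecord:
    kind: str                     # "script-line", "file" or "registry"
    target: str                   # path or registry key the line refers to
    outcome: str                  # "ignored-by-preprocessor" or "failed"
    status: Optional[int] = None  # NTSTATUS from the following "Status:" line

    @property
    def status_name(self) -> str:
        if self.status is None:
            return ""
        return NTSTATUS.get(self.status, "unknown NTSTATUS 0x%08x" % self.status)


SYNTAX_RE = re.compile(r"^Syntax error in line")
LINE_RE = re.compile(r"^Line: (.+)$")
FILE_RE = re.compile(r"^File (.+?) not found!$")
KEY_RE = re.compile(r"^Registry key (.+?) not found!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")


def parse_avenger_log(text: str) -> List[AvengerRecord]:
    """Reduce an Avenger log to one record per script target."""
    records: List[AvengerRecord] = []
    expecting_path = False  # set after a pre-processor "Syntax error" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SYNTAX_RE.match(line):
            expecting_path = True
            continue
        m = LINE_RE.match(line)
        if m and expecting_path:
            records.append(AvengerRecord("script-line", m.group(1), "ignored-by-preprocessor"))
            expecting_path = False
            continue
        m = FILE_RE.match(line)
        if m:
            records.append(AvengerRecord("file", m.group(1), "failed"))
            continue
        m = KEY_RE.match(line)
        if m:
            records.append(AvengerRecord("registry", m.group(1), "failed"))
            continue
        m = STATUS_RE.match(line)
        # A "Status:" line belongs to the most recent file/registry record.
        if m and records and records[-1].kind != "script-line" and records[-1].status is None:
            records[-1].status = int(m.group(1), 16)
    return records


def summarize(records: List[AvengerRecord]) -> Dict[Tuple[str, str, str], int]:
    """Count records by (kind, outcome, decoded status)."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for r in records:
        key = (r.kind, r.outcome, r.status_name)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed excerpt of the log posted above (not the complete log).
SAMPLE_LOG = r"""
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\AlxTB.BHO


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}

Logfile of The Avenger version 1, by Swandog46

File C:\WINDOWS\system32\fab.exe not found!
Deletion of file C:\WINDOWS\system32\fab.exe failed!

Could not process line:
C:\WINDOWS\system32\fab.exe
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\Software\DailyToolbar not found!
Deletion of registry key HKEY_LOCAL_MACHINE\Software\DailyToolbar failed!
Status: 0xc0000034

Completed script processing.
"""

if __name__ == "__main__":
    recs = parse_avenger_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r.kind:12} {r.outcome:24} {r.status_name:30} {r.target}")
    for key, n in summarize(recs).items():
        print(n, key)
```

Running it over the full posted log gives the same picture as reading it by hand: every file and key deletion fails with STATUS_OBJECT_NAME_NOT_FOUND, and the pre-processor lines only list which script entries were skipped, so nothing in this run actually removed anything.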
12.08.2006, 20:35
Honorary member

Posts: 29434
#36 Post the new HijackThis log + the 4 logs from datfindbat
__________
Kind regards, Sabina

all about PC security
12.08.2006, 20:45
Member

Thread starter

Posts: 29
#37 Logfile of HijackThis v1.99.1
Scan saved at 20:40:11, on 12.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\Thread.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Logitech\Video\LogiTray.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComS.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunServAlert.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Dodge\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Zur Filterliste hinzufügen (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Programme\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {84FAA847-1400-4400-BC93-D338EF03127B} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Mensch - http://download.games.yahoo.com/games/clients/y/mat3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_3_EN_XP.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp07.photoprintit.de/microsite/1119/defaults/activex/ImageUploader3.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E389B76-1702-43B0-8FFF-07046F351EFA}: NameServer = 217.237.151.161 217.237.150.188
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

------------------------------------------------------

Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: 882C-5933

Verzeichnis von C:\WINDOWS\system32

12.08.2006 20:21 376.016 perfh009.dat
12.08.2006 20:21 51.814 perfc009.dat
12.08.2006 20:21 386.338 perfh007.dat
12.08.2006 20:21 62.578 perfc007.dat
12.08.2006 20:21 886.752 PerfStringBackup.INI
12.08.2006 20:07 506 plnkuess.txt
12.08.2006 19:38 370 lnfsdkcb.txt
12.08.2006 19:34 816 qthxrjho.txt
10.08.2006 19:40 0 asfiles.txt
10.08.2006 19:37 2.550 Uninstall.ico
10.08.2006 19:37 1.406 Help.ico
10.08.2006 19:37 30.590 pavas.ico
06.08.2006 15:39 2.206 wpa.dbl
03.08.2006 03:22 8.255.912 MRT.exe
23.07.2006 15:12 252 lvcoinst.log
14.07.2006 17:38 332.288 netapi32.dll
15.06.2006 23:55 778.240 divx_xx07.dll
15.06.2006 23:55 778.240 divx_xx0c.dll
15.06.2006 23:55 761.856 divx_xx11.dll
15.06.2006 23:55 620.180 DivX.dll
14.06.2006 19:49 118.784 DivXCodecUpdateChecker.exe
13.06.2006 23:36 700.416 divxdec.ax
12.06.2006 21:22 4.276 divxsm.tlb
12.06.2006 21:22 520.192 DivXsm.exe
12.06.2006 21:22 10.863 dsm_ja.qm
12.06.2006 21:22 15.507 dsm_de.qm
12.06.2006 21:22 15.299 dsm_fr.qm
01.06.2006 20:47 27.648 jgpl400.dll
01.06.2006 20:47 163.840 jgdw400.dll
29.05.2006 17:30 1.494.016 shdocvw.dll
25.05.2006 00:48 421.888 pxdrv.dll
25.05.2006 00:48 108.544 pxcpyi64.exe
25.05.2006 00:48 109.568 pxinsi64.exe
25.05.2006 00:48 172.032 pxmas.dll
25.05.2006 00:48 372.736 px.dll
25.05.2006 00:48 56.832 pxcpya64.exe
25.05.2006 00:48 61.440 pxhpinst.exe
25.05.2006 00:48 56.320 pxinsa64.exe
25.05.2006 00:48 339.968 pxwave.dll
25.05.2006 00:48 28.672 vxblock.dll
25.05.2006 00:47 3.596.288 qt-dx331.dll
25.05.2006 00:46 53.248 dpuGUI10.dll
25.05.2006 00:46 90.112 dpl100.dll
25.05.2006 00:46 593.920 dpuGUI11.dll
25.05.2006 00:46 200.704 dtu100.dll
25.05.2006 00:46 344.064 dpus11.dll
25.05.2006 00:46 57.344 dpv11.dll
25.05.2006 00:46 294.912 dpu11.dll
25.05.2006 00:46 294.912 dpu10.dll
25.05.2006 00:43 352.401 DivXMedia.ax
25.05.2006 00:43 1.044.480 libdivx.dll
25.05.2006 00:43 200.704 ssldivx.dll
25.05.2006 00:43 245.408 unicows.dll
20.05.2006 16:49 228 Deutz Engine.log
20.05.2006 16:49 501.760 Deutz Engine.exe
20.05.2006 16:49 501.760 Deutz Engine.scr
20.05.2006 16:49 1.350 Deutz Engine.ssp
20.05.2006 16:49 15.310.852 Deutz Engine.002
20.05.2006 16:49 29.493.252 Deutz Engine.001
20.05.2006 16:49 0 Deutz Engine.mda
19.05.2006 17:09 3.073.536 mshtml.dll
19.05.2006 15:09 148.480 dnsapi.dll
19.05.2006 15:09 95.744 iphlpapi.dll
19.05.2006 15:09 112.128 dhcpcsvc.dll
18.05.2006 07:36 450.560 jscript.dll
14.05.2006 10:48 181.248 rasmans.dll
11.05.2006 10:57 27.136 xpsp3res.dll
10.05.2006 07:23 664.064 wininet.dll
10.05.2006 07:22 474.624 shlwapi.dll
10.05.2006 07:22 615.936 urlmon.dll
10.05.2006 07:22 532.480 mstime.dll
10.05.2006 07:22 448.512 mshtmled.dll
10.05.2006 07:22 39.424 pngfilt.dll
10.05.2006 07:22 146.432 msrating.dll
10.05.2006 07:22 96.768 inseng.dll
10.05.2006 07:22 16.384 jsproxy.dll
10.05.2006 07:22 55.808 extmgr.dll
10.05.2006 07:22 205.312 dxtrans.dll
10.05.2006 07:22 251.392 iepeers.dll
10.05.2006 07:22 1.056.256 danim.dll
10.05.2006 07:22 357.888 dxtmsft.dll
10.05.2006 07:22 152.064 cdfview.dll
10.05.2006 07:22 1.022.976 browseui.dll
04.05.2006 17:35 65.536 QuickTimeVR.qtx
04.05.2006 17:35 49.152 QuickTime.qts

------------------------------------------------------------------------

Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: 882C-5933

Verzeichnis von C:\DOKUME~1\Dodge\LOKALE~1\Temp

12.08.2006 20:28 1.030 jusched.log
12.08.2006 20:18 32.768 ~DF77E8.tmp
12.08.2006 20:18 49.152 ~DFF2CC.tmp
12.08.2006 20:18 32.768 ~DFB867.tmp
12.08.2006 20:17 16.384 ~DF29AD.tmp
12.08.2006 19:59 16.384 ~DFD673.tmp
12.08.2006 19:59 16.384 ~DFD622.tmp
12.08.2006 19:59 16.384 ~DFD63D.tmp
12.08.2006 19:59 16.384 ~DFD658.tmp
12.08.2006 19:59 16.384 ~DFB6F7.tmp
12.08.2006 19:59 16.384 ~DFADA1.tmp
12.08.2006 19:24 32.768 ~DF3408.tmp
12.08.2006 19:24 49.152 ~DFB1D.tmp
12.08.2006 19:24 32.768 ~DFAA35.tmp
12.08.2006 19:24 16.384 ~DFC6A.tmp
12.08.2006 19:22 32.768 ~DFB2BE.tmp
12.08.2006 19:19 49.152 ~DF5388.tmp
12.08.2006 19:19 32.768 ~DFD263.tmp
12.08.2006 19:18 16.384 ~DF2DDD.tmp
12.08.2006 17:41 49.152 ~DF9B54.tmp
12.08.2006 17:41 32.768 ~DFFB76.tmp
12.08.2006 17:40 16.384 ~DF19E8.tmp
11.08.2006 17:36 1.212.416 ~DF9888.tmp
11.08.2006 17:33 1.015.808 ~DF100C.tmp
11.08.2006 17:33 49.152 ~DF5EA6.tmp
11.08.2006 17:33 32.768 ~DF53C3.tmp
11.08.2006 17:33 16.384 ~DF3261.tmp
11.08.2006 16:44 16.384 ~DF95B8.tmp
11.08.2006 16:44 16.384 ~DF9582.tmp
11.08.2006 16:44 16.384 ~DF959D.tmp
11.08.2006 16:44 16.384 ~DF9567.tmp
11.08.2006 16:33 16.384 ~DF721E.tmp
11.08.2006 16:33 16.384 ~DF6895.tmp
28.06.2004 19:42 24.576 IadHide4.dll
34 Datei(en) 3.040.262 Bytes
0 Verzeichnis(se), 14.093.926.400 Bytes frei

------------------------------------------------------------------------

Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: 882C-5933

Verzeichnis von C:\WINDOWS

12.08.2006 20:23 1.053.828 WindowsUpdate.log
12.08.2006 20:17 0 0.log
12.08.2006 20:17 3.922 ModemLog_Creatix V.9X DSP Data Fax Modem.txt
12.08.2006 20:17 159 wiadebug.log
12.08.2006 20:17 50 wiaservc.log
12.08.2006 20:17 2.048 bootstat.dat
12.08.2006 20:16 32.622 SchedLgU.Txt
12.08.2006 19:25 6.109 KB918899.log
12.08.2006 19:20 2.740 KB920670.log
12.08.2006 19:19 5.295 KB917422.log
10.08.2006 20:51 1.409 QTFont.for
10.08.2006 20:51 54.156 QTFont.qfn
10.08.2006 19:40 666 win.ini
10.08.2006 19:38 33.386 setupapi.log
10.08.2006 17:31 227.564 setupact.log
10.08.2006 17:11 1.207.264 ntbtlog.txt
09.08.2006 21:51 5.084 KB920683.log
09.08.2006 09:27 148.519 iis6.log
09.08.2006 09:27 1.355 imsins.log
09.08.2006 09:27 422.602 tsoc.log
09.08.2006 09:27 50.787 ocmsn.log
09.08.2006 09:27 342.030 comsetup.log
09.08.2006 09:27 219.545 ntdtcsetup.log
09.08.2006 09:27 11.131 KB921883.log
09.08.2006 09:27 632.705 ocgen.log
09.08.2006 09:27 55.929 msgsocm.log
09.08.2006 09:27 1.016.437 FaxSetup.log
09.08.2006 09:27 39.611 updspapi.log
30.07.2006 18:08 338 lexstat.ini
27.07.2006 00:38 127.535 wmsetup.log
21.07.2006 21:21 202 NeroDigital.ini
15.07.2006 23:51 1.374 imsins.BAK
15.07.2006 23:51 12.745 KB916595.log
14.07.2006 13:12 11.940 KB917159.log
14.07.2006 13:12 12.561 KB914388.log
17.06.2006 03:10 33.264 spupdsvc.log
17.06.2006 03:02 12.531 KB917734.log
17.06.2006 03:02 1.054.919 setupapi.log.0.old
17.06.2006 03:01 14.774 KB918439.log
17.06.2006 03:01 15.133 KB917344.log
17.06.2006 03:01 14.909 KB917953.log
17.06.2006 03:01 14.886 KB911280.log
17.06.2006 03:01 18.104 KB916281.log
17.06.2006 03:00 11.521 KB914389.log
25.05.2006 01:39 0 msds.dat
19.05.2006 16:46 121 GEARInstall.log
11.05.2006 23:57 11.702 KB913580.log

-------------------------------------------------------------------------
Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: 882C-5933

Verzeichnis von C:\

12.08.2006 20:45 0 sys.txt
12.08.2006 20:45 16.650 windows.txt
12.08.2006 20:45 16.650 system.txt
12.08.2006 20:44 1.899 temp.txt
12.08.2006 20:44 1.899 systemtemp.txt
12.08.2006 20:43 108.357 system32.txt
12.08.2006 20:17 12.274 avenger.txt
12.08.2006 20:17 536.399.872 hiberfil.sys
12.08.2006 20:17 805.306.368 pagefile.sys
12.08.2006 20:08 506 opcvubhq.txt
12.08.2006 18:37 37.797 files.txt
10.08.2006 17:31 16.509 ComboFix.txt
10.08.2006 17:28 1.458 c.txt
10.08.2006 17:18 1.226 rapport.txt
08.08.2006 19:18 22.136 ComboFix.2006-08-10.173128.txt

------------------------------------------------------------------
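A HijackThis log like the one above is reviewed line by line, and the first pass is mechanical: split each entry into its section code, description, CLSID and path, then queue the ones that need a human look. The Python script below is an added example, not HijackThis's own code and not part of this thread; it parses a constructed excerpt of the log posted above and applies three review rules: (a) a registration whose file is "(file missing)", (b) an O16 ActiveX download (DPF) entry that carries only a CLSID and no descriptive name, and (c) an O17 NameServer entry, which is listed so the resolver addresses can be checked against the ISP's. Rules (a) and (b) pick out exactly the two lines the helper asks to fix in the next post; rule (a) also catches stale O9/O18 entries that are merely orphaned, so the output is a review queue, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HjtEntry:
    section: str           # e.g. "O2", "O16", "R1"
    description: str       # text between the section marker and the first " - "
    clsid: Optional[str]   # first GUID on the line, if any
    path: Optional[str]    # last " - " separated field, cleaned of annotations
    file_missing: bool     # HijackThis appended "(file missing)"
    raw: str


# HijackThis sections are R0-R3, F0-F3, N1-N4 and O1-O24.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def _clean_path(p: str) -> str:
    """Drop HijackThis annotations and surrounding quotes from a path field."""
    p = re.sub(r"\s*\((file missing|HKCU)\)", "", p).strip()
    return p.strip('"')


def parse_hijackthis(text: str) -> List[HjtEntry]:
    """Return one HjtEntry per 'Rn/Fn/Nn/On - ...' line; other lines are skipped."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, "Running processes:" and process paths
        body = m.group("body")
        clsid_m = CLSID_RE.search(body)
        parts = [p.strip() for p in body.split(" - ")]
        path = _clean_path(parts[-1]) if len(parts) > 1 else None
        entries.append(HjtEntry(
            section=m.group("sec"),
            description=parts[0],
            clsid=clsid_m.group(0) if clsid_m else None,
            path=path,
            file_missing="(file missing)" in line,
            raw=line,
        ))
    return entries


def review_flags(entries: List[HjtEntry]) -> List[Tuple[str, str, str]]:
    """Apply the three review rules; each flag is (section, reason, raw line)."""
    flags: List[Tuple[str, str, str]] = []
    for e in entries:
        if e.file_missing:
            flags.append((e.section, "registration points to a missing file", e.raw))
        if e.section == "O16":
            # Strip the "DPF:" prefix and the CLSID; whatever is left is the name.
            name = CLSID_RE.sub("", e.description.replace("DPF:", "")).strip()
            if not name:
                flags.append((e.section, "ActiveX download (DPF) with no descriptive name", e.raw))
        if e.section == "O17":
            flags.append((e.section, "custom DNS servers; verify against the ISP's resolvers", e.raw))
    return flags


# Constructed excerpt of the HijackThis log posted above (not the complete log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll (file missing)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_3_EN_XP.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E389B76-1702-43B0-8FFF-07046F351EFA}: NameServer = 217.237.151.161 217.237.150.188
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

if __name__ == "__main__":
    for section, reason, raw in review_flags(parse_hijackthis(SAMPLE_LOG)):
        print(f"[{section}] {reason}\n    {raw}")
```

The rules deliberately stop short of naming anything malicious: a missing file or an unnamed DPF entry is a reason to look the CLSID and download host up, which is the step the helper in this thread performs by hand before telling the poster which lines to fix.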
12.08.2006, 20:56
Honorary member

Posts: 29434
#38 1.
Fix with HijackThis:

Quote

O2 - BHO: office_pnl.office_panel - {B53455DB-5527-4041-AC41-F86E6947AA47} - C:\WINDOWS\system32\office_pnl.dll (file missing)
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_3_EN_XP.cab
Restart the PC

2.
Scan with Bitdefender and post the report
http://virus-protect.org/onlinescan.html

3.
Then post the new log from Silent Runners
http://virus-protect.org/silentrunner.html
__________
Kind regards, Sabina

all about PC security
12.08.2006, 22:23
Member

Thread starter

Posts: 29
#39 1.->done

2.

Prüf-Info

Trojan.Downloader.VB.SR                1
Trojan.Downloader.VB.AJV               1
Trojan.Pws.Sinowal.AE                  1
Adware.Trojfact.B                      3
Trojan.Clspring.BS                     1
Adware.PurityScan.D                    1
Trojan.Agent.QE                        1
Win32.FpuJunk.2                        2
Trojan.Downloader.Small.AYS            2
Trojan.FakeAlert.CY                   12
Trojan.Downloader.Small.BCN            1
Dropped:Trojan.Dropper.VB.AT           1
Trojan.PWS.Sinowal.AF                  1
Trojan.Downloader.VB.RE                2
Trojan.PWS.Sinowal.AH                  2
Trojan.Tibs.E                          5
Trojan.Downloader.Small.DAM            2
Trojan.Downloader.Galapoper.A          4
Trojan.Downloader.VB.OX                2
Trojan.Downloader.VB.AJP               1
GenPack:Trojan.Downloader.Small.DDE    1
Trojan.Agent.SNA                       2
Trojan.Purityad.DV                     1
Trojan.Downloader.Small.DDE            5
Trojan.Dropper.Vb.NN                   1
BehavesLike:Win32.ExplorerHijack       2
---------------------------------------------------------------------------

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LDM" = "C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" ["Logitech"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"PinnacleDriverCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]
"LogitechVideoRepair" = "C:\Programme\Logitech\Video\ISStart.exe" ["Logitech Inc."]
"LogitechVideoTray" = "C:\Programme\Logitech\Video\LogiTray.exe" ["Logitech Inc."]
"LogitechGalleryRepair" = "C:\Programme\Logitech\Video\ISStart.exe" ["Logitech Inc."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"SunServer" = "C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe" ["Sunbelt Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
-> {HKLM...CLSID} = "CD Copy Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
"{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
-> {HKLM...CLSID} = "CD Wizard Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {HKLM...CLSID} = "My Logitech Pictures"
\InProcServer32\(Default) = "C:\Programme\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {HKLM...CLSID} = "Contact View"
\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
-> {HKLM...CLSID} = "Message View"
\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{076394AD-7FDD-44EF-A075-32C68DBAB99B}" = "*i" (unwritable string)
-> {HKLM...CLSID} = "GIANT AntiSpyware Service Hook"
\InProcServer32\(Default) = "C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunExecuteHook.dll" ["Sunbelt Software"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * pgdfgsvc C 1" [file not found], [MS], [file not found], [file not found], [file not found], [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Dodge\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\DEUTZE~1.SCR" (Deutz Engine.scr) [null data]


Startup items in "Dodge" & "All Users" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Logitech Desktop Messenger" -> shortcut to: "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll" ["Yahoo! Inc."]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{84FAA847-1400-4400-BC93-D338EF03127B}\
"ButtonText" = "MedionShop"
"Exec" = "http://www.medionshop.de/" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesde.dll" ["Yahoo! Inc."]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\
"ButtonText" = "eBay - Homepage"
"CLSIDExtension" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
-> {HKLM...CLSID} = "Toolbar Extension for Executable"
\InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
"Exec" = "C:\Programme\IrfanView\Ebay\Ebay.htm" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.aldi.com

Missing lines (compared with English-language version):
[Strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "MGINavigationCanceled" = "C:\Programme\MGI\MGI PhotoSuite 4\Internet\NavigationCanceled.html" [null data]
HIJACK WARNING! "MGIWelcome" = "C:\Programme\MGI\MGI PhotoSuite 4\Internet\W_Welcome.html" [null data]
HIJACK WARNING! "MGIOfflineInformation" = "C:\Programme\MGI\MGI PhotoSuite 4\Internet\OfflineInformation.html" [null data]
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\Programme\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
iPodService, iPodService, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 41 seconds, including 18 seconds for message boxes)
12.08.2006, 23:01
Sabina (honorary member, 29434 posts)
#40 But BitDefender deletes as well... and it gets displayed... didn't you let it delete?

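The Silent Runners log above marks every non-default entry at the load points it watches with INFECTION WARNING! or HIJACK WARNING!, and tags every file it could not verify with [file not found], [null data] or [empty string]; a warning only says the entry is not a Windows default, so the analyst still has to look at each one. With a log this long, pulling those entries out and ranking them is the first thing a reviewer wants. What follows is an added example, not part of Silent Runners and not code from anyone in this thread: the sample input is a constructed excerpt assembled from lines of the log above, the entry layout it assumes is the one Silent Runners prints (a registry key line ending in a backslash, then its values, each followed by its "-> CLSID" and "\InProcServer32" continuation lines), and the scoring rule (one point per warning prefix, one per unverifiable tag) is my own choice.

```python
"""Triage a Silent Runners log: collect the entries the script marks
INFECTION WARNING! / HIJACK WARNING! and every load point whose file it could
not verify ([file not found], [null data], [empty string]), then rank them.

Added example for this thread; not part of Silent Runners or of the posts.
Assumed layout (as printed by Silent Runners): a registry key line ending in
a backslash, then its values; a value's CLSID resolution ("-> ...") and DLL
line ("\InProcServer32\...") follow it. The sample is a constructed excerpt
built from lines of the log above; the scoring rule is my own choice.
"""
import re

SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{076394AD-7FDD-44EF-A075-32C68DBAB99B}" = "*i" (unwritable string)
-> {HKLM...CLSID} = "GIANT AntiSpyware Service Hook"
\InProcServer32\(Default) = "C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunExecuteHook.dll" ["Sunbelt Software"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * pgdfgsvc C 1" [file not found], [MS], [file not found], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"""

KEY_RE = re.compile(r"^HK(?:LM|CU|CR|U|CC)\\.*\\$")
WARN_RE = re.compile(r"^(INFECTION WARNING!|HIJACK WARNING!)")
TAG_RE = re.compile(r"\[([^\]]*)\]")          # every [...] annotation on a line
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')  # quoted absolute Windows path
VENDOR_RE = re.compile(r'\["([^"]+)"\]')       # ["Company"] after a verified file
WEAK_TAGS = {"file not found", "null data", "empty string"}


def entries(log_text):
    """Yield (registry key, [entry lines]); continuation lines stay with their entry."""
    key, entry = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if KEY_RE.match(line):
            if entry:
                yield key, entry
            key, entry = line, []
        elif line.startswith(("->", "\\")) and entry:
            entry.append(line)
        else:
            if entry:
                yield key, entry
            entry = [line]
    if entry:
        yield key, entry


def triage(log_text):
    """Return findings sorted by score: 1 per warning prefix + 1 per weak tag."""
    findings = []
    for key, lines in entries(log_text):
        reasons = []
        warn = WARN_RE.match(lines[0])
        if warn:
            reasons.append(warn.group(1))
        weak = [t for line in lines for t in TAG_RE.findall(line) if t in WEAK_TAGS]
        for tag in sorted(set(weak)):
            reasons.append(f"{weak.count(tag)} x [{tag}]")
        if not reasons:
            continue                                  # verified, default-looking entry
        path = vendor = None
        for line in lines:                            # last path wins: the loaded DLL
            pm = PATH_RE.search(line)
            if pm:
                path = pm.group(1)
                vm = VENDOR_RE.search(line)
                vendor = "Microsoft" if "[MS]" in line else (vm.group(1) if vm else None)
        findings.append({"key": key, "entry": lines[0], "path": path, "vendor": vendor,
                         "reasons": reasons, "score": len(weak) + (1 if warn else 0)})
    findings.sort(key=lambda f: f["score"], reverse=True)  # stable: ties keep log order
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['score']}] {f['key']}\n    {f['entry'][:70]}\n    "
              f"path={f['path']} vendor={f['vendor']} reasons={f['reasons']}")
```

On the excerpt the BootExecute line ranks first (warning plus five unresolved tokens), the TuneUp AboutURLs entry second, and the two single-reason entries last; the Yahoo! Mail handler, verified against a vendor string, is not reported at all. The vendor field is what lets a reviewer separate "flagged because non-default" from "flagged because unverifiable".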
12.08.2006, 23:02
Thecriss (member, thread starter, 29 posts)
#41 It deleted automatically, at least that's what it said there.
There was nothing to click to choose whether you want to delete or anything...

Wait, to be on the safe side I had saved some of it:

*hmpf* it won't go as an attachment, because it's an HTML file...
This post was edited on 12.08.2006 at 23:07 by Thecriss.

12.08.2006, 23:06
Sabina (honorary member, 29434 posts)
#42 Strange that the paths weren't shown along with it.

1.
Delete the Avenger backups
C:\avenger\backup.zip
C:\avenger\backup-11.08.2006-17.23.27,15.zip

2.
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".
(then turn it back on)

3.
http://virus-protect.org/multiavtool.html
* click "3" - McAfee -- an empty DOS window appears.

An internet connection must be available when you enter "3" in MULTIAVTOOL

- you have to type in what is to be scanned
- C:\Windows\System32 - then the scan starts; you should then also have it scan:
- C:\Windows
- C:\

* click "6" --> the PC will restart --> find the 3 scan reports in C:\AV-CLS and copy them in

12.08.2006, 23:07
Thecriss (member, thread starter, 29 posts)
#43 Did you mean something like this?:

C:\avenger\backup-11.08.2006-17.23.27,15.zip=>avenger/office_pnl.dll
    Detected: Adware.Trojfact.B -> Disinfection failed -> Deleted
C:\avenger\backup-11.08.2006-17.23.27,15.zip
    Updated
C:\avenger\backup-11.08.2006-17.23.27,15.zip=>avenger/winblsrv.dll
    Infected: Trojan.FakeAlert.CY -> Disinfection failed -> Deleted
C:\avenger\backup-11.08.2006-17.23.27,15.zip
    Updated
C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\aepnktmx.exe.bac_a03752=>(Quarantine-4)
    Infected: Trojan.Downloader.Small.DDE -> Disinfection failed -> Deleted
C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\eeourbdx.ukd.bac_a03752=>(Quarantine-4)
    Infected: Trojan.Agent.QE -> Disinfection failed -> Deleted
C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\ghhzdffo.exe.bac_a03752=>(Quarantine-4)
    Infected: Trojan.Downloader.VB.RE -> Disinfection failed -> Deleted
C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\hynhzzxt.exe.bac_a03752=>(Quarantine-4)
    Infected: Trojan.Downloader.Galapoper.A -> Disinfection failed -> Deleted
C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\jvckfvvq.exe.bac_a03752=>(Quarantine-4)
    Infected: Trojan.Downloader.Galapoper.A -> Disinfection failed -> Deleted
C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\ogkfmahr.exe.bac_a03752
    Infected: Trojan.Downloader.Small.AYS -> Disinfection failed -> Deleted
C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\quzqyyti.exe.bac_a03752=>(Quarantine-4)
    Infected: Trojan.Downloader.Small.DAM -> Disinfection failed -> Deleted
C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\sphuhmdl.exe.bac_a03752=>(Quarantine-4)
    Infected: Trojan.Downloader.VB.OX -> Disinfection failed -> Deleted
C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\system32fab.exe.bac_a03752=>(Quarantine-4)
    Infected: Trojan.FakeAlert.CY -> Disinfection failed -> Deleted
C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\vugqxhgx.exe.bac_a03752
    Infected: Trojan.Downloader.Small.AYS -> Disinfection failed -> Deleted
C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\winblsrv.dll.bac_a03752=>(Quarantine-4)
    Infected: Trojan.FakeAlert.CY -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{C7E87882-F72B-4CC6-B94B-0C5CDA4414CA}\RP854\A0054348.exe
    Infected: Trojan.FakeAlert.CY -> Disinfection failed -> Deleted
C:\System Volume Information\_restore{C7E87882-F72B-4CC6-B94B-0C5CDA4414CA}\RP854\A0054363.exe
    Infected: Trojan.FakeAlert.CY

edit
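Steps 1 and 2 in post #42 (delete the Avenger backup archives, switch System Restore off and back on) follow directly from where BitDefender found the remaining copies in post #43: inside backup-11.08.2006-17.23.27,15.zip, inside the HouseCall quarantine folder and inside restore point RP854, i.e. in containers that a scanner can flag but cannot always clean, and not on the live file system. The flat format the online scanner produced (a path line, blank lines, then a status line, repeated) hides that grouping, so here is an added example that parses such a log into one record per path and sums the hits per container. It is not a BitDefender or forum tool and not code from anyone in this thread; the German status strings are the ones that appear in the log above, the sample input is a constructed excerpt of that log, and its last entry (a copy of winblsrv.dll in C:\WINDOWS\system32) is invented solely to exercise the "live file system" branch.

```python
"""Parse a flattened BitDefender online-scanner result log and group the hits
by the container they sit in.

Added example for this thread, not a BitDefender or forum tool. Assumed format
(taken from the log pasted above): a path line, one or more blank lines, then
a status line, repeated. Status lines are German: "Infiziert:"/"Erkannt:" give
the verdict, "Desinfektion fehlgeschlagen" = disinfection failed, "Gelöscht"
= deleted, "Aktualisiert" = container archive rewritten. The sample below is a
constructed excerpt; its last entry (a live winblsrv.dll) is invented.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
C:\avenger\backup-11.08.2006-17.23.27,15.zip=>avenger/winblsrv.dll

Infiziert: Trojan.FakeAlert.CY

C:\avenger\backup-11.08.2006-17.23.27,15.zip=>avenger/winblsrv.dll

Desinfektion fehlgeschlagen

C:\avenger\backup-11.08.2006-17.23.27,15.zip=>avenger/winblsrv.dll

Gelöscht

C:\avenger\backup-11.08.2006-17.23.27,15.zip

Aktualisiert

C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\system32fab.exe.bac_a03752=>(Quarantine-4)

Infiziert: Trojan.FakeAlert.CY

C:\Dokumente und Einstellungen\Dodge\.housecall\Quarantine\system32fab.exe.bac_a03752=>(Quarantine-4)

Gelöscht

C:\System Volume Information\_restore{C7E87882-F72B-4CC6-B94B-0C5CDA4414CA}\RP854\A0054348.exe

Infiziert: Trojan.FakeAlert.CY

C:\System Volume Information\_restore{C7E87882-F72B-4CC6-B94B-0C5CDA4414CA}\RP854\A0054348.exe

Desinfektion fehlgeschlagen

C:\WINDOWS\system32\winblsrv.dll

Infiziert: Trojan.FakeAlert.CY
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
VERDICT_RE = re.compile(r"^(?:Infiziert|Erkannt|Infected|Detected):\s*(.+)$")
STATUS = {
    "desinfektion fehlgeschlagen": "disinfect_failed",
    "gelöscht": "deleted",
    "geloescht": "deleted",
    "aktualisiert": "updated",
}


def classify(path):
    """Where the hit lives; that decides which clean-up step removes it."""
    p = path.lower()
    if "system volume information\\_restore" in p:
        return "restore point"           # purged by toggling System Restore
    if "\\quarantine\\" in p:
        return "scanner quarantine"      # another scanner's neutralised copy
    if "\\avenger\\" in p and ".zip" in p:
        return "avenger backup archive"  # Avenger's backup of what it moved
    return "live file system"            # still in place: the real problem


def parse_log(text):
    """One record per distinct path: verdict (malware name) plus the actions
    the scanner reported for it, in log order."""
    records, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            pending = line
            continue
        if pending is None:
            continue                     # status line without a path: ignore
        rec = records.setdefault(pending, {"path": pending, "verdict": None, "actions": []})
        m = VERDICT_RE.match(line)
        if m:
            rec["verdict"] = m.group(1)
        else:
            rec["actions"].append(STATUS.get(line.lower(), line))
        pending = None
    return list(records.values())


def summarize(records):
    """Per container: detections, how many were deleted, and which paths still
    hold a detected file."""
    summary = defaultdict(lambda: {"hits": 0, "deleted": 0, "still_present": []})
    for rec in records:
        if rec["verdict"] is None:
            continue                     # housekeeping line for a container
        bucket = summary[classify(rec["path"])]
        bucket["hits"] += 1
        if "deleted" in rec["actions"]:
            bucket["deleted"] += 1
        else:
            bucket["still_present"].append(rec["path"])
    return dict(summary)


if __name__ == "__main__":
    for container, info in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{container:24} hits={info['hits']} deleted={info['deleted']} "
              f"still_present={info['still_present']}")
```

Run against the full log in post #43 the same code puts every hit into the archive, quarantine or restore-point buckets and none into "live file system", which is the picture the advice in post #42 is built on: nothing active is left, but the copies in those containers will keep lighting up every scanner until the containers themselves are removed.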
12.08.2006, 23:08
Sabina (honorary member, 29434 posts)
#44 Yes, that's what I meant ;)

Now do everything I wrote above ;)

13.08.2006, 01:31
Thecriss (member, thread starter, 29 posts)
#45 1. -> done

2. -> done

3.

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4827 created Aug 11 2006
Scanning for 203344 viruses, trojans and variants.

Virus Scan Results



08/13/2006 00:35:14


Options:
"C:\WINDOWS\SYSTEM32" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: [BOOT]
Scanning C:\WINDOWS\SYSTEM32\*.*

Summary report on C:\WINDOWS\SYSTEM32\*.*
File(s)
Total files: ........... 7846
Clean: ................. 7833
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 1


Time: 00:05.13



------------------------------------------------------------------

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4827 created Aug 11 2006
Scanning for 203344 viruses, trojans and variants.

Virus Scan Results



08/13/2006 00:09:29


Options:
"C:\WINDOWS" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: [BOOT]
Scanning C:\WINDOWS\*.*

Summary report on C:\WINDOWS\*.*
File(s)
Total files: ........... 70903
Clean: ................. 70885
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 1


Time: 00:19.55



----------------------------------------------------------------------------

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4827 created Aug 11 2006
Scanning for 203344 viruses, trojans and variants.

Virus Scan Results



08/13/2006 00:44:40


Options:
"C:\" /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /MIME /PROGRAM /EXCLUDE C:\AV-CLS\EXCLIST.TXT /HTML "C:\AV-CLS\MCAFEE\SCANREPORT.HTML"

Scanning C: [BOOT]
Scanning C:\*.*
C:\RECYCLER\S-1-5-21-268589332-4242579586-737221297-1008\Dc20.zip\EGDHTML_1024.DLL ... Found potentially unwanted program Dialer-Generic.dll.
C:\RECYCLER\S-1-5-21-268589332-4242579586-737221297-1008\Dc20.zip\ISTACTIVEX.INF ... Found potentially unwanted program Adware-ISTBar.
C:\RECYCLER\S-1-5-21-268589332-4242579586-737221297-1008\Dc32.zip\OFFICESCAN.EXE\OFFICESCAN.EXE ... Found the TFactory trojan !!!
C:\RECYCLER\S-1-5-21-268589332-4242579586-737221297-1008\Dc32.zip\SMARTDRV.EXE\SMARTDRV.EXE ... Found the TFactory trojan !!!

Summary report on C:\*.*
File(s)
Total files: ........... 177046
Clean: ................. 176953
Possibly Infected: ..... 2
Cleaned: ............... 0
Non-critical Error(s): 2


Time: 00:38.13