How to remove Spyware Quake 2.3
Thread is closed!
#0
17.08.2006, 09:59
...new here
Posts: 6
17.08.2006, 15:07
Honorary member
Posts: 29434
#2
Karel
Information: http://virus-protect.org/artikel/spyware/intcodec_remove.html

0. Go into the registry: Start - Run - regedit
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}" -> delete

1. spyfalcon.zip -> http://virus-protect.org/zip/spyfalcon.zip -> unpack onto the desktop -> spyfalcon.reg -> double-click and add it to the registry with "ja/yes"

2. Avenger http://virus-protect.org/artikel/tools/avenger.html
Paste in:
Quote
Files to delete:
Click the green traffic light; the script will now run, then the PC will restart automatically

3. Apply SmitfraudFix - let it clean the registry as well (options 1 and 2)
http://virus-protect.org/artikel/tools/smitfrautfix.html

4. Delete the Avenger backup under c:\Avenger

5. Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html and double-click to start.
In the "Enter search strings" edit box (type or paste in) IntCodec and click "Ok". Notepad will open - post the text
+ please post the new HijackThis log

__________
Regards, Sabina
all about PC security
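Step 0 above deletes a value from the SharedTaskScheduler key, an autostart location that on a stock Windows XP system holds only values named by a CLSID with a description as data; the "bestreak" entry inverts that pattern (a word as the name, the CLSID as the data). The Python below is an added example, not code from this thread or from any of the tools it links: it parses a REGEDIT4-style export in the layout ComboFix uses for its "Reg Loading Points" section and flags SharedTaskScheduler values that are not CLSID-named or not among the XP defaults, and it also lists everything under policies\explorer\run, a second autostart location that appears in the ComboFix log in this thread. The sample export and the small allowlist are constructed for this example from the entries posted on this page.

```python
import re

# Constructed sample in the REGEDIT4 layout that ComboFix uses for its
# "Reg Loading Points" section; the entries are copied from the ComboFix log
# posted in this thread. It is not a live registry export.
SAMPLE_REG = r"""REGEDIT4
; constructed sample for the audit below

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SpyQuake2.com"="C:\\Program Files\\SpyQuake2.com\\Spy-Quake2.exe /h"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"homepage.monitor.exe"="C:\\Program Files\\IntCodec\\isamonitor.exe"
"pmsngr.exe"="C:\\Program Files\\IntCodec\\pmsngr.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"
"""

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
POLICY_RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run"
STS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler"
DESKTOP_KEY = r"hkey_current_user\software\microsoft\internet explorer\desktop\components\0"

# SharedTaskScheduler values present on a stock Windows XP install
# (value name = CLSID, data = description). Anything else deserves a look.
XP_DEFAULT_STS = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}",  # Browseui preloader
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}",  # Component Categories cache daemon
}
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _unquote(data):
    """Strip the quotes of a REG_SZ value and undo its backslash escaping."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data  # hex:, dword: and other types are kept verbatim


def parse_reg_export(text):
    """Parse [key] / "name"=data lines into {key_lower: {name: data}}.

    Hex values continued over several lines (trailing backslash) are joined.
    """
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                      # continuation of a hex value
            keys[current][pending] += line.rstrip("\\")
            if not line.endswith("\\"):
                pending = None
            continue
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.endswith("\\"):
                pending = name
                data = data.rstrip("\\")
            keys[current][name] = _unquote(data)
    return keys


def audit_autostarts(keys):
    """Return (key, name, data, reason) for entries that do not look like stock XP."""
    findings = []
    for name, data in keys.get(STS_KEY, {}).items():
        if not GUID_RE.match(name):
            findings.append((STS_KEY, name, data,
                             "value name is not a CLSID; stock entries are {CLSID}=description"))
        elif name.upper() not in XP_DEFAULT_STS:
            findings.append((STS_KEY, name, data, "CLSID is not a Windows XP default"))
    for name, data in keys.get(POLICY_RUN_KEY, {}).items():
        findings.append((POLICY_RUN_KEY, name, data,
                         "autostart under policies\\explorer\\run, rarely used by legitimate software"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in audit_autostarts(parse_reg_export(SAMPLE_REG)):
        print(f"[{key}]\n  {name} = {data}\n  -> {reason}")
```

Run against the sample, the audit reports exactly the three entries that the fix in this thread removes: "bestreak" in SharedTaskScheduler and the two IntCodec loaders under policies\explorer\run. The allowlist is deliberately short; on a machine with other shell extensions, legitimate CLSID-named entries will also be reported and have to be checked by hand, which is the point of a review rather than an automatic delete.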
17.08.2006, 22:39
...new here
Thread starter
Posts: 6
#3
Hi Sabine, I have done the various steps. You will find the log files below. I have the impression that the problem is solved: can you confirm that? Many thanks for the help!!
Regards, Karel
**************************************************
SmitFraudFix v2.81
Scan done at 18:01:00.80, 17.08.2006
Run from C:\Documents and Settings\Alexandra Bojcic\My Documents\KarelTRY\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alexandra Bojcic\Application Data
C:\Documents and Settings\Alexandra Bojcic\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyQuake2.com 2.3.lnk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\ALEXAN~1\STARTM~1\SpyQuake2.com 2.3.lnk FOUND !
C:\DOCUME~1\ALEXAN~1\STARTM~1\Programs\SpyQuake2.com FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ALEXAN~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\IntCodec\ FOUND !
C:\Program Files\SpyQuake2.com\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
*******************************************************
SmitFraudFix v2.81
Scan done at 18:05:30.53, 17.08.2006
Run from C:\Documents and Settings\Alexandra Bojcic\My Documents\KarelTRY\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
C:\WINDOWS\System32\viruxz.dll -> Missing File

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\Documents and Settings\Alexandra Bojcic\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyQuake2.com 2.3.lnk Deleted
C:\DOCUME~1\ALEXAN~1\STARTM~1\SpyQuake2.com 2.3.lnk Deleted
C:\DOCUME~1\ALEXAN~1\STARTM~1\Programs\SpyQuake2.com Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\IntCodec\ Deleted
C:\Program Files\SpyQuake2.com\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
*******************************************************
REGEDIT4
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0
; Results at 17.08.2006 22:32:40 for strings:
; 'intcodec intcodec'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
; End Of The Log...
**************************************************
Logfile of HijackThis v1.99.1
Scan saved at 22:34:39, on 17.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\OpenOffice.org1.1.2\program\soffice.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alexandra Bojcic\My Documents\KarelTRY\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telstra Big Pond Home Internet Explorer
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.2.lnk = C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155736424369
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
***************************************************
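The post above carries the HijackThis log taken after the cleanup; the log in the opening post (reproduced at the end of this page) shows the state before it. Comparing the two mechanically is how a helper confirms that every entry the fix targeted is gone and spots what is left behind, such as the BHO that now reads "(no file)". The Python below is an added example, not code from this thread or from HijackThis; the two log excerpts are constructed from the lines posted here and cut down to the entries relevant to the comparison.

```python
import re

# Constructed excerpts of the two HijackThis logs in this thread (before and
# after the cleanup), reduced to the entries relevant to the comparison.
HJT_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 09:15:34, on 17.08.2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\IntCodec\isamonitor.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telstra Big Pond Home Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll
O4 - HKLM\..\Run: [SpyQuake2.com] C:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\System32\viruxz.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
"""

HJT_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 22:34:39, on 17.08.2006

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telstra Big Pond Home Internet Explorer
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
"""

# HijackThis configuration entries start with a section tag (R0..R3, O1..O23).
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - .+$")


def hjt_entries(text):
    """Set of R*/O* configuration lines; the header and the process list are ignored."""
    return {ln.strip() for ln in text.splitlines() if ENTRY_RE.match(ln.strip())}


def section(entry):
    """'O21 - SSODL: ...' -> 'O21'."""
    return entry.split(" - ", 1)[0]


def diff_logs(before_text, after_text):
    """Entries removed by the cleanup and entries that are new afterwards."""
    before, after = hjt_entries(before_text), hjt_entries(after_text)
    return sorted(before - after), sorted(after - before)


def orphaned_entries(text):
    """Entries whose target file is gone; HijackThis marks them '(no file)' or '(file missing)'."""
    return sorted(e for e in hjt_entries(text) if "(no file)" in e or "(file missing)" in e)


def still_present(text, *needles):
    """Entries that still mention any of the given strings, e.g. a removed program's folder."""
    return sorted(e for e in hjt_entries(text) if any(n.lower() in e.lower() for n in needles))


if __name__ == "__main__":
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    print("removed by the cleanup:")
    for e in removed:
        print("  -", e)
    print("new after the cleanup:")
    for e in added:
        print("  +", e)
    print("orphaned entries to review:")
    for e in orphaned_entries(HJT_AFTER):
        print("  ?", e)
    print("still referencing IntCodec/SpyQuake2:",
          still_present(HJT_AFTER, "IntCodec", "SpyQuake2") or "none")
```

On the sample, the diff shows the IntCodec BHO and toolbar, the SpyQuake2 Run entry and the SSODL loader gone, and surfaces one new line: the CLSID that previously pointed at the Acrobat helper now has no file behind it, which is a harmless leftover to clean up rather than a sign of reinfection. Comparing sets of whole lines is deliberately strict: an entry whose path or CLSID changed shows up as one removal plus one addition, which is exactly what a reviewer wants to see.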
17.08.2006, 22:41
Honorary member
Posts: 29434
#4
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html and double-click to start.
In the "Enter search strings" edit box (type or paste in) IntCodec and click "Ok". Notepad will open - post the text

__________
Regards, Sabina
all about PC security
17.08.2006, 22:46
...new here
Thread starter
Posts: 6
#5
Logfile from Registry Search:
REGEDIT4
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0
; Results at 17.08.2006 22:44:13 for strings:
; 'intcodec'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
; End Of The Log...
17.08.2006, 22:47
Honorary member
Posts: 29434
#6
Run an online scan with Panda and post the report
http://virus-protect.org/onlinescan.html

__________
Regards, Sabina
all about PC security
18.08.2006, 00:18
...new here
Thread starter
Posts: 6
18.08.2006, 00:23
Honorary member
Posts: 29434
#8
1. Empty the recycle bin
2. Avenger:
Quote
Files to delete:

__________
Regards, Sabina
all about PC security
18.08.2006, 00:33
...new here
Thread starter
Posts: 6
#9
Hi Sabina
Log from Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mtewkhqo

*******************

Script file located at: \??\C:\lokdumbn.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\MYDLL.dll deleted successfully.
File C:\Documents and Settings\Alexandra Bojcic\Local Settings\Temporary Internet Files\Content.IE5\5O4EUYHF\safetyhomepage[2].htm deleted successfully.

Could not open file C:\RECYCLER\S-1-5-21-2488099398-2712619165-4205801449-1005\Dc8\backup.zip for deletion
Deletion of file C:\RECYCLER\S-1-5-21-2488099398-2712619165-4205801449-1005\Dc8\backup.zip failed!
Could not process line: C:\RECYCLER\S-1-5-21-2488099398-2712619165-4205801449-1005\Dc8\backup.zip
Status: 0xc000003a

Completed script processing.

*******************

Finished! Terminate.
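Avenger reports the outcome of each script line and, for a failed deletion, the raw NTSTATUS code. The one failure in the log above is on a file under C:\RECYCLER with status 0xc000003a, which is STATUS_OBJECT_PATH_NOT_FOUND: the path did not exist any more, consistent with the recycle bin having been emptied in step 1 of the previous reply, so nothing was left on disk. Telling that case apart from a genuine failure (access denied, sharing violation) is what a helper needs when reading such a log. The Python below is an added example, not code from this thread or from Avenger: it parses a log in this layout, separates successful from failed deletions and decodes the status codes it knows. The sample log is constructed from the one posted above.

```python
import re

# Constructed sample following the layout of the Avenger log posted above.
SAMPLE_AVENGER_LOG = r"""Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mtewkhqo

*******************

Script file located at: \??\C:\lokdumbn.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\MYDLL.dll deleted successfully.
File C:\Documents and Settings\Alexandra Bojcic\Local Settings\Temporary Internet Files\Content.IE5\5O4EUYHF\safetyhomepage[2].htm deleted successfully.

Could not open file C:\RECYCLER\S-1-5-21-2488099398-2712619165-4205801449-1005\Dc8\backup.zip for deletion
Deletion of file C:\RECYCLER\S-1-5-21-2488099398-2712619165-4205801449-1005\Dc8\backup.zip failed!
Could not process line: C:\RECYCLER\S-1-5-21-2488099398-2712619165-4205801449-1005\Dc8\backup.zip
Status: 0xc000003a

Completed script processing.

*******************

Finished! Terminate.
"""

# NTSTATUS values (from ntstatus.h) that commonly appear when a deletion fails.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
    0xC0000121: "STATUS_CANNOT_DELETE",
}
# "Not found" means the file was already gone: the goal of the deletion is met.
ALREADY_GONE = {0xC0000034, 0xC000003A}

DELETED_RE = re.compile(r"^File (.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of file (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")


def parse_avenger_log(text):
    """Return {"deleted": [path, ...], "failed": [(path, ntstatus_int_or_None), ...]}.

    A 'Status:' line is attached to the most recent failure that has none yet.
    """
    deleted, failed, open_failure = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DELETED_RE.match(line)
        if m:
            deleted.append(m.group(1))
            continue
        m = FAILED_RE.match(line)
        if m:
            open_failure = len(failed)
            failed.append((m.group(1), None))
            continue
        m = STATUS_RE.match(line)
        if m and open_failure is not None:
            path, _ = failed[open_failure]
            failed[open_failure] = (path, int(m.group(1), 16))
            open_failure = None
    return {"deleted": deleted, "failed": failed}


def describe_status(code):
    """Symbolic NTSTATUS name, or a hex fallback for codes not in the table."""
    if code is None:
        return "no status reported"
    return NTSTATUS_NAMES.get(code, f"unknown NTSTATUS 0x{code:08X}")


def needs_follow_up(code):
    """True for every failure except 'the file was not there to begin with'."""
    return code not in ALREADY_GONE


if __name__ == "__main__":
    result = parse_avenger_log(SAMPLE_AVENGER_LOG)
    for path in result["deleted"]:
        print("deleted :", path)
    for path, code in result["failed"]:
        verdict = "needs a second look" if needs_follow_up(code) else "already gone, nothing to do"
        print(f"failed  : {path}\n          {describe_status(code)} -> {verdict}")
```

Run on the sample, the two deletions are listed as done and the RECYCLER entry is reported as STATUS_OBJECT_PATH_NOT_FOUND with the verdict that no follow-up is needed; an access-denied or sharing-violation status on the same line would instead be flagged, since it means the file is still there and still in use.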
18.08.2006, 13:52
Honorary member
Posts: 29434
#10
Everything should be back in order.
Are there still popups?

__________
Regards, Sabina
all about PC security
18.08.2006, 16:26
...new here
Thread starter
Posts: 6
#11
Hello Sabina
No, no more popups. Wow, I don't even know how to thank you! I wish you a really, really great weekend!! Kind regards, Karel
1. Hijackthis logfile
Logfile of HijackThis v1.99.1
Scan saved at 09:15:34, on 17.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IntCodec\isamonitor.exe
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\IntCodec\pmmon.exe
C:\Program Files\IntCodec\isamini.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\SpyQuake2.com\Spy-Quake2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpyQuake2.com\Spy-Quake2.exe
C:\Program Files\OpenOffice.org1.1.2\program\soffice.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\CleanUp!\cleanup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alexandra Bojcic\My Documents\KarelTRY\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.altavista.yellowpages.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telstra Big Pond Home Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SpyQuake2.com] C:\Program Files\SpyQuake2.com\Spy-Quake2.exe /h
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.1.2.lnk = C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155736424369
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\System32\viruxz.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
2. CleanUp configured, run, computer restarted
3. Combofix
Start Time= 17.08.2006 9:49:02.24
Running from: C:\Documents and Settings\Alexandra Bojcic\My Documents\KarelTRY
QuickScan did not find any signs of infected files
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-08-17 08:33:58 ( .D... ) "C:\Program Files\CleanUp!"
2006-08-17 07:59:10 ( .D... ) "C:\Program Files\Enigma Software Group"
2006-08-16 18:58:18 ( .D... ) "C:\Program Files\Windows Defender"
2006-08-16 17:28:44 47564 ( A.SHR ) "C:\NTDETECT.COM"
2006-08-16 14:49:40 ( .D... ) "C:\Program Files\SpyQuake2.com"
2006-08-16 14:49:26 176128 ( A.... ) "C:\WINDOWS\system32\viruxz.dll"
2006-08-16 14:49:16 ( .D... ) "C:\Program Files\IntCodec"
2006-07-27 15:24:46 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-07-21 10:24:44 72704 ( A.... ) "C:\WINDOWS\system32\hlink.dll"
2006-07-14 17:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-13 15:33:28 8453632 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-07-05 12:55:02 984064 ( A.... ) "C:\WINDOWS\system32\kernel32.dll"
2006-06-26 19:37:10 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-06-26 19:37:10 8192 ( A.... ) "C:\WINDOWS\system32\rasadhlp.dll"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-18 17:22:16 25496 ( A.... ) "C:\Documents and Settings\Alexandra Bojcic\Application Data\GDIPFONTCACHEV1.DAT"
2006-05-19 14:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 14:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"
(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))
2006-08-17 09:40 127'208 C:\WINDOWS\system32\mucltui.dll
2006-08-16 16:21 1'082'368 C:\WINDOWS\system32\esent.dll
2006-08-16 15:47 384'000 C:\WINDOWS\system32\ipsmsnap.dll
2006-08-16 15:47 349'696 C:\WINDOWS\system32\ipsecsnp.dll
2006-08-16 15:47 32'768 C:\WINDOWS\system32\winipsec.dll
2006-08-16 15:47 266'752 C:\WINDOWS\system32\oakley.dll
2006-08-16 15:47 182'784 C:\WINDOWS\system32\ipsecsvc.dll
2006-08-16 15:47 105'472 C:\WINDOWS\system32\polstore.dll
2006-08-16 15:41 266'915'840 C:\hiberfil.sys
2006-08-16 14:49 176'128 C:\WINDOWS\system32\viruxz.dll
2006-07-14 17:53 332'288 C:\WINDOWS\system32\netapi32.dll
2006-07-13 15:46 8'453'632 C:\WINDOWS\system32\shell32.dll
2006-07-13 10:50 2'897'920 C:\WINDOWS\system32\xpsp2res.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Mouse Suite 98 Daemon"="ICO.EXE"
"ezShieldProtector for Px"="C:\\WINDOWS\\System32\\ezSP_Px.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"Nokia Tray Application"="C:\\Program Files\\Common Files\\Nokia\\NCLTools\\NclTray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl04a\\BrStDvPt.exe"
"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"SpyQuake2.com"="C:\\Program Files\\SpyQuake2.com\\Spy-Quake2.exe /h"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SpyHunter"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"homepage.monitor.exe"="C:\\Program Files\\IntCodec\\isamonitor.exe"
"pmsngr.exe"="C:\\Program Files\\IntCodec\\pmsngr.exe"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: 17.08.2006 9:49:24.20
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt
4. Logfiles from datfind.bat
Volume in drive C has no label.
Volume Serial Number is 54A5-8EF0
Directory of C:\WINDOWS\system32
17.08.2006 09:38 312'172 perfh009.dat
17.08.2006 09:38 40'394 perfc009.dat
17.08.2006 09:38 355'944 PerfStringBackup.INI
17.08.2006 09:36 1'158 wpa.dbl
16.08.2006 18:51 251 spupdwxp.log
16.08.2006 18:50 139'648 FNTCACHE.DAT
16.08.2006 14:49 176'128 viruxz.dll
09.08.2006 12:03 8'325'544 MRT.exe
28.07.2006 13:28 3'054'080 mshtml.dll
27.07.2006 15:24 679'424 inetcomm.dll
25.07.2006 22:33 613'888 urlmon.dll
21.07.2006 10:24 72'704 hlink.dll
14.07.2006 17:31 332'288 netapi32.dll
14.07.2006 17:25 546'304 hhctrl.ocx
13.07.2006 15:33 8'453'632 shell32.dll
05.07.2006 12:55 984'064 kernel32.dll
26.06.2006 19:37 148'480 dnsapi.dll
26.06.2006 19:37 8'192 rasadhlp.dll
23.06.2006 13:02 658'944 wininet.dll
23.06.2006 13:02 1'494'016 shdocvw.dll
23.06.2006 13:02 146'432 msrating.dll
23.06.2006 13:02 474'112 shlwapi.dll
23.06.2006 13:02 39'424 pngfilt.dll
23.06.2006 13:02 532'480 mstime.dll
23.06.2006 13:02 448'512 mshtmled.dll
23.06.2006 13:02 55'808 extmgr.dll
23.06.2006 13:02 205'312 dxtrans.dll
23.06.2006 13:02 1'054'208 danim.dll
23.06.2006 13:02 251'392 iepeers.dll
23.06.2006 13:02 96'256 inseng.dll
23.06.2006 13:02 16'384 jsproxy.dll
23.06.2006 13:02 357'888 dxtmsft.dll
23.06.2006 13:02 151'040 cdfview.dll
23.06.2006 13:02 1'022'976 browseui.dll
23.06.2006 10:34 24'576 xpsp3res.dll
22.06.2006 12:47 181'248 rasmans.dll
19.06.2006 16:20 702'768 WgaLogon.dll
19.06.2006 16:19 571'184 LegitCheckControl.dll
19.06.2006 16:19 304'944 WgaTray.exe
26.05.2006 22:19 163'840 JGDW400.DLL
19.05.2006 14:59 94'720 iphlpapi.dll
19.05.2006 14:59 111'616 dhcpcsvc.dll
18.05.2006 07:24 450'560 jscript.dll
24.04.2006 15:40 4'730'880 wmp.dll
Volume in drive C has no label.
Volume Serial Number is 54A5-8EF0
Directory of C:\WINDOWS
17.08.2006 09:49 212'695 setupact.log
17.08.2006 09:46 2'090'065 WindowsUpdate.log
17.08.2006 09:36 261 wiadebug.log
17.08.2006 09:36 0 0.log
17.08.2006 09:35 49 wiaservc.log
17.08.2006 09:35 2'048 bootstat.dat
17.08.2006 09:33 32'618 SchedLgU.Txt
17.08.2006 08:14 135'229 iis6.log
17.08.2006 08:14 207'020 comsetup.log
17.08.2006 08:14 126'923 ntdtcsetup.log
17.08.2006 08:14 344'220 tsoc.log
17.08.2006 08:14 1'374 imsins.log
17.08.2006 08:14 23'877 ocmsn.log
17.08.2006 08:14 17'146 KB920214.log
17.08.2006 08:14 461'504 ocgen.log
17.08.2006 08:14 44'165 msgsocm.log
17.08.2006 08:14 863'688 FaxSetup.log
17.08.2006 08:14 506'615 setupapi.log
Volume in drive C has no label.
Volume Serial Number is 54A5-8EF0
Directory of C:\DOCUME~1\ALEXAN~1\LOCALS~1\Temp
Volume in drive C has no label.
Volume Serial Number is 54A5-8EF0
Directory of C:\
17.08.2006 09:53 0 sys.txt
17.08.2006 09:53 11'609 system.txt
17.08.2006 09:53 124 systemtemp.txt
17.08.2006 09:53 97'682 system32.txt
17.08.2006 09:49 7'310 ComboFix.txt
17.08.2006 09:34 266'915'840 hiberfil.sys
17.08.2006 09:34 402'653'184 pagefile.sys
17.08.2006 08:49 11'658 windows1.txt
16.08.2006 17:41 211 boot.ini
16.08.2006 17:28 47'564 NTDETECT.COM
16.08.2006 17:28 250'032 ntldr
16.08.2006 15:04 6'042 avenger.txt
16.08.2006 15:00 443 remove.txt
01.07.2004 12:57 4'959'023 FirefoxSetup-0.9.1.exe
22.07.2003 12:39 0 COMLOG.txt
23.06.2003 11:11 628 TBPLOG.TXT
17.04.2003 23:32 0 IO.SYS
17.04.2003 23:32 0 MSDOS.SYS
17.04.2003 23:32 0 CONFIG.SYS
17.04.2003 23:32 0 AUTOEXEC.BAT
20 File(s) 674'961'350 bytes
0 Dir(s) 4'199'419'904 bytes free
Thanks for the help!