Ständig kurzzeitige Rechnerausfälle + andere Probleme (alle Logs gepostet)

#1 hier die logs:

hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 21:05:57, on 30.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINXP\system32\spoolsv.exe
C:\PROGZ\0190WA~1\w0svc.exe
C:\Progz\AVGFRE~1\avgamsvr.exe
C:\WINXP\system32\Ati2evxx.exe
C:\Progz\AVGFRE~1\avgupsvc.exe
C:\Progz\AVGFRE~1\avgemc.exe
C:\WINXP\Explorer.EXE
C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
C:\Programme\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\PROGZ\0190WA~1\WARN0190.EXE
C:\Programme\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINXP\system32\ctfmon.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINXP\system32\wbem\wmiprvse.exe
C:\WINXP\system32\wuauclt.exe
C:\WINXP\system32\wscntfy.exe
C:\WINXP\System32\alg.exe
C:\WINXP\system32\NOTEPAD.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Progz\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [0190 Warner] C:\PROGZ\0190WA~1\WARN0190.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Progz\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Progz\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINXP\system32\WPDShServiceObj.dll
O23 - Service: 0190/0900 Warner Überwachungsdienst (0190_0900_Warner_MonitorService) - Mirko Böer - C:\PROGZ\0190WA~1\w0svc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINXP\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Progz\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Progz\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Progz\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
__________________________________________________________________

Combo Fix:

s”gel - 06-08-30 20:36:14,04
ComboFix 06.08.30BT - Running from: H:\

((((((((((((((((((((((((((((((( Files Created from 2006-07-30 to 2006-08-30 ))))))))))))))))))))))))))))))))))


2006-08-25 16:59 91,904 --a------ C:\WINXP\system32\S32EVNT1.DLL
2006-08-24 18:24 51,261 --a------ C:\WINXP\system32\cscir.exe
2006-08-13 18:56 86,016 --------- C:\WINXP\unvise32.exe
2006-08-05 14:56 171,520 --a------ C:\WINXP\system32\cncs32.dll
2006-08-05 12:19 22,752 --a------ C:\WINXP\system32\spupdsvc.exe
2006-07-31 14:31 63,488 --a------ C:\WINXP\system32\unam4ie.exe
2006-07-31 14:31 4,608 --a------ C:\WINXP\system32\w95inf32.dll
2006-07-31 14:31 38,160 --a------ C:\WINXP\system32\LMRTREND.dll
2006-07-31 14:31 2,272 --a------ C:\WINXP\system32\w95inf16.dll
2006-07-31 14:31 194,320 --a------ C:\WINXP\system32\qcut.dll
2006-07-31 14:31 182,032 --a------ C:\WINXP\system32\dxtmsft3.dll
2006-07-31 14:31 10,240 --a------ C:\WINXP\system32\vidx16.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-30 20:25 -------- d-------- C:\Programme\Mozilla Firefox
2006-08-30 20:24 -------- d-------- C:\Programme\hijackthis
2006-08-30 20:21 -------- dr------- C:\Programme\Gemeinsame Dateien
2006-08-30 20:03 -------- d-------- C:\Programme\CleanUp!
2006-08-30 19:54 -------- d-------- C:\Programme\BeClean
2006-08-28 16:54 -------- d-------- C:\Programme\Norton SystemWorks
2006-08-28 16:53 -------- d-------- C:\Dokumente und Einstellungen\s”gel\Anwendungsdaten\Symantec
2006-08-28 16:41 -------- d-------- C:\Programme\Gemeinsame Dateien\Symantec Shared
2006-08-28 15:56 -------- d-------- C:\Programme\TI Education
2006-08-28 15:55 -------- d-------- C:\Programme\Gemeinsame Dateien\TI Shared
2006-08-28 15:52 -------- d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2006-08-25 20:42 -------- d-------- C:\Programme\Symantec
2006-08-25 20:41 -------- d-------- C:\Programme\SymNetDrv
2006-08-24 19:59 -------- d-------- C:\Dokumente und Einstellungen\s”gel\Anwendungsdaten\Lavasoft
2006-08-24 17:38 -------- d-------- C:\Programme\Zvideo Codec
2006-08-11 17:48 777472 --a------ C:\WINXP\system32\drivers\avg7core.sys
2006-08-11 17:48 27904 --a------ C:\WINXP\system32\drivers\avg7rsxp.sys
2006-08-07 15:02 -------- d-------- C:\Dokumente und Einstellungen\s”gel\Anwendungsdaten\Real
2006-08-07 15:02 -------- d-------- C:\Dokumente und Einstellungen\s”gel\Anwendungsdaten\Media Player Classic
2006-08-07 15:01 -------- d-------- C:\Programme\Media Player Classic
2006-08-05 12:23 -------- d-------- C:\Programme\Windows Media Player
2006-07-31 14:31 -------- d-------- C:\Programme\CyberLink
2006-07-21 10:54 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-07-09 17:40 703631 --a------ C:\WINXP\terrance and phillp in space.exe
2006-07-09 17:40 40960 --a------ C:\WINXP\terrance and phillp in space.dll
2006-07-09 17:40 231328 --a------ C:\WINXP\terrance and phillp in space.scr
2006-07-09 17:38 569522 --a------ C:\WINXP\Towelie.exe
2006-07-09 17:38 40960 --a------ C:\WINXP\Towelie.dll
2006-07-09 17:38 231328 --a------ C:\WINXP\Towelie.scr
2006-07-09 17:34 40960 --a------ C:\WINXP\IT.dll
2006-07-09 17:31 686047 --a------ C:\WINXP\The Cow Cult.exe
2006-07-09 17:31 40960 --a------ C:\WINXP\The Cow Cult.dll
2006-07-09 17:31 231328 --a------ C:\WINXP\The Cow Cult.scr
2006-07-09 17:17 593082 --a------ C:\WINXP\Cartman German Dance Screensave.exe
2006-07-09 17:17 40960 --a------ C:\WINXP\Cartman German Dance Screensave.dll
2006-07-09 17:17 231328 --a------ C:\WINXP\Cartman German Dance Screensave.scr
2006-07-09 17:11 560412 --a------ C:\WINXP\Timmy Screensaver.exe
2006-07-09 17:11 40960 --a------ C:\WINXP\Timmy Screensaver.dll
2006-07-09 17:11 231328 --a------ C:\WINXP\Timmy Screensaver.scr
2006-06-26 15:55 101624 --a------ C:\Dokumente und Einstellungen\s”gel\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2006-06-10 10:27 98304 --a------ C:\WINXP\system32\CmdLineExt.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"0190 Warner"="C:\\PROGZ\\0190WA~1\\WARN0190.EXE"
"ccApp"="\"C:\\Programme\\Gemeinsame Dateien\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINXP\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,b5,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINXP\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\Progz\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINXP\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\Progz\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060830-194034-546
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
backup-20060830-194034-878
O17 - HKLM\System\CS4\Services\Tcpip\..\{1BD71E28-3D8C-4EC8-8565-671F8865E9D5}: NameServer = 85.255.115.6
backup-20060830-194034-600
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
backup-20060830-194034-333
O17 - HKLM\System\CS3\Services\Tcpip\..\{1BD71E28-3D8C-4EC8-8565-671F8865E9D5}: NameServer = 85.255.115.6
backup-20060830-194034-431
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BD71E28-3D8C-4EC8-8565-671F8865E9D5}: NameServer = 85.255.115.6
backup-20060830-194034-245
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
backup-20060830-194034-870
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BD71E28-3D8C-4EC8-8565-671F8865E9D5}: NameServer = 85.255.115.6
backup-20060830-194034-787
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20

Contents of the 'Scheduled Tasks' folder
C:\WINXP\tasks\Norton AntiVirus - Meinen Computer pr�fen.job
C:\WINXP\tasks\Norton SystemWorks One Button Checkup.job
C:\WINXP\tasks\Symantec Drmc.job
C:\WINXP\tasks\Symantec NetDetect.job

Completion time: 30.08.2006 20:37:58.14
ComboFix.txt
_________________________________________________________

datFind.bat:

Datentr„ger in Laufwerk C: ist FESTPLATTE
Volumeseriennummer: 2827-5BAE

Verzeichnis von C:\WINXP\system32

29.08.2006 06:31 364.120 FNTCACHE.DAT
27.08.2006 13:49 2.206 wpa.dbl
25.08.2006 17:17 359.851 ikhcore.log
24.08.2006 17:20 51.261 cscir.exe
08.08.2006 00:51 723 IKWM.css
08.08.2006 00:50 667 IKWM.htm
06.08.2006 11:07 16.832 amcompat.tlb
06.08.2006 11:07 23.392 nscompat.tlb
31.07.2006 14:31 2.272 w95inf16.dll
31.07.2006 14:31 4.608 w95inf32.dll
10.06.2006 10:27 98.304 CmdLineExt.dll
02.06.2006 13:34 4.286 ot.ico


2055 Datei(en) 392.038.285 Bytes
0 Verzeichnis(se), 12.701.122.560 Bytes frei

Datentr„ger in Laufwerk C: ist FESTPLATTE
Volumeseriennummer: 2827-5BAE

Verzeichnis von C:\DOKUME~1\SGEL~1\LOKALE~1\Temp

Datentr„ger in Laufwerk C: ist FESTPLATTE
Volumeseriennummer: 2827-5BAE

Verzeichnis von C:\WINXP

30.08.2006 21:07 316.942 WindowsUpdate.log
30.08.2006 21:01 0 0.log
30.08.2006 20:59 2.048 bootstat.dat
30.08.2006 20:58 32.548 SchedLgU.Txt
28.08.2006 23:02 50 wiaservc.log
28.08.2006 23:02 216 wiadebug.log
28.08.2006 18:36 451.987 setupapi.log
28.08.2006 16:04 68 UpTiDev.INI
26.08.2006 12:30 54.156 QTFont.qfn
26.08.2006 10:37 0 muma2003.INI
25.08.2006 17:04 3.890 SYMEVENT.LOG
24.08.2006 18:24 135.812 ntbtlog.txt
06.08.2006 11:07 44.774 spupdsvc.log
06.08.2006 11:07 99.836 wmsetup.log
05.08.2006 12:25 304 wmsetup10.log
05.08.2006 12:25 6.274 MedCtrOC.log
05.08.2006 12:25 5.066 ehOCGen.log
05.08.2006 12:25 109.957 iis6.log
05.08.2006 12:25 34.859 comsetup.log
05.08.2006 12:25 21.100 ntdtcsetup.log
05.08.2006 12:25 4.494 tabletoc.log
05.08.2006 12:25 39.983 tsoc.log
05.08.2006 12:25 1.355 imsins.log
05.08.2006 12:25 4.170 ocmsn.log
05.08.2006 12:25 13.338 wmp11.log
05.08.2006 12:25 13.484 netfxocm.log
05.08.2006 12:25 15.743 plusoc.log
05.08.2006 12:25 4.193 msgsocm.log
05.08.2006 12:25 52.862 ocgen.log
05.08.2006 12:25 64.752 FaxSetup.log
05.08.2006 12:24 32.396 msmqinst.log
05.08.2006 12:23 3.516 updspapi.log
05.08.2006 12:22 1.355 imsins.BAK
05.08.2006 12:22 9.419 Wudf01000Inst.log
05.08.2006 12:20 17.493 WMFDist11.log
05.08.2006 12:19 316.640 WMSysPr9.prx
04.08.2006 14:58 12.171 EAConfigInfo.txt
31.07.2006 21:14 234 fs_rm.ini
23.07.2006 11:07 278 system.ini
18.07.2006 11:27 251 game.ini
15.07.2006 16:47 7.974 Aware40.mch
15.07.2006 16:47 35 A4W.INI
09.07.2006 17:40 703.631 terrance and phillp in space.exe
09.07.2006 17:40 231.328 terrance and phillp in space.scr
09.07.2006 17:40 40.960 terrance and phillp in space.dll
09.07.2006 17:38 569.522 Towelie.exe
09.07.2006 17:38 231.328 Towelie.scr
09.07.2006 17:38 40.960 Towelie.dll
09.07.2006 17:34 40.960 IT.dll
09.07.2006 17:31 686.047 The Cow Cult.exe
09.07.2006 17:31 231.328 The Cow Cult.scr
09.07.2006 17:31 40.960 The Cow Cult.dll
09.07.2006 17:21 74 control.ini
09.07.2006 17:17 593.082 Cartman German Dance Screensave.exe
09.07.2006 17:17 231.328 Cartman German Dance Screensave.scr
09.07.2006 17:17 40.960 Cartman German Dance Screensave.dll
09.07.2006 17:11 560.412 Timmy Screensaver.exe
09.07.2006 17:11 231.328 Timmy Screensaver.scr
09.07.2006 17:11 40.960 Timmy Screensaver.dll
08.07.2006 15:48 317 snapsaver-s”gel.ini
22.06.2006 15:47 1.409 QTFont.for
11.06.2006 21:30 529 eReg.dat
10.06.2006 13:28 307 cncscore.ini
04.06.2006 15:35 398 CDPlayer.ini
02.06.2006 13:41 13.632 KB912812.log
02.06.2006 13:38 7.040 KB912919.log
02.06.2006 13:23 589 win.ini

140 Datei(en) 13.377.406 Bytes
0 Verzeichnis(se), 12.701.245.440 Bytes frei
Datentr„ger in Laufwerk C: ist FESTPLATTE
Volumeseriennummer: 2827-5BAE

Verzeichnis von C:\

30.08.2006 21:14 0 sys.txt
30.08.2006 21:13 3.689 system.txt
30.08.2006 21:13 131 systemtemp.txt
30.08.2006 21:13 811 system32.txt
30.08.2006 20:59 268.013.568 hiberfil.sys
30.08.2006 20:59 401.915.904 pagefile.sys
30.08.2006 20:37 8.813 ComboFix.txt
110.592 io.sys
24 Datei(en) 690.143.621 Bytes
0 Verzeichnis(se), 12.701.245.440 Bytes frei
_________________________________________________

das größte problem ist das mein computer ständig kleine Ausfälle hat, dann kann ich die maus nicht mehr bewegen, aber der rechner selbst hört auch auf zu arbeiten. Ist quasi kurz stillgelegt. das passiert manchmal auch erst wenn die Sitzung schon einige stunden läuft. die zeit der ausfälle variiert.

manchmal findet mien Arbeitsplatz auch die Festplatten nicht, was anschließend zum Absturz des Explorer.exe führt.

was auch auffällig ist, ist das meine festplatte oft eigenartige geräusche macht...manchmal dreht sie sich abwechselnd ganz schnell dann nicht mehr...

ich denke das es an einem virus/wurm/etc. liegt, leider konnte bis jetzt kein Virusprogramm diese fehler beheben (Norton, AVG, CleanUp, BeClean, AdAware, und und und), ich hoffe ihr findet was in den Logs.

Danke für jede Hilfe,
Soegel

#2 soegel

die Internetverbindung wird/wurde auf einen Server in die Ukraine umgeleitet....hast es ja schon mit HijackThis gefixt.... haettest du auch sagen koennen, dass du schon rumgebastelt hast...

1.
Pocket KillBox
http://virus-protect.org/killbox.html

Options: "Delete on Reboot" und "Single File"--> anhaken
und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"
reinkopieren: ...........

C:\WINXP\system32\cscir.exe
C:\WINXP\system32\ot.ico

PC neustarten

2.
scanne und poste den report
http://virus-protect.org/artikel/tools/fixwareout.html

3.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fixme.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.
Die Datei "fixme.reg" auf dem Desktop doppelklicken

Zitat

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

4.
F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml

1. Klicke den Link: "F-Secure Online Scanner Next Generation Beta".
2. Du wirst aufgefordert werden, ein ActiveX-Control zu installieren
3. Installiere diese ActiveX-Komponente
4. Lies die Anleitung und klicke: "Accept"
5. Klicke "Full System Scan"
6. klicke "Show report" - kopiere den Scanreport

5.
scanne und poste den report
http://virus-protect.org/artikel/tools/superantispyware.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 F-Secure Online Scanner Next Generation Beta:

Scanning Report
Friday, September 01, 2006 16:00:24 - 20:21:01
Computer name: SOEGEL
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ G:\ H:\


--------------------------------------------------------------------------------

Result: 20 malware found
Backdoor.IRC.Zapchast (virus)
D:\WINNT\SYSTEM\DRIVER\NTAUTH.DLL (Renamed & Submitted)
Trojan.JS.Fav.e (virus)
C:\PROGRAMME\NORTON ANTIVIRUS\QUARANTINE\6AB857BD.HTML (Renamed & Submitted)
Trojan.JS.Seeker.ac (virus)
C:\PROGRAMME\NORTON ANTIVIRUS\QUARANTINE\6DFD1924.HTML (Renamed & Submitted)
C:\PROGRAMME\NORTON ANTIVIRUS\QUARANTINE\6E9D6D9B.HTML (Renamed & Submitted)
Trojan.Java.Binny.a (virus)
C:\PROGRAMME\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\2D1E4E3C (Renamed & Submitted)
C:\PROGRAMME\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\30674D7B (Renamed & Submitted)
Trojan.Java.Nocheat (virus)
C:\PROGRAMME\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\308E4550 (Renamed & Submitted)
Trojan.Win32.Small.fb (virus)
C:\WINXP\SYSTEM32\DMBPO.EXE (Renamed & Submitted)
Trojan.Win32.StartPage.qr (virus)
C:\PROGRAMME\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\26D54C02 (Renamed & Submitted)
C:\PROGRAMME\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\26DC1FFB (Renamed & Submitted)
C:\PROGRAMME\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\26DF49F7 (Renamed & Submitted)
C:\PROGRAMME\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\2DE362B4 (Renamed & Submitted)
D:\SYSTEM VOLUME INFORMATION\_RESTORE{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP94\A0028795.DLL (Renamed & Submitted)
D:\SYSTEM VOLUME INFORMATION\_RESTORE{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP94\A0028796.DLL (Renamed & Submitted)
D:\SYSTEM VOLUME INFORMATION\_RESTORE{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP94\A0028797.DLL (Renamed & Submitted)
D:\SYSTEM VOLUME INFORMATION\_RESTORE{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP94\A0028798.DLL (Renamed & Submitted)
W32/DLoader.BUQ (virus)
D:\SYSTEM VOLUME INFORMATION\_RESTORE{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP93\A0025468.DLL
W32/ServU.DV (virus)
D:\SYSTEM VOLUME INFORMATION\_RESTORE{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP94\A0028799.EXE
W32/Startpage.CIC (virus)
D:\WINNT\SYSTEM32\PMTINSTALLER.EXE
W32/WinFetcher.B.dropper (virus)
D:\SYSTEM VOLUME INFORMATION\_RESTORE{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP94\A0028800.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 28072
System: 4139
Not scanned: 5
Actions:
Disinfected: 0
Renamed: 16
Deleted: 0
None: 4
Submitted: 16
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINXP\SYSTEM32\DRIVERS\DTSCSI.SYS
C:\WINXP\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINXP\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-09-01
F-Secure Libra: 2.4.1, 2006-08-30
F-Secure Orion: 1.2.37, 2006-09-01
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Draco: 1.0.35, 2006-08-28
F-Secure Pegasus: 1.19.0, 2006-07-30
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

Fixwareout:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}943FB0EC5576-A5F9-7C04-08D2-A9ADD271{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ntdmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1trap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\2trap
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINXP\SYSTEM32\DMBPO.EXE 61.998 2004-11-11

Other suspects.
Directory of C:\WINXP\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

#4 soegel

1.
loesche mit der killbox:
http://virus-protect.org/killbox.html

C:\WINXP\SYSTEM32\DMBPO.EXE

---------------------------------------------------------------------
2.
multiavtool
http://virus-protect.org/multiavtool.html
klicke "2" , nun beginnt der Scan von Trend Micro

poste den scanreport

3.
scanne und poste den report
http://virus-protect.org/artikel/tools/superantispyware.html

4.
Arbeitsplatz-->Rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.
(dann wieder aktivieren)

5.
loesche das backup vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Super Anti Spyware:

SUPERAntiSpyware Scan Log
Generated 09/02/2006 at 01:58 AM

Core Rules Database Version : 3071
Trace Rules Database Version: 1110

Memory Thread detected : 0
Registry Thread detected : 0
File Thread detected : 42

Adware.Tracking Cookie
C:\Dokumente und Einstellungen\sögel\Cookies\sögel@ad.yieldmanager[2].txt
C:\Dokumente und Einstellungen\sögel\Cookies\sögel@ads.neodelight[1].txt
C:\Dokumente und Einstellungen\sögel\Cookies\sögel@server.cpmstar[2].txt
C:\Dokumente und Einstellungen\sögel\Cookies\sögel@mediavantage[1].txt
D:\Dokumente und Einstellungen\Fredo Zacharias\Cookies\choppedliver@ad.adition[2].txt
D:\Dokumente und Einstellungen\Fredo Zacharias\Cookies\choppedliver@hmt.connexpromotions[2].txt
D:\Dokumente und Einstellungen\Fredo Zacharias\Cookies\choppedliver@ads.gameforgeads[2].txt
D:\Dokumente und Einstellungen\Fredo Zacharias\Cookies\choppedliver@stats24[1].txt
D:\Dokumente und Einstellungen\Fredo Zacharias\Cookies\choppedliver@adopt.euroclick[1].txt
D:\Dokumente und Einstellungen\Fredo Zacharias\Cookies\choppedliver@ads.planetactive[2].txt
D:\Dokumente und Einstellungen\Fredo Zacharias\Cookies\choppedliver@komtrack[2].txt
D:\Dokumente und Einstellungen\Fredo Zacharias\Cookies\choppedliver@msnportal.112.2o7[1].txt
D:\Dokumente und Einstellungen\Fredo Zacharias\Cookies\choppedliver@4stats[2].txt

Trojan.Security Toolbar
C:\Dokumente und Einstellungen\All Users\Startmenü\Online Security Guide.url
C:\Dokumente und Einstellungen\All Users\Startmenü\Security Troubleshooting.url

Trojan.DOmen
C:\!KillBox\cscir.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP100\A0033822.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP101\A0034432.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP93\A0023299.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP93\A0023303.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP93\A0024299.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP93\A0025302.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP93\A0025348.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP93\A0025359.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP93\A0027488.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP93\A0027495.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP93\A0027501.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP93\A0028728.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP94\A0028907.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP95\A0028964.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP96\A0029111.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP96\A0029262.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP96\A0029294.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP97\A0030306.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP97\A0030329.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP97\A0030363.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP97\A0030370.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP97\A0030371.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP97\A0030375.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP97\A0030383.exe
C:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP97\A0030395.exe
C:\WINXP\system32\DMBPO.0XE

Trend Micro System Cleaner:

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2006-09-02, 02:37:21, Auto-clean mode specified.
2006-09-02, 02:37:21, Running scanner "c:\AV-CLS\Trend\TSC.BIN"...
2006-09-02, 02:38:05, Scanner "c:\AV-CLS\Trend\TSC.BIN" has finished running.
2006-09-02, 02:38:05, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Sa Sep 02 2006 02:37:25

Load Damage Cleanup Template (DCT) "c:\AV-CLS\Trend\tsc.ptn" (version 778) [success]

Complete time : Sa Sep 02 2006 02:38:05
Execute pattern count(2951), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-09-02, 02:39:12, An error was detected on "C:\System Volume Information\*.*": Zugriff verweigert
2006-09-02, 02:40:01, An error was detected on "G:\System Volume Information\*.*": Zugriff verweigert
2006-09-02, 02:40:15, An error was detected on "H:\System Volume Information\*.*": Zugriff verweigert
2006-09-02, 03:21:49, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/2/2006 02:40:25
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (130719 Patterns) (2006/09/01) (371500)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=c:\AV-CLS\Trend

38644 files have been read.
38644 files have been checked.
35273 files have been scanned.
69847 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/2/2006 03:21:47
---------*---------*---------*---------*---------*---------*---------*---------*
2006-09-02, 03:21:49, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/2/2006 02:40:25
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (130719 Patterns) (2006/09/01) (371500)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=c:\AV-CLS\Trend

38644 files have been read.
38644 files have been checked.
35273 files have been scanned.
69847 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/2/2006 03:21:47 41 minutes 20 seconds (2479.55 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-09-02, 03:21:49, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/2/2006 02:40:25
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (130719 Patterns) (2006/09/01) (371500)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=c:\AV-CLS\Trend

38644 files have been read.
38644 files have been checked.
35273 files have been scanned.
69847 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/2/2006 03:21:47 41 minutes 20 seconds (2479.55 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-09-02, 03:21:49, Scanner "c:\AV-CLS\Trend\VSCANTM.BIN" has finished running.
2006-09-02, 03:51:47, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/2/2006 03:21:58
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (130719 Patterns) (2006/09/01) (371500)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=c:\AV-CLS\Trend

D:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP94\A0028799.exe [TROJ_SERVU.Q]
D:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP101\A0034433.DLL [IRC_Generic.Z]
D:\WINNT\system\DRIVER\ntsrv.exe [TROJ_Generic]
D:\WINNT\system\DRIVER\NTAUTH.0LL [IRC_Generic.Z]
D:\WINNT\sysdllwm.reg [REG_SEEKER.D]
D:\Dokumente und Einstellungen\Fredo Zacharias\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-45030a30-757affe3.class [JS_Generic.Z]
D:\Dokumente und Einstellungen\Fredo Zacharias\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\ok.class-377e0ae3-67d491c5.class [JAVA_NOCHEAT.A]
24576 files have been read.
24576 files have been checked.
21817 files have been scanned.
79043 files have been scanned. (including files in archived)
7 files containing viruses.
Found 7 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/2/2006 03:51:46
---------*---------*---------*---------*---------*---------*---------*---------*
2006-09-02, 03:51:47, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/2/2006 03:21:58
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (130719 Patterns) (2006/09/01) (371500)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=c:\AV-CLS\Trend

Success Clean [ TROJ_SERVU.Q]( 1) from D:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP94\A0028799.exe
Can not Clean [ IRC_Generic.Z]( 1) from D:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP101\A0034433.DLL
Success Clean [ TROJ_Generic]( 1) from D:\WINNT\system\DRIVER\ntsrv.exe
Can not Clean [ IRC_Generic.Z]( 1) from D:\WINNT\system\DRIVER\NTAUTH.0LL
Success Clean [ REG_SEEKER.D]( 1) from D:\WINNT\sysdllwm.reg
Can not Clean [ JS_Generic.Z]( 1) from D:\Dokumente und Einstellungen\Fredo Zacharias\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-45030a30-757affe3.class
Success Clean [ JAVA_NOCHEAT.A]( 1) from D:\Dokumente und Einstellungen\Fredo Zacharias\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\ok.class-377e0ae3-67d491c5.class
24576 files have been read.
24576 files have been checked.
21817 files have been scanned.
79043 files have been scanned. (including files in archived)
7 files containing viruses.
Found 7 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/2/2006 03:51:46 29 minutes 40 seconds (1780.47 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-09-02, 03:51:47, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/2/2006 03:21:58
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (130719 Patterns) (2006/09/01) (371500)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=c:\AV-CLS\Trend

Can not Clean [ IRC_Generic.Z]( 1) from D:\System Volume Information\_restore{7146E9AB-1288-4533-9592-8A3F0599A86B}\RP101\A0034433.DLL
Can not Clean [ IRC_Generic.Z]( 1) from D:\WINNT\system\DRIVER\NTAUTH.0LL
Can not Clean [ JS_Generic.Z]( 1) from D:\Dokumente und Einstellungen\Fredo Zacharias\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-45030a30-757affe3.class
24576 files have been read.
24576 files have been checked.
21817 files have been scanned.
79043 files have been scanned. (including files in archived)
7 files containing viruses.
Found 7 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/2/2006 03:51:46 29 minutes 40 seconds (1780.47 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-09-02, 03:51:47, Scanner "c:\AV-CLS\Trend\VSCANTM.BIN" has finished running.
2006-09-02, 03:53:38, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/2/2006 03:51:51
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (130719 Patterns) (2006/09/01) (371500)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 G:\*.* /P=c:\AV-CLS\Trend

4737 files have been read.
4737 files have been checked.
2069 files have been scanned.
2272 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/2/2006 03:53:38
---------*---------*---------*---------*---------*---------*---------*---------*
2006-09-02, 03:53:38, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/2/2006 03:51:51
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (130719 Patterns) (2006/09/01) (371500)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 G:\*.* /P=c:\AV-CLS\Trend

4737 files have been read.
4737 files have been checked.
2069 files have been scanned.
2272 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/2/2006 03:53:38 1 minute 45 seconds (104.64 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-09-02, 03:53:38, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/2/2006 03:51:51
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (130719 Patterns) (2006/09/01) (371500)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 G:\*.* /P=c:\AV-CLS\Trend

4737 files have been read.
4737 files have been checked.
2069 files have been scanned.
2272 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/2/2006 03:53:38 1 minute 45 seconds (104.64 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-09-02, 03:53:38, Scanner "c:\AV-CLS\Trend\VSCANTM.BIN" has finished running.
2006-09-02, 04:12:44, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/2/2006 03:53:39
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (130719 Patterns) (2006/09/01) (371500)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 H:\*.* /P=c:\AV-CLS\Trend

25545 files have been read.
25545 files have been checked.
20395 files have been scanned.
68033 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/2/2006 04:12:42
---------*---------*---------*---------*---------*---------*---------*---------*
2006-09-02, 04:12:45, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/2/2006 03:53:39
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (130719 Patterns) (2006/09/01) (371500)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 H:\*.* /P=c:\AV-CLS\Trend

25545 files have been read.
25545 files have been checked.
20395 files have been scanned.
68033 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/2/2006 04:12:42 19 minutes 1 second (1141.24 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-09-02, 04:12:45, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 9/2/2006 03:53:39
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (130719 Patterns) (2006/09/01) (371500)
Command Line: c:\AV-CLS\Trend\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 H:\*.* /P=c:\AV-CLS\Trend

25545 files have been read.
25545 files have been checked.
20395 files have been scanned.
68033 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 9/2/2006 04:12:42 19 minutes 1 second (1141.24 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-09-02, 04:12:45, Scanner "c:\AV-CLS\Trend\VSCANTM.BIN" has finished running.

hijackthis-log

Logfile of HijackThis v1.99.1
Scan saved at 09:37:08, on 02.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINXP\system32\spoolsv.exe
C:\PROGZ\0190WA~1\w0svc.exe
C:\Progz\AVGFRE~1\avgamsvr.exe
C:\Progz\AVGFRE~1\avgupsvc.exe
C:\Progz\AVGFRE~1\avgemc.exe
C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
C:\Programme\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Programme\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINXP\System32\alg.exe
C:\WINXP\system32\wscntfy.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\wbem\wmiprvse.exe
C:\PROGZ\0190WA~1\WARN0190.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\WINXP\system32\ctfmon.exe
C:\WINXP\system32\wuauclt.exe
C:\Programme\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Progz\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [0190 Warner] C:\PROGZ\0190WA~1\WARN0190.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\DOKUME~1\SGEL~1\LOKALE~1\Temp\SSUPDATE.EXE Software\SUPERAntiSpyware.com\SUPERAntiSpyware
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Progz\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Progz\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINXP\system32\WPDShServiceObj.dll
O23 - Service: 0190/0900 Warner Überwachungsdienst (0190_0900_Warner_MonitorService) - Mirko Böer - C:\PROGZ\0190WA~1\w0svc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINXP\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Progz\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Progz\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Progz\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE

-->> hijack-backups hab ich gelöscht (vor dem obigen check)
-->> systemwiederherstellung habe ich deaktiviert und wieder aktiviert

-> ich glaube die fehler sind behoben, seit den letzten zwei reboots ist nichts mehr passiert, hoffentlich bleibts auch so...
ich hab jetzt mal einen Systemwiederherstellungspunkt erstellt.
ist das normal das anhand der systemprüfpunkte die systemwiederherstellung bei mir nicht funktioniert?

#6 soegel

Information Trojan.Runas.A
http://virus-protect.org/artikel/dienste/runas.html

Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein:

Zitat

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTSVCMGR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTSVCMGR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTSVCMGR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTSVCMGR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTSVCMGR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTSVCMGR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTBOOT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTBOOT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTBOOT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTBOOT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTBOOT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTBOOT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTSVCMGR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTSVCMGR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTSVCMGR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTSVCMGR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTSVCMGR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTSVCMGR

Files to delete:
D:\WINNT\sysdllwm.reg
D:\WINNT\system\DRIVER\NTAUTH.0LL
D:\WINNT\system\DRIVER\ntsrv.exe
D:\WINNT\system\DRIVER\csrss.exe
D:\WINNT\system\DRIVER\services.exe
D:\WINNT\system\DRIVER\ntauth.dll

klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

**
poste das log vom avenger, was nach neustart erscheint

**
entpacke die datfindbat auf D:\ und poste die 4 logs
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#7 avanger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wrldyowp

*******************

Script file located at: \??\C:\WINXP\sfyafcin.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTSVCMGR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTSVCMGR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTSVCMGR
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTSVCMGR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTSVCMGR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTSVCMGR
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTSVCMGR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTSVCMGR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTSVCMGR
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTSVCMGR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTSVCMGR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTSVCMGR
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTSVCMGR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTSVCMGR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTSVCMGR
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTSVCMGR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTSVCMGR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTSVCMGR
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTBOOT not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTBOOT failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTBOOT
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTBOOT not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTBOOT failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTBOOT
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTBOOT not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTBOOT failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTBOOT
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTBOOT not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTBOOT failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTBOOT
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTBOOT not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTBOOT failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTBOOT
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTBOOT not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTBOOT failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTBOOT
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTSVCMGR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTSVCMGR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTSVCMGR
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTSVCMGR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTSVCMGR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTSVCMGR
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTSVCMGR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTSVCMGR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTSVCMGR
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTSVCMGR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTSVCMGR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTSVCMGR
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTSVCMGR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTSVCMGR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTSVCMGR
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTSVCMGR not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTSVCMGR failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTSVCMGR
Status: 0xc0000034



File D:\WINNT\sysdllwm.reg not found!
Deletion of file D:\WINNT\sysdllwm.reg failed!
Status: 0xc0000034
File D:\WINNT\system\DRIVER\NTAUTH.0LL deleted successfully.


File D:\WINNT\system\DRIVER\ntsrv.exe not found!
Deletion of file D:\WINNT\system\DRIVER\ntsrv.exe failed!
Status: 0xc0000034



File D:\WINNT\system\DRIVER\csrss.exe not found!
Deletion of file D:\WINNT\system\DRIVER\csrss.exe failed!
Status: 0xc0000034



File D:\WINNT\system\DRIVER\services.exe not found!
Deletion of file D:\WINNT\system\DRIVER\services.exe failed!
Status: 0xc0000034



File D:\WINNT\system\DRIVER\ntauth.dll not found!
Deletion of file D:\WINNT\system\DRIVER\ntauth.dll failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

datfind auf D:

Datentr„ger in Laufwerk D: ist FESTPLATTE
Volumeseriennummer: 2F34-16F0

Verzeichnis von D:\

04.08.2006 16:33 1.652.736 Thumbs.db
23.01.2006 15:36 429 datFind.bat
19.07.2005 20:18 194 Desktop.ini
3 Datei(en) 1.653.359 Bytes
0 Verzeichnis(se), 12.196.880.384 Bytes frei

Datentr„ger in Laufwerk D: ist FESTPLATTE
Volumeseriennummer: 2F34-16F0

Verzeichnis von D:\

02.09.2006 16:03 357 systemtemp.txt
04.08.2006 16:33 1.652.736 Thumbs.db
23.01.2006 15:36 429 datFind.bat
19.07.2005 20:18 194 Desktop.ini
4 Datei(en) 1.653.716 Bytes
0 Verzeichnis(se), 12.196.872.192 Bytes frei
Datentr„ger in Laufwerk D: ist FESTPLATTE
Volumeseriennummer: 2F34-16F0

Verzeichnis von D:\

02.09.2006 16:03 409 system.txt
02.09.2006 16:03 357 systemtemp.txt
04.08.2006 16:33 1.652.736 Thumbs.db
23.01.2006 15:36 429 datFind.bat
19.07.2005 20:18 194 Desktop.ini
5 Datei(en) 1.654.125 Bytes
0 Verzeichnis(se), 12.196.864.000 Bytes frei

Datentr„ger in Laufwerk D: ist FESTPLATTE
Volumeseriennummer: 2F34-16F0

Verzeichnis von D:\

02.09.2006 16:03 457 sys.txt
02.09.2006 16:03 409 system.txt
02.09.2006 16:03 357 systemtemp.txt
04.08.2006 16:33 1.652.736 Thumbs.db
23.01.2006 15:36 429 datFind.bat
19.07.2005 20:18 194 Desktop.ini
6 Datei(en) 1.654.582 Bytes
0 Verzeichnis(se), 12.196.855.808 Bytes frei

#8 ich gehe mal davon aus, dass die Virenscanner die Viren geloescht haben.
wie steht es mit den Ausfaellen ? laeuft wieder alles rund ?

ServiceFilter.zip
http://virus-protect.org/artikel/tools/ServiceFilter.zip

- entzippen
- doppelklick auf die datei ServiceFilter.vbs
- versions-nummer bestätigen
- scannen
- öffnen von wordpad oder editor erlauben
- POST_THIS.TXT abkopieren
__________
MfG Sabina

rund um die PC-Sicherheit

#9 service filter:

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 2
Sep 2, 2006 16:17:59


---> Begin Service Listing <---

Unknown Service # 1
Service Name: 0190_0900_Warner_MonitorService
Display Name: 0190/0900 Warner Überwachungsdienst
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progz\0190wa~1\w0svc.exe
State: Running
Process ID: 1832
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #2
Service Name: aspnet_state
Display Name: ASP.NET State Service
Start Mode: Manual
Start Name: NT AUTHORITY\NetworkService
Description: Provides support for out-of-process session states for ASP.NET. If this service is stopped, ...
Service Type: Own Process
Path: c:\winxp\microsoft.net\framework\v2.0.50727\aspnet_state.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #3
Service Name: Avg7Alrt
Display Name: AVG7 Alert Manager Server
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progz\avgfre~1\avgamsvr.exe
State: Running
Process ID: 1860
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #4
Service Name: Avg7UpdSvc
Display Name: AVG7 Update Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progz\avgfre~1\avgupsvc.exe
State: Running
Process ID: 1876
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 5
Service Name: AVGEMS
Display Name: AVG E-mail Scanner
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progz\avgfre~1\avgemc.exe
State: Running
Process ID: 1920
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #6
Service Name: ccEvtMgr
Display Name: Symantec Event Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec Event ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\symantec shared\ccevtmgr.exe"
State: Running
Process ID: 1564
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #7
Service Name: ccPwdSvc
Display Name: Symantec Password Validation
Start Mode: Manual
Start Name: LocalSystem
Description: Symantec Password Validation ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\symantec shared\ccpwdsvc.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #8
Service Name: ccSetMgr
Display Name: Symantec Settings Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec Settings ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\symantec shared\ccsetmgr.exe"
State: Running
Process ID: 1520
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 9
Service Name: clr_optimization_v2.0.50727_32
Display Name: .NET Runtime Optimization Service v2.0.50727_X86
Start Mode: Manual
Start Name: LocalSystem
Description: Microsoft .NET Framework ...
Service Type: Own Process
Path: c:\winxp\microsoft.net\framework\v2.0.50727\mscorsvw.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #10
Service Name: GhostStartService
Display Name: GhostStartService
Start Mode: Auto
Start Name: LocalSystem
Description: Background service to allow Norton Ghost to perform priviledged ...
Service Type: Own Process
Path: c:\progra~1\norton~2\norton~4\ghosts~2.exe
State: Running
Process ID: 1956
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service # 11
Service Name: IDriverT
Display Name: InstallDriver Table Manager
Start Mode: Manual
Start Name: LocalSystem
Description: Provides support for the Running Object Table for InstallShield ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\installshield\driver\11\intel 32\idrivert.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #12
Service Name: navapsvc
Display Name: Norton AntiVirus Auto-Protect-Dienst
Start Mode: Auto
Start Name: LocalSystem
Description: Verarbeitet Norton AntiVirus ...
Service Type: Own Process
Path: "c:\programme\norton systemworks\norton antivirus\navapsvc.exe"
State: Running
Process ID: 2004
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #13
Service Name: NProtectService
Display Name: Norton Unerase Protection
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\norton~2\norton~2\nprotect.exe
State: Running
Process ID: 256
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #14
Service Name: SAVScan
Display Name: SAVScan
Start Mode: Auto
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect Archive ...
Service Type: Own Process
Path: "c:\programme\norton systemworks\norton antivirus\savscan.exe"
State: Running
Process ID: 392
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #15
Service Name: SBService
Display Name: ScriptBlocking Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\gemein~1\symant~1\script~1\sbserv.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #16
Service Name: SNDSrvc
Display Name: Symantec Network Drivers Service
Start Mode: Manual
Start Name: LocalSystem
Description: Symantec Network Drivers ...
Service Type: Own Process
Path: "c:\programme\gemeinsame dateien\symantec shared\sndsrvc.exe"
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service #17
Service Name: Speed Disk service
Display Name: Speed Disk service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\norton~2\norton~2\speedd~1\nopdb.exe
State: Running
Process ID: 772
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

Unknown Service #18
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Verwaltet Software-basierte Schattenkopien des Volumeschattenkopie-Dienstes. Software-basierte ...
Service Type: Own Process
Path: c:\winxp\system32\dllhost.exe /processid:{fe78a69a-ad58-4694-a689-9a94e4100a0e}
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 19
Service Name: WMPNetworkSvc
Display Name: Windows Media Player Network Sharing Service
Start Mode: Manual
Start Name: NT AUTHORITY\NetworkService
Description: Shares Windows Media Player libraries to other networked players and media devices using Universal ...
Service Type: Own Process
Path: c:\programme\windows media player\wmpnetwk.exe
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

Unknown Service # 20
Service Name: WudfSvc
Display Name: Windows Driver Foundation - User-mode Driver Framework
Start Mode: Manual
Start Name: LocalSystem
Description: Manages user-mode driver host ...
Service Type: Share Process
Path: c:\winxp\system32\svchost.exe -k wudfservicegroup
State: Stopped
Process ID: 0
Started: Falsch
Exit Code: 1077
Accept Pause: Falsch
Accept Stop: Falsch

---> End Service Listing <---

There are 100 Win32 services on this machine.
20 were unrecognized.

Script Execution Time: 15,62109 seconds.

______________________________________

eine frage: wenn ich Norton AntiVirus 2004 im autostart habe, muss ich dann noch die Windows Firewall aktiviert haben oder kann ich die dann auch ausmachen?

ja es scheint wieder alles zu funktionieren^^...
ich möcht mich nochmal ganz ganz doll bedanken für deine Hilfe.

#10 Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" ( reinkopieren)

Windows Driver Foundation
WudfSvc


in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.
__________
MfG Sabina

rund um die PC-Sicherheit

#11 ich hab hier nochmal ein hijackthis-log vom abgesicherten modus:

Logfile of HijackThis v1.99.1
Scan saved at 18:47:30, on 03.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\rundll32.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\DOKUME~1\ADMINI~1.SOE\LOKALE~1\Temp\Temporäres Verzeichnis 2 für regsearch.zip\regsearch.exe
C:\Programme\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://cf.icq.com/cf/icq5/0/unregister.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Progz\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXP\system32\CTFMON.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINXP\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINXP\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Progz\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Progz\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Progz\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~4\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE

regsearch

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 03.09.2006 18:46:48 for strings:
; 'windows driver foundation
wudfsvc
windows driver foundation'
; 'wudfsvc'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Wudf01000\Filelist\3]
"FileName"="WudfSvc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
; Contents of value:
; WUDFSvc
;
"WudfServiceGroup"=hex(7):57,55,44,46,53,76,63,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WudfSvc\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WudfSvc\Parameters]
; Contents of value:
; %systemroot%\system32\wudfsvc.dll
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,57,55,44,46,53,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WudfSvc\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WudfSvc\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WudfSvc\Parameters]
; Contents of value:
; %systemroot%\system32\wudfsvc.dll
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,57,55,44,46,53,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WudfSvc\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\WudfSvc\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\WudfSvc\Parameters]
; Contents of value:
; %systemroot%\system32\wudfsvc.dll
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,57,55,44,46,53,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\WudfSvc\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WudfSvc\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WudfSvc\Parameters]
; Contents of value:
; %systemroot%\system32\wudfsvc.dll
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,57,55,44,46,53,76,63,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WudfSvc\Security]

; End Of The Log...

Leider muss ich sagen das die AUsfälle doch noch da sind , aber wenigstens kann ich noch im abgesicherten modus gut arbeiten...

#12 1,
Start > Ausfuehren --> reinschreiben --> cmd.exe
und ok. kopiere rein und poste alles, was im Texteditor erscheint

dir /s /a "c:\wudfsvc*.*" > c:\find.txt & start notepad c:\find.txt

2.
virustotal
Oben auf der Seite --> auf Durchsuchen klicken --> Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten

http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\wudfsvc.dll

poste den bericht

3.
poste das log
RootkitRevealer
http://www.sysinternals.com/Utilities/RootkitRevealer.html
__________
MfG Sabina

rund um die PC-Sicherheit

#13 cmd.exe

Datentr„ger in Laufwerk C: ist FESTPLATTE
Volumeseriennummer: 2827-5BAE

Verzeichnis von c:\WINXP\system32

11.04.2006 14:26 54.272 WudfSvc.dll
1 Datei(en) 54.272 Bytes

Anzahl der angezeigten Dateien:
1 Datei(en) 54.272 Bytes
0 Verzeichnis(se), 14.768.046.080 Bytes frei

Virus Total

Complete scanning result of "wudfsvc.dll", received in VirusTotal at 09.03.2006, 21:19:59 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
F-Prot4 n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found
VirusBuster n - no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
packers: UPX, embedded
Norman SandBox:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Decompressing UPX.
* Creating several executable files on hard-drive.
* File length: 108032 bytes.

[ Changes to filesystem ]
* Creates file C:WINDOWSSYSTEM32hktlgzk.dll.
* Creates file C:WINDOWSSYSTEM32oqidqbm.dll.

[ Changes to registry ]
* Creates key "HKLMSoftwareAdwareDisableKey3".
* Sets value "default"="281485209" in key "HKLMSoftwareAdwareDisableKey3".
* Creates key "HKCUSoftwareAdwareDisableKey3".
* Sets value "default"="281485209" in key "HKCUSoftwareAdwareDisableKey3".
* Deletes value "6af32331.exe" in key "HKCUSoftwareMicrosoftWindowsCurrentVersionRun".
* Deletes value "6af32331.exe" in key "HKLMSoftwareMicrosoftWindowsCurrentVersionRun".
* Creates value "hktlgzk.dll"="C:WINDOWS undll32.exe C:WINDOWSSYSTEM32hktlgzk.dll,jiwrayd" in key "HKLMSoftwareMicrosoftWindowsCurrentVersionRun".
* Creates key "HKCRCLSID{059DD432-4917-A8BF-8284-02E2E7D514B2}InprocServer32".
* Sets value "default"="C:WINDOWSSYSTEM32oqidqbm.dll" in key "HKCRCLSID{059DD432-4917-A8BF-8284-02E2E7D514B2}InprocServer32".
* Sets value "ThreadingModel"="Apartment" in key "HKCRCLSID{059DD432-4917-A8BF-8284-02E2E7D514B2}InprocServer32".
* Creates key "HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{059DD432-4917-A8BF-8284-02E2E7D514B2}".

[ Process/window information ]
* Creates a mutex 7ff32331.
* Enumerates running processes.
* Will automatically restart after boot (I'll be back...).
* Uses rundll32.exe to run function "jiwrayd" in library "C:WINDOWSSYSTEM32hktlgzk.dll".

#14 insteressant, nun sitzen wir in der Tinte... es scheint ein Dienst von MS zu sein, die Virenscanner schlafen und es ist augenscheinlich ein Virus.
und nun ?
bist du vorbereitet zu formatieren ? nur dann lasse ich mich weiter auf eine riskante reinigung ein.....
__________
MfG Sabina

rund um die PC-Sicherheit

#15 das log vom rootkit revealer ist zu lang ich kann es nicht, deswegen als anhang...
ausserdem bekomme ich einen fehler am ende vom rootkit das mit cmd.exe zu tun hat...
http://server6.theimagehosting.com/image.php?img=Unbenannt.ea7.JPG

ja, ich hab mir schon gedacht das es wohl bald zum formatieren übergeht.
wenns nicht anders geht (und danach siehts ja aus) dann müssen wir das machen...