Virus WS32/Nsag.B
Thread is closed!

#0
27.09.2006, 23:33
...new here
Posts: 10

28.09.2006, 16:05
Honorary member
Posts: 29434
#2
erolakpinar
post this log: http://virus-protect.org/artikel/tools/combofix.html
is for me:
Quote:
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
__________
Kind regards, Sabina
all about PC security

28.09.2006, 18:26
...new here
Thread starter, Posts: 10
#3
So I have now got rid of the virus in safe mode .. but the white background is still there.. I will post the ComboFix log as soon as I am back home from work

29.09.2006, 00:49
Honorary member
Posts: 29434
#4
post everything, then we will get this clean again
__________
Kind regards, Sabina
all about PC security

02.10.2006, 19:50
...new here
Thread starter, Posts: 10
#5
Combofix Log>
Hüseyin - 06-10-02 19:49:09,97 Service Pack 2, v.2096
ComboFix 06.09.28 - Running from: "C:\Dokumente und Einstellungen\Hüseyin\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Dokumente und Einstellungen\Hüseyin\Anwendungsdaten\Install.dat
((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))
2006-09-27 21:46 57,384 --a------ C:\WINDOWS\system32\avsda.dll
2006-09-27 21:46 32,768 --a------ C:\WINDOWS\system32\drivers\avgntdd.sys
2006-09-27 21:46 14,848 --a------ C:\WINDOWS\system32\drivers\avgntmgr.sys
2006-09-27 21:09 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2006-09-27 20:29 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-09-27 20:29 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-09-11 18:35 9,897 --------- C:\WINDOWS\system32\svch1.exe
2006-09-11 18:35 4,096 -rah----- C:\WINDOWS\system32\win_0k8.dll
2006-09-11 18:22 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-09-11 18:22 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-09-11 18:22 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-09-11 18:22 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-09-11 18:22 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-09-11 18:22 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-28 16:49 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-09-28 13:19 -------- d-------- C:\Programme\XoftSpySE
2006-09-27 23:08 -------- d-------- C:\Programme\CleanUp!
2006-09-27 22:32 -------- d-------- C:\Dokumente und Einstellungen\Hüseyin\Anwendungsdaten\Lavasoft
2006-09-27 21:46 -------- d-------- C:\Programme\AntiVir PersonalEdition Classic
2006-09-27 21:34 -------- d-------- C:\Programme\Lavasoft
2006-09-27 21:26 -------- d-------- C:\Programme\WinRAR
2006-09-27 21:26 -------- d-------- C:\Programme\Winamp
2006-09-27 21:13 -------- d-------- C:\Programme\TuneUp Utilities 2006
2006-09-27 21:08 -------- d-------- C:\Programme\Gemeinsame Dateien
2006-09-27 21:08 -------- d-------- C:\Dokumente und Einstellungen\Hüseyin\Anwendungsdaten\TuneUp Software
2006-09-27 21:06 -------- d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2006-09-11 18:33 -------- d-------- C:\Programme\Gemeinsame Dateien\Microsoft Shared
2006-08-18 00:24 -------- d-------- C:\Programme\Rockstar Games
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe"
"LTWinModem1"="ltmsg.exe 9"
"TPHOTKEY"="C:\\PROGRA~1\\Lenovo\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"TP4EX"="tp4ex.exe"
"QCWLICON"="C:\\Programme\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"TPKMAPHELPER"="C:\\Programme\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"BigDogPath"="C:\\WINDOWS\\VM_STI.EXE ZSMC USB PC Camera"
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,bc,03,00,00,01,00,00,00,44,00,00,00,e1,02,00,00,18,\
  27,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,bc,03,00,00,01,00,00,00,44,00,00,00,e1,02,\
  00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
  00,00,01,00,00,00
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ClearRecentDocsOnExit"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Klick-Wartung.job
C:\WINDOWS\tasks\XoftSpySE.job
Completion time: 02.10.2006 19:49:37.12
ComboFix.txt
Edit: Now I also have the virus TR/Dldr.Small.dhz; it showed up when I deleted the other one
This post was edited by erolakpinar on 02.10.2006 at 22:51.

03.10.2006, 00:39
Honorary member
Posts: 29434
#6
erolakpinar
0. if it is still present: fix
open HijackThis -- button "scan" -- tick the boxes in front of the malware entries -- button "Fix checked" -- restart the PC
Quote:
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
1. Copy the following text into Notepad (Start - Accessories - Notepad) and save it to the desktop as sheriff.reg using 'Save as'. Select 'All files' as the file type. You should now find this file on the desktop.
Quote:
REGEDIT4
2. avenger http://virus-protect.org/artikel/tools/avenger.html
paste in:
Quote:
Files to delete:
Click the green traffic light; the script will now be executed, then the PC will restart automatically
** post the avenger log that appears after the restart
** scan - set everything to remove and post the report http://virus-protect.org/counterspy.html
__________
Kind regards, Sabina
all about PC security

03.10.2006, 18:46
...new here
Thread starter, Posts: 10
#7
Avenger Log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\wftxbiqf
*******************
Script file located at: \??\C:\Program Files\hdsgtaud.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00003.exe not found!
Deletion of file C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00003.exe failed!
Could not process line:
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00003.exe
Status: 0xc0000034
File C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00003.dll not found!
Deletion of file C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00003.dll failed!
Could not process line:
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00003.dll
Status: 0xc0000034
File C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00002.dll not found!
Deletion of file C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00002.dll failed!
Could not process line:
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00002.dll
Status: 0xc0000034
File C:\WINDOWS\system32\win_0k8.dll deleted successfully.
File C:\WINDOWS\system32\svch1.exe deleted successfully.
File C:\WINDOWS\system32\inistone.ini deleted successfully.
File C:\qdgkp.exe not found!
Deletion of file C:\qdgkp.exe failed!
Could not process line:
C:\qdgkp.exe
Status: 0xc0000034
File C:\nuiq.exe not found!
Deletion of file C:\nuiq.exe failed!
Could not process line:
C:\nuiq.exe
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
Counterspy Report:
Spyware Scan Details
Start Date: 03.10.2006 18:24:19
End Date: 03.10.2006 18:44:48
Total Time: 20 mins 29 secs
Detected spyware
Trojan.Proxy.Atiup Trojan more information...
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft ATI_VER
Advertising.com Cookie more information...
Status: Deleted
Infected cookies detected
c:\dokumente und einstellungen\hüseyin\cookies\hüseyin@advertising[2].txt
ATDMT.com Cookie more information...
Status: Deleted
Infected cookies detected
c:\dokumente und einstellungen\hüseyin\cookies\hüseyin@atdmt[2].txt
Bluestreak.com Cookie more information...
Status: Deleted
Infected cookies detected
c:\dokumente und einstellungen\hüseyin\cookies\hüseyin@bluestreak[2].txt
DoubleClick Cookie more information...
Details: DoubleClick is a popular ad serving network that uses spyware cookies, to target advertising.
Status: Deleted
Infected cookies detected
c:\dokumente und einstellungen\hüseyin\cookies\hüseyin@doubleclick[2].txt
Mediaplex.com Cookie more information...
Details: Cookie used to track cross site advertising with the Mediaplex and value Click advertising companies.
Status: Deleted
Infected cookies detected
c:\dokumente und einstellungen\hüseyin\cookies\hüseyin@mediaplex[1].txt
Radar Spy 1.0 Cookie more information...
Status: Deleted
Infected cookies detected
c:\dokumente und einstellungen\hüseyin\cookies\hüseyin@tradedoubler[2].txt

04.10.2006, 00:24
Honorary member
Posts: 29434
#8
erolakpinar
F-Secure Online Scanner Next Generation Beta http://support.f-secure.com/enu/home/ols3.shtml
1. Click the link: "F-Secure Online Scanner Next Generation Beta".
2. You will be asked to install an ActiveX control
3. Install this ActiveX component
4. Read the instructions and click: "Accept"
5. Click "Full System Scan"
6. Click "Show report" - copy the scan report
__________
Kind regards, Sabina
all about PC security

04.10.2006, 16:24
...new here
Thread starter, Posts: 10
#9
All the viruses seem to be gone, but the white background is still there ...
F-Secure Report:
Scanning Report
Wednesday, October 04, 2006 15:20:37 - 16:23:23
Computer name: 0114AC98ECA241C
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\
--------------------------------------------------------------------------------
Result: 11 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
W32/Spywad.HF (virus)
C:\PROGRAM FILES\SPYSHERIFF\UNINSTALL.EXE
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 12446
System: 3466
Not scanned: 8
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 10
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{A28815F8-02AD-4A77-9C03-EC13986424AD}.BIN
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-10-04
F-Secure Libra: 2.4.1, 2006-10-03
F-Secure Orion: 1.2.37, 2006-10-03
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Draco: 1.0.35, 0259-24-212
F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

04.10.2006, 16:56
Honorary member
Posts: 29434
#10
scan with smitfraudfix - post the report
http://virus-protect.org/artikel/tools/smitfrautfix.html
__________
Kind regards, Sabina
all about PC security

04.10.2006, 17:41
...new here
Thread starter, Posts: 10
#11
smitfraudfix report:
SmitFraudFix v2.104
Scan done at 17:36:32,64, 04.10.2006
Run from C:\Dokumente und Einstellungen\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End

04.10.2006, 20:10
Honorary member
Posts: 29434
#12
everything should be fine again ... shouldn't it?
__________
Kind regards, Sabina
all about PC security

04.10.2006, 20:13
...new here
Thread starter, Posts: 10
#13
The white background is still there.. but otherwise everything is ok
thanks a lot anyway :>
This post was edited by erolakpinar on 04.10.2006 at 22:24.

05.10.2006, 00:47
Honorary member
Posts: 29434
#14
post this log
http://virus-protect.org/silentrunner.html
__________
Kind regards, Sabina
all about PC security

05.10.2006, 15:49
...new here
Thread starter, Posts: 10
#15
Silent Runner Log:
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"TuneUp MemOptimizer" = ""C:\Programme\TuneUp Utilities 2006\MemOptimizer.exe" autostart" ["TuneUp Software GmbH"]
"MsnMsgr" = ""C:\Programme\MSN Messenger\MsnMsgr.Exe" /background" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TrackPointSrv" = "tp4serv.exe" ["IBM Corporation"]
"LTWinModem1" = "ltmsg.exe 9" ["LUCENT TECHNOLOGIES"]
"TPHOTKEY" = "C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [null data]
"TP4EX" = "tp4ex.exe" ["IBM Corporation"]
"QCWLICON" = "C:\Programme\ThinkPad\ConnectUtilities\QCWLICON.EXE" ["IBM Corp."]
"TPKMAPHELPER" = "C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper" ["IBM Corp."]
"BigDogPath" = "C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera" ["VM."]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
  \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
  \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
  -> {HKLM...CLSID} = "Universelle Plug & Play-Geräte"
  \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
  \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2006\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
  \InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
  \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! QConGina\DLLName = "QConGina.dll" ["IBM Corp."]
INFECTION WARNING! tphotkey\DLLName = "tphklock.dll" [null data]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
  \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
  \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2006\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
  \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2006\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
  \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
Active Desktop web content:
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "Die derzeitige Homepage"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"
Startup items in "Hüseyin" & "All Users" startup folders:
---------------------------------------------------------
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"22M WLAN Adapter Utility" -> shortcut to: "C:\Programme\22M WLAN\WLANMON.exe" ["GLOBALSUN TECH"]
Enabled Scheduled Tasks:
------------------------
"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
IBM KCU Service, TpKmpSVC, "C:\WINDOWS\system32\TpKmpSVC.exe" [null data]
IBM PM Service, IBMPMSVC, "C:\WINDOWS\system32\ibmpmsvc.exe" [null data]
QCONSVC, QCONSVC, "System32\QCONSVC.EXE" ["IBM Corp."]
TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
----------
(total run time: 54 seconds, including 6 seconds for message boxes)

Scan saved at 23:26:22, on 27.09.2006
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\ltmsg.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programme\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Programme\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\VM_STI.EXE
C:\Programme\22M WLAN\WLANMON.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\TuneUp Utilities 2006\RegistryCleaner.exe
C:\Programme\TuneUp Utilities 2006\RegistryCleaner.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\DOKUME~1\HSEYIN~1\LOKALE~1\Temp\Rar$EX00.810\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Programme\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programme\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ZSMC USB PC Camera
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [WinMedia] c:\qdgkp2560.exe
O4 - HKCU\..\Run: [Winsvr] C:\qdgkp5632.exe
O4 - HKCU\..\Run: [shell] "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE
O4 - Global Startup: 22M WLAN Adapter Utility.lnk = C:\Programme\22M WLAN\WLANMON.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_0k8.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
System32 Log:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: BC01-C7BD
Verzeichnis von C:\WINDOWS\system32
27.09.2006 20:37 90.296 FNTCACHE.DAT
27.09.2006 20:26 2.206 wpa.dbl
11.09.2006 18:35 4.096 win_0k8.dll
11.09.2006 18:35 9.897 svch1.exe
11.09.2006 18:35 0 inistone.ini
07.09.2006 12:54 57.384 avsda.dll
05.09.2006 15:47 24.072 uxtuneup.dll
17.08.2006 23:32 40.326 perfc009.dat
17.08.2006 23:32 311.938 perfh009.dat
17.08.2006 23:32 316.888 perfh007.dat
17.08.2006 23:32 48.486 perfc007.dat
22.07.2006 14:01 1.919 AUTOEXEC.NT
06.06.2006 23:10 664 d3d9caps.dat
07.05.2006 16:31 723.744 PerfStringBackup.INI
06.07.2005 19:18 64.297 irftp.rar
17.06.2005 14:47 0 h323log.txt
17.06.2005 14:04 261 $winnt$.inf
17.06.2005 13:58 2.951 CONFIG.NT
17.06.2005 13:55 488 WindowsLogon.manifest
17.06.2005 13:55 488 logonui.exe.manifest
17.06.2005 13:55 749 sapi.cpl.manifest
17.06.2005 13:55 749 cdplayer.exe.manifest
17.06.2005 13:55 749 wuaucpl.cpl.manifest
17.06.2005 13:55 749 nwc.cpl.manifest
17.06.2005 13:55 749 ncpa.cpl.manifest
17.06.2005 13:51 21.740 emptyregdb.dat
18.03.2005 03:07 282.624 tvt_gina_api.dll
18.03.2005 03:07 77.824 QCONSVC.EXE
18.03.2005 03:07 577.536 tvt_gina.dll
18.03.2005 03:07 262.144 QConGina.dll
12.03.2005 00:48 109.568 pxinsi64.exe
12.03.2005 00:48 56.320 pxinsa64.exe
12.03.2005 00:48 61.440 pxhpinst.exe
12.03.2005 00:48 108.544 pxcpyi64.exe
12.03.2005 00:48 56.832 pxcpya64.exe
12.03.2005 00:28 28.672 vxblock.dll
12.03.2005 00:28 339.968 pxwave.dll
12.03.2005 00:28 151.552 pxwma.dll
12.03.2005 00:28 172.032 pxmas.dll
12.03.2005 00:28 405.504 pxdrv.dll
12.03.2005 00:28 339.968 px.dll
24.02.2005 12:32 48.640 SP207.ax
18.02.2005 03:51 5.537 tp4scrol.css
18.02.2005 03:51 5.788 tp4table.dat
18.02.2005 03:51 201 tp4-note.gif
18.02.2005 03:51 57.344 tp4ui.dll
18.02.2005 03:51 77.083 tp4-sc.gif
18.02.2005 03:51 94.208 tp4serv.exe
18.02.2005 03:51 13.361 tp4scrol.htm
18.02.2005 03:51 16.677 tp4ui.hlp
18.02.2005 03:51 122.880 tp4uires.dll
18.02.2005 03:51 7.070 tp4coins.dll
18.02.2005 03:51 49.152 tp4unins.exe
18.02.2005 03:51 28.493 tp4-mg.gif
25.01.2005 16:15 10.240 PA207USD.DLL
21.01.2005 01:40 34.816 TP98.CPL
Systemtemp Log:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: BC01-C7BD
Verzeichnis von C:\DOKUME~1\HSEYIN~1\LOKALE~1\Temp
System Log:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: BC01-C7BD
Verzeichnis von C:\WINDOWS
27.09.2006 23:21 175.488 setupact.log
27.09.2006 23:17 578.814 WindowsUpdate.log
27.09.2006 22:41 403.225 setupapi.log
27.09.2006 22:27 159 wiadebug.log
27.09.2006 22:27 50 wiaservc.log
27.09.2006 22:26 0 0.log
27.09.2006 22:26 2.048 bootstat.dat
27.09.2006 22:18 348.924 ntbtlog.txt
27.09.2006 21:49 346 SchedLgU.Txt
27.09.2006 20:36 250 system.ini
11.09.2006 18:21 2.332 regopt.log
03.09.2006 20:03 192 winamp.ini
18.08.2006 00:38 9.259 wmsetup.log
18.08.2006 00:06 4.270 ModemLog_Lucent Win Modem.txt
17.08.2006 23:32 24.309 comsetup.log
17.08.2006 23:32 129.917 iis6.log
17.08.2006 23:32 15.078 ntdtcsetup.log
17.08.2006 23:32 1.898 tabletoc.log
17.08.2006 23:32 2.655 ocmsn.log
17.08.2006 23:32 4.566 imsins.log
17.08.2006 23:32 26.540 tsoc.log
17.08.2006 23:32 48.677 ocgen.log
17.08.2006 23:32 3.901 MedCtrOC.log
17.08.2006 23:32 2.625 msgsocm.log
17.08.2006 23:32 36.831 FaxSetup.log
17.08.2006 23:32 7.112 netfxocm.log
17.08.2006 23:32 28.894 msmqinst.log
27.06.2006 16:38 970 win.ini
06.06.2006 23:32 9.478 wmsetup10.log
23.02.2006 13:10 475 SIERRA.INI
23.02.2006 12:49 355 nsw.log
Sys Log:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: BC01-C7BD
Verzeichnis von C:\
27.09.2006 23:32 0 sys.txt
27.09.2006 23:31 4.501 system.txt
27.09.2006 23:31 136 systemtemp.txt
27.09.2006 23:30 92.653 system32.txt
27.09.2006 23:20 3.903 smitfiles.txt
27.09.2006 23:11 840 DirDPF.txt
27.09.2006 23:11 2 DirDPFCns.txt
27.09.2006 22:26 267.948.032 hiberfil.sys
27.09.2006 22:26 402.653.184 pagefile.sys
11.09.2006 18:35 2.048 qdgkp.exe
11.09.2006 18:34 32.768 nuiq.exe
Smitfiles.txt
smitRem © log file
version 3.2
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
Running from
C:\Dokumente und Einstellungen\Hüseyin\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Appinitdll check ........ Thank you Grinler!
dumphive.exe (C)2000-2004 Markus Stephany
REGEDIT4
[Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\win_0k8.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
checking for drsmartload2 key
drsmartload2 key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 3460 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!
So AntiVir keeps finding this virus, and I have already used the removal tool, but it is still not gone, and on top of that I have this white background that I cannot get rid of either. Please help.