Another critical system error problem ...

#0
27.09.2006, 23:42
...new here

Posts: 7
#1 1. The HijackThis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 22:19:11, on 27.09.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\WinMediaCodec\pmsngr.exe
C:\Programme\WinMediaCodec\pmmon.exe
C:\Programme\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Programme\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Programme\Teledat\IWatch.exe
C:\Programme\Microsoft Office\Office\OSA.EXE
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\WEB.DE\WEB.DE SmartSurfer\SmartSurfer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Admin\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Programme\WinMediaCodec\isaddon.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Class - {A52CD02D-C487-B30D-DB70-31A4C19A741A} - C:\WINDOWS\winnt32.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Programme\WinMediaCodec\iesplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TomcatStartup] C:\Programme\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient] C:\Programme\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Programme\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\Teledat\IWatch.exe
O4 - Global Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/de/win/QuickTimeInstaller.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24EA67E5-CFB4-4F0D-9187-0529EB849933}: NameServer = 192.168.121.252,192.168.121.253
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0C0BE7-1EBA-4BF8-98E0-E52D1B8F8C49}: NameServer = 62.104.191.241 62.104.196.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9B13642-BCC6-4615-8852-7B2CAD47AACD}: NameServer = 192.168.115.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{24EA67E5-CFB4-4F0D-9187-0529EB849933}: NameServer = 192.168.121.252,192.168.121.253
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

2.) Cleanup performed

3.) ComboFix:
Disk Cleanup did not run (don't know why)
Admin - 06-09-27 23:28:57,28 Service Pack 2
ComboFix 06.09.27 - Running from: "C:\Dokumente und Einstellungen\Admin\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-08-27 to 2006-09-27 ))))))))))))))))))))))))))))))))))


2006-09-24 02:01 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2006-09-24 02:01 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2006-09-24 02:01 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-09-24 02:01 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-09-24 02:01 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2006-09-24 01:35 176,128 --a------ C:\WINDOWS\system32\titiau.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-27 23:17 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\SmartSurfer
2006-09-27 23:16 -------- d-------- C:\Programme\Mozilla Firefox
2006-09-27 23:12 137187 --a------ C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\iwatch.txt
2006-09-25 23:13 -------- d-------- C:\Programme\WinMediaCodec
2006-09-25 22:38 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\AdobeUM
2006-09-25 22:10 -------- d-------- C:\Programme\ICQToolbar
2006-09-24 17:50 -------- d-------- C:\Programme\WinAntiVirus Pro 2006
2006-09-24 13:30 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\WinAntiVirus Pro 2006
2006-09-24 02:51 -------- d-------- C:\Programme\vb
2006-09-24 02:10 -------- d-------- C:\Programme\Common Files
2006-09-24 02:01 -------- d-------- C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006
2006-09-24 02:01 -------- d-------- C:\Programme\Gemeinsame Dateien
2006-09-23 12:29 -------- d-------- C:\Programme\Oetinger
2006-09-22 22:40 -------- d-------- C:\Programme\CleanUp!
2006-09-17 08:55 -------- d-------- C:\Programme\PNGIS-EasyEdit Lite
2006-09-01 20:42 -------- d-------- C:\Programme\Internet Explorer
2006-08-24 18:44 -------- d-------- C:\Programme\ICQLite
2006-08-24 18:03 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\ICQLite
2006-08-22 20:55 -------- d-------- C:\Programme\Gemeinsame Dateien\Teleca Shared
2006-08-11 22:14 -------- d-------- C:\Programme\Java
2006-08-11 22:12 -------- d-------- C:\Programme\Gemeinsame Dateien\Java
2006-08-06 22:33 -------- d-------- C:\Programme\selfhtml
2006-08-05 22:30 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-08-05 22:30 -------- d-------- C:\Programme\WEB.DE
2006-08-04 22:49 -------- d-------- C:\Programme\Windows NT
2006-07-27 16:20 -------- d---s---- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Microsoft
2006-07-27 15:25 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-27 10:10 -------- d-------- C:\Programme\Yahoo!
2006-07-27 09:52 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Teledat
2006-07-21 10:29 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
@=""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"TomcatStartup"="C:\\Programme\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"
"StatusClient"="C:\\Programme\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"InCD"="C:\\Programme\\ahead\\InCD\\InCD.exe"
"SunJavaUpdateSched"="C:\\Programme\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,90,02,00,00,1f,00,00,00,20,01,00,00,2b,01,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"pmsngr.exe"="C:\\Programme\\WinMediaCodec\\pmsngr.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Dokumente und Einstellungen^Admin^Startmenü^Programme^Autostart^WEB.DE SmartSurfer.lnk]
"path"="C:\\Dokumente und Einstellungen\\Admin\\Startmenü\\Programme\\Autostart\\WEB.DE SmartSurfer.lnk"
"backup"="C:\\WINDOWS\\pss\\WEB.DE SmartSurfer.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\WEB.DE\\WEB~1.DES\\SMARTS~1.EXE -m"
"item"="WEB.DE SmartSurfer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="\"C:\\Programme\\ICQLite\\ICQLite.exe\" -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"wuauserv"=dword:00000002
"wscsvc"=dword:00000002
"mnmsrvc"=dword:00000003


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: 27.09.2006 23:29:44.39
ComboFix.txt
ComboFix2.txt

3.) DATFIND.BAT

SYSTEM.TXT:

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C84-24DF

Verzeichnis von C:\WINDOWS\system32

27.09.2006 23:14 13.646 wpa.dbl
24.09.2006 17:50 4.714 ikhcore.log
24.09.2006 17:41 2 stera.job
24.09.2006 02:36 2 stera.log
24.09.2006 01:35 176.128 titiau.dll
23.09.2006 16:07 11.660 ModemLog_ISDN Internet (PPP over ISDN).txt
11.09.2006 19:37 8.960.936 MRT.exe
01.09.2006 23:33 380.350 perfh009.dat
01.09.2006 23:33 52.764 perfc009.dat
01.09.2006 23:33 391.000 perfh007.dat
01.09.2006 23:33 63.580 perfc007.dat
01.09.2006 23:33 897.954 PerfStringBackup.INI
01.09.2006 10:46 4.622 ModemLog_ISDN Custom Config.txt
01.09.2006 10:46 4.602 ModemLog_ISDN BTX.txt
01.09.2006 10:46 4.640 ModemLog_ISDN Analog Modem (V.32bis).txt
01.09.2006 10:46 4.622 ModemLog_ISDN - ISDN (X.75).txt
01.09.2006 10:46 4.624 ModemLog_ISDN Mailbox (X.75).txt
01.09.2006 10:46 4.652 ModemLog_ISDN SoftCompression X.75-V.42bis.txt
01.09.2006 10:46 4.634 ModemLog_ISDN RAS (PPP over ISDN).txt
11.08.2006 22:14 7.006 jupdate-1.5.0_06-b05.log
28.07.2006 13:28 3.075.072 mshtml.dll
27.07.2006 16:10 254.272 FNTCACHE.DAT
27.07.2006 15:25 679.424 inetcomm.dll
25.07.2006 22:33 615.936 urlmon.dll
21.07.2006 10:29 72.704 hlink.dll
14.07.2006 17:38 332.288 netapi32.dll
14.07.2006 17:25 546.304 hhctrl.ocx
13.07.2006 15:34 8.494.592 shell32.dll
05.07.2006 12:55 1.057.792 kernel32.dll
28.06.2006 21:47 41.134 vsconfig.xml
26.06.2006 19:40 148.480 dnsapi.dll
26.06.2006 19:40 8.192 rasadhlp.dll
23.06.2006 23:41 1.798 ModemLog_ISDN FAX (G3).txt
23.06.2006 13:10 664.576 wininet.dll
23.06.2006 13:10 474.624 shlwapi.dll
23.06.2006 13:10 146.432 msrating.dll
23.06.2006 13:10 1.494.016 shdocvw.dll
23.06.2006 13:10 448.512 mshtmled.dll
23.06.2006 13:10 532.480 mstime.dll
23.06.2006 13:10 39.424 pngfilt.dll
23.06.2006 13:10 251.392 iepeers.dll
23.06.2006 13:10 205.312 dxtrans.dll
23.06.2006 13:10 16.384 jsproxy.dll
23.06.2006 13:10 1.056.256 danim.dll
23.06.2006 13:10 96.768 inseng.dll
23.06.2006 13:10 357.888 dxtmsft.dll
23.06.2006 13:10 55.808 extmgr.dll
23.06.2006 13:10 152.064 cdfview.dll
23.06.2006 13:10 1.022.976 browseui.dll
23.06.2006 10:53 27.136 xpsp3res.dll
22.06.2006 12:47 181.248 rasmans.dll
19.06.2006 16:20 702.768 WgaLogon.dll
19.06.2006 16:19 571.184 LegitCheckControl.dll
19.06.2006 16:19 304.944 WgaTray.exe
10.06.2006 15:09 16.832 amcompat.tlb
10.06.2006 15:09 23.392 nscompat.tlb
01.06.2006 20:47 27.648 jgpl400.dll
01.06.2006 20:47 163.840 jgdw400.dll

TEMP.TXT:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C84-24DF

Verzeichnis von C:\DOKUME~1\Admin\LOKALE~1\Temp

27.09.2006 23:32 16.384 ~DF415C.tmp
27.09.2006 23:15 2.089.678 jar_cache13666.tmp
2 Datei(en) 2.106.062 Bytes
0 Verzeichnis(se), 46.072.991.744 Bytes frei


WINDOWS.TXT:

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C84-24DF

Verzeichnis von C:\WINDOWS

27.09.2006 23:14 54.156 QTFont.qfn
27.09.2006 22:06 7.762 Admin8.xlb
27.09.2006 21:46 130.610 iis6.log
27.09.2006 21:46 246.881 comsetup.log
27.09.2006 21:46 153.185 ntdtcsetup.log
27.09.2006 21:46 326.131 tsoc.log
27.09.2006 21:46 1.917 imsins.log
27.09.2006 21:46 30.968 ocmsn.log
27.09.2006 21:46 431.819 ocgen.log
27.09.2006 21:46 41.737 msgsocm.log
27.09.2006 21:46 818.487 FaxSetup.log
27.09.2006 21:36 526.839 setupapi.log
27.09.2006 21:11 0 0.log
27.09.2006 21:11 2.048 bootstat.dat
25.09.2006 23:15 1.636.186 WindowsUpdate.log
25.09.2006 23:15 32.584 SchedLgU.Txt
25.09.2006 22:37 1.409 QTFont.for
25.09.2006 22:37 227 system.ini
25.09.2006 22:37 519 win.ini
24.09.2006 02:24 73.254 wmsetup.log
21.09.2006 23:02 179.151 setupact.log
18.09.2006 23:33 50 wiaservc.log
18.09.2006 23:33 216 wiadebug.log
17.09.2006 18:37 10.240 Admin.pcb
01.09.2006 23:10 32.667 spupdsvc.log
01.09.2006 20:52 1.355 imsins.BAK
01.09.2006 20:52 16.195 KB917734.log
01.09.2006 20:52 1.176 avmcoins.log
01.09.2006 20:51 19.395 KB920214.log
01.09.2006 20:51 19.715 KB922616.log
01.09.2006 20:50 27.871 updspapi.log
01.09.2006 20:50 19.250 KB911280.log
01.09.2006 20:49 19.207 KB917159.log
01.09.2006 20:49 15.165 WgaNotify.log
01.09.2006 20:46 19.128 KB921398.log
01.09.2006 20:43 22.169 KB918899.log
01.09.2006 20:41 14.435 KB920670.log
01.09.2006 20:41 14.625 KB918439.log
01.09.2006 20:40 15.038 KB914388.log
01.09.2006 20:40 14.135 KB917344.log
01.09.2006 20:39 13.836 KB917953.log
01.09.2006 20:39 13.735 KB917422.log
01.09.2006 20:38 13.285 KB916595.log
01.09.2006 20:38 14.045 KB913580.log
01.09.2006 20:37 13.030 KB920683.log
01.09.2006 20:36 12.696 KB914389.log
31.08.2006 22:21 12.364 KB921883.log
27.07.2006 16:58 5.048 mozver.dat
23.07.2006 21:56 201 wininit.ini
18.07.2006 13:36 410 lernwelt.ini
19.06.2006 15:10 606 Checked.mms
10.06.2006 15:17 190 math2003.INI
10.06.2006 14:38 499 Notice.mms
14.05.2006 22:09 15.919 KB911562.log
14.05.2006 22:09 16.092 KB900485.log
14.05.2006 22:08 17.599 KB912812.log
14.05.2006 22:07 11.765 KB908531.log
14.05.2006 22:06 15.659 KB911565.log
14.05.2006 22:05 10.853 KB911567.log

C.TXT:

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 9C84-24DF

Verzeichnis von C:\

27.09.2006 23:36 0 sys.txt
27.09.2006 23:36 13.251 system.txt
27.09.2006 23:34 348 systemtemp.txt
27.09.2006 23:32 106.265 system32.txt
27.09.2006 23:29 8.211 ComboFix.txt
27.09.2006 23:20 8.196 ComboFix2.txt
27.09.2006 22:25 114 files.txt
27.09.2006 21:10 133.746.688 hiberfil.sys
27.09.2006 21:10 268.435.456 pagefile.sys
25.09.2006 22:37 211 boot.ini
22.08.2006 22:43 167 ICQLite.log
24.05.2006 22:10 81 CTX.DAT
16.01.2006 21:31 4.610 ~WRD0000.tmp

5.)
The message reads "Security alert, spyware found", and you land on a web page where you are supposed to buy antivirus software


Would be great if it works - thanks a lot in any case
28.09.2006, 15:04
Honorary member
Sabina

Posts: 29434
#2 1.
Download codec.zip - unpack it on the desktop - double-click it and merge the reg file into the registry
http://virus-protect.org/zip/codec.zip

2.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste in:

Quote

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{202a961f-23ae-42b1-9505-ffe3c818d717}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A52CD02D-C487-B30D-DB70-31A4C19A741A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{202a961f-23ae-42b1-9505-ffe3c818d717}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A52CD02D-C487-B30D-DB70-31A4C19A741A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006\WapCHK.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WinAV.exe\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WinAV.exe
HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiVirus Pro 2006
HKEY_LOCAL_MACHINE\SOFTWARE\WinSoftware
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WA6P_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products\WinAntiVirus Pro 2006
HKEY_LOCAL_MACHINE\SOFTWARE\SupportUninstall\WinAntiVirus Pro 2006
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{723D54C7-7483-4EB8-8EED-CE5B2AEA534D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2178F3FB-2560-458f-BDEE-631E2FE0DFE4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B2A3156E-3332-4b47-AF5A-5B121503514F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B646F5E2-0A48-421d-AC91-F96C92BFC17A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E69F0D6A-1C69-4A04-8709-5EAC2019D9BE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B5141620-C2B2-4d95-9F0F-134D99C87AB0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0903FECD-7F7A-4790-A819-A3CE08416732}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{85C99188-BEFD-4c61-A54B-5D7CB0204C1E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B32FE740-8B67-409A-BCA8-3297263C354E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1234890A-5E6E-4867-8136-CA6F1456B235}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{732B6533-7F78-4C47-9C01-2979BA0829B9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FC0B8EB8-AE24-4FD6-B479-E2B464F32DA6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{367A86A5-D048-4785-86BE-4E2706AAFDD9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2BC32EF8-BB73-4099-BB2E-0F2951B3E276}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vspf_hk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vspf
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FWSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FWSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FWSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FWSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FOPN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FOPN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FOPN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FOPN
HKEY_CURRENT_USER\Software\WinAntiVirus Pro 2006
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\WAVAutoPlay

Files to delete:
C:\WINDOWS\system32\drivers\vspf5.sys
C:\WINDOWS\system32\drivers\vspf_hk5.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\av.cpl
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\stera.exe
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\atl71.dll
C:\WINDOWS\system32\SpOrder.dll
C:\WINDOWS\system32\msvcp71.dll
C:\WINDOWS\system32\msvcr71.dll
C:\WINDOWS\system32\mfc71.dll
C:\WINDOWS\system32\titiau.dll
C:\WINDOWS\zkoam.dll

Folders to delete:
C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\WinAntiVirus Pro 2006
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\WinSoftware
C:\Programme\WinAntiVirus Pro 2006
C:\Programme\Common Files\WinAntiVirus Pro 2006
C:\Programme\Common Files\Companion Wizard
C:\Programme\WinMediaCodec
C:\Programme\vb
Click the green traffic light
the script will now be executed, then the PC will restart automatically

**
post the Avenger log that appears after the restart

**
scan with SmitfraudFix http://virus-protect.org/artikel/tools/smitfrautfix.html (options 1 and 2) - let it clean the registry as well
post both scan reports

««

open HijackThis -- button "Scan" -- tick the malware entries -- button "Fix checked" -- restart the PC

Quote

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net

O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Programme\WinMediaCodec\isaddon.dll (file missing)

O2 - BHO: Class - {A52CD02D-C487-B30D-DB70-31A4C19A741A} - C:\WINDOWS\winnt32.dll (file missing)


Restart the PC

**
new start page
go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet Files, click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings there, confirm with Yes if prompted --> click Apply and finally OK, and set a new start page

+++
scan with CounterSpy; after the scan set everything to remove and post the scan report
http://virus-protect.org/counterspy.html
__________
Regards, Sabina

all about PC security
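As an added example, not code from this thread or from HijackThis, Avenger or any other tool named here, the following Python script triages a handful of lines copied from the HijackThis log posted above. It flags the two patterns the helper acts on in this thread, Internet Explorer settings served via res:// from a local DLL and O2/O3 add-ons whose DLL is missing or whose display name is empty or generic, and then surfaces other entries whose binary sits in the same directory as a flagged one. The set of "generic" names, the sibling-directory rule and the exclusion of C:\WINDOWS from that rule are assumptions of this example, not HijackThis behaviour.

```python
"""Triage of HijackThis v1.99 log lines (added example, not code from the thread).

Rules, from a defender's point of view:
  1. R0/R1 Internet Explorer settings whose value is a res:// URL pointing at a
     local DLL: legitimate start/search pages are http(s) or about: URLs, so an
     HTML page served out of a DLL is a search hijack.
  2. O2 BHO / O3 toolbar entries reported "(file missing)" or whose display name
     is empty or generic ("(no name)", "Class") -- an assumption of this example.
  3. Any other entry whose binary sits in the same (non-system) directory as an
     entry flagged by rules 1-2, so sibling components of one install show up together.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zkoam.dll/sp.html#53142%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Programme\WinMediaCodec\isaddon.dll (file missing)
O2 - BHO: Class - {A52CD02D-C487-B30D-DB70-31A4C19A741A} - C:\WINDOWS\winnt32.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Programme\WinMediaCodec\iesplugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
"""

LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
RES_RE = re.compile(r"= res://(?P<dll>.*?\.dll)", re.IGNORECASE)
# O2/O3 bodies: "BHO: <name> - {CLSID} - <path>[ (file missing)]"
ADDON_RE = re.compile(
    r"^(?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# First drive-letter path ending in a binary extension inside an O4 (or other) body.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|ocx)', re.IGNORECASE)
GENERIC_NAMES = {"(no name)", "class"}  # assumption: names too vague to identify a vendor


def parent_dir(path):
    """Lower-cased, forward-slash parent directory of a Windows path."""
    return PureWindowsPath(path).parent.as_posix().lower()


def is_system_dir(directory):
    """Skip %SystemRoot% for the sibling rule: everything there shares one directory."""
    return directory == "c:/windows" or directory.startswith("c:/windows/")


def triage(log_text):
    """Return [(section, path, reason)] for every entry worth a closer look."""
    entries = []   # (section, path) of every line with a recognisable binary path
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        path = None
        if sec.startswith("R"):
            r = RES_RE.search(body)
            if r:
                path = r.group("dll")
                findings.append((sec, path, "IE setting served from a local DLL via res://"))
        elif sec in ("O2", "O3"):
            a = ADDON_RE.match(body)
            if a:
                path = a.group("path")
                if a.group("missing"):
                    findings.append((sec, path, "registered add-on whose DLL is missing"))
                elif a.group("name").strip().lower() in GENERIC_NAMES:
                    findings.append((sec, path, "add-on with empty or generic display name"))
        else:
            p = PATH_RE.search(body)
            path = p.group(0) if p else None
        if path:
            entries.append((sec, path))

    # Rule 3: pull in siblings of flagged components outside the system directories.
    flagged = {(s, p) for s, p, _ in findings}
    hot_dirs = {parent_dir(p) for _, p in flagged if not is_system_dir(parent_dir(p))}
    for sec, path in entries:
        if (sec, path) not in flagged and parent_dir(path) in hot_dirs:
            findings.append((sec, path, "binary sits in the same directory as a flagged entry"))
    return findings


if __name__ == "__main__":
    for sec, path, reason in triage(SAMPLE_LOG):
        print(f"{sec:<3} {path}\n    -> {reason}")
```

On the sample the script reports zkoam.dll, both missing BHOs and, through the sibling rule, the WinMediaCodec toolbar DLL, while the Adobe, ICQ and Java entries stay quiet.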
29.09.2006, 00:20
...new here

Thread starter

Posts: 7
#3 Hello,
thanks so far; I'm afraid not everything worked - Avenger produced quite a lot of error messages. I'm also afraid I have lost a SmitFraudFix file. And HijackThis does not offer me any of the entries mentioned.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 1813
Line: HKEY_CURRENT_USER\Software\WinAntiVirus Pro 2006


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mjcpjpcd

*******************

Script file located at: \??\C:\WINDOWS\llcpklwi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vspf_hk deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vspf deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FWSvc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FWSvc failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FWSvc
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FWSvc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FWSvc failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FWSvc
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FWSvc not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FWSvc failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FWSvc
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FWSVC not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FWSVC failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_FWSVC
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FOPN not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FOPN failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FOPN
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FOPN not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FOPN failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FOPN
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FOPN not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FOPN failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\FOPN
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FOPN not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FOPN failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FOPN
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\vspf5.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\vspf5.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\vspf5.sys
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\vspf_hk5.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\vspf_hk5.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\vspf_hk5.sys
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\fopn.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\fopn.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\fopn.sys
Status: 0xc0000034



File C:\WINDOWS\system32\av.cpl not found!
Deletion of file C:\WINDOWS\system32\av.cpl failed!

Could not process line:
C:\WINDOWS\system32\av.cpl
Status: 0xc0000034

File C:\WINDOWS\system32\stera.log deleted successfully.


File C:\WINDOWS\system32\stera.exe not found!
Deletion of file C:\WINDOWS\system32\stera.exe failed!

Could not process line:
C:\WINDOWS\system32\stera.exe
Status: 0xc0000034

File C:\WINDOWS\system32\stera.job deleted successfully.
File C:\WINDOWS\system32\atl71.dll deleted successfully.
File C:\WINDOWS\system32\SpOrder.dll deleted successfully.
File C:\WINDOWS\system32\msvcp71.dll deleted successfully.
File C:\WINDOWS\system32\msvcr71.dll deleted successfully.
File C:\WINDOWS\system32\mfc71.dll deleted successfully.
File C:\WINDOWS\system32\titiau.dll deleted successfully.
File C:\WINDOWS\zkoam.dll deleted successfully.
Folder C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006 deleted successfully.
Folder C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\WinAntiVirus Pro 2006 deleted successfully.


Folder C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\WinSoftware not found!
Deletion of folder C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\WinSoftware failed!

Could not process line:
C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\WinSoftware
Status: 0xc0000034

Folder C:\Programme\WinAntiVirus Pro 2006 deleted successfully.


Folder C:\Programme\Common Files\WinAntiVirus Pro 2006 not found!
Deletion of folder C:\Programme\Common Files\WinAntiVirus Pro 2006 failed!

Could not process line:
C:\Programme\Common Files\WinAntiVirus Pro 2006
Status: 0xc0000034

Folder C:\Programme\Common Files\Companion Wizard deleted successfully.
Folder C:\Programme\WinMediaCodec deleted successfully.
Folder C:\Programme\vb deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{202a961f-23ae-42b1-9505-ffe3c818d717} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{202a961f-23ae-42b1-9505-ffe3c818d717} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A52CD02D-C487-B30D-DB70-31A4C19A741A} deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{202a961f-23ae-42b1-9505-ffe3c818d717} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{202a961f-23ae-42b1-9505-ffe3c818d717} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A52CD02D-C487-B30D-DB70-31A4C19A741A} deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{479fd0cf-5be9-4c63-8cda-b6d371c67bd5} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006\WapCHK.dll not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Programme\Gemeinsame Dateien\WinAntiVirus Pro 2006\WapCHK.dll failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WinAV.exe\shell not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WinAV.exe\shell failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WinAV.exe not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WinAV.exe failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiVirus Pro 2006 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\WinAntiVirus Pro 2006 failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\WinSoftware not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\WinSoftware failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WA6P_is1 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WA6P_is1 failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products\WinAntiVirus Pro 2006 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products\WinAntiVirus Pro 2006 failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\SupportUninstall\WinAntiVirus Pro 2006 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\SupportUninstall\WinAntiVirus Pro 2006 failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{723D54C7-7483-4EB8-8EED-CE5B2AEA534D} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{723D54C7-7483-4EB8-8EED-CE5B2AEA534D} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2178F3FB-2560-458f-BDEE-631E2FE0DFE4} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B2A3156E-3332-4b47-AF5A-5B121503514F} deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B646F5E2-0A48-421d-AC91-F96C92BFC17A} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B646F5E2-0A48-421d-AC91-F96C92BFC17A} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E69F0D6A-1C69-4A04-8709-5EAC2019D9BE} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E69F0D6A-1C69-4A04-8709-5EAC2019D9BE} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B5141620-C2B2-4d95-9F0F-134D99C87AB0} deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0903FECD-7F7A-4790-A819-A3CE08416732} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0903FECD-7F7A-4790-A819-A3CE08416732} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{85C99188-BEFD-4c61-A54B-5D7CB0204C1E} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{85C99188-BEFD-4c61-A54B-5D7CB0204C1E} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B32FE740-8B67-409A-BCA8-3297263C354E} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B32FE740-8B67-409A-BCA8-3297263C354E} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1234890A-5E6E-4867-8136-CA6F1456B235} deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{732B6533-7F78-4C47-9C01-2979BA0829B9} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{732B6533-7F78-4C47-9C01-2979BA0829B9} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FC0B8EB8-AE24-4FD6-B479-E2B464F32DA6} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FC0B8EB8-AE24-4FD6-B479-E2B464F32DA6} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{367A86A5-D048-4785-86BE-4E2706AAFDD9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2BC32EF8-BB73-4099-BB2E-0F2951B3E276} deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\WAVAutoPlay not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\WAVAutoPlay failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.



SmitFraudFix v2.101

Scan done at 23:12:35,96, 28.09.2006
Run from C:\Dokumente und Einstellungen\Admin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOKUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOKUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
C:\DOKUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOKUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Programme\WinHound\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

HKLM\SOFTWARE\WinHound.com Deleted

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
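The Avenger log above (and the second one later in this thread) reports every script line as either "deleted successfully" or "not found!" followed by "Status: 0xc0000034". That value is the NTSTATUS code STATUS_OBJECT_NAME_NOT_FOUND: the item no longer existed when Avenger ran, so those "failures" only confirm that an earlier cleanup had already removed it. The parser below is an added example, not code from this thread or from The Avenger; it reduces such a log to what the run actually changed on the machine, what was already gone, and any failure with a different status code that deserves a closer look. The NTSTATUS table holds only three codes I know, and the sample log is constructed from lines in this thread.

```python
import re
from collections import Counter

# NTSTATUS codes that The Avenger prints after a failed deletion.
# Only 0xc0000034 appears in this thread; the other two are listed so a
# "still present but locked" failure is not mistaken for "already gone".
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}
NOT_FOUND = 0xC0000034

# "File <path> deleted successfully." / "Registry key <key> not found!"
_RESULT = re.compile(
    r"^(?P<kind>File|Folder|Registry key) (?P<target>.+?) "
    r"(?P<outcome>deleted successfully\.|not found!)$"
)
# "Status: 0xc0000034" follows every failed item (after the repeated
# "Deletion of ... failed!" and "Could not process line:" lines).
_STATUS = re.compile(r"^Status: 0x(?P<code>[0-9a-fA-F]{8})$")


def parse_avenger_log(text):
    """Return one record per script item, in the order Avenger processed them."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _RESULT.match(line)
        if m:
            records.append({
                "kind": m["kind"],
                "target": m["target"],
                "deleted": m["outcome"].startswith("deleted"),
                "status": None,
                "status_name": None,
            })
            continue
        m = _STATUS.match(line)
        # Attach the status code to the most recent failed item only.
        if m and records and not records[-1]["deleted"] and records[-1]["status"] is None:
            code = int(m["code"], 16)
            records[-1]["status"] = code
            records[-1]["status_name"] = NTSTATUS_NAMES.get(code, "UNKNOWN_NTSTATUS")
    return records


def summarize(records):
    """Split the records into what the run really changed on the system,
    what had already been removed, and failures that need a closer look."""
    removed = [r["target"] for r in records if r["deleted"]]
    already_gone = [r["target"] for r in records
                    if not r["deleted"] and r["status"] == NOT_FOUND]
    attention = [r for r in records
                 if not r["deleted"] and r["status"] != NOT_FOUND]
    return {"removed": removed, "already_gone": already_gone, "attention": attention}


def counts_by_kind(records):
    """How many files, folders and registry keys were actually deleted."""
    return dict(Counter(r["kind"] for r in records if r["deleted"]))


# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""
File C:\WINDOWS\system32\av.cpl not found!
Deletion of file C:\WINDOWS\system32\av.cpl failed!

Could not process line:
C:\WINDOWS\system32\av.cpl
Status: 0xc0000034

File C:\WINDOWS\system32\stera.log deleted successfully.
File C:\WINDOWS\zkoam.dll deleted successfully.
Folder C:\Programme\WinMediaCodec deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\WinSoftware not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\WinSoftware failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Video1 deleted successfully.
"""

if __name__ == "__main__":
    summary = summarize(parse_avenger_log(SAMPLE_LOG))
    print("removed:", *summary["removed"], sep="\n  ")
    print("already gone:", *summary["already_gone"], sep="\n  ")
    print("needs attention:", *summary["attention"], sep="\n  ")
```

Anything that lands in "needs attention" (for instance STATUS_ACCESS_DENIED, 0xc0000022) means the item was still present but could not be removed, which is exactly the case worth re-checking with a follow-up scan, as this thread does with ewido after the first Avenger run.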
29.09.2006, 00:35
Honorary member

Posts: 29434
#4 That worked out well ;)
What a lot of junk you have on that machine... all of them tools that wreck the computer... ;)

Scan, set everything to remove and post the report
http://virus-protect.org/counterspy.html
__________
Best regards, Sabina

all about PC security
29.09.2006, 19:44
...new here

Thread starter

Posts: 7
#5 Hello Sabina,
thanks again, this really is a fantastic service.
Everything looks very good. Is there somewhere I can find out more about what was actually done? Best regards


Spyware Scan Details
Start Date: 29.09.2006 18:33:25
End Date: 29.09.2006 19:32:14
Total Time: 58 mins 49 secs

Detected spyware

MoneyTree Dialer more information...
Details: MoneyTree is an ActiveX control used to download premium-rate dialers, generally for porn sites. Each time MoneyTree is run, on system startup, it tries to connect to a pornographic website.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F7EE4E3689C2DCF4A531C20954D158C1936D9A3C
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F7EE4E3689C2DCF4A531C20954D158C1936D9A3C Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1567DAAB1377FE3552D2F6F2A2FA80200135EDA5
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1567DAAB1377FE3552D2F6F2A2FA80200135EDA5 Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F705E9D8DAA72DF53D068BF60B551EA3103D51D7
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F705E9D8DAA72DF53D068BF60B551EA3103D51D7 Blob


CWS.NS3 Browser Hijacker more information...
Details: This is a CoolWebSearch hijacker.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}
HKEY_LOCAL_MACHINE\software\classes\clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\hsa
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\hsa DisplayName Home Search Assistent
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\hsa UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/HomeSearchAssistant.html"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\se
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\se DisplayName Search Extender
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\se UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/SearchExtender.html"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\sw
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\sw DisplayName Shopping Wizard
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\sw UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/ShoppingWizard.html"


CWS.AboutBlank Browser Hijacker more information...
Details: This is a CoolWebSearch hijacker.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/HomeSearchAssistant.html"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA DisplayName Home Search Assistent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/SearchExtender.html"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW UninstallString rundll32 url.dll,FileProtocolHandler "http://looking-for.cc/uninstall/ShoppingWizard.html"


Trojan.Desktophijack Trojan more information...
Details: Trojan.Desktophijack modifies the home page and desktop settings on a compromised computer.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main Display Inline Images yes


Adw.PSGuard Adware more information...
Details: PSGuard is a fraudulent anti-spyware program which uses desktop advertising to scare users into paying for the product.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main Display Inline Images yes
29.09.2006, 23:15
Honorary member

Posts: 29434
#6 Everything should be clean again, but still do an online virus scan with Panda or ewido and post the report(s) ;)
http://virus-protect.org/onlinescan.html

Before that, delete the Avenger backup at C:\Avenger\backup.zip
__________
Best regards, Sabina

all about PC security
30.09.2006, 02:02
...new here

Thread starter

Posts: 7
#7 _________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________

Name: Dialer.Generic
Path: HKLM\SOFTWARE\Video1\Dialers
Risk: High

Name: Adware.WinAntiVirus
Path: HKU\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}
Risk: Medium

Name: Adware.Generic
Path: HKU\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5}
Risk: Medium

Name: Adware.CoolWebSearch
Path: HKU\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A52CD02D-C487-B30D-DB70-31A4C19A741A}
Risk: Medium

Name: Dialer.Generic
Path: HKU\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Video1\Dialers
Risk: High

Name: Dialer.Generic
Path: HKU\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Video1\Dialers\Hot_Tarts_de
Risk: High

Name: Dialer.Generic
Path: HKU\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Video1\Dialers\Hot_Tarts_mc
Risk: High


Name: Not-A-Virus.Hoax.Win32.Renos.er
Path: C:\RECYCLER\S-1-5-21-746137067-1060284298-2115272083-1004\Dc9.zip/avenger/titiau.dll
Risk: Low

Name: Not-A-Virus.Downloader.Win32.WinFixer.o
Path: C:\WINDOWS\Downloaded Program Files\UWA6PU_0001_N91M2107NetInstaller.exe
Risk: Low

Name: Downloader.Dluca
Path: C:\WINDOWS\system32\lukvluxm.exe
Risk: High

Name: Downloader.Dluca
Path: C:\WINDOWS\system32\yultfxuq.exe
Risk: High
30.09.2006, 11:29
Honorary member

Posts: 29434
#8 Tix

Well, nothing was clean... but that's what we have the online virus scanners for ;)

1.
Empty the recycle bin

2.
Avenger

Quote

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Video1
HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Video1
HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}
HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5}
HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A52CD02D-C487-B30D-DB70-31A4C19A741A}

Files to delete:
C:\WINDOWS\system32\lukvluxm.exe
C:\WINDOWS\system32\yultfxuq.exe
C:\WINDOWS\Downloaded Program Files\UWA6PU_0001_N91M2107NetInstaller.exe
Post the Avenger report
+
the new HijackThis log
__________
Best regards, Sabina

all about PC security
30.09.2006, 13:46
...new here

Thread starter

Posts: 7
#9 Hi Sabina,

could/should I have let ewido remove that stuff as well?

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\aujjmnqh

*******************

Script file located at: \??\C:\Program Files\rsbpencf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\lukvluxm.exe deleted successfully.
File C:\WINDOWS\system32\yultfxuq.exe deleted successfully.
File C:\WINDOWS\Downloaded Program Files\UWA6PU_0001_N91M2107NetInstaller.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Video1 deleted successfully.


Registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Video1 not found!
Deletion of registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Video1 failed!
Status: 0xc0000034



Registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} not found!
Deletion of registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} failed!
Status: 0xc0000034



Registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5} not found!
Deletion of registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5} failed!
Status: 0xc0000034



Registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A52CD02D-C487-B30D-DB70-31A4C19A741A} not found!
Deletion of registry key HKEY_USERS\S-1-5-21-746137067-1060284298-2115272083-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A52CD02D-C487-B30D-DB70-31A4C19A741A} failed!
Status: 0xc0000034


Completed script processing.
30.09.2006, 13:48
Honorary member

Posts: 29434
#10 Scan once more with ewido ;)
__________
Best regards, Sabina

all about PC security
01.10.2006, 22:20
...new here

Thread starter

Posts: 7
#11 __________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.2o7
Path: C:\Dokumente und Einstellungen\Admin\Cookies\admin@msnportal.112.2o7[1].txt
Risk: Medium
That already looks more manageable:

Name: TrackingCookie.Doubleclick
Path: :mozilla.21:C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\bzidz00t.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Googleadservices
Path: :mozilla.22:C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\bzidz00t.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Ivwbox
Path: :mozilla.24:C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Mozilla\Firefox\Profiles\bzidz00t.default\cookies.txt
Risk: Medium
02.10.2006, 01:37
Honorary member

Posts: 29434
#12 Those are only cookies, so no reason to panic.
Everything is clean again ;) - hopefully for good this time.

**
Post the new HijackThis log
__________
Best regards, Sabina

all about PC security
05.10.2006, 10:09
...new here

Thread starter

Posts: 7
#13 Okay:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:22, on 05.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Sunbelt Software\CounterSpy\Consumer\Thread.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Programme\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Programme\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Programme\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Programme\Teledat\IWatch.exe
C:\Programme\Microsoft Office\Office\OSA.EXE
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\WEB.DE\WEB.DE SmartSurfer\SmartSurfer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Admin\Desktop\exes_etc\hijack\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TomcatStartup] C:\Programme\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [StatusClient] C:\Programme\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Programme\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\Teledat\IWatch.exe
O4 - Global Startup: Office-Start.lnk = C:\Programme\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/de/win/QuickTimeInstaller.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24EA67E5-CFB4-4F0D-9187-0529EB849933}: NameServer = 192.168.121.252,192.168.121.253
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E0C0BE7-1EBA-4BF8-98E0-E52D1B8F8C49}: NameServer = 81.209.208.13 83.133.0.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9B13642-BCC6-4615-8852-7B2CAD47AACD}: NameServer = 192.168.115.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{24EA67E5-CFB4-4F0D-9187-0529EB849933}: NameServer = 192.168.121.252,192.168.121.253
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
05.10.2006, 12:01
Honorary member

Posts: 29434
#14 Everything clean again! ;) ;)
If there should be any more problems, get in touch.
__________
Best regards, Sabina

all about PC security