Virusburst und andere spyware

#1 Hallo hab mir virusburst einge´fangen und noch was so ähnlich ist "System Alert:Malware Thread".

höffe ihr könnt mir helfen das loszuwerden.

hier die logs:

hijackthis

Zitat

Logfile of HijackThis v1.99.1
Scan saved at 14:48:48, on 05.10.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ishost.exe
C:\Programme\iMediaCodec\isamonitor.exe
C:\Programme\iMediaCodec\pmsngr.exe
C:\WINDOWS\System32\isnotify.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\iMediaCodec\pmmon.exe
C:\WINDOWS\System32\ismini.exe
C:\Programme\iMediaCodec\isamini.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\pc2\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Programme\iMediaCodec\isaddon.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Programme\iMediaCodec\iesplugin.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Programme\Safety Bar\SafetyBar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O20 - AppInit_DLLs:
O21 - SSODL: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll

Combofix

Zitat

ComboFix 06.09.28 - Running from: "C:\Dokumente und Einstellungen\pc2\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\ixt0.dll
C:\Programme\Safety Bar
C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))


2006-10-03 23:00 147,456 --a------ C:\WINDOWS\system32\httge.dll
2006-09-20 20:00 18,432 --a------ C:\WINDOWS\system32\lprmon.dll
2006-09-20 19:59 21,504 --a------ C:\WINDOWS\system32\lpdsvc.dll
2006-09-19 17:21 46,592 --a------ C:\WINDOWS\system32\zlbw.dll
2006-09-19 17:19 50,388 --a------ C:\WINDOWS\system32\ipod.raw.exe
2006-09-19 17:18 5,332 --a------ C:\WINDOWS\system32\aoupszll.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-05 14:54 -------- d-------- C:\Programme\Mozilla Firefox
2006-10-05 14:49 -------- d-------- C:\Programme\CleanUp!
2006-10-04 10:28 -------- d-------- C:\Programme\Winamp
2006-10-04 10:28 -------- d-------- C:\Programme\Microsoft IntelliType Pro
2006-10-04 10:28 -------- d-------- C:\Programme\Microsoft IntelliPoint
2006-10-04 10:28 -------- d-------- C:\Programme\Messenger
2006-10-03 23:00 -------- d-------- C:\Programme\iMediaCodec
2006-10-03 22:59 -------- d-------- C:\Programme\Windows Media Player
2006-09-24 15:15 -------- d-------- C:\Programme\xp-AntiSpy
2006-09-24 15:04 -------- d-------- C:\Dokumente und Einstellungen\pc2\Anwendungsdaten\AdobeUM
2006-09-15 09:11 -------- d-------- C:\Dokumente und Einstellungen\pc2\Anwendungsdaten\Babylon
2006-08-26 18:23 -------- d-------- C:\Programme\LimeWire
2006-07-21 10:44 99970 --a------ C:\WINDOWS\UninstallFirefox.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"SunJavaUpdateSched"="C:\\Programme\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"type32"="\"C:\\Programme\\Microsoft IntelliType Pro\\type32.exe\""
"IntelliPoint"="\"C:\\Programme\\Microsoft IntelliPoint\\point32.exe\""
"WinampAgent"="C:\\Programme\\Winamp\\winampa.exe"
"WinampAgent"="C:\\Programme\\Winamp\\winampa.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,80,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,80,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"isamonitor.exe"="C:\\Programme\\iMediaCodec\\isamonitor.exe"
"kernel32.dll"="C:\\WINDOWS\\System32\\isnotify.exe"
"pmsngr.exe"="C:\\Programme\\iMediaCodec\\pmsngr.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"horologium"="{7be183d2-a42d-4915-bf60-ec86fbf002cf}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: 05.10.2006 14:58:08.70
ComboFix.txt

system32

Zitat

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: B866-C7F8

Verzeichnis von C:\WINDOWS\system32

03.10.2006 23:04 4.286 ts.ico
03.10.2006 23:04 4.286 ot.ico
03.10.2006 23:00 147.456 httge.dll
24.09.2006 15:06 2.184 wpa.dbl
21.09.2006 20:38 552 d3d8caps.dat
20.09.2006 20:00 311.604 perfh009.dat
20.09.2006 20:00 39.992 perfc009.dat
20.09.2006 20:00 721.390 PerfStringBackup.INI
20.09.2006 20:00 48.156 perfc007.dat
20.09.2006 20:00 316.594 perfh007.dat
19.09.2006 17:21 46.592 zlbw.dll
19.09.2006 17:19 50.388 ipod.raw.exe
19.09.2006 17:19 4 winsub.xml
19.09.2006 17:19 62 svcp.csv
19.09.2006 17:18 5.332 aoupszll.exe

1826 Datei(en) 292.569.937 Bytes
0 Verzeichnis(se), 5.853.622.272 Bytes frei

systemtemp

Zitat

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: B866-C7F8

Verzeichnis von C:\DOKUME~1\pc2\LOKALE~1\Temp

system

Zitat

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: B866-C7F8

Verzeichnis von C:\WINDOWS

05.10.2006 14:54 1.505.964 WindowsUpdate.log
05.10.2006 14:53 0 0.log
05.10.2006 14:53 2.048 bootstat.dat
04.10.2006 10:57 178.943 setupact.log
03.10.2006 23:14 32.594 SchedLgU.Txt
01.10.2006 11:06 50 wiaservc.log
01.10.2006 11:06 216 wiadebug.log
24.09.2006 15:07 36.212 setupapi.log
20.09.2006 20:24 227 system.ini
20.09.2006 20:24 554 win.ini
20.09.2006 20:10 5.737 mozver.dat
20.09.2006 20:02 57.179 comsetup.log
20.09.2006 20:02 230.373 iis6.log
20.09.2006 20:02 1.917 imsins.log
20.09.2006 20:02 74.175 tsoc.log
20.09.2006 20:02 34.437 ntdtcsetup.log
20.09.2006 20:02 77.987 ocgen.log
20.09.2006 20:02 6.922 msgsocm.log
20.09.2006 20:02 6.017 ocmsn.log
20.09.2006 20:02 135.632 FaxSetup.log
20.09.2006 20:02 52.986 msmqinst.log
20.09.2006 20:01 4.566 imsins.BAK
20.09.2006 20:01 2.712 WINNT32.LOG
20.09.2006 20:01 983 UPGRADE.TXT
20.09.2006 20:01 40.260 wsdu.log
20.09.2006 20:00 178 DHCPUPG.LOG

TE`MP

Zitat

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: B866-C7F8

Verzeichnis von C:\WINDOWS\Temp

Down

Zitat

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: B866-C7F8

Verzeichnis von C:\WINDOWS\Downloaded Program Files

27.08.2005 14:30 5.065 swflash.inf
01.04.2005 14:30 65 desktop.ini
11.08.2004 02:22 3.036 wmv9dmo.inf
3 Datei(en) 8.166 Bytes
0 Verzeichnis(se), 5.853.683.712 Bytes frei

SYS

Zitat

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: B866-C7F8

Verzeichnis von C:\

05.10.2006 15:02 0 sys.txt
05.10.2006 15:01 394 down.txt
05.10.2006 15:01 117 tmp.txt
05.10.2006 15:01 5.605 system.txt
05.10.2006 15:01 131 systemtemp.txt
05.10.2006 14:58 89.043 system32.txt
05.10.2006 14:58 5.761 ComboFix.txt
05.10.2006 14:53 167.772.160 pagefile.sys
20.09.2006 20:24 194 boot.ini
17.05.2006 20:45 41.856 DSC_006566.JPG
31.10.2005 17:56 700.416 StubInstaller.exe
01.04.2005 14:34 0 MSDOS.SYS
01.04.2005 14:34 0 IO.SYS
01.04.2005 14:34 0 AUTOEXEC.BAT
01.04.2005 14:34 0 CONFIG.SYS
18.08.2001 14:00 4.952 bootfont.bin
18.08.2001 14:00 45.124 NTDETECT.COM
18.08.2001 14:00 224.032 ntldr
18 Datei(en) 168.889.785 Bytes
0 Verzeichnis(se), 5.853.679.616 Bytes frei

#2 0.
Start - Ausfuehren - regedit

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

loeschen:

"isamonitor.exe"="C:\\Programme\\iMediaCodec\\isamonitor.exe"
"kernel32.dll"="C:\\WINDOWS\\System32\\isnotify.exe"
"pmsngr.exe"="C:\\Programme\\iMediaCodec\\pmsngr.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"horologium"="{7be183d2-a42d-4915-bf60-ec86fbf002cf}" -> loeschen

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{7be183d2-a42d-4915-bf60-ec86fbf002cf}"="horologium" -> loeschen

-------------------------------


Avenger
http://virus-protect.org/artikel/tools/avenger.html

kopiere rein:

Zitat

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\iMediaCodec
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\virusburster.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A569F6C9-29F0-43BC-80CF-6BA138C66108}
HKEY_LOCAL_MACHINE\SOFTWARE\VirusBurster
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EMediaCodek.Chl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VSEnchancer.Chl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7be183d2-a42d-4915-bf60-ec86fbf002cf}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iMediaCodec
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusBurster
HKEY_CURRENT_USER\Software\Internet Security

Files to delete:
C:\WINDOWS\system32\ts.ico
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\httge.dll
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\system32\ipod.raw.exe
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\aoupszll.exe

Folders to delete:
C:\Programme\VirusBurster
C:\Programme\iMediaCodec

Klicke die grüne Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

**
lösche das backup vom Avenger unter C:\Avenger\backup.zip

**
scanne mit smitfraudfix
http://virus-protect.org/artikel/tools/smitfrautfix.html - option 1 und 2

**
öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

Zitat

O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Programme\iMediaCodec\isaddon.dll

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll

O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Programme\iMediaCodec\iesplugin.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Programme\Safety Bar\SafetyBar.dll

O21 - SSODL: horologium - {7be183d2-a42d-4915-bf60-ec86fbf002cf} - C:\WINDOWS\System32\httge.dll

+++++++
poste noch mal die logs von datfindbat bis August 2006
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Logfile of HijackThis v1.99.1
Scan saved at 19:23:20, on 14.10.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\MMediaCodec\isamonitor.exe
C:\Programme\MMediaCodec\pmsngr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\MMediaCodec\isamini.exe
C:\Programme\MMediaCodec\pmmon.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\WinRAR\WinRAR.exe
C:\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Programme\MMediaCodec\isaddon.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Programme\MMediaCodec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Programme\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Programme\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BE35BF1-4B5D-451F-9D85-64C3A86115FD}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{87B2946D-F4A0-4A15-B995-6D1B53B1352B}: NameServer = 85.255.115.37 85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{3BE35BF1-4B5D-451F-9D85-64C3A86115FD}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142
O17 - HKLM\System\CS2\Services\Tcpip\..\{3BE35BF1-4B5D-451F-9D85-64C3A86115FD}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\System32\dpfwu.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe

#4 Troopersix

0.
smitfraudfix abarbeiten - option 1 und 2 - poste beide reporte hier
http://virus-protect.org/artikel/tools/smitfrautfix.html

deine Internetverbindung wird auf einen Server in der Ukraine umeleitet, ich muss also tiefer graben:

1.
poste dieses log
http://virus-protect.org/artikel/tools/combofix.html

2.
stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

3.
Kopiere diese 6 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html

4.
scanne und poste den report
http://virus-protect.org/artikel/tools/fixwareout.html
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Ok hier das ComboFix log:



ComboFix 06.10.08W - Running from: C:\Downloadz

((((((((((((((((((((((((((((((( Files Created from 2006-09-14 to 2006-10-14 ))))))))))))))))))))))))))))))))))


2006-10-14 18:10 106,496 --a------ C:\WINDOWS\system32\dpfwu.dll
2006-10-03 22:12 21,760 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-09-17 18:51 18,176 --a------ C:\WINDOWS\system32\drivers\sermouse.sys
2006-09-17 18:48 171,520 --a------ C:\WINDOWS\system32\LXCASUI.DLL
2006-09-17 18:46 182,880 --a------ C:\WINDOWS\system32\iuengine.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-14 19:17 -------- d-------- C:\Programme\Mozilla Firefox
2006-10-14 19:15 -------- d-------- C:\Programme\MMediaCodec
2006-10-14 19:02 -------- d-------- C:\Programme\Enigma Software Group
2006-10-11 16:21 -------- d-------- C:\Programme\HQvideo
2006-10-10 17:38 -------- d-------- C:\Programme\Teamspeak2_RC2
2006-10-10 17:38 -------- d-------- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\teamspeak2
2006-10-06 19:03 -------- d-------- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\Sun
2006-10-06 18:59 -------- d-------- C:\Programme\Java
2006-10-06 18:57 -------- d-------- C:\Programme\Gemeinsame Dateien\Java
2006-10-06 18:57 -------- d-------- C:\Programme\Gemeinsame Dateien
2006-10-05 21:52 -------- d-------- C:\Programme\WinRAR
2006-10-01 20:57 -------- d-------- C:\Programme\Hothouse Creations
2006-09-17 14:20 -------- d---s---- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\Microsoft
2006-09-17 14:19 -------- d-------- C:\Programme\Microsoft Works
2006-09-17 14:17 -------- d-------- C:\Programme\Microsoft Visual Studio
2006-09-17 14:17 -------- d-------- C:\Programme\Microsoft Office
2006-09-17 14:17 -------- d-------- C:\Programme\Gemeinsame Dateien\Microsoft Shared
2006-09-17 14:17 -------- d-------- C:\Programme\Gemeinsame Dateien\Designer
2006-09-17 14:09 -------- d-------- C:\Programme\Microsoft Works Suite 2002
2006-09-15 18:25 -------- d-------- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\Apple Computer
2006-09-15 18:23 -------- d-------- C:\Programme\iTunes
2006-09-15 18:22 -------- d-------- C:\Programme\QuickTime
2006-09-15 18:22 -------- d-------- C:\Programme\iPod
2006-09-15 18:22 -------- d-------- C:\Programme\Apple Software Update
2006-09-13 16:41 2829 --a------ C:\WINDOWS\War3Unin.pif
2006-09-13 16:41 139264 --a------ C:\WINDOWS\War3Unin.exe
2006-09-12 17:49 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-09-10 13:01 -------- d-------- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\AdobeUM
2006-09-07 17:03 -------- d-------- C:\Programme\Gemeinsame Dateien\Adobe
2006-09-07 17:03 -------- d-------- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\Adobe
2006-09-07 17:02 1557 --a------ C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\AdobeDLM.log
2006-09-07 17:02 0 --a------ C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\dm.ini
2006-09-07 17:02 -------- d-------- C:\Programme\Adobe
2006-09-07 17:01 -------- d-------- C:\Programme\Yahoo!
2006-09-06 00:40 -------- d-------- C:\Programme\Windows Media Player
2006-09-04 20:58 -------- d-------- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\Real
2006-09-04 20:56 -------- d-------- C:\Programme\Real
2006-09-04 20:56 -------- d-------- C:\Programme\Gemeinsame Dateien\xing shared
2006-09-04 20:56 -------- d-------- C:\Programme\Gemeinsame Dateien\Real
2006-09-04 20:12 74752 --a------ C:\WINDOWS\ST6UNST.EXE
2006-09-04 20:12 319488 --------- C:\WINDOWS\Setup1.exe
2006-09-04 16:05 -------- d-------- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\Ahead
2006-09-04 15:59 -------- d-------- C:\Programme\Gemeinsame Dateien\Ahead
2006-09-04 15:59 -------- d-------- C:\Programme\Ahead
2006-09-03 17:30 -------- d-------- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\Macromedia
2006-09-02 15:56 -------- d-------- C:\Programme\Google
2006-09-02 15:56 -------- d-------- C:\Programme\DivX
2006-08-28 22:50 -------- d-------- C:\Programme\Movie Maker
2006-08-28 13:58 -------- d-------- C:\Programme\WinAce
2006-08-28 13:27 -------- d-------- C:\Programme\Sygate
2006-08-27 19:42 -------- d-------- C:\Programme\Gemeinsame Dateien\Blizzard Entertainment
2006-08-27 18:36 -------- d-------- C:\Programme\ICQLite
2006-08-27 18:36 -------- d-------- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\ICQLite
2006-08-27 18:18 -------- d-------- C:\Programme\ICQToolbar
2006-08-27 18:08 -------- d--h----- C:\Programme\WindowsUpdate
2006-08-27 18:08 -------- d-------- C:\Programme\Realtek Sound Manager
2006-08-27 18:08 -------- d-------- C:\Programme\Gemeinsame Dateien\InstallShield
2006-08-27 18:08 -------- d-------- C:\Programme\AvRack
2006-08-27 18:06 -------- d-------- C:\Programme\Gemeinsame Dateien\SpeechEngines
2006-08-27 18:06 -------- d-------- C:\Programme\Gemeinsame Dateien\ODBC
2006-08-27 18:05 62 --ahs---- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\desktop.ini
2006-08-27 17:27 -------- d-------- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\Mozilla
2006-08-27 17:23 -------- d--h----- C:\Programme\Uninstall Information
2006-08-27 17:23 -------- d-------- C:\Programme\Messenger
2006-08-27 17:23 -------- d-------- C:\Dokumente und Einstellungen\Bennjamin\Anwendungsdaten\Identities
2006-08-27 17:16 -------- d-------- C:\Programme\xerox
2006-08-27 17:16 -------- d-------- C:\Programme\microsoft frontpage
2006-08-27 17:15 0 -rahs---- C:\MSDOS.SYS
2006-08-27 17:15 0 -rahs---- C:\IO.SYS
2006-08-27 17:15 0 --a------ C:\CONFIG.SYS
2006-08-27 17:15 0 --a------ C:\AUTOEXEC.BAT
2006-08-27 17:14 -------- d-------- C:\Programme\Online-Dienste
2006-08-27 17:14 -------- d-------- C:\Programme\NetMeeting
2006-08-27 17:14 -------- d-------- C:\Programme\Internet Explorer
2006-08-27 17:13 -------- d-------- C:\Programme\Outlook Express
2006-08-27 17:13 -------- d-------- C:\Programme\Online Services
2006-08-27 17:13 -------- d-------- C:\Programme\MSN
2006-08-27 17:13 -------- d-------- C:\Programme\Gemeinsame Dateien\System
2006-08-27 17:13 -------- d-------- C:\Programme\Gemeinsame Dateien\MSSoap
2006-08-27 17:13 -------- d-------- C:\Programme\Gemeinsame Dateien\Dienste
2006-08-27 17:13 -------- d-------- C:\Programme\ComPlus Applications
2006-08-27 17:12 -------- d-------- C:\Programme\Windows NT
2006-08-27 17:12 -------- d-------- C:\Programme\MSN Gaming Zone
2006-08-04 17:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-04 17:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-07-27 04:05 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-07-27 04:05 109568 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-07-27 04:05 108544 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-07-14 14:51 108144 --a------ C:\WINDOWS\system32\GEARAspi.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundMan"="SOUNDMAN.EXE"
"ICQ Lite"="\"C:\\Programme\\ICQLite\\ICQLite.exe\" -minimize"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"TkBellExe"="\"C:\\Programme\\Gemeinsame Dateien\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Photo Downloader"="\"C:\\Programme\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Programme\\iTunes\\iTunesHelper.exe\""
"WorksFUD"="C:\\Programme\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Programme\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Programme\\Gemeinsame Dateien\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"SunJavaUpdateSched"="C:\\Programme\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SpyHunter"="C:\\Programme\\Enigma Software Group\\SpyHunter\\SpyHunter.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{dfa61db1-388e-4c87-8d56-540fa229bcb4}"="contrabandists"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"isamonitor.exe"="C:\\Programme\\MMediaCodec\\isamonitor.exe"
"pmsngr.exe"="C:\\Programme\\MMediaCodec\\pmsngr.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"contrabandists"="{dfa61db1-388e-4c87-8d56-540fa229bcb4}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 14.10.2006 19:39:11.04
C:\ComboFix.txt ... 14.10.2006 19:39




Hier is das von SmitFraudFix


SmitFraudFix v2.109

Scan done at 19:44:38,06, 14.10.2006
Run from C:\Spyware\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\dpfwu.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Bennjamin


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Bennjamin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOKUME~1\BENNJA~1\STARTM~1\PROGRA~1\HQvideo FOUND !
C:\DOKUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOKUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\BENNJA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme

C:\Programme\HQvideo\ FOUND !
C:\Programme\MMediaCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{dfa61db1-388e-4c87-8d56-540fa229bcb4}"="contrabandists"

[HKEY_CLASSES_ROOT\CLSID\{dfa61db1-388e-4c87-8d56-540fa229bcb4}\InProcServer32]
@="C:\WINDOWS\System32\dpfwu.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{dfa61db1-388e-4c87-8d56-540fa229bcb4}\InProcServer32]
@="C:\WINDOWS\System32\dpfwu.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Windows Cleanup!

Report:

CleanUp! started on 10/14/06 19:50:27.



C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\9513p23m.exe - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\Adobe\Acrobat\7.0\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\Adobe\Acrobat\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\Adobe\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\Blizzard Installer Temp - 0007268c\Audio\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\Blizzard Installer Temp - 0007268c\Images\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\Blizzard Installer Temp - 0007268c\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\ff_temp\xpcom.ns\bin\components\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\ff_temp\xpcom.ns\bin\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\ff_temp\xpcom.ns\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\ff_temp\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\hsperfdata_Bennjamin\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\iss4.tmp\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\msohtml1\01\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\msohtml1\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\pft3.tmp\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\plugtmp\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\rb\1428\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\rb\1584\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\rb\1652\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\rb\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\Temporäres Verzeichnis 1 für AoTvsOnyxia.zip\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\Temporäres Verzeichnis 1 für RAGNAROS_NAGINATA.zip\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\VBE\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\WER13.tmp.dir00\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\WER7F.tmp.dir00\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\_ISTMP1.DIR\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\{198D74B7-EBE3-43D4-9D7A-32FC72670BDC}\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\~nsu.tmp\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\~rnsetup\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\~WKS99TEMP\ - deleted
C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp\9513p23m.exe - deleted
C:\WINDOWS\SET3.tmp - deleted
C:\WINDOWS\SET7.tmp - deleted
C:\WINDOWS\temp\_ISTMP0.DIR\ - deleted

C:\Dokumente und Einstellungen\Bennjamin\Cookies\index.dat - deleted
C:\WINDOWS\Prefetch\ACRORD32.EXE-0EC716D9.pf - deleted
C:\WINDOWS\Prefetch\ALG.EXE-0F138680.pf - deleted
C:\WINDOWS\Prefetch\APPLET.EXE-0718EF0B.pf - deleted
C:\WINDOWS\Prefetch\AUTOPLAY.EXE-328AAB68.pf - deleted
C:\WINDOWS\Prefetch\AUTORUN.EXE-055703AF.pf - deleted
C:\WINDOWS\Prefetch\AUTORUN.EXE-091F6B68.pf - deleted
C:\WINDOWS\Prefetch\AU_.EXE-30B5F8BF.pf - deleted
C:\WINDOWS\Prefetch\BALDUR.EXE-18484DBE.pf - deleted
C:\WINDOWS\Prefetch\BGMAIN.EXE-282D4371.pf - deleted
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf - deleted
C:\WINDOWS\Prefetch\CODECINSTALLER.EXE-365B1121.pf - deleted
C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf - deleted
C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf - deleted
C:\WINDOWS\Prefetch\DIVXSM.EXE-3407AB62.pf - deleted
C:\WINDOWS\Prefetch\DOSBOX.EXE-1D5B291A.pf - deleted
C:\WINDOWS\Prefetch\DRWTSN32.EXE-2B4B52AC.pf - deleted
C:\WINDOWS\Prefetch\DUMPREP.EXE-1B46F901.pf - deleted
C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf - deleted
C:\WINDOWS\Prefetch\DXSETUP.EXE-0621E587.pf - deleted
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf - deleted
C:\WINDOWS\Prefetch\FIREFOX.EXE-17EE503B.pf - deleted
C:\WINDOWS\Prefetch\FIREFOX.EXE-1D57670A.pf - deleted
C:\WINDOWS\Prefetch\FREE-SPYWARE-SCANNER-INSTALL.-0F92A0A2.pf - deleted
C:\WINDOWS\Prefetch\FREE-SPYWARE-SCANNER-INSTALL2-1E75DDF4.pf - deleted
C:\WINDOWS\Prefetch\FROZEN THRONE.EXE-054EF48D.pf - deleted
C:\WINDOWS\Prefetch\GANGSTERS.EXE-2B3E4C2A.pf - deleted
C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf - deleted
C:\WINDOWS\Prefetch\HEROES3.EXE-380D5C19.pf - deleted
C:\WINDOWS\Prefetch\ICQLITE.EXE-2AEFACA7.pf - deleted
C:\WINDOWS\Prefetch\IEXPLORE.EXE-2CA9778D.pf - deleted
C:\WINDOWS\Prefetch\IKERNEL.EXE-092EF074.pf - deleted
C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf - deleted
C:\WINDOWS\Prefetch\INS3.TMP-15FB5C80.pf - deleted
C:\WINDOWS\Prefetch\INSTMSI.EXE-30ABB33D.pf - deleted
C:\WINDOWS\Prefetch\IPCONFIG.EXE-2395F30B.pf - deleted
C:\WINDOWS\Prefetch\IPODSERVICE.EXE-233792DA.pf - deleted
C:\WINDOWS\Prefetch\ISAMINI.EXE-1EDBB557.pf - deleted
C:\WINDOWS\Prefetch\ISAMONITOR.EXE-1D292FD7.pf - deleted
C:\WINDOWS\Prefetch\ITUNES.EXE-15E88941.pf - deleted
C:\WINDOWS\Prefetch\JAVA.EXE-1586CEFA.pf - deleted
C:\WINDOWS\Prefetch\JAVAW.EXE-02BFF384.pf - deleted
C:\WINDOWS\Prefetch\JAVAW.EXE-1DA9F6E6.pf - deleted
C:\WINDOWS\Prefetch\JUCHECK.EXE-03FBF417.pf - deleted
C:\WINDOWS\Prefetch\LAF12.TMP-23A15B27.pf - deleted
C:\WINDOWS\Prefetch\LAF13.TMP-2B5D828B.pf - deleted
C:\WINDOWS\Prefetch\LAF14.TMP-0E6E0BB5.pf - deleted
C:\WINDOWS\Prefetch\LAF15.TMP-04F607F6.pf - deleted
C:\WINDOWS\Prefetch\LAUNCHER.EXE-011153CC.pf - deleted
C:\WINDOWS\Prefetch\LAUNCHER.EXE-0CBCE3F2.pf - deleted
C:\WINDOWS\Prefetch\Layout.ini - deleted
C:\WINDOWS\Prefetch\LOGON.SCR-151EFAEA.pf - deleted
C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf - deleted
C:\WINDOWS\Prefetch\MDM.EXE-27F66238.pf - deleted
C:\WINDOWS\Prefetch\MMCODEC.456.EXE-0ABC87D7.pf - deleted
C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf - deleted
C:\WINDOWS\Prefetch\MSIINST.EXE-11AA42E1.pf - deleted
C:\WINDOWS\Prefetch\MSIMN.EXE-0B61806C.pf - deleted
C:\WINDOWS\Prefetch\MSWORKS.EXE-118DC2B4.pf - deleted
C:\WINDOWS\Prefetch\NERO.EXE-32314E31.pf - deleted
C:\WINDOWS\Prefetch\NEROSTARTSMART.EXE-280EC446.pf - deleted
C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf - deleted
C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf - deleted
C:\WINDOWS\Prefetch\NTVDM.EXE-1A10A423.pf - deleted
C:\WINDOWS\Prefetch\NVCOLOR.EXE-0F67EC09.pf - deleted
C:\WINDOWS\Prefetch\NVCPLUI.EXE-315CED5C.pf - deleted
C:\WINDOWS\Prefetch\NVSVC32.EXE-1F9EED18.pf - deleted
C:\WINDOWS\Prefetch\NWIZ.EXE-2D0F9FBC.pf - deleted
C:\WINDOWS\Prefetch\PATCHJRE.EXE-056822F8.pf - deleted
C:\WINDOWS\Prefetch\PHOTOED.EXE-0635276A.pf - deleted
C:\WINDOWS\Prefetch\PLAYERCODEC1079.EXE-160C6C37.pf - deleted
C:\WINDOWS\Prefetch\PMMON.EXE-004F0E46.pf - deleted
C:\WINDOWS\Prefetch\PMSNGR.EXE-05ADE8D6.pf - deleted
C:\WINDOWS\Prefetch\REALPLAY.EXE-39F79CBD.pf - deleted
C:\WINDOWS\Prefetch\REALSCHED.EXE-0A2A7558.pf - deleted
C:\WINDOWS\Prefetch\REGISTER.EXE-152E239F.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-15BCFBC2.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-16256867.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1C195F60.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-1EADF949.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2163E312.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2256B31D.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2547AA09.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-26DA8C9B.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-275DA7B9.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2A94BB85.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2E0FDD21.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-2E5AF1D7.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-32240B45.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-3379249A.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-34ED4BD7.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-3CA84483.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-47A42AF0.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-48D6C6FA.pf - deleted
C:\WINDOWS\Prefetch\RUNONCE.EXE-2803F297.pf - deleted
C:\WINDOWS\Prefetch\SETUP.EXE-393E66AE.pf - deleted
C:\WINDOWS\Prefetch\SETUP_WM.EXE-19AC5A9B.pf - deleted
C:\WINDOWS\Prefetch\SNDVOL32.EXE-383480B7.pf - deleted
C:\WINDOWS\Prefetch\SPYHUNTER.EXE-01ECD19A.pf - deleted
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf - deleted
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf - deleted
C:\WINDOWS\Prefetch\TEAMSPEAK.EXE-1C1FA5B1.pf - deleted
C:\WINDOWS\Prefetch\TFTP.EXE-2FB50BCA.pf - deleted
C:\WINDOWS\Prefetch\TS2_CLIENT_RC2_2032.EXE-2AE11B89.pf - deleted
C:\WINDOWS\Prefetch\UNINST.EXE-13133B97.pf - deleted
C:\WINDOWS\Prefetch\UNINST.EXE-3A05C294.pf - deleted
C:\WINDOWS\Prefetch\UNINSTALL.EXE-15278D8E.pf - deleted
C:\WINDOWS\Prefetch\UNPACK200.EXE-2FB4EB88.pf - deleted
C:\WINDOWS\Prefetch\VB16.EXE-11B33584.pf - deleted
C:\WINDOWS\Prefetch\VOKABELTRAINER.EXE-024F38EF.pf - deleted
C:\WINDOWS\Prefetch\WAR3.EXE-32E38B7E.pf - deleted
C:\WINDOWS\Prefetch\WAR3_INSTALL.EXE-112E0089.pf - deleted
C:\WINDOWS\Prefetch\WDFMGR.EXE-2CF4013B.pf - deleted
C:\WINDOWS\Prefetch\WINRAR.EXE-3588DFE8.pf - deleted
C:\WINDOWS\Prefetch\WINWORD.EXE-259486DA.pf - deleted
C:\WINDOWS\Prefetch\WKSCAL.EXE-28DC9075.pf - deleted
C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf - deleted
C:\WINDOWS\Prefetch\WMPLAYER.EXE-09969332.pf - deleted
C:\WINDOWS\Prefetch\WMPLAYER.EXE-09969333.pf - deleted
C:\WINDOWS\Prefetch\WMPLAYER.EXE-09969338.pf - deleted
C:\WINDOWS\Prefetch\WMPLAYER.EXE-09969339.pf - deleted
C:\WINDOWS\Prefetch\WMPLAYER.EXE-0996933A.pf - deleted
C:\WINDOWS\Prefetch\WMPLAYER.EXE-0996933B.pf - deleted
C:\WINDOWS\Prefetch\WOW.EXE-02CAE308.pf - deleted
C:\WINDOWS\Prefetch\WRAR361D.EXE-12BD6547.pf - deleted
C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf - deleted
C:\WINDOWS\Prefetch\XPINSTALL.EXE-1F37F65D.pf - deleted
C:\WINDOWS\Prefetch\ZIPPER.EXE-2CD7645A.pf - deleted
C:\WINDOWS\Prefetch\_INS576._MP-163C354D.pf - deleted
'Run MRU' list - removed from the registry.
'Doc Find Spec MRU' list - removed from the registry.
'FindComputerMRU' list - removed from the registry.
'ComputerNameMRU' list - removed from the registry.
'ContainingTextMRU' list - removed from the registry.
'FilesNamedMRU' list - removed from the registry.
Search Assistant MRU list - removed from the registry.
Explorer Open/Save MRU list - removed from the registry.
Explorer Last Visited MRU list - removed from the registry.
Paint Recent File List - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
Windows Media Player Recent File List - removed from the registry.
WinZip Extract MRU list - removed from the registry.
WinZip File MRU list - removed from the registry.
CleanUp! 4.5.2 recovered 55.0 MB of disk space from 4308 files.
CleanUp! finished on 10/14/06 19:50:32.

#6 smitfraudfix wird das rausloeschen:

Zitat

C:\WINDOWS\system32\dpfwu.dll
2006-10-14 19:15 -------- d-------- C:\Programme\MMediaCodec
2006-10-11 16:21 -------- d-------- C:\Programme\HQvideo

**
poste also alle weiteren logs, um die ich gebeten habe
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Wie soll ich mit mit SmitFraudfix löschen???


Hier das Datfind:

14.10.2006 18:42 63.804 nvapps.xml
14.10.2006 13:40 2.184 wpa.dbl
10.10.2006 17:38 34.064 lhacm.acm
08.10.2006 13:53 0 TFTP2260
06.10.2006 18:59 7.006 jupdate-1.5.0_06-b05.log
01.10.2006 19:24 33.505 HDMPATH.INI
01.10.2006 19:24 463 WHDM.INI
18.09.2006 17:44 149.992 FNTCACHE.DAT
12.09.2006 16:34 0 TFTP2140
06.09.2006 00:39 16.832 amcompat.tlb
06.09.2006 00:39 23.392 nscompat.tlb
04.09.2006 20:56 176.167 rmoc3260.dll
04.09.2006 20:56 6.656 pndx5016.dll
04.09.2006 20:56 5.632 pndx5032.dll
04.09.2006 20:56 278.528 pncrt.dll
04.09.2006 12:15 0 TFTP1944
01.09.2006 16:14 65.536 QuickTimeVR.qtx
01.09.2006 16:14 49.152 QuickTime.qts
29.08.2006 19:43 135.168 swreg.exe
29.08.2006 17:51 0 TFTP1556
28.08.2006 13:00 4.212 zllictbl.dat
27.08.2006 18:09 0 h323log.txt
27.08.2006 17:28 39.992 perfc009.dat
27.08.2006 17:28 316.594 perfh007.dat
27.08.2006 17:28 311.604 perfh009.dat
27.08.2006 17:28 723.744 PerfStringBackup.INI
27.08.2006 17:28 48.156 perfc007.dat
27.08.2006 17:23 25.065 wmpscheme.xml
27.08.2006 17:17 261 $winnt$.inf
27.08.2006 17:15 2.951 CONFIG.NT
27.08.2006 17:15 488 logonui.exe.manifest
27.08.2006 17:15 488 WindowsLogon.manifest
27.08.2006 17:14 749 nwc.cpl.manifest
27.08.2006 17:14 749 wuaucpl.cpl.manifest
27.08.2006 17:14 749 sapi.cpl.manifest
27.08.2006 17:14 749 cdplayer.exe.manifest
27.08.2006 17:14 749 ncpa.cpl.manifest
27.08.2006 17:13 21.740 emptyregdb.dat
04.08.2006 17:37 73.728 dpl100.dll
04.08.2006 17:37 196.608 dtu100.dll
27.07.2006 04:05 3.596.288 qt-dx331.dll
27.07.2006 04:05 421.888 pxdrv.dll
27.07.2006 04:05 108.544 pxcpyi64.exe
27.07.2006 04:05 109.568 pxinsi64.exe
27.07.2006 04:05 172.032 pxmas.dll
27.07.2006 04:05 372.736 px.dll
27.07.2006 04:05 56.832 pxcpya64.exe
27.07.2006 04:05 61.440 pxhpinst.exe
27.07.2006 04:05 56.320 pxinsa64.exe
27.07.2006 04:05 339.968 pxwave.dll
27.07.2006 04:05 28.672 vxblock.dll
14.07.2006 14:51 108.144 GEARAspi.dll

#8 du sollst smitfraudfix einfach anwenden - option 1 und 2 und dann beide scanreporte hier posten
__________
MfG Sabina

rund um die PC-Sicherheit

#9 datfind sind 6 logs ..........
__________
MfG Sabina

rund um die PC-Sicherheit

#10 er macht nur eine log datei auf bei datfind

Ah habs!

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 18E5-55E6

Verzeichnis von C:\DOKUME~1\BENNJA~1\LOKALE~1\Temp

14.10.2006 20:07 978 TmpICQMagic_{05736BBE-C20F-4F10-A6DE-4DB1E3564B0E}18015.html
14.10.2006 20:07 512 ~DF9A59.tmp
14.10.2006 20:07 16.384 ~DF9A4D.tmp
14.10.2006 20:07 512 ~DF9A3D.tmp
14.10.2006 20:07 16.384 ~DF99F9.tmp
14.10.2006 20:07 512 ~DF9A05.tmp
14.10.2006 20:07 16.384 ~DF9A15.tmp
14.10.2006 20:07 512 ~DF9A21.tmp
14.10.2006 20:07 16.384 ~DF9A31.tmp
14.10.2006 20:07 16.384 ~DF8DA1.tmp
14.10.2006 20:07 512 ~DF65E6.tmp
14.10.2006 20:07 16.384 ~DF65AA.tmp
14.10.2006 20:02 16.384 ~DFC974.tmp
13 Datei(en) 118.226 Bytes
0 Verzeichnis(se), 38.677.942.272 Bytes frei


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 18E5-55E6

Verzeichnis von C:\WINDOWS

14.10.2006 20:06 159 wiadebug.log
14.10.2006 20:06 50 wiaservc.log
14.10.2006 20:06 0 0.log
14.10.2006 20:05 2.048 bootstat.dat
14.10.2006 20:01 32.614 SchedLgU.Txt
14.10.2006 19:58 176.195 setupact.log
14.10.2006 13:43 400.951 setupapi.log
06.10.2006 19:04 2.387 mozver.dat
03.10.2006 22:13 12.580 Windows Update.log
30.09.2006 21:44 3.122 wmsetup.log
17.09.2006 14:19 400 ODBC.INI
15.09.2006 18:23 498 GEARInstall.log
13.09.2006 16:44 54.239 War3Unin.dat
13.09.2006 16:41 2.829 War3Unin.pif
13.09.2006 16:41 139.264 War3Unin.exe
06.09.2006 00:39 374 wmsetup10.log
06.09.2006 00:39 503 win.ini
06.09.2006 00:39 316.640 WMSysPr9.prx
06.09.2006 00:39 299.552 WMSysPrx.prx
05.09.2006 22:27 270 nsw.log
04.09.2006 20:58 25 cdplayer.ini
04.09.2006 20:12 319.488 Setup1.exe
04.09.2006 20:12 74.752 ST6UNST.EXE
27.08.2006 20:08 76.565 DirectX.log
27.08.2006 18:08 0 Sti_Trace.log
27.08.2006 18:06 1.348 regopt.log
27.08.2006 18:06 231 system.ini
27.08.2006 17:28 0 nsreg.dat
27.08.2006 17:23 820 OEWABLog.txt
27.08.2006 17:23 712.027 setuplog.txt
27.08.2006 17:18 8.192 REGLOCS.OLD
27.08.2006 17:17 7.699 ntdtcsetup.log
27.08.2006 17:17 15.687 comsetup.log
27.08.2006 17:17 47.549 iis6.log
27.08.2006 17:17 10.175 tsoc.log
27.08.2006 17:17 4.382 imsins.log
27.08.2006 17:17 1.246 setuperr.log
27.08.2006 17:15 0 control.ini
27.08.2006 17:15 4.161 ODBCINST.INI
27.08.2006 17:14 749 WindowsShell.Manifest
27.08.2006 17:13 12.817 ocgen.log
27.08.2006 17:13 1.065 ocmsn.log
27.08.2006 17:13 821 msgsocm.log
27.08.2006 17:13 11.536 FaxSetup.log
27.08.2006 17:13 1.060 sessmgr.setup.log
27.08.2006 17:13 36 vb.ini
27.08.2006 17:13 37 vbaddin.ini
27.08.2006 17:13 128 DtcInstall.log
27.08.2006 17:12 9.868 msmqinst.log



Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 18E5-55E6

Verzeichnis von C:\WINDOWS\Temp




Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 18E5-55E6

Verzeichnis von C:\WINDOWS\Downloaded Program Files

27.08.2006 17:15 65 desktop.ini
30.06.2003 22:41 1.689 WMV9VCM.inf
2 Datei(en) 1.754 Bytes
0 Verzeichnis(se), 38.677.929.984 Bytes frei




Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 18E5-55E6

Verzeichnis von C:\

14.10.2006 20:10 0 sys.txt
14.10.2006 20:10 345 down.txt
14.10.2006 20:10 117 tmp.txt
14.10.2006 20:09 4.571 system.txt
14.10.2006 20:09 932 systemtemp.txt
14.10.2006 20:09 98.853 system32.txt
14.10.2006 20:05 805.306.368 pagefile.sys
14.10.2006 19:58 847 rapport.txt
14.10.2006 19:39 12.168 ComboFix.txt
01.10.2006 18:45 14 EARTH.$$$
27.08.2006 17:15 0 MSDOS.SYS
27.08.2006 17:15 0 IO.SYS
27.08.2006 17:15 0 CONFIG.SYS
27.08.2006 17:15 0 AUTOEXEC.BAT
27.08.2006 17:10 194 boot.ini





Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.


OK bin soweit kommt keine Meldung mehr von Virusburster. Soll ich noch irgendwas machen?

#11 Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein

Zitat

Files to delete:
C:\WINDOWS\system32\TFTP2260
C:\WINDOWS\system32\TFTP2140
C:\WINDOWS\system32\TFTP1944
C:\WINDOWS\system32\TFTP1556

Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten


öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

Zitat

O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Programme\MMediaCodec\isaddon.dll

O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Programme\MMediaCodec\iesplugin.dll (file missing)


O17 - HKLM\System\CCS\Services\Tcpip\..\{3BE35BF1-4B5D-451F-9D85-64C3A86115FD}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\..\{87B2946D-F4A0-4A15-B995-6D1B53B1352B}: NameServer = 85.255.115.37 85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142
O17 - HKLM\System\CS1\Services\Tcpip\..\{3BE35BF1-4B5D-451F-9D85-64C3A86115FD}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142
O17 - HKLM\System\CS2\Services\Tcpip\..\{3BE35BF1-4B5D-451F-9D85-64C3A86115FD}: NameServer = 85.255.115.37,85.255.112.142
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.37 85.255.112.142


O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\System32\dpfwu.dll

PC neustarten

bevor du wieder ins Internet gehst:

Bei Netzwerk/Eigenschaften des Internetprotokolls steht denn auch IP und DNS automatisch beziehen - anhaken

85.255.115.37,85.255.112.142 - muss raus !

1. Click Start > Control Panel
2. Double-click Network Connections.


**
F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml

1. Klicke den Link: "F-Secure Online Scanner Next Generation Beta".
2. Du wirst aufgefordert werden, ein ActiveX-Control zu installieren
3. Installiere diese ActiveX-Komponente
4. Lies die Anleitung und klicke: "Accept"
5. Klicke "Full System Scan"
6. klicke "Show report" - kopiere den Scanreport

**
poste das neue Log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#12 Hiho, wollt nur sagen das nu alles wieder ganz normal is. Alles soweit weg! Wollt mich nochmal bedanken^^. Hier noch die Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 22:16:57, on 15.10.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Spyware\HijackThis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Programme\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Programme\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{87B2946D-F4A0-4A15-B995-6D1B53B1352B}: NameServer = 85.255.115.37 85.255.112.142
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe

#13 Troopersix

fixe mit dem Hijackthis:

O17 - HKLM\System\CCS\Services\Tcpip\..\{87B2946D-F4A0-4A15-B995-6D1B53B1352B}: NameServer = 85.255.115.37 85.255.112.142

PC neustarten

F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml

1. Klicke den Link: "F-Secure Online Scanner Next Generation Beta".
2. Du wirst aufgefordert werden, ein ActiveX-Control zu installieren
3. Installiere diese ActiveX-Komponente
4. Lies die Anleitung und klicke: "Accept"
5. Klicke "Full System Scan"
6. klicke "Show report" - kopiere hier den Scanreport
+
das neue log vom HijackThis

**
dann musst du auch unbedingt die windowsupdates machen !
__________
MfG Sabina

rund um die PC-Sicherheit

#14 Hallo,

hab mir ebenfalls diese Schei... eingafangen und bin zudem noch blutiger PC-Anfänger.
Hab mir Hijack... runtergeladen, welches mir folgendes Ergebnis auflistet:

__________________________________________________________________

Hallo,

habe mittlerweile den Ordner MMEDIACODEC gelöscht bekommen.
Folglich nochmal ein neuer Log von Hijacker:

Logfile of HijackThis v1.99.1
Scan saved at 16:32:48, on 16.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Ashampoo\Ashampoo AntiVirus\AshAVSrv.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\Spyware Doctor\sdhelp.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programme\Google\Gmail Notifier\gnotify.exe
C:\Programme\Picasa2\PicasaMediaDetector.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
C:\Programme\Spyware Doctor\swdoctor.exe
C:\Programme\Ferrari\FFAX32\ffax32.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programme\AntiVir PersonalEdition Classic\avcenter.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programme\Datasec sales.IQ\sales.IQ 3.3.0.888\salesperformer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Dokumente und Einstellungen\tweber\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.localshop24.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://heidi/
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - C:\Programme\MMediaCodec\isaddon.dll (file missing)
O3 - Toolbar: Protection Bar - {44d22a64-2399-4edf-8b32-f2c729c1e8a7} - C:\Programme\MMediaCodec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programme\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programme\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [kav] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [anqymslo] C:\ubasyyje.bat
O4 - HKCU\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programme\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Werkzeugleiste.lnk = C:\Programme\Ferrari\FFAX32\ffax32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = datasec.de
O17 - HKLM\Software\..\Telephony: DomainName = datasec.de
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = datasec.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = datasec.de
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avGuard Service (avGuard) - Unknown owner - C:\Programme\Ashampoo\Ashampoo AntiVirus\AshAVSrv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programme\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe

Für eure Hilfe, ob das System jetzt Clean ist, wäre ich Euch sehr dankbar!

#15 tobsen1979

scanne mit option 1 und 2 und poste hier beide scanreporte
http://virus-protect.org/artikel/tools/smitfrautfix.html

Info, http://virus-protect.org/artikel/spyware/mmediacodec_remove.html
__________
MfG Sabina

rund um die PC-Sicherheit