Probably a hijacker

08.11.2006, 19:44
...new here

Posts: 7
#1 I think I have caught a hijacker and need to get rid of it again.

Thanks in advance, Ralf.

Logfile of HijackThis v1.99.1
Scan saved at 19:28:19, on 08.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Microsoft IntelliType Pro\type32.exe
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Canon\CAL\CALMAIN.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Dokumente und Einstellungen\Admin\Lokale Einstellungen\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [oamxq.exe] C:\WINDOWS\system32\oamxq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{78A880D5-1FC5-4179-9994-7BCF575F8704}: NameServer = 85.255.114.66,85.255.112.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DB7B32B-1936-47F2-B192-F3ECBA607C6D}: NameServer = 85.255.114.66,85.255.112.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.66 85.255.112.130
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.66 85.255.112.130
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.66 85.255.112.130
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programme\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

now ComboFix as well:

Admin - 06-11-08 19:47:11,65 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Dokumente und Einstellungen\Admin\Eigene Dateien\BrowserHijackerRemoval\combofix"

((((((((((((((((((((((((((((((( Files Created from 2006-10-08 to 2006-11-08 ))))))))))))))))))))))))))))))))))


2006-11-08 05:00 32,768 --a------ C:\WINDOWS\system32\chipxum.dll
2006-11-08 04:53 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2006-11-01 16:45 51,729 --a------ C:\WINDOWS\system32\csmkk.exe
2006-10-16 19:37 159,744 --a------ C:\WINDOWS\BJPSUNST.EXE


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-08 19:38 -------- d-------- C:\Programme\CleanUp!
2006-11-08 05:02 -------- d-------- C:\Programme\Internet Explorer
2006-11-08 05:00 -------- d-------- C:\Programme\CHIP XP-Update-Manager
2006-11-08 04:53 -------- d-------- C:\Programme\Outlook Express
2006-11-08 04:53 -------- d-------- C:\Programme\Gemeinsame Dateien\System
2006-11-08 04:52 -------- d-------- C:\Programme\Windows Media Player
2006-11-08 04:48 -------- d-------- C:\Programme\a-squared HiJackFree
2006-11-07 05:03 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\TrojanHunter
2006-11-06 20:32 -------- d-------- C:\Programme\TrojanHunter 4.6
2006-11-05 09:17 1864 --a------ C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\QuickZip45.ini
2006-11-01 18:38 -------- d-------- C:\Programme\Lavasoft
2006-11-01 18:38 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Lavasoft
2006-11-01 18:34 -------- d-------- C:\Programme\Spyware Doctor
2006-11-01 18:34 -------- d-------- C:\Programme\CleanUp!(2)
2006-10-18 04:16 -------- d-------- C:\Programme\StarMoney 5.0
2006-10-17 17:51 -------- d-------- C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\Adobe
2006-10-16 19:37 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-10-16 19:37 -------- d-------- C:\Programme\Canon
2006-10-02 19:11 -------- d-------- C:\Programme\PowerQuest
2006-10-02 02:09 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-01 04:34 -------- d-------- C:\Programme\Gemeinsame Dateien\Blizzard Entertainment
2006-10-01 04:34 -------- d-------- C:\Programme\Gemeinsame Dateien
2006-09-25 16:45 666240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-09-25 16:40 87424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-09-25 16:40 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-09-25 16:39 36176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-09-25 16:39 16352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-09-25 16:37 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-09-25 16:37 24560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-09-20 07:13 -------- d-------- C:\Programme\Gemeinsame Dateien\Canon
2006-09-13 06:02 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-02 03:16 255 --a------ C:\WINDOWS\TMPCPYIS.BAT
2006-09-02 03:16 122 --a------ C:\WINDOWS\TMPDELIS.BAT
2006-08-25 16:46 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 18:16 26 --a------ C:\WINDOWS\WINSTART.BAT
2006-08-21 13:26 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"SpybotSD TeaTimer"="C:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"type32"="\"C:\\Programme\\Microsoft IntelliType Pro\\type32.exe\""
"IntelliPoint"="\"C:\\Programme\\Microsoft IntelliPoint\\point32.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Adobe Photo Downloader"="\"C:\\Programme\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"TkBellExe"="\"C:\\Programme\\Gemeinsame Dateien\\Real\\Update_OB\\realsched.exe\" -osboot"
"oamxq.exe"="C:\\WINDOWS\\system32\\oamxq.exe"
"oamxq.exe"="C:\\WINDOWS\\system32\\oamxq.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: 06-11-08 19:48:17.31
C:\ComboFix.txt ... 06-11-08 19:48

and now Datfind.bat

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 0057-CF08

Verzeichnis von C:\WINDOWS\system32

08.11.2006 19:19 395.200 perfh009.dat
08.11.2006 19:19 59.440 perfc009.dat
08.11.2006 19:19 408.618 perfh007.dat
08.11.2006 19:19 71.598 perfc007.dat
08.11.2006 19:19 946.822 PerfStringBackup.INI
07.11.2006 19:57 2.206 wpa.dbl
06.11.2006 20:30 59.392 streamhlp.dll
01.11.2006 18:34 534 ikhcore.log
04.10.2006 13:03 9.639.336 MRT.exe
03.10.2006 06:03 51.729 csmkk.exe
02.10.2006 02:09 98.304 CmdLineExt.dll
30.09.2006 04:04 3.002 CONFIG.NT
25.09.2006 16:45 666.240 aswBoot.exe
25.09.2006 16:37 90.112 AVASTSS.scr
13.09.2006 06:02 1.084.416 msxml3.dll
04.09.2006 07:12 1.494.016 shdocvw.dll
25.08.2006 16:46 617.472 comctl32.dll
21.08.2006 13:26 16.896 fltlib.dll
21.08.2006 10:14 23.040 fltmc.exe
16.08.2006 12:58 100.352 6to4svc.dll
06.08.2006 06:11 176.167 rmoc3260.dll
06.08.2006 06:11 5.632 pndx5032.dll
06.08.2006 06:11 6.656 pndx5016.dll
06.08.2006 06:11 278.528 pncrt.dll
28.07.2006 04:28 3.075.072 mshtml.dll
27.07.2006 14:25 679.424 inetcomm.dll
25.07.2006 21:33 615.936 urlmon.dll
23.07.2006 11:16 353 hpguapi.ini
21.07.2006 09:29 72.704 hlink.dll
14.07.2006 16:41 336.896 netapi32.dll
14.07.2006 16:25 546.304 hhctrl.ocx
13.07.2006 14:34 8.494.592 shell32.dll
05.07.2006 11:55 1.057.792 kernel32.dll

edit (Sabina)


First of all, respect for taking on my problem last night. And people always say there are no committed people left in this country. And now the log file from Fixwareout


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4FB0906619D7-E48A-8A94-605D-A88FFBB6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\wmimd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSMKK.EXE 51.729 2006-10-03
C:\WINDOWS\SYSTEM32\CSNQR.EXE 51.729 2006-10-03
C:\WINDOWS\SYSTEM32\DMIMW.EXE 60.951 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.




"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"MSMSGS" = "C:\Programme\Messenger\msmsgs.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"type32" = ""C:\Programme\Microsoft IntelliType Pro\type32.exe"" [MS]
"IntelliPoint" = ""C:\Programme\Microsoft IntelliPoint\point32.exe"" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Adobe Photo Downloader" = ""C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"oamxq.exe" = "C:\WINDOWS\system32\oamxq.exe" [file not found]
"dmaqu.exe" = "C:\WINDOWS\system32\dmaqu.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Zooming Property Page"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "Schnurlose Eigenschaften"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {HKLM...CLSID} = "Scrollrad-Eigenschaftenseite"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {HKLM...CLSID} = "Aktivitäten-Eigenschaftenseite"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {HKLM...CLSID} = "Tasten-Eigenschaftenseite"
\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Grüne Idylle.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Grüne Idylle.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Admin" & "All Users" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"WinZip Quick Pick" -> shortcut to: "C:\Programme\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Programme\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Programme\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Canon Camera Access Library 8, CCALib8, "C:\Programme\Canon\CAL\CALMAIN.exe" ["Canon Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor i865\Driver = "CNMLM5m.DLL" ["CANON INC."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
T-Sinus\Driver = "lanpress.dll" [file not found]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 36 seconds, including 8 seconds for message boxes)
This post was edited on 09.11.2006 at 21:08 by Ralf_z.
08.11.2006, 22:26
Honorary member
Sabina

Posts: 29434
#2 The internet connection is being redirected to a server in Ukraine.

post this log
http://virus-protect.org/artikel/tools/fixwareout.html

+
post this log
http://virus-protect.org/silentrunner.html
__________
Regards, Sabina

all about PC security
11.11.2006, 01:09
Honorary member
Sabina

Posts: 29434
#3 Ralf_z

Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste this in

Quote

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|oamxq.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|dmaqu.exe

Files to delete:
C:\WINDOWS\system32\dmaqu.exe
C:\WINDOWS\system32\csmkk.exe
C:\WINDOWS\SYSTEM32\CSNQR.EXE
C:\WINDOWS\SYSTEM32\DMIMW.EXE
C:\WINDOWS\rdt.ini
C:\WINDOWS\balloon.wav
Click the green traffic light
the script will now run, then the PC will restart automatically

»»
delete the Avenger backup at C:\Avenger\backup.zip + empty the Recycle Bin

open HijackThis -- button "Scan" -- tick the boxes in front of these entries -- button "Fix checked" -- restart the PC

Quote

O17 - HKLM\System\CCS\Services\Tcpip\..\{78A880D5-1FC5-4179-9994-7BCF575F8704}: NameServer = 85.255.114.66,85.255.112.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DB7B32B-1936-47F2-B192-F3ECBA607C6D}: NameServer = 85.255.114.66,85.255.112.130
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.66 85.255.112.130
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.66 85.255.112.130
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.66 85.255.112.130
restart the PC

**
Under Network / Internet Protocol properties there is also "Obtain IP and DNS automatically" - tick it

85.255.114.66 85.255.112.130 - must go !!!!


1. Click Start > Control Panel
2. Double-click Network Connections.

**
F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml

1. Click the link: "F-Secure Online Scanner Next Generation Beta".
2. You will be prompted to install an ActiveX control
3. Install this ActiveX component
4. Read the instructions and click: "Accept"
5. Click "Full System Scan"
6. Click "Show report" - copy the scan report
+
post the new HijackThis log
__________
Kind regards, Sabina

all about PC security
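As an added example (not code from the thread or from any of the tools mentioned), a small Python triage script that applies the two checks Sabina performs by hand in the post above to HijackThis log lines: O17 NameServer entries pointing at resolvers outside the home network, and O4 Run entries whose target is an auto-named executable in system32. The sample log lines are constructed from the entries posted in this thread; the five-letter naming heuristic and the `allowlist` parameter are assumptions of the example.

```python
"""Triage helper for HijackThis logs, written for this thread as an added
example (not the tool's own code).  It applies the two checks performed by
hand above: O17 NameServer entries pointing at resolvers outside the home
network, and O4 Run entries whose target is an auto-named executable in
system32 (dmaqu.exe, dmrym.exe, dmhyy.exe, dmbcv.exe, dmulr.exe here)."""
import ipaddress
import re

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# O4 - HKLM\..\Run: [value name] C:\path\to\program.exe [arguments]
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Naming scheme of the dropper in this thread: five letters + .exe.  This is
# an assumed heuristic for the example, not a general malware signature.
AUTONAME_RE = re.compile(r"^[a-z]{5}\.exe$", re.IGNORECASE)

# Constructed sample modelled on the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dmrym.exe] C:\WINDOWS\system32\dmrym.exe
O4 - HKLM\..\Run: [dmhyy.exe] C:\WINDOWS\system32\dmhyy.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{78A880D5-1FC5-4179-9994-7BCF575F8704}: NameServer = 85.255.114.66,85.255.112.130
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.66 85.255.112.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DB7B32B-1936-47F2-B192-F3ECBA607C6D}: NameServer = 192.168.20.1
"""


def suspicious_name_servers(line, allowlist=()):
    """Return the resolvers in an O17 line that are neither private (the
    router at 192.168.20.1 in this thread) nor in the caller's allowlist.
    Deliberately configured public resolvers belong in the allowlist."""
    m = O17_RE.match(line.strip())
    if not m:
        return []
    flagged = []
    # HijackThis prints the list comma- or space-separated depending on the key.
    for token in re.split(r"[,\s]+", m.group("servers").strip()):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            flagged.append(token)  # not even an address: worth a look
            continue
        if not ip.is_private and token not in allowlist:
            flagged.append(token)
    return flagged


def suspicious_run_entry(line):
    """Return the executable path when an O4 Run entry matches the pattern
    of the entries fixed in this thread: a five-letter .exe in system32,
    registered under its own file name.  None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    # Quoted paths may contain spaces; unquoted ones end at the first space.
    path = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
    exe = path.rsplit("\\", 1)[-1]
    in_system32 = "\\system32\\" in path.lower()
    if in_system32 and AUTONAME_RE.match(exe) and m.group("name").lower() == exe.lower():
        return path
    return None


def triage(log_text, allowlist=()):
    """Walk a HijackThis log and return (kind, value, line) findings."""
    findings = []
    for line in log_text.splitlines():
        for ns in suspicious_name_servers(line, allowlist):
            findings.append(("rogue-dns", ns, line))
        exe = suspicious_run_entry(line)
        if exe:
            findings.append(("autoname-run", exe, line))
    return findings


if __name__ == "__main__":
    for kind, value, line in triage(SAMPLE_LOG):
        print(f"{kind:13} {value:32} <- {line}")
```

Run against the sample it reports the two rogue resolvers from each O17 line and the two dm*.exe Run entries, while the router entry and the legitimate system32 programs pass.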
12.11.2006, 11:36
...new here

Thread starter

Posts: 7
#4 Scanning Report
Sunday, November 12, 2006 10:30:49 - 11:15:56
Computer name: RZ-ATLON2600
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\ F:\ G:\ H:\ I:\ L:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------



Statistics
Scanned:
Files: 33801
System: 4027
Not scanned: 10
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DMBCV.EXE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
D:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
E:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
F:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
G:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
H:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
I:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2006-11-10
F-Secure AVP: 7.0.171, 2006-11-10
F-Secure Orion: 1.2.37, 2006-11-10
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Draco: 1.0.35, 0260-02-44
F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 11:33:26, on 12.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\Canon\CAL\CALMAIN.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Microsoft IntelliType Pro\type32.exe
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Internet Explorer\iexplore.exe
G:\Datensic\Treiber_Programme\BrowserHijackerRemoval\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.20.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.20.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dmrym.exe] C:\WINDOWS\system32\dmrym.exe
O4 - HKLM\..\Run: [dmhyy.exe] C:\WINDOWS\system32\dmhyy.exe
O4 - HKLM\..\Run: [dmbcv.exe] C:\WINDOWS\system32\dmbcv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DB7B32B-1936-47F2-B192-F3ECBA607C6D}: NameServer = 192.168.20.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programme\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe




-----------------------------------------------
One more personal remark: I always look at when, that is at what time of day, you do this; it takes a good deal of commitment and enthusiasm to solve other people's problems, in this case mine.
I can't thank you enough and must pay my respect to this effort.

Kind regards, Ralf
12.11.2006, 11:56
Honorary member
Sabina

Posts: 29434
#5 Ralf_z

fix with HijackThis:

Quote

O4 - HKLM\..\Run: [dmrym.exe] C:\WINDOWS\system32\dmrym.exe
O4 - HKLM\..\Run: [dmhyy.exe] C:\WINDOWS\system32\dmhyy.exe
O4 - HKLM\..\Run: [dmbcv.exe] C:\WINDOWS\system32\dmbcv.exe
restart the PC

**
scan with Panda and post the scan report
http://virus-protect.org/onlinescan.html
__________
Kind regards, Sabina

all about PC security
13.11.2006, 20:27
...new here

Thread starter

Posts: 7
#6 Incident Status Location

Adware:adware/megatds Not disinfected Windows Registry
Spyware:Cookie/Overture Not disinfected C:\Dokumente und Einstellungen\Admin\Cookies\admin@overture[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Dokumente und Einstellungen\Admin\Cookies\admin@server.iad.liveperson[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Dokumente und Einstellungen\Admin\Cookies\admin@tradedoubler[2].txt
Virus:Trj/Ruins.DA Disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1003\Dc17.zip[avenger/csmkk.exe]
Virus:Trj/Ruins.DA Disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1003\Dc17.zip[avenger/CSNQR.EXE]
Spyware:Cookie/2o7 Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc1.txt
Spyware:Cookie/Sextracker Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc10.txt
Spyware:Cookie/Sextracker Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc11.txt
Spyware:Cookie/Sextracker Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc12.txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc14.txt
Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc17.txt
Spyware:Cookie/888 Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc2.txt
Spyware:Cookie/Mediaplex Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc29.txt
Spyware:Cookie/YieldManager Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc3.txt
Spyware:Cookie/Paypopup Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc34.txt
Spyware:Cookie/Sextracker Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc39.txt
Spyware:Cookie/Tradedoubler Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc44.txt
Spyware:Cookie/Falkag Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc6.txt
Spyware:Cookie/Statcounter Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc61.txt
Spyware:Cookie/Atlas DMT Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc7.txt
Spyware:Cookie/Cassava Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc8.txt
Potentially unwanted tool:Application/KillApp.B Not disinfected E:\localhost\xampp\apache\bin\kill.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected E:\xamppInstall\xampp-win32-1.4.2-installer.exe[kill.exe]
thanks
13.11.2006, 23:50
Honorary member
Sabina

Posts: 29434
#7 empty the Recycle Bin, then everything should be OK again.
don't forget to disable System Restore either - then enable it again.
__________
Kind regards, Sabina

all about PC security
14.11.2006, 19:24
...new here

Thread starter

Posts: 7
#8 unfortunately it didn't work, I still have the redirection and wrong search results
I'll now start everything over again from the beginning and then see

Regards, Ralf
15.11.2006, 00:49
Honorary member
Sabina

Posts: 29434
16.11.2006, 18:45
...new here

Thread starter

Posts: 7
#10 WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 16.11.2006 18:41:38
WinPFind v1.5.0 Folder = G:\Datensic\Treiber_Programme\BrowserHijackerRemoval\winpfind\WinPFind\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 25.09.2006 16:45:08 666240 C:\WINDOWS\SYSTEM32\aswBoot.exe ()
aspack 18.03.2005 17:19:58 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll (Microsoft Corporation)
aspack 26.05.2005 15:34:52 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll (Microsoft Corporation)
PEC2 18.08.2001 13:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc ()
Umonitor 11.04.2001 20:13:46 331776 C:\WINDOWS\SYSTEM32\ipebase12.dll (Hewlett-Packard Company)
PTech 12.07.2005 18:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft® Corporation)
PECompact2 04.10.2006 13:03:46 9639336 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 04.10.2006 13:03:46 9639336 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
WSUD 04.08.2004 00:58:08 1228800 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
aspack 04.08.2004 00:57:10 733696 C:\WINDOWS\SYSTEM32\ntdll.dll (Microsoft Corporation)
WSUD 04.08.2004 00:58:24 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
Umonitor 04.08.2004 00:57:34 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
winsync 18.08.2001 13:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()

Checking %System%\Drivers folder and sub-folders...
PTech 03.08.2004 22:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys (Smart Link)

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
16.11.2006 18:38:10 S 2048 C:\WINDOWS\bootstat.dat ()
08.11.2006 05:02:36 RHS 227 C:\WINDOWS\assembly\Desktop.ini ()
08.11.2006 05:02:36 RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme ()
08.11.2006 05:02:36 RH 0 C:\WINDOWS\assembly\pubpol1.dat ()
08.11.2006 20:17:48 RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index22.dat ()
08.11.2006 20:17:52 RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index23.dat ()
18.09.2006 15:40:10 S 8847 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB925486.cat ()
16.11.2006 18:38:46 H 1024 C:\WINDOWS\system32\config\default.LOG ()
16.11.2006 18:38:18 H 1024 C:\WINDOWS\system32\config\SAM.LOG ()
16.11.2006 18:38:48 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG ()
16.11.2006 18:44:54 H 1024 C:\WINDOWS\system32\config\software.LOG ()
16.11.2006 18:41:38 H 1024 C:\WINDOWS\system32\config\system.LOG ()
08.11.2006 19:11:10 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG ()
08.10.2006 19:23:38 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\8ebb57ee-f778-4489-92d8-5b8dec749392 ()
08.10.2006 19:23:38 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
16.11.2006 18:38:16 H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
04.08.2004 00:58:24 70656 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
04.08.2004 00:58:24 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
04.08.2004 00:58:24 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl (Microsoft Corporation)
04.08.2004 00:58:24 138240 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
04.08.2004 00:58:24 80384 C:\WINDOWS\SYSTEM32\firewall.cpl (Microsoft Corporation)
04.08.2004 00:58:24 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
23.12.2003 15:40:52 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl (Ahead Software AG)
04.08.2004 00:58:24 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
04.08.2004 00:58:24 133120 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
04.08.2004 00:58:24 381440 C:\WINDOWS\SYSTEM32\irprops.cpl (Microsoft Corporation)
04.08.2004 00:58:24 69632 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
18.08.2001 13:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
04.08.2004 00:58:24 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
18.08.2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
04.08.2004 00:58:24 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl (Microsoft Corporation)
04.08.2004 00:58:24 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
18.08.2001 13:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
04.08.2004 00:58:24 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
04.08.2004 00:58:24 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
04.08.2004 00:58:24 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
18.08.2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
04.08.2004 00:58:24 94208 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
04.08.2004 00:58:24 148480 C:\WINDOWS\SYSTEM32\wscui.cpl (Microsoft Corporation)
26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
18.08.2001 13:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
18.08.2001 13:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
18.08.2001 13:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
18.08.2001 13:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc3.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{9D190AE6-C81E-4039-8061-978EBAD10073} - F-Secure Online Scanner 3.0 - CodeBase = http://support.f-secure.com/ols3/fscax.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11.03.2006 04:18:36 1936 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Gamma Loader.lnk ()
30.06.2006 04:26:44 1737 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk ()
06.01.2006 22:45:32 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini ()
21.01.2006 20:13:00 1498 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
06.01.2006 20:31:16 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini ()

Checking files in %USERPROFILE%\Startup folder...
06.01.2006 22:45:32 HS 84 C:\Dokumente und Einstellungen\Admin\Startmenü\Programme\Autostart\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
26.01.2006 21:12:12 2691 C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\AdobeDLM.log ()
06.01.2006 20:31:16 HS 62 C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\desktop.ini ()
26.01.2006 21:12:12 0 C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\dm.ini ()
05.11.2006 09:17:40 1864 C:\Dokumente und Einstellungen\Admin\Anwendungsdaten\QuickZip45.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.google.de/
\\Search Bar - http://www.google.com/ie
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - C:\WINDOWS\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://www.google.com/ie


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Sucheingriff = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Adobe PDF Reader Link Helper = C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - = ()
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer-Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar mit Pop-Up-Blocker = C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Adresse = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Adresse = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar mit Pop-Up-Blocker = C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8192 = Windows Messenger
\\NEXTID - 8194
\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8193 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Recherchieren =
\{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Programme\Messenger\msmsgs.exe (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - CPL-Erweiterung für Anzeigeverschiebung = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shellerweiterungen für die Dateikomprimierung = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Kontextmenü für die Verschlüsselung = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - Erweiterung für HyperTerminal-Icons = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskleiste und Startmenü = ()
\\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - Benutzerkonten = ()
\\{472083B0-C522-11CF-8763-00608CC02F24} - avast = C:\Programme\Alwil Software\Avast4\ashShell.dll (ALWIL Software)
\\{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} - TuneUp Shredder Shell Context Menu Extension = "C:\Programme\TuneUp Utilities 2006\sdshelex.dll" (TuneUp Software GmbH)
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Programme\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.)
\\{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} - TrojanHunter Menu Shell Extension = C:\PROGRA~1\TROJAN~1.6\contmenu.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\avast - {472083B0-C522-11CF-8763-00608CC02F24} = C:\Programme\Alwil Software\Avast4\ashShell.dll (ALWIL Software)
\TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.6\contmenu.dll ()
\TuneUp Shredder - {00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programme\TuneUp Utilities 2006\sdshelex.dll" (TuneUp Software GmbH)
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.6\contmenu.dll ()
\TuneUp Shredder - {00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programme\TuneUp Utilities 2006\sdshelex.dll" (TuneUp Software GmbH)
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\avast - {472083B0-C522-11CF-8763-00608CC02F24} = C:\Programme\Alwil Software\Avast4\ashShell.dll (ALWIL Software)
\TrojanHunter - {EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.6\contmenu.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
avast! - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe ()
type32 - C:\Programme\Microsoft IntelliType Pro\type32.exe (Microsoft Corporation)
IntelliPoint - C:\Programme\Microsoft IntelliPoint\point32.exe (Microsoft Corporation)
NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
Adobe Photo Downloader - C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
TkBellExe - C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
dmulr.exe - C:\WINDOWS\system32\dmulr.exe ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
MSMSGS - C:\Programme\Messenger\msmsgs.exe (Microsoft Corporation)
SpybotSD TeaTimer - C:\Programme\Spybot - Search & Destroy\TeaTimer.exe ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Gamma Loader.lnk - C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk - C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini ()
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\WinZip Quick Pick.lnk - C:\Programme\WinZip\WZQKPICK.EXE (WinZip Computing, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Dokumente und Einstellungen\Admin\Startmenü\Programme\Autostart\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
\\SV1 -

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\AtiExtEvent - Ati2evxx.dll = (ATI Technologies Inc.)
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{78A880D5-1FC5-4179-9994-7BCF575F8704} - (1394-Netzwerkadapter)
{9DB7B32B-1936-47F2-B192-F3ECBA607C6D} - 192.168.20.1 (NVIDIA nForce MCP Networking Controller)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


the requested log file

Regards and thanks, Ralf
17.11.2006, 00:17
Honorary member
Sabina

Posts: 29434
#11 1.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste this in:

Quote

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dmulr.exe

Files to delete:
C:\WINDOWS\system32\dmulr.exe
Click the green traffic light
the script will now be executed, then the PC will restart automatically

**
http://www.f-secure.com/blacklight/
run the file, accept the licence terms and choose scan; when the scan is finished, press next and then close. An FSB*.TXT file will now be in the same folder as Blacklight - post the report

**
scan once more
http://virus-protect.org/artikel/tools/fixwareout.html

**
scan with Panda and post the report
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security
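The Avenger script quoted in the post above is a small declarative format: a section header, then one target per line, with `key|valuename` for registry values. As an added example (not code from the thread or from the Avenger tool), the Python below parses such a script, rejects lines that do not fit the format so a typo in a hand-copied script is caught before anything is deleted, renders the equivalent manual `reg delete` and `del` commands so the targets can be reviewed, and cross-checks that every Run value named in the script has a matching file deletion. The script text is the one quoted above; the parser, the command rendering and the cross-check are this example's own construction. Avenger itself applies the script during a reboot, before the autostart entry can relaunch the file, which is why the post says the PC restarts; the rendered commands show what is removed, not when.

```python
"""Parse an Avenger-style removal script and show what it will remove.

Added example: this is not code from the thread or from the Avenger tool.
AVENGER_SCRIPT is the text quoted in the post above; the parser, the
command rendering and the cross-check are this example's own construction.
"""
import ntpath
import re

AVENGER_SCRIPT = """\
Registry values to delete:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|dmulr.exe

Files to delete:
C:\\WINDOWS\\system32\\dmulr.exe
"""

# Section headers handled here (the two the post uses); other Avenger
# sections would be added to this table in the same way.
SECTIONS = {
    "registry values to delete:": "registry_values",
    "files to delete:": "files",
}

HIVE_SHORT = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
}


def parse_avenger_script(text):
    """Return {"registry_values": [(key, value_name), ...], "files": [path, ...]}.

    Lines that do not fit the format raise ValueError, so a typo in a
    hand-copied script is noticed before anything is deleted.
    """
    actions = {"registry_values": [], "files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in SECTIONS:
            section = SECTIONS[line.lower()]
            continue
        if section == "registry_values":
            # Avenger separates the key path and the value name with '|'.
            key, sep, value = line.partition("|")
            if not sep or not value or key.split("\\")[0] not in HIVE_SHORT:
                raise ValueError("bad registry value line: %r" % line)
            actions["registry_values"].append((key, value))
        elif section == "files":
            if not re.match(r"^[A-Za-z]:\\", line):
                raise ValueError("file path must be absolute: %r" % line)
            actions["files"].append(line)
        else:
            raise ValueError("line outside any known section: %r" % line)
    return actions


def render_manual_commands(actions):
    """Equivalent cmd.exe commands, for reviewing the targets before running
    the script (Avenger itself applies the script during a reboot)."""
    cmds = []
    for key, value in actions["registry_values"]:
        hive, _, rest = key.partition("\\")
        cmds.append('reg delete "%s\\%s" /v "%s" /f' % (HIVE_SHORT[hive], rest, value))
    for path in actions["files"]:
        cmds.append('del /f "%s"' % path)
    return cmds


def cross_check(actions):
    """Pair Run values with file deletions: a value without its file leaves
    the binary on disk, a file without its value leaves a dangling autostart.
    In this script the value name equals the file name; in general the
    comparison would be made against the value's data (the command line)."""
    file_names = {ntpath.basename(p).lower() for p in actions["files"]}
    value_names = {v.lower() for _, v in actions["registry_values"]}
    return {
        "values_without_file": sorted(value_names - file_names),
        "files_without_value": sorted(file_names - value_names),
    }


if __name__ == "__main__":
    parsed = parse_avenger_script(AVENGER_SCRIPT)
    for cmd in render_manual_commands(parsed):
        print(cmd)
    print(cross_check(parsed))
```

Run it as-is to see the two commands and an empty cross-check result for the quoted script; feed it a script with only the registry line to see the value reported as having no matching file deletion.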
17.11.2006, 06:55
...new here

Thread starter

Posts: 7
#12 @Sabina

quick question regarding the quote: am I supposed to delete something in the registry by hand before I start?

Regards, Ralf
17.11.2006, 09:16
Honorary member
Sabina

Posts: 29434
#13 I put the registry entry that needs to be deleted into the Avenger script ;)
by the way, you were supposed to run Avenger already (see above) - don't tell me you haven't done it ;)
__________
Regards, Sabina

all about PC security
18.11.2006, 06:59
...new here

Thread starter

Posts: 7
#14 Wait, I had overlooked Avenger as the heading
Sorry
it's all clear now
I'll do it this evening then.

Regards, Ralf
11/18/06 09:25:01 [Info]: BlackLight Engine 1.0.47 initialized
11/18/06 09:25:01 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/18/06 09:25:01 [Note]: 7019 4
11/18/06 09:25:01 [Note]: 7005 0
11/18/06 09:25:08 [Note]: 7006 0
11/18/06 09:25:08 [Note]: 7011 552
11/18/06 09:25:08 [Note]: 7026 0
11/18/06 09:25:08 [Note]: 7026 0
11/18/06 09:25:11 [Note]: FSRAW library version 1.7.1020
11/18/06 10:08:28 [Note]: 7007 0



Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5926173EB8AA-EE7A-BFD4-BF7F-DA622B24{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\rlumd
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.



Incident Status Location

Virus:Trj/Ruins.DA Disinfected C:\avenger\backup.zip[avenger/dmulr.exe]
Spyware:Cookie/Serving-sys Not disinfected C:\Dokumente und Einstellungen\Admin\Cookies\admin@serving-sys[1].txt
Spyware:Cookie/2o7 Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc1.txt
Spyware:Cookie/Sextracker Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc10.txt
Spyware:Cookie/Sextracker Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc11.txt
Spyware:Cookie/Sextracker Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc12.txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc14.txt
Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc17.txt
Spyware:Cookie/888 Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc2.txt
Spyware:Cookie/Mediaplex Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc29.txt
Spyware:Cookie/YieldManager Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc3.txt
Spyware:Cookie/Paypopup Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc34.txt
Spyware:Cookie/Sextracker Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc39.txt
Spyware:Cookie/Tradedoubler Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc44.txt
Spyware:Cookie/Falkag Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc6.txt
Spyware:Cookie/Statcounter Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc61.txt
Spyware:Cookie/Atlas DMT Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc7.txt
Spyware:Cookie/Cassava Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc8.txt
Potentially unwanted tool:Application/KillApp.B Not disinfected E:\localhost\xampp\apache\bin\kill.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected E:\xamppInstall\xampp-win32-1.4.2-installer.exe[kill.exe]



Hello Sabina

We, or rather YOU, seem to have done it. The browser is no longer redirected.
Is that it now, or will the party start up again soon?

Question: Which antivirus scanner does one use? I'm running Avast.com; I was actually quite happy with it. Apart from this mishap.


Regards and thanks, Ralf
This post was edited on 18.11.2006 at 14:48 by Ralf_z.
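The Panda report in the post above mixes four quite different kinds of hit, and the two Fixwareout entries deserve a second look. As an added example (not code from the thread or from Panda, Fixwareout or Avenger), the Python below parses Panda incident lines copied from the report and sorts each hit into what it means for the cleanup: the Trj/Ruins.DA detection sits inside the backup.zip that Avenger wrote, i.e. it is the copy of the file that was already removed; the cookies under RECYCLER are already deleted; kill.exe belongs to the XAMPP install under E:\ and needs a manual look rather than automatic deletion. It also applies the five-letter cs/dm/jb name check that Fixwareout says it searches for, and reverses the two strings from the ruins key. That reversing "rlumd" yields "dmulr" (the Run value the Avenger script removed) and reversing the bracketed string yields a well-formed CLSID is an observation on the posted data, not documented behaviour of the malware or the tools; the classification rules are this example's own.

```python
"""Triage of the scanner output posted above.

Added example: not code from the thread or from Panda, Fixwareout or Avenger.
The input strings are copied from the reports in the post; the classification
rules, the cs/dm/jb five-letter name check (the heuristic Fixwareout announces
in its report) and the reversed-string comparison are this example's own.
"""
import ntpath
import re

# Representative Panda incident lines, copied from the report above.
PANDA_LINES = [
    r"Virus:Trj/Ruins.DA Disinfected C:\avenger\backup.zip[avenger/dmulr.exe]",
    r"Spyware:Cookie/Serving-sys Not disinfected C:\Dokumente und Einstellungen\Admin\Cookies\admin@serving-sys[1].txt",
    r"Spyware:Cookie/Atlas DMT Not disinfected C:\RECYCLER\S-1-5-21-1085031214-1417001333-682003330-1004\Dc7.txt",
    r"Potentially unwanted tool:Application/KillApp.B Not disinfected E:\localhost\xampp\apache\bin\kill.exe",
]

# Names under HKLM\...\CurrentVersion\ruins that Fixwareout reported deleting.
RUINS_ENTRIES = ["}5926173EB8AA-EE7A-BFD4-BF7F-DA622B24{", "rlumd"]

# The file the Avenger script further up removed.
AVENGER_FILE = r"C:\WINDOWS\system32\dmulr.exe"

# kind:name status location; 'name' may contain spaces (Cookie/Atlas DMT),
# so it is matched lazily up to the status keyword.
PANDA_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>.+?) (?P<status>Disinfected|Not disinfected) (?P<location>.+)$"
)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Five-letter cs*/dm*/jb* executables, the pattern Fixwareout searches for.
WAREOUT_NAME_RE = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$")


def parse_panda_line(line):
    """Split one Panda incident line into kind, name, status, location."""
    m = PANDA_RE.match(line)
    if not m:
        raise ValueError("unrecognised Panda line: %r" % line)
    return m.groupdict()


def triage(rec):
    """What a hit means for the cleanup, from its name and where it was found."""
    loc = rec["location"]
    if re.search(r"\\avenger\\backup\.zip\[", loc, re.IGNORECASE):
        # Inside the backup archive Avenger wrote: the live copy is already
        # gone, and the detection confirms the script removed the right file.
        return "already_removed_backup_copy"
    if rec["name"].startswith("Cookie/"):
        if loc.upper().startswith("C:\\RECYCLER\\"):
            return "deleted_cookie_in_recycle_bin"
        return "tracking_cookie"
    if rec["kind"] == "Potentially unwanted tool":
        # kill.exe from the XAMPP install: an admin utility, review by hand.
        return "pua_review_manually"
    return "active_threat"


def triage_report(lines=PANDA_LINES):
    """Map each reported location to its triage verdict."""
    result = {}
    for line in lines:
        rec = parse_panda_line(line)
        result[rec["location"]] = triage(rec)
    return result


def wareout_style_name(path):
    """True for the cs/dm/jb five-letter pattern. Legitimate files can match
    (Fixwareout says so itself), so this is a flag for review, not a verdict."""
    return WAREOUT_NAME_RE.match(ntpath.basename(path).lower()) is not None


def unreverse(entry):
    """Read a ruins entry backwards: 'rlumd' becomes the Run value 'dmulr',
    and the bracketed string becomes a well-formed CLSID (observation on the
    posted data, not documented behaviour of the malware or the tools)."""
    return entry[::-1]


if __name__ == "__main__":
    for loc, verdict in triage_report().items():
        print("%-30s %s" % (verdict, loc))
    print("Avenger file matches cs/dm/jb pattern:", wareout_style_name(AVENGER_FILE))
    for entry in RUINS_ENTRIES:
        rev = unreverse(entry)
        print("%s -> %s (CLSID shape: %s)" % (entry, rev, GUID_RE.match(rev) is not None))
```

The only hit that would count as an active threat is the one that is no longer live; everything else in the report is cookie residue or a tool that needs a human decision, which is consistent with the browser redirect having stopped.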
18.11.2006, 15:57
Honorary member
Sabina

Posts: 29434
#15 everything should actually be OK again ;)
you need to browse with more care; there are sites and downloads that are best avoided ;)
Avast is OK - Wareout is best removed step by step, the way we did it ;)
__________
Regards, Sabina

all about PC security