Falsche seite wird angezeigt

#1 Hallo zusammen
Folgendes Problem tritt seit ein paar Tagen auf.
Wenn ich auf Goggle einen Link anklicke werde ich auf irgendwelche anderen Suchseiten umgeleitet. Gewöhnlich funktioniert es beim dritten mal anklicken und die richtige Seite wird angezeigt.
Habe die Zeile im Logfile fett markiert mit der wahrscheinlich etwas nicht in Ordung ist.
Danke für eure Hilfe.

Logfile of HijackThis v1.99.1
Scan saved at 20:41:26, on 17.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Programme\QuickTime\qttask.exe
E:\Programme\FreePDF_XP\fpassist.exe
E:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
E:\Programme\Java\jre1.5.0_04\bin\jusched.exe
E:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
E:\Programme\Spamihilator\spamihilator.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Programme\Messenger\msmsgs.exe
E:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe
E:\Programme\AntiVir PersonalEdition Classic\sched.exe
E:\Programme\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
E:\Programme\AntiVir PersonalEdition Classic\avguard.exe
E:\WINDOWS\System32\LckFldService.exe
E:\Programme\C-CHANNEL\MyPen Pro\MyPenPro.exe
E:\Programme\Psion\PsiWin\Psconsv.exe
E:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\Psion\PsiWin\Elogerr.exe
E:\PROGRA~1\GEMEIN~1\Nokia\MPAPI\MPAPI3s.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WPSC3PSW.EXE
E:\Programme\Internet Explorer\IEXPLORE.EXE
E:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
E:\WINDOWS\explorer.exe
E:\DOKUME~1\RENATO~1\LOKALE~1\Temp\Temporäres Verzeichnis 7 für hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ch/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7FC09A5A-A2AE-4B01-86AA-DBB7BFF4EB5F} - E:\WINDOWS\system32\logset.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\programme\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WpsRePsw] E:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE
O4 - HKLM\..\Run: [Messenger Backup Chat Logger] "E:\Programme\Messenger Backup\ChatLogger.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FreePDF Assistant] E:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "E:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Zone Labs Client] E:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dmhkg.exe] E:\WINDOWS\system32\dmhkg.exe
O4 - HKCU\..\Run: [Spamihilator] "E:\Programme\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] E:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [swg] E:\Programme\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = E:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: C-CHANNEL OnlineUpdate.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyPen Pro.lnk = ?
O4 - Global Startup: PsiWin 2.3 Verbindungsserver.lnk = E:\Programme\Psion\PsiWin\Psconsv.exe
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programme\Messenger\msmsgs.exe
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.krankenversicherung.ch/CFIDE/classes/CFJava.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.de/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143736238503
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://s01.picserver.info/upload/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www3.photo-druck.de/XUpload.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: Monutil - {2202ADA7-DE3B-480D-974A-974B05221512} - E:\WINDOWS\system32\ctllan.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - E:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - E:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: LckFldService - Unknown owner - E:\WINDOWS\System32\LckFldService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - E:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
__________
MfG Hägi

#2 1.
poste dieses log
http://virus-protect.org/artikel/tools/combofix.html

2.
scanne und poste den report
http://virus-protect.org/artikel/tools/fixwareout.html

3.
stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

4.
Kopiere diese 6 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Hallo Sabina
Hier die entsprechenden Logs.
Danke

- 06-11-18 8:43:45.51 Service Pack 2
ComboFix 06.11.9 - Running from: "E:\Dokumente und Einstellungen\Renato Brigger\Eigene Dateien\Download"

((((((((((((((((((((((((((((((( Files Created from 2006-10-18 to 2006-11-18 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-18 00:16 -------- d-------- E:\Programme\Spamihilator
2006-10-31 13:46 -------- d-------- E:\Programme\Google
2006-10-30 18:21 -------- d-------- E:\Programme\Zylom Games
2006-10-17 18:49 -------- d-------- E:\Programme\eMule
2006-10-10 08:34 72008 --a------ E:\Dokumente und Einstellungen\Renato Brigger\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2006-09-10 19:48 10 --a------ E:\WINDOWS\system32\Mlkf.dll
2006-08-29 20:07 13480 --a------ E:\Dokumente und Einstellungen\Renato Brigger\Anwendungsdaten\NMM-MetaData.db
2006-08-11 17:46 780 --a------ E:\Dokumente und Einstellungen\Renato Brigger\Anwendungsdaten\AdobeDLM.log


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Spamihilator"="\"E:\\Programme\\Spamihilator\\spamihilator.exe\""
"ctfmon.exe"="E:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"E:\\Programme\\Messenger\\msmsgs.exe\" /background"
"PcSync"="E:\\Programme\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"swg"="E:\\Programme\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WpsRePsw"="E:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\2\\WpsRePsw.EXE"
"Messenger Backup Chat Logger"="\"E:\\Programme\\Messenger Backup\\ChatLogger.exe"
"QuickTime Task"="\"E:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"FreePDF Assistant"="E:\\Programme\\FreePDF_XP\\fpassist.exe"
"Acrobat Assistant 7.0"="\"E:\\Programme\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"SunJavaUpdateSched"="E:\\Programme\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"NeroFilterCheck"="E:\\WINDOWS\\system32\\NeroCheck.exe"
"avgnt"="\"E:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"Zone Labs Client"="E:\\Programme\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"NvCplDaemon"="RUNDLL32.EXE E:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE E:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"PCSuiteTrayApplication"="E:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"dmhkg.exe"="E:\\WINDOWS\\system32\\dmhkg.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="E:\\WINDOWS\\System32\\CTFMON.EXE"
"Symantec Network Driver Update Warning"="E:\\PROGRA~1\\Symantec\\LIVEUP~1\\SNDWarn.EXE"
"Symantec NetDriver Warning"="E:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="E:\\WINDOWS\\System32\\CTFMON.EXE"
"Symantec Network Driver Update Warning"="E:\\PROGRA~1\\Symantec\\LIVEUP~1\\SNDWarn.EXE"
"Symantec NetDriver Warning"="E:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Monutil"="{2202ADA7-DE3B-480D-974A-974B05221512}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-18 8:45:04.48
E:\ComboFix.txt ... 06-11-18 08:45
E:\ComboFix2.txt ... 06-11-18 00:32


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}72B8FFCBFE33-2E39-1B14-764D-A6F86F06{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D34093E7D0D9-9F2A-12E4-D8EC-1754D4BF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\gkhmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
E:\WINDOWS\SYSTEM32\DMHKG.EXE 60'982 2004-08-04

Other suspects.
Directory of E:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.


Volume in Laufwerk E: hat keine Bezeichnung.
Volumeseriennummer: B0A2-D515

Verzeichnis von E:\WINDOWS\system32

18.11.2006 09:09 41'108 vsconfig.xml
18.11.2006 09:08 3'770 lckfldservicelog.txt
18.11.2006 09:08 4'599 nvapps.xml
17.11.2006 20:18 21'760 wpa.dbl
17.11.2006 20:11 486 mnvpljmy.txt
03.11.2006 16:35 40'128 perfc009.dat
03.11.2006 16:35 311'740 perfh009.dat
03.11.2006 16:35 48'354 perfc007.dat
03.11.2006 16:35 316'924 perfh007.dat
03.11.2006 16:35 723'744 PerfStringBackup.INI
30.10.2006 18:37 1'632 d3d8caps.dat
30.10.2006 18:37 1'744 d3d9caps.dat
12.10.2006 11:55 0 mslck.dat
10.09.2006 19:48 10 Mlkf.dll
28.08.2006 14:22 109'248 mswinsck.ocx
28.08.2006 14:22 115'920 Msinet.ocx
04.07.2006 13:26 704'000 DAAPI.dll
04.07.2006 13:25 131'072 NclAPI.dll
04.07.2006 13:25 245'760 VersitConverter.dl


Volume in Laufwerk E: hat keine Bezeichnung.
Volumeseriennummer: B0A2-D515

Verzeichnis von E:\DOKUME~1\RENATO~1\LOKALE~1\Temp

18.11.2006 09:08 8'864 EPOCLOG.001
18.11.2006 09:08 16'384 ~DF9663.tmp
18.11.2006 09:08 406 jusched.log
3 Datei(en) 25'654 Bytes
0 Verzeichnis(se), 8'916'254'720 Bytes frei


Volume in Laufwerk E: hat keine Bezeichnung.
Volumeseriennummer: B0A2-D515

Verzeichnis von E:\WINDOWS

18.11.2006 09:09 0 0.log
18.11.2006 09:08 159 wiadebug.log
18.11.2006 09:08 26 Debug.ini
18.11.2006 09:08 50 wiaservc.log
18.11.2006 09:08 2'048 bootstat.dat
18.11.2006 09:07 32'540 SchedLgU.Txt
18.11.2006 09:07 956'358 WindowsUpdate.log
18.11.2006 09:00 533 SYSTEM.INI
17.11.2006 19:59 494'483 setupapi.log
17.11.2006 15:35 75 ImportClient.INI
31.10.2006 20:55 6'403 PSPICEEV.INI
26.10.2006 20:19 54'317 wmsetup.log
26.09.2006 15:49 267'948'032 MEMORY.DMP
26.09.2006 07:28 116 NeroDigital.ini
14.09.2006 17:52 16 Temp.ini
14.09.2006 17:51 1'068 umaxuapi.ini
29.08.2006 19:50 1'409 QTFont.for
29.08.2006 19:50 54'156 QTFont.qfn
29.08.2006 19:45 4'708 DPINST.LOG
29.08.2006 19:36 19 SoundConverter.INI
11.08.2006 18:20 87'350 Directx.log


Volume in Laufwerk E: hat keine Bezeichnung.
Volumeseriennummer: B0A2-D515

Verzeichnis von E:\WINDOWS\Temp


Volume in Laufwerk E: hat keine Bezeichnung.
Volumeseriennummer: B0A2-D515

Verzeichnis von E:\WINDOWS\Downloaded Program Files

17.11.2006 20:01 49'430 daas.log
16.06.2006 15:31 181'856 fscax.dll
15.06.2006 10:19 483 fscax.inf
01.06.2006 02:57 1'331 oscan8.inf
01.06.2006 02:54 471'040 oscan8.ocx
31.05.2006 04:15 10 oscan81.ocx_x
30.03.2006 16:30 65 desktop.ini
27.03.2006 12:00 5'019 swflash.inf
03.02.2006 11:20 188'416 fsauc.dll
17.01.2006 17:11 580'663 daas_s.dll
26.08.2005 18:39 1'893'912 ImageUploader3.ocx
26.08.2005 18:39 379 ImageUploader3.inf
14.08.2005 00:26 113'664 MsnMessengerSetupDownloader.ocx
30.06.2005 15:19 227 MsnMessengerSetupDownloader.inf


Volume in Laufwerk E: hat keine Bezeichnung.
Volumeseriennummer: B0A2-D515

Verzeichnis von E:\

18.11.2006 09:17 0 sys.txt
18.11.2006 09:17 2'242 down.txt
18.11.2006 09:17 117 tmp.txt
18.11.2006 09:17 12'404 system.txt
18.11.2006 09:17 393 systemtemp.txt
18.11.2006 09:15 113'872 system32.txt
18.11.2006 09:08 402'653'184 pagefile.sys
18.11.2006 08:46 6'320 ComboFix.txt
18.11.2006 00:32 6'334 ComboFix2.txt
17.11.2006 20:31 2'452 avenger.txt
29.05.2006 13:25 7'141 PWlang.log
11 Datei(en) 402'804'459 Bytes
0 Verzeichnis(se), 8'916'234'240 Bytes frei
__________
MfG Hägi

#4 Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein

Zitat

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|dmhkg.exe
HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload|Monutil

registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2202ADA7-DE3B-480D-974A-974B05221512}

Files to delete:
E:\WINDOWS\system32\ctllan.dll
E:\WINDOWS\system32\dmhkg.exe

Klicke die grüne Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

**
loesche das backup unter E:\Avenger\backup.zip und leere den Papierkorb

**
scanne und post den scanreport
http://virus-protect.org/artikel/tools/superantispyware.html
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Hier der Scanreport

SUPERAntiSpyware Scan Log
Generated 11/18/2006 at 05:03 PM

Application Version : 3.3.1020

Core Rules Database Version : 3132
Trace Rules Database Version: 1150

Scan type : Complete Scan
Total Scan Time : 00:15:28

Memory items scanned : 431
Memory Thread detected : 0
Registry items scanned : 5794
Registry Thread detected : 6
File items scanned : 6402
File Thread detected : 53

Adware.Tracking Cookie
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@as1.falkag[1].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@mediaplex[1].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@adbrite[2].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@1064184248[1].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@as-eu.falkag[2].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@cgi-bin[2].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@tradedoubler[2].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@statse.webtrendslive[1].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@stat.onestat[2].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@questionmarket[2].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@hitbox[2].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@ads.monster[1].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@mb[2].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@2o7[2].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@xiti[1].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@ads.planetactive[1].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@www.zanox-affiliate[1].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@findwhat[1].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@doubleclick[1].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@ad.yieldmanager[1].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@adserver.easyad[2].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@ehg-idg.hitbox[1].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@komtrack[2].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@statcounter[2].txt
E:\Dokumente und Einstellungen\Renato Brigger\Cookies\renato brigger@ehg-swisscom.hitbox[2].txt

Adware.IST/ISTBar (Slotch Bar)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\E:/WINDOWS/Downloaded Program Files/ISTactivex.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\E:/WINDOWS/Downloaded Program Files/ISTactivex.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\E:/WINDOWS/Downloaded Program Files/ISTactivex.dll#{386A771C-E96A-421F-8BA7-32F1B706892F}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#E:\WINDOWS\Downloaded Program Files\ISTactivex.dll [
]
HKU\S-1-5-21-448539723-854245398-1060284298-1004\Software\Microsoft\Internet Explorer\Main#BandRest
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest

Browser Hijacker.Favorites
E:\Dokumente und Einstellungen\All Users\Favoriten\Download Free Spyware Remover.url
E:\Dokumente und Einstellungen\All Users\Favoriten\NEW VIAGRA at Half Price!.url
E:\Dokumente und Einstellungen\All Users\Favoriten\Online Pharmacy\Cialis at HALF PRICE!.url
E:\Dokumente und Einstellungen\All Users\Favoriten\Online Pharmacy\Fast Way To Loose Your Weight!.url
E:\Dokumente und Einstellungen\All Users\Favoriten\Online Pharmacy\Guaranteed low price at Pills..url
E:\Dokumente und Einstellungen\All Users\Favoriten\Online Pharmacy\SOMA at Special LOW PRICE.url
E:\Dokumente und Einstellungen\All Users\Favoriten\Online Pharmacy\Tramadol Special Offer!.url
E:\Dokumente und Einstellungen\All Users\Favoriten\Online Pharmacy\Try New VIAGRA! Works Faster and Longer!.url
E:\Dokumente und Einstellungen\All Users\Favoriten\Spyware Uninstall\Easy Detect and Uninstall Spyware..url
E:\Dokumente und Einstellungen\All Users\Favoriten\Spyware Uninstall\Free Spyware Scanner..url
E:\Dokumente und Einstellungen\All Users\Favoriten\Spyware Uninstall\Search & Destroy Annoying Adware..url
E:\Dokumente und Einstellungen\All Users\Favoriten\Spyware Uninstall\Stop PopUps on your PC..url
E:\Dokumente und Einstellungen\All Users\Favoriten\Spyware Uninstall

MfG Hägi
__________
MfG Hägi

#6 wie steht es ? immer noch umleitungen oder schon besser

poste dieses log
http://virus-protect.org/winpfind.html
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Ich habe jetzt einen Moment getestet und es scheint jetzt wieder alles in Ordnung zu sein.
Was habe ich mir da eigentlich eingefangen.
Danke für deine Hilfe. War echt super und schnell.
MfG Hägi
__________
MfG Hägi

#8 poste dieses log
http://virus-protect.org/winpfind.html
__________
MfG Sabina

rund um die PC-Sicherheit

#9 Hallo Sabina
Kann mit WinPfind nicht scannen. Programm bleibt immer kurz nach scannstart hängen. Siehe Anhang.
MfG Hägi


__________
MfG Hägi

#10 dann scanne mit silentrunner
http://virus-protect.org/silentrunner.html
__________
MfG Sabina

rund um die PC-Sicherheit

#11 Hier der Scannreport:

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Spamihilator" = ""E:\Programme\Spamihilator\spamihilator.exe"" ["Michel Krämer"]
"ctfmon.exe" = "E:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""E:\Programme\Messenger\msmsgs.exe" /background" [MS]
"PcSync" = "E:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog" ["Time Information Services Ltd."]
"swg" = "E:\Programme\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" ["Google Inc."]
"SUPERAntiSpyware" = "E:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"WpsRePsw" = "E:\WINDOWS\System32\spool\DRIVERS\W32X86\2\WpsRePsw.EXE" ["Canon Inc."]
"Messenger Backup Chat Logger" = ""E:\Programme\Messenger Backup\ChatLogger.exe" [file not found]
"QuickTime Task" = ""E:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"FreePDF Assistant" = "E:\Programme\FreePDF_XP\fpassist.exe" [null data]
"Acrobat Assistant 7.0" = ""E:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"(Default)" = "(empty string)" [file not found]
"SunJavaUpdateSched" = "E:\Programme\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NeroFilterCheck" = "E:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"avgnt" = ""E:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"Zone Labs Client" = "E:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"NvCplDaemon" = "RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"PCSuiteTrayApplication" = "E:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup" ["Nokia"]
"KernelFaultCheck" = "E:\WINDOWS\system32\dumprep 0 -k"

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "E:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{7FC09A5A-A2AE-4B01-86AA-DBB7BFF4EB5F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\WINDOWS\system32\logset.dll" [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "e:\programme\google\googletoolbar1.dll" ["Google Germany GmbH"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "E:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "E:\Programme\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "E:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{661825E5-B9A4-4D3E-8B74-3B6B63C32A80}" = "Shell Extensions for The Font Creator Program"
-> {HKLM...CLSID} = "Shell Extensions for The Font Creator Program"
\InProcServer32\(Default) = "E:\PROGRA~1\HIGH-L~1\FONTCR~1\FCPSHL.dll" ["High-Logic"]
"{A8DD28BB-9430-47e4-972D-08A47C788D56}" = "MyPen Pro"
-> {HKLM...CLSID} = "MyPen Pro"
\InProcServer32\(Default) = "E:\Programme\C-CHANNEL\MyPen Pro\MyPenPro.exe" ["C Technologies AB (publ)"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "E:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Programme\WinRAR\rarext.dll" [null data]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "E:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{3a9ae750-cf44-11cf-8835-0020afc04e78}" = "Psion-Arbeitsplatz"
-> {HKLM...CLSID} = "Psion-Arbeitsplatz"
\InProcServer32\(Default) = "E:\PROGRA~1\Psion\PsiWin\pw32expl.dll" ["Symbian Ltd."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "E:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "E:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "E:\Programme\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "E:\Programme\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "csxtb.exe" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "E:\Programme\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "E:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "E:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "E:\Programme\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "E:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
LockFolder\(Default) = "{4852341A-43E6-4994-B29B-E82904992884}"
-> {HKLM...CLSID} = "LckFldMenu.Locker"
\InProcServer32\(Default) = "E:\Programme\FolderAccess\LckFldMenu.dll" ["Topdownloads Network"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "E:\Programme\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "E:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Programme\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "E:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "E:\Dokumente und Einstellungen\Renato Brigger\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "E:\WINDOWS\Pistenb.scr" ["MacSourcery"]


Startup items in "Renato Brigger" & "All Users" startup folders:
----------------------------------------------------------------

E:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Acrobat - Schnellstart" -> shortcut to: "E:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe" [null data]
"Adobe Reader - Schnellstart" -> shortcut to: "E:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"C-CHANNEL OnlineUpdate" -> shortcut to: "E:\Programme\C-CHANNEL\OnlineUpdate\PeOnlineUpdate.exe /auto /AllCChannelProducts" ["C-Channel AG, 6331 Hünenberg"]
"Microsoft Office" -> shortcut to: "E:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"MyPen Pro" -> shortcut to: "E:\Programme\C-CHANNEL\MyPen Pro\MyPenPro.exe" ["C Technologies AB (publ)"]
"PsiWin 2.3 Verbindungsserver" -> shortcut to: "E:\Programme\Psion\PsiWin\Psconsv.exe" ["Symbian Ltd."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "e:\programme\google\googletoolbar1.dll" ["Google Germany GmbH"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "e:\programme\google\googletoolbar1.dll" ["Google Germany GmbH"]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "e:\programme\google\googletoolbar1.dll" ["Google Germany GmbH"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "E:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"
\InProcServer32\(Default) = "E:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "E:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Service, AntiVirService, "E:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir Scheduler, AntiVirScheduler, "E:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
LckFldService, LckFldService, "E:\WINDOWS\System32\LckFldService.exe" [null data]
Machine Debug Manager, MDM, ""E:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "E:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
ServiceLayer, ServiceLayer, ""E:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe"" ["Nokia."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "E:\WINDOWS\System32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Redirected Port\Driver = "redmonnt.dll" [null data]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 68 seconds, including 7 seconds for message boxes)


MfG
Hägi
__________
MfG Hägi

#12 Hägi

1.
virustotal
Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen (oder gleich die Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf "Send"... jetzt abwarten - dann mit der rechten Maustaste den Text markieren -> kopieren - einfügen
http://www.virustotal.com/flash/index_en.html

E:\WINDOWS\system32\logset.dll
E:\WINDOWS\system32\Mlkf.dll


poste die reporte hier
---------------------------------------------------------------------

2.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fixme.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.
Die Datei "fixme.reg" auf dem Desktop doppelklicken und der Registry beifuegen.

Zitat

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

3.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein

Zitat

Files to delete:
E:\WINDOWS\system32\csxtb.exe
E:\Dokumente und Einstellungen\Renato Brigger\Anwendungsdaten\kc.tmp
E:\Dokumente und Einstellungen\Renato Brigger\Anwendungsdaten\wo.tmp

4.
F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml
1. Klicke den Link: "F-Secure Online Scanner Next Generation Beta".
2. Du wirst aufgefordert werden, ein ActiveX-Control zu installieren
3. Installiere diese ActiveX-Komponente
4. Lies die Anleitung und klicke: "Accept"
5. Klicke "Full System Scan"
6. klicke "Show report" - kopiere den Scanreport
__________
MfG Sabina

rund um die PC-Sicherheit

#13 Hallo
Die Reporte:

STATUS: FINISHEDComplete scanning result of "logset.dll", received in VirusTotal at 11.20.2006, 14:30:53 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.39 11.20.2006 no virus found
Authentium 4.93.8 11.17.2006 no virus found
Avast 4.7.892.0 11.18.2006 no virus found
AVG 386 11.20.2006 no virus found
BitDefender 7.2 11.20.2006 no virus found
CAT-QuickHeal 8.00 11.20.2006 no virus found
ClamAV devel-20060426 11.20.2006 no virus found
DrWeb 4.33 11.20.2006 no virus found
eSafe 7.0.14.0 11.20.2006 no virus found
eTrust-InoculateIT 23.73.59 11.18.2006 no virus found
eTrust-Vet 30.3.3203 11.20.2006 no virus found
Ewido 4.0 11.20.2006 no virus found
Fortinet 2.82.0.0 11.20.2006 suspicious
F-Prot 3.16f 11.17.2006 no virus found
F-Prot4 4.2.1.29 11.17.2006 no virus found
Ikarus 0.2.65.0 11.20.2006 no virus found
Kaspersky 4.0.2.24 11.20.2006 no virus found
McAfee 4899 11.18.2006 potentially unwanted program Spyware-eBlaster
Microsoft 1.1609 11.20.2006 no virus found
NOD32v2 1873 11.20.2006 no virus found
Norman 5.80.02 11.20.2006 no virus found
Panda 9.0.0.4 11.19.2006 no virus found
Prevx1 V2 11.20.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.122 11.18.2006 no virus found
UNA 1.83 11.17.2006 no virus found
VBA32 3.11.1 11.20.2006 suspected of Backdoor.xBot.26
VirusBuster 4.3.15:9 11.20.2006 no virus found


Aditional Information
File size: 753664 bytes
MD5: 92cd5ed51e61ecd01e7899aa6c12f907
SHA1: 9d174b061c3885351001e3660ff068ef02aab6ef


STATUS: FINISHEDComplete scanning result of "Mlkf.dll", received in VirusTotal at 11.20.2006, 14:36:50 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.39 11.20.2006 no virus found
Authentium 4.93.8 11.17.2006 no virus found
Avast 4.7.892.0 11.18.2006 no virus found
AVG 386 11.20.2006 no virus found
BitDefender 7.2 11.20.2006 no virus found
CAT-QuickHeal 8.00 11.20.2006 no virus found
ClamAV devel-20060426 11.20.2006 no virus found
DrWeb 4.33 11.20.2006 no virus found
eSafe 7.0.14.0 11.20.2006 no virus found
eTrust-InoculateIT 23.73.59 11.18.2006 no virus found
eTrust-Vet 30.3.3203 11.20.2006 no virus found
Ewido 4.0 11.20.2006 no virus found
Fortinet 2.82.0.0 11.20.2006 no virus found
F-Prot 3.16f 11.17.2006 no virus found
F-Prot4 4.2.1.29 11.17.2006 no virus found
Ikarus 0.2.65.0 11.20.2006 no virus found
Kaspersky 4.0.2.24 11.20.2006 no virus found
McAfee 4899 11.18.2006 no virus found
Microsoft 1.1609 11.20.2006 no virus found
NOD32v2 1873 11.20.2006 no virus found
Norman 5.80.02 11.20.2006 no virus found
Panda 9.0.0.4 11.19.2006 no virus found
Prevx1 V2 11.20.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.122 11.18.2006 no virus found
UNA 1.83 11.17.2006 no virus found
VBA32 3.11.1 11.20.2006 no virus found
VirusBuster 4.3.15:9 11.20.2006 no virus found


Aditional Information
File size: 10 bytes
MD5: e17009af73e05847a4f265562414780e
SHA1: 9c7da15f9c2c6f945be902e5b2d30c66bd4eb103


Scanning Report
Monday, November 20, 2006 19:43:42 - 21:13:06
Computer name: DESKTOP
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\ F:\ G:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 37190
System: 4990
Not scanned: 4
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
E:\PAGEFILE.SYS
E:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
E:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{59D0A58E-7AAE-4597-9489-8F63D1305B79}.BIN
E:\PROGRAMME\C-CHANNEL\MYPEN PRO\KREDISW_DESCRIPTION-DATEIEN\KREDI13`8?


--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2006-11-17
F-Secure AVP: 7.0.171, 2006-11-20
F-Secure Orion: 1.2.37, 2006-11-20
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Draco: 1.0.35, 2006-11-14
F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------
MfG Hägi
__________
MfG Hägi

#14 Avenger

Zitat

registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper\{7FC09A5A-A2AE-4B01-86AA-DBB7BFF4EB5F}

Files to delete:
E:\WINDOWS\system32\logset.dll

**
scanne mit McAfee FreeScan (Online) - und poste den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#15 Hallo Sabina

Bei McAfee Free Scan kann ich nur Drive C, My documents oder Windows Files auswählen, nicht aber das gesammte System. Winwows XP ist aber auf drive E.
Soll ich nur Windows Files auswählen?

Mfg Hägi
__________
MfG Hägi