IE System Alert when opening Internet Explorer!

22.12.2006, 01:31
Member

Posts: 79
#1 When I open my IE, every second click brings up this...
----------------------------------------------------------
System Security Center Alert:



Warning! Spyware files are detected on your computer!

It’s highly recommended to scan the system immediately to remove all dangerous spyware/adware programs.



Spyware gathers your private information without your consent.

This information includes passwords and credit card details, as well as other sensitive data.



Once installed, spyware keeps track of your surfing habits, which makes it possible for unsolicited ads and SPAM messages.

Spyware can not be removed by antivirus and firewalls.

These programs are not even able to find evidence of spyware being installed on the computer.

Spyware also uses your computer’s memory and system resources making your PC incredibly slow

--------------------------------------------------------
Can someone help me get rid of this nonsense again?

Regards, thanks in advance
22.12.2006, 03:05
Honorary member

Posts: 29434
#2 work through this and post the logs here
http://board.protecus.de/t23187.htm
__________
Regards, Sabina

all about PC security
23.12.2006, 02:23
Member

Thread starter

Posts: 79
#3 1. HJT
---------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 02:14:59, on 23.12.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Nvida\Apache Group\Apache2\bin\apache.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
E:\Antivir\nod32krn.exe
E:\Nvida\bin\nSvcIp.exe
E:\Nvida\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
e:\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
E:\Nvida\Apache Group\Apache2\bin\apache.exe
E:\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
E:\asus probe\AsusProb.exe
C:\Programme\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\System32\CTXFIHLP.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Creative\ShareDLL\CADI\NotiMan.exe
C:\WINDOWS\System32\svchost.exe
E:\OFFICE~2\Office10\OUTLOOK.EXE
E:\Office XP\Office10\WINWORD.EXE
E:\Trillian\trillian.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\André\Desktop\hijackthis\HjT1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\System32\ipv6mons.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: ASGP32.ASGP - {BB89F547-37EC-4920-880C-9D553B1C788C} - C:\WINDOWS\System32\asgp32.dll
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "e:\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [ASUS Probe] e:\asus probe\AsusProb.exe
O4 - HKLM\..\Run: [RCSystem] "C:\Programme\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programme\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programme\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] E:\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download with &DAP - E:\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\DAP\dapextie2.htm
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://e:\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://e:\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://e:\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://e:\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://E:\OFFICE~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - E:\Nvida\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - E:\Nvida\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Antivir\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - E:\Nvida\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - E:\Nvida\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - e:\Spyware Doctor\sdhelp.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - E:\TuneUp Utilities 2006\WinStylerThemeSvc.exe

---------------------------------------------------

2. CleanUp! run

---------------------------------------------------

3. Combofix

André - 06-12-23 2:17:49,00 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Dokumente und Einstellungen\André\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-23 to 2006-12-23 ))))))))))))))))))))))))))))))))))


2006-12-23 02:15 <DIR> d-------- C:\Programme\CleanUp!
2006-12-15 17:34 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-12-15 17:34 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-22 01:45 -------- d-------- C:\Dokumente und Einstellungen\André\Anwendungsdaten\Azureus
2006-12-15 17:36 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-12-15 17:34 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2006-12-15 17:34 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-11-19 02:15 24968 --a------ C:\Dokumente und Einstellungen\André\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2006-11-05 16:16 -------- d-------- C:\Dokumente und Einstellungen\André\Anwendungsdaten\temp
2006-10-30 13:18 -------- d-------- C:\Dokumente und Einstellungen\André\Anwendungsdaten\Opera
2006-10-30 10:30 8448 --a------ C:\WINDOWS\system32\anti_troj.exe
2006-10-30 10:30 8192 --a------ C:\WINDOWS\system32\kernels64.exe
2006-10-30 10:30 30976 --a------ C:\WINDOWS\system32\win32hp.dll
2006-10-30 10:30 28416 --a------ C:\WINDOWS\system32\msmsn.exe
2006-10-30 10:30 27648 --a------ C:\WINDOWS\system32\VXH8JKDQ2.EXE
2006-10-30 10:30 21760 --a------ C:\WINDOWS\notepad32.exe
2006-10-30 10:30 16128 --a------ C:\WINDOWS\system32\mpsegment.exe
2006-10-30 10:30 15360 --a------ C:\WINDOWS\system32\ace16win.dll
2006-10-30 10:30 13568 --a------ C:\WINDOWS\system32\VXH8JKDQ6.EXE
2006-10-30 10:04 -------- d-------- C:\Dokumente und Einstellungen\André\Anwendungsdaten\PC Tools
2006-10-30 09:54 24320 --a------ C:\WINDOWS\system32\performent202.dll
2006-10-30 09:44 -------- d-------- C:\Dokumente und Einstellungen\André\Anwendungsdaten\Spybot - Search & Destroy
2006-10-29 11:56 26368 --a------ C:\WINDOWS\system32\proqlaim.exe
2006-10-29 11:56 16128 --a------ C:\WINDOWS\system32\netstat2.exe
2006-10-29 11:55 9984 --a------ C:\WINDOWS\winmgnt.exe
2006-10-29 11:55 9216 --a------ C:\WINDOWS\x.exe
2006-10-29 11:55 31744 --a------ C:\WINDOWS\spp3.dll
2006-10-29 11:55 30720 --a------ C:\WINDOWS\mtwirl32.dll
2006-10-29 11:55 27648 --a------ C:\WINDOWS\xplugin.dll
2006-10-29 11:55 27392 --a------ C:\WINDOWS\dialup.exe
2006-10-29 11:55 26112 --a------ C:\WINDOWS\olehelp.exe
2006-10-29 11:55 24064 --a------ C:\WINDOWS\inetdctr.dll
2006-10-29 11:55 24064 --a------ C:\WINDOWS\clrssn.exe
2006-10-29 11:55 23296 --a------ C:\WINDOWS\window.exe
2006-10-29 11:55 22272 --a------ C:\WINDOWS\win32e.exe
2006-10-29 11:55 20992 --a------ C:\WINDOWS\win64.exe
2006-10-29 11:55 20736 --a------ C:\WINDOWS\users32.exe
2006-10-29 11:55 19968 --a------ C:\WINDOWS\winajbm.dll
2006-10-29 11:55 19968 --a------ C:\WINDOWS\system32\dload.exe
2006-10-29 11:55 19200 --a------ C:\WINDOWS\y.exe
2006-10-29 11:55 18176 --a------ C:\WINDOWS\systemcritical.exe
2006-10-29 11:55 17920 --a------ C:\WINDOWS\avpcc.dll
2006-10-29 11:55 17664 --a------ C:\WINDOWS\system32\iewd.exe
2006-10-29 11:55 16896 --a------ C:\WINDOWS\systeem.exe
2006-10-29 11:55 16384 --a------ C:\WINDOWS\accesss.exe
2006-10-29 11:55 15104 --a------ C:\WINDOWS\waol.exe
2006-10-29 11:55 13312 --a------ C:\WINDOWS\runwin32.exe
2006-10-29 11:55 12288 --a------ C:\WINDOWS\cpan.dll
2006-10-29 11:55 10496 --a------ C:\WINDOWS\time.exe
2006-10-29 11:54 9216 --a------ C:\WINDOWS\system32\zggjudxn.exe
2006-10-29 11:54 5707 --a------ C:\WINDOWS\system32\dsrvknvk.exe
2006-10-29 11:54 55016 --a------ C:\WINDOWS\system32\1821.exe
2006-10-29 11:54 43520 --a------ C:\WINDOWS\system32\msmapi32.exe
2006-10-29 11:54 19968 --a------ C:\WINDOWS\system32\asgp32.dll
2006-10-29 11:54 15360 --a------ C:\WINDOWS\system32\intr32.dll
2006-10-28 22:48 -------- d-------- C:\Dokumente und Einstellungen\André\Anwendungsdaten\Skype
2006-10-15 12:33 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"AIM"="E:\\AIM95\\aim.exe -cnetwait.odl"
"msnmsgr"="\"C:\\Programme\\MSN Messenger\\msnmsgr.exe\" /background"
"Yahoo! Pager"="\"E:\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\Disabled]
"msnmsgr"="\"C:\\Programme\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"VolPanel"="\"e:\\Sound Blaster X-Fi\\Volume Panel\\VolPanel.exe\" /r"
"ASUS Probe"="e:\\asus probe\\AsusProb.exe"
"RCSystem"="\"C:\\Programme\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" RCSystem * -Startup"
"AudioDrvEmulator"="\"C:\\Programme\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" -1 AudioDrvEmulator \"C:\\Programme\\Creative\\Shared Files\\Module Loader\\Audio Emulator\\AudDrvEm.dll\""
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"CTxfiHlp"="CTXFIHLP.EXE"
"CTHelper"="CTHELPER.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,cb,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,01,00,00,62,01,00,00,20,01,00,00,23,01,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"MaxRecentDocs"=dword:0000001f
"NoRecentDocsHistory"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="E:\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AnyDVD"
"hkey"="HKLM"
"command"="\"E:\\AnyDVD\\AnyDVD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"e:\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dxdllreg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\dxdllreg.exe "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BJPSMAIN"
"hkey"="HKLM"
"command"="C:\\Programme\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="\"C:\\Programme\\ICQLite\\ICQLite.exe\" -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Programme\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetPumper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NetPumperIEProxy"
"hkey"="HKLM"
"command"="\"e:\\NetPumper\\NetPumperIEProxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nod32kui"
"hkey"="HKLM"
"command"="\"E:\\Antivir\\nod32kui.exe\" /WAITSERVICE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nTrayFw"
"hkey"="HKLM"
"command"="E:\\Nvida\\bin\\nTrayFw.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Overnet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Overnet"
"hkey"="HKLM"
"command"="E:\\Overnet\\Overnet.exe -t"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UninstalTime]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="chkdisk"
"hkey"="HKLM"
"command"="chkdisk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"E:\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Klick-Wartung.job

Completion time: 06-12-23 2:18:13.07
C:\ComboFix.txt ... 06-12-23 02:18

-----------------------------------------------------------

4. datfind

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FC5C-B857

Verzeichnis von C:\WINDOWS\system32

23.12.2006 02:19 4 stfv.bin
23.12.2006 02:09 63.114 nvapps.xml
23.12.2006 02:08 0 _nvidia_xxx_.log
23.12.2006 02:08 2.206 wpa.dbl
23.12.2006 02:08 35.803 OODBS.lor
23.12.2006 02:08 79.104 ikhcore.log
22.12.2006 01:45 64.980 DVCState-{00000005-00000000-00000008-00001102-00000005-00211102}.rfx
22.12.2006 01:45 1.080 settings.sfm
22.12.2006 01:45 1.080 settingsbkup.sfm
22.12.2006 01:45 55.172 BMXStateBkp-{00000005-00000000-00000008-00001102-00000005-00211102}.rfx
22.12.2006 01:45 55.172 BMXState-{00000005-00000000-00000008-00001102-00000005-00211102}.rfx
15.12.2006 17:34 86.016 OpenAL32.dll
15.12.2006 17:34 409.600 wrap_oal.dll
30.10.2006 10:30 30.976 win32hp.dll
30.10.2006 10:30 27.648 VXH8JKDQ2.EXE
30.10.2006 10:30 13.568 VXH8JKDQ6.EXE
30.10.2006 10:30 9.984 ts.ico
30.10.2006 10:30 27.392 ot.ico
30.10.2006 10:30 15.360 ace16win.dll
30.10.2006 10:30 28.416 msmsn.exe
30.10.2006 10:30 8.192 kernels64.exe
30.10.2006 10:30 8.448 anti_troj.exe
30.10.2006 10:30 16.128 mpsegment.exe
30.10.2006 10:30 10.496 msvol.tlb
30.10.2006 09:54 24.320 performent202.dll

30.10.2006 00:50 5 SndDrv32ds_d.ods
30.10.2006 00:50 5 AuxDrv32ds_d.ods

30.10.2006 00:00 0 lfd.dat
30.10.2006 00:00 12 oiso.bin
30.10.2006 00:00 0 pcf.pdf
29.10.2006 11:56 16.128 netstat2.exe
29.10.2006 11:56 26.368 proqlaim.exe
29.10.2006 11:55 17.664 iewd.exe
29.10.2006 11:55 19.968 dload.exe
29.10.2006 11:54 19.968 asgp32.dll
29.10.2006 11:54 55.016 1821.exe
29.10.2006 11:54 43.520 msmapi32.exe
29.10.2006 11:54 15.360 intr32.dll
29.10.2006 11:54 5.707 dsrvknvk.exe
29.10.2006 11:54 9.216 zggjudxn.exe

29.10.2006 09:33 311.740 perfh009.dat
29.10.2006 09:33 40.128 perfc009.dat
29.10.2006 09:33 316.924 perfh007.dat
29.10.2006 09:33 48.354 perfc007.dat
29.10.2006 09:33 723.744 PerfStringBackup.INI
15.10.2006 12:33 98.304 CmdLineExt.dll
21.09.2006 13:35 126.112 FNTCACHE.DAT
16.09.2006 09:18 14 systeminfo.dll
15.08.2006 12:56 28 log200672.log
15.08.2006 12:56 22.481 chkdisk.exe
->>>>>>>>?????????
21.07.2006 23:10 34.308 BASSMOD.dll
25.06.2006 15:04 93 imon1.dat
16.06.2006 13:34 48.936 sirenacm.dll
01.06.2006 16:22 2.977.792 nvvitvsr.dll
01.06.2006 16:22 2.924.544 nvvitvs.dll


Verzeichnis von C:\DOKUME~1\ANDR~1\LOKALE~1\Temp

23.12.2006 02:11 512 ~DF91C1.tmp
1 Datei(en) 512 Bytes
0 Verzeichnis(se), 4.078.292.992 Bytes frei


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FC5C-B857

Verzeichnis von C:\WINDOWS

23.12.2006 02:09 0 0.log
23.12.2006 02:09 159 wiadebug.log
23.12.2006 02:09 0 wiaservc.log
23.12.2006 02:08 2.048 bootstat.dat
22.12.2006 01:45 32.622 SchedLgU.Txt
15.12.2006 19:00 453.545 setupapi.log
15.12.2006 18:17 116 NeroDigital.ini
15.12.2006 17:26 201.214 Windows Update.log
14.12.2006 22:26 45.106 wmsetup.log
12.11.2006 13:57 583 win.ini
12.11.2006 13:57 227 system.ini
05.11.2006 16:11 349.555 DirectX.log
05.11.2006 02:35 180.186 setupact.log
04.11.2006 02:23 729 ie7_main.log
30.10.2006 10:30 21.760 notepad32.exe
29.10.2006 23:00 227 system.tmp
29.10.2006 23:00 583 win.tmp
29.10.2006 11:55 31.744 spp3.dll
29.10.2006 11:55 13.312 runwin32.exe
29.10.2006 11:55 27.392 dialup.exe
29.10.2006 11:55 19.200 y.exe
29.10.2006 11:55 28.160 xxxvideo.hta
29.10.2006 11:55 27.648 xplugin.dll
29.10.2006 11:55 9.216 x.exe
29.10.2006 11:55 9.984 winmgnt.exe
29.10.2006 11:55 23.296 window.exe
29.10.2006 11:55 19.968 winajbm.dll
29.10.2006 11:55 20.992 win64.exe
29.10.2006 11:55 22.272 win32e.exe
29.10.2006 11:55 15.104 waol.exe
29.10.2006 11:55 20.736 users32.exe
29.10.2006 11:55 10.496 time.exe
29.10.2006 11:55 18.176 systemcritical.exe
29.10.2006 11:55 16.896 systeem.exe
29.10.2006 11:55 26.112 olehelp.exe
29.10.2006 11:55 30.720 mtwirl32.dll
29.10.2006 11:55 12.288 cpan.dll
29.10.2006 11:55 24.064 clrssn.exe
29.10.2006 11:55 17.920 avpcc.dll
29.10.2006 11:55 10.752 astctl32.ocx
29.10.2006 11:55 16.384 accesss.exe
29.10.2006 11:55 24.064 inetdctr.dll

15.10.2006 12:59 50 Winamp.ini
16.09.2006 09:16 58 videoimp.ini

Verzeichnis von C:\WINDOWS\Temp

Verzeichnis von C:\WINDOWS\Downloaded Program Files

09.11.2006 14:36 5.019 swflash.inf
07.06.2006 10:09 1.249 erma.inf
13.03.2006 16:56 65 desktop.ini
19.09.2003 14:22 299.008 isusweb.dll
25.07.2002 17:13 24.576 dwusplay.dll
25.07.2002 17:13 196.608 dwusplay.exe
20.01.2000 15:25 1.162 Microsoft XML Parser for Java.osd
14.10.1997 18:52 697 DirectAnimation Java Classes.osd
8 Datei(en) 528.384 Bytes
0 Verzeichnis(se), 4.078.276.608 Bytes frei



Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FC5C-B857

Verzeichnis von C:\

23.12.2006 02:22 0 sys.txt
23.12.2006 02:22 681 down.txt
23.12.2006 02:22 117 tmp.txt
23.12.2006 02:21 7.188 system.txt
23.12.2006 02:21 293 systemtemp.txt
23.12.2006 02:21 104.489 system32.txt
23.12.2006 02:18 12.916 ComboFix.txt
23.12.2006 02:08 1.610.612.736 pagefile.sys
12.11.2006 13:57 194 boot.ini
09.11.2006 21:59 638 crashAddress.txt
29.10.2006 12:06 61.838 2.html


-----------------------------------------------------------

5. As I said, every second page load in IE shows the page where you are supposed to download an antivirus program.. see the post above ;)
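The two logs in this post carry the whole story of the infection if read together: the ComboFix Find3M listing shows two bursts of files written within a minute or two of each other (29.10.2006 11:54-11:55 and 30.10.2006 10:30), and the HijackThis log shows BHOs that are unnamed, point at missing files, or load a DLL from exactly that burst (asgp32.dll). The script below is an added example, not part of the thread and not a tool the helper used; it parses constructed excerpts of both logs, clusters the Find3M rows into drop bursts, and cross-references the BHO and service entries against them. Function names, the two-minute window and the three-file threshold are my own choices.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpts of the HijackThis and ComboFix (Find3M) logs posted in this thread.
HJT_LOG = r"""
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\System32\ipv6mons.dll (file missing)
O2 - BHO: ASGP32.ASGP - {BB89F547-37EC-4920-880C-9D553B1C788C} - C:\WINDOWS\System32\asgp32.dll
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Antivir\nod32krn.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - E:\Nvida\bin\nSvcAppFlt.exe
"""

FIND3M = r"""
2006-12-22 01:45 -------- d-------- C:\Dokumente und Einstellungen\Andre\Anwendungsdaten\Azureus
2006-12-15 17:34 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2006-10-30 10:30 8448 --a------ C:\WINDOWS\system32\anti_troj.exe
2006-10-30 10:30 8192 --a------ C:\WINDOWS\system32\kernels64.exe
2006-10-30 10:30 30976 --a------ C:\WINDOWS\system32\win32hp.dll
2006-10-29 11:55 9216 --a------ C:\WINDOWS\x.exe
2006-10-29 11:55 31744 --a------ C:\WINDOWS\spp3.dll
2006-10-29 11:55 27648 --a------ C:\WINDOWS\xplugin.dll
2006-10-29 11:54 9216 --a------ C:\WINDOWS\system32\zggjudxn.exe
2006-10-29 11:54 19968 --a------ C:\WINDOWS\system32\asgp32.dll
2006-10-15 12:33 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
"""

HJT_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def parse_find3m(listing):
    """Yield (timestamp, path) for file rows; directory rows (attribute block starts with 'd') are skipped."""
    for line in listing.splitlines():
        parts = line.split(None, 4)  # date, time, size, attributes, path
        if len(parts) < 5 or parts[3].startswith("d"):
            continue
        try:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M")
        except ValueError:
            continue
        yield ts, parts[4]


def find_drop_bursts(listing, window=timedelta(minutes=2), min_files=3):
    """Group files whose timestamp lies within `window` of the previous file; keep groups of >= min_files."""
    bursts, current = [], []
    for ts, path in sorted(parse_find3m(listing)):
        if current and ts - current[-1][0] > window:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append((ts, path))
    if len(current) >= min_files:
        bursts.append(current)
    return bursts


def triage_hijackthis(log, dropped=frozenset()):
    """Return HijackThis entries worth a second look, each with the reasons it was flagged.
    `dropped` is a set of lower-cased paths (e.g. from find_drop_bursts) used for cross-referencing."""
    findings = []
    for line in log.splitlines():
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        reasons = []
        if section == "O2" and (b := BHO_RE.match(rest)):
            if b["name"] == "(no name)":
                reasons.append("BHO registered without a name")
            if "(no file)" in b["path"] or "(file missing)" in b["path"]:
                reasons.append("BHO CLSID points at a file that no longer exists")
            if b["path"].lower() in dropped:
                reasons.append("BHO DLL was written during a drop burst")
        elif section == "O23" and (s := SVC_RE.match(rest)):
            if s["owner"] == "Unknown owner":
                reasons.append("service has no publisher string (weak signal: verify the binary)")
        if reasons:
            findings.append({"line": line.strip(), "reasons": reasons})
    return findings


def analyse(hjt_log=HJT_LOG, find3m=FIND3M):
    bursts = find_drop_bursts(find3m)
    dropped = {path.lower() for burst in bursts for _, path in burst}
    return bursts, triage_hijackthis(hjt_log, dropped)


if __name__ == "__main__":
    bursts, findings = analyse()
    for burst in bursts:
        print(f"{len(burst)} files written between {burst[0][0]} and {burst[-1][0]}:")
        for ts, path in burst:
            print(f"  {ts:%Y-%m-%d %H:%M}  {path}")
    for f in findings:
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

On the excerpt this yields two bursts (five files on 29.10., three on 30.10.) and flags four BHOs plus one service; the legitimate PC Tools BHO and the NOD32 service stay unflagged. The "Unknown owner" rule is deliberately reported as weak, since the NVIDIA service it hits here is harmless: the burst cross-reference is the strong signal.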
23.12.2006, 12:28
Honorary member

Posts: 29434
#4 ««
Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste this in:

Quote

registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetPumper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UninstalTime
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364D99-1240-4dff-B12A-67E448373148}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B12A-67E448373148}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8dc8f96d-34f7-1501-a2a4-631341aa3ac1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8dc8f96d-34f7-1501-a2a4-631341aa3ac1}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB89F547-37EC-4920-880C-9D553B1C788C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB89F547-37EC-4920-880C-9D553B1C788C}

Files to delete:
C:\WINDOWS\system32\win32hp.dll
C:\WINDOWS\system32\VXH8JKDQ2.EXE
C:\WINDOWS\system32\VXH8JKDQ6.EXE
C:\WINDOWS\system32\ts.ico
C:\WINDOWS\system32\ot.ico
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\msmsn.exe
C:\WINDOWS\system32\kernels64.exe
C:\WINDOWS\system32\anti_troj.exe
C:\WINDOWS\system32\mpsegment.exe
C:\WINDOWS\system32\msvol.tlb
C:\WINDOWS\system32\performent202.dll
C:\WINDOWS\system32\lfd.dat
C:\WINDOWS\system32\oiso.bin
C:\WINDOWS\system32\pcf.pdf
C:\WINDOWS\system32\netstat2.exe
C:\WINDOWS\system32\proqlaim.exe
C:\WINDOWS\system32\iewd.exe
C:\WINDOWS\system32\dload.exe
C:\WINDOWS\system32\asgp32.dll
C:\WINDOWS\system32\1821.exe
C:\WINDOWS\system32\msmapi32.exe
C:\WINDOWS\system32\intr32.dll
C:\WINDOWS\system32\dsrvknvk.exe
C:\WINDOWS\system32\zggjudxn.exe
C:\WINDOWS\system32\log200672.log
C:\WINDOWS\system32\imon1.dat
C:\WINDOWS\notepad32.exe
C:\WINDOWS\system.tmp
C:\WINDOWS\win.tmp
C:\WINDOWS\spp3.dll
C:\WINDOWS\runwin32.exe
C:\WINDOWS\dialup.exe
C:\WINDOWS\y.exe
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\xplugin.dll
C:\WINDOWS\x.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\window.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\win64.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\time.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\cpan.dll
C:\WINDOWS\clrssn.exe
C:\WINDOWS\avpcc.dll
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\accesss.exe
C:\WINDOWS\inetdctr.dll
C:\2.html

Click the green traffic light
the script will now run, then the PC will restart automatically

««
open HijackThis -- button "Scan" -- tick the boxes in front of these entries / as far as they are still present..... -- button "Fix checked" -- restart the PC

Quote

O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)

O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINDOWS\System32\ipv6mons.dll (file missing)

O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)

O2 - BHO: ASGP32.ASGP - {BB89F547-37EC-4920-880C-9D553B1C788C} - C:\WINDOWS\System32\asgp32.dll

O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file)

»»
scan and post the scan report
http://virus-protect.org/ewido.html

------------

virustotal
At the top of the page --> click "Durchsuchen" (Browse) --> pick the file (or paste the file with its correct path straight away) --> double-click the file to be checked --> click "Send"... now wait - then select the text with the right mouse button -> copy - paste
http://www.virustotal.com/flash/index_en.html

C:\WINDOWS\system32\chkdisk.exe

post the report here

http://nepenthes.mwcollect.org/analysis:norman:be662ede2b99676217cdf97a95365891
__________
Regards, Sabina

all about PC security
24.12.2006, 15:12
Member

Thread starter

Posts: 79
#5 1. Avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mqlhrqsy

*******************

Script file located at: qeokghyb

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!

---------------------------------------------------

2. HJT run

---------------------------------------------------

3. Virus scanner

Runs and runs and runs.... Duracell *laugh* ;)

Report:

---------------------------------------------------------
AVG Anti-Spyware - Scan-Bericht
---------------------------------------------------------

+ Erstellt um: 15:11:35 24.12.2006

+ Scan-Ergebnis:



L:\Download programme\Download.Accelerator.7.2.Premium.by.MadHacker2k4.for.www.goldesel.6x.to.rar/Download.Accelerator.7.2.Premium.by.MadHacker2k4.for.www.goldesel.6x.to\Crack\DAP.exe -> Adware.Dap : Gesäubert.
E:\Antivir\INFECTED\MEMQS4AA.NQF -> Adware.NewDotNet : Gesäubert.
E:\Antivir\INFECTED\LQAVW4AA.NQF -> Adware.SaveNow : Gesäubert.
E:\System Volume Information\_restore{F47EF1A3-4054-4B0B-9D14-D42888472642}\RP104\A0071979.exe -> Backdoor.Hupigon.dp : Gesäubert.
L:\Gta San Andreas\hlm-gtasa\HOODLUM\HLM-INTR.EXE -> Backdoor.Hupigon.kg : Gesäubert.
E:\System Volume Information\_restore{F47EF1A3-4054-4B0B-9D14-D42888472642}\RP104\A0072083.exe -> Dropper.AphexLace.a : Gesäubert.
L:\400.Winamp.Plugins.by.neonic\400.Winamp.Plugins.by.neonic\EINFACH GELD VERDIENEN\test33.exe -> Logger.Alexa.a : Gesäubert.
E:\Trillian\Trillian.Pro.v3.1.0.121.WinALL.PROPER-BM.for.goldesel.6x.to\crack\patcher-arn.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Gesäubert.
E:\Trillian\Trillian.Pro.v3.1.0.121.WinALL.PROPER-BM.for.goldesel.6x.to\crack\patcher.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Gesäubert.
E:\Trillian\patcher-arn.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Gesäubert.
E:\Trillian\patcher.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Gesäubert.
L:\Download programme\IncrediMail.Xe.Premium.4.00.Build.1874.rar/IncrediMail Xe Premium 4.00 Build 1874\Incredimail13xx-14xxgoldpatch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Gesäubert.
L:\Download programme\RegSupreme.Professional.1.2.0.35_CRK-FFF.rar/Crack-FFF.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Gesäubert.
E:\Hot CPU Tester Pro 4 LE\crack_ttdown.exe -> Trojan.Regpat.a : Gesäubert.
L:\Download programme\Hot.CPU.Tester.Pro.v4.2.2.Pro.Edition-Full[www.ed2kmagazine.com].rar/Hot CPU Tester Pro v4.2.2 Pro Edition-Full[www.ed2kmagazine.com]\Keygen\crack_ttdown.exe -> Trojan.Regpat.a : Gesäubert.
E:\AIM95\icbmft.ocm -> Worm.AimVen : Gesäubert.


::Berichtende



---------------------------------------------------

Virustotal HP

STATUS: FINISHED
Complete scanning result of "chkdisk.exe", received in VirusTotal at 12.24.2006, 14:25:18 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.21 12.23.2006 no virus found
Authentium 4.93.8 12.22.2006 no virus found
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.24.2006 no virus found
BitDefender 7.2 12.24.2006 no virus found
CAT-QuickHeal 8.00 12.23.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.24.2006 no virus found
DrWeb 4.33 12.24.2006 no virus found
eSafe 7.0.14.0 12.24.2006 Suspicious Trojan/Worm
eTrust-InoculateIT 23.73.97 12.23.2006 no virus found
eTrust-Vet 30.3.3271 12.23.2006 no virus found
Ewido 4.0 12.24.2006 no virus found
Fortinet 2.82.0.0 12.24.2006 suspicious
F-Prot 3.16f 12.22.2006 no virus found
F-Prot4 4.2.1.29 12.22.2006 no virus found
Ikarus T3.1.0.27 12.24.2006 not-a-virus:AdWare.Win32.Agent.ab
Kaspersky 4.0.2.24 12.24.2006 no virus found
McAfee 4925 12.22.2006 no virus found
Microsoft 1.1904 12.24.2006 no virus found
NOD32v2 1937 12.24.2006 no virus found
Norman 5.80.02 12.22.2006 no virus found
Panda 9.0.0.4 12.24.2006 Suspicious file
Prevx1 V2 12.24.2006 Covert.Sys.Exec
Sophos 4.12.0 12.24.2006 Mal/Packer
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 6.0.3.136 12.24.2006 no virus found
UNA 1.83 12.22.2006 no virus found
VBA32 3.11.1 12.24.2006 no virus found
VirusBuster 4.3.19:9 12.23.2006 novirus:packed/FSG


Aditional Information
File size: 22481 bytes
MD5: 7c24a96026b8e28bd03f39ec231b9025
SHA1: 93401f1a89b99c7a3afbc4494125a7db1ff372a4
packers: FSG
packers: FSG
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=2bfe43009388
Sunbelt info: VIPRE.Suspicious is a generic detection for potential Thread that are deemed suspicious through heuristics.
24.12.2006, 15:43
Honorary member
Sabina

Posts: 29434
#6 You have to use Avenger correctly, i.e. first put it on c:\ and then tick and click everything exactly according to the instructions, as described on the Avenger page

Input script manually (tick this)

(and don't copy the "Quote" in with it!)
__________
Kind regards, Sabina

all about PC security
26.12.2006, 01:51
Member

Thread starter

Posts: 79
#7 Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\njl^ekej

*******************

Script file located at: \??\C:\Program Files\yyexphkt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\win32hp.dll deleted successfully.
File C:\WINDOWS\system32\VXH8JKDQ2.EXE deleted successfully.
File C:\WINDOWS\system32\VXH8JKDQ6.EXE deleted successfully.
File C:\WINDOWS\system32\ts.ico deleted successfully.
File C:\WINDOWS\system32\ot.ico deleted successfully.
File C:\WINDOWS\system32\ace16win.dll deleted successfully.
File C:\WINDOWS\system32\msmsn.exe deleted successfully.
File C:\WINDOWS\system32\kernels64.exe deleted successfully.
File C:\WINDOWS\system32\anti_troj.exe deleted successfully.
File C:\WINDOWS\system32\mpsegment.exe deleted successfully.
File C:\WINDOWS\system32\msvol.tlb deleted successfully.
File C:\WINDOWS\system32\performent202.dll deleted successfully.
File C:\WINDOWS\system32\lfd.dat deleted successfully.
File C:\WINDOWS\system32\oiso.bin deleted successfully.
File C:\WINDOWS\system32\pcf.pdf deleted successfully.
File C:\WINDOWS\system32\netstat2.exe deleted successfully.
File C:\WINDOWS\system32\proqlaim.exe deleted successfully.
File C:\WINDOWS\system32\iewd.exe deleted successfully.
File C:\WINDOWS\system32\dload.exe deleted successfully.


File C:\WINDOWS\system32\asgp32.dll not found!
Deletion of file C:\WINDOWS\system32\asgp32.dll failed!

Could not process line:
C:\WINDOWS\system32\asgp32.dll
Status: 0xc0000034

File C:\WINDOWS\system32\1821.exe deleted successfully.
File C:\WINDOWS\system32\msmapi32.exe deleted successfully.
File C:\WINDOWS\system32\intr32.dll deleted successfully.
File C:\WINDOWS\system32\dsrvknvk.exe deleted successfully.
File C:\WINDOWS\system32\zggjudxn.exe deleted successfully.
File C:\WINDOWS\system32\log200672.log deleted successfully.
File C:\WINDOWS\system32\imon1.dat deleted successfully.
File C:\WINDOWS\notepad32.exe deleted successfully.
File C:\WINDOWS\system.tmp deleted successfully.
File C:\WINDOWS\win.tmp deleted successfully.
File C:\WINDOWS\spp3.dll deleted successfully.
File C:\WINDOWS\runwin32.exe deleted successfully.
File C:\WINDOWS\dialup.exe deleted successfully.
File C:\WINDOWS\y.exe deleted successfully.
File C:\WINDOWS\xxxvideo.hta deleted successfully.
File C:\WINDOWS\xplugin.dll deleted successfully.
File C:\WINDOWS\x.exe deleted successfully.
File C:\WINDOWS\winmgnt.exe deleted successfully.
File C:\WINDOWS\window.exe deleted successfully.
File C:\WINDOWS\winajbm.dll deleted successfully.
File C:\WINDOWS\win64.exe deleted successfully.
File C:\WINDOWS\win32e.exe deleted successfully.
File C:\WINDOWS\waol.exe deleted successfully.
File C:\WINDOWS\users32.exe deleted successfully.
File C:\WINDOWS\time.exe deleted successfully.
File C:\WINDOWS\systemcritical.exe deleted successfully.
File C:\WINDOWS\systeem.exe deleted successfully.
File C:\WINDOWS\olehelp.exe deleted successfully.
File C:\WINDOWS\mtwirl32.dll deleted successfully.
File C:\WINDOWS\cpan.dll deleted successfully.
File C:\WINDOWS\clrssn.exe deleted successfully.
File C:\WINDOWS\avpcc.dll deleted successfully.
File C:\WINDOWS\astctl32.ocx deleted successfully.
File C:\WINDOWS\accesss.exe deleted successfully.
File C:\WINDOWS\inetdctr.dll deleted successfully.
File C:\2.html deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetPumper deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UninstalTime deleted successfully.


Registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} not found!
Deletion of registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} failed!
Status: 0xc0000034



Registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} not found!
Deletion of registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} failed!
Status: 0xc0000034



Registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364D99-1240-4dff-B12A-67E448373148} not found!
Deletion of registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364D99-1240-4dff-B12A-67E448373148} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B12A-67E448373148} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73364D99-1240-4dff-B12A-67E448373148} failed!
Status: 0xc0000034



Registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8dc8f96d-34f7-1501-a2a4-631341aa3ac1} not found!
Deletion of registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8dc8f96d-34f7-1501-a2a4-631341aa3ac1} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8dc8f96d-34f7-1501-a2a4-631341aa3ac1} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8dc8f96d-34f7-1501-a2a4-631341aa3ac1} failed!
Status: 0xc0000034



Registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB89F547-37EC-4920-880C-9D553B1C788C} not found!
Deletion of registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB89F547-37EC-4920-880C-9D553B1C788C} failed!
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB89F547-37EC-4920-880C-9D553B1C788C} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BB89F547-37EC-4920-880C-9D553B1C788C} failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
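As an added example (not part of the original post and not code from the Avenger tool): a small parser that reads a log in the shape above and summarises it, so a helper can see how many files and keys were removed, which entries failed, and what the status codes mean. The 0xc0000034 failures in this log are STATUS_OBJECT_NAME_NOT_FOUND, i.e. the file or key was already gone, which is harmless; the 0xc000003b from the first run in post #5 is STATUS_OBJECT_PATH_SYNTAX_BAD, which is why that run could not open its script file. The sample log is a constructed, shortened excerpt with the same line shapes as the posted one.

```python
"""Summarise an Avenger run log: what was removed, what failed, and why.

Added example for this thread; it is not part of the Avenger tool or of the
original post. SAMPLE_LOG is a constructed, shortened excerpt in the shape of
the log above, and NTSTATUS_NAMES holds the documented Windows meaning of the
two status codes that occur in this thread.
"""
import re
from collections import Counter

# Documented NTSTATUS values for the codes seen in the thread's Avenger output.
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",   # file/key was already gone
    0xC000003B: "STATUS_OBJECT_PATH_SYNTAX_BAD",  # script path could not be parsed
}

DELETED_RE = re.compile(r"^(File|Registry key) (.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of (file|registry key) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")

# Constructed excerpt (same line shapes as the posted log, far fewer entries).
SAMPLE_LOG = r"""Logfile of The Avenger version 1, by Swandog46
Script file opened successfully.
Beginning to process script file:

File C:\WINDOWS\system32\win32hp.dll deleted successfully.
File C:\WINDOWS\system32\msmsn.exe deleted successfully.

File C:\WINDOWS\system32\asgp32.dll not found!
Deletion of file C:\WINDOWS\system32\asgp32.dll failed!

Could not process line:
C:\WINDOWS\system32\asgp32.dll
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UninstalTime deleted successfully.

Registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} not found!
Deletion of registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} failed!
Status: 0xc0000034

Completed script processing.
"""


def explain_status(code_text):
    """Map a 'Status: 0x...' code to its NTSTATUS name (or 'unknown NTSTATUS')."""
    return NTSTATUS_NAMES.get(int(code_text, 16), "unknown NTSTATUS")


def parse_avenger_log(text):
    """Return one record per script entry: kind, target, outcome and status."""
    records = []
    pending = None  # the last failed entry, waiting for its 'Status:' line
    for line in text.splitlines():
        line = line.strip()
        m = DELETED_RE.match(line)
        if m:
            records.append({"kind": m.group(1).lower(), "target": m.group(2),
                            "outcome": "deleted", "status": None,
                            "status_name": None})
            continue
        m = FAILED_RE.match(line)
        if m:
            pending = {"kind": m.group(1), "target": m.group(2),
                       "outcome": "failed", "status": None, "status_name": None}
            records.append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending["status"] = int(m.group(1), 16)
            pending["status_name"] = explain_status(m.group(1))
            pending = None
    return records


def summarize(records):
    """Count outcomes so a helper can see at a glance what the run achieved."""
    out = {"deleted_files": 0, "deleted_keys": 0, "failed": 0,
           "failed_by_status": Counter()}
    for r in records:
        if r["outcome"] == "deleted":
            out["deleted_files" if r["kind"] == "file" else "deleted_keys"] += 1
        else:
            out["failed"] += 1
            out["failed_by_status"][r["status_name"]] += 1
    return out


if __name__ == "__main__":
    recs = parse_avenger_log(SAMPLE_LOG)
    print(summarize(recs))
    for r in recs:
        if r["outcome"] == "failed":
            print(f"{r['kind']} {r['target']}: {r['status_name']}")
```

Feeding the full log from the post in place of SAMPLE_LOG gives the same kind of summary; a failure with any status other than "object name not found" is the one that deserves a closer look.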
26.12.2006, 12:36
Honorary member
Sabina

Posts: 29434
#8 1.
Post the 6 logs from datfindbat again

2.
Post the new HijackThis log
__________
Kind regards, Sabina

all about PC security
28.12.2006, 02:42
Member

Thread starter

Posts: 79
#9 1.

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FC5C-B857

Verzeichnis von C:\WINDOWS\system32

27.12.2006 15:35 7.749 _nvidia_xxx_.log
27.12.2006 11:29 63.114 nvapps.xml
27.12.2006 11:27 2.206 wpa.dbl
27.12.2006 11:26 37.840 OODBS.lor
27.12.2006 11:26 91.249 ikhcore.log
26.12.2006 03:54 64.980 DVCState-{00000005-00000000-00000008-00001102-00000005-00211102}.rfx
26.12.2006 03:54 1.080 settings.sfm
26.12.2006 03:54 1.080 settingsbkup.sfm
26.12.2006 03:54 55.172 BMXState-{00000005-00000000-00000008-00001102-00000005-00211102}.rfx
26.12.2006 03:54 55.172 BMXStateBkp-{00000005-00000000-00000008-00001102-00000005-00211102}.rfx
24.12.2006 15:12 4 stfv.bin
15.12.2006 17:34 409.600 wrap_oal.dll
15.12.2006 17:34 86.016 OpenAL32.dll
30.10.2006 00:50 5 SndDrv32ds_d.ods
30.10.2006 00:50 5 AuxDrv32ds_d.ods
29.10.2006 09:33 311.740 perfh009.dat
29.10.2006 09:33 40.128 perfc009.dat
29.10.2006 09:33 316.924 perfh007.dat
29.10.2006 09:33 48.354 perfc007.dat
29.10.2006 09:33 723.744 PerfStringBackup.INI
15.10.2006 12:33 98.304 CmdLineExt.dll
21.09.2006 13:35 126.112 FNTCACHE.DAT
16.09.2006 09:18 14 systeminfo.dll
------------------------------------------------
2.

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FC5C-B857

Verzeichnis von C:\DOKUME~1\ANDR~1\LOKALE~1\Temp

28.12.2006 02:38 512 ~DF2D54.tmp
28.12.2006 02:36 0 NEREC.tmp
27.12.2006 11:31 16.384 Perflib_Perfdata_c68.dat
26.12.2006 02:02 2.912 java_install_reg.log
23.12.2006 11:20 5.512.294 splist.txt
23.12.2006 11:20 1.637.980 ranges18909.zip
23.12.2006 02:26 1.637.980 ranges41723.zip
30.07.2006 05:44 16.330.024 Install_Messenger.exe
8 Datei(en) 25.138.086 Bytes
0 Verzeichnis(se), 4.002.840.576 Bytes frei
------------------------------------------------------------
3.

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FC5C-B857

Verzeichnis von C:\WINDOWS

27.12.2006 15:35 116 NeroDigital.ini
27.12.2006 11:30 456.113 setupapi.log
27.12.2006 11:28 0 0.log
27.12.2006 11:27 159 wiadebug.log
27.12.2006 11:27 50 wiaservc.log
27.12.2006 11:26 2.048 bootstat.dat
22.12.2006 01:45 32.622 SchedLgU.Txt
15.12.2006 17:26 201.214 Windows Update.log
14.12.2006 22:26 45.106 wmsetup.log
12.11.2006 13:57 227 system.ini
12.11.2006 13:57 583 win.ini
05.11.2006 16:11 349.555 DirectX.log
05.11.2006 02:35 180.186 setupact.log
04.11.2006 02:23 729 ie7_main.log
15.10.2006 12:59 50 Winamp.ini
16.09.2006 09:16 58 videoimp.ini
15.08.2006 11:58 0 ROUTE
15.08.2006 11:52 0 stduser.ini
---------------------------------------------------
4.
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FC5C-B857

Verzeichnis von C:\WINDOWS\Temp

26.12.2006 02:35 0 exp2F2.tmp
24.12.2006 13:45 0 exp16.tmp
2 Datei(en) 0 Bytes
0 Verzeichnis(se), 4.002.840.576 Bytes frei
------------------------------------------------------
5.
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FC5C-B857

Verzeichnis von C:\WINDOWS\Downloaded Program Files

09.11.2006 14:36 5.019 swflash.inf
07.06.2006 10:09 1.249 erma.inf
13.03.2006 16:56 65 desktop.ini
19.09.2003 14:22 299.008 isusweb.dll
25.07.2002 17:13 24.576 dwusplay.dll
25.07.2002 17:13 196.608 dwusplay.exe
------------------------------------------------------
6.
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FC5C-B857

Verzeichnis von C:\

28.12.2006 02:41 0 sys.txt
28.12.2006 02:40 681 down.txt
28.12.2006 02:40 322 tmp.txt
28.12.2006 02:40 5.839 system.txt
28.12.2006 02:40 673 systemtemp.txt
28.12.2006 02:39 103.179 system32.txt
27.12.2006 11:26 1.610.612.736 pagefile.sys
26.12.2006 01:33 13.304 avenger.txt
23.12.2006 02:18 12.916 ComboFix.txt
12.11.2006 13:57 194 boot.ini
09.11.2006 21:59 638 crashAddress.txt
-----------------------------------------------------
-----------------------------------------------------
HJT

Logfile of HijackThis v1.99.1
Scan saved at 02:42:32, on 28.12.2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
e:\AVG Anti-Spyware 7.5\guard.exe
E:\Nvida\Apache Group\Apache2\bin\apache.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
E:\Antivir\nod32krn.exe
E:\Nvida\bin\nSvcIp.exe
E:\Nvida\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
e:\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
E:\Nvida\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
E:\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
E:\asus probe\AsusProb.exe
C:\Programme\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\System32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Creative\ShareDLL\CADI\NotiMan.exe
E:\Nero 7\Nero Vision\NeroVision.exe
C:\WINDOWS\System32\imapi.exe
E:\OFFICE~2\Office10\OUTLOOK.EXE
E:\Office XP\Office10\WINWORD.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\André\Desktop\hijackthis\HjT1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolPanel] "e:\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [ASUS Probe] e:\asus probe\AsusProb.exe
O4 - HKLM\..\Run: [RCSystem] "C:\Programme\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programme\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programme\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] E:\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download with &DAP - E:\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\DAP\dapextie2.htm
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://e:\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://e:\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://e:\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://e:\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://E:\OFFICE~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - e:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - E:\Nvida\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - E:\Nvida\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Antivir\nod32krn.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - E:\Nvida\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - E:\Nvida\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - e:\Spyware Doctor\sdhelp.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - E:\TuneUp Utilities 2006\WinStylerThemeSvc.exe
28.12.2006, 02:57
Honorary member
Sabina

Posts: 29434
#10 sandbox.norman
http://sandbox.norman.no/live_4.html

C:\WINDOWS\system32\chkdisk.exe

When you are then notified by e-mail, post the reply here
__________
Kind regards, Sabina

all about PC security
28.12.2006, 20:58
Member

Thread starter

Posts: 79
#11 Your message ID (for later reference): 20061228-4134

Hello,

Thanks for taking the time to submit your samples to the Norman
Sandbox Information Center. Customer delight is our top priority at
Norman. With that in mind we have developed Sandbox Solutions for
organizations that are committed to speedy analysis and debugging.

Norman Sandbox Solutions give your organization the opportunity to
analyze files immediately in your own environment.

To find out how to bring the power of Norman Sandbox into your test
environments follow the links below.

Norman Sandbox Solutions http://www.norman.com/Product/Sandbox-products/

Norman Sandbox Analyzer http://www.norman.com/Product/Sandbox-products/Analyzer/

Norman Sandbox Analyzer Pro http://www.norman.com/Product/Sandbox-products/Analyzer-pro/

Norman SandBox Reporter http://www.norman.com/Product/Sandbox-products/Reporter/

chkdisk.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ General information ]
* Decompressing Unk3!FSG?.
* File length: 22481 bytes.
* MD5 hash: 7c24a96026b8e28bd03f39ec231b9025.

[ Changes to registry ]
* Creates value "UninstalTime"="chkdisk.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Sets value "SubVer"="1" in key "HKLM\Software\Microsoft\Windows\CurrentVersion".

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).

(C) 2004-2006 Norman ASA. All Rights Reserved.
28.12.2006, 21:11
Honorary member
Sabina

Posts: 29434
#12 1.
Avenger
Paste this in:

Quote

Files to delete:
C:\WINDOWS\system32\chkdisk.exe
»»Don't delete the Avenger backup, in case there are problems.....

2.
Post the ComboFix log again
__________
Kind regards, Sabina

all about PC security
31.12.2006, 02:23
Member

Thread starter

Posts: 79
#13 1. Done
------------------------------------------------------
2. ComboFix

André - 06-12-31 2:22:54,39 Service Pack 1
ComboFix 06.11.27 - Running from: "L:\Download programme"

((((((((((((((((((((((((((((((( Files Created from 2006-11-31 to 2006-12-31 ))))))))))))))))))))))))))))))))))


2006-12-31 02:19 <DIR> d-------- C:\avenger
2006-12-24 13:59 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-23 02:15 <DIR> d-------- C:\Programme\CleanUp!
2006-12-15 17:34 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-12-15 17:34 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-31 01:59 -------- d-------- C:\Dokumente und Einstellungen\André\Anwendungsdaten\Adobe
2006-12-28 03:01 -------- d-------- C:\Dokumente und Einstellungen\André\Anwendungsdaten\Azureus
2006-12-15 17:36 -------- d--h----- C:\Programme\InstallShield Installation Information
2006-12-15 17:34 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2006-12-15 17:34 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-11-19 02:15 24968 --a------ C:\Dokumente und Einstellungen\André\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2006-11-05 16:16 -------- d-------- C:\Dokumente und Einstellungen\André\Anwendungsdaten\temp
2006-10-15 12:33 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"AIM"="E:\\AIM95\\aim.exe -cnetwait.odl"
"msnmsgr"="\"C:\\Programme\\MSN Messenger\\msnmsgr.exe\" /background"
"Yahoo! Pager"="\"E:\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\Disabled]
"msnmsgr"="\"C:\\Programme\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"VolPanel"="\"e:\\Sound Blaster X-Fi\\Volume Panel\\VolPanel.exe\" /r"
"ASUS Probe"="e:\\asus probe\\AsusProb.exe"
"RCSystem"="\"C:\\Programme\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" RCSystem * -Startup"
"AudioDrvEmulator"="\"C:\\Programme\\Creative\\Shared Files\\Module Loader\\DLLML.exe\" -1 AudioDrvEmulator \"C:\\Programme\\Creative\\Shared Files\\Module Loader\\Audio Emulator\\AudDrvEm.dll\""
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"CTxfiHlp"="CTXFIHLP.EXE"
"CTHelper"="CTHELPER.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,cb,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,01,00,00,62,01,00,00,20,01,00,00,23,01,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"MaxRecentDocs"=dword:0000001f
"NoRecentDocsHistory"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="E:\\AIM95\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AnyDVD"
"hkey"="HKLM"
"command"="\"E:\\AnyDVD\\AnyDVD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"e:\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dxdllreg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\dxdllreg.exe "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BJPSMAIN"
"hkey"="HKLM"
"command"="C:\\Programme\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="\"C:\\Programme\\ICQLite\\ICQLite.exe\" -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Programme\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nod32kui"
"hkey"="HKLM"
"command"="\"E:\\Antivir\\nod32kui.exe\" /WAITSERVICE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nTrayFw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nTrayFw"
"hkey"="HKLM"
"command"="E:\\Nvida\\bin\\nTrayFw.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Overnet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Overnet"
"hkey"="HKLM"
"command"="E:\\Overnet\\Overnet.exe -t"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"E:\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Klick-Wartung.job

Completion time: 06-12-31 2:23:19.77
C:\ComboFix.txt ... 06-12-31 02:23
C:\ComboFix2.txt ... 06-12-23 02:18
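As an added example (not code from Norman, ComboFix or the original posts): the sandbox report in post #11 names the autorun value that chkdisk.exe creates, and the "Reg Loading Points" section of the ComboFix log above is where a helper confirms, after the Avenger run requested in post #12, that the value is gone. The script below parses both formats, normalises the key paths so "HKLM\...\Run" and "[HKEY_LOCAL_MACHINE\...\run]" compare equal, and reports for each sandbox-observed value whether the dump still carries it. The report excerpt repeats the posted one; the two dumps are constructed excerpts, one with the value present and one matching the clean state shown above.

```python
"""Check whether autorun values a sandbox observed are still present in an
autorun dump.

Added example for this thread; it is not code from Norman, ComboFix or the
original posts. It reads the "[ Changes to registry ]" lines of a Norman
Sandbox report and the .reg-style "Reg Loading Points" section of a ComboFix
log, then reports for every sandbox-observed value whether the dump still
carries it. The report excerpt repeats the one posted above; the two dumps
are constructed excerpts, one before and one after removal.
"""
import re

# Sandbox lines as posted in the thread (single-backslash key paths).
SANDBOX_REPORT = r"""[ Changes to registry ]
* Creates value "UninstalTime"="chkdisk.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Sets value "SubVer"="1" in key "HKLM\Software\Microsoft\Windows\CurrentVersion".
"""

# Constructed dump of the infected state: the value from the sandbox is present.
COMBOFIX_BEFORE = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"UninstalTime"="chkdisk.exe"
"CTHelper"="CTHELPER.EXE"
"""

# Constructed dump of the clean state, matching the log posted after removal.
COMBOFIX_AFTER = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"CTHelper"="CTHELPER.EXE"
"""

SANDBOX_VALUE_RE = re.compile(
    r'^\* (?:Creates|Sets) value "([^"]+)"="([^"]*)" in key "([^"]+)"\.$', re.M)
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}


def normalize_key(key):
    """Expand hive abbreviations and lower-case so both formats compare equal."""
    hive, _, rest = key.partition("\\")
    hive = HIVES.get(hive.upper(), hive)
    return (hive + "\\" + rest).lower().rstrip("\\")


def unquote_reg_data(raw):
    """Undo .reg string escaping; dword:/hex: data is returned as written."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def sandbox_values(report):
    """Return (normalised key, value name, data) for each reported value."""
    return [(normalize_key(k), n, d) for n, d, k in SANDBOX_VALUE_RE.findall(report)]


def parse_reg_dump(text):
    """Parse a .reg-style dump into {normalised key: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = normalize_key(m.group(1))
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = unquote_reg_data(m.group(2))
    return keys


def check_persistence(report, dump_text):
    """For each sandbox value: present True/False, or None if the dump does
    not cover that key at all (ComboFix lists loading points only)."""
    dump = parse_reg_dump(dump_text)
    results = []
    for key, name, data in sandbox_values(report):
        present = None if key not in dump else name in dump[key]
        results.append({"key": key, "name": name, "data": data,
                        "is_autorun": key.endswith("\\run"), "present": present})
    return results


if __name__ == "__main__":
    for label, dump in (("before", COMBOFIX_BEFORE), ("after", COMBOFIX_AFTER)):
        for r in check_persistence(SANDBOX_REPORT, dump):
            print(label, r["name"], "autorun:", r["is_autorun"], "present:", r["present"])
```

The "SubVer" marker under CurrentVersion comes back as None rather than False because ComboFix does not dump that key; only a value under a loading-point key can be declared gone on the strength of this log, which is why the result distinguishes "absent" from "not covered".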
31.12.2006, 13:56
Honorary member
Sabina

Posts: 29434
#14 To wrap everything up: scan with Panda and post the report + the new HijackThis log
http://virus-protect.org/onlinescan.html
__________
Kind regards, Sabina

all about PC security