Drive Cleaner ... what is it?

Topic is closed!
11.04.2007, 18:12
Honorary member
Sabina

Posts: 29434
#91 TommyK

«
Go into the registry
Start - Run - regedit
top left - Edit - Find - kdvmv.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="kdvmv.exe" - delete

----------------------------------------------------------

««
open HijackThis -- button "Scan" -- tick the boxes in front of these entries -- button "Fix checked"

Quote

O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Programme\Video ActiveX Object\isaddon.dll (file missing)

O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll (file missing)

O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - C:\Programme\Video ActiveX Object\iesplugin.dll (file missing)

O4 - HKLM\..\Run: [NI.UWA6PU_0001_N91M2107] "C:\Dokumente und Einstellungen\Kraus\Desktop\WinAntiVirusPro2006FreeInstall_de.exe" -nag

O4 - HKLM\..\Run: [SDR6U_Check] "C:\Dokumente und Einstellungen\Kraus\Desktop\zu löschen\DriveCleaner 2006 Free\sdrmon.exe"

O4 - HKLM\..\Run: [UERScw] C:\Programme\ErrorSafe Free\UERScw.exe -c

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - HKCU\..\Run: [Malware-Alarm] C:\Program Files\MalwareAlarm\MalwareAlarm.exe

O4 - HKCU\..\Run: [Error Safe Free] C:\Programme\ErrorSafe Free\uers.exe /scan

O4 - HKLM\..\Policies\Explorer\Run: [isamonitor.exe] C:\Programme\Video ActiveX Object\isamonitor.exe

O4 - HKLM\..\Policies\Explorer\Run: [pmsngr.exe] C:\Programme\Video ActiveX Object\pmsngr.exe

O21 - SSODL: iesupport - {E39D1814-691D-4C1D-94BE-9A41B18E5C85} - C:\WINDOWS\iesupport.dll

O21 - SSODL: iedebug - {062A1B6B-B09E-4A5A-B3BF-EF2A7A4D1F77} - C:\WINDOWS\iedebug.dll

O22 - SharedTaskScheduler: haematobia - {3c767c6b-602d-4b9b-829d-a3dc5b2d89dd} - C:\WINDOWS\system32\hjpprpu.dll (file missing)
--------------------------------------


Avenger
http://virus-protect.org/artikel/tools/avenger.html
Input script manually (tick the box)
copy into: View/edit script

Quote

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|SDR6U_Check
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|NI.UWA6PU_0001_N91M2107
HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler|{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}
HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload|haematobia
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|iesupport
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad|iedebug
HKLM\software\microsoft\windows\currentversion\policies\explorer\run|isamonitor.exe
HKLM\software\microsoft\windows\currentversion\policies\explorer\run|pmsngr.exe

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FA1AA9E-7ECF-4f3b-AC23-7F09E01298E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5F90B57B-3F17-4D9B-8909-1A32AFD6EC0C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FA1AA9E-7ECF-4f3b-AC23-7F09E01298E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF0D1E98-4FAF-44BD-8ECA-E745820E63DD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VPNS.VPNSApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Video ActiveX Object
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video ActiveX Object

Files to delete:
C:\WINDOWS\iesettings.dll
C:\WINDOWS\iesupport.dll
C:\WINDOWS\iedebug.dll
C:\WINDOWS\main_uninstaller.exe
C:\WINDOWS\xpupdate.exe
C:\Dokumente und Einstellungen\Kraus\Desktop\Install533.exe
C:\Dokumente und Einstellungen\Kraus\Desktop\Error Cleaner.url
C:\Dokumente und Einstellungen\Kraus\Desktop\Privacy Protector.url
C:\Dokumente und Einstellungen\Kraus\Desktop\Spyware&Malware Protection.url
C:\Dokumente und Einstellungen\%Username%\Lokale Einstellungen\Temp\ErrorSafeScannerSetup.exe
C:\Dokumente und Einstellungen\%Username%\Lokale Einstellungen\Temp\tmp35.tmp.bat
C:\Dokumente und Einstellungen\%Username%\Lokale Einstellungen\Temp\vo24B.tmp
C:\Dokumente und Einstellungen\%Username%\Lokale Einstellungen\Temp\tjn4A.tmp
C:\Dokumente und Einstellungen\%Username%\Lokale Einstellungen\Temp\~e5.0001
C:\Dokumente und Einstellungen\%Username%\Lokale Einstellungen\Temp\A~NSISu_.exe
C:\Dokumente und Einstellungen\Kraus\Desktop\WinAntiVirusPro2006FreeInstall_de.exe

Folders to delete:
C:\Programme\Video ActiveX Object
C:\Programme\ErrorSafe Free
C:\Program Files\MalwareAlarm
C:\Dokumente und Einstellungen\Kraus\Desktop\zu löschen\DriveCleaner 2006 Free

Click the green traffic light
the script will now run, then the PC will restart automatically

««
work through smitfraud.fix (options 1 and 2 - let it clean the registry as well)
http://virus-protect.org/artikel/tools/smitfrautfix.html

------------------------------------------------

+
post the new HijackThis log
__________
Regards, Sabina

all about PC security
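As an added example (not code from this post, and not part of HijackThis or Avenger), the following Python triage takes HijackThis-style log lines and flags the same entry classes the post above tells the poster to fix: entries marked "(file missing)", entries that reference the rogue security products named in this thread, autostarts under Policies\Explorer\Run, executables dropped directly into the Windows directory, and SSODL / SharedTaskScheduler load points outside a short known-good list. The rogue-name list, the known-good list (WPDShServiceObj) and the sample log lines are assumptions constructed from the entries quoted in the thread, not a maintained signature set.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; not code from the post, HijackThis or Avenger.
Rogue-product names, the known-good SSODL list and SAMPLE_LOG are assumptions
constructed from entries quoted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines quoted in the thread plus benign entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1a1ddc19-5893-43ab-a73f-f41a0f34d115} - C:\Programme\Video ActiveX Object\isaddon.dll (file missing)
O3 - Toolbar: Protection Bar - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - C:\Programme\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NI.UWA6PU_0001_N91M2107] "C:\Dokumente und Einstellungen\Kraus\Desktop\WinAntiVirusPro2006FreeInstall_de.exe" -nag
O4 - HKLM\..\Run: [UERScw] C:\Programme\ErrorSafe Free\UERScw.exe -c
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKLM\..\Policies\Explorer\Run: [isamonitor.exe] C:\Programme\Video ActiveX Object\isamonitor.exe
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: iesupport - {E39D1814-691D-4C1D-94BE-9A41B18E5C85} - C:\WINDOWS\iesupport.dll
O22 - SharedTaskScheduler: haematobia - {3c767c6b-602d-4b9b-829d-a3dc5b2d89dd} - C:\WINDOWS\system32\hjpprpu.dll (file missing)
"""

# Product names the thread identifies as rogue "security" software (assumption).
ROGUE_NAMES = ("Video ActiveX Object", "ErrorSafe", "WinAntiVirusPro",
               "DriveCleaner", "MalwareAlarm", "Protection Bar")
# SSODL entry that is part of Windows (Portable Devices shell object).
KNOWN_GOOD_SSODL = {"WPDShServiceObj"}

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d{1,2}) - (?P<rest>.*)$")
# O2/O3/O21/O22: "<kind>: <name> - {CLSID} - <path>"
CLSID_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4: "<registry location>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<location>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
# An .exe/.dll sitting directly in the Windows directory root, not in a subfolder.
WINDOWS_ROOT_RE = re.compile(r'^"?[a-z]:\\windows\\[^\\]+\.(exe|dll)\b', re.IGNORECASE)


@dataclass
class Finding:
    entry_type: str
    name: str
    path: str
    reasons: list


def parse_entry(line):
    """Return {type, location, name, path} for a load-point line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry_type, rest = m.group("type"), m.group("rest")
    if entry_type == "O4":
        m4 = O4_RE.match(rest)
        if not m4:
            return None
        return {"type": entry_type, "location": m4.group("location"),
                "name": m4.group("name"), "path": m4.group("path")}
    mc = CLSID_RE.match(rest)
    if not mc:
        return None
    return {"type": entry_type, "location": mc.group("kind"),
            "name": mc.group("name"), "path": mc.group("path")}


def assess(entry):
    """Return the list of reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    path = entry["path"]
    if path.endswith("(file missing)"):
        reasons.append("orphaned load point: referenced file no longer exists")
    haystack = f"{entry['name']} {path}".lower()
    for rogue in ROGUE_NAMES:
        if rogue.lower() in haystack:
            reasons.append(f"references rogue security product '{rogue}'")
            break
    if entry["type"] == "O4" and "Policies\\Explorer\\Run" in entry["location"]:
        reasons.append("policy-enforced autostart (Policies\\Explorer\\Run)")
    if WINDOWS_ROOT_RE.match(path):
        reasons.append("executable placed directly in the Windows directory")
    if entry["type"] in ("O21", "O22") and entry["name"] not in KNOWN_GOOD_SSODL:
        reasons.append(f"{entry['location']} load point is rarely used by legitimate software")
    return reasons


def triage(log_text):
    """Parse every line of a HijackThis log and collect the flagged entries in order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry["type"], entry["name"], entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry_type} [{f.name}] {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

The benign Adobe, Nero and WPDShServiceObj lines in the sample produce no finding, while every entry the post lists for "Fix checked" comes out with at least one reason; a single reason is a prompt to look, not a verdict, which is why the orphaned-file and rogue-name checks are kept separate.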
11.04.2007, 18:46
...new here

Posts: 4
#92 here are the logfiles!! thanks

logfiles from datfind

Verzeichnis von C:\WINDOWS\system32

11.04.2007 16:16 20.128 MGHwTemp.sys
06.04.2007 19:26 98.304 CmdLineExt.dll
06.04.2007 03:17 284.520 FNTCACHE.DAT
05.04.2007 21:51 1.158 wpa.dbl
02.04.2007 07:58 546.304 hhctrl.ocx
27.03.2007 20:46 381.304 perfh009.dat
27.03.2007 20:46 53.718 perfc009.dat
27.03.2007 20:46 392.194 perfh007.dat
27.03.2007 20:46 64.596 perfc007.dat
27.03.2007 20:46 900.546 PerfStringBackup.INI
18.03.2007 22:03 9.857 jupdate-1.5.0_11-b03.log
08.03.2007 17:36 579.072 user32.old
08.03.2007 17:36 40.960 mf3216.dll
08.03.2007 17:36 579.072 user32.dll
08.03.2007 17:36 281.600 gdi32.dll
08.03.2007 17:32 1.843.712 win32k.sys
07.03.2007 22:36 12.619.736 MRT.exe
01.03.2007 01:05 86.016 ElbyCDIO.dll
18.02.2007 18:24 122.142 TZLog.log
29.01.2007 10:58 60.416 tzchange.exe
27.01.2007 17:39 9.132 jupdate-1.5.0_10-b03.log
25.01.2007 14:52 617.472 urlmon.dll
04.01.2007 15:41 664.576 wininet.dll
04.01.2007 15:41 474.624 shlwapi.dll
04.01.2007 15:41 1.494.528 shdocvw.dll
04.01.2007 15:41 39.424 pngfilt.dll
04.01.2007 15:41 532.480 mstime.dll
04.01.2007 15:40 146.432 msrating.dll
04.01.2007 15:40 448.512 mshtmled.dll
04.01.2007 15:40 3.077.632 mshtml.dll
04.01.2007 15:40 96.768 inseng.dll
04.01.2007 15:40 16.384 jsproxy.dll
04.01.2007 15:40 251.392 iepeers.dll
04.01.2007 15:40 205.312 dxtrans.dll
04.01.2007 15:40 357.888 dxtmsft.dll
04.01.2007 15:40 1.056.256 danim.dll
04.01.2007 15:40 55.808 extmgr.dll
04.01.2007 15:40 152.064 cdfview.dll
04.01.2007 15:40 1.023.488 browseui.dll
04.01.2007 13:52 123.392 xpsp3res.dll


Verzeichnis von C:\DOKUME~1\GERHAR~1\LOKALE~1\Temp

11.04.2007 16:17 16.384 Perflib_Perfdata_154.dat
11.04.2007 16:17 16.384 Perflib_Perfdata_120.dat
11.04.2007 16:17 245.760 ~DF734E.tmp
3 Datei(en) 278.528 Bytes
0 Verzeichnis(se), 61.728.514.048 Bytes frei


Verzeichnis von C:\WINDOWS

11.04.2007 16:23 1.924.823 WindowsUpdate.log
11.04.2007 16:17 0 0.log
11.04.2007 16:16 159 wiadebug.log
11.04.2007 16:16 50 wiaservc.log
11.04.2007 16:15 2.048 bootstat.dat
11.04.2007 16:15 32.626 SchedLgU.Txt
09.04.2007 21:40 518 ODBC.INI
09.04.2007 11:45 54.263 WgaNotify.log
09.04.2007 11:33 1.134 avmcoins.log
09.04.2007 11:33 995.608 setupapi.log
08.04.2007 11:13 116 NeroDigital.ini
06.04.2007 19:26 537 DirectX.log
06.04.2007 17:57 6.419 KB935448.log
06.04.2007 17:57 104.767 iis6.log
06.04.2007 17:57 227.387 comsetup.log
06.04.2007 17:57 1.355 imsins.log
06.04.2007 17:57 36.111 ocmsn.log
06.04.2007 17:57 136.142 ntdtcsetup.log
06.04.2007 17:57 253.081 tsoc.log
06.04.2007 17:57 315.033 ocgen.log
06.04.2007 17:57 32.698 msgsocm.log
06.04.2007 17:57 648.406 FaxSetup.log
06.04.2007 17:57 39.479 updspapi.log
06.04.2007 03:00 1.355 imsins.BAK
06.04.2007 03:00 12.342 KB925902.log
03.04.2007 16:02 211.168 setupact.log
24.03.2007 14:52 81.395 wmsetup.log
18.03.2007 13:02 8.518 KB929399.log
18.03.2007 13:02 12.085 KB929338.log
18.02.2007 18:25 18.510 KB927779.log
18.02.2007 18:24 15.511 KB927802.log
18.02.2007 18:24 15.191 KB928255.log
18.02.2007 18:24 7.189 KB923723.log
18.02.2007 18:24 11.708 KB924667.log
18.02.2007 18:24 24.140 KB931836.log
18.02.2007 18:24 13.646 KB926436.log
18.02.2007 18:24 13.860 KB918118.log
18.02.2007 18:24 18.160 KB928090.log
18.02.2007 18:23 10.607 KB928843.log
09.02.2007 21:09 414 CLP.INI
27.01.2007 18:47 236 VWdata.INI
27.01.2007 10:17 1.009 win.ini
13.01.2007 12:10 10.525 KB929969.log
03.01.2007 00:56 111.826 _detmp.1
03.01.2007 00:38 357.464 _detmp.3
03.01.2007 00:18 24 AM_D7.PRF


Verzeichnis von C:\WINDOWS\Temp


Verzeichnis von C:\WINDOWS\Downloaded Program Files

13.10.2005 12:00 65 desktop.ini
26.05.2005 04:19 291 wuweb.inf
2 Datei(en) 356 Bytes
0 Verzeichnis(se), 61.728.428.032 Bytes frei


11.04.2007 17:31 0 sys.txt
11.04.2007 17:31 343 down.txt
11.04.2007 17:28 117 tmp.txt
11.04.2007 17:28 11.320 system.txt
11.04.2007 17:28 419 systemtemp.txt
11.04.2007 17:27 100.512 system32.txt
11.04.2007 16:15 1.073.139.712 hiberfil.sys
11.04.2007 16:15 1.610.612.736 pagefile.sys
06.04.2007 19:07 216 DebugTrace-RockallDLL.log
03.01.2007 15:29 54 dxerror.ini



Combofix:

".." - 07-04-11 18:42:05 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Dokumente und Einstellungen\..\Desktop\Neuer Ordner"


((((((((((((((((((((((((((((((( Files Created from 2007-03-11 to 2007-04-11 ))))))))))))))))))))))))))))))))))


2007-04-11 11:11 <DIR> d-------- C:\Programme\ClearProg
2007-04-09 11:27 <DIR> d-------- C:\DOKUME~1\GERHAR~1\ANWEND~1\DriveCleaner 2006 Free
2007-04-09 11:17 <DIR> d-------- C:\Programme\Gemeinsame Dateien\DriveCleaner 2006 Free
2007-04-09 11:17 <DIR> d-------- C:\Programme\DriveCleaner 2006 Free
2007-04-08 19:12 <DIR> d-------- C:\Programme\WinLemm
2007-04-06 19:26 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-04-06 19:21 <DIR> d-------- C:\Programme\2K Games
2007-04-06 01:01 <DIR> d-------- C:\DOKUME~1\GERHAR~1\ANWEND~1\vlc
2007-03-13 16:37 <DIR> d-------- C:\DOKUME~1\GERHAR~1\ANWEND~1\SlySoft
2007-03-13 16:37 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Elaborate Bytes
2007-03-13 16:34 <DIR> d-------- C:\WINDOWS\pss
2007-03-13 16:32 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\SlySoft
2007-03-13 16:27 <DIR> d-------- C:\Programme\SlySoft
2007-03-13 16:17 <DIR> d-------- C:\Programme\DVD Shrink DE


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-11 17:22 177180 --a------ C:\DOKUME~1\GERHAR~1\ANWEND~1\cleanup!.log
2007-04-11 16:16 20128 --a------ C:\WINDOWS\system32\mghwtemp.sys
2007-04-06 19:21 -------- d--h----- C:\Programme\installshield installation information
2007-04-03 15:21 5976 --a------ C:\DOKUME~1\GERHAR~1\ANWEND~1\wklnhst.dat
2007-03-27 20:46 64596 --a------ C:\WINDOWS\system32\perfc007.dat
2007-03-27 20:46 392194 --a------ C:\WINDOWS\system32\perfh007.dat
2007-03-18 22:03 -------- d-------- C:\Programme\java
2007-03-08 17:36 579072 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:32 1843712 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-05 17:24 77000 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-03-01 01:05 86016 --a------ C:\WINDOWS\system32\elbycdio.dll
2007-02-28 22:56 15440 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2007-02-16 02:56 11984 --a------ C:\WINDOWS\system32\drivers\RegKill.sys
2007-02-11 17:42 78408 --a------ C:\DOKUME~1\GERHAR~1\ANWEND~1\gdipfontcachev1.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Programme\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Programme\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"WMPNSCFG"="C:\\Programme\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Programme\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"AGRSMMSG"="AGRSMMSG.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"RTHDCPL"="RTHDCPL.EXE"
"KTPWare"="C:\\Programme\\Elantech\\ktp3.exe"
"MGSysCtrl"="C:\\Programme\\System Control Manager\\MGSysCtrl.exe"
"AV Wizard"="C:\\Programme\\MSI\\AV Wizard\\AVExe.exe"
"AntivirusRegistration"="C:\\Programme\\CA\\Etrust Antivirus\\Register.exe"
"Realtime Monitor"="C:\\PROGRA~1\\CA\\ETRUST~1\\realmon.exe -s"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"PCMService"="\"C:\\Programme\\CyberLink\\PowerCinema\\PCMService.exe\""
"AOLDialer"="C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLDial.exe"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"InstantOn"="\"C:\\Programme\\CyberLink\\PowerCinema Linux\\ion_install.exe\" /c"
"OEM-Reset"=""
"SunJavaUpdateSched"="\"C:\\Programme\\Java\\jre1.5.0_11\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{630ad112-3bdf-11da-b17a-806d6172696f}]
Shell\AutoRun\command D:\Autorun.exe


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-11 18:43:04
C:\ComboFix-quarantined-files.txt ... 07-04-11 18:43
11.04.2007, 19:09
Honorary member
Sabina

Posts: 29434
#93 Sott

Avenger
http://virus-protect.org/artikel/tools/avenger.html
Input script manually (tick the box)
copy into: View/edit script

Quote

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC6U_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UDC6_is1
HKEY_LOCAL_MACHINE\SOFTWARE\DriveCleaner 2006 Free

Folders to delete:
C:\Dokumente und Einstellungen\%UserName%\Anwendungsdaten\DriveCleaner 2006 Free
C:\Programme\Gemeinsame Dateien\DriveCleaner 2006 Free
C:\Programme\DriveCleaner 2006 Free
Click the green traffic light
the script will now run, then the PC will restart automatically

««
scan, let it delete everything that is shown + post the scan report
http://virus-protect.org/counterspy1.html
__________
Regards, Sabina

all about PC security
11.04.2007, 19:37
...new here

Posts: 6
#94 Hello Sabine!
thanks!
here are the entries from "datfindbat":

System32:
11.04.2007 18:33 63.350 perfc009.dat
11.04.2007 18:33 402.740 perfh009.dat
11.04.2007 18:33 76.264 perfc007.dat
11.04.2007 18:33 417.556 perfh007.dat
11.04.2007 18:33 970.772 PerfStringBackup.INI
11.04.2007 18:30 1.158 wpa.dbl
11.04.2007 18:28 55.080 vsconfig.xml
06.04.2007 13:24 4.212 zllictbl.dat
05.04.2007 14:54 265.416 FNTCACHE.DAT
09.03.2007 00:02 54.936 vsutil_loc0407.dll
09.03.2007 00:02 18.072 imslsp_install_loc0407.dll
09.03.2007 00:02 22.168 imsinstall_loc0407.dll
09.03.2007 00:02 394.192 vsdatant.sys
09.03.2007 00:01 1.087.216 zpeng24.dll
09.03.2007 00:01 71.408 zlcommdb.dll
09.03.2007 00:01 83.696 zlcomm.dll
09.03.2007 00:01 46.832 vswmi.dll
09.03.2007 00:01 100.080 vsxml.dll
09.03.2007 00:01 472.816 vsutil.dll
09.03.2007 00:01 71.408 vsregexp.dll
09.03.2007 00:01 276.208 vspubapi.dll
09.03.2007 00:01 104.176 vsmonapi.dll
09.03.2007 00:01 83.696 vsdata.dll
09.03.2007 00:01 157.424 vsinit.dll
08.03.2007 17:36 579.072 user32.dll
08.03.2007 17:36 40.960 mf3216.dll
08.03.2007 17:36 281.600 gdi32.dll
08.03.2007 17:32 1.843.712 win32k.sys
07.03.2007 22:36 12.619.736 MRT.exe
16.02.2007 23:43 122.142 TZLog.log
15.02.2007 19:01 337.280 WgaTray.exe
15.02.2007 19:01 1.476.992 LegitCheckControl.dll
15.02.2007 19:00 236.928 WgaLogon.dll
04.02.2007 12:16 185.952 rmoc3260.dll
04.02.2007 12:16 5.632 pndx5032.dll
04.02.2007 12:16 6.656 pndx5016.dll
04.02.2007 12:16 278.528 pncrt.dll
29.01.2007 10:58 60.416 tzchange.exe
25.01.2007 18:04 16.832 amcompat.tlb
25.01.2007 18:04 23.392 nscompat.tlb
23.01.2007 21:30 546.304 hhctrl.ocx
23.01.2007 12:23 9.132 jupdate-1.5.0_10-b03.log
19.01.2007 13:53 51.056 sirenacm.dll
12.01.2007 10:27 1.149.952 urlmon.dll
12.01.2007 10:27 6.054.400 ieframe.dll
12.01.2007 10:27 27.136 jsproxy.dll
12.01.2007 10:27 232.960 webcheck.dll
12.01.2007 10:27 477.696 mshtmled.dll
12.01.2007 10:27 670.720 mstime.dll
12.01.2007 10:27 3.580.416 mshtml.dll
12.01.2007 10:27 51.712 msfeedsbs.dll
12.01.2007 10:27 458.752 msfeeds.dll
12.01.2007 10:27 132.608 extmgr.dll
12.01.2007 10:27 822.784 wininet.dll
10.01.2007 18:42 1.040.384 ieframe.dll.mui
08.01.2007 20:04 105.984 url.dll
08.01.2007 20:04 102.400 occache.dll
08.01.2007 20:03 193.024 msrating.dll
08.01.2007 20:02 1.823.744 inetcpl.cpl
08.01.2007 20:02 266.752 iertutil.dll
08.01.2007 20:02 44.544 iernonce.dll
08.01.2007 20:02 161.792 ieakui.dll
08.01.2007 20:02 383.488 ieapfltr.dll
08.01.2007 20:02 153.088 ieakeng.dll
08.01.2007 20:02 230.400 ieaksie.dll
08.01.2007 20:02 384.000 iedkcs32.dll
08.01.2007 20:01 17.408 corpol.dll
08.01.2007 20:00 124.928 advpack.dll
08.01.2007 19:08 56.832 ie4uinit.exe
08.01.2007 19:08 13.824 ieudinit.exe

systemtemp:
11.04.2007 18:35 344 jusched.log
11.04.2007 18:31 16.384 Perflib_Perfdata_e2c.dat
11.04.2007 18:31 16.384 Perflib_Perfdata_330.dat
11.04.2007 18:31 16.384 Perflib_Perfdata_ec.dat
11.04.2007 11:28 2.048.000 AcrE4B.tmp
11.04.2007 10:50 0 8nm25.tmp

windows:
11.04.2007 18:34 1.587.481 WindowsUpdate.log
11.04.2007 18:28 0 0.log
11.04.2007 18:28 4.126 ModemLog_Motorola SM56 Data Fax Modem.txt
11.04.2007 18:27 159 wiadebug.log
11.04.2007 18:27 50 wiaservc.log
11.04.2007 18:27 2.048 bootstat.dat
11.04.2007 11:28 32.630 SchedLgU.Txt
10.04.2007 16:50 603 win.ini
09.04.2007 21:22 116 NeroDigital.ini
04.04.2007 20:59 302.615 comsetup.log
04.04.2007 20:59 182.663 ntdtcsetup.log
04.04.2007 20:59 139.961 iis6.log
04.04.2007 20:59 48.966 ocmsn.log
04.04.2007 20:59 1.355 imsins.log
04.04.2007 20:59 14.327 KB925902.log
04.04.2007 20:59 345.002 tsoc.log
04.04.2007 20:59 434.392 ocgen.log
04.04.2007 20:59 44.267 msgsocm.log
04.04.2007 20:59 900.643 FaxSetup.log
04.04.2007 20:59 992.559 setupapi.log
04.04.2007 20:59 71.938 updspapi.log
02.04.2007 23:21 150 cdplayer.ini
14.03.2007 01:56 12.189 KB929399.log
14.03.2007 01:56 1.374 imsins.BAK
14.03.2007 01:54 20.184 KB929338.log
09.03.2007 00:02 42.648 zllsputility_loc0407.dll
09.03.2007 00:02 75.512 zllsputility.exe
07.03.2007 00:03 71.695 wmsetup.log
28.02.2007 20:07 56.273 spupdsvc.log
28.02.2007 12:14 19.900 WgaNotify.log
16.02.2007 23:43 20.250 KB927779.log
16.02.2007 23:43 17.243 KB927802.log
16.02.2007 23:43 16.969 KB928255.log
16.02.2007 23:43 7.323 KB923723.log
16.02.2007 23:43 13.426 KB924667.log
16.02.2007 23:43 25.865 KB931836.log
16.02.2007 23:43 15.367 KB926436.log
16.02.2007 23:43 10.116 KB928090-IE7.log
16.02.2007 23:42 13.239 KB918118.log
16.02.2007 23:42 13.701 KB928843.log
10.02.2007 10:40 9.316 DPINST.LOG
04.02.2007 17:54 362 psnetwork.ini
04.02.2007 17:41 20 powerplayer.ini
04.02.2007 12:18 3.195 mozver.dat
25.01.2007 17:48 838 wmsetup10.log
25.01.2007 17:47 8.406 KB926239.log
25.01.2007 17:47 5.905 MSCompPackV1.log
25.01.2007 17:47 20.764 wmp11.log
25.01.2007 17:46 30.517 WMFDist11.log
25.01.2007 17:45 316.640 WMSysPr9.prx
25.01.2007 17:44 14.697 Wudf01000Inst.log
18.01.2007 16:12 177.015 DirectX.log
12.01.2007 00:15 219.639 setupact.log
10.01.2007 11:57 4.190 KB929969.log

temp
11.04.2007 18:30 409 WGANotify.settings
11.04.2007 18:30 255 WGAErrLog.txt
11.04.2007 18:27 256 ZLT00aa1.TMP
11.04.2007 18:27 256 ZLT00a9e.TMP
11.04.2007 09:42 0 T30DebugLogFile.txt
11.04.2007 09:41 256 ZLT077f4.TMP
11.04.2007 09:41 256 ZLT077eb.TMP

down
20.06.2006 21:46 1.939.064 IPSUploader.ocx
20.06.2006 21:46 322 IPSUploader.inf
20.02.2006 04:51 65 desktop.ini
18.11.2005 11:10 218.816 ExentCtl.ocx
14.02.2003 01:34 114.848 IDropENU.dll
14.02.2003 01:32 283.296 IDrop.ocx
20.01.2000 15:25 1.162 Microsoft XML Parser for Java.osd

c:
11.04.2007 19:30 0 sys.txt
11.04.2007 19:30 617 down.txt
11.04.2007 19:30 588 tmp.txt
11.04.2007 19:29 13.707 system.txt
11.04.2007 19:29 572 systemtemp.txt
11.04.2007 19:28 102.531 system32.txt
11.04.2007 18:27 1.071.828.992 hiberfil.sys
11.04.2007 18:27 1.610.612.736 pagefile.sys
11.04.2007 00:34 5.637 ComboFix.txt
11.04.2007 00:34 149 ComboFix-quarantined-files.txt
11.04.2007 00:30 5.600 ComboFix2.txt
10.04.2007 17:07 157 error.txt
13.02.2007 20:48 2.073.839.616 JAWS.ISO
09.02.2007 17:18 268 sqmdata18.sqm
09.02.2007 17:18 244 sqmnoopt18.sqm
06.02.2007 22:35 268 sqmdata17.sqm
06.02.2007 22:35 244 sqmnoopt17.sqm
25.01.2007 01:41 268 sqmdata16.sqm
25.01.2007 01:41 244 sqmnoopt16.sqm
20.01.2007 14:03 268 sqmdata15.sqm
20.01.2007 14:03 244 sqmnoopt15.sqm
08.01.2007 18:31 232 sqmdata14.sqm
08.01.2007 18:31 244 sqmnoopt14.sqm
08.01.2007 18:31 268 sqmdata13.sqm
08.01.2007 18:31 244 sqmnoopt13.sqm
04.01.2007 12:34 268 sqmdata12.sqm
04.01.2007 12:34 244 sqmnoopt12.sqm
01.01.2007 17:32 268 sqmdata11.sqm
01.01.2007 17:32 244 sqmnoopt11.sqm
11.04.2007, 19:40
Honorary member
Sabina

Posts: 29434
#95 Stephan999

I can't find your first post in this endless thread anymore.
post again
1. the HijackThis log
2. the ComboFix log
__________
Regards, Sabina

all about PC security
11.04.2007, 19:43
...new here

Posts: 6
#96 no problem:

here is my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 23:58:33, on 10.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\sm56hlpr.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\sipgate X-Lite\sipgateXLite.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\Rainlendar\Rainlendar.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Programme\RWTH Aachen\Cisco VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\MSN Messenger\usnsvc.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Programme\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Dokumente und Einstellungen\_Stephan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [ppmate] C:\Programme\PPMate\PPMate\ppmate.exe -autoplay
O4 - HKLM\..\Run: [OfcpfwSvcs.exe] C:\WINDOWS\system32\OfcpfwSvcs.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [XSC SIP Client] "C:\Programme\sipgate X-Lite\sipgateXLite.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Rainlendar.lnk = C:\Programme\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RWTH Aachen Cisco VPN Client.lnk = C:\Programme\RWTH Aachen\Cisco VPN Client\vpngui.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Programme\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\RWTH Aachen\Cisco VPN Client\cvpnd.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - The Firebird Project - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



...and here is the scan report from ComboFix:

"_Stephan" - 07-04-11 0:33:27 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Dokumente und Einstellungen\_Stephan\Desktop"


((((((((((((((((((((((((((((((( Files Created from 2007-03-11 to 2007-04-11 ))))))))))))))))))))))))))))))))))


2007-04-06 12:55 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-04-06 12:55 42,648 --a------ C:\WINDOWS\zllsputility_loc0407.dll
2007-04-06 12:55 22,168 --a------ C:\WINDOWS\system32\imsinstall_loc0407.dll
2007-04-06 12:55 18,072 --a------ C:\WINDOWS\system32\imslsp_install_loc0407.dll
2007-04-06 12:55 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-04-06 12:55 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-10 20:24 -------- d-------- C:\DOKUME~1\_Stephan\ANWEND~1\skype
2007-04-10 15:33 76264 --a------ C:\WINDOWS\system32\perfc007.dat
2007-04-10 15:33 417556 --a------ C:\WINDOWS\system32\perfh007.dat
2007-04-06 22:20 -------- d-------- C:\Programme\emule.de 0.46c v17
2007-04-06 13:24 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-03-09 00:02 54936 --a------ C:\WINDOWS\system32\vsutil_loc0407.dll
2007-03-08 17:36 579072 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 17:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:32 1843712 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 20:11 -------- d-------- C:\Programme\icqlite
2007-02-04 12:18 3195 --a------ C:\WINDOWS\mozver.dat
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="C:\\Programme\\Yahoo!\\Messenger\\ypager.exe -quiet"
"XSC SIP Client"="\"C:\\Programme\\sipgate X-Lite\\sipgateXLite.exe\""
"DAEMON Tools"="\"C:\\Programme\\DAEMON Tools\\daemon.exe\" -lang 1033"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Verknüpfung mit der High Definition Audio-Eigenschaftenseite"="HDAShCut.exe"
"ATICCC"="\"C:\\Programme\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"SynTPEnh"="C:\\Programme\\Synaptics\\SynTP\\SynTPEnh.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"SMSERIAL"="sm56hlpr.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="C:\\Programme\\CyberLink\\PowerDVD\\PDVDServ.exe"
"SunJavaUpdateSched"="\"C:\\Programme\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"Easy-PrintToolBox"="C:\\Programme\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"WinampAgent"="C:\\Programme\\Winamp\\winampa.exe"
"ppmate"="C:\\Programme\\PPMate\\PPMate\\ppmate.exe -autoplay"
"OfcpfwSvcs.exe"="C:\\WINDOWS\\system32\\OfcpfwSvcs.exe"
"avgnt"="\"C:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"ZoneAlarm Client"="\"C:\\Programme\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1f57b391-0cd6-11db-97a0-00030d4160e7}]
Shell\1\Command F:\.\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command F:\.\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-11 0:34:30
C:\ComboFix-quarantined-files.txt ... 07-04-11 00:34
C:\ComboFix2.txt ... 07-04-11 00:30
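The ComboFix report above ends with two persistence points that a HijackThis log does not show at all: the LSA package lists under `control\lsa` / `securityproviders`, and a `MountPoints2` key whose shell verbs launch `autorun.exe` out of a `RECYCLER` directory on drive F: (the autorun.inf worm pattern). The following Python script is an added example, not code from this thread or from ComboFix; it reads a ComboFix-style excerpt and flags both. The XP SP2 baseline lists are an assumption of the example, and `TAMPERED_EXCERPT` with its `hypothetical_pwdfilter` entry is constructed so the baseline comparison has something to report.

```python
import re

# Windows XP SP2 defaults as this example assumes them (not taken from the
# thread); confirm them against a known-clean machine at the same
# service-pack level before treating a difference as an infection.
LSA_BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
    "Notification Packages": {"scecli"},
}
SECURITY_PROVIDERS_BASELINE = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# Excerpt copied from the ComboFix report in the post above.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1f57b391-0cd6-11db-97a0-00030d4160e7}]
Shell\1\Command F:\.\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command F:\.\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe
"""

# Constructed excerpt (not from the thread) with a hypothetical extra LSA
# notification package, so the baseline comparison has something to report.
TAMPERED_EXCERPT = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0hypothetical_pwdfilter\0\0
"""

MOUNTPOINT_KEY_RE = re.compile(
    r"^\[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\(\{[^}]+\})\]$", re.I)
SHELL_CMD_RE = re.compile(r"^Shell\\([^\\]+)\\Command\s+(.+)$", re.I)
# A verb that runs something relative to the volume (".\...") or out of a
# RECYCLER directory is the autorun.inf worm pattern, not a legitimate verb.
ON_VOLUME_RE = re.compile(r"(^|\s|:\\)\.\\|\\RECYCLER\\", re.I)


def parse_multi_sz(value):
    """ComboFix prints REG_MULTI_SZ values as items joined by a literal \\0."""
    return {item for item in value.split("\\0") if item}


def check_lsa(text):
    """Return (value name, sorted extra entries) for every LSA list that exceeds the baseline."""
    findings = []
    for name, expected in LSA_BASELINE.items():
        m = re.search(r"^%s\s+REG_MULTI_SZ\s+(\S+)" % re.escape(name), text, re.M)
        if m:
            extra = parse_multi_sz(m.group(1)) - expected
            if extra:
                findings.append((name, sorted(extra)))
    m = re.search(r'"SecurityProviders"="([^"]*)"', text)
    if m:
        extra = {p.strip().lower() for p in m.group(1).split(",")} - SECURITY_PROVIDERS_BASELINE
        if extra:
            findings.append(("SecurityProviders", sorted(extra)))
    return findings


def check_mountpoints(text):
    """Return (volume GUID, verb, command) for MountPoints2 verbs that execute from the volume."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = MOUNTPOINT_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if line.startswith("["):          # any other registry key ends the section
            key = None
            continue
        m = SHELL_CMD_RE.match(line)
        if key and m and ON_VOLUME_RE.search(m.group(2)):
            findings.append((key, m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for label, text in (("page log", COMBOFIX_EXCERPT), ("constructed log", TAMPERED_EXCERPT)):
        print(label)
        for name, extra in check_lsa(text):
            print("  LSA %s has extra entries: %s" % (name, ", ".join(extra)))
        for guid, verb, cmd in check_mountpoints(text):
            print("  MountPoints2 %s verb %s runs from the volume: %s" % (guid, verb, cmd))
```

On the page's own excerpt the LSA lists match the assumed SP2 defaults and only the three MountPoints2 verbs are reported; on the constructed excerpt the extra notification package is reported. A difference from the baseline is a reason to look at the named DLL, not proof of infection, and a flagged MountPoints2 entry means the removable volume itself (here F:) still needs to be checked for the `autorun.inf` and the `RECYCLER\RECYCLER` directory, which the CounterSpy report later in the thread does find on F:.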
11.04.2007, 21:01
Honorary member

Posts: 29434
#97 TommyK

I can't find anything...
scan with ewido and post the report
http://virus-protect.org/onlinescan.html
__________
Best regards, Sabina

all about PC security
12.04.2007, 08:35
Member

Posts: 13
#98 hi

I didn't find everything; the following weren't there in the scan:

O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll (file missing)

O4 - HKLM\..\Run: [UERScw] C:\Programme\ErrorSafe Free\UERScw.exe -c

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - HKCU\..\Run: [Error Safe Free] C:\Programme\ErrorSafe Free\uers.exe /scan

O4 - HKLM\..\Policies\Explorer\Run: [pmsngr.exe] C:\Programme\Video ActiveX Object\pmsngr.exe



I've now deleted xpupdate.exe manually (suddenly it worked)

In C:\QooBox\Quarantine I found
folders containing files with .vir (should I delete them?)





I've now simply gone ahead and run the Avenger ----> the System Alert message is gone!!!!!!

Should I still continue anyway?????
This post was edited on 12.04.2007 at 09:44 by TommyK.
12.04.2007, 10:05
...new here

Posts: 4
#99 Hi.
It took a while, but here is the scan report from CounterSpy

Scan History Details
Start Date: 12.04.2007 09:23:39
End Date: 12.04.2007 10:00:00
Total Time: 36 Min 21 Sec
Detected security risks

Cookie: ATDMT.com Cookie (General)
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\dokumente und einstellungen\gerhard flad\cookies\gerhard flad@atdmt[2].txt


Cookie: CGI-Bin Cookie (General)
Status: Deleted

Cookies detected
c:\dokumente und einstellungen\gerhard flad\cookies\gerhard flad@cgi-bin[2].txt


Cookie: Com.com Cookie (General)
Status: Deleted

Cookies detected
c:\dokumente und einstellungen\gerhard flad\cookies\gerhard flad@com[1].txt


Cookie: DoubleClick Cookie (General)
Status: Deleted

Cookies detected
c:\dokumente und einstellungen\gerhard flad\cookies\gerhard flad@doubleclick[1].txt


Cookie: FastClick.com Cookie (General)
Status: Deleted

Cookies detected
c:\dokumente und einstellungen\gerhard flad\cookies\gerhard flad@fastclick[2].txt


Cookie: Advertising.com Cookie (General)
Status: Deleted

Cookies detected
c:\dokumente und einstellungen\gerhard flad\cookies\gerhard flad@advertising[2].txt


Cookie: Zedo Cookie (General)
Status: Deleted

Cookies detected
c:\dokumente und einstellungen\gerhard flad\cookies\gerhard flad@zedo[2].txt


Cookie: Radar Spy Cookie (General)
Status: Deleted

Cookies detected
c:\dokumente und einstellungen\gerhard flad\cookies\gerhard flad@tradedoubler[1].txt


Cookie: ad.yieldmanager Cookie (General)
Status: Deleted

Cookies detected
c:\dokumente und einstellungen\gerhard flad\cookies\gerhard flad@ad.yieldmanager[1].txt


Backdoor.Rbot.steam Backdoor
Details: Rbot is the name of a family of backdoor trojans, also known as worms, used by hackers to control a machine without the owner's knowledge.
Status: Quarantined

Files detected
F:\System Volume Information\_restore{03077374-A5AF-4C93-8A14-F7819B2EEF18}\RP1\A0000095.exe


DriveCleaner Rogue Security Program
Details: DriveCleaner is a system cleaning program from Winsoftware that gives exaggerated reports of threats to frighten the user into purchasing the software.
Status: Quarantined

Files detected
C:\DOKUMENTE UND EINSTELLUNGEN\ALL USERS\STARTMENü\PROGRAMME\DRIVECLEANER 2006 FREE\DriveCleaner 2006 deinstallieren.lnk
C:\DOKUMENTE UND EINSTELLUNGEN\ALL USERS\STARTMENü\PROGRAMME\DRIVECLEANER 2006 FREE\DriveCleaner 2006 Online Anleitung.lnk
C:\DOKUMENTE UND EINSTELLUNGEN\ALL USERS\STARTMENü\PROGRAMME\DRIVECLEANER 2006 FREE\DriveCleaner 2006 Online Hilfe.lnk
C:\DOKUMENTE UND EINSTELLUNGEN\ALL USERS\STARTMENü\PROGRAMME\DRIVECLEANER 2006 FREE\DriveCleaner 2006 Startseite.lnk
C:\DOKUMENTE UND EINSTELLUNGEN\ALL USERS\STARTMENü\PROGRAMME\DRIVECLEANER 2006 FREE\DriveCleaner 2006.lnk
C:\Dokumente und Einstellungen\Gerhard Flad\Desktop\DriveCleaner 2006 Free.lnk
C:\DOKUMENTE UND EINSTELLUNGEN\ALL USERS\STARTMENü\PROGRAMME\DRIVECLEANER 2006 FREE

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\UDCPCHK.UDCPCHK
HKEY_LOCAL_MACHINE\Software\Classes\UDCPCHK.UDCPCHK
HKEY_LOCAL_MACHINE\Software\Classes\UDCPCHK.UDCPCHK.1
HKEY_LOCAL_MACHINE\Software\Classes\UDCPCHK.UDCPCHK.1
HKEY_LOCAL_MACHINE\Software\Classes\UDCPCHK.UDCPCHK.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\UDCPCHK.UDCPCHK.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\UDCPCHK.UDCPCHK\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\UDCPCHK.UDCPCHK\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\UDCPCHK.UDCPCHK\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\UDCPCHK.UDCPCHK\CurVer
HKEY_USERS\S-1-5-21-114340964-2133916176-2477730051-1006\SOFTWARE\DRIVECLEANER 2006 FREE
HKEY_USERS\S-1-5-21-114340964-2133916176-2477730051-1006\SOFTWARE\DRIVECLEANER 2006 FREE
HKEY_USERS\S-1-5-21-114340964-2133916176-2477730051-1006\SOFTWARE\DRIVECLEANER 2006 FREE
HKEY_USERS\S-1-5-21-114340964-2133916176-2477730051-1006\SOFTWARE\DRIVECLEANER 2006 FREE


Joke Program Joke Program
Status: Deleted

Files detected
F:\RECYCLER\S-1-5-21-1390067357-842925246-1801674531-1004\Dp1\Intern\Jascha\Jascha\Lustix\GUN.EXE
F:\RECYCLER\S-1-5-21-1390067357-842925246-1801674531-1004\Dp1\Intern\Jascha\Jascha\Lustix\LANGEWEILE.EXE


Cookie: DriveCleaner Cookie (General)
Status: Deleted

Cookies detected
c:\dokumente und einstellungen\gerhard flad\cookies\gerhard flad@drivecleaner[1].txt
c:\dokumente und einstellungen\gerhard flad\cookies\gerhard flad@drivecleaner[2].txt
12.04.2007, 11:01
Member

Posts: 13
#100

Quote

TommyK posted
Should I still continue anyway?????
--> I just went ahead and continued (can't hurt) ;)

Here are the two SmitFraudFix logs:


1:


SmitFraudFix v2.166

Scan done at 10:42:01,81, 12.04.2007
Run from C:\Dokumente und Einstellungen\Kraus\Desktop\Smitfraudfix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Programme\HHVcdV5Sys\VC5SecS.exe
C:\Programme\HHVcdV7Sys\VC7SecS.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\HHVcdV7Sys\VC7Play.exe
C:\Programme\HHVcdV5Sys\VC5Play.exe
C:\Programme\Browser MOUSE\mouse32a.exe
C:\Programme\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
C:\WINDOWS\system32\sstray.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Java\jre1.5.0_11\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Programme\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\drives\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Kraus


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Kraus\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\Kraus\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce MCP Networking Controller - Paketplaner-Miniport
DNS Server Search Order: 192.168.178.1

Description: IEEE 802.11g Wireless Cardbus/PCI Adapter - Paketplaner-Miniport
DNS Server Search Order: 192.168.178.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2529C612-801F-46BF-AF90-62819ACCE5EC}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C50B6C34-A289-413E-A58D-4AE8A928A642}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2529C612-801F-46BF-AF90-62819ACCE5EC}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C50B6C34-A289-413E-A58D-4AE8A928A642}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.178.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



2:


SmitFraudFix v2.166

Scan done at 10:47:44,50, 12.04.2007
Run from C:\Dokumente und Einstellungen\Kraus\Desktop\Neuer Ordner\Smitfraudfix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\drives\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2529C612-801F-46BF-AF90-62819ACCE5EC}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C50B6C34-A289-413E-A58D-4AE8A928A642}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2529C612-801F-46BF-AF90-62819ACCE5EC}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{C50B6C34-A289-413E-A58D-4AE8A928A642}: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.178.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.178.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End




Here is the HijackThis log once more:


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:53:45, on 12.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Programme\HHVcdV5Sys\VC5SecS.exe
C:\Programme\HHVcdV7Sys\VC7SecS.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\HHVcdV7Sys\VC7Play.exe
C:\Programme\HHVcdV5Sys\VC5Play.exe
C:\Programme\Browser MOUSE\mouse32a.exe
C:\Programme\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
C:\WINDOWS\system32\sstray.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Java\jre1.5.0_11\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Programme\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Programme\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\Kraus\Desktop\Neuer Ordner\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Programme\ICQToolbar\toolbaru.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - D:\Programme\ICQToolbar\toolbaru.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Programme\ICQToolbar\toolbaru.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VC7Player] C:\Programme\HHVcdV7Sys\VC7Play.exe
O4 - HKLM\..\Run: [VC5Player] "C:\Programme\HHVcdV5Sys\VC5Play.exe"
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Programme\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Programme\Muiltmedia keyboard Utility\1.3\KbdAp32A.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Cyber-shot Viewer-Medien-Prüfung.lnk = C:\Programme\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Kodak EasyShare Software.lnk = C:\Programme\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Programme\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programme\Bonjour\ExplorerPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Dienst (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Programme\HHVcdV5Sys\VC5SecS.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Programme\HHVcdV7Sys\VC7SecS.exe

--
End of file - 7998 bytes


Hope everything is gone now ;)
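To show how a helper turns a HijackThis log like the one above into a fix list, here is an added Python example; it is not code from this thread, from HijackThis or from Trend Micro. It applies three rules the thread itself relies on: entries marked `(file missing)` are orphans, entries naming the products the scanner reports in this thread classify as rogue or adware (DriveCleaner, WinAntiVirus, ErrorSafe, Video ActiveX Object, SaveNow, New.net) get removed, and O4 autostarts that live under `Policies\Explorer\Run` or run from inside a user profile deserve a look. The sample lines are copied from the log above except the `[Updater]` O4 entry, which is constructed for the example.

```python
import re

HJT_LINE_RE = re.compile(r"^(?P<section>[ROF]\d+)\s+-\s+(?P<rest>.*)$")
# Product names that the scanner reports in this thread attribute to
# scareware/adware; extend the tuple for other cases.
ROGUE_MARKERS = ("drivecleaner", "winantivirus", "errorsafe",
                 "video activex object", "savenow", "new.net")
PROFILE_DIRS = ("\\dokumente und einstellungen\\", "\\documents and settings\\")
# Either a quoted path or the shortest prefix ending in .exe/.dll/.cpl; the
# second alternative copes with unquoted paths that contain spaces.
TARGET_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|cpl))(?=\s|$)', re.I)

# Sample log: lines taken from the HijackThis log above plus one constructed
# O4 entry ("[Updater]", not from the thread) that starts from the desktop.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Programme\ICQToolbar\toolbaru.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UERScw] C:\Programme\ErrorSafe Free\UERScw.exe -c
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKLM\..\Policies\Explorer\Run: [pmsngr.exe] C:\Programme\Video ActiveX Object\pmsngr.exe
O4 - HKCU\..\Run: [Updater] "C:\Dokumente und Einstellungen\Kraus\Desktop\Neuer Ordner\updater.exe"
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
"""


def target_of(section, rest):
    """Best-effort extraction of the file an entry points at."""
    if section == "O4" and "]" in rest:        # O4 - HKLM\..\Run: [name] "path" args
        cmd = rest.split("]", 1)[1]
    elif section == "O4" and " = " in rest:    # O4 - Startup: name.lnk = path
        cmd = rest.split(" = ", 1)[1]
    else:                                      # ... - {CLSID} - path
        cmd = rest.rsplit(" - ", 1)[-1]
    cmd = cmd.replace("(file missing)", "").strip()
    m = TARGET_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def review(line):
    """Return a dict with the reasons an entry deserves a look, or None for non-entries."""
    m = HJT_LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    low, reasons = line.lower(), []
    if "(file missing)" in low:
        reasons.append("orphaned: target file no longer exists")
    if any(mark in low for mark in ROGUE_MARKERS):
        reasons.append("known rogue/scareware name")
    if section == "O4" and "policies\\explorer\\run" in low:
        reasons.append("Policies\\Explorer\\Run autostart (rarely used by legitimate software)")
    target = target_of(section, rest)
    if section == "O4" and any(d in target.lower() for d in PROFILE_DIRS):
        reasons.append("autostart runs from a user profile directory")
    return {"section": section, "line": line.strip(), "target": target, "reasons": reasons}


def fix_list(text):
    """Entries a helper would ask the user to tick in HijackThis, with the reasons."""
    return [r for r in map(review, text.splitlines()) if r and r["reasons"]]


if __name__ == "__main__":
    for entry in fix_list(SAMPLE_LOG):
        print(entry["line"])
        for reason in entry["reasons"]:
            print("    ->", reason)
```

On the sample the script lists five entries (the two orphaned toolbar/button entries, the ErrorSafe and Video ActiveX Object autostarts, and the constructed desktop autostart) and passes the Java BHO, AntiVir and browseui lines. The `[Windows update loader]` entry pointing at `C:\Windows\xpupdate.exe` passes every rule here as well: a loader with a neutral name in a system-looking path is only caught by reading the log, which is why this produces a review list and not an automatic fix.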
12.04.2007, 11:13
Honorary member

Posts: 29434
#101 TommyK

SmitFraudFix still pulled something out - well done ;)

scan with ewido and post the report (afterwards, have everything that was found deleted)
http://virus-protect.org/onlinescan.html
__________
Best regards, Sabina

all about PC security
12.04.2007, 11:28
Honorary member

Posts: 29434
#102 Sott

scan with ewido and post the report (afterwards, have everything that was found deleted)
http://virus-protect.org/onlinescan.html

+
post the new HijackThis log
__________
Best regards, Sabina

all about PC security
12.04.2007, 11:32
Member

Posts: 13
#103 That somehow doesn't work; it starts and then throws an error message:

Buffer overrun detected

Program: ...nd Einstellungen\Kraus\Desktop\Ewido_micro.exe

A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.


I've now downloaded it again and then quickly unticked adware.driver cleaner so that it keeps going
This post was edited on 12.04.2007 at 11:36 by TommyK.
12.04.2007, 11:44
Honorary member

Posts: 29434
#104 TommyK

fine ;)
when the scan is through, post the report, then have everything that was found deleted
__________
Best regards, Sabina

all about PC security
12.04.2007, 12:31
Member

Posts: 13
#105 OK, here is the ewido report:

__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Ivwbox
Path: C:\Dokumente und Einstellungen\Kraus\Cookies\kraus@ivwbox[2].txt
Risk: Medium

Name: TrackingCookie.Mediaplex
Path: C:\Dokumente und Einstellungen\Kraus\Cookies\kraus@mediaplex[1].txt
Risk: Medium

Name: TrackingCookie.Reliablestats
Path: C:\Dokumente und Einstellungen\Kraus\Cookies\kraus@stats1.reliablestats[1].txt
Risk: Medium

Name: Adware.SaveNow
Path: HKLM\SOFTWARE\Classes\WUSN.1
Risk: Medium

Name: Adware.DriveCleaner
Path: HKLM\SOFTWARE\DriveCleaner 2006 Free
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SOFTWARE\WinAntiVirus Pro 2006
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\vspf
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\vspf\Security
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Security
Risk: Medium

Name: Adware.NewDotNet
Path: HKU\.DEFAULT\Software\New.net
Risk: Medium

Name: Adware.Generic
Path: HKU\S-1-5-21-823518204-57989841-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A1DDC19-5893-43AB-A73F-F41A0F34D115}
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKU\S-1-5-21-823518204-57989841-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}
Risk: Medium

Name: Adware.NewDotNet
Path: HKU\S-1-5-21-823518204-57989841-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
Risk: Medium

Name: Adware.Generic
Path: HKU\S-1-5-21-823518204-57989841-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D4831E0-5A7C-4A46-AFD5-A79AB8CE36C2}
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKU\S-1-5-21-823518204-57989841-1801674531-1004\Software\WinAntiVirus Pro 2006
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKU\S-1-5-21-823518204-57989841-1801674531-1004\Software\WinAntiVirus Pro 2006\Settings
Risk: Medium

Name: Adware.NewDotNet
Path: HKU\S-1-5-18\Software\New.net
Risk: Medium

Name: Adware.Agent
Path: C:\avenger\backup.zip/avenger/iedebug.dll
Risk: Medium

Name: Adware.Agent
Path: C:\avenger\backup.zip/avenger/iesettings.dll
Risk: Medium

Name: Adware.Agent
Path: C:\avenger\backup.zip/avenger/iesupport.dll
Risk: Medium

Name: TrackingCookie.Webtrendslive
Path: :mozilla.21:C:\Dokumente und Einstellungen\Kraus\Anwendungsdaten\Mozilla\Firefox\Profiles\pr3h4u3j.default\cookies.txt.old
Risk: Medium

Name: TrackingCookie.Reliablestats
Path: :mozilla.51:C:\Dokumente und Einstellungen\Kraus\Anwendungsdaten\Mozilla\Firefox\Profiles\pr3h4u3j.default\cookies.txt.old
Risk: Medium

Name: TrackingCookie.Reliablestats
Path: :mozilla.52:C:\Dokumente und Einstellungen\Kraus\Anwendungsdaten\Mozilla\Firefox\Profiles\pr3h4u3j.default\cookies.txt.old
Risk: Medium

Name: TrackingCookie.Reliablestats
Path: :mozilla.53:C:\Dokumente und Einstellungen\Kraus\Anwendungsdaten\Mozilla\Firefox\Profiles\pr3h4u3j.default\cookies.txt.old
Risk: Medium

Name: TrackingCookie.Reliablestats
Path: :mozilla.54:C:\Dokumente und Einstellungen\Kraus\Anwendungsdaten\Mozilla\Firefox\Profiles\pr3h4u3j.default\cookies.txt.old
Risk: Medium

Name: TrackingCookie.Reliablestats
Path: :mozilla.55:C:\Dokumente und Einstellungen\Kraus\Anwendungsdaten\Mozilla\Firefox\Profiles\pr3h4u3j.default\cookies.txt.old
Risk: Medium

Name: TrackingCookie.Mediaplex
Path: :mozilla.58:C:\Dokumente und Einstellungen\Kraus\Anwendungsdaten\Mozilla\Firefox\Profiles\pr3h4u3j.default\cookies.txt.old
Risk: Medium

Name: TrackingCookie.Statcounter
Path: :mozilla.64:C:\Dokumente und Einstellungen\Kraus\Anwendungsdaten\Mozilla\Firefox\Profiles\pr3h4u3j.default\cookies.txt.old
Risk: Medium

Name: Adware.NewDotNet
Path: C:\QooBox\Quarantine\WINDOWS\NDNuninstall6_38.exe.vir
Risk: Medium

Name: Adware.NewDotNet
Path: C:\QooBox\Quarantine\WINDOWS\NDNuninstall7_48.exe.vir
Risk: Medium

Name: Adware.SpySheriff
Path: C:\QooBox\Quarantine\WINDOWS\xpupdate.exe.vir
Risk: Medium

Name: Adware.SpySheriff
Path: C:\System Volume Information\_restore{5591E926-E39F-495D-894A-01E67DC02540}\RP462\A0201757.exe
Risk: Medium

Name: Adware.SpySheriff
Path: C:\System Volume Information\_restore{5591E926-E39F-495D-894A-01E67DC02540}\RP462\A0201758.exe
Risk: Medium

Name: Adware.WinFixer
Path: C:\System Volume Information\_restore{5591E926-E39F-495D-894A-01E67DC02540}\RP462\A0201759.exe
Risk: Medium

Name: Adware.Agent
Path: C:\System Volume Information\_restore{5591E926-E39F-495D-894A-01E67DC02540}\RP462\A0201798.dll
Risk: Medium

Name: Adware.Agent
Path: C:\System Volume Information\_restore{5591E926-E39F-495D-894A-01E67DC02540}\RP462\A0201799.dll
Risk: Medium

Name: Adware.Agent
Path: C:\System Volume Information\_restore{5591E926-E39F-495D-894A-01E67DC02540}\RP462\A0201800.dll
Risk: Medium
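The ewido report above mixes hits of very different weight: registry keys and files that are still live on the system (the vspf service entries, the WinAntiVirus and DriveCleaner software keys), tracking cookies, and copies that exist only inside the quarantine of earlier cleanup tools (C:\QooBox\Quarantine, C:\avenger\backup.zip) or inside System Restore snapshots under System Volume Information. The Python helper below is an added example, not code from the forum or from ewido: it parses the Name/Path/Risk blocks and sorts each hit by where the detected object lives, so the entries that still need action are separated from remnants of steps already taken. The sample report is constructed from a few of the paths posted above, and the classification rules are my own assumptions about what those path prefixes mean.

```python
"""Triage helper for ewido-style scan reports (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample in the shape of the ewido online-scanner report quoted in the
# thread; the paths are copied from the posted report, this is not live scan output.
SAMPLE_REPORT = r"""
__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Mediaplex
Path: C:\Dokumente und Einstellungen\Kraus\Cookies\kraus@mediaplex[1].txt
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\vspf
Risk: Medium

Name: Adware.Agent
Path: C:\avenger\backup.zip/avenger/iesupport.dll
Risk: Medium

Name: TrackingCookie.Statcounter
Path: :mozilla.64:C:\Dokumente und Einstellungen\Kraus\Anwendungsdaten\Mozilla\Firefox\Profiles\pr3h4u3j.default\cookies.txt.old
Risk: Medium

Name: Adware.NewDotNet
Path: C:\QooBox\Quarantine\WINDOWS\NDNuninstall6_38.exe.vir
Risk: Medium

Name: Adware.SpySheriff
Path: C:\System Volume Information\_restore{5591E926-E39F-495D-894A-01E67DC02540}\RP462\A0201757.exe
Risk: Medium
"""

# One report entry: three consecutive lines "Name:", "Path:", "Risk:".
ENTRY_RE = re.compile(
    r"^Name:\s*(?P<name>.+?)\s*\nPath:\s*(?P<path>.+?)\s*\nRisk:\s*(?P<risk>\S+)\s*$",
    re.MULTILINE,
)

REGISTRY_HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKEY_")

# Categories that do not represent running or auto-starting code (assumption:
# quarantine folders and restore points are inert until restored or unpacked).
INERT = {"cookie", "restore_point", "quarantine"}


def parse_report(text):
    """Return a list of {'name', 'path', 'risk'} dicts, one per report entry."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def classify(path):
    """Map a detected path to where the object lives (rules are assumptions)."""
    p = path.lower()
    if path.startswith(REGISTRY_HIVES):
        return "registry"
    if "\\system volume information\\_restore" in p:
        return "restore_point"          # System Restore snapshot copy
    if "\\qoobox\\quarantine\\" in p or "\\avenger\\backup.zip" in p or p.endswith(".vir"):
        return "quarantine"             # already removed by an earlier tool
    if p.startswith(":mozilla.") or "\\cookies\\" in p or p.endswith(("cookies.txt", "cookies.txt.old")):
        return "cookie"                 # IE cookie file or Firefox cookies.txt record
    return "file"                       # live file on disk


def summarize(findings):
    """Return (category counts, entries that still need cleanup)."""
    counts = Counter(classify(f["path"]) for f in findings)
    active = [f for f in findings if classify(f["path"]) not in INERT]
    return counts, active


def families(findings):
    """Count hits per detection name, e.g. Adware.WinAntiVirus -> 1."""
    return Counter(f["name"] for f in findings)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    counts, active = summarize(found)
    print("hits by location:", dict(counts))
    print("hits by family:", dict(families(found)))
    print("still live (needs action):")
    for f in active:
        print(f"  {f['name']:<24} {f['path']}")
```

The hits under System Volume Information are copies held in restore points: they do no harm unless that restore point is used, and the usual remedy once the machine is confirmed clean is to turn System Restore off and on again so the old snapshots are discarded. The entries worth a second look are the registry ones, since a surviving service key such as Services\vspf can bring the component back at the next boot if its binary is still present.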