iexplorer.exe kommt immer wieder

#1 hiho hab gestern das Problem bei mir gefunden das sich der Prozess iexplorer.exe nicht beenden lässt da er nach geringer Zeit immer wieder kommt.
Hab auch schon die Suchfunktion genutzt aber nix passenden gefunden, da ich nicht netpumper oder sowas installiert habe.

Habe mein Hijacklogfile angehängt.

Zitat

Logfile of HijackThis v1.99.1
Scan saved at 18:20:20, on 29.01.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
D:\Programme\ICQLite\ICQLite.exe
C:\Programme\Razer\razerhid.exe
D:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
S:\steam\steam.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Razer\razerofa.exe
C:\Programme\iTunes\iTunes.exe
C:\Programme\iPod\bin\iPodService.exe
D:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Christoph1\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1und1.de/Herzlich_Willkommen/b1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.1und1.de/Herzlich_Willkommen/b1/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von 1 & 1 Internet AG
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [razer] C:\Programme\Razer\razerhid.exe
O4 - HKLM\..\Run: [AVP] "D:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [TransBar] D:\Programme\AKSoftware\TransBar\TransBar.exe /s
O4 - HKCU\..\Run: [Steam] "s:\steam\steam.exe" -silent
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -trayboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.1und1.de/Herzlich_Willkommen/b1/
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://www.giga.de/giga-stream-test/Rawflow.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095525329823
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07FCF8BF-76FD-4805-94DA-24383CF454E0}: NameServer = 192.168.122.252,192.168.122.253
O17 - HKLM\System\CS1\Services\Tcpip\..\{07FCF8BF-76FD-4805-94DA-24383CF454E0}: NameServer = 192.168.122.252,192.168.122.253
O20 - AppInit_DLLs: x
=sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#2 qwerDenker

poste dieses log
http://virus-protect.org/artikel/tools/combofix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 so hier ist der log:

"Christoph1" - 07-01-30 13:37:29 Service Pack 2
ComboFix 07-01-25 - Running from: "S:\"

((((((((((((((((((((((((((((((( Files Created from 2006-12-30 to 2007-01-30 ))))))))))))))))))))))))))))))))))


2007-01-28 09:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-01-27 23:02 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\Anwendungsdaten\AntiVir PersonalEdition Classic
2007-01-26 18:42 845,312 --a------ C:\WINDOWS\system32\Smab.dll
2007-01-26 18:42 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-01-26 18:42 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
2007-01-26 18:42 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
2007-01-26 18:42 66,560 --a------ C:\WINDOWS\MOTA113.exe
2007-01-26 18:42 502,784 --a------ C:\WINDOWS\x2.64.exe
2007-01-26 18:42 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
2007-01-26 18:42 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-01-26 18:42 240,128 --a------ C:\WINDOWS\system32\x.264.exe
2007-01-26 18:42 217,073 --a------ C:\WINDOWS\meta4.exe
2007-01-26 18:42 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll
2007-01-26 18:42 <DIR> d--hs---- C:\WINDOWS\system32\ShellDHCP
2007-01-18 14:37 381,952 --a------ C:\DOKUME~1\CHRIST~1\Project1.exe
2007-01-16 14:41 <DIR> d-------- C:\DOKUME~1\CHRIST~1\Anwendungsdaten\dvdcss
2007-01-07 18:46 92,728 --a------ C:\WINDOWS\system32\bass.dll
2007-01-02 22:20 <DIR> d-------- C:\DOKUME~1\CHRIST~1\Anwendungsdaten\Hamachi


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-29 19:25 -------- d-------- C:\DOKUME~1\CHRIST~1\Anwendungsdaten\utorrent
2007-01-27 14:37 -------- d-------- C:\DOKUME~1\CHRIST~1\Anwendungsdaten\teamspeak2
2007-01-25 14:21 -------- d-------- C:\Programme\quicktime
2007-01-21 02:00 -------- d-------- C:\Programme\java
2007-01-16 20:00 -------- d-------- C:\DOKUME~1\CHRIST~1\Anwendungsdaten\adobeum
2007-01-16 15:46 17480 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-01-14 18:31 -------- d-------- C:\DOKUME~1\CHRIST~1\Anwendungsdaten\xfire
2006-12-23 16:52 -------- d--h----- C:\Programme\installshield installation information
2006-12-20 22:44 -------- d-------- C:\Programme\utorrent
2006-12-12 19:45 -------- d-------- C:\Programme\Gemeinsame Dateien\symantec shared
2006-12-12 18:49 -------- d-------- C:\Programme\Gemeinsame Dateien\wise installation wizard
2006-12-07 15:46 -------- d-------- C:\Programme\itunes
2006-12-07 15:45 -------- d-------- C:\Programme\ipod
2006-12-02 10:26 -------- d-------- C:\Programme\windows media connect 2
2006-12-02 01:56 -------- d-------- C:\Programme\ahead
2006-11-23 16:45 24072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2006-11-13 15:05 253952 --------- C:\WINDOWS\setup1.exe
2006-11-09 16:26 1203 --a------ C:\WINDOWS\pcwkmm.bat
2006-11-08 06:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-01 17:42 94314 --a------ C:\WINDOWS\system32\klogon.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"TransBar"="D:\\Programme\\AKSoftware\\TransBar\\TransBar.exe /s"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"="D:\\Programme\\ICQLite\\ICQLite.exe -trayboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ICQ Lite"="D:\\Programme\\ICQLite\\ICQLite.exe -minimize"
"razer"="C:\\Programme\\Razer\\razerhid.exe"
"AVP"="\"D:\\Programme\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"="D:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Jet Detection"="C:\\Programme\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"HotKey"="C:\\WINDOWS\\Twain_32\\SlimU2\\HotKey.exe"
"FLMK08KB"="C:\\Programme\\Medionkeyboard\\1.3\\MMKEYBD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"QuickTime Task"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"razertra"="C:\\Programme\\Razer\\razertra.exe"
"razer"="C:\\Programme\\Razer\\razerhid.exe"
"iTunesHelper"="\"C:\\Programme\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\Adobe Reader - Schnellstart.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader - Schnellstart.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader - Schnellstart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Ulead Kalendar Checker 4.0 SE.lnk]
"path"="C:\\Dokumente und Einstellungen\\All Users\\Startmenü\\Programme\\Autostart\\Ulead Kalendar Checker 4.0 SE.lnk"
"backup"="C:\\WINDOWS\\pss\\Ulead Kalendar Checker 4.0 SE.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Programme\\Ulead Systems\\Ulead Photo Express 4.0 SE\\CalCheck.exe "
"item"="Ulead Kalendar Checker 4.0 SE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^Christoph1^Startmenü^Programme^Autostart^Yahoo! Widget Engine.lnk]
"path"="C:\\Dokumente und Einstellungen\\Christoph1\\Startmenü\\Programme\\Autostart\\Yahoo! Widget Engine.lnk"
"backup"="C:\\WINDOWS\\pss\\Yahoo! Widget Engine.lnkStartup"
"location"="Startup"
"command"="D:\\Config.Msi\\32db0fa.rbf "
"item"="Yahoo! Widget Engine"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"D:\\Programme\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostStartTrayApp"
"hkey"="HKLM"
"command"="C:\\Programme\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GIGA F-Tasten]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GIGA F-Tasten"
"hkey"="HKCU"
"command"="D:\\Programme\\GIGA F-Tasten\\GIGA F-Tasten.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"D:\\Programme\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QD FastAndSafe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostStartTrayApp"
"hkey"="HKLM"
"command"="C:\\Programme\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Programme\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Programme\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Programme\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=dword:00000002
"SymWSC"=dword:00000002
"SQLAgent$SONY_MEDIAMGR"=dword:00000003
"Speed Disk service"=dword:00000002
"rpcapd"=dword:00000003
"ose"=dword:00000003
"NProtectService"=dword:00000002
"MSSQL$SONY_MEDIAMGR"=dword:00000003
"iPod Service"=dword:00000003
"IDriverT"=dword:00000003
"Creative Service for CDROM Access"=dword:00000002
"Boonty Games"=dword:00000003
"awhost32"=dword:00000003
"Adobe LM Service"=dword:00000003
"WMPNetworkSvc"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="x
=sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Klick-Wartung.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-30 13:45:20

#4 SDFix.zip entpacken
http://virus-protect.org/artikel/tools/sdfix.html
es erscheint folgende Meldung:

"The SDFix Folder has been extracted to %systemdrive% - Please run from that location.
(%systemdrive% = drive that contains the Windows directory - typically C:\SDFix )"

unter C:\ findet man nun den SDFix-Ordner

boote in den abgesicherten Modus (die Taste F8 drücken, während der Rechner neustartet)

gehe in den Ordner C:\SDFix

RunThis.bat doppelt klicken

schreibe: Y

folge allen Anweisungen, während gescannt wird - dann wird der Rechner neustarten
kopiere mit der rechten Maustaste den Text ab, der erscheint - und in den Beitrag,
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Hier der Report:


SDFix: Version 1.63

30.01.2007 - 17:48:48,35

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\directx.exe - Deleted
C:\WINDOWS\system32\plugin1.dat - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Spiele\\Quake 3\\quake3.exe"="D:\\Spiele\\Quake 3\\quake3.exe:*:Enabled:quake3"
"D:\\Programme\\FRITZ!DSL\\FritzDsl.exe"="D:\\Programme\\FRITZ!DSL\\FritzDsl.exe:*:Enabled:FRITZ!web DSL"
"D:\\Programme\\ICQLite\\ICQLite.exe"="D:\\Programme\\ICQLite\\ICQLite.exe:*:Enabled:ICQLite"
"D:\\Programme\\Teamspeak2_RC2_server\\server_windows.exe"="D:\\Programme\\Teamspeak2_RC2_server\\server_windows.exe:*:Enabled:Server"
"D:\\Programme\\Anti-Leech\\ALIE_1.0.1.9\\alhlp.exe"="D:\\Programme\\Anti-Leech\\ALIE_1.0.1.9\\alhlp.exe:*:Enabled:Anti-Leech plugin helper program"
"D:\\Spiele\\CoD\\CoDMP.exe"="D:\\Spiele\\CoD\\CoDMP.exe:*:Enabled:CoDMP"
"D:\\Programme\\Anti-Leech\\ALIE_1.0.2.1\\alhlp.exe"="D:\\Programme\\Anti-Leech\\ALIE_1.0.2.1\\alhlp.exe:*:Enabled:Anti-Leech plugin helper program"
"D:\\Programme\\HLSW\\hlsw.exe"="D:\\Programme\\HLSW\\hlsw.exe:*:Enabled:HLSW"
"D:\\Programme\\Gamers.IRC\\mirc.exe"="D:\\Programme\\Gamers.IRC\\mirc.exe:*:Enabled:mIRC"
"D:\\Programme\\Ares\\Ares.exe"="D:\\Programme\\Ares\\Ares.exe:*:Enabled:Ares"
"D:\\Spiele\\Warcraft III\\Warcraft III.exe"="D:\\Spiele\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"D:\\Spiele\\Warcraft III\\war3.exe"="D:\\Spiele\\Warcraft III\\war3.exe:*:Enabled:Warcraft III"
"D:\\Programme\\Anti-Leech\\ALIE_1.0.2.2\\alhlp.exe"="D:\\Programme\\Anti-Leech\\ALIE_1.0.2.2\\alhlp.exe:*:Enabled:Anti-Leech plugin helper program"
"D:\\Programme\\Anti-Leech\\ALIE_1.0.2.3\\alhlp.exe"="D:\\Programme\\Anti-Leech\\ALIE_1.0.2.3\\alhlp.exe:*:Enabled:Anti-Leech plugin helper program"
"D:\\Spiele\\CounterStrike\\Counter-Strike Beta 5.2\\hl.exe"="D:\\Spiele\\CounterStrike\\Counter-Strike Beta 5.2\\hl.exe:*:Enabled:Half-Life Launcher"
"D:\\Spiele\\CounterStrike\\Half-Life Counter-Strike 1.5 - US Retail\\cstrike.exe"="D:\\Spiele\\CounterStrike\\Half-Life Counter-Strike 1.5 - US Retail\\cstrike.exe:*:Enabled:CounterStrike Launcher"
"D:\\Spiele\\CounterStrike\\Counter Strike Source\\hl2.exe"="D:\\Spiele\\CounterStrike\\Counter Strike Source\\hl2.exe:*:Enabled:hl2"
"C:\\Programme\\Windows Media Player\\wmplayer.exe"="C:\\Programme\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:Microsoft Update"
"D:\\Programme\\Net Tools\\nettools4.exe"="D:\\Programme\\Net Tools\\nettools4.exe:*:Enabled:Net Tools by Mohammad Ahmadi Bidakhvidi"
"D:\\Programme\\Cain\\Cain.exe"="D:\\Programme\\Cain\\Cain.exe:*:Enabled:Cain - Password Recovery Utility"
"D:\\Spiele\\Tactical Teams\\tacteams.exe"="D:\\Spiele\\Tactical Teams\\tacteams.exe:*:Enabled:tacteams"
"D:\\Spiele\\CounterStrike\\CounterStrike LanEdition\\hl.exe"="D:\\Spiele\\CounterStrike\\CounterStrike LanEdition\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programme\\Internet Explorer\\iexplore.exe"="C:\\Programme\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Programme\\iTunes\\iTunes.exe"="C:\\Programme\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"="C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe:*isabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"D:\\Spiele\\Blobby Volley 1.8\\volley.exe"="D:\\Spiele\\Blobby Volley 1.8\\volley.exe:*:Enabled:volley"
"D:\\Programme\\salt-water Leecher.exe"="D:\\Programme\\salt-water Leecher.exe:*:Enabled:salt-water Leecher"
"D:\\Spiele\\AssaultForce100\\AssaultForce.exe"="D:\\Spiele\\AssaultForce100\\AssaultForce.exe:*:Enabled:AssaultForce"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8-Server"
"C:\\Programme\\utorrent\\utorrent.exe"="C:\\Programme\\utorrent\\utorrent.exe:*:Enabled:µTorrent"
"D:\\Programme\\Xfire\\xfire.exe"="D:\\Programme\\Xfire\\xfire.exe:*:Enabled:Xfire"
"D:\\Spiele\\Battlefield 2\\BF2.exe"="D:\\Spiele\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"D:\\Programme\\utorrent16.exe"="D:\\Programme\\utorrent16.exe:*:Enabled:µTorrent"
"S:\\Steam\\steamapps\\h5c2ho\\counter-strike\\hl.exe"="S:\\Steam\\steamapps\\h5c2ho\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Programme\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Programme\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*isabled:LaunchPad"
"S:\\Steam\\steamapps\\qwerdenker\\counter-strike source\\hl2.exe"="S:\\Steam\\steamapps\\qwerdenker\\counter-strike source\\hl2.exe:*:Enabled:hl2"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Dokumente und Einstellungen\Christoph1\Netzwerkumgebung\ftp.adobe.com\Desktop.ini
C:\Dokumente und Einstellungen\Christoph1\Netzwerkumgebung\ftp.thecpl.com\Desktop.ini
C:\WINDOWS\system32\flvDX.dll

Finished

#6 ««
scanne mit smitfraudfix - Option 1 und 2 ( lasse auch die Registry mitreinigen)
http://virus-protect.org/artikel/tools/smitfrautfix.html

poste hier die scanreporte
__________
MfG Sabina

rund um die PC-Sicherheit

#7 das kommt wenn ich 1 drücke

SmitFraudFix v2.137

Scan done at 18:38:52,45, 30.01.2007
Run from C:\Dokumente und Einstellungen\Christoph1\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Christoph1


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Christoph1\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\CHRIST~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=hex(1):78,00,01,00,3d,00,73,00,6f,00,63,00,6b,00,73,00,70,00,79,\


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


dies kamm bei 2:

SmitFraudFix v2.137

Scan done at 18:39:37,29, 30.01.2007
Run from C:\Dokumente und Einstellungen\Christoph1\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\1024\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End




Edit: ka wie es ging aber jetzt hab ich das Problem nicht mehr.

thx 4 support n1 forum für sowas kann ich nur empfehlen

mfg qwerDenker