Please check my HijackThis log...

#0
07.02.2007, 13:32
...new here

Posts: 8
#1 My computer is dying. Could someone here take a look at my HijackThis log and tell me which files are probably malware?!?

thanks in advance; Dhirri and his viruses!

Logfile of HijackThis v1.99.1
Scan saved at 13:06:28, on 07.02.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Cablecom Assistant\bin\cablecom_assistant.exe
C:\Program Files\Cablecom Assistant\bin\mpbtn.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\CABLEC~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\Dhiraj Sabharwal\Bureau\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ch/0SEDECH/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ch/0SEDECH/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Lexmark Symbolleiste - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\CABLEC~1\SMARTB~1\DExec.exe 180000 C:\PROGRA~1\CABLEC~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [UDial] C:\WINDOWS\system32/udial.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [VoipDiscount] "C:\Program Files\VoipDiscount.com\VoipDiscount\VoipDiscount.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: cablecom assistant.lnk = C:\Program Files\Cablecom Assistant\bin\matcli.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
07.02.2007, 13:36
Honorary member
Sabina

Posts: 29434
07.02.2007, 13:51
...new here

Thread starter

Posts: 8
#3 Here is the ComboFix log:

"Dhiraj Sabharwal" - 07-02-07 13:43:57 Service Pack 2
ComboFix 07-02-07 - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Safety Bar
C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2007-01-07 to 2007-02-07 ))))))))))))))))))))))))))))))))))


2007-02-06 09:23 491,619 ---hs---- C:\WINDOWS\system32\ststv.ini2
2007-02-05 12:17 37,376 -ra------ C:\WINDOWS\system32\udial.exe
2007-02-05 10:51 483,167 -r-hs---- C:\WINDOWS\system32\ststv.bak1
2007-02-05 10:51 44,165 -ra------ C:\WINDOWS\system32\jwmyfjcc.dll
2007-02-05 10:51 277,189 -r-hs---- C:\WINDOWS\system32\vtsts.dll
2007-02-05 10:46 22,555 -r-hs---- C:\WINDOWS\system32\tuvsspn.dll

2007-01-16 19:04 5,504 -ra------ C:\WINDOWS\system32\drivers\MSTEE.sys
2007-01-16 19:03 85,376 -ra------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-01-16 19:03 19,328 -ra------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-01-16 19:03 17,024 -ra------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-01-16 19:03 15,360 -ra------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-01-16 19:03 11,136 -ra------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-01-16 19:03 10,880 -ra------ C:\WINDOWS\system32\drivers\NdisIP.sys
2007-01-16 19:02 59,264 -ra------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-01-16 19:00 912,768 -ra------ C:\WINDOWS\system32\drivers\LV302AV.SYS
2007-01-16 19:00 54,784 -ra------ C:\WINDOWS\system32\vfwwdm32.dll
2007-01-16 19:00 372,736 -ra------ C:\WINDOWS\system32\LVUI2RC.dll
2007-01-16 19:00 22,016 -ra------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-01-16 19:00 204,800 -ra------ C:\WINDOWS\system32\LVUI2.dll
2007-01-16 19:00 204,800 -ra------ C:\WINDOWS\system32\lvcodec2.dll
2007-01-16 19:00 2,180,096 -ra------ C:\WINDOWS\system32\drivers\LVSVF2.sys
2007-01-16 19:00 106,496 -ra------ C:\WINDOWS\system32\lvcoinst.dll
2007-01-16 11:04 12,288 -ra------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-01-12 18:44 <REP> d-------- C:\WINDOWS\ie7updates


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-07 11:03 12 --a------ C:\WINDOWS\bthservsdp.dat
2007-01-17 17:05 50802 -ra------ C:\WINDOWS\system32\perfc00c.dat
2007-01-17 17:05 372620 -ra------ C:\WINDOWS\system32\perfh00c.dat
2007-01-06 23:39 3179 --a------ C:\WINDOWS\mozver.dat
2006-12-07 06:29 2374472 -r------- C:\WINDOWS\system32\wmvcore.dll
2006-11-08 06:07 679424 -ra------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 -r------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 -r------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 -r------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 -ra------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 -ra------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 -r------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 -ra------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 -ra------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 -ra------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 -ra------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 -ra------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 -ra------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 -ra------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 -ra------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 -ra------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 -ra------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 -ra------ C:\WINDOWS\system32\ieakui.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"VoipDiscount"="\"C:\\Program Files\\VoipDiscount.com\\VoipDiscount\\VoipDiscount.exe\" -nosplash -minimized"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LaunchApp"="Alaunch"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"EPM-DM"="c:\\acer\\epm\\epm-dm.exe"
"ePowerManagement"="C:\\Acer\\ePM\\ePM.exe boot"
"LManager"="C:\\Program Files\\Launch Manager\\QtZgAcer.EXE"
"eRecoveryService"="C:\\Windows\\System32\\Check.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\CABLEC~1\\SMARTB~1\\DExec.exe 180000 C:\\PROGRA~1\\CABLEC~1\\SMARTB~1\\MotiveSB.exe"
"BearShare"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"ccApp"="\"C:\\Program Files\\Fichiers communs\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"lxcrmon.exe"="\"C:\\Program Files\\Lexmark 2400 Series\\lxcrmon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 2400 Series\\ezprint.exe\""
"FaxCenterServer"="\"C:\\Program Files\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"LXCRCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCRtime.dll,_RunDLLEntry@16"
"BearFlix"="\"C:\\Program Files\\BearFlix\\BearFlix.exe\" /pause"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"UDial"="C:\\WINDOWS\\system32/udial.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsspn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsts
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintuh32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Dhiraj Sabharwal.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1135948210.job
C:\WINDOWS\tasks\XoftSpy.job
C:\WINDOWS\tasks\Auf Updates für Windows Live Toolbar prüfen.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16????????????????
?????????????????????????????????????????????
?????????????????????????????????????????????????????????????????????????????????
?????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-07 13:49:29


O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
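As an added example (not a tool from this thread, and not code by Sabina or virus-protect.org): a Python script that cross-references the O4 autostart lines from the HijackThis log in the first post with the "Files Created" and Winlogon Notify lines from the ComboFix log above, so that autostarts pointing at freshly dropped files stand out. The log excerpts are constructed from the posts, and the flagging rules (30-day window, hidden+system attributes in system32, a forward slash in a Run value) are this example's own assumptions.

```python
import re
from datetime import date
from typing import NamedTuple

# Constructed excerpts of the two logs posted in this thread (paths as quoted there).
HJT_EXCERPT = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [UDial] C:\WINDOWS\system32/udial.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""
COMBOFIX_EXCERPT = r"""
2007-02-06 09:23 491,619 ---hs---- C:\WINDOWS\system32\ststv.ini2
2007-02-05 12:17 37,376 -ra------ C:\WINDOWS\system32\udial.exe
2007-02-05 10:51 44,165 -ra------ C:\WINDOWS\system32\jwmyfjcc.dll
2007-02-05 10:51 277,189 -r-hs---- C:\WINDOWS\system32\vtsts.dll
2007-02-05 10:46 22,555 -r-hs---- C:\WINDOWS\system32\tuvsspn.dll
2007-01-16 19:04 5,504 -ra------ C:\WINDOWS\system32\drivers\MSTEE.sys
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsspn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsts
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintuh32
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+[\d,]+\s+(?P<attrs>\S{9})\s+(?P<path>.+)$")
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\(?P<sub>[^\\\s]+)$", re.IGNORECASE)
# First drive-letter path ending in a loadable module; tolerates the "/" seen in the UDial value.
PATH_RE = re.compile(r'[A-Za-z]:[\\/][^"]*?\.(?:exe|dll|cpl|sys)', re.IGNORECASE)

class Finding(NamedTuple):
    kind: str    # "autostart", "notify" or "hidden"
    item: str    # Run value name, Notify subkey or file path
    reason: str

def norm(path: str) -> str:
    """Canonical form for comparisons: backslashes only, lower case."""
    return path.replace("/", "\\").lower()

def parse_autostarts(text: str):
    """Yield (value name, raw target path or None) for every O4 Run line."""
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            p = PATH_RE.search(m["cmd"])
            yield m["name"], (p.group(0) if p else None)

def parse_created(text: str) -> dict:
    """Map normalised path -> (creation date, attribute string) from 'Files Created'."""
    created = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            created[norm(m["path"])] = (date.fromisoformat(m["date"]), m["attrs"])
    return created

def parse_notify(text: str) -> list:
    """Winlogon Notify subkey names listed under 'Reg Loading Points'."""
    hits = (NOTIFY_RE.search(line.strip()) for line in text.splitlines())
    return [m["sub"].lower() for m in hits if m]

def triage(hjt_text: str, combofix_text: str, scan_day: date, window_days: int = 30):
    """Correlate the three sources; the flagging rules are this example's own heuristics."""
    created = parse_created(combofix_text)
    # file stem -> path, so a Notify subkey name can be matched to a dropped DLL
    stems = {p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]: p for p in created}
    findings = []
    for name, raw in parse_autostarts(hjt_text):
        if raw is None:
            continue
        path = norm(raw)
        if path in created:
            age = (scan_day - created[path][0]).days
            if age <= window_days:
                findings.append(Finding("autostart", name,
                                        f"target {path} created {age} day(s) before the scan"))
        if "/" in raw:
            findings.append(Finding("autostart", name, "non-canonical path separator in Run value"))
    for sub in parse_notify(combofix_text):
        if sub in stems:
            findings.append(Finding("notify", sub, f"Notify DLL {stems[sub]} is in the created-files list"))
        else:
            findings.append(Finding("notify", sub, "Notify subkey with no matching DLL in the list; check on disk"))
    for path, (day, attrs) in created.items():
        # hidden+system files dropped straight into system32 are unusual for legitimate installers
        if "h" in attrs and "s" in attrs and "\\system32\\" in path:
            findings.append(Finding("hidden", path, f"hidden+system file created in system32 on {day}"))
    return findings

def run_example():
    """Triage the constructed excerpts using the scan date from the first post."""
    return triage(HJT_EXCERPT, COMBOFIX_EXCERPT, date(2007, 2, 7))

if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.kind}] {f.item}: {f.reason}")
```

Entries such as SynTPLpr or CTFMON.EXE produce no finding because their targets are absent from the created-files list; the script is a triage aid and does not decide on its own what to delete.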
07.02.2007, 13:53
Honorary member
Sabina

Posts: 29434
#4 dirri

set up CleanUp exactly as described here:
http://virus-protect.org/cleanup.html

the script is meant for a German OS - use it anyway...

Copy these 6 text files. (right-click with the mouse -> select the text -> copy -> paste) They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html
__________
Kind regards, Sabina

all about PC security
08.02.2007, 18:40
...new here

Thread starter

Posts: 8
#5 ok, here are the last 3 months back to November:

Le volume dans le lecteur C s'appelle ACER
Le numéro de série du volume est 320D-180E

Répertoire de C:\WINDOWS\system32

08.02.2007 18:34 495.140 ststv.ini2
08.02.2007 17:45 692 eRLog.ini
08.02.2007 09:55 500.812 ststv.bak2
07.02.2007 14:01 96 mcrh.tmp
05.02.2007 12:19 491.084 ststv.tmp
05.02.2007 12:19 491.084 ststv.ini
05.02.2007 11:10 1.158 wpa.dbl
05.02.2007 10:52 37.376 udial.exe
05.02.2007 10:51 44.165 jwmyfjcc.dll
05.02.2007 10:51 483.167 ststv.bak1
05.02.2007 10:51 277.189 vtsts.dll
05.02.2007 10:46 22.555 tuvsspn.dll

17.01.2007 17:05 41.842 perfc009.dat
17.01.2007 17:05 316.184 perfh009.dat
17.01.2007 17:05 372.620 perfh00C.dat
17.01.2007 17:05 782.766 PerfStringBackup.INI
17.01.2007 17:05 50.802 perfc00C.dat
17.01.2007 08:45 263.024 FNTCACHE.DAT
16.01.2007 19:01 1.503 lvcoinst.log
06.01.2007 23:37 8.832 jupdate-1.5.0_10-b03.log
03.01.2007 00:19 10.980.776 MRT.exe


is that the right thing? I don't really have a clue..;)
09.02.2007, 00:02
Honorary member
Sabina

Posts: 29434
#6 dirri

1.
Copy the following text into Notepad (Start - Accessories - Notepad) and save it to the desktop as fixme.reg using 'Save as'.
Set the file type to 'All files'. You should now find this file on the desktop. Double-click the file "fixme.reg" on the desktop and add it to the registry with "ja" or "yes"

Quote

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5}]
2.
scan with VundoFix
http://virus-protect.org/artikel/tools/vundofixx.html

3.
Avenger
Input script manually (tick the box)
paste into: View/edit script
http://virus-protect.org/artikel/tools/avenger.html

Quote

Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run|UDial

registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0AFEA888-B97B-4EDE-AC47-1FEE31D5CEE5}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsspn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsts
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wintuh32

Files to delete:
C:\WINDOWS\system32\ststv.ini2
C:\WINDOWS\system32\eRLog.ini
C:\WINDOWS\system32\ststv.bak2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ststv.tmp
C:\WINDOWS\system32\ststv.ini
C:\WINDOWS\system32\udial.exe
C:\WINDOWS\system32\jwmyfjcc.dll
C:\WINDOWS\system32\ststv.bak1
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\tuvsspn.dll
Click the green traffic light
the script will now run, then the PC will restart automatically

««
Click: Start - Run - type in: cmd
then paste into the black DOS window:

del %windir%\temp\*.* /f

press "enter"
type Y

««
http://virus-protect.org/artikel/tools/sdfix.html
unzip SDFix.zip

the following message appears:

"The SDFix Folder has been extracted to %systemdrive% - Please run from that location.
(%systemdrive% = drive that contains the Windows directory - typically C:\SDFix )"

under C:\ you will now find the SDFix folder

boot into Safe Mode (press the F8 key while the computer restarts)

go to the folder C:\SDFix

double-click RunThis.bat

type: Y

follow all instructions while it scans - then the computer will restart
copy the text that appears with the right mouse button - and paste it into your post,


**
scan with ewido and post the scan report
http://virus-protect.org/onlinescan.html
__________
Kind regards, Sabina

all about PC security
09.02.2007, 03:36
...new here

Thread starter

Posts: 8
#7 This is what I got now:

SDFix: Version 1.63

09.02.2007 - 3:21:50,54

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\Installer\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}\_SHCT_Sprint.exe.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\VoipDiscount.com\\VoipDiscount\\VoipDiscount.exe"="C:\\Program Files\\VoipDiscount.com\\VoipDiscount\\VoipDiscount.exe:*:Enabled:VoipDiscount"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\System32\\lxcrcoms.exe"="C:\\WINDOWS\\System32\\lxcrcoms.exe:*:Enabled:Lexmark Communications System"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\TEMP\\win303D.tmp.exe"="C:\\WINDOWS\\TEMP\\win303D.tmp.exe:*:Enabled:win303D.tmp"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\WINDOWS\system32\NTICDMK32.dll
C:\WINDOWS\system32\NTIMPEG2.dll
C:\WINDOWS\system32\ntiembed.dll
C:\Program Files\Fichiers communs\Adobe\ESD\DLMCleanup.exe
C:\hiberfil.sys
C:\Documents and Settings\Dhiraj Sabharwal\Local Settings\Temp\BITF0.tmp
C:\Documents and Settings\Dhiraj Sabharwal\Bureau\Université de Fribourg\Medienwissenschaft\Medienkunde Seminar Dirri Work\Proseminararbeit Medienrechtliche Bedingung Zensur CHina\~WRL3677.tmp
C:\Documents and Settings\Dhiraj Sabharwal\Bureau\Université de Fribourg\Medienwissenschaft\Medienkunde Seminar Dirri Work\Proseminararbeit Medienrechtliche Bedingung Zensur CHina\~WRL4009.tmp
C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Microsoft\Word\~WRL2138.tmp
C:\Program Files\InterActual\InterActual Player\iti1E.tmp

Finished
09.02.2007, 10:44
Honorary member
Sabina

Posts: 29434
#8 dirri

Copy the following text into Notepad (Start - Accessories - Notepad) and save it to the desktop as listen.bat using 'Save as'. Set the file type to 'All files'. You should now find this file on the desktop. --> double-click listen.bat --> copy the text that appears

Quote

cd\
dir "C:\WINDOWS\Temp" >>files.txt
dir "C:\Temp" >>files.txt
dir "C:\Program Files" >>files.txt
dir "C:\Documents and Settings\%Username%\Local Settings\Temp" >>files.txt
dir "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5" >>files.txt
dir "C:\Documents and Settings\%Username%\Local Settings\Temporary Internet Files\Content.IE5" >>files.txt
dir "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5" >>files.txt
dir "C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5" >>files.txt
notepad files.txt

__________
Kind regards, Sabina

all about PC security
09.02.2007, 13:19
...new here

Thread starter

Posts: 8
#9 Sorry, but the text for Notepad doesn't work for me. The following appears:
Windows cannot find 'cd\'...

And besides, I don't quite understand which program I'm supposed to use to save the text as listen.bat. Sorry for the beginner questions...;)
09.02.2007, 14:02
Honorary member
Sabina

Posts: 29434
#10 Can you find the text editor? Notepad? Start - Accessories - Notepad
That is where you have to paste the script, and then save it as explained above.
Give it a try
__________
Kind regards, Sabina

all about PC security
09.02.2007, 14:45
...new here

Thread starter

Posts: 8
#11 Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\WINDOWS\Temp

28.12.2004 05:07 <DIR> .
28.12.2004 05:07 <DIR> ..
09.02.2007 11:52 0 WGAErrLog.txt
09.02.2007 11:58 409 WGANotify.settings
2 File(s) 409 bytes
2 Dir(s) 1.793.720.320 bytes free
Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\Temp

23.09.2005 14:07 <DIR> .
23.09.2005 14:07 <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 1.793.720.320 bytes free
Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\Program Files

28.12.2004 05:11 <DIR> .
28.12.2004 05:11 <DIR> ..
28.12.2004 05:11 <DIR> Fichiers communs
28.12.2004 05:16 <DIR> Windows NT
28.12.2004 05:16 <DIR> MSN
28.12.2004 05:16 <DIR> MSN Gaming Zone
28.12.2004 05:16 <DIR> Messenger
28.12.2004 05:16 <DIR> Windows Media Player
28.12.2004 05:16 <DIR> Online Services
28.12.2004 05:17 <DIR> ComPlus Applications
28.12.2004 05:17 <DIR> Internet Explorer
28.12.2004 05:17 <DIR> Outlook Express
28.12.2004 05:17 <DIR> NetMeeting
28.12.2004 05:17 <DIR> Movie Maker
28.12.2004 05:18 <DIR> Services en ligne
28.12.2004 05:20 <DIR> microsoft frontpage
28.12.2004 05:20 <DIR> xerox
28.12.2004 05:25 <DIR> Intel
28.12.2004 05:28 <DIR> CONEXANT
28.12.2004 05:30 <DIR> Synaptics
28.12.2004 05:31 <DIR> Acer Inc
28.12.2004 05:32 <DIR> Adobe
28.12.2004 05:36 <DIR> CyberLink
28.12.2004 05:37 <DIR> NewTech Infosystems
07.09.2005 03:13 <DIR> ATI Technologies
07.09.2005 03:14 <DIR> Launch Manager
07.09.2005 03:15 <DIR> acer
03.05.2006 01:23 <DIR> iTunes
03.05.2006 01:23 <DIR> iPod
08.06.2006 18:11 <DIR> DIFX
12.09.2005 15:06 <DIR> PCFriendly
23.09.2005 14:09 <DIR> Hewlett-Packard
27.09.2006 14:49 <DIR> lx_cats
09.10.2005 20:04 <DIR> Microsoft Office
09.10.2005 20:05 <DIR> Microsoft.NET
17.10.2005 22:09 <DIR> MSN Messenger
03.05.2006 01:24 <DIR> QuickTime
26.11.2006 20:48 <DIR> Windows Live Toolbar
11.05.2006 21:49 <DIR> WinZip
11.05.2006 22:09 <DIR> WinRAR
17.10.2005 22:40 <DIR> Winamp
14.05.2006 12:57 <DIR> Terayon
06.01.2007 23:35 <DIR> Java
31.01.2007 19:22 <DIR> CleanUp!
06.07.2006 01:03 <DIR> ZkeSoft
28.07.2006 19:35 <DIR> Ahead
24.10.2006 14:16 <DIR> Messenger Plus! Live
02.08.2006 19:42 <DIR> LimeWire
08.11.2006 08:52 <DIR> a-squared Free
29.08.2006 22:36 <DIR> FileZilla
17.09.2006 10:26 <DIR> Last.fm
27.09.2006 14:42 <DIR> Abbyy FineReader 6.0 Sprint
27.09.2006 14:43 <DIR> Lexmark 2400 Series
27.09.2006 14:43 <DIR> Lexmark Toolbar
27.09.2006 14:45 <DIR> Lexmark Fax Solutions
08.10.2006 21:00 <DIR> Gabest
08.10.2006 21:00 <DIR> AviSynth 2.5
17.11.2006 18:26 <DIR> MySpace
08.10.2006 22:03 <DIR> Dvd-to-avi
20.10.2006 18:19 <DIR> XoftSpy
09.10.2006 16:23 <DIR> Azureus
19.11.2006 03:12 <DIR> MSXML 4.0
26.11.2006 20:50 <DIR> Windows Live Favorites
26.11.2006 23:14 <DIR> CDex_170b2
10.11.2005 17:29 <DIR> Yahoo!
29.11.2005 12:52 <DIR> BroadJump
29.11.2005 13:14 <DIR> Common Files
29.11.2005 13:15 <DIR> Cablecom Assistant
29.11.2005 13:16 <DIR> Motive
29.11.2005 17:39 <DIR> Skype
29.11.2005 19:07 <DIR> BearShare
30.11.2005 23:20 <DIR> DivX
30.11.2005 23:20 <DIR> Google
05.12.2005 12:48 <DIR> Mozilla Firefox
05.12.2005 12:52 <DIR> Microsoft AntiSpyware
06.12.2005 01:39 <DIR> IrfanView
07.01.2006 16:24 <DIR> InterActual
26.01.2006 22:39 <DIR> Power Tab Software
07.02.2006 23:27 <DIR> Xtreme Desktop
20.03.2006 18:12 <DIR> Lavasoft
20.03.2006 20:12 <DIR> Real
21.03.2006 13:08 <DIR> Symantec
21.03.2006 13:09 <DIR> Norton AntiVirus
21.03.2006 13:52 <DIR> SymNetDrv
0 File(s) 0 bytes
84 Dir(s) 1.793.720.320 bytes free
Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\Documents and Settings\Dhiraj Sabharwal\Local Settings\Temp

07.09.2005 03:12 <DIR> .
07.09.2005 03:12 <DIR> ..
08.02.2007 18:30 <DIR> MessengerCache
02.02.2007 23:54 247 1F1205F7.TMP
09.02.2007 11:57 524.288 ~DFCC4D.tmp
09.02.2007 03:16 16.384 ~DFCF3.tmp
09.02.2007 11:57 458.752 ~DFA608.tmp
09.02.2007 11:56 16.384 ~DFA728.tmp
09.02.2007 04:49 16.384 ~DF99A1.tmp
09.02.2007 11:56 16.384 ~DF275B.tmp
09.02.2007 01:15 <DIR> Google Toolbar
09.02.2007 01:15 <DIR> WLTB Custom Button Feeds
09.02.2007 02:57 32.768 ~DFE714.tmp
09.02.2007 02:43 <DIR> Rar$EX00.906
09.02.2007 11:59 512 jusched.log
09.02.2007 11:57 512 ~DFCC5E.tmp
09.02.2007 03:42 <DIR> ewido_signatures
19.01.2007 23:54 17.976.688 Install_Messenger.exe
09.02.2007 13:53 <DIR> VBE
09.02.2007 14:01 <DIR> msohtml
09.02.2007 14:01 <DIR> msohtml1
11 File(s) 19.059.303 bytes
10 Dir(s) 1.793.720.320 bytes free
Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5

28.12.2004 05:23 <DIR> .
28.12.2004 05:23 <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 1.793.720.320 bytes free
Volume in drive C is ACER
Volume Serial Number is 320D-180E

Répe
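What a helper actually does with listings like these, as an added example that is not code from the thread: a small Python script that parses the `dir` output listen.bat produces (and the date-sorted system32 listing that datfind.bat produces, posted further down) and flags two things. First, executable-type files left in Temp or IE cache folders, which is why listen.bat lists exactly those places. Second, recently modified files whose timestamp is not shared by a whole batch of other files: a dozen DLLs with one identical stamp are normally an update, while a lone .job or .dat file dropped on its own is worth a second look. The parser accepts the French-locale output of the thread starter's machine (`<REP>`, `Répertoire de`, sizes with `.` as thousands separator) as well as English (`<DIR>`, `Directory of`); it assumes the dd.mm.yyyy hh:mm date format shown in this thread, and the sample it runs on is constructed, modelled on the listings above and below with the user name shortened to `user`.

```python
"""Triage a `dir` listing of the kind listen.bat / datfind.bat produce.
Added example, not from the thread. Accepts the French-locale output seen
in the thread (<REP>, 'Répertoire de') and English (<DIR>, 'Directory of').
Assumes dd.mm.yyyy hh:mm dates as shown in the thread."""
import re
from collections import Counter
from datetime import datetime

# 'R.pertoire' because the é usually arrives cp850-mangled ('R‚pertoire') when pasted
HEADER_RE = re.compile(r"^(?:Directory of|R.pertoire de) (.+?)\s*$")
ENTRY_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4}) (\d{2}:\d{2}) +(<DIR>|<REP>|[\d.]+) +(.+?)\s*$")
SUSPECT_EXT = (".exe", ".dll", ".scr", ".pif", ".com", ".job")


def parse_dir_listing(text):
    """Return (directory, name, is_dir, size, mtime) tuples, skipping '.' and '..'."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:      # volume lines, totals, blank lines
            continue
        date, time, kind, name = m.groups()
        if name in (".", ".."):
            continue
        is_dir = kind in ("<DIR>", "<REP>")
        size = 0 if is_dir else int(kind.replace(".", ""))   # '17.976.688' -> 17976688
        mtime = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M")
        entries.append((current, name, is_dir, size, mtime))
    return entries


def executables_in_temp(entries):
    """Executable-type files sitting in a Temp or IE cache directory."""
    return [(d, n) for d, n, is_dir, _, _ in entries
            if not is_dir and n.lower().endswith(SUSPECT_EXT)
            and ("\\temp" in d.lower() or "content.ie5" in d.lower())]


def recent_singletons(entries, since, under, max_cluster=2):
    """Files under `under` modified after `since` (dd.mm.yyyy) whose timestamp is
    shared by at most `max_cluster` files. A large cluster with one identical stamp
    is usually a patch or installer; the loners are what datfind output is read for."""
    cutoff = datetime.strptime(since, "%d.%m.%Y")
    stamps = Counter(e[4] for e in entries if not e[2])
    hits = [(d, n, t) for d, n, is_dir, _, t in entries
            if not is_dir and d.lower().startswith(under.lower())
            and t > cutoff and stamps[t] <= max_cluster]
    return sorted(hits, key=lambda h: h[2], reverse=True)   # newest first


# Constructed sample in the French format shown in the thread (user name shortened).
SAMPLE = r"""
 Le volume dans le lecteur C s'appelle ACER

 Répertoire de C:\Documents and Settings\user\Local Settings\Temp

07.09.2005 03:12 <REP> .
07.09.2005 03:12 <REP> ..
08.02.2007 18:30 <REP> MessengerCache
09.02.2007 11:57 524.288 ~DFCC4D.tmp
19.01.2007 23:54 17.976.688 Install_Messenger.exe
09.02.2007 11:59 512 jusched.log
 3 fichier(s) 18.501.488 octets

 Répertoire de C:\WINDOWS\system32

07.11.2006 21:03 6.049.280 ieframe.dll
07.11.2006 21:03 818.688 wininet.dll
07.11.2006 21:03 3.577.856 mshtml.dll
07.11.2006 21:03 1.162.240 urlmon.dll
29.10.2006 21:44 2 stera.job
24.10.2006 12:15 82 url.dat
20.10.2006 18:45 2 stera.log
20.10.2006 02:38 716.800 sxs.dll
"""

if __name__ == "__main__":
    found = parse_dir_listing(SAMPLE)
    print("executables in temp:", executables_in_temp(found))
    for d, n, t in recent_singletons(found, "01.10.2006", r"C:\WINDOWS\system32"):
        print(t, d, n)
```

On the sample, the first check returns only Install_Messenger.exe, and the second returns stera.job, url.dat, stera.log and sxs.dll while leaving the four IE DLLs out because they share one timestamp. The heuristic narrows the list, it does not judge it: the three stera/url files are the ones that end up in the Avenger script further down in this thread, whereas a file like sxs.dll still has to be checked against the machine's update history before anyone touches it.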
10.02.2007, 16:01
Honorary member
Sabina

Posts: 29434
#12 1.
you haven't posted the ewido scan report yet

2.
post the datfindbat logs again
http://virus-protect.org/datfindbat.html
__________
Kind regards, Sabina

all about PC security
10.02.2007, 18:36
...new here

Thread starter

Posts: 8
#13 Volume in drive C is ACER
Volume Serial Number is 320D-180E

Directory of C:\WINDOWS\system32

09.02.2007 11:55 692 eRLog.ini
05.02.2007 11:10 1.158 wpa.dbl
17.01.2007 17:05 372.620 perfh00C.dat
17.01.2007 17:05 782.766 PerfStringBackup.INI
17.01.2007 17:05 316.184 perfh009.dat
17.01.2007 17:05 41.842 perfc009.dat
17.01.2007 17:05 50.802 perfc00C.dat
17.01.2007 08:45 263.024 FNTCACHE.DAT
16.01.2007 19:01 1.503 lvcoinst.log
06.01.2007 23:37 8.832 jupdate-1.5.0_10-b03.log
03.01.2007 00:19 10.980.776 MRT.exe
07.12.2006 06:29 2.374.472 wmvcore.dll
17.11.2006 19:27 1.048.576 ieframe.dll.mui
17.11.2006 19:26 12.288 advpack.dll.mui
16.11.2006 14:10 15.072 spmsg.dll
09.11.2006 15:07 127.078 javaws.exe
09.11.2006 15:07 49.265 jpicpl32.cpl
09.11.2006 13:28 53.346 javaw.exe
09.11.2006 13:28 49.248 java.exe
08.11.2006 06:07 679.424 inetcomm.dll
07.11.2006 21:03 670.720 mstime.dll
07.11.2006 21:03 1.162.240 urlmon.dll
07.11.2006 21:03 458.752 msfeeds.dll
07.11.2006 21:03 50.688 msfeedsbs.dll
07.11.2006 21:03 6.049.280 ieframe.dll
07.11.2006 21:03 27.136 jsproxy.dll
07.11.2006 21:03 475.648 mshtmled.dll
07.11.2006 21:03 156.160 msls31.dll
07.11.2006 21:03 191.488 iepeers.dll
07.11.2006 21:03 413.696 vbscript.dll
07.11.2006 21:03 180.736 ieui.dll
07.11.2006 21:03 131.584 extmgr.dll
07.11.2006 21:03 818.688 wininet.dll
07.11.2006 21:03 231.424 webcheck.dll
07.11.2006 21:03 3.577.856 mshtml.dll
07.11.2006 03:27 382.976 iedkcs32.dll
07.11.2006 03:27 229.376 ieaksie.dll
07.11.2006 03:26 152.064 ieakeng.dll
07.11.2006 03:26 71.680 admparse.dll
07.11.2006 03:26 55.296 iesetup.dll
07.11.2006 03:26 13.312 ieudinit.exe
07.11.2006 03:26 43.008 iernonce.dll
07.11.2006 03:26 54.784 ie4uinit.exe
07.11.2006 03:26 92.672 inseng.dll
07.11.2006 03:26 123.904 advpack.dll
07.11.2006 03:25 161.792 ieakui.dll
07.11.2006 03:24 56.483 ieuinit.inf
04.11.2006 14:14 1.245.696 msxml4.dll
29.10.2006 21:44 2 stera.job
24.10.2006 12:15 82 url.dat
20.10.2006 18:45 2 stera.log

20.10.2006 02:38 716.800 sxs.dll
17.10.2006 12:06 443.904 html.iec
17.10.2006 12:06 78.336 ieencode.dll
17.10.2006 12:05 206.336 WinFXDocObj.exe
17.10.2006 12:05 1.817.088 inetcpl.cpl
17.10.2006 12:05 105.984 url.dll
17.10.2006 12:05 192.000 msrating.dll
17.10.2006 12:05 40.960 licmgr10.dll
17.10.2006 12:04 101.376 occache.dll



ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Mediaplex
Path: C:\Documents and Settings\Dhiraj Sabharwal\Cookies\dhiraj_sabharwal@mediaplex[1].txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: C:\Documents and Settings\Dhiraj Sabharwal\Cookies\dhiraj_sabharwal@serving-sys[2].txt
Risk: Medium

Name: TrackingCookie.Doubleclick
Path: C:\Documents and Settings\Dhiraj Sabharwal\Cookies\dhiraj_sabharwal@doubleclick[1].txt
Risk: Medium

Name: TrackingCookie.Atdmt
Path: C:\Documents and Settings\Dhiraj Sabharwal\Cookies\dhiraj_sabharwal@atdmt[2].txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: C:\Documents and Settings\Dhiraj Sabharwal\Cookies\dhiraj_sabharwal@bs.serving-sys[2].txt
Risk: Medium

Name: TrackingCookie.Reliablestats
Path: C:\Documents and Settings\Dhiraj Sabharwal\Cookies\dhiraj_sabharwal@stats1.reliablestats[2].txt
Risk: Medium

Name: TrackingCookie.Doubleclick
Path: C:\Documents and Settings\Dhiraj Sabharwal\Cookies\dhiraj_sabharwal@doubleclick[2].txt
Risk: Medium

Name: TrackingCookie.Ivwbox
Path: C:\Documents and Settings\Dhiraj Sabharwal\Cookies\dhiraj_sabharwal@ivwbox[2].txt
Risk: Medium

Name: TrackingCookie.Weborama
Path: C:\Documents and Settings\Dhiraj Sabharwal\Cookies\dhiraj_sabharwal@weborama[2].txt
Risk: Medium

Name: TrackingCookie.Atdmt
Path: C:\Documents and Settings\Dhiraj Sabharwal\Cookies\dhiraj_sabharwal@atdmt[3].txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: C:\Documents and Settings\Dhiraj Sabharwal\Cookies\dhiraj_sabharwal@serving-sys[3].txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: C:\Documents and Settings\Dhiraj Sabharwal\Cookies\dhiraj_sabharwal@bs.serving-sys[3].txt
Risk: Medium

Name: Adware.Generic
Path: HKLM\SOFTWARE\Classes\CLSID\{052b12f7-86fa-4921-8482-26c42316b522}
Risk: Medium

Name: Adware.Isearch
Path: HKLM\SOFTWARE\Classes\CLSID\{a43385f0-7113-496d-96d7-b9b550e3fcca}
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\FWSvc
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\FWSvc\Security
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\FWSvc\Enum
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\vspf
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\vspf\Security
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\vspf\Enum
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Security
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Enum
Risk: Medium

Name: Adware.Generic
Path: HKU\S-1-5-21-2607219965-4166594964-4242986888-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522}
Risk: Medium

Name: Adware.WinAntiVirus
Path: HKU\S-1-5-21-2607219965-4166594964-4242986888-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}
Risk: Medium

Name: Adware.180Solutions
Path: HKU\S-1-5-21-2607219965-4166594964-4242986888-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56F1D444-11BF-4879-A12B-79CF0177F038}
Risk: Medium

Name: Adware.Isearch
Path: HKU\S-1-5-21-2607219965-4166594964-4242986888-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA}
Risk: Medium

Name: Adware.180Solutions
Path: HKU\S-1-5-21-2607219965-4166594964-4242986888-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA0D26BD-9029-431A-86E0-83152D67828A}
Risk: Medium

Name: Dialer.Small
Path: C:\Documents and Settings\Dhiraj Sabharwal\Local Settings\Temporary Internet Files\Content.IE5\4P30A0V7\srvdai[1].exe
Risk: High

Name: Dialer.Small
Path: C:\Documents and Settings\Dhiraj Sabharwal\Local Settings\Temporary Internet Files\Content.IE5\CS9JU5U1\srvdlb[1].exe
Risk: High

Name: Dialer.Small
Path: C:\Documents and Settings\Dhiraj Sabharwal\Local Settings\Temporary Internet Files\Content.IE5\0N6RIGKQ\srvdpm[1].exe
Risk: High

Name: Dialer.Small
Path: C:\Documents and Settings\Dhiraj Sabharwal\Local Settings\Temporary Internet Files\Content.IE5\0N6RIGKQ\srvvhb[1].exe
Risk: High

Name: TrackingCookie.Yieldmanager
Path: :mozilla.28:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: :mozilla.29:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: :mozilla.30:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: :mozilla.31:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Yieldmanager
Path: :mozilla.32:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Mediaplex
Path: :mozilla.50:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Ivwbox
Path: :mozilla.52:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Tradedoubler
Path: :mozilla.59:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Doubleclick
Path: :mozilla.61:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.95:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.96:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.97:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.98:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.99:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: :mozilla.100:C:\Documents and Settings\Dhiraj Sabharwal\Application Data\Mozilla\Firefox\Profiles\569pvl6i.default\cookies.txt
Risk: Medium

Name: Adware.180Solutions
Path: C:\Program Files\BearShare\BearShareZangoInstaller.exe/clientax.dll
Risk: Medium

Name: Adware.180Solutions
Path: C:\Program Files\BearShare\BearShareZangoInstaller.exe/clientax.dll
Risk: Medium

Name: Adware.Zango
Path: C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
Risk: Medium

Name: Downloader.Zlob.bfb
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP311\A0040016.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP311\A0040026.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP312\A0040102.EXE
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP313\A0040158.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP314\A0040202.EXE
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP314\A0040215.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP315\A0040248.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP315\A0040263.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP316\A0040277.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP316\A0040331.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP317\A0040358.EXE
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP317\A0040374.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP317\A0040693.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP318\A0040724.EXE
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP318\A0040737.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP319\A0040751.EXE
Risk: High

Name: Downloader.Zlob.bfb
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP319\A0040754.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP320\A0040773.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP320\A0040805.EXE
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP320\A0040888.exe
Risk: High

Name: Trojan.Dialer.rt
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP321\A0041227.exe
Risk: High

Name: Trojan.Agent.vg
Path: C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP321\A0041279.dll
Risk: High

Name: Trojan.Dialer.rt
Path: C:\avenger\backup.zip/avenger/udial.exe
Risk: High
10.02.2007, 18:43
Honorary member
Sabina

Posts: 29434
#14 dirri

Avenger
paste this in:

Quote

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\FWSvc
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk
HKLM\SYSTEM\CurrentControlSet\Services\vspf
HKLM\SOFTWARE\Classes\CLSID\{052b12f7-86fa-4921-8482-26c42316b522}
HKLM\SOFTWARE\Classes\CLSID\{a43385f0-7113-496d-96d7-b9b550e3fcca}

Files to delete:
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\url.dat
C:\WINDOWS\system32\stera.log

Folders to delete:
C:\Program Files\BearShare
C:\Documents and Settings\Dhiraj Sabharwal\Local Settings\Temporary Internet Files\Content.IE5\4P30A0V7
C:\Documents and Settings\Dhiraj Sabharwal\Local Settings\Temporary Internet Files\Content.IE5\CS9JU5U1
C:\Documents and Settings\Dhiraj Sabharwal\Local Settings\Temporary Internet Files\Content.IE5\0N6RIGKQ

»»
My Computer --> right-click, then Properties --> System Restore tab --> tick 'Turn off System Restore on all drives'.
(then turn it back on)

»»
scan again with ewido and let it delete everything that is still shown

»»
delete C:\avenger\backup.zip + empty the Recycle Bin
__________
Kind regards, Sabina

all about PC security
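How the Avenger script above follows from the ewido report, as an added example that is neither part of the thread nor ewido's or Avenger's own code. The Python below parses the Name/Path/Risk triples, collapses a service's \Security and \Enum subkeys onto the service key (deleting the key removes them anyway), counts cookie and restore-point hits as handled elsewhere (ewido removes the cookies on the rescan, switching System Restore off and on clears the restore points), turns an 'archive/member' hit into the archive file, turns a hit inside an IE cache subfolder into that whole subfolder, and prints the three sections in the format used above. Two things it deliberately does not reproduce: the three system32 files (stera.job, url.dat, stera.log) came from reading the datfind listing by hand, not from the report, and deleting the whole BearShare folder rather than the installer inside it was a judgement call. The sample report is constructed from the one above with the user name shortened to `user` and the SID shortened; the `per-user Ext\Stats entries are left to the rescan` rule mirrors what the script above does, not a general truth.

```python
"""Turn an ewido-style scan report (Name:/Path:/Risk: triples) into the three
Avenger sections used in the thread. Added example, not ewido's or Avenger's code."""
import re

ITEM_RE = re.compile(r"Name: (?P<name>.+)\nPath: (?P<path>.+)\nRisk: (?P<risk>\w+)")
HIVE_RE = re.compile(r"^(HKLM|HKU|HKCU|HKCR)\\", re.IGNORECASE)
CACHE_DIR_RE = re.compile(r"^(.*\\Content\.IE5\\[^\\]+)\\", re.IGNORECASE)
SERVICE_SUBKEYS = ("\\security", "\\enum")   # removed with the service key anyway


def parse_report(text):
    """Return the report as a list of {'name', 'path', 'risk'} dicts."""
    return [m.groupdict() for m in ITEM_RE.finditer(text)]


def plan_cleanup(items):
    """Sort report items into what Avenger should delete and what is handled elsewhere."""
    plan = {"registry": [], "files": [], "folders": [], "restore_points": 0, "cookies": 0}

    def add(kind, value):                 # keep first-seen order, drop duplicates
        if value not in plan[kind]:
            plan[kind].append(value)

    for item in items:
        name, path = item["name"], item["path"]
        low = path.lower()
        if name.startswith("TrackingCookie."):
            plan["cookies"] += 1           # browser cookies: the scanner deletes these itself
        elif HIVE_RE.match(path):
            if "\\ext\\stats\\" in low:
                continue                   # per-user IE add-on statistics, left to the rescan
            for sub in SERVICE_SUBKEYS:    # FWSvc\Security, FWSvc\Enum -> FWSvc
                if low.endswith(sub):
                    path = path[: -len(sub)]
            add("registry", path)
        elif "\\system volume information\\" in low:
            plan["restore_points"] += 1    # cleared by switching System Restore off and on
        elif "/" in path:                  # 'archive/member': delete the archive itself
            add("files", path.split("/", 1)[0])
        elif CACHE_DIR_RE.match(path):     # drop the whole IE cache subfolder, not one file
            add("folders", CACHE_DIR_RE.match(path).group(1))
        else:
            add("files", path)
    return plan


def render_avenger(plan):
    """Format the plan the way the Avenger script in the thread is written."""
    lines = ["Registry keys to delete:", *plan["registry"], "",
             "Files to delete:", *plan["files"], "",
             "Folders to delete:", *plan["folders"]]
    return "\n".join(lines)


# Constructed sample modelled on the ewido report in the thread (user name and SID shortened).
SAMPLE_ITEMS = [
    ("TrackingCookie.Yieldmanager", r":mozilla.28:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\x.default\cookies.txt", "Medium"),
    ("Adware.Generic", r"HKLM\SOFTWARE\Classes\CLSID\{052b12f7-86fa-4921-8482-26c42316b522}", "Medium"),
    ("Adware.WinAntiVirus", r"HKLM\SYSTEM\CurrentControlSet\Services\FWSvc", "Medium"),
    ("Adware.WinAntiVirus", r"HKLM\SYSTEM\CurrentControlSet\Services\FWSvc\Security", "Medium"),
    ("Adware.WinAntiVirus", r"HKLM\SYSTEM\CurrentControlSet\Services\vspf\Enum", "Medium"),
    ("Adware.Generic", r"HKU\S-1-5-21-1-1-1-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522}", "Medium"),
    ("Dialer.Small", r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4P30A0V7\srvdai[1].exe", "High"),
    ("Dialer.Small", r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\CS9JU5U1\srvdlb[1].exe", "High"),
    ("Adware.180Solutions", r"C:\Program Files\BearShare\BearShareZangoInstaller.exe/clientax.dll", "Medium"),
    ("Adware.Zango", r"C:\Program Files\Mozilla Firefox\plugins\npclntax.dll", "Medium"),
    ("Downloader.Zlob.bfb", r"C:\System Volume Information\_restore{2854697A-944D-4967-AF79-9FE82B61526D}\RP311\A0040016.exe", "High"),
    ("Trojan.Dialer.rt", r"C:\avenger\backup.zip/avenger/udial.exe", "High"),
]
SAMPLE_REPORT = "\n\n".join(f"Name: {n}\nPath: {p}\nRisk: {r}" for n, p, r in SAMPLE_ITEMS)

if __name__ == "__main__":
    plan = plan_cleanup(parse_report(SAMPLE_REPORT))
    print(render_avenger(plan))
    print(f"\n{plan['cookies']} cookie(s) and {plan['restore_points']} restore-point hit(s) left to the rescan / System Restore")
```

On the sample this yields the same three service keys and two CLSIDs as the script above, npclntax.dll plus the two archives as files, and the two Content.IE5 subfolders as folders. Note that C:\avenger\backup.zip lands in the file list because the scanner looked inside Avenger's own backup of the files it had already removed; Sabina had the user delete it by hand instead, which is the safer order (clean first, then discard the backup).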
02.03.2007, 12:23
...new here

Thread starter

Posts: 8
#15 Everything worked!! Thank you so, so much!!!

Awesome work you guys are doing here!!