Windows lahm! Herunterfahren nicht möglich!

#1 Hey Sabina,

ich schreibe hier für einen Freund! Er beklagt sich darüber, dass sein Windows XP Betriebsystem total lahm ist (==> Rechtsklick auf den Desktop ..3 Sekunden bis das Fenster erscheint!)
Die Arbeitsspeicherausleistung steigt bei kleinster Belastung(Ordner öffnen) auf 100%

Ein weiteres Problem:
Man fährt den PC normal herunter, und als er "Windows wird heruntergefahren" anzeigt, friert er ein, und man muss ihn manuell ausschalten!

Hier ist ein HiJackThis-Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 17:20:58, on 16.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programme\Java\jre1.5.0_11\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
E:\Setups\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.arcor.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.hardwareversand.de/6VYKM2IAGaHyhc/2/articledetail.jsp?aid=8562&agid=42
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - T-Online International AG, Marmiko IT-Solutions GmbH - C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE



Vielleicht kannst mir helfen!

Gruß
Johannes

#2 1.
er soll Agnitum-Firewall deaktivieren/deinstallieren

2.
er soll dieses log posten
http://virus-protect.org/artikel/tools/combofix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 1. Die Agnitum Firewall is nochtmehr da...war nurnoch der Ordner da(ohne Inhalt)

2.:

"Baggio" - 07-03-19 19:39:41 Service Pack 2
ComboFix 07-03-15.2 - Running from: "C:Dokumente und EinstellungenBaggioDesktop"

((((((((((((((((((((((((((((((( Files Created from 2007-02-19 to 2007-03-19 ))))))))))))))))))))))))))))))))))

2007-03-18 15:31118,832--a------C:WINDOWSsystem32SH W32.DLL
2007-03-17 19:45d--------C:ProgrammeLavasoft
2007-03-17 19:45d--------C:DOKUME~1BaggioANWEND~1La vasoft
2007-03-17 13:26368,912--a------C:WINDOWSsystem32vb ar332.dll
2007-03-17 09:55d--------C:DOKUME~1BaggioANWEND~1Op era
2007-03-17 09:54d--------C:ProgrammeOpera
2007-03-16 17:40d--------C:WINDOWSsystem32ActiveSca n
2007-03-16 17:18d--------C:DOKUME~1PILL~1Anwendungs daten
2007-03-16 17:18d--------C:DOKUME~1PILL~1ANWEND~1Op era
2007-03-16 17:09d--------C:ProgrammeWindows XP Optimizer
2007-03-13 18:13d--------C:CCleaner
2007-03-08 13:53d--------C:ProgrammeWLAN Monitor
2007-03-08 13:52d--------C:ProgrammeWLAN Quick-Starter
2007-03-03 11:03d--------C:ProgrammeKONAMI
2007-02-22 16:36d--------C:DOKUME~1PeterANWEND~1Sun

(((((((((((((((((((((((((((((((((((((((
((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))
))))))))))))

2007-03-18 15:30--------d--h-----C:Programmeinstall shield installation information
2007-03-16 17:31--------d--------C:Programmeelabora te bytes
2007-03-13 18:07--------d--------C:Programmemsn messenger
2007-03-13 18:07--------d--------C:Programmemesseng er plus! live
2007-03-11 12:15--------d--------C:Programmeicqlite
2007-02-17 12:13--------d--------C:Programmemicroso ft frontpage
2007-02-15 06:59--------d--------C:Programmejava
2007-01-29 17:54--------d--------C:Programmemicroso ft works
2007-01-28 10:020--a------C:WINDOWSnsreg.dat
2007-01-23 16:011152--a------C:WINDOWSmozver.dat
2007-01-20 17:06--------d--------C:Programmeolympus
2007-01-20 17:05--------d--------C:Programmequickti me
2007-01-19 12:5351056--a------C:WINDOWSsystem32sire nacm.dll
2007-01-08 19:0117408--a------C:WINDOWSsystem32corp ol.dll
2006-12-24 17:5798304--a------C:WINDOWSsystem32cmdl ineext.dll
2006-12-20 18:3763976--a------C:WINDOWSsystem32perf c007.dat
2006-12-20 18:37391574--a------C:WINDOWSsystem32per fh007.dat
2006-12-11 18:5562--ahs----C:DOKUME~1BaggioANWEND~1 desktop.ini

(((((((((((((((((((((((((((((((((((((((
( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
)))))))

*Note* empty entries & legit default entries are not shown


"CTFMON.EXE"="C:WINDOWSsystem32ctfmon.ex e"
"msnmsgr"=""C:ProgrammeMSN Messengermsnmsgr.exe" /background"


"SigmatelSysTrayApp"="stsystra.exe"
"SunJavaUpdateSched"=""C:ProgrammeJavajr e1.5.0_11injusched.exe""
"avgnt"=""C:ProgrammeAntiVir PersonalEdition Classicvgnt.exe" /min"
"Broadcom Wireless Manager UI"="C:WINDOWSsystem32WLTRAY.exe"


"BearShare"=""C:ProgrammeBearShareBearSh are.exe" /pause"
"DeviceDiscovery"="C:ProgrammeHewlett-Pa ckardDigital Imaginginhpotdd01.exe"
"HP Component Manager"=""C:ProgrammeHPhpcoretechhpcmpm gr.exe""
"HP Software Update"=""C:ProgrammeHewlett-PackardHP Software UpdateHPWuSchd.exe""




"Installed"="1"


"NoChange"="1"
"Installed"="1"


"Installed"="1"




"key"="SOFTWAREMicrosoftWindowsCurrentVe rsionRun"
"item"="ElbyCheck"
"hkey"="HKLM"
"command"=""C:ProgrammeElaborate BytesCloneCDElbyCheck.exe" /L ElbyCDFL"
"inimapping"="0"


"key"="SOFTWAREMicrosoftWindowsCurrentVe rsionRun"
"item"="emMon"
"hkey"="HKLM"
"command"="C:WINDOWSemMon.exe"
"inimapping"="0"


"key"="SOFTWAREMicrosoftWindowsCurrentVe rsionRun"
"item"="ICQLite"
"hkey"="HKLM"
"command"=""C:ProgrammeICQLiteICQLite.ex e" -minimize"
"inimapping"="0"


"key"="SOFTWAREMicrosoftWindowsCurrentVe rsionRun"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:WINDOWSsystem32hkcmd.exe"
"inimapping"="0"


"key"="SOFTWAREMicrosoftWindowsCurrentVe rsionRun"
"item"="igfxpers"
"hkey"="HKLM"
"command"="C:WINDOWSsystem32igfxpers.exe "
"inimapping"="0"


"key"="SOFTWAREMicrosoftWindowsCurrentVe rsionRun"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:WINDOWSsystem32igfxtray.exe "
"inimapping"="0"


"key"="SOFTWAREMicrosoftWindowsCurrentVe rsionRun"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"=""C:ProgrammeMSN MessengerMsnMsgr.Exe" /background"
"inimapping"="0"


"wuauserv"=dword:00000002
"TapiSrv"=dword:00000003
"WmdmPmSN"=dword:00000003
"usnjsvc"=dword:00000003
"ProtectedStorage"=dword:00000002
"PolicyAgent"=dword:00000002
"ImapiService"=dword:00000003
"CiSvc"=dword:00000003
"BITS"=dword:00000003
"aspnet_state"=dword:00000003
"AppMgmt"=dword:00000003
"ALG"=dword:00000003
"RSVP"=dword:00000003


"appinit_dlls"="c:progra~1agnitumoutpos~ 1wl_hook.dll"


"WPDShServiceObj"="[AAA288BA-9A4C-45B0-9 5D7-94D524869DB5]"


"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


HTTPFilterREG_MULTI_SZ HTTPFilter
LocalServiceREG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistry upnphostSSDPSRV
NetworkServiceREG_MULTI_SZ DnsCache
DcomLaunchREG_MULTI_SZ DcomLaunchTermService
rpcssREG_MULTI_SZ RpcSs
imgsvcREG_MULTI_SZ StiSvc
termsvcsREG_MULTI_SZ TermService
WudfServiceGroupREG_MULTI_SZ WUDFSvc

***************************************
***************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

***************************************
***************************

Completion time: 07-03-19 19:44:14
C:ComboFix2.txt ... 07-03-19 17:19

#4 ««
http://virus-protect.org/artikel/tools/sdfix.html
im Normalmodus

RunThis.bat doppelt klicken
reinschreiben: 3

3 : wird Sophos geladen - waehle 6 - scanne und poste den scanreport
__________
MfG Sabina

rund um die PC-Sicherheit