Trojaner "TR/Spy.Agent.42496"

#0
20.11.2007, 15:43
...neu hier

Beiträge: 5
#1 1. Temp besietigt

2. ComboFix im Edit, keine aktuelle Version :/

3. HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:54:23, on 20.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Programme\Gemeinsame Dateien\NMSAccessU.exe
C:\WINDOWS\system32\oodag.exe
C:\Apps\Softex\OmniPass\Omniserv.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programme\Gemeinsame Dateien\VMware\VMware Virtual Image Editing\vmount2.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Fingerprint Sensor\ATSwpNav.exe
C:\progra~1\softwin\bitdef~1\bdnagent.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Tools\Blasc\BLASC.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\plazes.com\Plazer 2.0\plazes.plazer.2.0.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Last.fm\LastFMHelper.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Programme\PDF-XChange SDK EndUser\PDFSaver.exe
C:\Programme\Miranda IM\miranda32.exe
C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
C:\Programme\Secunia\PSI (BETA)\PSI.exe
C:\Apps\Softex\OmniPass\OPXPApp.exe
C:\Programme\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programme\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
c:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Programme\Softwin\BitDefender8\vsserv.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wow-raiders.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ads_optimizer - {9C8A568E-4201-478a-8536-526CF371D2E2} - C:\WINDOWS\system32\nsx1B9.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Programme\Megaupload\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NECHotkey] mHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Programme\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ATSwpNav] "C:\Programme\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [{13-31-15-5F-ZN}] E:\Dokumente und Einstellungen\podssuwe\Lokale Einstellungen\Temp\TIP2D002.exe P2D002
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BLASC] "D:\Tools\Blasc\BLASC.exe" silent
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spamihilator] "C:\Programme\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [plazes.plazer.2.0] "C:\Programme\plazes.com\Plazer 2.0\plazes.plazer.2.0.exe" /winstart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programme\Octoshape Streaming Services\podssuwe\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Miranda IM.lnk = C:\Programme\Miranda IM\miranda32.exe
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: plazes launcher (.NET version).lnk = D:\Tools\Plazes\PlazesLauncher.exe
O4 - Startup: Secunia PSI (BETA).lnk = C:\Programme\Secunia\PSI (BETA)\PSI.exe
O4 - Startup: TA_Start.lnk = E:\Dokumente und Einstellungen\podssuwe\Lokale Einstellungen\Temp\TIP2D002.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Programme\Last.fm\LastFMHelper.exe
O4 - Global Startup: PDF-Capture.lnk = C:\Programme\PDF-XChange SDK EndUser\PDFSaver.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\ger.htm
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\Gemeinsame Dateien\NMSAccessU.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Apps\Softex\OmniPass\Omniserv.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Programme\Roxio\WinOnCD 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Programme\Gemeinsame Dateien\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Programme\Softwin\BitDefender8\vsserv.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Programme\Gemeinsame Dateien\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 14397 bytes

4. datfind

Verzeichnis von C:\WINDOWS\system32

20.11.2007 12:21 1.158 wpa.dbl
20.11.2007 12:18 227.271 OODBS.lor
13.11.2007 16:20 1.683.256 FNTCACHE.DAT
12.11.2007 18:12 17 msnav32.ax
05.11.2007 20:18 16.832 amcompat.tlb
05.11.2007 20:18 23.392 nscompat.tlb
02.11.2007 08:12 18.238.072 MRT.exe
30.10.2007 23:57 40.733 rightonadz-uninst.exe
30.10.2007 20:03 79.875 adssite-remove.exe
30.10.2007 19:15 139.264 nsx1B9.dll
30.10.2007 17:31 75.776 gzmrotate.dll
29.10.2007 16:07 373.760 xpsp3res.dll
28.10.2007 20:29 418.914 perfh007.dat
28.10.2007 20:29 75.968 perfc007.dat
28.10.2007 20:29 63.188 perfc009.dat
28.10.2007 20:29 403.968 perfh009.dat
28.10.2007 20:29 974.566 PerfStringBackup.INI
25.10.2007 17:42 8.501.248 shell32.dll
23.10.2007 11:36 5.628 jupdate-1.6.0_03-b05.log
08.10.2007 14:39 233.472 REX Shared Library.dll
08.10.2007 14:39 368.640 ReWire.dll
29.09.2007 04:21 9.854.976 atioglx2.dll
29.09.2007 04:07 356.352 ATIDEMGX.dll
29.09.2007 04:06 268.800 ati2dvag.dll
29.09.2007 03:58 143.360 atipdlxx.dll
29.09.2007 03:58 122.880 Oemdspif.dll
29.09.2007 03:58 26.112 Ati2mdxx.exe
29.09.2007 03:58 43.520 ati2edxx.dll
29.09.2007 03:57 122.880 ati2evxx.dll
29.09.2007 03:56 483.328 ati2evxx.exe
29.09.2007 03:55 53.248 ATIDDC.DLL
29.09.2007 03:49 307.200 atiiiexx.dll
29.09.2007 03:47 172.032 atiok3x2.dll
29.09.2007 03:47 3.130.720 ati3duag.dll
29.09.2007 03:36 1.593.600 ativvaxx.dll
29.09.2007 03:23 5.435.392 atioglxx.dll
29.09.2007 03:22 376.832 atikvmag.dll
29.09.2007 03:20 17.408 atitvo32.dll
29.09.2007 03:14 499.712 ati2cqag.dll
28.09.2007 20:05 593.920 ati2sgag.exe
24.09.2007 22:31 139.264 javaws.exe
24.09.2007 22:31 69.632 javacpl.cpl
24.09.2007 21:30 135.168 javaw.exe
24.09.2007 21:30 135.168 java.exe
16.09.2007 01:00 40.315 gzmrot-uninst.exe
10.09.2007 08:23 2.776 psi.inf
31.08.2007 14:04 222.488 snapapi.dll
29.08.2007 10:51 249.852 TZLog.log
21.08.2007 07:16 683.520 inetcomm.dll
20.08.2007 18:58 75.264 ninjaext.dll
20.08.2007 10:55 102.400 occache.dll
20.08.2007 10:55 105.984 url.dll
20.08.2007 10:55 1.152.000 urlmon.dll
20.08.2007 10:55 824.832 wininet.dll
20.08.2007 10:55 671.232 mstime.dll
20.08.2007 10:55 232.960 webcheck.dll
20.08.2007 10:55 3.584.512 mshtml.dll
20.08.2007 10:55 193.024 msrating.dll
20.08.2007 10:55 477.696 mshtmled.dll
20.08.2007 10:55 52.224 msfeedsbs.dll
20.08.2007 10:55 459.264 msfeeds.dll
20.08.2007 10:55 6.058.496 ieframe.dll
20.08.2007 10:55 1.824.768 inetcpl.cpl
20.08.2007 10:55 44.544 iernonce.dll
20.08.2007 10:55 267.776 iertutil.dll
20.08.2007 10:55 27.648 jsproxy.dll
20.08.2007 10:55 383.488 ieapfltr.dll
20.08.2007 10:55 230.400 ieaksie.dll
20.08.2007 10:55 384.512 iedkcs32.dll
20.08.2007 10:55 214.528 dxtrans.dll
20.08.2007 10:55 132.608 extmgr.dll
20.08.2007 10:55 63.488 icardie.dll
20.08.2007 10:55 153.088 ieakeng.dll
20.08.2007 10:55 124.928 advpack.dll
17.08.2007 11:19 13.824 ieudinit.exe
17.08.2007 11:19 63.488 ie4uinit.exe
17.08.2007 08:34 161.792 ieakui.dll
16.08.2007 00:55 139 iiSetup.log
14.08.2007 22:11 156.671 atiicdxx.dat

5. Pfad: C:\\WINDOWS\system32\ntos.exe
Dieser Beitrag wurde am 20.11.2007 um 15:56 Uhr von nextnexus editiert.
Seitenanfang Seitenende
20.11.2007, 16:28
Ehrenmitglied
Avatar Argus

Beiträge: 6028
#2 Schliesse alle Fenster und starte Hijack This
Klicke: Do a Systemscan only
Setze ein Häckchen in das Kästchen vor den genannten Eintrag bei

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: ads_optimizer - {9C8A568E-4201-478a-8536-526CF371D2E2} - C:\WINDOWS\system32\nsx1B9.dll
O4 - HKLM\..\Run: [{13-31-15-5F-ZN}] E:\Dokumente und Einstellungen\podssuwe\Lokale Einstellungen\Temp\TIP2D002.exe P2D002
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 –u
O4 - Startup: TA_Start.lnk = E:\Dokumente und Einstellungen\podssuwe\Lokale Einstellungen\Temp\TIP2D002.exe

klicke: Fix checked
Dein Internet Explorer muss geschlossen wenn Du Fix Checked klickst

Download: RVAXO by Smeenk,zum Desktop
Danach doppelklicken
Öffne die Datei RVAXO und doppelklick “RVAXO.cmd”
Moeglich startet der Uninstaller von ein Roquescanner schliesse es nicht ab aber lass es seine Arbeit tun
Dein Rechner wird neu gestartet,wenn nicht
Rechner neu starten und nochmals “RVAXO.cmd” doppelklicken
Poste nachher den logfile C:\ RVAXO-results.login dein folgender Bericht

SDFix
Download SDFix zum Desktop

Starte im abgesicherten Modus:
http://www.bsi.bund.de/av/texte/wiederher.htm

SDFix.zip entpacken
unter C:\ findet man nun den SDFix-Ordner

Doppelklick RunThis.bat
Schreibe: Y folge allen Anweisungen
Dann wird der Rechner neustarten
SDFix entfernt jetzt die gefundene Objekte
Kopiere den Inhalt des Berichts SophosReport.txt ” der jetzt auf dein Desktop steht in diesen Thread
Und ein log von Hijack This

NoteEs werden zwei Virenscanner benutzt,einer zuviel!
__________
MfG Argus
Seitenanfang Seitenende
20.11.2007, 16:42
...neu hier

Themenstarter

Beiträge: 5
#3 ----------------RVAXO.exe first run-------------

Files found:

C:\WINDOWS\system32\rightonadz-uninst.exe
C:\WINDOWS\system32\ninjaext.dll
C:\WINDOWS\system32\adssite-remove.exe
C:\WINDOWS\system32\gzmrot-uninst.exe
C:\WINDOWS\system32\gzmrotate.dll

Uninstallers Rogue scanners:


Folders Found:


Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------

Files found:

C:\WINDOWS\system32\ntos.exe
Folders Found:

C:\WINDOWS\system32\wsnpoem
--------------RVAXO.exe finished----------------
Dieser Beitrag wurde am 20.11.2007 um 16:55 Uhr von nextnexus editiert.
Seitenanfang Seitenende
20.11.2007, 17:00
Ehrenmitglied
Avatar Argus

Beiträge: 6028
#4 Oeffne die Datei RVAXO auf dein Desktop
Doppleklick Uninstall.cmd um alles von RVAXO zu entfernen
__________
MfG Argus
Seitenanfang Seitenende
20.11.2007, 17:20
...neu hier

Themenstarter

Beiträge: 5
#5 SDFix wie beschreiben ausgeführt. Nach Reboot konnte er Pfade nicht finden. Die Trojaner Meldung kommt aber nicht mehr.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20, on 2007-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Programme\Gemeinsame Dateien\NMSAccessU.exe
C:\WINDOWS\system32\oodag.exe
C:\Apps\Softex\OmniPass\Omniserv.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programme\Gemeinsame Dateien\VMware\VMware Virtual Image Editing\vmount2.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Apps\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Fingerprint Sensor\ATSwpNav.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Tools\Blasc\BLASC.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\plazes.com\Plazer 2.0\plazes.plazer.2.0.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Programme\Last.fm\LastFMHelper.exe
C:\Programme\PDF-XChange SDK EndUser\PDFSaver.exe
C:\Programme\Miranda IM\miranda32.exe
C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
C:\Programme\Secunia\PSI (BETA)\PSI.exe
C:\Programme\Microsoft ActiveSync\WCESMgr.exe
C:\Programme\Skype\Plugin Manager\SkypePM.exe
C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wow-raiders.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Programme\Megaupload\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NECHotkey] mHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Programme\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ATSwpNav] "C:\Programme\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BLASC] "D:\Tools\Blasc\BLASC.exe" silent
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spamihilator] "C:\Programme\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [plazes.plazer.2.0] "C:\Programme\plazes.com\Plazer 2.0\plazes.plazer.2.0.exe" /winstart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programme\Octoshape Streaming Services\podssuwe\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Miranda IM.lnk = C:\Programme\Miranda IM\miranda32.exe
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: plazes launcher (.NET version).lnk = D:\Tools\Plazes\PlazesLauncher.exe
O4 - Startup: Secunia PSI (BETA).lnk = C:\Programme\Secunia\PSI (BETA)\PSI.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Programme\Last.fm\LastFMHelper.exe
O4 - Global Startup: PDF-Capture.lnk = C:\Programme\PDF-XChange SDK EndUser\PDFSaver.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\ger.htm
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\Gemeinsame Dateien\NMSAccessU.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Apps\Softex\OmniPass\Omniserv.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Programme\Roxio\WinOnCD 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Programme\Gemeinsame Dateien\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 13018 bytes
Seitenanfang Seitenende
20.11.2007, 19:55
Ehrenmitglied
Avatar Argus

Beiträge: 6028
#6 Schliesse alle Fenster und starte Hijack This
Klicke: Do a Systemscan only
Setze ein Häckchen in das Kästchen vor den genannten Eintrag bei

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

klicke: Fix checked
Dein Internet Explorer muss geschlossen wenn Du Fix Checked klickst

Download Avenger zum Desktop
Alle Fenster muessen geschlossen sein
Starte Avenger
Anhaken “ Input script manually
Die "Lupe" rechts anklicken - View/edit script (wird sich öffnen)
kopiere rein:

Files to delete:
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\ntos.exe


Klicke die grüne Ampel
das Script wird nun ausgeführt, dann wird der PC nach Bestätigung (yes) neustarten
nach dem Neustart erscheint ein Log vom Avenger, kopiere es ab - mit rechtem Mausklick - kopieren - einfügen
__________
MfG Argus
Seitenanfang Seitenende
20.11.2007, 22:55
...neu hier

Themenstarter

Beiträge: 5
#7 Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uxcnj^bq

*******************

Script file located at: \??\C:\sidufumw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\wsnpoem not found!
Deletion of file C:\WINDOWS\system32\wsnpoem failed!

Could not process line:
C:\WINDOWS\system32\wsnpoem
Status: 0xc0000034



File C:\WINDOWS\system32\ntos.exe not found!
Deletion of file C:\WINDOWS\system32\ntos.exe failed!

Could not process line:
C:\WINDOWS\system32\ntos.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
Seitenanfang Seitenende
21.11.2007, 13:02
Ehrenmitglied
Avatar Argus

Beiträge: 6028
#8 DSS
Download dss zum Desktop
Doppelklick dss.exe
Kopiere den Inhalt des Berichts C:/ main.txt in dein folgender Bericht
__________
MfG Argus
Seitenanfang Seitenende
21.11.2007, 14:12
...neu hier

Themenstarter

Beiträge: 5
#9 Deckard's System Scanner v20071014.68
Run by podssuwe on 2007-11-21 14:07:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as podssuwe.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:09, on 2007-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Programme\Gemeinsame Dateien\NMSAccessU.exe
C:\WINDOWS\system32\oodag.exe
C:\Apps\Softex\OmniPass\Omniserv.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programme\Gemeinsame Dateien\VMware\VMware Virtual Image Editing\vmount2.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Fingerprint Sensor\ATSwpNav.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Tools\Blasc\BLASC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\plazes.com\Plazer 2.0\plazes.plazer.2.0.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\Last.fm\LastFMHelper.exe
C:\Programme\PDF-XChange SDK EndUser\PDFSaver.exe
C:\Programme\Miranda IM\miranda32.exe
C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
C:\Programme\Secunia\PSI (BETA)\PSI.exe
C:\Programme\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Apps\Softex\OmniPass\OPXPApp.exe
C:\Programme\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programme\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
E:\Dokumente und Einstellungen\podssuwe\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\podssuwe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wow-raiders.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Programme\Megaupload\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NECHotkey] mHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Programme\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ATSwpNav] "C:\Programme\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BLASC] "D:\Tools\Blasc\BLASC.exe" silent
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spamihilator] "C:\Programme\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [plazes.plazer.2.0] "C:\Programme\plazes.com\Plazer 2.0\plazes.plazer.2.0.exe" /winstart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programme\Octoshape Streaming Services\podssuwe\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Miranda IM.lnk = C:\Programme\Miranda IM\miranda32.exe
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: plazes launcher (.NET version).lnk = D:\Tools\Plazes\PlazesLauncher.exe
O4 - Startup: Secunia PSI (BETA).lnk = C:\Programme\Secunia\PSI (BETA)\PSI.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Programme\Last.fm\LastFMHelper.exe
O4 - Global Startup: PDF-Capture.lnk = C:\Programme\PDF-XChange SDK EndUser\PDFSaver.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\ger.htm
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.live.com/all/ps/_code_/Photosynth.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\Gemeinsame Dateien\NMSAccessU.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Apps\Softex\OmniPass\Omniserv.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Programme\Roxio\WinOnCD 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Programme\Gemeinsame Dateien\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Programme\Gemeinsame Dateien\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 12963 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071120-160054-198 F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20071120-160208-739 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20071120-164837-274 O4 - HKLM\..\Run: [{13-31-15-5F-ZN}] E:\Dokumente und Einstellungen\podssuwe\Lokale Einstellungen\Temp\TIP2D002.exe P2D002
backup-20071120-164837-419 F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
backup-20071120-164837-449 O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
backup-20071120-224808-936 F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 vstor2 (Vstor2 Virtual Storage Driver) - c:\programme\gemeinsame dateien\vmware\vmware virtual image editing\vstor2.sys <Not Verified; VMware, Inc.; VMware Workstation>
R3 PSI - c:\windows\system32\drivers\psi_mf.sys <Not Verified; Secunia; Secunia Personal Software Inspector>

S3 BDFsDrv - c:\programme\softwin\bitdefender8\bdfsdrv.sys (file missing)
S3 BDRsDrv - c:\programme\softwin\bitdefender8\bdrsdrv.sys (file missing)
S3 catchme - e:\dokume~1\podssuwe\lokale~1\temp\catchme.sys (file missing)
S3 FILESpy - c:\programme\softwin\bitdefender8\filespy.sys (file missing)
S3 REGSpy - c:\programme\softwin\bitdefender8\regspy.sys (file missing)
S3 VMnetAdapter (VMware Virtual Ethernet Adapter Driver) - c:\windows\system32\drivers\vmnetadapter.sys <Not Verified; VMware, Inc.; VMware virtual network adapter driver (32-bit)>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Planer) - "c:\programme\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - c:\programme\bonjour\mdnsresponder.exe <Not Verified; Apple Computer, Inc.; Bonjour>
R2 NMSAccessU - c:\programme\gemeinsame dateien\nmsaccessu.exe
R2 vmount2 (VMware Virtual Mount Manager Extended) - "c:\programme\gemeinsame dateien\vmware\vmware virtual image editing\vmount2.exe" <Not Verified; VMware, Inc.; VMware Workstation>
R2 x10nets (X10 Device Network Service) - c:\progra~1\common~1\x10\common\x10nets.exe <Not Verified; X10; x10 Module>

S3 FLEXnet Licensing Service - "c:\programme\gemeinsame dateien\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-21 14:00:00 234 --a------ C:\WINDOWS\Tasks\Erweiterte Garantie.job


-- Files created between 2007-10-21 and 2007-11-21 -----------------------------

2007-11-21 14:01:20 0 d-------- E:\Deckard
2007-11-20 17:13:04 1582 --a------ E:\Dokumente und Einstellungen\podssuwe\clean.reg
2007-11-20 17:03:50 0 d-------- C:\WINDOWS\ERUNT
2007-11-20 15:19:12 0 d-------- C:\Programme\Trend Micro
2007-11-15 20:24:34 0 d-------- C:\Programme\Avira
2007-11-14 13:21:10 0 d-------- C:\Programme\Microsoft CAPICOM 2.1.0.2
2007-11-13 16:57:04 0 d-------- C:\Programme\MSECache
2007-11-13 16:12:45 0 d-------- C:\Programme\Microsoft Works
2007-11-09 22:40:04 0 d-------- C:\Programme\JKDefrag
2007-11-09 22:37:36 0 d-------- C:\Programme\NT Registry Optimizer
2007-11-06 19:49:01 0 d-------- C:\Programme\Last.fm
2007-11-06 19:17:22 0 d-------- C:\Programme\Citrix
2007-11-05 17:40:54 0 d-------- C:\Programme\Windows Media Connect 2
2007-11-05 17:39:30 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-11-05 16:15:38 0 d-------- C:\Programme\Gemeinsame Dateien\Acronis
2007-11-05 16:15:38 0 d-------- C:\Programme\Acronis
2007-10-29 13:48:43 0 d-------- C:\Programme\Secunia
2007-10-23 16:52:42 0 --a------ C:\WINDOWS\ativpsrm.bin


-- Find3M Report ---------------------------------------------------------------

2007-11-21 14:06:43 0 d-------- E:\Dokumente und Einstellungen\podssuwe\Anwendungsdaten\Skype
2007-11-21 13:42:33 0 d-------- E:\Dokumente und Einstellungen\podssuwe\Anwendungsdaten\uTorrent
2007-11-06 19:38:51 0 d--h----- C:\Programme\InstallShield Installation Information
2007-11-06 19:17:27 0 d-------- E:\Dokumente und Einstellungen\podssuwe\Anwendungsdaten\ICAClient
2007-11-05 16:15:38 0 d-------- C:\Programme\Gemeinsame Dateien
2007-10-28 20:29:56 418914 --a------ C:\WINDOWS\system32\perfh007.dat
2007-10-28 20:29:56 75968 --a------ C:\WINDOWS\system32\perfc007.dat
2007-10-23 11:36:13 0 d-------- C:\Programme\Java
2007-10-20 14:00:43 0 d-------- C:\Programme\Opera
2007-10-20 13:52:23 0 d--h----- C:\Programme\Zero G Registry
2007-10-20 13:52:14 0 d-------- C:\Programme\steam application launcher
2007-10-18 10:06:18 0 d-------- C:\Programme\Microsoft ActiveSync
2007-10-18 09:53:42 0 d-------- C:\Programme\Octoshape Streaming Services
2007-10-18 09:52:26 0 d-------- C:\Programme\FrostWire
2007-10-18 09:52:09 0 d-------- C:\Programme\East West
2007-10-08 14:40:07 0 d-------- E:\Dokumente und Einstellungen\podssuwe\Anwendungsdaten\Propellerhead Software
2007-10-08 14:39:48 233472 --a------ C:\WINDOWS\system32\REX Shared Library.dll <Not Verified; Propellerhead Software AB; REX SDK>
2007-10-08 14:39:48 368640 --a------ C:\WINDOWS\system32\ReWire.dll <Not Verified; Propellerhead Software AB; ReWire>
2007-10-04 12:04:15 0 d-------- E:\Dokumente und Einstellungen\podssuwe\Anwendungsdaten\Miranda IM
2007-10-04 12:04:09 0 d-------- C:\Programme\Miranda IM
2007-10-02 12:35:57 0 d-------- E:\Dokumente und Einstellungen\podssuwe\Anwendungsdaten\Megaupload
2007-10-02 12:25:44 0 d-------- C:\Programme\Megaupload
2007-10-02 12:25:11 0 d-------- E:\Dokumente und Einstellungen\podssuwe\Anwendungsdaten\InstallShield
2007-09-28 20:05:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2007-09-22 13:46:41 0 d-------- C:\Programme\PDF-XChange SDK EndUser
2007-09-04 14:31:32 3936 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 14:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 14:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 14:00]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:34]
"NECHotkey"="mHotkey.exe" [2006-01-11 10:29 C:\WINDOWS\mHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"AzMixerSel"="C:\Programme\Realtek\InstallShield\AzMixerSel.exe" [2005-06-08 15:55]
"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 12:25 C:\WINDOWS\RTHDCPL.EXE]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"ATSwpNav"="C:\Programme\Fingerprint Sensor\ATSwpNav -run" []
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2006-03-10 01:47]
"StartCCC"="C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"Sony Ericsson PC Suite"="C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 09:14]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2006-03-10 01:43]
"TrueImageMonitor.exe"="C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 02:52]
"AcronisTimounterMonitor"="C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 03:02]
"Acronis Scheduler2 Service"="C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" [2007-09-14 02:55]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-11-15 20:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BLASC"="D:\Tools\Blasc\BLASC.exe" [2007-10-26 16:08]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-08-17 02:45]
"Spamihilator"="C:\Programme\Spamihilator\spamihilator.exe" []
"plazes.plazer.2.0"="C:\Programme\plazes.com\Plazer 2.0\plazes.plazer.2.0.exe" [2007-09-05 13:41]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-26 20:09]
"Octoshape Streaming Services"="C:\Programme\Octoshape Streaming Services\podssuwe\OctoshapeClient.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]

E:\Dokumente und Einstellungen\podssuwe\Startmen\Programme\Autostart\
Adobe Gamma.lnk - C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
Miranda IM.lnk - C:\Programme\Miranda IM\miranda32.exe [2007-10-18 03:27:14]
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Apps\Softex\OmniPass\opxpgina.dll 2005-08-12 17:01 49152 C:\APPS\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^SharpReader.lnk]
path=E:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\SharpReader.lnk
backup=C:\WINDOWS\pss\SharpReader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"C:\Programme\Google\Google Talk\googletalk.exe" /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"C:\Programme\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OmniPass]
C:\Apps\Softex\OmniPass\scureapp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmpcSys]
C:\APPS\SMP\SmpSys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
D:\Tools\Spybot - Search & Destroy\TeaTimer.exe




-- End of Deckard's System Scanner: finished at 2007-11-21 14:10:24 ------------
Seitenanfang Seitenende
21.11.2007, 14:37
Ehrenmitglied
Avatar Argus

Beiträge: 6028
#10 Entferne die Backups von Hijack This
C:\PROGRA~1\TRENDM~1\HIJACK~1\backups

Kein ntos.exe mehr zu sehen

Systemwiederherstellung
Arbeitsplatz-->Rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.
Neu Starten
Dann wieder aktivieren (Häkchen entfernen)

Benutze mal ein Onlinescanner
http://www.kaspersky.com/de/virusscanner

Solltest deine passwoerter aendern!
__________
MfG Argus
Seitenanfang Seitenende