Google always links to the wrong page the first two times

#0
28.01.2008, 00:35
...new here
Posts: 1

28.01.2008, 11:54
Honorary member
Posts: 1441
#17
toppah
1. Download fixwareout (don't run it yet): http://www.virus-protect.org/artikel/tools/fixwareout.html
2. HijackThis: close all windows and start HijackThis. Click "Do a system scan only". Tick the box in front of the entry quoted below and choose "Fix checked".
Quote:
O17 - HKLM\System\CCS\Services\Tcpip\..\{2257CB65-5CB8-4077-94F5-39CAF5A37138}: NameServer = 85.255.114.107,85.255.112.84
3. Run fixwareout. The computer will restart. Post the report that appears here.
4. Post the ComboFix log: http://www.virus-protect.org/artikel/tools/combofix.html
__________
Regards, Pinguin
I'm in the middle of updating my site and programs: http://www.virus-protect.org/
30.01.2008, 03:37
Member
Posts: 16
#18
same problem:
As soon as I google something and then click a link in the search results, the first two attempts take me to some random website and not the one the link points to; on the third try it works. Here is my HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:02:38, on 29/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\DesktopEarth\DesktopEarth.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Downloads\HiJackThis202.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - Startup: AutorunsDisabled
O4 - Startup: DesktopEarth AutoStart.lnk = ?
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://olobova.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E568BDF-F037-40E2-9A03-0B77C923A338}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBEF5E70-0492-460C-9A08-C6EE4FDBDB81}: NameServer = 85.255.115.50,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6454753-1FAE-4F92-BB91-408D5F73E9D9}: NameServer = 85.255.115.50,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB14D303-DF55-4B0D-92D1-4E50ED49F8B6}: NameServer = 85.255.115.50,85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF56BEFE-2CB7-4700-82AB-45789445149F}: NameServer = 85.255.115.50,85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 8328 bytes

What now? The same 3 steps as my predecessors?
30.01.2008, 08:38
Honorary member
Posts: 1441
#19
heiri
1. Download fixwareout (don't run it yet): http://www.virus-protect.org/artikel/tools/fixwareout.html
2. HijackThis: close all windows and start HijackThis. Click "Do a system scan only". Tick the box in front of the entry quoted below and choose "Fix checked".
Quote:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E568BDF-F037-40E2-9A03-0B77C923A338}: NameServer = 208.67.220.220,208.67.222.222
3. Run fixwareout. The computer will restart. Post the report that appears here.
4. Post the ComboFix log: http://www.virus-protect.org/artikel/tools/combofix.html, plus the HijackThis log once more.
__________
Regards, Pinguin
I'm in the middle of updating my site and programs: http://www.virus-protect.org/
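The check Pinguin is doing by eye on the O17 lines (in his instructions above and in heiri's HijackThis log), as an added example that is not from this thread nor from HijackThis or fixwareout: it parses the O17 lines of a HijackThis log, expands the abbreviated key to the real Tcpip\Parameters\Interfaces\{GUID} path that fixwareout later clears DhcpNameServer under, and flags every resolver that is not on an allowlist. The allowlist (the OpenDNS pair quoted in the thread) and the sample lines are assumptions constructed for the example.

```python
r"""Flag DNS-hijack indicators in HijackThis O17 lines.

Added example, not code from the thread, HijackThis or fixwareout. It reads
"O17 - HKLM\System\...: NameServer = a,b" lines and reports every resolver
that is not on an allowlist of resolvers the machine is supposed to use.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the O17 lines posted in this thread.
SAMPLE_HJT_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3E568BDF-F037-40E2-9A03-0B77C923A338}: NameServer = 208.67.220.220,208.67.222.222",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{BBEF5E70-0492-460C-9A08-C6EE4FDBDB81}: NameServer = 85.255.115.50,85.255.112.148",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2257CB65-5CB8-4077-94F5-39CAF5A37138}: NameServer = 85.255.114.107,85.255.112.84",
    r"O4 - HKLM\..\Run: [avgnt] C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe /min",
]

# Assumption: the resolvers this machine should be using (the OpenDNS pair
# from the thread). Replace with your ISP's or your own resolvers.
TRUSTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\\S+?): NameServer = (?P<servers>\S*)$")
GUID_RE = re.compile(r"\{([0-9A-Fa-f-]+)\}")
# HijackThis abbreviations for the control-set names in the O17 key.
CONTROL_SETS = {"CCS": "CurrentControlSet", "CS1": "ControlSet001", "CS2": "ControlSet002"}


def parse_o17(line: str) -> Optional[Tuple[str, Optional[str], List[str]]]:
    """Return (abbreviated key, interface GUID or None, resolver list), or None for non-O17 lines."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    key = m.group("key")
    guid_match = GUID_RE.search(key)
    guid = guid_match.group(1) if guid_match else None  # None: the global Tcpip\Parameters value
    servers = [s for s in m.group("servers").split(",") if s]
    return key, guid, servers


def registry_path(key: str) -> str:
    r"""Expand the O17 key to the full registry path.

    HijackThis writes 'Tcpip\..\{GUID}' for Tcpip\Parameters\Interfaces\{GUID},
    which is the key whose NameServer/DhcpNameServer values fixwareout clears.
    """
    parts = key.split("\\")  # ['HKLM', 'System', 'CCS', 'Services', 'Tcpip', '..', '{GUID}']
    control_set = CONTROL_SETS.get(parts[2], parts[2])
    tail = parts[5:]
    if tail and tail[0] == "..":
        tail = ["Parameters", "Interfaces"] + tail[1:]
    return "\\".join(["HKLM", "SYSTEM", control_set, "Services", "Tcpip"] + tail)


def classify_resolver(addr: str, trusted=TRUSTED_RESOLVERS) -> str:
    """'trusted' if allowlisted, 'local' for RFC 1918/loopback (a home router),
    'untrusted' for any other routable address, 'malformed' if not an IP at all."""
    if addr in trusted:
        return "trusted"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if ip.is_private or ip.is_loopback:
        return "local"
    return "untrusted"


def audit_o17(lines, trusted=TRUSTED_RESOLVERS) -> List[Dict]:
    """One finding per O17 line; 'hijacked' is True when any resolver is untrusted."""
    findings = []
    for line in lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue  # not an O17 line
        key, guid, servers = parsed
        verdicts = {s: classify_resolver(s, trusted) for s in servers}
        findings.append({
            "key": key,
            "registry_path": registry_path(key),
            "interface": guid,
            "servers": servers,
            "verdicts": verdicts,
            "hijacked": any(v == "untrusted" for v in verdicts.values()),
        })
    return findings


def hijacked_keys(lines, trusted=TRUSTED_RESOLVERS) -> List[str]:
    """Full registry paths whose NameServer points outside the allowlist."""
    return [f["registry_path"] for f in audit_o17(lines, trusted) if f["hijacked"]]


if __name__ == "__main__":
    for finding in audit_o17(SAMPLE_HJT_LINES):
        flag = "HIJACKED" if finding["hijacked"] else "ok"
        print(f"{flag:8} {finding['registry_path']} -> {finding['verdicts']}")
```

A DhcpNameServer value from a fixwareout report can be fed to classify_resolver the same way; the allowlist, not the 85.255.x.x range, is what makes the verdict, so newly hijacked addresses are caught too.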
30.01.2008, 09:40
Member
Posts: 16
#20
OK, first the fixwareout:
Username "user" - 30/01/2008 14:28:27 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdxhx.exe"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3E568BDF-F037-40E2-9A03-0B77C923A338}
"DhcpNameServer"="85.255.115.50,85.255.112.148" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C1FBE432-7536-4344-911E-F647AF518A1A}
"DhcpNameServer"="85.255.115.50,85.255.112.148" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{C6454753-1FAE-4F92-BB91-408D5F73E9D9}
"DhcpNameServer"="85.255.115.50,85.255.112.148" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{EF56BEFE-2CB7-4700-82AB-45789445149F}
"DhcpNameServer"="85.255.115.50,85.255.112.148" <Value cleared.
Could not flush the DNS Resolver Cache: Function failed during execution.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdxhx.ren 73754 13/06/2007
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
  65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"RocketDock"="\"C:\\WINDOWS\\BricoPacks\\Vista Inspirat 2\\RocketDock\\RocketDock.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

The ComboFix log (ComboFix 08-01-30.5, run 2008-01-30 on Windows XP Professional 5.1.2600; the full file, registry and driver listing is not reproduced here):
And the HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:42:46, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
D:\Program Files\DesktopEarth\DesktopEarth.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\WINDOWS\explorer.exe
E:\Downloads\HiJackThis202.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - Startup: AutorunsDisabled
O4 - Startup: DesktopEarth AutoStart.lnk = ?
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://olobova.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 5975 bytes

This post was edited by heiri on 30.01.2008 at 09:48.
30.01.2008, 10:15
Honorary member
Posts: 1441
#21
heiri
Start - Run - regedit
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1) - change to 0
"NoResolveSearch"= 1 (0x1) - change to 0
Restart the PC

«« AVZ
http://www.virus-protect.org/artikel/tools/avz.html
Run a scan with AVZ + post the report
__________
Regards, Pinguin
I'm in the middle of updating my site + programs: http://www.virus-protect.org/
30.01.2008, 10:39
Member
Posts: 16
#22
Oops, I didn't do that before the scan!! Should I catch up on it and scan again?:

Start - Run - regedit
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1) - change to 0
"NoResolveSearch"= 1 (0x1) - change to 0
Restart the PC

I only updated this but didn't select a drive!? That wasn't in the description either. Here's the log:

AVZ Antiviral Toolkit log; AVZ version is 4.29
Scanning started at 30/01/2008 17:33:51
Database loaded: signatures - 147597, NN profile(s) - 2, microprograms of healing - 55, signature database released 29.01.2008 21:50
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 68697
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Recovery: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=08A500)
Kernel TUKERNEL.EXE found in memory at address 804D7000
SDT = 80561500
KiST = 804E48B0 (284)
Function NtCreateThread (35) intercepted (805849B2->F7B6166C), hook not defined
Function NtOpenProcess (7A) intercepted (8057908C->F7B61658), hook not defined
Function NtOpenThread (80) intercepted (805B132C->F7B6165D), hook not defined
Function NtTerminateProcess (101) intercepted (8058C399->F7B61667), hook not defined
Function NtWriteVirtualMemory (115) intercepted (8058698B->F7B61662), hook not defined
Functions checked: 284, intercepted: 5, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: the extended monitoring driver (AVZPM) is not installed
2. Scanning memory
Number of processes found: 24
Number of modules loaded: 301
Memory checking - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\WINDOWS\system32\credui.dll --> Suspicion for a Keylogger or Trojan DLL
C:\WINDOWS\system32\credui.dll>>> Behavioral analysis: Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed Alerter (Alerter)
>> Services: potentially dangerous service allowed Schedule (Task Scheduler)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking complete
9. Troubleshooting wizard
>> Thaw-maut end of services is outside of admissible values
Checking complete
Files scanned: 325, extracted from archives: 0, malicious programs found 0, suspicions - 0
Scanning finished at 30/01/2008 17:34:26
Time of scanning: 00:00:36
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference

If I did something wrong, just let me know ;-) Thanks for the help anyway!!!
30.01.2008, 11:57
Honorary member
Posts: 1441
#23
heiri
«« You can still change the registry entries - then restart the computer

«« Start > Run --> type in --> cmd and OK. Paste in:

Code
dir /s /a "c:\sxs2*.*" > c:\find.txt & start notepad c:\find.txt

Post what appears
__________
Regards, Pinguin
I'm in the middle of updating my site + programs: http://www.virus-protect.org/
30.01.2008, 13:51
Member
Posts: 16
#24
I'm online on the infected computer now, but booted with Kubuntu.
I have 2 problems:
1. I can no longer get on the web via Windows.
2. In the registry there is no HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer on my machine!! What I have is: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer, but these are missing there:
"NoStrCmpLogical"= 1 (0x1) - change to 0
"NoResolveSearch"= 1 (0x1) - change to 0
30.01.2008, 14:31
Honorary member
Posts: 1441
#25
««
For the connection problem, run the file dsnbak.reg in the fixwareout directory
+ My Computer - Control Panel - Network, TCP/IP properties, General tab, options: obtain an IP address automatically + obtain DNS server address automatically - tick both - then report how it goes...
+ post the new HijackThis log
__________
Regards, Pinguin
I'm in the middle of updating my site + programs: http://www.virus-protect.org/
30.01.2008, 15:13
Member
Posts: 16
#26
OK, the internet is working and Google took me straight to the right page on the first click. So far so good.

Here's the output from cmd:
Volume in drive C has no label.
Volume Serial Number is 8C28-F472

Is there anything else to update or install? Here's the HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:07:10, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
D:\Program Files\DesktopEarth\DesktopEarth.exe
C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Downloads\HiJackThis202.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - Startup: AutorunsDisabled
O4 - Startup: DesktopEarth AutoStart.lnk = ?
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: Thoosje Vista Sidebar.lnk = C:\Program Files\Thoosje Sidebar V2.3\Thoosje Vista Sidebar.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://olobova.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O24 - Desktop Component 0: (no name) - (no file)

-- End of file - 6021 bytes

Quote:
[autorun]
30.01.2008, 15:18
Honorary member
Posts: 1441
#27
««
Search for: autorun.inf - right-click - open with the text editor - post here what it contains

«« It looks pretty good so far.
Scan with Kaspersky + post the report
http://board.protecus.de/t8642.htm
__________
Regards, Pinguin
I'm in the middle of updating my site + programs: http://www.virus-protect.org/
30.01.2008, 15:28
Member
Posts: 16
#28
Thanks a lot, but we're not done yet: I have a second PC hanging on my network as a data server and above all a media server. It's an old Pentium 3 machine, which is why I haven't installed an antivirus on it :-( I thought a server wouldn't need one, even though it runs XP!!

Here's the HJT. To my knowledge it looks fine, but better to ask you ;-) And should I install an AV?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:39:40, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\MusicIP\MusicIP Mixer\MusicMagicServer.exe
C:\Program Files\Simese\Simese.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\HiJackThis202.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197526937161
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C24AB7F9-BA40-435A-9AB6-156DBE546FFA}: NameServer = 192.168.1.1
O23 - Service: MusicIP Server - Unknown owner - C:\Program Files\MusicIP\MusicIP Mixer\MusicMagicServer.exe
O23 - Service: SimeseServer - Mattic - C:\Program Files\Simese\Simese.exe

-- End of file - 3048 bytes
30.01.2008, 17:06
Honorary member
Posts: 6028
#29
About your first computer:

Java
Your Java software is outdated. Download jre-6u4-windows-i586-p-iftw.exe
Scroll down to ----> Java Runtime Environment (JRE) 6 Update 4
The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
Click Download
Tick ---> "Accept License Agreement".
Click "Windows Offline Installation, Multi-language" to save "jre-6u3-windows-i586-p.exe" to the desktop
Close all programs, including your web browser
Via "Start -> Settings -> Control Panel -> Add/Remove Programs" remove all older versions of Java Runtime Environment (JRE or J2SE)
Also remove them under C:\Programme\Java!
After everything has been removed ---> restart the computer
Now install from the desktop ---> jre-6u4-windows-i586-p-iftw.exe
__________
Regards, Argus
30.01.2008, 17:17
Member
Posts: 16
#30
Thanks, I'm downloading Java and will install it right away. Meanwhile Kaspersky found this:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, 31 January 2008 00:07:24
Operating system: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.1
Last update of antivirus databases: 30/01/2008
Number of entries in antivirus databases: 538096
-------------------------------------------------------------------------------

Scan settings:
Use the following antivirus databases for scanning:
Scan extended archives: yes
Scan mail databases: yes

Scan object - Critical Objects:
C:\WINDOWS
C:\DOCUME~1\user\LOCALS~1\Temp\

Scan results:
Total objects scanned: 20156
Viruses found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan time: 00:14:55

Name of infected object / Virus name / Last action
C:\WINDOWS\Debug\PASSWD.LOG / Object is locked / skipped
C:\WINDOWS\Internet Logs\tvDebug.log / Object is locked / skipped
C:\WINDOWS\SchedLgU.Txt / Object is locked / skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log / Object is locked / skipped
C:\WINDOWS\Sti_Trace.log / Object is locked / skipped
C:\WINDOWS\system32\CatRoot2\edb.log / Object is locked / skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb / Object is locked / skipped
C:\WINDOWS\system32\config\AppEvent.Evt / Object is locked / skipped
C:\WINDOWS\system32\config\DEFAULT / Object is locked / skipped
C:\WINDOWS\system32\config\default.LOG / Object is locked / skipped
C:\WINDOWS\system32\config\Internet.evt / Object is locked / skipped
C:\WINDOWS\system32\config\SAM / Object is locked / skipped
C:\WINDOWS\system32\config\SAM.LOG / Object is locked / skipped
C:\WINDOWS\system32\config\SecEvent.Evt / Object is locked / skipped
C:\WINDOWS\system32\config\SECURITY / Object is locked / skipped
C:\WINDOWS\system32\config\SECURITY.LOG / Object is locked / skipped
C:\WINDOWS\system32\config\SOFTWARE / Object is locked / skipped
C:\WINDOWS\system32\config\software.LOG / Object is locked / skipped
C:\WINDOWS\system32\config\SysEvent.Evt / Object is locked / skipped
C:\WINDOWS\system32\config\SYSTEM / Object is locked / skipped
C:\WINDOWS\system32\config\system.LOG / Object is locked / skipped
C:\WINDOWS\system32\h323log.txt / Object is locked / skipped
C:\WINDOWS\system32\LMIinit.dll.000.bak / Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a / skipped
C:\WINDOWS\system32\pCastCtl.dll / Infected: not-a-virus:AdWare.Win32.Dudu.f / skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP / Object is locked / skipped
C:\WINDOWS\wiadebug.log / Object is locked / skipped
C:\WINDOWS\wiaservc.log / Object is locked / skipped
C:\WINDOWS\WindowsUpdate.log / Object is locked / skipped
C:\DOCUME~1\user\LOCALS~1\Temp\Perflib_Perfdata_73c.dat / Object is locked / skipped
C:\DOCUME~1\user\LOCALS~1\Temp\~DFF2C7.tmp / Object is locked / skipped

The scan has been completed.
Please help!!
Here's the logfile from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 00:24:59, on 28.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Programme\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Genie-Soft\GBMPro7Du\GBMAgent.exe
C:\Programme\AVG Anti-Spyware 7.5\avgas.exe
C:\Programme\PowerArchiver\PASTARTER.EXE
C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
C:\Programme\DAEMON Tools Lite\daemon.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AVG Anti-Spyware 7.5\guard.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Hewlett-Packard\Shared\HpqToaster.exe
C:\Programme\ICQ6\ICQ.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Real\RealPlayer\realplay.exe
C:\Kaspersky Lab Tool\setup_7.0.0.180_27.01.2008_03-57[1].exe
C:\Kaspersky Lab Tool\setup_7.0.0.180_27.01.2008_03-57[1].exe
C:\Programme\PowerArchiver\POWERARC.EXE
C:\DOKUME~1\Steffen\LOKALE~1\Temp\_PA358\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bild.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programme\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Programme\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BIH] C:\WINDOWS\system32\rundll32.exe bih.dll,InitGauge
O4 - HKLM\..\Run: [GBMPro7Agent] C:\Programme\Genie-Soft\GBMPro7Du\GBMAgent.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programme\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVP] "C:\Kaspersky Lab Tool\setup_7.0.0.180_27.01.2008_03-57[1].exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Programme\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [GBMPro7Agent] C:\Programme\Genie-Soft\GBMPro7Du\GBMAgent.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2257CB65-5CB8-4077-94F5-39CAF5A37138}: NameServer = 85.255.114.107,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A442902-43DF-4293-8997-A236CEEC5D29}: NameServer = 85.255.114.107,85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{2257CB65-5CB8-4077-94F5-39CAF5A37138}: NameServer = 85.255.114.107,85.255.112.84
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.84
O17 - HKLM\System\CS2\Services\Tcpip\..\{2257CB65-5CB8-4077-94F5-39CAF5A37138}: NameServer = 85.255.114.107,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.84
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Programme\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programme\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programme\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: setup_7.0.0.180_27.01.2008_03-57[1] - Unknown owner - C:\Kaspersky Lab Tool\setup_7.0.0.180_27.01.2008_03-57[1].exe" -r (file missing)
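The hijack in this thread lives in the O17 lines of the log above: every Tcpip NameServer value, in the per-interface keys and in the global Parameters key, and under CCS, CS1 and CS2 alike, points at 85.255.114.107 and 85.255.112.84 instead of the router or the ISP's resolvers, which is why every Google result was redirected. The script below is an added example, not code from the thread or from HijackThis: it parses O17 lines, flags resolvers that are neither private addresses nor on a trusted list the caller supplies, and lists the control sets that still reference them, because a fix applied only through CurrentControlSet leaves the copy in the other control set in place. The two sample logs are constructed from the O17 lines posted in this thread (the hijacked laptop above, and the media server from post #28 whose resolver is the LAN router 192.168.1.1).

```python
"""Detect hijacked DNS resolver settings in HijackThis O17 entries.

Added example, not code from the thread or from HijackThis. It parses the
O17 lines HijackThis prints for the Tcpip NameServer registry values and
flags every resolver that is neither a private / link-local / loopback
address nor on a caller-supplied trusted list.
"""
import ipaddress
import re

# HijackThis O17 line formats seen in this thread:
#   O17 - HKLM\System\<ControlSet>\Services\Tcpip\..\{<interface GUID>}: NameServer = a,b
#   O17 - HKLM\System\<ControlSet>\Services\Tcpip\Parameters: NameServer = a b
# Per-interface keys list servers comma-separated, the global key space-separated.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|(?P<params>Parameters))"
    r": NameServer = (?P<servers>.+?)\s*$"
)

# Constructed sample input: the hijacked laptop's O17 block (post #0 above),
# plus one unrelated line to show that non-O17 entries are ignored.
HIJACKED_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{2257CB65-5CB8-4077-94F5-39CAF5A37138}: NameServer = 85.255.114.107,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A442902-43DF-4293-8997-A236CEEC5D29}: NameServer = 85.255.114.107,85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.84
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.107 85.255.112.84
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
"""

# Constructed sample input: the media server's O17 line (post #28); resolver is the LAN router.
CLEAN_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{C24AB7F9-BA40-435A-9AB6-156DBE546FFA}: NameServer = 192.168.1.1
"""


def parse_o17(log_text):
    """Return one dict per O17 NameServer entry: control set, interface GUID (or None), servers."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append({
            "control_set": m.group("cs"),
            "interface": m.group("iface"),  # None for the global Parameters key
            "servers": servers,
        })
    return entries


def is_expected_resolver(server, trusted):
    """A resolver is expected if it is explicitly trusted or a private/link-local/loopback address."""
    if server in trusted:
        return True
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP literal at all: treat as suspicious
    return addr.is_private or addr.is_link_local or addr.is_loopback


def find_rogue_resolvers(log_text, trusted=()):
    """Map each unexpected resolver IP to the registry locations (control set\\key) that reference it."""
    trusted = set(trusted)
    rogue = {}
    for e in parse_o17(log_text):
        where = e["control_set"] + "\\" + (e["interface"] or "Parameters")
        for server in e["servers"]:
            if not is_expected_resolver(server, trusted):
                rogue.setdefault(server, set()).add(where)
    return rogue


def control_sets_touched(rogue):
    """Control sets that still carry a rogue resolver; every one of them needs cleaning."""
    return sorted({loc.split("\\", 1)[0] for locs in rogue.values() for loc in locs})


if __name__ == "__main__":
    for name, log in (("hijacked laptop", HIJACKED_LOG), ("media server", CLEAN_LOG)):
        rogue = find_rogue_resolvers(log)
        print(f"{name}: {len(rogue)} unexpected resolver(s)")
        for server, locs in sorted(rogue.items()):
            print(f"  {server} referenced in {sorted(locs)}")
        if rogue:
            print(f"  control sets to clean: {control_sets_touched(rogue)}")
```

Pass the ISP's or a public resolver's address in `trusted` if the machine is meant to use one statically; on a client that gets its DNS servers by DHCP the static NameServer values are normally empty, so on a home PC any O17 line at all deserves a look. Because the script reports the locations per control set, it also shows when only the CCS entries were fixed by hand (as in post #17) and CS1/CS2 still hold the hijacked values.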