
Please check this HJT log, I fear the worst

Post by moostee on 28.02.2006, 00:24

Hi all


I suddenly have two :!: icons at the bottom right of the taskbar and constantly this popup notice that says

"Critical Sytem Error!

Your computer is infected with malicious ware, what can cause serious risk for your system security!
........................

Click "OK" to get software and special offers on antivirus software."

Of course I didn't click it. But ever since the :!: icons appeared in the taskbar I also can't change my desktop background any more. Instead, the background is now a notice saying my PC is infected, plus a link that takes me to the page with the following URL:

h**p://www[dot]topadwarereviews[dot]com/?adv=196&ads=d (edit YHN)


I ran Ad-Aware, but it didn't help. Below I'm posting my HJT log. I'd be very grateful if you could help me.

Best regards




Logfile of HijackThis v1.99.1
Scan saved at 23:17:27, on 27.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton Internet Security\ISSVC.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Winamp\winampa.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\NETGEAR\wlancfg4.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\Programme\X-Micro WLAN 11g Adapter\WLANPRO.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Cisco Systems\VPN Client\vpngui.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\Rar$EX00.313\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fh-offenburg.de/hrz/vpn.htm#installation
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programme\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: X-Micro WLAN 11g Adapter Configuration Utility.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEFCA66C-5C50-4452-A5EC-FCFCF4012C1A}: NameServer = 141.79.128.4,129.143.2.10
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
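An added triage helper for the HijackThis log format posted above (example code, not from this thread and not part of HijackThis): it parses the "Running processes" section and the R/O entries and applies three checks that the helper in this thread made by hand. The sample log is a constructed excerpt of the one above; the allowlist of hosts for O16 downloads is an assumption.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis v1.99.1 log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 23:17:27, on 27.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumed allowlist of hosts from which ActiveX downloads (O16 DPF entries)
# are expected on an XP machine of that era; adjust to your environment.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "macromedia.com", "sun.com")

# An executable sitting directly in the Windows directory, not in system32.
WINDOWS_ROOT_EXE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.(exe|dll|com|scr|pif)$", re.I)
# HJT entry lines: "R0 - ...", "O4 - ...", "O16 - ...", "O23 - ..."
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    check: str   # short identifier of the heuristic that fired
    value: str   # the path, URL or entry it fired on
    note: str    # human-readable reason


def parse_log(text):
    """Split a HJT log into its running-process list and its (kind, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False      # a blank line ends the process section
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def _trusted_host(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(text):
    """Apply three triage heuristics to a HJT log and return the findings."""
    processes, entries = parse_log(text)
    findings = []
    # 1. Legitimate components run from system32 or Program Files; a process
    #    executing straight from C:\WINDOWS (wupdmgr.exe, osaupd.exe above)
    #    is the first thing to look at.
    for path in processes:
        if WINDOWS_ROOT_EXE.match(path):
            findings.append(Finding("windows-root-process", path,
                                    "executable running from the Windows root directory"))
    for kind, body in entries:
        # 2. ActiveX downloads (O16 DPF) from a host outside the allowlist;
        #    azesearch.cab from azebar.com is the case in this thread.
        if kind == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            host = (urlparse(url).hostname or "").lower()
            if not _trusted_host(host):
                findings.append(Finding("untrusted-dpf", url,
                                        f"ActiveX download from {host}"))
        # 3. Startup-folder shortcuts whose target HJT could not resolve ("= ?"):
        #    not malicious by itself, but the target has to be checked by hand.
        elif kind == "O4" and body.rstrip().endswith("= ?"):
            findings.append(Finding("unresolved-startup-shortcut", body,
                                    "shortcut target could not be resolved"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.check}] {f.value}  ({f.note})")
```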


Post by Nikita on 28.02.2006, 13:14

moostee

set up CleanUp exactly as described here:
http://virus-protect.org/cleanup.html

Copy these 4 text files. They are sorted by date. (copy only the last 3 months)
http://virus-protect.org/datfindbat.html

Post by moostee on 28.02.2006, 20:33

Hello Nikita,

thanks a lot first of all! :P

I ran CleanUp first. It disposed of a hefty 200 MB of junk. Here are the logs:


Datenträger in Laufwerk C: ist System
Volumeseriennummer: B4A1-697C

Verzeichnis von C:\WINDOWS\system32

27.02.2006 20:27 100 LuResult.txt
27.02.2006 19:21 2.206 wpa.dbl
26.02.2006 15:10 0 wupdmgr.tmp
26.02.2006 15:10 4.132 loader.exe
26.02.2006 14:50 0 paytime.exe
26.02.2006 14:49 11.043 azebar.xml
31.01.2006 14:35 91.904 S32EVNT1.DLL
23.01.2006 18:59 3.351 qtplugin.log
20.11.2005 13:30 383.254 perfh009.dat
20.11.2005 13:30 53.608 perfc009.dat
20.11.2005 13:30 394.500 perfh007.dat
20.11.2005 13:30 64.598 perfc007.dat
20.11.2005 13:30 906.552 PerfStringBackup.INI




___________________________________________




Datenträger in Laufwerk C: ist System
Volumeseriennummer: B4A1-697C

Verzeichnis von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp

28.02.2006 19:15 204 jusched.log
1 Datei(en) 204 Bytes
0 Verzeichnis(se), 20.346.048.512 Bytes frei



___________________________________________




Datenträger in Laufwerk C: ist System
Volumeseriennummer: B4A1-697C

Verzeichnis von C:\WINDOWS

28.02.2006 19:21 355.258 WindowsUpdate.log
28.02.2006 19:18 885.467 setupapi.log
28.02.2006 19:16 54.156 QTFont.qfn
28.02.2006 19:15 0 0.log
28.02.2006 19:14 2.048 bootstat.dat
28.02.2006 19:13 32.638 SchedLgU.Txt
27.02.2006 21:22 1.409 QTFont.for
27.02.2006 20:52 1.452 LUINSTALL.LOG
27.02.2006 20:23 207.658 svcpack.log
26.02.2006 15:20 4.528 security.html
26.02.2006 14:50 0 ms1.exe
26.02.2006 14:50 0 tool5.exe
26.02.2006 14:50 0 tool4.exe
26.02.2006 14:50 0 tool3.exe
26.02.2006 14:50 0 tool1.exe
26.02.2006 14:50 0 toolbar.exe
26.02.2006 14:50 0 secure32.html
26.02.2006 14:50 0 country.exe
26.02.2006 14:50 0 tool2.exe




__________________________________________




Datenträger in Laufwerk C: ist System
Volumeseriennummer: B4A1-697C

Verzeichnis von C:\

28.02.2006 19:29 0 sys.txt
28.02.2006 19:28 6.031 system.txt
28.02.2006 19:27 288 systemtemp.txt
28.02.2006 19:26 96.505 system32.txt
28.02.2006 19:14 268.013.568 hiberfil.sys
28.02.2006 19:14 402.653.184 pagefile.sys
18.06.2005 11:54 211 boot.ini




all of it covers only the last 3 months.



Thanks again and best regards

moostee

Post by Nikita on 28.02.2006, 23:03

moostee

before we start deleting ----> please post C:\WINDOWS\
back to December so that I catch all the viruses ;) ...you were very "brief" as far as the 3rd log is concerned.... :cry:

C:\WINDOWS\system32\wupdmgr.tmp
C:\WINDOWS\system32\loader.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\azebar.xml
C:\WINDOWS\security.html
C:\WINDOWS\ms1.exe
C:\WINDOWS\tool5.exe
C:\WINDOWS\tool4.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\tool1.exe
C:\WINDOWS\toolbar.exe
C:\WINDOWS\secure32.html
C:\WINDOWS\country.exe
C:\WINDOWS\tool2.exe
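An added parser for the German-locale dir listings that the datfind batch produces (example code, not from this thread and not from virus-protect.org), with the two heuristics behind the file list above: zero-byte executables, and several files written into system directories within the same minute. The listing is a constructed excerpt of the ones posted above; the executable-extension list is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed excerpt of the dir listings posted in this thread
# (German locale: dd.mm.yyyy hh:mm, size with '.' as thousands separator).
SAMPLE_LISTING = r"""Datenträger in Laufwerk C: ist System
Volumeseriennummer: B4A1-697C

Verzeichnis von C:\WINDOWS\system32

27.02.2006 19:21 2.206 wpa.dbl
26.02.2006 15:10 0 wupdmgr.tmp
26.02.2006 15:10 4.132 loader.exe
26.02.2006 14:50 0 paytime.exe
26.02.2006 14:49 11.043 azebar.xml
31.01.2006 14:35 91.904 S32EVNT1.DLL

Verzeichnis von C:\WINDOWS

28.02.2006 20:41 889.020 setupapi.log
26.02.2006 15:20 4.528 security.html
26.02.2006 14:50 0 ms1.exe
26.02.2006 14:50 0 tool5.exe
26.02.2006 14:50 0 toolbar.exe
26.02.2006 14:50 0 secure32.html
26.02.2006 14:50 0 country.exe
26.02.2006 14:49 5.185 loadadv728.exe
26.02.2006 14:49 28.032 drsmartload95a.exe
26.02.2006 14:49 12.344 azesearch.bmp
"""

DIR_HEADER = re.compile(r"^Verzeichnis von (?P<dir>.+)$")
FILE_LINE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}) +(?P<size>[\d.]+) +(?P<name>.+)$")
# Assumed set of extensions treated as executable for the zero-byte check.
EXECUTABLE_EXT = (".exe", ".dll", ".com", ".scr", ".pif", ".sys")


@dataclass(frozen=True)
class Entry:
    directory: str
    mtime: datetime
    size: int
    name: str

    @property
    def path(self):
        return self.directory.rstrip("\\") + "\\" + self.name


def parse_listing(text):
    """Turn one or more concatenated dir listings into Entry objects."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = DIR_HEADER.match(line)
        if h:
            current = h.group("dir")     # directory applies to the lines that follow
            continue
        m = FILE_LINE.match(line)
        if m and current:
            entries.append(Entry(
                directory=current,
                mtime=datetime.strptime(m.group("date") + " " + m.group("time"),
                                        "%d.%m.%Y %H:%M"),
                size=int(m.group("size").replace(".", "")),   # "889.020" -> 889020
                name=m.group("name"),
            ))
    return entries


def zero_byte_executables(entries):
    """Zero-length files with an executable extension: a blocked or placeholder
    dropper payload, not anything Windows installs itself."""
    return [e.path for e in entries
            if e.size == 0 and e.name.lower().endswith(EXECUTABLE_EXT)]


def drop_bursts(entries, min_files=3):
    """Group files by the minute they were written, across all directories;
    a burst of several new files in one minute is the dropper's fingerprint."""
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[e.mtime].append(e.path)
    return {minute: paths for minute, paths in by_minute.items() if len(paths) >= min_files}


if __name__ == "__main__":
    ents = parse_listing(SAMPLE_LISTING)
    for p in zero_byte_executables(ents):
        print("zero-byte executable:", p)
    for minute, paths in sorted(drop_bursts(ents).items()):
        print(f"{len(paths)} files written at {minute:%d.%m.%Y %H:%M}:", ", ".join(paths))
```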

Post by moostee on 28.02.2006, 23:27

Hi,

in the meantime I ran the Kaspersky online scan, here is the result:



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, February 28, 2006 8:59:19 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 28/02/2006
Kaspersky Anti-Virus database records: 168373
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\

Scan Statistics:
Total number of scanned objects: 13106
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:12:15

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\loadadv728.exe Infected: Trojan-Downloader.Win32.Small.ckj skipped
C:\WINDOWS\osaupd.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped
C:\WINDOWS\wupdmgr.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped

Scan process completed.



________________________________________



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, February 28, 2006 9:54:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 28/02/2006
Kaspersky Anti-Virus database records: 168373
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 40769
Number of viruses found: 9
Number of infected objects: 26
Number of suspicious objects: 0
Duration of the scan process: 00:53:54

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-7e4442f4-3561a309.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-43404e4a-47be8bfe.class Infected: Exploit.Java.ByteVerify skipped
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-66337e3f.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-66337e3f.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-66337e3f.zip ZIP: infected - 2 skipped
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-5c362d1c-5e968b17.zip/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-5c362d1c-5e968b17.zip/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-5c362d1c-5e968b17.zip/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-5c362d1c-5e968b17.zip ZIP: infected - 3 skipped
C:\System Volume Information\_restore{F9057EEF-53D1-4489-B271-CF395C92E9BF}\RP82\A0028176.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped
C:\System Volume Information\_restore{F9057EEF-53D1-4489-B271-CF395C92E9BF}\RP82\A0028184.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped
C:\System Volume Information\_restore{F9057EEF-53D1-4489-B271-CF395C92E9BF}\RP82\A0028202.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped
C:\System Volume Information\_restore{F9057EEF-53D1-4489-B271-CF395C92E9BF}\RP82\A0028620.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped
C:\System Volume Information\_restore{F9057EEF-53D1-4489-B271-CF395C92E9BF}\RP82\A0028819.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped
C:\System Volume Information\_restore{F9057EEF-53D1-4489-B271-CF395C92E9BF}\RP82\A0028830.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped
C:\System Volume Information\_restore{F9057EEF-53D1-4489-B271-CF395C92E9BF}\RP82\A0028862.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped
C:\System Volume Information\_restore{F9057EEF-53D1-4489-B271-CF395C92E9BF}\RP83\snapshot\MFEX-1.DAT Infected: not-virus:Hoax.Win32.Renos.bk skipped
C:\WINDOWS\loadadv728.exe Infected: Trojan-Downloader.Win32.Small.ckj skipped
C:\WINDOWS\osaupd.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped
C:\WINDOWS\wupdmgr.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped
D:\Alter Rechner\Programme\Norton AntiVirus\Quarantine\34253E4C/doc_data-text.txt .pif Infected: Email-Worm.Win32.Sober.k skipped
D:\Alter Rechner\Programme\Norton AntiVirus\Quarantine\34253E4C ZIP: infected - 1 skipped
D:\Alter Rechner\Programme\Norton AntiVirus\Quarantine\34253E4C CryptFF: infected - 1 skipped
D:\Alter Rechner\Programme\Norton AntiVirus\Quarantine\34286848.zip/doc_data-text.txt .pif Infected: Email-Worm.Win32.Sober.k skipped
D:\Alter Rechner\Programme\Norton AntiVirus\Quarantine\34286848.zip ZIP: infected - 1 skipped
D:\Alter Rechner\Programme\Norton AntiVirus\Quarantine\34286848.zip CryptFF: infected - 1 skipped

Scan process completed.


___________________________________________



You're right about the 3rd log, I must have made a mistake when copying. Here is the 3rd log again (3 months):





Datenträger in Laufwerk C: ist System
Volumeseriennummer: B4A1-697C

Verzeichnis von C:\WINDOWS

28.02.2006 20:41 889.020 setupapi.log
28.02.2006 20:04 54.156 QTFont.qfn
28.02.2006 20:04 1.409 QTFont.for
28.02.2006 19:21 355.258 WindowsUpdate.log
28.02.2006 19:15 0 0.log
28.02.2006 19:14 2.048 bootstat.dat
28.02.2006 19:13 32.638 SchedLgU.Txt
27.02.2006 20:52 1.452 LUINSTALL.LOG
27.02.2006 20:23 207.658 svcpack.log
26.02.2006 15:20 4.528 security.html
26.02.2006 14:50 0 ms1.exe
26.02.2006 14:50 0 tool5.exe
26.02.2006 14:50 0 tool4.exe
26.02.2006 14:50 0 tool3.exe
26.02.2006 14:50 0 tool1.exe
26.02.2006 14:50 0 toolbar.exe
26.02.2006 14:50 0 secure32.html
26.02.2006 14:50 0 country.exe
26.02.2006 14:50 0 tool2.exe
26.02.2006 14:50 0 kl1.exe
26.02.2006 14:50 0 uniq
26.02.2006 14:49 5.185 loadadv728.exe
26.02.2006 14:49 28.032 drsmartload95a.exe
26.02.2006 14:49 12.344 azesearch.bmp
23.02.2006 23:03 1.125 winamp.ini
22.02.2006 20:20 61.511 wmsetup.log
31.01.2006 15:21 30 popcinfo.dat
03.10.2005 19:17 995 wiadebug.log
03.10.2005 13:13 50 wiaservc.log


best regards

moostee

Post by moostee on 01.03.2006, 21:51

Niikiiiiitaaaaaaaaa :(

How should I proceed now??

I tried on my own to delete the files you listed using Killbox. But the files below kept reappearing, they couldn't be deleted... :x


C:\WINDOWS\security.html

C:\WINDOWS\system32\wupdmgr.tmp


Besides, I think there are still some other viruses or similar on there, see the Kaspersky report.


Thanks in advance and regards

moostee

Post by Nikita on 01.03.2006, 22:51

*

open HijackThis -- button "Scan" -- tick the boxes in front of the entries -- button "Fix checked" --> keep HijackThis open

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_01\bin\jusched.exe
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab

1.
http://virus-protect.org/killbox.html

C:\WINDOWS\system32\wupdmgr.tmp
C:\WINDOWS\system32\loader.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\azebar.xml
C:\WINDOWS\ms1.exe
C:\WINDOWS\tool5.exe
C:\WINDOWS\tool4.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\tool1.exe
C:\WINDOWS\toolbar.exe
C:\WINDOWS\secure32.html
C:\WINDOWS\country.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\kl1.exe
C:\WINDOWS\uniq
C:\WINDOWS\loadadv728.exe
C:\WINDOWS\drsmartload95a.exe
C:\WINDOWS\azesearch.bmp
C:\WINDOWS\osaupd.exe
C:\WINDOWS\wupdmgr.exe

restart the PC

after the restart look for: C:\!KillBox
and delete all files located there manually

2.
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".
(then turn it back on)

3.
Empty the Java cache:

C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\jar\

4.
then scan again with Kaspersky

5.
post the Silentrunner log
http://virus-protect.org/silentrunner.html

Post by moostee on 02.03.2006, 00:47

Hi,

I don't quite understand when, in step 2 -see below- I'm supposed to remove the tick again to re-enable System Restore on all drives. After step 3? After I've emptied the cache?

regards
moostee

Post by Nikita on 02.03.2006, 15:16

Untick --> tick again (if you want, you can also wait to re-enable System Restore until after the cleanup)


please also do the following:
http://virus-protect.org/artikel/tools/regsearch.html

Download Registry Search by Bobbi Flekman
http://www.bleepingcomputer.com/files/regsearch.php
and double-click to start it. In: "Enter search strings" (type or paste)

AdwareSheriff

in edit and click "Ok".
Notepad will open -- copy the text and post it.

Post by Kennymccormick on 02.03.2006, 23:10

Hello everyone...
I ran Ad-Aware again today and was shocked.
I have some programs on there that keep opening pages in the browser. I'm posting the log here; can you tell me how and what I can do, and whether the "last" resort, formatting, could help???
Many thanks in advance...

Ad-Aware SE Build 1.06r1
Logfile Created on:Donnerstag, 2. März 2006 22:06:54
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R93 22.02.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Adware.Freeprod Toolbar(TAC index:3):17 total references
CmdServices(TAC index:4):44 total references
CoolWebSearch(TAC index:10):6 total references
MRU List(TAC index:0):23 total references
Targetsavers(TAC index:8):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


02.03.2006 22:06:54 - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 520
ThreadCreationTime : 02.03.2006 17:45:56
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 604
ThreadCreationTime : 02.03.2006 17:45:59
BasePriority : High


CoolWebSearch Object Recognized!
Type : Process
Data : jtno0753e.dll
TAC Rating : 10
Category : Malware
Comment : wqapi.dll
Object : C:\WINDOWS\system32\


Warning! CoolWebSearch Object found in memory(C:\WINDOWS\system32\jtno0753e.dll)


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 648
ThreadCreationTime : 02.03.2006 17:45:59
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 668
ThreadCreationTime : 02.03.2006 17:45:59
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 856
ThreadCreationTime : 02.03.2006 17:46:00
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 908
ThreadCreationTime : 02.03.2006 17:46:00
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [ccproxy.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 1172
ThreadCreationTime : 02.03.2006 17:46:01
BasePriority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Network Proxy Service
InternalName : ccProxy
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccProxy.exe

#:8 [ccsetmgr.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 1184
ThreadCreationTime : 02.03.2006 17:46:01
BasePriority : Normal
FileVersion : 103.0.6.5
ProductVersion : 103.0.6.5
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:9 [issvc.exe]
FilePath : C:\Programme\Norton Internet Security\
ProcessID : 1196
ThreadCreationTime : 02.03.2006 17:46:01
BasePriority : Normal
FileVersion : 8.0.5.14
ProductVersion : 8.0
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : IS Service
InternalName : ISSVC.exe
LegalCopyright : Copyright (c) 2004 Symantec Corporation
OriginalFilename : ISSVC.exe

#:10 [sndsrvc.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 1208
ThreadCreationTime : 02.03.2006 17:46:01
BasePriority : Normal
FileVersion : 5.5.1.6
ProductVersion : 5.5
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:11 [spbbcsvc.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\
ProcessID : 1224
ThreadCreationTime : 02.03.2006 17:46:02
BasePriority : Normal
FileVersion : 1,0,1,47
ProductVersion : 1,0,1,47
ProductName : SPBBC
CompanyName : Symantec Corporation
FileDescription : SPBBC Service
InternalName : SPBBCSvc
LegalCopyright : Copyright (c) 2004 Symantec Corporation. All rights reserved.
OriginalFilename : SPBBCSvc.exe

#:12 [ccevtmgr.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 1272
ThreadCreationTime : 02.03.2006 17:46:02
BasePriority : Normal
FileVersion : 103.0.6.5
ProductVersion : 103.0.6.5
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1592
ThreadCreationTime : 02.03.2006 17:46:03
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:14 [command.exe]
FilePath : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
ProcessID : 1704
ThreadCreationTime : 02.03.2006 17:46:03
BasePriority : Normal


CmdServices Object Recognized!
Type : Process
Data : command.exe
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\


Warning! "C:\WINDOWS\SG9tZXIgU2ltcHNvbg\command.exe"Process could not be terminated!

#:15 [navapsvc.exe]
FilePath : C:\Programme\Norton Internet Security\Norton AntiVirus\
ProcessID : 1772
ThreadCreationTime : 02.03.2006 17:46:05
BasePriority : Normal
FileVersion : 11.0.16.2
ProductVersion : 11.0.16
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:16 [netmon.exe]
FilePath : C:\Programme\Network Monitor\
ProcessID : 1796
ThreadCreationTime : 02.03.2006 17:46:05
BasePriority : Normal


#:17 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2008
ThreadCreationTime : 02.03.2006 17:46:06
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:18 [symlcsvc.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\
ProcessID : 2036
ThreadCreationTime : 02.03.2006 17:46:06
BasePriority : Normal
FileVersion : 1, 8, 54, 478
ProductVersion : 1, 8, 54, 478
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright (C) 2003
OriginalFilename : symlcsvc.exe

#:19 [ccapp.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 2472
ThreadCreationTime : 02.03.2006 17:46:29
BasePriority : Normal
FileVersion : 103.0.6.5
ProductVersion : 103.0.6.5
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright (c) 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


#:20 [cli.exe]
FilePath : C:\Programme\ATI Technologies\ATI.ACE\
ProcessID : 2504
ThreadCreationTime : 02.03.2006 17:46:30
BasePriority : Normal


CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


#:21 [hpcmpmgr.exe]
FilePath : C:\Programme\HP\hpcoretech\
ProcessID : 2540
ThreadCreationTime : 02.03.2006 17:46:30
BasePriority : Normal
FileVersion : 1.76.0
ProductVersion : 1.76.0
ProductName : hp coretech (COmponent REuse TECHnology)
CompanyName : Hewlett-Packard Company
FileDescription : HP Framework Component Manager Service
InternalName : HPComponentManagerService module
LegalCopyright : Copyright (C) Hewlett-Packard. 2002-2003
OriginalFilename : HPCmpMgr.exe

CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


#:22 [daemon.exe]
FilePath : C:\Programme\Daemon-Tools\
ProcessID : 2636
ThreadCreationTime : 02.03.2006 17:46:31
BasePriority : Normal


CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


#:23 [cli.exe]
FilePath : C:\Programme\ATI Technologies\ATI.ACE\
ProcessID : 2660
ThreadCreationTime : 02.03.2006 17:46:32
BasePriority : Normal


CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


#:24 [toadimon.exe]
FilePath : C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\
ProcessID : 3436
ThreadCreationTime : 02.03.2006 18:22:22
BasePriority : Normal
FileVersion : 6.23.10
ProductVersion : 6.00
ProductName : T-Online Verbindungsassistent
CompanyName : T-Online International AG, Marmiko IT-Solutions GmbH
FileDescription : T-Online Verbindungsassistent Monitor
InternalName : ToADiMon
LegalCopyright : Copyright © T-Online International AG 2001-2005, Copyright © Marmiko IT-Solutions GmbH 2000-2005
OriginalFilename : ToADiMon.EXE

CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


#:25 [dllhost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3508
ThreadCreationTime : 02.03.2006 18:23:02
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : COM Surrogate
InternalName : dllhost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : dllhost.exe

#:26 [kernel.exe]
FilePath : C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\
ProcessID : 2208
ThreadCreationTime : 02.03.2006 18:25:15
BasePriority : Normal
FileVersion : 2.6.0.6
ProductVersion : xx.xx.xx.xxxx
ProductName : T-Online Basissoftware
CompanyName : T-Online
FileDescription : T-Online StartCenter 6.0
InternalName : T-Online Software
LegalCopyright : Copyright 2001
OriginalFilename : kernel.exe

CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


#:27 [notifier.exe]
FilePath : C:\PROGRA~1\T-Online\T-ONLI~2\Notifier\
ProcessID : 3920
ThreadCreationTime : 02.03.2006 18:25:17
BasePriority : Normal


CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


#:28 [profil~1.exe]
FilePath : C:\PROGRA~1\T-Online\T-ONLI~2\BASIS-~1\Basis2\
ProcessID : 1056
ThreadCreationTime : 02.03.2006 18:31:18
BasePriority : Normal
FileVersion : 2.6.0.8
ProductVersion : xx.xx.xx.xxxx
ProductName : T-Online Basissoftware
CompanyName : T-Online
FileDescription : T-Online Profilverwaltung
InternalName : Profilemgr
LegalCopyright : Copyright 2001
OriginalFilename : profilemgr.exe

CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


#:29 [update.exe]
FilePath : C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_6\BASIS-SOFTWARE\BASIS2\
ProcessID : 404
ThreadCreationTime : 02.03.2006 18:47:59
BasePriority : Normal
FileVersion : 2.05.00.0004
ProductVersion : 6.00.00.0012
ProductName : T-Online Basissoftware
CompanyName : T-Online
FileDescription : T-Online Update-Client
InternalName : TOSW-Update
LegalCopyright : Copyright 2001
OriginalFilename : update.exe

CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


#:30 [icqlite.exe]
FilePath : C:\Programme\ICQLite\
ProcessID : 3124
ThreadCreationTime : 02.03.2006 20:38:53
BasePriority : Normal
FileVersion : 20, 32, 2415, 0
ProductVersion : 20, 32, 2415, 0
ProductName : ICQLite
CompanyName : ICQ Ltd.
FileDescription : ICQLite
InternalName : ICQ Lite
LegalCopyright : Copyright (C) 2002
OriginalFilename : ICQLite.exe

CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


#:31 [ad-aware.exe]
FilePath : D:\Programme\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3836
ThreadCreationTime : 02.03.2006 21:02:01
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


#:32 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 2488
ThreadCreationTime : 02.03.2006 21:03:02
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


CoolWebSearch Object Recognized!
Type : Process
Data : guard.tmp
TAC Rating : 10
Category : Malware
Comment : wqapi.dll
Object : C:\WINDOWS\system32\


Warning! CoolWebSearch Object found in memory(C:\WINDOWS\system32\guard.tmp)


#:33 [browser.exe]
FilePath : C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_6\BROWSER\
ProcessID : 2200
ThreadCreationTime : 02.03.2006 21:05:15
BasePriority : Normal
FileVersion : 6, 0, 0, 15
ProductVersion : 6, 0, 0, 15
ProductName : T-Online Browser
CompanyName : T-Online International AG
FileDescription : T-Online Browser 6.0
InternalName : T-Online Browser 6.0
LegalCopyright : Copyright © T-Online International AG
OriginalFilename : T-Online Browser 6.0

CmdServices Object Recognized!
Type : Process
Data : asappsrv.dll
TAC Rating : 4
Category : Adware
Comment :
Object : C:\WINDOWS\SG9tZXIgU2ltcHNvbg\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 17


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17

Adware.Freeprod Toolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\toolbar
Value : {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f}

Adware.Freeprod Toolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\internet explorer\toolbar\Webbrowser
Value : {77fbf9b8-1d37-4ff2-9ced-192d8e3aba6f}


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

Targetsavers Object Recognized!
Type : File
Data : tsuninst.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINDOWS\System32\



Disk Scan Result for C:\WINDOWS\System32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20

CmdServices Object Recognized!
Type : File
Data : cmdinst.exe
TAC Rating : 4
Category : Adware
Comment :
Object : C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\
FileVersion : 1.0.1
CompanyName :
FileDescription : Command Desktop Setup
LegalCopyright :
Comments : This installation was built with Inno Setup: http://www.innosetup.com


CmdServices Object Recognized!
Type : File
Data : temp.fr6165
TAC Rating : 4
Category : Adware
Comment :
Object : C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\
FileVersion : 2.1.3.466
ProductVersion : 1.0.0.0


CoolWebSearch Object Recognized!
Type : File
Data : temp.fr941A
TAC Rating : 10
Category : Malware
Comment :
Object : C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\



CmdServices Object Recognized!
Type : File
Data : temp.frE22C
TAC Rating : 4
Category : Adware
Comment :
Object : C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\



Targetsavers Object Recognized!
Type : File
Data : tsinstall_4_0_4_0_b4.exe
TAC Rating : 8
Category : Malware
Comment :
Object : C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\



Disk Scan Result for C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 25


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
31 entries scanned.
New critical objects:0
Objects found so far: 25



MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Administrator\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-1454471165-651377827-725345543-500\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\downloadmanager

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Enable Browser Extensions

CoolWebSearch Object Recognized!
Type : File
Data : wbemess.log
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\System32\wbem\logs\



CmdServices Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}
Value : DisplayName

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}
Value : DisplayVersion

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}
Value : NoModify

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}
Value : NoRemove

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}
Value : NoRepair

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}
Value : UninstallString

CmdServices Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\cmdservice

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\cmdservice
Value : Start

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\cmdservice
Value : ErrorControl

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\cmdservice
Value : ImagePath

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\cmdservice
Value : DisplayName

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\services\cmdservice
Value : ObjectName

CmdServices Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\cmdservice

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\cmdservice
Value : Start

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\cmdservice
Value : ErrorControl

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\cmdservice
Value : ImagePath

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\cmdservice
Value : DisplayName

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\cmdservice
Value : ObjectName

CmdServices Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
Value : DisplayName

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
Value : DisplayVersion

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
Value : NoModify

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
Value : NoRemove

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
Value : NoRepair

CmdServices Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
Value : UninstallString

Adware.Freeprod Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.xbtb04715

Adware.Freeprod Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.xbtb04715.1

Adware.Freeprod Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : xbtb04715.ietoolbar

Adware.Freeprod Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : xbtb04715.ietoolbar.1

Adware.Freeprod Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : xbtb04715.xbtb04715

Adware.Freeprod Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : xbtb04715.xbtb04715.1

Adware.Freeprod Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\xbtb04715

Adware.Freeprod Toolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar

Adware.Freeprod Toolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar
Value : UninstallString

Adware.Freeprod Toolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}

Adware.Freeprod Toolbar Object Recognized!
Type : RegData
Data : 0
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main\featurecontrol\feature_localmachine_lockdown
Value : iexplore.exe
Data : 0

Adware.Freeprod Toolbar Object Recognized!
Type : Folder
TAC Rating : 3
Category : Adware
Comment : Adware.Freeprod Toolbar
Object : C:\Programme\Gemeinsame Dateien\InetGet

Adware.Freeprod Toolbar Object Recognized!
Type : Folder
TAC Rating : 3
Category : Adware
Comment : Adware.Freeprod Toolbar
Object : C:\Programme\Gemeinsame Dateien\Windows

Adware.Freeprod Toolbar Object Recognized!
Type : Folder
TAC Rating : 3
Category : Adware
Comment : Adware.Freeprod Toolbar
Object : C:\Programme\Toolbar888

Adware.Freeprod Toolbar Object Recognized!
Type : File
Data : id.id
TAC Rating : 3
Category : Adware
Comment :
Object : C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\



Targetsavers Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\tsa

Targetsavers Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\tsa
Value : UninstallString

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 46
Objects found so far: 94

22:09:46 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:51.984
Objects scanned:78764
Objects identified:55
Objects ignored:0
New critical objects:55
Kennymccormick

Posts: 1
Registered: 02.03.2006, 22:57

Post by moostee on 02.03.2006, 23:31

Hello Nikita,


on to the next battle :wink:

First, here is the Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, March 02, 2006 10:05:36 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 2/03/2006
Kaspersky Anti-Virus database records: 168822
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 38058
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:48:27

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{F9057EEF-53D1-4489-B271-CF395C92E9BF}\RP84\snapshot\MFEX-1.DAT Infected: not-virus:Hoax.Win32.Renos.bk skipped
C:\WINDOWS\osaupd.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped
C:\WINDOWS\system32\shell386.exe Infected: Trojan-Downloader.Win32.VB.xj skipped
C:\WINDOWS\wupdmgr.exe Infected: not-virus:Hoax.Win32.Renos.bk skipped

Scan process completed.

______________________________________________




then the Silent Runners report:


"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Zone Labs Client" = "C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe" ["Zone Labs Inc."]
"ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\security.html"


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Acrobat Assistant" -> shortcut to: "C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Cisco Systems VPN Client" -> shortcut to: "C:\Programme\Cisco Systems\VPN Client\vpngui.exe "-user_logon"" ["Cisco Systems, Inc."]
"MA111 Configuration Utility" -> shortcut to: "C:\Programme\NETGEAR\wlancfg4.exe" [null data]
"X-Micro WLAN 11g Adapter Configuration Utility" -> shortcut to: "C:\Programme\X-Micro WLAN 11g Adapter\WLANPRO.exe" [empty string]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Meinen Computer prüfen - Administrator" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 27
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\ = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Cisco Systems, Inc. VPN Service, CVPND, ""C:\Programme\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
ISSvc, ISSVC, ""C:\Programme\Norton Internet Security\ISSVC.exe"" ["Symantec Corporation"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Norton AntiVirus Auto-Protect-Dienst, navapsvc, ""C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 39 seconds, including 4 seconds for message boxes)



_______________________________________________




And lastly the RegSearch, though I am not entirely sure whether I did everything right. Under "Enter search strings" I typed the word AdwareSheriff, then clicked OK!

Here is the result:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.0.1

; Results at 02.03.2006 22:17:26 for strings:
; 'adwaresheriff'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

______________________________________________



I cannot access "System Volume Information". And the three files listed below I deleted with Killbox, but they kept reappearing. I deleted them several times in Safe Mode, to no avail. What can you recommend to me now?


C:\WINDOWS\osaupd.exe
C:\WINDOWS\system32\shell386.exe
C:\WINDOWS\wupdmgr.exe



Many thanks and best regards

moostee

Posts: 6
Registered: 27.02.2006, 23:37
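As an added example (not a tool used in this thread), a small Python helper that parses lines in the format of the log posted above and flags the two things this thread hinges on: a wallpaper value pointing at an HTML file, and launch points whose binary carries no publisher information ([null data] / [empty string]). The sample lines are constructed from the log; the function names are my own.

```python
"""Added example, not from this thread: triage of log lines in the format posted above."""
import re

NAME_RE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<display>[^,"]+),')
LAUNCH_RE = re.compile(r'"(?P<command>[A-Za-z]:\\[^"]*)".*\[(?P<signer>[^\]]*)\]\s*$')
WALLPAPER_RE = re.compile(r'^"Wallpaper"\s*=\s*"(?P<path>[^"]*)"', re.M)
NO_PUBLISHER = {"null data", "empty string"}  # the log's markers for a binary without publisher info

# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r'''
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\security.html"

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Acrobat Assistant" -> shortcut to: "C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"MA111 Configuration Utility" -> shortcut to: "C:\Programme\NETGEAR\wlancfg4.exe" [null data]
"X-Micro WLAN 11g Adapter Configuration Utility" -> shortcut to: "C:\Programme\X-Micro WLAN 11g Adapter\WLANPRO.exe" [empty string]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]
'''


def parse_launch_points(text):
    """Return (name, command, signer) for each line naming a binary plus a trailing [signer] tag."""
    entries = []
    for m in filter(None, map(LAUNCH_RE.search, text.splitlines())):
        n = NAME_RE.match(m.string)
        name = (n.group("quoted") or n.group("display")).strip() if n else ""
        entries.append((name, m.group("command"), m.group("signer").strip('"')))
    return entries


def wallpaper_path(text):
    """The "Wallpaper" value from the Desktop\\General key, or None if absent."""
    m = WALLPAPER_RE.search(text)
    return m.group("path") if m else None


def triage(text):
    """Findings to look at first. A missing publisher is a lead, not a verdict:
    the NETGEAR utility in the sample is legitimate and still shows [null data]."""
    findings = []
    wp = wallpaper_path(text)
    if wp and wp.lower().endswith((".htm", ".html")):
        findings.append(("html-wallpaper", wp))  # Active Desktop renders this file as the background
    for _name, command, signer in parse_launch_points(text):
        if signer in NO_PUBLISHER:
            findings.append(("no-publisher", command))
    return findings
```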

Post by Nikita on 03.03.2006, 12:29

moostee

Go into the registry
Start --> Run --> regedit


HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\security.html" <-- delete

Delete with Killbox:

C:\WINDOWS\osaupd.exe
C:\WINDOWS\security.html
C:\System Volume Information\_restore{F9057EEF-53D1-4489-B271-CF395C92E9BF}\RP84\snapshot\MFEX-1.DAT
C:\WINDOWS\system32\shell386.exe
C:\WINDOWS\system32\wupdmgr.tmp
C:\WINDOWS\wupdmgr.exe


My Computer --> right-click, then Properties --> System Restore tab --> tick "Turn off System Restore on all drives".
Nikita
Moderator

Posts: 11478
Registered: 07.12.2003, 16:53
Location: Lisbon
