Antjeomahe

[Nikita]

Von: antjeomahe
An: nikita
Verfasst am: Mo Jul 26, 2004 11:49 pm
Titel: esearch.cc Nachricht zitieren
hi,
wir haben uns die esearch-seite aufgehalst und waeren sehr dankbar, wenn du uns weiterhelfen koenntest...
anbei der hijack-scan.

vielen dank im voraus, antje

Logfile of HijackThis v1.98.0
Scan saved at 0.14.49, on 27/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AMD\PowerNow!\GemServ.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\Program Files\AMD\PowerNow!\gemback.exe
C:\WINDOWS\system32\slserv.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\NORMAN\Nvc\Bin\niu.exe
C:\kkk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {338A3408-E712-7AB8-8652-165579D5266C} - C:\WINDOWS\System32\bijqcx.dll
O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINDOWS\win32app.dll
O2 - BHO: (no name) - {897A4573-E4F0-45A6-ADFF-344F596058C2} - C:\WINDOWS\System32\alkhh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\StarModem\StarModem USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.250/howtosearch.chm::/searchinfoxyz.exe
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O18 - Filter: text/html - {A2C87970-2118-4E0C-9579-F4E5AD8B8831} - C:\WINDOWS\System32\alkhh.dll
O18 - Filter: text/plain - {A2C87970-2118-4E0C-9579-F4E5AD8B8831} - C:\WINDOWS\System32\alkhh.dll

[Nikita]

fixe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.esearch.cc/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.esearch.cc/s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://thenewsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.esearch.cc/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti

O2 - BHO: (no name) - {338A3408-E712-7AB8-8652-165579D5266C} - C:\WINDOWS\System32\bijqcx.dll
O2 - BHO: Shorty - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\WINDOWS\win32app.dll
O2 - BHO: (no name) - {897A4573-E4F0-45A6-ADFF-344F596058C2} - C:\WINDOWS\System32\alkhh.dll

O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.250/howtosearch.chm::/searchinfoxyz.exe
O16 - DPF: {13112111-1224-1141-1451-111111113533} - file://c:\windows\system32\setup1.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O18 - Filter: text/html - {A2C87970-2118-4E0C-9579-F4E5AD8B8831} - C:\WINDOWS\System32\alkhh.dll
O18 - Filter: text/plain - {A2C87970-2118-4E0C-9579-F4E5AD8B8831} - C:\WINDOWS\System32\alkhh.dll

neustarten

#deinen Virenscanner kurz deaktivieren...und installiere Antivirus
http://www.free-av.de/

Konfiguriere den Antivirus AVGCtrl
Automatischen Scan stoppen,
Einstellungen hochschrauben (Suchen: ALLE DATEIN, Reperatur: OHNE RÜCKFRAGEN, Löschen bei fehlgeschlagener Reperatur: LÖSCHEN OHNE RÜCKFRAGEN, Unerwünschte Programme: ALLE ausser spiele, Heuristik: Win32 Heuristik Priorität hoch)

#Geh in den abgesicherten Modus...das ist wichtig !
http://www.bsi.de/av/texte/winsave.htm
und mache einen Vollscann mit dem Antivirus.

normal neustarten

Lade AdAware free, update und mache einen Vollscann
http://www.lavasoft.de/support/download/


#Lade von dieser Site SP
http://www.trojaner-info.de/anleitungen ... blank.html

#Loesche unter InternetOptionen die TemporaryInternetfiles und stelle einen neue Startseite ein.

#ueberpruefe
C:\WINDOWS\SOUNDMAN.EXE
mit KAspersky
http://www.kaspersky.com/remoteviruschk.html

Dann poste das Log noch einmal.

MfG
Nikita

[antjeomahe]

hallo,

erstmal vielen dank fuer die tipps!!

habe getan, was ich konnte, aber da ich nicht so bewandert, bin ist mir das loeschen der dateien im safe-mode nicht gelungen. seufz. wie muss ich das genau machen?

anbei das neue logfile und auch das von unserem alten pc. der hat auch ein problem.

momentan kommt auf jeden fall blank als startseite.

danke nochmal und bis bald,

gruesse antje

[Nikita]

Wo ist das Log ??????????'

Tip: du musst (jedenfalls in dieser Phase) nichts selbst loeschen...das machen die Scanner, die du installieren solltest, nach dem Fixen .

Nikita

[antjeomahe]

habe ich nachgeschickt...

[Nikita]

ich sehe es nicht ......

Nikita

[antjeomahe]

Logfile of HijackThis v1.98.0
Scan saved at 15.14.49, on 08/08/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIKEY32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\TWAIN_32\CSUSB192\WATCH.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fast-search.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.fast-search.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://fast-search.us/small.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.fast-search.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://fast-search.us/small.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.fast-search.us/
O2 - BHO: TX4 - {00000000-0001-1DBE-075A-39EC04BD88AF} - C:\WINDOWS\SYSTEM\AVICAP32.DLL
O2 - BHO: (no name) - {FFBD3F6F-0AC7-4520-8938-AFFBD7896A3F} - C:\WINDOWS\SYSTEM\FPM.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~2\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~2\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinBoot] C:\WINDOWS\winboot.hta
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe c:\windows\Conexant\CnxTrApp.dll,AppEntryA -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~2\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: Avvio Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\CSUSB192\WATCH.exe
O13 - WWW. Prefix: http://
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/014272.exe
O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://www.ireland.travel.ie/seeireland ... svideo.cab
O16 - DPF: {53D602E4-66ED-4B03-A5B8-19E4F4F6F18F} (Tiphone Control) - http://fax.tiscali.it/netphone/ocx/tiphone.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.250/howtosearch.chm::/searchinfoxyz.exe

[antjeomahe]

Logfile of HijackThis v1.98.0
Scan saved at 15.37.08, on 08/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AVPersonal\AVGUARD.EXE
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\Program Files\AMD\PowerNow!\GemServ.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\Program Files\AMD\PowerNow!\gemback.exe
C:\WINDOWS\system32\slserv.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Programmi\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\NORMAN\Nvc\Bin\niu.exe
C:\kkk\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\StarModem\StarModem USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programmi\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

[antjeomahe]

so, die hatte ich mit pm geschickt. haste vielleicht noch nicht bekommen.
das erste ist vom anderen pc und das zweite von dem, an dem du schon gearbeitet hast.

gruss, antje

[Nikita]

1. Computer

Fixe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fast-search.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.fast-search.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fast-search.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fast-search.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.fast-search.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://fast-search.us/small.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.fast-search.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://fast-search.us/small.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.fast-search.us/
O2 - BHO: TX4 - {00000000-0001-1DBE-075A-39EC04BD88AF} - C:\WINDOWS\SYSTEM\AVICAP32.DLL
O2 - BHO: (no name) - {FFBD3F6F-0AC7-4520-8938-AFFBD7896A3F} - C:\WINDOWS\SYSTEM\FPM.DLL (file missing)

O4 - HKLM\..\Run: [WinBoot] C:\WINDOWS\winboot.hta
O13 - WWW. Prefix: http://
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/014272.exe

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.250/howtosearch.chm::/searchinfoxyz.exe


neustarten


Lade dieses Tool
http://www.diamondcs.com.au/index.php?page=apm
und Klicke die einzelnen Prozessean, und druecke auf <unload< sobald du folgendes findest:
C:\WINDOWS\SYSTEM\AVICAP32.DLL
C:\WINDOWS\SYSTEM\FPM.DLL

#Dann suche diese zwei dll mit der Suchfunktion und loesche sie.
........................................................................................................
http://spywarewarrior.com/files/cwshredder.zip
http://spywarewarrior.com/files/CWShredder.exe
CWShredder 1.59:
* Added new variant CWS.Docobj (uses filename docobj.exe, hijacks to
fast-search.us, also drops winstyle.css and....... winboot.hta)!!!!!

........................................................................................................

#lade dieses Tool
CoolWWWSearch.SmartKiller (v1/v2) MiniRemoval
http://www.majorgeeks.com/download4113.html

#Lade AdAware (free) und scanne <alle Dateien<
http://www.lavasoft.de/support/download/

#loesche mit ClearProg
http://www.clearprog.de/
- Cookies
- Verlauf
- Temporäre Internetfiles (Cache)

#Lade mwav.exe und scanne <alle Dateien< und <alle Folder<
http://www.mwti.net/antivirus/free_utilities.asp
(Poste dann, ob eine <Virus-Information< erschienen ist.

#Lade Firefox und surfe nur mit ihm...ist sicherer
http://www.firebird-browser.de/

#stelle unter <Internetoptionen ) eine neue Startseite ein und poste das neue Log (mit dem IE) noch mal.

mfg
Nikita

[Nikita]

Computer nr.2

Fixe:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\anty\IMPOST~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

NEUSTARTEN


#Dieses Tool <Remove about blank< kann unter http://www.adwareaway.com/
heruntergeladen werden.
<Remouve about blank< scanne und dann starte den Computer neu

#Lade AdAware free und scanne <alle Dateien<
http://www.lavasoft.de/support/download/

#Lade mwav.exe und scanne <alle Dateien< und <alle Folder<
http://www.mwti.net/antivirus/free_utilities.asp
(Poste dann, ob eine <Virus-Information< erschienen ist.

#loesche mit ClearProg
http://www.clearprog.de/
- Cookies
- Verlauf
- Temporäre Internetfiles (Cache)


Stelle unter <InternetOptionen <eine neue Startseite ein und poste das Log noch mal.

Nikita

[antjeomahe]

hallo,

vielen dank erstmal. werde ich leider erst morgen machen koennen. melde mich dann wieder.

schoenen abend wuenscht dir antje

[antjeomahe]

hallo, nikita,

also, ich habe erstmal alles fuer pc 2 gemacht und hier ist das log:

Logfile of HijackThis v1.98.0
Scan saved at 15.21.15, on 09/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AVPersonal\AVGUARD.EXE
C:\Programmi\AVPersonal\AVWUPSRV.EXE
C:\Program Files\AMD\PowerNow!\GemServ.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\Program Files\AMD\PowerNow!\gemback.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Programmi\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\kkk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\StarModem\StarModem USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programmi\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

jetzt mach ich mich an den pc 1

gruesse, antje

[Nikita]

fixe noch
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)


Ansonsten : Glueckwunsch
Nikita

[antjeomahe]

Hi nikita,

dankeschoen, mit deiner hilfe - denn ich verstehe ja nicht viel davon. muss mich mal besser belesen!

Hier folgt das log von pc 1. hat etwas laenger gedauert, der ist furchtbar langsam mit all den neuen programmen drauf...

Zwei sachen habe ich nicht hingekriegt:

das apm habe ich 2mal runtergeladen und auch das coolwwwsearch.smartkiller, aber beide male funktionierten sie nicht!??

das andere habe ich alles gemacht - keine virusmeldung.

also, das log:

Logfile of HijackThis v1.98.0
Scan saved at 18.30.23, on 09/08/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIKEY32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\TWAIN_32\CSUSB192\WATCH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~2\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~2\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe c:\windows\Conexant\CnxTrApp.dll,AppEntryA -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~2\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: Avvio Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\CSUSB192\WATCH.exe
O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://www.ireland.travel.ie/seeireland ... svideo.cab
O16 - DPF: {53D602E4-66ED-4B03-A5B8-19E4F4F6F18F} (Tiphone Control) - http://fax.tiscali.it/netphone/ocx/tiphone.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab

viele gruesse, antje