Hijack problems!!


Post by GorunNova on 11.09.2004, 11:17

This is my log. I have already tried a few things myself, but fatally my internet stopped working afterwards. Can you please tell me what has to go??

Logfile of HijackThis v1.98.2
Scan saved at 10:39:57, on 11.09.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Programme\Web_Rebates\WebRebates0.exe
C:\Program Files\Winad Client\Winad.exe
C:\Programme\ISTsvc\istsvc.exe
C:\WINDOWS\System32\kpnszr.exe
C:\Program Files\Winad Client\WinClt.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\addkm32.exe
C:\WINDOWS\system32\mfccr.exe
C:\Programme\Web_Rebates\WebRebates1.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Ranma\Desktop\hijackthis1982\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {78397146-034F-3E67-9127-DD62A91D02AD} - C:\WINDOWS\ipae.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Programme\ISTbar\istbar.dll
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [vajolv] C:\WINDOWS\System32\kpnszr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mfccr.exe] C:\WINDOWS\system32\mfccr.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Programme\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [mhgiyimxky] C:\WINDOWS\System32\kpnszr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOKUME~1\Ranma\LOKALE~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aers] C:\Dokumente und Einstellungen\Ranma\Anwendungsdaten\rapr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Reboot.exe
O8 - Extra context menu item: Web Rebates - file://C:\Programme\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programme\SideFind\sidefind.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file. ... 96baabe1d6
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares ... egular.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28A835C9-3F90-4B66-9234-ED82C781659A}: NameServer = 192.168.0.1,0.0.0.0
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


Post by Nikita on 11.09.2004, 13:32

THE BEST THING IS A COMPLETE REINSTALLATION!
...........................................................................................................

Scan with HijackThis, tick what I post, and <fix<

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cffwi.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {78397146-034F-3E67-9127-DD62A91D02AD} - C:\WINDOWS\ipae.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Programme\ISTbar\istbar.dll
First disable in Task Manager:
O4 - HKLM\..\Run: [WebRebates0] "C:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [vajolv] C:\WINDOWS\System32\kpnszr.exe
O4 - HKLM\..\Run: [mfccr.exe] C:\WINDOWS\system32\mfccr.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Programme\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [mhgiyimxky] C:\WINDOWS\System32\kpnszr.exe
O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOKUME~1\Ranma\LOKALE~1\Temp\djtopr1150.exe"
O4 - HKCU\..\Run: [Aers] C:\Dokumente und Einstellungen\Ranma\Anwendungsdaten\rapr.exe
O8 - Extra context menu item: Web Rebates - file://C:\Programme\Web_Rebates\Sy1150\Tp1150\scri1150a.
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programme\SideFind\sidefin
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie
Dialer:
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-do
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


Reboot


#Download the zip file and open it, double-click and answer "yes" to add it to the registry (this makes all files visible)
http://www.davehigham.zen.co.uk/downloads/xphidden.zip

#Delete:
C:\Programme\ISTbar\istbar.dll
C:\WINDOWS\twaintec.dll
C:\WINDOWS\ipae.dll
C:\Programme\Web_Rebates\WebRebates0.exe
C:\Programme\Web_Rebates\WebRebates1.exe
C:\Program Files\Winad Client\Winad.exe
C:\WINDOWS\System32\kpnszr.exe
C:\Program Files\Winad Client\WinClt.exe
C:\WINDOWS\addkm32.exe
C:\WINDOWS\system32\mfccr.exe
C:\WINDOWS\msopt.dll

<HijackThis<Config<Misc Tools<Delete a file on reboot< paste in:
C:\WINDOWS\msopt.dll
Reboot the PC


#Download "eScan"

http://www.mwti.net/antivirus/free_utilities.asp
Use the Windows search function to find a "kavupd.exe" and click it (it may also be in the Temporary folder).
Start<Run< %temp%
A DOS window opens and an update is carried out (takes a while)
#Be sure to go into Safe Mode (!)
http://www.bsi.de/av/texte/winsave.htm
#Find "mwav.exe" and use it to start <eScan<. Tick all the boxes and click "Clean-Scan".

#After the scan, go back to normal mode, scan again and post everything that was found as <deleted<, <renamed< and <no action taken<, plus the new HijackThis log once more.

Disable System Restore beforehand
http://service1.symantec.com/SUPPORT/IN ... 7105707924

Regards
Nikita
Last edited by Nikita on 22.11.2004, 00:15; edited 3 times in total.

Post by GorunNova on 11.09.2004, 15:44

THX!!

For the many good tips! Already after carrying out the first step my start page is free again; eScan is running right now!

And this is my log after carrying out the first step!

Logfile of HijackThis v1.98.2
Scan saved at 15:41:57, on 11.09.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\DOKUME~1\Ranma\LOKALE~1\Temp\mwavscan.com
C:\DOKUME~1\Ranma\LOKALE~1\Temp\kavss.exe
C:\Dokumente und Einstellungen\Ranma\Desktop\hijackthis1982\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Reboot.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.advnt01.com/dialer/ger_nopop.exe
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28A835C9-3F90-4B66-9234-ED82C781659A}: NameServer = 192.168.0.1,0.0.0.0
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)



Edit:
This is the eScan log!


File C:\PROGRA~2\INTERN~1\actalert.exe infected by "TrojanDownloader.Win32.Dyfuca.cr" Virus. Action Taken: File Deleted.
File C:\WINDOWS\addkm32.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\mfccr.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
File C:\WINDOWS\mfcnx32.dll infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: File Deleted.
File C:\WINDOWS\2_0_1browserhelper2.dll infected by "TrojanClicker.Win32.Delf.r" Virus. Action Taken: File Deleted.
File C:\WINDOWS\alchem.exe infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
File C:\WINDOWS\cffwi.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: File Deleted.
File C:\WINDOWS\ipae.dll infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: File Deleted.
File C:\WINDOWS\localNRD.dll infected by "not-a-virus:AdvWare.BiSpy.n" Virus. Action Taken: File Renamed.
File C:\WINDOWS\msopt.dll infected by "TrojanDownloader.Win32.Small.kq" Virus. Action Taken: File Deleted.
File C:\WINDOWS\nwdsjqf.exe infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
File C:\WINDOWS\n_udbzkb.log infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
File C:\WINDOWS\preInsln.exe infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\WINDOWS\SiSUSBrg.exe infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
File C:\WINDOWS\twaintec.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\apuc.dll infected by "not-a-virus:AdvWare.Exact.a" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\exdl.exe infected by "not-a-virus:AdvWare.Exact" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\exul.exe infected by "not-a-virus:AdvWare.Exact.a" Virus. Action Taken: File Renamed.
File C:\WINDOWS\System32\iprqp.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\kpnszr.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\msau32.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\polall1m.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\WINDOWS\System32\xtqxa.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Anwendungsdaten\rapr.exe infected by "not-a-virus:AdvWare.PurityScan.t" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Desktop\hijackthis1982\backups\backup-20040911-144427-104.dll infected by "not-a-virus:AdvWare.Winad" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Desktop\hijackthis1982\backups\backup-20040911-144427-365.dll infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Desktop\hijackthis1982\backups\backup-20040911-144427-541.dll infected by "not-a-virus:AdvWare.MediaTickets.d" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Desktop\hijackthis1982\backups\backup-20040911-144427-851.dll infected by "TrojanDownloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\alchem.cab infected by "TrojanDownloader.Win32.Alchemic" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\alchem.exe infected by "TrojanDownloader.Win32.Alchemic" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\bb.exe infected by "not-a-virus:AdvWare.Exact.a" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\conscorr.cab infected by "TrojanDownloader.Win32.Stubby.c" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\conscorr.exe infected by "TrojanDownloader.Win32.Stubby.c" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\iinstall.exe infected by "TrojanDownloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\powerscan.exe infected by "not-a-virus:AdvWare.PowerScan.b" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\sidefind.exe infected by "TrojanDownloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\THI4755.tmp\localNrd.cab infected by "not-a-virus:AdvWare.BiSpy.n" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\THI4755.tmp\localNRD.dll infected by "not-a-virus:AdvWare.BiSpy.n" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\THI4755.tmp\polall1l.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\THI4755.tmp\preInsln.exe infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\THI53D3.tmp\polall1m.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\THI53D3.tmp\preInsTT.exe infected by "not-a-virus:AdvWare.BiSpy.f" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\THI53D3.tmp\twaintec.cab infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\THI53D3.tmp\twaintec.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\THI7A49.tmp\multimpp.cab infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temp\THI7A49.tmp\multimpp.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\01234567\ger_nopop[1].exe infected by "Trojan.Win32.Dialer.dc" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\01234567\istbar_mainstream[1].dll infected by "TrojanDownloader.Win32.IstBar.dh" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\01234567\main[1].chm infected by "TrojanDownloader.JS.Weis.b" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\01234567\MediaTicketsInstaller[1].cab infected by "not-a-virus:AdvWare.MediaTickets.d" Virus.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2L2TK7IP\bb[1].exe infected by "not-a-virus:AdvWare.Exact.a" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2L2TK7IP\bridge-c7[2].cab infected by "not-a-virus:AdvWare.Winad" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2L2TK7IP\f29126[1].hta infected by "TrojanDropper.VBS.Inor.br" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2L2TK7IP\istsvc[1].exe infected by "TrojanDownloader.Win32.IstBar.fr" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2L2TK7IP\powerscan[1].exe infected by "not-a-virus:AdvWare.PowerScan.b" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\2L2TK7IP\sidefind13[1].dll infected by "not-a-virus:AdvWare.ToolBar.SideFind" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\89ABCDEF\bdl14122[1].exe infected by "Trojan.Win32.Revop.c" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\89ABCDEF\better_new[1].exe infected by "not-a-virus:AdvWare.BetterInternet" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\89ABCDEF\ClientCom[1].dll infected by "not-a-virus:AdvWare.Winad" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\89ABCDEF\frodo[1].htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\89ABCDEF\msits[1].exe infected by "TrojanDownloader.Win32.WinShow.am" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\89ABCDEF\n-udd[1].htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GHIJKLMN\0006_regular[1].cab infected by "TrojanDownloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GHIJKLMN\patch8028[1].exe infected by "not-a-virus:AdvWare.Exact" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GHIJKLMN\sfbho13[1].dll infected by "not-a-virus:AdvWare.ToolBar.SideFind" Virus. Action Taken: File Renamed.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GHIJKLMN\sidefind[1].exe infected by "TrojanDownloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GHIJKLMN\system[1].exe infected by "TrojanDownloader.Win32.WinShow.al" Virus. Action Taken: File Deleted.
File C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5\GHIJKLMN\thnall1l[1].exe infected by "not-a-virus:AdvWare.BetterInternet" Virus. Action Taken: File Renamed.
File C:\Program Files\Internet Optimizer\update\actalert.exe infected by "TrojanDownloader.Win32.Dyfuca.cr" Virus. Action Taken: File Deleted.
File C:\Program Files\Winad Client\ClientCom.dll infected by "not-a-virus:AdvWare.Winad" Virus. Action Taken: File Renamed.
File C:\Program Files\Winad Client\Winad.exe infected by "not-a-virus:AdvWare.Winad" Virus. Action Taken: File Renamed.
File C:\Programme\BullsEye Network\bin\bargains.exe infected by "not-a-virus:AdvWare.Exact.a" Virus. Action Taken: File Renamed.
File C:\Programme\ISTbar\istbar.dll infected by "TrojanDownloader.Win32.IstBar.dh" Virus. Action Taken: File Deleted.
File C:\Programme\ISTsvc\istsvc.exe infected by "TrojanDownloader.Win32.IstBar.fr" Virus. Action Taken: File Deleted.
File C:\Programme\SideFind\sfbho.dll infected by "not-a-virus:AdvWare.ToolBar.SideFind" Virus. Action Taken: File Renamed.
File C:\Programme\SideFind\sidefind.dll infected by "not-a-virus:AdvWare.ToolBar.SideFind" Virus. Action Taken: File Renamed.
File C:\Programme\SideFind\update\sidefind.exe infected by "TrojanDownloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\Programme\Web_Rebates\disp1150.exe infected by "not-a-virus:AdvWare.WebRebates.b" Virus. Action Taken: File Renamed.
File C:\Programme\Web_Rebates\WebRebates0.exe infected by "not-a-virus:AdvWare.HelpExpress" Virus. Action Taken: File Renamed.
File C:\Programme\Web_Rebates\WebRebates1.exe infected by "not-a-virus:AdvWare.WebRebates.b" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001529.exe infected by "not-a-virus:AdvWare.Exact" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001530.exe infected by "not-a-virus:AdvWare.Exact" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001535.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001536.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001537.dll infected by "not-a-virus:AdvWare.MediaTickets.d" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001539.dll infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001540.dll infected by "TrojanDownloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001542.exe infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001553.exe infected by "TrojanDownloader.Win32.Dyfuca.cr" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001554.exe infected by "TrojanDownloader.Win32.Agent.bq" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001555.exe infected by "TrojanDownloader.Win32.Agent.cd" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001556.dll infected by "TrojanClicker.Win32.Delf.r" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001557.exe infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001558.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001559.dll infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001560.dll infected by "not-a-virus:AdvWare.BiSpy.n" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001561.dll infected by "TrojanDownloader.Win32.Small.kq" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001562.exe infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001563.exe infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001564.exe infected by "TrojanDownloader.Win32.Agent.bc" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001565.dll infected by "not-a-virus:AdvWare.BiSpy.o" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001566.dll infected by "not-a-virus:AdvWare.Exact.a" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001567.exe infected by "not-a-virus:AdvWare.Exact" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001568.exe infected by "not-a-virus:AdvWare.Exact.a" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001569.dll infected by "TrojanDownloader.Win32.WinShow.ak" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001570.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001571.exe infected by "TrojanDownloader.Win32.Agent.ae" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001572.exe infected by "not-a-virus:AdvWare.PurityScan.t" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001573.dll infected by "not-a-virus:AdvWare.Winad" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001574.dll infected by "TrojanDownloader.Win32.Agent.an" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001575.dll infected by "not-a-virus:AdvWare.MediaTickets.d" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001576.dll infected by "TrojanDownloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001577.exe infected by "TrojanDownloader.Win32.Dyfuca.cr" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001578.dll infected by "not-a-virus:AdvWare.Winad" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001579.exe infected by "not-a-virus:AdvWare.Winad" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001580.exe infected by "not-a-virus:AdvWare.Exact.a" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001581.dll infected by "TrojanDownloader.Win32.IstBar.dh" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001582.exe infected by "TrojanDownloader.Win32.IstBar.fr" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001583.dll infected by "not-a-virus:AdvWare.ToolBar.SideFind" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001584.dll infected by "not-a-virus:AdvWare.ToolBar.SideFind" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001585.exe infected by "TrojanDownloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001586.exe infected by "not-a-virus:AdvWare.WebRebates.b" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001587.exe infected by "not-a-virus:AdvWare.HelpExpress" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{4BF8AC7B-C483-4907-B8E9-E086DDC9669C}\RP3\A0001588.exe infected by "not-a-virus:AdvWare.WebRebates.b" Virus. Action Taken: File Renamed.
File C:\temp\Installer2.exe infected by "TrojanDropper.Win32.Delf.z" Virus. Action Taken: File Deleted.
File C:\temp\msbb.exe infected by "not-a-virus:AdvWare.180Solutions" Virus. Action Taken: File Renamed.
File C:\temp\msbbhook.dll infected by "not-a-virus:AdvWare.180Solutions" Virus. Action Taken: File Renamed.
File C:\temp\WebRebates_Auto_InstallSilent_Euro.exe infected by "not-a-virus:AdvWare.WebRebates.b" Virus. Action Taken: File Renamed.
Last edited by GorunNova on 11.09.2004, 15:56; edited 1 time in total.
GorunNova

Posts: 17
Registered: 11.09.2004, 10:41

Post by Nikita on 11.09.2004, 15:52

Post THE NEW HIJACKTHIS LOG !!!!!!!!

______________________________________________________________
the old one:
fix

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R3 - Default URLSearchHook is missing

Dialer:
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.advnt01.com/dialer/ger_nopop.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)

reboot

Delete, if you find it:

* feat2.dll - size: 91,136 bytes
* mshp.dll - size: 71,168 bytes
* msopt.dll - size: 12,800 bytes
* f2install.exe - size: 26,624 bytes
* msits.exe - size: 6,656 bytes
* service.exe - size: 9,216 bytes
* dict.dat
* keywords.dat

#Scan everything with mwav.exe and post the virus log + a new HijackThis log.

Regards
Nikita

http://www3.ca.com/securityadvisor/viru ... x?id=39520
Nikita
Moderator
 
Posts: 11478
Registered: 07.12.2003, 16:53
Location: Lisbon

Post by GorunNova on 11.09.2004, 16:05

Escan log:

It found no viruses!

Sat Sep 11 16:02:03 2004 => ***** Scanning Memory Files *****
Sat Sep 11 16:02:03 2004 => Scanning File C:\WINDOWS\system32\services.exe
Sat Sep 11 16:02:03 2004 => Scanning File C:\WINDOWS\system32\lsass.exe
Sat Sep 11 16:02:04 2004 => Scanning File C:\WINDOWS\system32\svchost.exe
Sat Sep 11 16:02:04 2004 => Scanning File C:\WINDOWS\System32\svchost.exe
Sat Sep 11 16:02:04 2004 => Scanning File C:\WINDOWS\system32\userinit.exe
Sat Sep 11 16:02:04 2004 => Scanning File C:\WINDOWS\Explorer.EXE
Sat Sep 11 16:02:04 2004 => Scanning File C:\WINDOWS\system32\spoolsv.exe
Sat Sep 11 16:02:04 2004 => Scanning File C:\PROGRA~1\ELABOR~1\CloneCD\CLONEC~1.EXE
Sat Sep 11 16:02:04 2004 => Scanning File C:\PROGRA~2\INTERN~1\optimize.exe
Sat Sep 11 16:02:04 2004 => Scanning File C:\WINDOWS\System32\RUNDLL32.EXE
Sat Sep 11 16:02:04 2004 => Scanning File C:\WINDOWS\System32\RunDll32.exe
Sat Sep 11 16:02:04 2004 => Scanning File C:\Programme\Messenger\msmsgs.exe
Sat Sep 11 16:02:04 2004 => Scanning File C:\WINDOWS\System32\ctfmon.exe
Sat Sep 11 16:02:04 2004 => Scanning File C:\PROGRA~1\ICQ\ICQ.exe
Sat Sep 11 16:02:04 2004 => Scanning File C:\WINDOWS\System32\nvsvc32.exe
Sat Sep 11 16:02:05 2004 => Scanning File C:\DOKUME~1\Ranma\LOKALE~1\Temp\mwavscan.com
Sat Sep 11 16:02:05 2004 => Scanning File C:\DOKUME~1\Ranma\LOKALE~1\Temp\kavss.exe

Sat Sep 11 16:02:05 2004 => ***** Scanning Registry Files *****
Sat Sep 11 16:02:05 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Sat Sep 11 16:02:05 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
Sat Sep 11 16:02:05 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sat Sep 11 16:02:05 2004 => Scanning HKCU\Control Panel\Desktop
Sat Sep 11 16:02:05 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sat Sep 11 16:02:06 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sat Sep 11 16:02:06 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Sat Sep 11 16:02:06 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Sat Sep 11 16:02:06 2004 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sat Sep 11 16:02:06 2004 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sat Sep 11 16:02:06 2004 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Sat Sep 11 16:02:06 2004 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Sat Sep 11 16:02:06 2004 => Scanning HKCR\txtfile\shell\open\command
Sat Sep 11 16:02:06 2004 => Scanning HKCR\comfile\shell\open\command
Sat Sep 11 16:02:06 2004 => Scanning HKCR\exefile\shell\open\command
Sat Sep 11 16:02:06 2004 => Scanning HKCR\dllfile\shell\open\command
Sat Sep 11 16:02:06 2004 => Scanning HKCR\batfile\shell\open\command
Sat Sep 11 16:02:06 2004 => Scanning HKCR\piffile\shell\open\command
Sat Sep 11 16:02:06 2004 => Scanning HKCR\scrfile\shell\open\command
Sat Sep 11 16:02:06 2004 => Scanning HKCR\scrfile\shell\config\command
Sat Sep 11 16:02:06 2004 => Scanning HKCR\regfile\shell\open\command

Sat Sep 11 16:02:06 2004 => ***** Scanning StartUp Folders *****

Sat Sep 11 16:02:06 2004 => ***** Scanning C:\Dokumente und Einstellungen\Ranma\Startmenü\Programme\Autostart Folder *****
Sat Sep 11 16:02:06 2004 => Scanning Folder: C:\Dokumente und Einstellungen\Ranma\Startmenü\Programme\Autostart\*.*

Sat Sep 11 16:02:06 2004 => ***** Scanning C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart Folder *****
Sat Sep 11 16:02:06 2004 => Scanning Folder: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\*.*

Sat Sep 11 16:02:06 2004 => ***** Scanning Service Files *****
Sat Sep 11 16:02:06 2004 => Scanning HKLM\SYSTEM\CurrentControlSet\Services
Sat Sep 11 16:02:10 2004 => ERROR!!! Invalid Entry C:\WINDOWS\addkm32.exe /s in SYSTEM\CurrentControlSet\Services\O?’ŽrtñåȲ$Ó...

Sat Sep 11 16:02:14 2004 => ***** Scanning System32 Folders *****
Sat Sep 11 16:02:14 2004 => Scanning C:\WINDOWS Directory
Sat Sep 11 16:02:14 2004 => Scanning Folder: C:\WINDOWS\*.*
Sat Sep 11 16:02:18 2004 => Scanning C:\WINDOWS\System32 Directory
Sat Sep 11 16:02:19 2004 => Scanning Folder: C:\WINDOWS\System32\*.*

Sat Sep 11 16:03:40 2004 => ***** Checking for specific ITW Viruses *****
Sat Sep 11 16:03:40 2004 => Checking for Welchia Virus...
Sat Sep 11 16:03:40 2004 => Checking for LovGate Virus...
Sat Sep 11 16:03:40 2004 => Checking for CodeRed Virus...
Sat Sep 11 16:03:40 2004 => Checking for OpaServ Virus...
Sat Sep 11 16:03:40 2004 => Checking for Sobig.e Virus...
Sat Sep 11 16:03:40 2004 => Checking for Winupie Virus...
Sat Sep 11 16:03:40 2004 => Checking for Swen Virus...
Sat Sep 11 16:03:40 2004 => Checking for JS.Fortnight Virus...
Sat Sep 11 16:03:40 2004 => Checking for Novarg Virus...
Sat Sep 11 16:03:40 2004 => Checking for Pagabot Virus...
Sat Sep 11 16:03:40 2004 => Checking for Parite.b Virus...
Sat Sep 11 16:03:40 2004 => Checking for Parite.a Virus...

Sat Sep 11 16:03:40 2004 => ***** Scanning complete. *****
Sat Sep 11 16:03:40 2004 => Total Number of Files Scanned: 2065
Sat Sep 11 16:03:40 2004 => Total Number of Virus(es) Found: 0
Sat Sep 11 16:03:40 2004 => Total Number of Disinfected Files: 0
Sat Sep 11 16:03:40 2004 => Total Number of Files Renamed: 0
Sat Sep 11 16:03:40 2004 => Total Number of Deleted Files: 0
Sat Sep 11 16:03:40 2004 => Total Number of Errors: 1
Sat Sep 11 16:03:40 2004 => Time Elapsed: 00:01:36
Sat Sep 11 16:03:40 2004 => Virus Database Date: 2004/09/08
Sat Sep 11 16:03:40 2004 => Virus Database Count: 103467

Sat Sep 11 16:03:40 2004 => Scan Completed.

Hijack log:

Logfile of HijackThis v1.98.2
Scan saved at 16:05:45, on 11.09.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Ranma\Desktop\hijackthis1982\HijackThis.exe

O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Reboot.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28A835C9-3F90-4B66-9234-ED82C781659A}: NameServer = 192.168.0.1,0.0.0.0
GorunNova
 
Posts: 17
Registered: 11.09.2004, 10:41

Post by Nikita on 11.09.2004, 16:07

Now the logs have apparently crossed: did you post the second/third log before the scan with mwav.exe or after it ???
...........................................................................................................................
3rd log

Fix:
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

reboot
..........................................................................................................................
<Optimize Adult Content Dialler
This program is a registered security risk and should be removed immediately.

#Registry
Start<Run<regedit (the registry's search function is at the top left)

delete on the right, if it is there:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Internet Optimizer"="C:\Program Files\Internet Optimizer\optimize.exe"
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA
# HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media
# HKEY_USERS\.DEFAULT\SOFTWARE\Avenue Media


REBOOT

1. Click Start > Control Panel.
2. In the Control Panel window, double-click Add or Remove Programs.
# Click "Internet Optimizer."

........................................................................................................................
2. Disable System Restore (!)
http://service1.symantec.com/SUPPORT/IN ... 7105707924

3.
Start<Run<%temp%
Delete ALL files and empty ALL folders (do not delete the folders themselves)

FOR EXAMPLE:
C:\Dokumente und Einstellungen\Ranma\Lokale Einstellungen\Temporary Internet Files\Content.IE5
C:\temp\Installer2.exe
C:\temp\msbb.exe
C:\temp\msbbhook.dll
C:\temp\WebRebates_Auto_InstallSilent_Euro.exe
.....
......
......
etc.


#scan
AdAware (free)
http://www.lavasoft.de/support/download/

#IE Spyad
http://www.pctipp.ch/downloads/dl/27634.asp
IE Spyad places a large number of dubious websites directly into Internet Explorer's Restricted Sites zone.
More and more websites want to foist expensive junk software on you. Whether spyware, adware, cheap porn sites or expensive dialers - there is nothing that dubious characters do not offer for sale. And since they know full well that you will not fall for their shoddy offers, they resort to tricks.

#Then post the new log again.

Regards
Nikita

http://sarc.com/avcenter/venc/data/pf/a ... zer.b.html
Nikita
Moderator
 
Posts: 11478
Registered: 07.12.2003, 16:53
Location: Lisbon
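
The entry types Nikita marks for fixing in the two posts above (R0/R1 values that load a `res://...dll` page, the R3 "missing" line, the O16 download from a bare `.exe`, the O18 handler whose file is missing, and the `Internet Optimizer` Run entry) can be pre-sorted from a HijackThis log before a person reviews it. The Python below is an added example, not part of the original thread and not HijackThis's own logic; the rule set, the function names and the `run_watchlist` parameter are assumptions, and the sample lines are copied from the logs quoted in this thread.

```python
import re

# Sample input assembled for this example from log lines quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xtqxa.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.advnt01.com/dialer/ger_nopop.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{28A835C9-3F90-4B66-9234-ED82C781659A}: NameServer = 192.168.0.1,0.0.0.0
"""

# A result line is "<section code> - <body>", e.g. "R1 - ..." or "O16 - ...".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# O4 autostart lines carry the value name in square brackets.
RUN_NAME_RE = re.compile(r"Run: \[([^\]]+)\]")


def parse_entries(log_text):
    """Return (code, body) for each result line; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def classify(code, body, run_watchlist=()):
    """Return a reason if the entry matches one of the patterns above, else None.

    These rules are illustrative assumptions derived from the thread; a match
    means "look at this first", not "delete this".
    """
    lower = body.lower()
    if code in ("R0", "R1"):
        # The configured value follows " = ".
        value = body.partition(" = ")[2].lower()
        if value.startswith("res://") and ".dll/" in value:
            return "IE search/start setting loads a page from inside a local DLL"
    elif code == "R3" and "missing" in lower:
        return "default URLSearchHook is missing"
    elif code == "O4":
        match = RUN_NAME_RE.search(body)
        names = {name.lower() for name in run_watchlist}
        if match and match.group(1).lower() in names:
            return "autostart entry is on the reviewer's watchlist"
    elif code == "O16":
        # The download source is the last " - " separated field.
        url = body.rsplit(" - ", 1)[-1].strip().lower()
        if url.startswith("http") and url.endswith(".exe"):
            return "ActiveX download source is a bare .exe, not a .cab"
    elif code == "O18" and lower.endswith("(file missing)"):
        return "protocol handler points to a file that no longer exists"
    return None


def triage(log_text, run_watchlist=()):
    """Return (code, reason, body) for every entry that matched a rule, in log order."""
    findings = []
    for code, body in parse_entries(log_text):
        reason = classify(code, body, run_watchlist)
        if reason:
            findings.append((code, reason, body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG, run_watchlist=["Internet Optimizer"]):
        print(f"{code:>3}  {reason}\n     {body}")
```

Entries that match no rule (the CloneCD autostart, the MSN `.cab` control, the O17 name server) are left for manual review rather than reported as clean.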

Post by GorunNova on 11.09.2004, 16:37

I deleted the Inet Optimizer stuff from the registry. Some of the entries you named were not there; I think they were caught by one of the numerous virus scanners I ran. Here are the new logs!

Logfile of HijackThis v1.98.2
Scan saved at 16:31:02, on 11.09.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Ranma\Desktop\hijackthis1982\HijackThis.exe

O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Reboot.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28A835C9-3F90-4B66-9234-ED82C781659A}: NameServer = 192.168.0.1,0.0.0.0

and the Escan log:

It did not write a virus log, so here is the main scan log:

Sat Sep 11 16:35:32 2004 => ***** Scanning Memory Files *****
Sat Sep 11 16:35:32 2004 => Scanning File C:\WINDOWS\system32\services.exe
Sat Sep 11 16:35:32 2004 => Scanning File C:\WINDOWS\system32\lsass.exe
Sat Sep 11 16:35:32 2004 => Scanning File C:\WINDOWS\system32\svchost.exe
Sat Sep 11 16:35:32 2004 => Scanning File C:\WINDOWS\System32\svchost.exe
Sat Sep 11 16:35:33 2004 => Scanning File C:\WINDOWS\Explorer.EXE
Sat Sep 11 16:35:33 2004 => Scanning File C:\WINDOWS\system32\spoolsv.exe
Sat Sep 11 16:35:33 2004 => Scanning File C:\PROGRA~1\ELABOR~1\CloneCD\CLONEC~1.EXE
Sat Sep 11 16:35:33 2004 => Scanning File C:\WINDOWS\System32\RUNDLL32.EXE
Sat Sep 11 16:35:33 2004 => Scanning File C:\WINDOWS\System32\RunDll32.exe
Sat Sep 11 16:35:33 2004 => Scanning File C:\Programme\Messenger\msmsgs.exe
Sat Sep 11 16:35:33 2004 => Scanning File C:\WINDOWS\System32\ctfmon.exe
Sat Sep 11 16:35:33 2004 => Scanning File C:\PROGRA~1\ICQ\ICQ.exe
Sat Sep 11 16:35:33 2004 => Scanning File C:\WINDOWS\System32\nvsvc32.exe
Sat Sep 11 16:35:33 2004 => Scanning File C:\PROGRA~1\INTERN~1\iexplore.exe
Sat Sep 11 16:35:33 2004 => Scanning File C:\PROGRA~1\INTERN~1\iexplore.exe
Sat Sep 11 16:35:33 2004 => Scanning File C:\DOKUME~1\Ranma\LOKALE~1\Temp\mwavscan.com
Sat Sep 11 16:35:33 2004 => Scanning File C:\DOKUME~1\Ranma\LOKALE~1\Temp\kavss.exe

Sat Sep 11 16:35:33 2004 => ***** Scanning Registry Files *****
Sat Sep 11 16:35:33 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Sat Sep 11 16:35:34 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
Sat Sep 11 16:35:34 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sat Sep 11 16:35:34 2004 => Scanning HKCU\Control Panel\Desktop
Sat Sep 11 16:35:34 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sat Sep 11 16:35:34 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sat Sep 11 16:35:34 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Sat Sep 11 16:35:34 2004 => Scanning HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Sat Sep 11 16:35:34 2004 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sat Sep 11 16:35:34 2004 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sat Sep 11 16:35:34 2004 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Sat Sep 11 16:35:34 2004 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Sat Sep 11 16:35:34 2004 => Scanning HKCR\txtfile\shell\open\command
Sat Sep 11 16:35:34 2004 => Scanning HKCR\comfile\shell\open\command
Sat Sep 11 16:35:34 2004 => Scanning HKCR\exefile\shell\open\command
Sat Sep 11 16:35:34 2004 => Scanning HKCR\dllfile\shell\open\command
Sat Sep 11 16:35:34 2004 => Scanning HKCR\batfile\shell\open\command
Sat Sep 11 16:35:34 2004 => Scanning HKCR\piffile\shell\open\command
Sat Sep 11 16:35:34 2004 => Scanning HKCR\scrfile\shell\open\command
Sat Sep 11 16:35:34 2004 => Scanning HKCR\scrfile\shell\config\command
Sat Sep 11 16:35:34 2004 => Scanning HKCR\regfile\shell\open\command

Sat Sep 11 16:35:34 2004 => ***** Scanning StartUp Folders *****

Sat Sep 11 16:35:34 2004 => ***** Scanning C:\Dokumente und Einstellungen\Ranma\Startmenü\Programme\Autostart Folder *****
Sat Sep 11 16:35:34 2004 => Scanning Folder: C:\Dokumente und Einstellungen\Ranma\Startmenü\Programme\Autostart\*.*

Sat Sep 11 16:35:34 2004 => ***** Scanning C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart Folder *****
Sat Sep 11 16:35:34 2004 => Scanning Folder: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\*.*

Sat Sep 11 16:35:34 2004 => ***** Scanning Service Files *****
Sat Sep 11 16:35:34 2004 => Scanning HKLM\SYSTEM\CurrentControlSet\Services
Sat Sep 11 16:35:37 2004 => ERROR!!! Invalid Entry C:\WINDOWS\addkm32.exe /s in SYSTEM\CurrentControlSet\Services\O?’ŽrtñåȲ$Ó...

Sat Sep 11 16:35:39 2004 => ***** Scanning System32 Folders *****
Sat Sep 11 16:35:39 2004 => Scanning C:\WINDOWS Directory
Sat Sep 11 16:35:39 2004 => Scanning Folder: C:\WINDOWS\*.*
Sat Sep 11 16:35:41 2004 => Scanning C:\WINDOWS\System32 Directory
Sat Sep 11 16:35:41 2004 => Scanning Folder: C:\WINDOWS\System32\*.*

Sat Sep 11 16:36:31 2004 => ***** Checking for specific ITW Viruses *****
Sat Sep 11 16:36:31 2004 => Checking for Welchia Virus...
Sat Sep 11 16:36:31 2004 => Checking for LovGate Virus...
Sat Sep 11 16:36:31 2004 => Checking for CodeRed Virus...
Sat Sep 11 16:36:31 2004 => Checking for OpaServ Virus...
Sat Sep 11 16:36:31 2004 => Checking for Sobig.e Virus...
Sat Sep 11 16:36:31 2004 => Checking for Winupie Virus...
Sat Sep 11 16:36:31 2004 => Checking for Swen Virus...
Sat Sep 11 16:36:31 2004 => Checking for JS.Fortnight Virus...
Sat Sep 11 16:36:31 2004 => Checking for Novarg Virus...
Sat Sep 11 16:36:31 2004 => Checking for Pagabot Virus...
Sat Sep 11 16:36:31 2004 => Checking for Parite.b Virus...
Sat Sep 11 16:36:31 2004 => Checking for Parite.a Virus...

Sat Sep 11 16:36:31 2004 => ***** Scanning complete. *****
Sat Sep 11 16:36:31 2004 => Total Number of Files Scanned: 2067
Sat Sep 11 16:36:31 2004 => Total Number of Virus(es) Found: 0
Sat Sep 11 16:36:31 2004 => Total Number of Disinfected Files: 0
Sat Sep 11 16:36:31 2004 => Total Number of Files Renamed: 0
Sat Sep 11 16:36:31 2004 => Total Number of Deleted Files: 0
Sat Sep 11 16:36:31 2004 => Total Number of Errors: 1
Sat Sep 11 16:36:31 2004 => Time Elapsed: 00:00:58
Sat Sep 11 16:36:31 2004 => Virus Database Date: 2004/09/08
Sat Sep 11 16:36:31 2004 => Virus Database Count: 103467

Sat Sep 11 16:36:31 2004 => Scan Completed.
GorunNova
 
Posts: 17
Registered: 11.09.2004, 10:41

C:\WINDOWS\addkm32.exe - Services\O?’ŽrtñåȲ$Ó

Post by Nikita on 11.09.2004, 16:56

"TrojanDownloader.Win32.Agent
C:\WINDOWS\addkm32.exe
...................................................................................................
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
-->>SYSTEM\CurrentControlSet\Services\O?’ŽrtñåȲ$Ó...
O?’ŽrtñåȲ$Ó...

Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fix.reg on the desktop.
------------------------------------------------------------------------------------------------------------------
Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?*001E*2019*017DRT*00F1*00E5*00C8*00B2$*000E*00D3]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?’ŽrtñåȲ$Ó]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\½O.#ž‚„
Last edited by Nikita on 22.11.2004, 02:09; edited 4 times in total.
Nikita
Moderator
 
Posts: 11478
Registered: 07.12.2003, 16:53
Location: Lisbon

Post by GorunNova on 13.09.2004, 15:27

I did not find the entry, and somehow not the file either, but no further problems have come up so far!

The Windows updates are installed!
GorunNova
 
Posts: 17
Registered: 11.09.2004, 10:41

Post by Nikita on 13.09.2004, 17:36

go into the registry
Start<Run<regedit

search under ALL keys for this entry:

CurrentControlSet\Services\O?’ŽrtñåȲ$Ó...

Regards
Nikita
Nikita
Moderator
 
Posts: 11478
Registered: 07.12.2003, 16:53
Location: Lisbon

Post by M1-OVERK!LL on 13.09.2004, 17:39

and then????

Do you even have any virus protection???
M1-OVERK!LL
 
Posts: 532
Registered: 13.09.2004, 17:17

Post by Gabi on 13.09.2004, 18:07

@ M1-OVERK!LL

Please let Nikita handle this, he knows his stuff; no virus scanner helps with this, and simply deleting it is not an option either.
Mine is infected too, I know what I am talking about.

Gabi
Gabi
 
Posts: 412
Registered: 29.12.2003, 14:43
Location: Worms
