Google leitet auf Werbeseiten weiter. Bitte Log-File auswerten!

KEEGAN · 14.01.2008, 22:58

Hallo,

mein Problem lautet wie folgt:
Ich gebe bei Google eine Suchanfrage ein, Resultate sind normal. Beim anklicken der Links werde ich aber auf allemöglichen Suchmaschinen und Pornoseiten weitergeleitet. Search and Destroy hat das System schon überprüft und auch 2 Dateien entfernt, geholfen hat es aber nichts. Hoffe hier kann mir jemand helfen.

Hier mein Log-File:

Logfile of HijackThis v1.99.1
Scan saved at 22:52:22, on 14.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programme\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www.wxdieptvmxnbjsmwibtx.org/27wFGVmeEDEc_KU0SVrzyCN3ahQbNKckp2yHTNil_tiKb/0jBLs1isqhqUPB6k4Z.cgi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Schnellstart.lnk = C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - h**p://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - h**p://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {14F65762-96FB-44B9-8DAC-93845F377A0E} (FileSharingCtrl Class) - h**p://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/de/filesharingctrl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - h**p://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - h**p://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130000995859
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - h**p://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - h**p://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - h**p://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - h**p://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - h**p://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - h**p://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Print Spooler Service (e0eueyuivnemp) - Unknown owner - C:\WINDOWS\system32\qrvp.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\KAV\KAVSVC.exe (file missing)
O23 - Service: MrobeService - Unknown owner - C:\WINDOWS\system32\MRobeService.exe (file missing)
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe

Chris4You · 15.01.2008, 08:20

Hmm,

einige seltsame Einträge:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www.wxdieptvmxnbjsmwibtx.org/27wFGVmeEDEc_KU0SVrzyCN3ahQbNKckp2yHTNil_tiK b/0jBLs1isqhqUPB6k4Z.cgi
Unbekannt
O23 - Service: Print Spooler Service (e0eueyuivnemp) - Unknown owner - C:\WINDOWS\system32\qrvp.exe (file missing)

Fixe diese Einträge mit HJ:
Öffne das HijackThis -- Button "scan" -- vor den unten genannten Einträge(n) Häkchen setzen -- Button "Fix checked" -- PC neustarten
Achtung: Alle Anwendungen bis auf HJ müssen geschlossen sein, ein eventuell aktiver Teatimer von Spybot muss unbedingt deaktiviert sein!)

Zitat:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www.wxdieptvmxnbjsmwibtx.org/27wFGVmeEDEc_KU0SVrzyCN3ahQbNKckp2yHTNil_tiK b/0jBLs1isqhqUPB6k4Z.cgi
Unbekannt
O23 - Service: Print Spooler Service (e0eueyuivnemp) - Unknown owner - C:\WINDOWS\system32\qrvp.exe (file missing)

Poste das Hosts-File:
Lade das Host-file (C:\WINDOWS\system32\drivers\etc\hosts) in einen Texteditor (im Explorer drauf klicken, rechte Maus, senden an -> editor).
Kopiere den Inhalt und poste ihn hier...

Dr. Web:
Zusaetzlich bitte noch CureIT nutzen Anleitung: Anleitung: DrWeb - CureIt - Anleitung
Aber bitte den Download von hier nutzen http://freedrweb.com/?lng=de
Poste das Log von Cureit...

chris

KEEGAN · 15.01.2008, 22:38

Log von Cureit:

mdmar1.PNF C:\WINDOWS\inf Modifikation von VBS.LoveLetter Verschoben.

In der Hosts-Datei stehen zu viele Links, total hätte der Post dann 200'000 Zeichen... Kann ich gar nicht alle einfügen.

Chris4You · 16.01.2008, 07:56

Hi,

ein derart großes Hostsfile ist nicht normal, ich denke da haben wir Deine Umleitungen erwischt. Sichere das Hostsfile (kopiere es z.B. nach Hosts.bak),
arbeite dann folgendes ab:

http://www.funkytoad.com/content/view/13/
Lade die Datei "HostsXpert" auspacken und führe zuerst ein Backup
des aktullen Hostsfiles durch. Danach "Restore MS Hosts".
Neu booten, Hostfile nochmals kontrolliern und Internet ausprobieren.
Falls das Internet nichtmehr läuft, altes Hostfile ("Restore") zurückholen
und den Inhalt vom Hostsfile posten (ggf. packen).

chris

KEEGAN · 16.01.2008, 20:34

Mein neues Hosts-File hat nur noch diesen Eintrag:

Zitat:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

Die Weiterleitungen gibt es aber immer noch!

Chris4You · 17.01.2008, 07:25

Hi,

dann müssen wir tiefer einsteigen...
Hast Du eine SW neulich installiert, die sowas mitbringen könnte (Werbefinanziert?)...

ComboFix:
Lade es von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop.
Alle Fenster schliessen und combofix.exe starten und bestätige die folgende Abfrage mit 1 und drücke Enter.

Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Während des Scans bitte nichts am Rechner unternehmen
Es kann möglich sein, dass der Rechner zwischendurch neu gestartet wird.
Nach Scanende wird ein Report angezeigt, den bitte kopieren und in deinem Thread einfuegen.

Silentrunner:
Ziparchive in ein Verzeichnis auspacken, mit Doppelklick starten, "ja" auswählen.
Die erstellte Datei findet sich im gleichen Verzeichnis wo das Script hinkopiert wurde, bitte in Editor laden und posten.
http://www.silentrunners.org/Silent%20Runners.zip

Abschließend noch ein neues HJ-Log, allerdings mit der 2.02-Version posten:
http://www.trojaner-board.de/51130-anleitung-hijackthis.html

chris

KEEGAN · 17.01.2008, 13:51

Combofix-Report:

Zitat:

ComboFix 08-01-17.5 - Besitzer 2008-01-17 13:15:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.209 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Besitzer\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kdedy.exe

.
((((((((((((((((((((((( Dateien erstellt von 2007-12-17 bis 2008-01-17 ))))))))))))))))))))))))))))))
.

2008-01-17 13:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 18:41 . 2008-01-15 18:41 <DIR> d-------- C:\Dokumente und Einstellungen\Besitzer\DoctorWeb
2008-01-14 22:26 . 2008-01-14 22:26 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\fssg
2008-01-11 16:03 . 2008-01-11 16:05 49 --a------ C:\tmp.bat
2007-12-24 15:42 . 2007-12-24 15:42 <DIR> d-------- C:\Programme\Clickster
2007-12-20 18:37 . 2008-01-17 13:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 18:37 . 2007-12-20 18:37 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-20 15:15 . 2007-12-20 15:15 <DIR> d-------- C:\Programme\Security Task Manager
2007-12-20 15:15 . 2007-12-20 15:20 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SecTaskMan
2007-12-19 19:18 . 2007-12-19 20:10 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2007-12-19 18:56 . 2007-12-19 18:59 <DIR> d--hsc--- C:\Programme\Gemeinsame Dateien\WindowsLiveInstaller
2007-12-19 18:55 . 2007-12-19 19:00 <DIR> d-------- C:\Programme\Windows Live
2007-12-19 18:55 . 2007-12-19 18:55 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WLInstaller
2007-12-17 18:40 . 2007-12-17 18:40 <DIR> d-------- C:\Programme\QuickTime
2007-12-17 18:03 . 2007-12-17 18:03 <DIR> d-------- C:\Dokumente und Einstellungen\Besitzer\Anwendungsdaten\vlc
2007-12-17 18:02 . 2007-12-17 18:02 <DIR> d-------- C:\Programme\VLC_Player

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 18:15 --------- d-----w C:\Dokumente und Einstellungen\Besitzer\Anwendungsdaten\SolidDocuments
2008-01-11 17:47 --------- d-----w C:\Dokumente und Einstellungen\Besitzer\Anwendungsdaten\temp
2008-01-10 21:28 --------- d-----w C:\Programme\Spiele
2008-01-10 17:06 --------- d--h--w C:\Programme\InstallShield Installation Information
2007-12-04 17:48 --------- d-----w C:\Programme\K-Lite Codec Pack
2007-11-23 18:23 --------- d-----w C:\Programme\LimeWire
2006-09-04 21:17 4,096 ----a-w C:\Dokumente und Einstellungen\Besitzer\log.dat
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programme\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:57 15360]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"SpybotSD TeaTimer"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Programme\ICQLite\ICQLite.exe" [2006-05-07 17:49 3139164]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 15:28 790528]
"SoundMAX"="C:\Programme\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 08:42 585728]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"anvshell"="anvshell.exe" [2003-07-24 08:19 380928 C:\WINDOWS\anvshell.exe]
"LiveNote"="livenote.exe" [2002-07-11 14:31 40960 C:\WINDOWS\livenote.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 01:17 188416]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Acrobat Assistant 7.0"="C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"DAEMON Tools"="C:\Programme\DAEMON Tools\daemon.exe" [2005-11-08 23:00 128920]
"Norman ZANDA"="C:\Norman\Npm\bin\ZLH.exe" [2007-08-09 13:39 183352]
"ICQ Lite"="C:\Programme\ICQLite\ICQLite.exe" [2006-05-07 17:49 3139164]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 16:22 86016]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2007-06-17 19:47 180269]
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:57 15360]

R1 ANVIOCTL;ANVIOCTL;C:\WINDOWS\system32\DRIVERS\anvioctl.sys [2003-07-04 05:45]
R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys [2005-08-04 14:40]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-04-21 22:20]
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-11-04 16:05]
R1 SSHDRV86;SSHDRV86;C:\WINDOWS\system32\drivers\SSHDRV86.sys [2005-05-18 16:52]
R2 Ndiskio;Ndiskio;C:\Norman\Nse\bin\NDISKIO.SYS [2007-01-02 09:55]
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2007-09-06 09:45]
R3 nvcoas;Norman Virus Control on-access component;C:\Norman\Nvc\bin\nvcoas.exe [2007-12-12 11:45]
R3 NVCScheduler;Norman Virus Control Scheduler;C:\Norman\Nvc\BIN\NVCSCHED.EXE [2007-05-23 12:23]
S2 e0eueyuivnemp;Print Spooler Service;C:\WINDOWS\system32\qrvp.exe []
S2 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\system32\Drivers\WNMFLT.SYS []
S3 7f662d68-d809-4ba3-8e41-ede4573614f5;7f662d68-d809-4ba3-8e41-ede4573614f5;D:\Player\cds300.dll []
S3 camvid20;Philips ToUcam Camera; Video;C:\WINDOWS\system32\DRIVERS\camdrv21.sys []
S3 nvcfsr;nvcfsr;C:\Norman\Nvc\bin\nvcfsr.sys [2007-01-09 14:25]
S3 nvcoafl51;nvcoafl51;C:\Norman\Nvc\bin\nvcoafl51.sys [2007-01-09 14:25]
S3 nvcoaft51;nvcoaft51;C:\Norman\Nvc\bin\nvcoaft51.sys [2007-01-09 14:25]
S3 nvcoarc51;nvcoarc51;C:\Norman\Nvc\bin\nvcoarc51.sys [2007-01-09 14:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{02a9b619-5229-11db-b5be-806d6172696f}]
\Shell\AutoRun\command - D:\RunGame.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{26B441A2-C727-C117-0100-020304000306}]
C:\WINDOWS\system32\Winlog.exe
.
Inhalt des "geplante Tasks" Ordners
"2008-01-11 16:15:01 C:\WINDOWS\Tasks\1-Klick-Wartung.job"
- C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-11 17:16:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programme\Apple Software Update\SoftwareUpdate.exe
"2008-01-14 18:27:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1097083596.job"
- C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 13:32:57
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-01-17 13:39:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 12:39:15
.
2008-01-09 15:03:13 --- E O F ---

KEEGAN · 17.01.2008, 13:53

Silentrunner-Skript:

Zitat:

"Silent Runners.vbs", revision 55, h**p://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMAXPnP" = "C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = ""C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"anvshell" = "anvshell.exe" ["AsusTeK Computer Inc."]
"LiveNote" = "livenote.exe" [null data]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" ["HP"]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Acrobat Assistant 7.0" = ""C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"DAEMON Tools" = ""C:\Programme\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"Norman ZANDA" = "C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH" ["Norman ASA"]
"ICQ Lite" = ""C:\Programme\ICQLite\ICQLite.exe" -minimize" ["ICQ Ltd."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{259F616C-A300-44F5-B04A-ED001A26C85C}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Solid Converter PDF"
\InProcServer32\(Default) = "C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{259F616C-A300-44F5-B04A-ED001A26C85C}" = "SolidConverter extension"
-> {HKLM...CLSID} = "Solid Converter PDF"
\InProcServer32\(Default) = "C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"PFDNNT C:\WINDOWS\system32\pavipc.dll" [file not found]|"PFDNNT C:\WINDOWS\system32\SYSTOOLS.DLL" [file not found]|"PFDNNT C:\WINDOWS\system32\PavSHook.dll" [file not found]|"PFDNNT C:\WINDOWS\system32\drivers\pavdrv51.sys" [file not found]|"PFDNNT C:\WINDOWS\system32\TpUtil.dll" [file not found]|"PFDNNT C:\WINDOWS\system32\avldr.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\apvxdwin.exe" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\avcic.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\borlndmm.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\cc3250mt.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\COMFLTNT.DLL" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\Config.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\icl_cfg.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\icl_mtr.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\icl_trf.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\InstLSP.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\Langm5.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\LocalSrv.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PAV2WSC.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PAVALE.DLL" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PavAMW.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pavexcfg.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PavFtp.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PavHttp.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pavim.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pavlsp.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PavMiCli.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PavNntp.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pavoepl.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PavPop3.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PAVSCR.DLL" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PavSmtp.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pavsrvdl.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\Pavtftp.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PavTrc.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PavWeb.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PavWmail.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PLATC.DLL" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PLATCTRL.BPL" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PLATMSG.DLL" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PNDCTRLA.BPL" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PSAEng.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PSAUI.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\Pskads.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pskalloc.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\Pskas.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pskavs.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pskcmp.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pskfss.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PSKHTML.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pskmfs.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pskpack.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PSKSCF.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pskutil.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pskvfile.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pskvfs.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\pskvm.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PSWLabel.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\PSWLRes.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\RsdnAPI.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\ScanObjs.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\SrvLoad.exe" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\StoreMan.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\TPConf.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\UtilPlat.dll" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\vcl50.bpl" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\vclx50.bpl" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\WebProxy.exe" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\MshConf" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam" [file not found]|"PFDNNT C:\Programme\Panda Software\Panda Platinum 2006 Internet Security" [file not found]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
NVC\(Default) = "{D5507020-DB45-11d1-A5F0-00600872F78D}"
-> {HKLM...CLSID} = "Norman Virus Control Shell Extension"
\InProcServer32\(Default) = "C:\Norman\Nvc\BIN\NVCSE.DLL" ["Norman Data Defense Systems"]
SolidConverterPDF\(Default) = "{259F616C-A300-44F5-B04A-ED001A26C85C}"
-> {HKLM...CLSID} = "Solid Converter PDF"
\InProcServer32\(Default) = "C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
NVC\(Default) = "{D5507020-DB45-11d1-A5F0-00600872F78D}"
-> {HKLM...CLSID} = "Norman Virus Control Shell Extension"
\InProcServer32\(Default) = "C:\Norman\Nvc\BIN\NVCSE.DLL" ["Norman Data Defense Systems"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
NVC\(Default) = "{D5507020-DB45-11d1-A5F0-00600872F78D}"
-> {HKLM...CLSID} = "Norman Virus Control Shell Extension"
\InProcServer32\(Default) = "C:\Norman\Nvc\BIN\NVCSE.DLL" ["Norman Data Defense Systems"]
SolidConverterPDF\(Default) = "{259F616C-A300-44F5-B04A-ED001A26C85C}"
-> {HKLM...CLSID} = "Solid Converter PDF"
\InProcServer32\(Default) = "C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Besitzer\Anwendungsdaten\Mozilla\Firefox\Desktop Hintergrund.bmp"

Startup items in "Besitzer" & "All Users" startup folders:
----------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Acrobat - Schnellstart" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe" [null data]
"Microsoft Office OneNote 2003 Schnellstart" -> shortcut to: "C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE /tsr" [MS]

Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" [file not found]
"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"FRU Task #Hewlett-Packard#hp psc 1200 series#1097083596" -> launches: "C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1097083596"" [empty string]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

KEEGAN · 17.01.2008, 13:54

Silentrunner-Skript Teil 2:

Zitat:

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
"{259F616C-A300-44F5-B04A-ED001A26C85C}" = (no title provided)
-> {HKLM...CLSID} = "Solid Converter PDF"
\InProcServer32\(Default) = "C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll" ["VoyagerSoft, LLC"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
iPod-Dienst, iPod Service, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Inc."]
Norman eLogger service 6, eLoggerSvc6, ""C:\Norman\Npm\bin\ELOGSVC.EXE"" ["Norman ASA"]
Norman NJeeves, Norman NJeeves, "C:\Norman\Npm\bin\NJEEVES.EXE" ["Norman ASA"]
Norman Virus Control on-access component, nvcoas, "C:\Norman\Nvc\bin\nvcoas.exe" ["Norman ASA"]
Norman Virus Control Scheduler, NVCScheduler, "C:\Norman\Nvc\BIN\NVCSCHED.EXE" ["Norman ASA"]
Norman ZANDA, Norman ZANDA, ""C:\Norman\Npm\Bin\Zanda.exe"" ["Norman ASA"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SolidPDFConverterReadSpool, ScReadSpool, "C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe" ["VoyagerSoft, LLC"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Programme\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
hpzlnt07\Driver = "hpzlnt07.dll" ["HP"]
hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

---------- (launch time: 2008-01-17 13:43:35)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 58 seconds, including 10 seconds for message boxes)

KEEGAN · 17.01.2008, 13:57

Die Weiterleitungen scheinen jetzt weg zu sein! Vielen Dank für die Hilfe, werde dieses Forum sicher weiterempfehlen!

Neues Logfile:

Zitat:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:49, on 2008-01-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Npm\Bin\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\Programme\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Norman\Npm\bin\NJEEVES.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programme\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Norman\Npm\bin\ZLH.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Besitzer\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Schnellstart.lnk = C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - h**p://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - h**p://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {14F65762-96FB-44B9-8DAC-93845F377A0E} (FileSharingCtrl Class) - h**p://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/de/filesharingctrl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - h**p://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - h**p://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130000995859
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - h**p://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - h**p://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - h**p://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - h**p://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - h**p://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - h**p://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Print Spooler Service (e0eueyuivnemp) - Unknown owner - C:\WINDOWS\system32\qrvp.exe (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\KAV\KAVSVC.exe (file missing)
O23 - Service: MrobeService - Unknown owner - C:\WINDOWS\system32\MRobeService.exe (file missing)
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Programme\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programme\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 11986 bytes

Chris4You · 17.01.2008, 14:42

Hi,

prüfe diese Files bitte noch online:
virustotal
Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen (oder gleich die Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf "Send"... jetzt abwarten - dann mit der rechten Maustaste den Text markieren -> kopieren - einfügen
http://www.virustotal.com/flash/index_en.html

Zitat:

C:\WINDOWS\system32\Winlog.exe
D:\RunGame.exe
C:\WINDOWS\system32\qrvp.exe
C:\WINDOWS\QTFont.qfn

Poste das Ergebnis jeweils mit Filename!

Noch eine Frage:
Du hattest Panda-Platin auf Deinem Rechner und es deinstalliert?
Auf jeden Fall hat es einigen Müll zurückgelassen...

Chris

KEEGAN · 17.01.2008, 18:05

Zitat:

C:\WINDOWS\QTFont.qfn:

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.1.17.11 2008.01.17 -
AntiVir 7.6.0.48 2008.01.17 -
Authentium 4.93.8 2008.01.17 -
Avast 4.7.1098.0 2008.01.16 -
AVG 7.5.0.516 2008.01.17 -
BitDefender 7.2 2008.01.17 -
CAT-QuickHeal 9.00 2008.01.17 -
ClamAV 0.91.2 2008.01.17 -
DrWeb 4.44.0.09170 2008.01.17 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5465 2008.01.17 -
Ewido 4.0 2008.01.17 -
FileAdvisor 1 2008.01.17 -
Fortinet 3.14.0.0 2008.01.17 -
F-Prot 4.4.2.54 2008.01.16 -
F-Secure 6.70.13260.0 2008.01.17 -
Ikarus T3.1.1.20 2008.01.17 -
Kaspersky 7.0.0.125 2008.01.17 -
McAfee 5210 2008.01.17 -
Microsoft 1.3109 2008.01.17 -
NOD32v2 2802 2008.01.17 -
Norman 5.80.02 2008.01.17 -
Panda 9.0.0.4 2008.01.17 -
Rising 20.27.31.00 2008.01.17 -
Sophos 4.24.0 2008.01.17 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.17 -
TheHacker 6.2.9.189 2008.01.17 -
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.17 -
Webwasher-Gateway 6.6.2 2008.01.17 -
weitere Informationen
File size: 54156 bytes
MD5: dba91cd5a3a68302967c03213e52bde8
SHA1: 8188a5832590c810b08ee3a2f1567afcdd094108
PEiD: -

Bei den drei anderen Dateien kam folgende Meldung:

Zitat:

0 bytes size received / Se ha recibido un archivo vacio

Chris4You · 18.01.2008, 07:33

Hi,

Okay, dann entfernen wir erstmal den seltsamen Spooler-Dienst:
"Print Spooler Service (e0eueyuivnemp)"

Hijackthis, fixen:
Öffne das HijackThis -- Button "scan" -- vor den unten genannten Einträge(n) Häkchen setzen -- Button "Fix checked" -- PC neustarten
Achtung: Alle Anwendungen bis auf HJ müssen geschlossen sein, ein eventuell aktiver Teatimer von Spybot muss unbedingt deaktiviert sein!)

Zitat:

O23 - Service: Print Spooler Service (e0eueyuivnemp) - Unknown owner - C:\WINDOWS\system32\qrvp.exe (file missing)

Die zwei anderen sind tief in der Registry vergraben, d.h. über Regedit such und löschen oder, da die Files ja gelöscht sind, stehen lassen und ein Registry-Cleaningtool drüber laufen lassen...
http://www.ccleaner.com/ccleaner-20

Chris

Google leitet auf Werbeseiten weiter. Bitte Log-File auswerten!

Log-Analyse und Auswertung: Google leitet auf Werbeseiten weiter. Bitte Log-File auswerten!