escan logfile...bitte mal schauen...

Sandrafds · 24.09.2005, 18:35

Hallo,
seit ein paar tagen startet mein pc von alleine neu...und wenn ich auf irgendwelche fenster klicke, macht er die nur ne viertelsekunde auf und schließt sie sofort wieder. nun, da dachte ich mir ich untersuch ihn mal einwenig. wär nur klasse wenn ich davon auch ahnung hätte. nunja...habs also hijackthis mal durchlaufen lassen...und dann escan. nun zu meiner frage

kann mir bitte jemand nähere auskunft zu meinem mwav.log geben?

Sat Sep 24 17:32:57 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.

Sat Sep 24 17:33:01 2005 => Offending value found in HKLM\Software\magnet\handlers\bearshare !!!
Sat Sep 24 17:33:01 2005 => Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat Sep 24 17:33:01 2005 => Offending value found in HKLM\Software\Licenses !!!
Sat Sep 24 17:33:01 2005 => Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat Sep 24 17:33:01 2005 => Offending value found in HKLM\Software\Licenses !!!
Sat Sep 24 17:33:01 2005 => Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat Sep 24 17:33:19 2005 => Offending file found: C:\WINDOWS\iun6002.exe
Sat Sep 24 17:33:19 2005 => System found infected with zipitpro Spyware/Adware (C:\WINDOWS\iun6002.exe)! Action taken: No Action Taken.

Sat Sep 24 17:33:29 2005 => ***** Scanning Registry for errors created because of Adware/Spyware *****
Sat Sep 24 17:33:30 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\DIMM.DLL". Action Taken: No Action Taken.

Sat Sep 24 17:33:30 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Programme\InterVideo\Common\Bin\IVIPromotion.exe". Action Taken: No Action Taken.

Sat Sep 24 17:33:30 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ahead\NeroDigital\settings.xml". Action Taken: No Action Taken.

Sat Sep 24 17:33:31 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\LBTKA.EXE" refers to invalid object "". Action Taken: No Action Taken.

Sat Sep 24 17:33:32 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Adobe\Acrobat 6.0\TempIccProfiles\". Action Taken: No Action Taken.

Sat Sep 24 17:33:32 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Adobe\Acrobat 6.0\TempIccProfiles\Non-Recommended\". Action Taken: No Action Taken.

Sat Sep 24 17:33:33 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Nokia\Nokia PC Suite 5\". Action Taken: No Action Taken.

Sat Sep 24 17:33:33 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Nokia\Nokia PC Suite 5\Lang\". Action Taken: No Action Taken.

Sat Sep 24 17:33:33 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Gemeinsame Dateien\Nokia\". Action Taken: No Action Taken.

Sat Sep 24 17:33:33 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Nokia\Nokia PC Suite 5\Components\PhoneBrowserComponents\". Action Taken: No Action Taken.

Sat Sep 24 17:33:33 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Nokia\Nokia PC Suite 5\Components\". Action Taken: No Action Taken.

Sat Sep 24 17:33:33 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Nokia\Nokia PC Suite 5\Components\PhoneBrowserComponents\Lang\". Action Taken: No Action Taken.

Sat Sep 24 17:33:33 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Gemeinsame Dateien\Nokia\MPDB40\". Action Taken: No Action Taken.

Sat Sep 24 17:33:33 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\TMPGEnc\TMPGEnc 3.0 XPress\". Action Taken: No Action Taken.

Sat Sep 24 17:33:33 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\TMPGEnc\". Action Taken: No Action Taken.

Sat Sep 24 17:33:33 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Eidos Interactive\TRAOD\". Action Taken: No Action Taken.

Sat Sep 24 17:33:33 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Eidos Interactive\". Action Taken: No Action Taken.

Sat Sep 24 17:33:34 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InstallShield_{93656878-FF8B-4935-99BB-F3F260037C57}". Action Taken: No Action Taken.

Sat Sep 24 17:33:34 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "IrfanView". Action Taken: No Action Taken.

Sat Sep 24 17:33:34 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "IsoBuster_is1". Action Taken: No Action Taken.

Sat Sep 24 17:33:34 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KoolPlaya". Action Taken: No Action Taken.

Sat Sep 24 17:33:34 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7B63B2922B174135AFC0E1377DD81EC2}". Action Taken: No Action Taken.

Sat Sep 24 17:33:34 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{8ADFC4160D694100B5B8A22DE9DCABD9}". Action Taken: No Action Taken.

Sat Sep 24 17:33:34 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{A4D7B764-4140-11D4-88EB-0050DA3579C0}". Action Taken: No Action Taken.

Sat Sep 24 17:33:37 2005 => Entry "HKCR\CLSID\{86FC1FD1-BCF3-11D1-B76F-58BB04C10000}" refers to invalid object "E:\RUNTIME\mDxEmul.mom". Action Taken: No Action Taken.

Sat Sep 24 17:33:37 2005 => Entry "HKCR\CLSID\{86FC1FD3-BCF3-11D1-B76F-58BB04C10000}" refers to invalid object "E:\RUNTIME\mDxEmul.mom". Action Taken: No Action Taken.

Sat Sep 24 17:33:38 2005 => Entry "HKCR\CLSID\{FACF11A2-5095-11D3-A9DE-00C0268E5C48}" refers to invalid object "E:\RUNTIME\mDxEmul.mom". Action Taken: No Action Taken.

Sat Sep 24 17:33:38 2005 => Entry "HKCR\TypeLib\{0CEBAFA2-A5F8-11D1-B76F-58BB04C10000}" refers to invalid object "E:\RUNTIME\Md8Rntm.exe". Action Taken: No Action Taken.

Sat Sep 24 17:33:38 2005 => Entry "HKCR\TypeLib\{1257CD33-90D0-11D1-A197-080009AB3411}" refers to invalid object "E:\RUNTIME\Md8Rntm.exe". Action Taken: No Action Taken.

Sat Sep 24 17:33:39 2005 => Entry "HKCR\TypeLib\{143C9CF1-E3E7-11D1-A1D2-080009AB3411}" refers to invalid object "E:\RUNTIME\Md8Rntm.exe". Action Taken: No Action Taken.

Sat Sep 24 17:33:39 2005 => Entry "HKCR\TypeLib\{19362773-E965-11D1-A1F0-080009AB3411}" refers to invalid object "E:\RUNTIME\Md8Rntm.exe". Action Taken: No Action Taken.

Sat Sep 24 17:33:39 2005 => Entry "HKCR\TypeLib\{3E895E71-0C27-11D2-A212-080009AB3411}" refers to invalid object "E:\RUNTIME\Md8Rntm.exe". Action Taken: No Action Taken.

Sat Sep 24 17:33:39 2005 => Entry "HKCR\TypeLib\{67800A63-C222-11D1-A1B3-080009AB3411}" refers to invalid object "E:\RUNTIME\Md8Rntm.exe". Action Taken: No Action Taken.

Sat Sep 24 17:33:39 2005 => Entry "HKCR\TypeLib\{86FC1FC2-BCF3-11D1-B76F-58BB04C10000}" refers to invalid object "E:\RUNTIME\mDxEmul.mom". Action Taken: No Action Taken.

Sat Sep 24 17:33:39 2005 => Entry "HKCR\TypeLib\{9F3595E2-B5CC-11D1-B76F-58BB04C10000}" refers to invalid object "E:\RUNTIME\Md8Rntm.exe". Action Taken: No Action Taken.

Sat Sep 24 17:33:39 2005 => Entry "HKCR\TypeLib\{9FD46A24-F9E8-11D1-A204-080009AB3411}" refers to invalid object "E:\RUNTIME\Md8Rntm.exe". Action Taken: No Action Taken.

Sat Sep 24 17:33:39 2005 => Entry "HKCR\TypeLib\{C8E100B3-6D59-11D1-A181-080009AB3411}" refers to invalid object "E:\RUNTIME\Md8Rntm.exe". Action Taken: No Action Taken.

Sat Sep 24 17:33:39 2005 => Entry "HKCR\TypeLib\{FD6E3405-67CB-11D1-A17E-080009AB3411}" refers to invalid object "E:\RUNTIME\Md8Rntm.exe". Action Taken: No Action Taken.

Sat Sep 24 17:33:40 2005 => Entry "HKCR\.pcb" refers to invalid object "PCBFile". Action Taken: No Action Taken.

Sat Sep 24 17:33:40 2005 => Entry "HKCR\.xmd" refers to invalid object "xmd". Action Taken: No Action Taken.

Sat Sep 24 17:33:40 2005 => Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.

Sat Sep 24 17:33:40 2005 => Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.

Sat Sep 24 17:33:41 2005 => Entry "HKCR\Kavvlg.Kavvlg" refers to invalid object "{5A61B58E-2B0A-4B67-A882-FFC6FEAF12EE}". Action Taken: No Action Taken.

Sat Sep 24 17:33:41 2005 => Entry "HKCR\Kavvlg.Kavvlg.1" refers to invalid object "{5A61B58E-2B0A-4B67-A882-FFC6FEAF12EE}". Action Taken: No Action Taken.

Sat Sep 24 17:33:41 2005 => Entry "HKCR\KoolPlayaFile\shell\open\command" refers to invalid object "E:\Koolplaya.exe "%1"". Action Taken: No Action Taken.

Sat Sep 24 17:33:41 2005 => Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.

Sat Sep 24 17:33:41 2005 => Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.

Sat Sep 24 17:33:41 2005 => Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.

Sat Sep 24 17:33:42 2005 => Entry "HKCR\RECORDING.RecordingCtrl.1" refers to invalid object "{42A3A9AB-F7B4-40B1-B2AA-F31E35459D4A}". Action Taken: No Action Taken.

achja, und was ist zipitpro Spyware/Adware (C:\WINDOWS\iun6002.exe) genau? wo fängt man sich denn so wat ein?

vielen dank im voraus...

stupormundi · 26.09.2005, 07:17

Servus, sandrafds!
Schon versucht, die unerwünschte Adware durch Deinstallation in der Systemsteuerung-->Software zu entfernen?
Die Datei
Zitat:

Zitat:

C:\WINDOWS\iun6002.exe

mit der killbox
http://www.bleepingcomputer.com/files/killbox.php mit der Option "delete on reboot" im abgesicherten modus bei abgeschalteter Systemwiederherstellung http://www.systemwiederherstellung-d...indows-xp.html zu löschen!
Lass anschließend mal Spybot S&D http://security.kolla.de/ und/oder Adaware http://www.lavasoft.de/ im abgesicherten Modus laufen und entferne, was vorgeschlagen wird.
Für die Meldungen wegen der ungültigen Verweise in der Registry benutze RegSeeker http://www.winload.de/download/26877...1.35.1203.html mit der Option "Clean the registry"
Danach nach temp. Ordner, Papierkorb leeren und anschließend die Systemwiederherstellung wieder einschalten!
Anschließend poste ein HJT-Logfile nach Cidres Anleitung http://www.trojaner-board.de/showthread.php?t=17493
Bis dann, stupormundi

Sandrafds · 26.09.2005, 20:01

so, alles gemacht. allerdings findet nix meine blöde bearshare spyware. ich hab das schon ewig nicht mehr auf´m pc. und nix hat bisher deswegen alarm geschlagen. weder ad-aware noch regfreeze noch sonstwas. nur escan schlägt alarm... nunja...eine bitte hab ich noch: bitte nicht mein total veraltetes system auslachen und meine hundert sicherheitsprogs

ich weiß...ist nicht der hit...ist aber alles was ich habe...

Logfile of HijackThis v1.99.1
Scan saved at 20:50:06, on 26.09.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Securepoint Personal Firewall\driver\spfirewallsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\SLEE81.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Trojancheck 6.2\tcguard.exe
C:\unzipped\rebuilt.anydvd\AnyDVD.exe
C:\Programme\D-Tools\daemon.exe
C:\programme\securepoint personal firewall\bin\sppfw.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\NOPOPUP\NoPopUp 2003\nopopup.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\unzipped\RegSeeker\RegSeeker\RegSeeker.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\regedit.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osnanet.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Trojancheck 6 Guard] C:\Programme\Trojancheck 6.2\tcguard.exe
O4 - HKLM\..\Run: [AnyDVD] C:\unzipped\rebuilt.anydvd\AnyDVD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Securepoint Personal Firewall] c:\programme\securepoint personal firewall\bin\sppfw.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NoPopUp] C:\Programme\NOPOPUP\NoPopUp 2003\nopopup.exe /autorun
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: RegFreeze.lnk = C:\Programme\RegFreeze\regfreeze.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://webmail.osnanet.de
O16 - DPF: {24311111-1111-1121-1111-111191113457} -
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Steganos Live Encryption Engine 8.1 [Service] (SLEE_81_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE81.exe
O23 - Service: Securepoint Personal Firewall (spfirewallsvc) - Securepoint Latinoamerica S.A. de C.V. - C:\Programme\Securepoint Personal Firewall\driver\spfirewallsvc.exe

vielen dank...

chaosman · 26.09.2005, 20:16

@Sandrafds
update dein system und IE
wechsle danach in den abgesicherten modus und fixe mit HJT
O16 - DPF: {24311111-1111-1121-1111-111191113457} -
neu booten, neues HJT logfile posten

chaosman

Sandrafds · 29.09.2005, 19:06

da bin ich wieder...

mit systemupdaten war nicht viel, da ich so´n nettes modem habe...du weißt schon 56 kb...ähm das würde 10 stunden dauern...aber da ich bald dsl hab...hol ich das dann schnell nach...

Logfile of HijackThis v1.99.1
Scan saved at 09:12:43, on 28.09.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Securepoint Personal Firewall\driver\spfirewallsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\SLEE81.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Trojancheck 6.2\tcguard.exe
C:\unzipped\rebuilt.anydvd\AnyDVD.exe
C:\Programme\D-Tools\daemon.exe
C:\programme\securepoint personal firewall\bin\sppfw.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\NOPOPUP\NoPopUp 2003\nopopup.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osnanet.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Trojancheck 6 Guard] C:\Programme\Trojancheck 6.2\tcguard.exe
O4 - HKLM\..\Run: [AnyDVD] C:\unzipped\rebuilt.anydvd\AnyDVD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Securepoint Personal Firewall] c:\programme\securepoint personal firewall\bin\sppfw.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NoPopUp] C:\Programme\NOPOPUP\NoPopUp 2003\nopopup.exe /autorun
O4 - HKCU\..\Run: [NBJ] "C:\Programme\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: RegFreeze.lnk = C:\Programme\RegFreeze\regfreeze.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://webmail.osnanet.de
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Steganos Live Encryption Engine 8.1 [Service] (SLEE_81_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE81.exe
O23 - Service: Securepoint Personal Firewall (spfirewallsvc) - Securepoint Latinoamerica S.A. de C.V. - C:\Programme\Securepoint Personal Firewall\driver\spfirewallsvc.exe

bearshare hab ich mittlerweile gefunden und enfernt auch, ebenso C:\WINDOWS\iun6002.exe...dafür hab ich jetzt angeblich ezula daruf...GRRRRRRRRRRRR

escan logfile...bitte mal schauen...

Plagegeister aller Art und deren Bekämpfung: escan logfile...bitte mal schauen...