Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 26.04.2010, 21:46   #16
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



Dann probiers mal so:

1.) Lade Dir von hier Avenger:
Swandog46's Public Anti-Malware Tools (Download, linksseitig)

2.) Entpack das zip-Archiv, führe die Datei "avenger.exe" aus (unter Vista per Rechtsklick => als Administrator ausführen). Die Haken unten wie abgebildet setzen:



3.) Kopiere Dir exakt die Zeilen aus dem folgenden Code-Feld:
Code:
ATTFilter
registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00442EC8-157D-4596-8102-C01D4FDAFB02}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B05EAD5-831C-8AA9-3141-47E428312C83}

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | jeqnrusotet

files to delete:
C:\WINDOWS\system32\tlcgrqddwsjaaycvh.dll
C:\WINDOWS\system32\hrpzypds.dll
         
4.) Geh in "The Avenger" nun oben auf "Load Script", dort auf "Paste from Clipboard".

5.) Der Code-Text hier aus meinem Beitrag müsste nun unter "Input Script here" in "The Avenger" zu sehen sein.

6.) Falls dem so ist, klick unten rechts auf "Execute". Bestätige die nächste Abfrage mit "Ja", die Frage zu "Reboot now" (Neustart des Systems) ebenso.

7.) Nach dem Neustart erhältst Du ein LogFile von Avenger eingeblendet. Kopiere dessen Inhalt und poste ihn hier.

8.) Die Datei c:\avenger\backup.zip bei file-upload.net hochladen und hier verlinken
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 27.04.2010, 19:45   #17
BTT
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



Hallo Arne,

wie du sehen kannst, hat er eine der dateien nicht finden können... liegt aber vermutlich daran, dass mein avira mit dem neuesten update das ding C:\WINDOWS\system32\hrpzypds.dllals malware erkannt hat und es in die quarantäne gesteckt hat...

In der Datei 'C:\WINDOWS\system32\hrpzypds.dll'
wurde ein Virus oder unerwünschtes Programm 'TR/BHO.aftj' [trojan] gefunden.
Ausgeführte Aktion: Datei in Quarantäne verschieben

(hab ich eben festgestellt, nachdem ich mich gewundert habe, dass es nicht da ist.. drück ja bei allen meldungen schon nur noch aus reflex auf "in quarantäne verschieben") =)

deshalb im anschluss auch noch mal ein aktuelles osam log zum drüberschauen(da steht dann auch "file not found")...

liebe grüße,

*beate

so hier das avenger log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
hxxp://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\tlcgrqddwsjaaycvh.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\hrpzypds.dll" not found!
Deletion of file "C:\WINDOWS\system32\hrpzypds.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00442EC8-157D-4596-8102-C01D4FDAFB02}" deleted successfully.
Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B05EAD5-831C-8AA9-3141-47E428312C83}" deleted successfully.
Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|jeqnrusotet" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


und der link zum backup:

hxxp://www.file-upload.net/download-2470850/backup.zip.html



osam

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 20:42:49 on 27.04.2010

OS: Windows XP Professional Service Pack 2 (Build 2600)
Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"AppleSoftwareUpdate.job" - "Apple Inc." - C:\Programme\Apple Software Update\SoftwareUpdate.exe
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"ASFConfig.cpl" - "Broadcom Corporation" - C:\WINDOWS\system32\ASFConfig.cpl
"BACSCPL.cpl" - ? - C:\WINDOWS\system32\BACSCPL.cpl
"DMdm32.cpl" - ? - C:\WINDOWS\system32\DMdm32.cpl
"DxCpl.cpl" - "Knowles Acoustics" - C:\WINDOWS\system32\DxCpl.cpl
"infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl
"ISUSPM.cpl" - "InstallShield Software Corporation" - C:\WINDOWS\system32\ISUSPM.cpl
"jpicpl32.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\jpicpl32.cpl
"NicConfigSvc.cpl" - "Dell Inc." - C:\WINDOWS\system32\NicConfigSvc.cpl
"nvcpl.cpl" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvcpl.cpl
"nvtuicpl.cpl" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvtuicpl.cpl
"plotman.cpl" - "Autodesk, Inc." - C:\WINDOWS\system32\plotman.cpl
"stacgui.cpl" - "SigmaTel, Inc." - C:\WINDOWS\system32\stacgui.cpl
"styleman.cpl" - "Autodesk, Inc." - C:\WINDOWS\system32\styleman.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"Adobe Version Cue CS3" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.cpl
"Avira AntiVir Personal - Free Antivirus " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"Avira AntiVir PersonalEdition Classic " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"QuickTime" - "Apple Inc." - C:\Programme\QuickTime\QTSystem\QuickTime.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"AEGIS Protocol (IEEE 802.1x) v3.6.0.0" (AegisP) - "Meetinghouse Data Communications" - C:\WINDOWS\System32\DRIVERS\AegisP.sys
"APPDRV" (APPDRV) - "Dell Inc" - C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
"avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys
"BASFND" (BASFND) - "Broadcom Corporation" - C:\Programme\Broadcom\ASFIPMon\BASFND.sys
"catchme" (catchme) - ? - C:\cofi\catchme.sys (File not found)
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found)
"Cisco Systems IPsec Driver" (CVPNDRVA) - "Cisco Systems, Inc." - C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
"DLABMFSM" (DLABMFSM) - "Roxio" - C:\WINDOWS\System32\DLA\DLABMFSM.SYS
"DLABOIOM" (DLABOIOM) - "Roxio" - C:\WINDOWS\System32\DLA\DLABOIOM.SYS
"DLACDBHM" (DLACDBHM) - "Roxio" - C:\WINDOWS\System32\Drivers\DLACDBHM.SYS
"DLADResM" (DLADResM) - "Roxio" - C:\WINDOWS\System32\DLA\DLADResM.SYS
"DLAIFS_M" (DLAIFS_M) - "Roxio" - C:\WINDOWS\System32\DLA\DLAIFS_M.SYS
"DLAOPIOM" (DLAOPIOM) - "Roxio" - C:\WINDOWS\System32\DLA\DLAOPIOM.SYS
"DLAPoolM" (DLAPoolM) - "Roxio" - C:\WINDOWS\System32\DLA\DLAPoolM.SYS
"DLARTL_M" (DLARTL_M) - "Roxio" - C:\WINDOWS\System32\Drivers\DLARTL_M.SYS
"DLAUDFAM" (DLAUDFAM) - "Roxio" - C:\WINDOWS\System32\DLA\DLAUDFAM.SYS
"DLAUDF_M" (DLAUDF_M) - "Roxio" - C:\WINDOWS\System32\DLA\DLAUDF_M.SYS
"DRVMCDB" (DRVMCDB) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\DRVMCDB.SYS
"DRVNDDM" (DRVNDDM) - "Roxio" - C:\WINDOWS\System32\Drivers\DRVNDDM.SYS
"DXEC01" (DXEC01) - "Knowles Acoustics" - C:\WINDOWS\System32\drivers\dxec01.sys
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found)
"PBADRV" (PBADRV) - "Dell Inc" - C:\WINDOWS\System32\DRIVERS\PBADRV.sys
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found)
"PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
"vsdatant" (vsdatant) - "Zone Labs LLC" - C:\WINDOWS\system32\vsdatant.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found)
"WIRELESS USB Filter Driver" (TF0801) - ? - C:\WINDOWS\System32\DRIVERS\TF0801.sys (File found, but it contains no detailed information)
"WLAN-Transport" (s24trans) - "Intel Corporation" - C:\WINDOWS\System32\DRIVERS\s24trans.sys

[Explorer]
-----( HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{BDEADF00-C265-11d0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{8A0BC933-7552-42E2-A228-3BE055777227} "AcColumnHandler" - "Autodesk" - C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll
{9F2C5BFD-3CB1-419F-9F5F-90B32ADD5BA8} "AdpShellExt Class" - "Autodesk, Inc." - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Shell\AdpWShellExt.dll
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{8A0BC933-7552-42E2-A228-3BE055777227} "AcColumnHandler" - "Autodesk" - C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll
{4B392032-A759-43ED-9469-377C80A4472D} "AcDgnImageExtractor" - "Autodesk" - C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcDgnCOM18.dll
{5800AD5B-72C1-477B-9A08-CA112DF06D97} "AcInfoTipHandler" - "Autodesk" - C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} "Acrobat Elements Context Menu" - "Adobe Systems Inc." - C:\Programme\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
{36A21736-36C2-4C11-8ACB-D4136F2B57BD} "AcSignIcon" - "Autodesk, Inc." - C:\WINDOWS\system32\AcSignIcon.dll
{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} "ACTHUMBNAIL" - "Autodesk, Inc." - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Thumbnail\AcThumbnail16.dll
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found)
{1CDB2949-8F65-4355-8456-263E7C208A5D} "Desktop Explorer" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} "Desktop Explorer Menu" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - c:\WINDOWS\system32\mscoree.dll
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? - (File not found | COM-object registry key not found)
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Programme\iTunes\iTunesMiniPlayer.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found)
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} "nView Desktop Context Menu" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
{5E44E225-A408-11CF-B581-008029601108} "Roxio DragToDisc Shell Extension" - "Roxio" - C:\Programme\Roxio\Drag-to-Disc\Shellex.dll
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\shlext.dll
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - ? - C:\Programme\WinRAR\rarext.dll (File found, but it contains no detailed information)

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{C45B1500-7B63-47C2-AB25-C28CB46AFDEE} "Music Manager" - "LoudEye" - C:\WINDOWS\Downloaded Program Files\MusicManagerPlugin.ocx / hxxp://img.od2.com/Installation/PluginName/MusicManager/MusicManagerPlugin.CAB
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{182EC0BE-5110-49C8-A062-BEB1D02A220B} "Adobe PDF" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "ClsidExtension" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
{77BF5300-1474-4EC7-9980-D32B190E9B07} "ClsidExtension" - "Skype Technologies S.A." - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
{53707962-6F74-2D53-2644-206D7942484F} "ClsidExtension" - "Safer Networking Limited" - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
{77BF5300-1474-4EC7-9980-D32B190E9B07} "Skype" - "Skype Technologies S.A." - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{00442EC8-157D-4596-8102-C01D4FDAFB02} "adHlpr Object" - ? - C:\WINDOWS\system32\hrpzypds.dll (File not found)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{5B05EAD5-831C-8AA9-3141-47E428312C83} "hotrevenue browser enhancer" - ? - C:\WINDOWS\system32\tlcgrqddwsjaaycvh.dll (File not found)

[LSA Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Lsa )-----
"Authentication packages" - "Wave Systems Corp." - C:\WINDOWS\system32\wvauth.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Adobe Acrobat - Schnellstart.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe (Shortcut exists | File exists)
"Adobe Reader Synchronizer.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe (Shortcut exists | File exists)
"Cisco Systems VPN Client.lnk" - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\vpngui.exe (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
"Digital Line Detect.lnk" - "Avanquest Software " - C:\Programme\Digital Line Detect\DLG.exe (Shortcut exists | File exists)
"Microsoft Office.lnk" - "Microsoft Corporation" - C:\Programme\Microsoft Office\Office\OSA9.EXE (Shortcut exists | File exists)
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\BT\Startmenü\Programme\Autostart\desktop.ini
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"SpybotSD TeaTimer" - "Safer-Networking Ltd." - C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Acrobat Assistant 8.0" - "Adobe Systems Inc." - "C:\Programme\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"Adobe ARM" - "Adobe Systems Incorporated" - "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe_ID0EYTHM" - "Adobe Systems Incorporated" - C:\PROGRA~1\GEMEIN~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
"avgnt" - "Avira GmbH" - "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
"Dell QuickSet" - "Dell Inc" - C:\Programme\Dell\QuickSet\quickset.exe
"Document Manager" - ? - C:\Programme\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
"ECenter" - " " - C:\Dell\E-Center\EULALauncher.exe
"IntelWireless" - "Intel Corporation" - "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
"IntelZeroConfig" - "Intel Corporation" - "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
"ISUSPM Startup" - "InstallShield Software Corporation" - C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler" - "InstallShield Software Corporation" - "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
"iTunesHelper" - "Apple Inc." - "C:\Programme\iTunes\iTunesHelper.exe"
"KADxMain" - "Knowles Acoustics" - C:\WINDOWS\system32\KADxMain.exe
"NVHotkey" - "NVIDIA Corporation" - rundll32.exe nvHotkey.dll,Start
"nwiz" - "NVIDIA Corporation" - nwiz.exe /installquiet
"PDVDDXSrv" - "CyberLink Corp." - "C:\Programme\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"QuickTime Task" - "Apple Inc." - "C:\Programme\QuickTime\qttask.exe" -atboottime
"RoxioDragToDisc" - "Roxio" - "C:\Programme\Roxio\Drag-to-Disc\DrgToDsc.exe"
"SecureUpgrade" - "Wave Systems Corp." - C:\Programme\Wave Systems Corp\SecureUpgrade.exe
"SigmatelSysTrayApp" - "SigmaTel, Inc." - stsystra.exe
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\jusched.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Adobe PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\system32\AdobePDF.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"Adobe Version Cue CS3 {de_DE} " (Adobe Version Cue CS3) - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
"Akamai NetSession Interface" (Akamai) - ? - c:\programme\gemeinsame dateien\akamai\rswin_3653.dll (File found, but it contains no detailed information)
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Autodesk Network Licensing Service" (Autodesk Network Licensing Service) - "Autodesk, Inc." - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskNetSrv.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe
"Bonjour-Dienst" (Bonjour Service) - "Apple Inc." - C:\Programme\Bonjour\mDNSResponder.exe
"Broadcom ASF IP and SMBIOS Mailbox Monitor" (ASFIPmon) - "Broadcom Corporation" - C:\Programme\Broadcom\ASFIPMon\AsfIpMon.exe
"Cisco Systems, Inc. VPN Service" (CVPND) - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
"FLEXnet Licensing Service" (FLEXnet Licensing Service) - "Macrovision Europe Ltd." - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
"Google Update Service (gupdate1c9dd74ef138af0)" (gupdate1c9dd74ef138af0) - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"Intel(R) PROSet/Wireless Event Log" (EvtEng) - "Intel Corporation" - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
"Intel(R) PROSet/Wireless Registry Service" (RegSrvc) - "Intel Corporation" - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
"Intel(R) PROSet/Wireless Service" (S24EventMonitor) - "Intel Corporation " - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
"Intel(R) PROSet/Wireless SSO Service" (WLANKEEPER) - "Intel(R) Corporation" - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Programme\iPod\bin\iPodService.exe
"NICCONFIGSVC" (NICCONFIGSVC) - "Dell Inc." - C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe
"NTRU TSS v1.2.1.12 TCS" (tcsd_win32.exe) - ? - C:\Programme\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe (File found, but it contains no detailed information)
"SecureStorageService" (SecureStorageService) - "Wave Systems Corp." - C:\Programme\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
"SigmaTel Audio Service" (STacSV) - "SigmaTel, Inc." - C:\Programme\SigmaTel\C-Major Audio\WDM\StacSV.exe
"stllssvr" (stllssvr) - "MicroVision Development, Inc." - C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe
"Windows CardSpace" (idsvc) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
"Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll (File not found)

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Programme\Bonjour\mdnsNSP.dll
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries )-----
"Wave Systems Kerberos LSP" - "Wave Systems Corp." - C:\WINDOWS\system32\biolsp.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru
__________________


Alt 27.04.2010, 19:48   #18
BTT
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



falls ich also die datei wiederherstellen muss, um sie endgültig zu killen.. sagst du mir bescheid, ne!? =) sorry, dass ich hier schon wieder komplikationen verursache... :-/
__________________

Alt 27.04.2010, 19:51   #19
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



Die Einträge werden in OSAM zwar noch angezeigt, aber nun am Ende mit file not found, weil wir die Dateien entfernt haben.

Code:
ATTFilter
{00442EC8-157D-4596-8102-C01D4FDAFB02} "adHlpr Object" - ? - C:\WINDOWS\system32\hrpzypds.dll (File not found)
{5B05EAD5-831C-8AA9-3141-47E428312C83} "hotrevenue browser enhancer" - ? - C:\WINDOWS\system32\tlcgrqddwsjaaycvh.dll (File not found)
         
Nochmal mit OSAM fixen, dann sollten sie hoffentlich komplett weg sein.
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 27.04.2010, 19:56   #20
BTT
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



hey again!

ja, das war schon klar, dass sie in osam nicht mehr angezeigt werden, weil sie hoffentlich für immer weg sind!!!! =) Dachte nur, dass da evtl ja doch noch reste sein könnten, da der avenger die eine datei ja auch vor dem fixen schon nicht finden konnte.. (keine ahnung, ob avira den trojaner gründlich genug entfernt...)

werde mich jetzt direkt noch mal ans fixen mit osam setzen..

merci schon mal fürs schnelle antworten!!!

*beate


Alt 27.04.2010, 20:18   #21
BTT
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



also die mistdinger werden immer noch aufgelistet....!!! grrr!!! zwar weiterhin als not found, was ja gut ist, aber trotzdem.. grrr!!! =)

grüße,
*beate



"Beweis" =)

(Success) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B05EAD5-831C-8AA9-3141-47E428312C83} hotrevenue browser enhancer C:\WINDOWS\system32\tlcgrqddwsjaaycvh.dll
(Success) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00442EC8-157D-4596-8102-C01D4FDAFB02} adHlpr Object C:\WINDOWS\system32\hrpzypds.dll



Osam

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 21:15:30 on 27.04.2010

OS: Windows XP Professional Service Pack 2 (Build 2600)
Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"AppleSoftwareUpdate.job" - "Apple Inc." - C:\Programme\Apple Software Update\SoftwareUpdate.exe
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"ASFConfig.cpl" - "Broadcom Corporation" - C:\WINDOWS\system32\ASFConfig.cpl
"BACSCPL.cpl" - ? - C:\WINDOWS\system32\BACSCPL.cpl
"DMdm32.cpl" - ? - C:\WINDOWS\system32\DMdm32.cpl
"DxCpl.cpl" - "Knowles Acoustics" - C:\WINDOWS\system32\DxCpl.cpl
"infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl
"ISUSPM.cpl" - "InstallShield Software Corporation" - C:\WINDOWS\system32\ISUSPM.cpl
"jpicpl32.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\jpicpl32.cpl
"NicConfigSvc.cpl" - "Dell Inc." - C:\WINDOWS\system32\NicConfigSvc.cpl
"nvcpl.cpl" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvcpl.cpl
"nvtuicpl.cpl" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvtuicpl.cpl
"plotman.cpl" - "Autodesk, Inc." - C:\WINDOWS\system32\plotman.cpl
"stacgui.cpl" - "SigmaTel, Inc." - C:\WINDOWS\system32\stacgui.cpl
"styleman.cpl" - "Autodesk, Inc." - C:\WINDOWS\system32\styleman.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"Adobe Version Cue CS3" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.cpl
"Avira AntiVir Personal - Free Antivirus " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"Avira AntiVir PersonalEdition Classic " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"QuickTime" - "Apple Inc." - C:\Programme\QuickTime\QTSystem\QuickTime.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"AEGIS Protocol (IEEE 802.1x) v3.6.0.0" (AegisP) - "Meetinghouse Data Communications" - C:\WINDOWS\System32\DRIVERS\AegisP.sys
"APPDRV" (APPDRV) - "Dell Inc" - C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
"avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys
"BASFND" (BASFND) - "Broadcom Corporation" - C:\Programme\Broadcom\ASFIPMon\BASFND.sys
"catchme" (catchme) - ? - C:\cofi\catchme.sys (File not found)
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found)
"Cisco Systems IPsec Driver" (CVPNDRVA) - "Cisco Systems, Inc." - C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
"DLABMFSM" (DLABMFSM) - "Roxio" - C:\WINDOWS\System32\DLA\DLABMFSM.SYS
"DLABOIOM" (DLABOIOM) - "Roxio" - C:\WINDOWS\System32\DLA\DLABOIOM.SYS
"DLACDBHM" (DLACDBHM) - "Roxio" - C:\WINDOWS\System32\Drivers\DLACDBHM.SYS
"DLADResM" (DLADResM) - "Roxio" - C:\WINDOWS\System32\DLA\DLADResM.SYS
"DLAIFS_M" (DLAIFS_M) - "Roxio" - C:\WINDOWS\System32\DLA\DLAIFS_M.SYS
"DLAOPIOM" (DLAOPIOM) - "Roxio" - C:\WINDOWS\System32\DLA\DLAOPIOM.SYS
"DLAPoolM" (DLAPoolM) - "Roxio" - C:\WINDOWS\System32\DLA\DLAPoolM.SYS
"DLARTL_M" (DLARTL_M) - "Roxio" - C:\WINDOWS\System32\Drivers\DLARTL_M.SYS
"DLAUDFAM" (DLAUDFAM) - "Roxio" - C:\WINDOWS\System32\DLA\DLAUDFAM.SYS
"DLAUDF_M" (DLAUDF_M) - "Roxio" - C:\WINDOWS\System32\DLA\DLAUDF_M.SYS
"DRVMCDB" (DRVMCDB) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\DRVMCDB.SYS
"DRVNDDM" (DRVNDDM) - "Roxio" - C:\WINDOWS\System32\Drivers\DRVNDDM.SYS
"DXEC01" (DXEC01) - "Knowles Acoustics" - C:\WINDOWS\System32\drivers\dxec01.sys
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found)
"PBADRV" (PBADRV) - "Dell Inc" - C:\WINDOWS\System32\DRIVERS\PBADRV.sys
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found)
"PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
"vsdatant" (vsdatant) - "Zone Labs LLC" - C:\WINDOWS\system32\vsdatant.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found)
"WIRELESS USB Filter Driver" (TF0801) - ? - C:\WINDOWS\System32\DRIVERS\TF0801.sys (File found, but it contains no detailed information)
"WLAN-Transport" (s24trans) - "Intel Corporation" - C:\WINDOWS\System32\DRIVERS\s24trans.sys

[Explorer]
-----( HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{BDEADF00-C265-11d0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{8A0BC933-7552-42E2-A228-3BE055777227} "AcColumnHandler" - "Autodesk" - C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll
{9F2C5BFD-3CB1-419F-9F5F-90B32ADD5BA8} "AdpShellExt Class" - "Autodesk, Inc." - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Shell\AdpWShellExt.dll
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{8A0BC933-7552-42E2-A228-3BE055777227} "AcColumnHandler" - "Autodesk" - C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll
{4B392032-A759-43ED-9469-377C80A4472D} "AcDgnImageExtractor" - "Autodesk" - C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcDgnCOM18.dll
{5800AD5B-72C1-477B-9A08-CA112DF06D97} "AcInfoTipHandler" - "Autodesk" - C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} "Acrobat Elements Context Menu" - "Adobe Systems Inc." - C:\Programme\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
{36A21736-36C2-4C11-8ACB-D4136F2B57BD} "AcSignIcon" - "Autodesk, Inc." - C:\WINDOWS\system32\AcSignIcon.dll
{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} "ACTHUMBNAIL" - "Autodesk, Inc." - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Thumbnail\AcThumbnail16.dll
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found)
{1CDB2949-8F65-4355-8456-263E7C208A5D} "Desktop Explorer" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} "Desktop Explorer Menu" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - c:\WINDOWS\system32\mscoree.dll
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? - (File not found | COM-object registry key not found)
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Programme\iTunes\iTunesMiniPlayer.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found)
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} "nView Desktop Context Menu" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
{5E44E225-A408-11CF-B581-008029601108} "Roxio DragToDisc Shell Extension" - "Roxio" - C:\Programme\Roxio\Drag-to-Disc\Shellex.dll
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\shlext.dll
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - ? - C:\Programme\WinRAR\rarext.dll (File found, but it contains no detailed information)

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{C45B1500-7B63-47C2-AB25-C28CB46AFDEE} "Music Manager" - "LoudEye" - C:\WINDOWS\Downloaded Program Files\MusicManagerPlugin.ocx / hxxp://img.od2.com/Installation/PluginName/MusicManager/MusicManagerPlugin.CAB
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{182EC0BE-5110-49C8-A062-BEB1D02A220B} "Adobe PDF" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "ClsidExtension" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
{77BF5300-1474-4EC7-9980-D32B190E9B07} "ClsidExtension" - "Skype Technologies S.A." - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
{53707962-6F74-2D53-2644-206D7942484F} "ClsidExtension" - "Safer Networking Limited" - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
{77BF5300-1474-4EC7-9980-D32B190E9B07} "Skype" - "Skype Technologies S.A." - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{00442EC8-157D-4596-8102-C01D4FDAFB02} "adHlpr Object" - ? - C:\WINDOWS\system32\hrpzypds.dll (File not found)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{5B05EAD5-831C-8AA9-3141-47E428312C83} "hotrevenue browser enhancer" - ? - C:\WINDOWS\system32\tlcgrqddwsjaaycvh.dll (File not found)

[LSA Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Lsa )-----
"Authentication packages" - "Wave Systems Corp." - C:\WINDOWS\system32\wvauth.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Adobe Acrobat - Schnellstart.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe (Shortcut exists | File exists)
"Adobe Reader Synchronizer.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe (Shortcut exists | File exists)
"Cisco Systems VPN Client.lnk" - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\vpngui.exe (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
"Digital Line Detect.lnk" - "Avanquest Software " - C:\Programme\Digital Line Detect\DLG.exe (Shortcut exists | File exists)
"Microsoft Office.lnk" - "Microsoft Corporation" - C:\Programme\Microsoft Office\Office\OSA9.EXE (Shortcut exists | File exists)
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\BT\Startmenü\Programme\Autostart\desktop.ini
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"SpybotSD TeaTimer" - "Safer-Networking Ltd." - C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Acrobat Assistant 8.0" - "Adobe Systems Inc." - "C:\Programme\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"Adobe ARM" - "Adobe Systems Incorporated" - "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe_ID0EYTHM" - "Adobe Systems Incorporated" - C:\PROGRA~1\GEMEIN~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
"avgnt" - "Avira GmbH" - "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
"Dell QuickSet" - "Dell Inc" - C:\Programme\Dell\QuickSet\quickset.exe
"Document Manager" - ? - C:\Programme\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
"ECenter" - " " - C:\Dell\E-Center\EULALauncher.exe
"IntelWireless" - "Intel Corporation" - "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
"IntelZeroConfig" - "Intel Corporation" - "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
"ISUSPM Startup" - "InstallShield Software Corporation" - C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler" - "InstallShield Software Corporation" - "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
"iTunesHelper" - "Apple Inc." - "C:\Programme\iTunes\iTunesHelper.exe"
"KADxMain" - "Knowles Acoustics" - C:\WINDOWS\system32\KADxMain.exe
"NVHotkey" - "NVIDIA Corporation" - rundll32.exe nvHotkey.dll,Start
"nwiz" - "NVIDIA Corporation" - nwiz.exe /installquiet
"PDVDDXSrv" - "CyberLink Corp." - "C:\Programme\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"QuickTime Task" - "Apple Inc." - "C:\Programme\QuickTime\qttask.exe" -atboottime
"RoxioDragToDisc" - "Roxio" - "C:\Programme\Roxio\Drag-to-Disc\DrgToDsc.exe"
"SecureUpgrade" - "Wave Systems Corp." - C:\Programme\Wave Systems Corp\SecureUpgrade.exe
"SigmatelSysTrayApp" - "SigmaTel, Inc." - stsystra.exe
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\jusched.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Adobe PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\system32\AdobePDF.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"Adobe Version Cue CS3 {de_DE} " (Adobe Version Cue CS3) - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
"Akamai NetSession Interface" (Akamai) - ? - c:\programme\gemeinsame dateien\akamai\rswin_3653.dll (File found, but it contains no detailed information)
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Autodesk Network Licensing Service" (Autodesk Network Licensing Service) - "Autodesk, Inc." - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskNetSrv.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe
"Bonjour-Dienst" (Bonjour Service) - "Apple Inc." - C:\Programme\Bonjour\mDNSResponder.exe
"Broadcom ASF IP and SMBIOS Mailbox Monitor" (ASFIPmon) - "Broadcom Corporation" - C:\Programme\Broadcom\ASFIPMon\AsfIpMon.exe
"Cisco Systems, Inc. VPN Service" (CVPND) - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
"FLEXnet Licensing Service" (FLEXnet Licensing Service) - "Macrovision Europe Ltd." - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
"Google Update Service (gupdate1c9dd74ef138af0)" (gupdate1c9dd74ef138af0) - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"Intel(R) PROSet/Wireless Event Log" (EvtEng) - "Intel Corporation" - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
"Intel(R) PROSet/Wireless Registry Service" (RegSrvc) - "Intel Corporation" - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
"Intel(R) PROSet/Wireless Service" (S24EventMonitor) - "Intel Corporation " - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
"Intel(R) PROSet/Wireless SSO Service" (WLANKEEPER) - "Intel(R) Corporation" - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Programme\iPod\bin\iPodService.exe
"NICCONFIGSVC" (NICCONFIGSVC) - "Dell Inc." - C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe
"NTRU TSS v1.2.1.12 TCS" (tcsd_win32.exe) - ? - C:\Programme\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe (File found, but it contains no detailed information)
"SecureStorageService" (SecureStorageService) - "Wave Systems Corp." - C:\Programme\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
"SigmaTel Audio Service" (STacSV) - "SigmaTel, Inc." - C:\Programme\SigmaTel\C-Major Audio\WDM\StacSV.exe
"stllssvr" (stllssvr) - "MicroVision Development, Inc." - C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe
"Windows CardSpace" (idsvc) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
"Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll (File not found)

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Programme\Bonjour\mdnsNSP.dll
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries )-----
"Wave Systems Kerberos LSP" - "Wave Systems Corp." - C:\WINDOWS\system32\biolsp.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

Alt 27.04.2010, 21:08   #22
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



Dann machen wir das jetzt über ein Live-System:

Systemscan mit OTLPE
  • Lade Dir zuerst ISOBurner herunter und installiere es.
  • Lade Dir dann OTLPE.iso von Oldtimer und brenne sie per Imagebrennfunktion auf eine leere CD-R.
  • Bei Verwendung von ISOBurner reicht ein Doppelklick auf OTLPE.iso.
  • Boote nun den infizierten Rechner von der OTLPE-CD (evtl. Reihenfolge im BIOS umstellen).
  • Dein System sollte nun einen REATOGO-X-PE Desktop anzeigen.
  • Starte OTLPE mit einem Doppelklick auf das OTLPE Icon.
  • "Do you wish to load the remote registry" und "Do you wish to load remote user profile(s) for scanning" mit Yes beantworten.
  • Entsichere die Box "Automatically Load All Remaining Users" wenn sie gewählt ist und drücke OK.
  • Im Block "Drivers" Use SafeList auswählen und dann mit Run Scan den Scan starten.
  • Nach dem Scan wird ein Logfile erstellt (C:\OTL.txt)
  • Kopiere dieses auf einen USB-Stick und poste es hier.
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 27.04.2010, 21:15   #23
BTT
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



oh wow! das klingt jetzt ja schon etwas komplizierter.. =)

noch eine frage: heißt das ich soll das log-file über nen anderen (nicht infizierten) rechner hier im forum posten?? oder warum muss ich es auf einen usb-stick ziehen?? + dann werd ich doch mal suchen, wie ich meinen pc von der cd aus boote..! hab ich nämlich auch noch nie gemacht...

grüße,

*beate

Alt 27.04.2010, 21:23   #24
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



Äh nee, das ist nur ein Standardtext. Du kannst das Log auch vom Rechner aus posten, den wir analysieren wollen. Wenn Du einen anderen Rechner hast, wäre das aber vom Vorteil, weil Du dann OTLPE so anlassen kannst.
__________________
Logfiles bitte immer in CODE-Tags posten

Geändert von cosinus (27.04.2010 um 21:57 Uhr)

Alt 27.04.2010, 21:49   #25
BTT
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Icon27

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



oh mann!! ich hasse spanisches internet!!!! ich downloade gerade mit wahnsinnsgeschwindigkeit... kann also noch ein bissl ewig (!) dauern...

Alt 28.04.2010, 01:42   #26
BTT
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



so,.. war bis auf das downloaden doch nicht so schwer...! hab jetzt auch den sinn des usb-sticks verstanden.. ..hat halt etwas gedauert bis ich kapiert hatte, wie das konzept "von der cd-booten" funktioniert..

und wieder ein wenig schlauer...!

lieber gruß,

*b

Alt 28.04.2010, 07:50   #27
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



Okay. Starte den Rechner wieder von der CD und warte bis der Desktop von Reatogo mit OTLPE fertig ist. Wenn dem so ist bitte wieder OTLPE öffnen und unten in die Box das hier kopieren:

Code:
ATTFilter
:OTL
O2 - BHO: (adHlpr Object) - {00442EC8-157D-4596-8102-C01D4FDAFB02} - C:\WINDOWS\System32\hrpzypds.dll File not found
O2 - BHO: (hotrevenue browser enhancer) - {5B05EAD5-831C-8AA9-3141-47E428312C83} - C:\WINDOWS\System32\tlcgrqddwsjaaycvh.dll File not found
O3 - HKU\Beate_ON_C\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
[2010/04/24 14:03:59 | 000,048,272 | ---- | M] () -- C:\WINDOWS\System32\xslfyxbzjoe.exe
:Commands
[PURITY]
[RESETHOSTS]
[EMPTYTEMP]
         
Nach dem Einfügen auf den Button Run Fix klicken und das Logfile speichern.
Du kannst danach den Rechner wieder normal von der Festplatte starten und mal mit OSAM kontrollieren, ob die Einträge wirklich weg sind.
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 29.04.2010, 19:42   #28
BTT
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



Hallo Arne,

so files sind gefixt und erscheinen auch nicht mehr bei osam!! yeah!

hier die logs (anhängen ging grad irgendwie nicht)

liebe grüße,
*beate

OTL

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00442EC8-157D-4596-8102-C01D4FDAFB02}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00442EC8-157D-4596-8102-C01D4FDAFB02}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B05EAD5-831C-8AA9-3141-47E428312C83}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B05EAD5-831C-8AA9-3141-47E428312C83}\ deleted successfully.
Registry value HKEY_USERS\Beate_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
C:\WINDOWS\system32\xslfyxbzjoe.exe moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Beate
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 28117 bytes
->FireFox cache emptied: 6831582 bytes
->Flash cache emptied: 5768 bytes

User: BT
->Temp folder emptied: 6615077 bytes
->Temporary Internet Files folder emptied: 101961504 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 54817890 bytes
->Flash cache emptied: 1406 bytes

User: Default User
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41 bytes

User: Eclipse_dont_use

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 49286 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 766 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 4528519 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 393496 bytes

Total Files Cleaned = 167.00 mb


OTLPE by OldTimer - Version 3.1.38.0 log created on 04292010_212135


und OSAM auch noch mal für dich.. =)

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 20:33:47 on 29.04.2010

OS: Windows XP Professional Service Pack 2 (Build 2600)
Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"AppleSoftwareUpdate.job" - "Apple Inc." - C:\Programme\Apple Software Update\SoftwareUpdate.exe
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"ASFConfig.cpl" - "Broadcom Corporation" - C:\WINDOWS\system32\ASFConfig.cpl
"BACSCPL.cpl" - ? - C:\WINDOWS\system32\BACSCPL.cpl
"DMdm32.cpl" - ? - C:\WINDOWS\system32\DMdm32.cpl
"DxCpl.cpl" - "Knowles Acoustics" - C:\WINDOWS\system32\DxCpl.cpl
"infocardcpl.cpl" - "Microsoft Corporation" - C:\WINDOWS\system32\infocardcpl.cpl
"ISUSPM.cpl" - "InstallShield Software Corporation" - C:\WINDOWS\system32\ISUSPM.cpl
"jpicpl32.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\jpicpl32.cpl
"NicConfigSvc.cpl" - "Dell Inc." - C:\WINDOWS\system32\NicConfigSvc.cpl
"nvcpl.cpl" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvcpl.cpl
"nvtuicpl.cpl" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvtuicpl.cpl
"plotman.cpl" - "Autodesk, Inc." - C:\WINDOWS\system32\plotman.cpl
"stacgui.cpl" - "SigmaTel, Inc." - C:\WINDOWS\system32\stacgui.cpl
"styleman.cpl" - "Autodesk, Inc." - C:\WINDOWS\system32\styleman.cpl
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"Adobe Version Cue CS3" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.cpl
"Avira AntiVir Personal - Free Antivirus " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"Avira AntiVir PersonalEdition Classic " - "Avira GmbH" - C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
"QuickTime" - "Apple Inc." - C:\Programme\QuickTime\QTSystem\QuickTime.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"AEGIS Protocol (IEEE 802.1x) v3.6.0.0" (AegisP) - "Meetinghouse Data Communications" - C:\WINDOWS\System32\DRIVERS\AegisP.sys
"APPDRV" (APPDRV) - "Dell Inc" - C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
"avgio" (avgio) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\avipbb.sys
"BASFND" (BASFND) - "Broadcom Corporation" - C:\Programme\Broadcom\ASFIPMon\BASFND.sys
"catchme" (catchme) - ? - C:\cofi\catchme.sys (File not found)
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found)
"Cisco Systems IPsec Driver" (CVPNDRVA) - "Cisco Systems, Inc." - C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
"DLABMFSM" (DLABMFSM) - "Roxio" - C:\WINDOWS\System32\DLA\DLABMFSM.SYS
"DLABOIOM" (DLABOIOM) - "Roxio" - C:\WINDOWS\System32\DLA\DLABOIOM.SYS
"DLACDBHM" (DLACDBHM) - "Roxio" - C:\WINDOWS\System32\Drivers\DLACDBHM.SYS
"DLADResM" (DLADResM) - "Roxio" - C:\WINDOWS\System32\DLA\DLADResM.SYS
"DLAIFS_M" (DLAIFS_M) - "Roxio" - C:\WINDOWS\System32\DLA\DLAIFS_M.SYS
"DLAOPIOM" (DLAOPIOM) - "Roxio" - C:\WINDOWS\System32\DLA\DLAOPIOM.SYS
"DLAPoolM" (DLAPoolM) - "Roxio" - C:\WINDOWS\System32\DLA\DLAPoolM.SYS
"DLARTL_M" (DLARTL_M) - "Roxio" - C:\WINDOWS\System32\Drivers\DLARTL_M.SYS
"DLAUDFAM" (DLAUDFAM) - "Roxio" - C:\WINDOWS\System32\DLA\DLAUDFAM.SYS
"DLAUDF_M" (DLAUDF_M) - "Roxio" - C:\WINDOWS\System32\DLA\DLAUDF_M.SYS
"DRVMCDB" (DRVMCDB) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\DRVMCDB.SYS
"DRVNDDM" (DRVNDDM) - "Roxio" - C:\WINDOWS\System32\Drivers\DRVNDDM.SYS
"DXEC01" (DXEC01) - "Knowles Acoustics" - C:\WINDOWS\System32\drivers\dxec01.sys
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found)
"PBADRV" (PBADRV) - "Dell Inc" - C:\WINDOWS\System32\DRIVERS\PBADRV.sys
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found)
"PxHelp20" (PxHelp20) - "Sonic Solutions" - C:\WINDOWS\System32\Drivers\PxHelp20.sys
"sptd" (sptd) - "Duplex Secure Ltd." - C:\WINDOWS\System32\Drivers\sptd.sys (File is exclusively opened, access blocked)
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
"vsdatant" (vsdatant) - "Zone Labs LLC" - C:\WINDOWS\system32\vsdatant.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found)
"WIRELESS USB Filter Driver" (TF0801) - ? - C:\WINDOWS\System32\DRIVERS\TF0801.sys (File found, but it contains no detailed information)
"WLAN-Transport" (s24trans) - "Intel Corporation" - C:\WINDOWS\System32\DRIVERS\s24trans.sys

[Explorer]
-----( HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{BDEADF00-C265-11d0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{8A0BC933-7552-42E2-A228-3BE055777227} "AcColumnHandler" - "Autodesk" - C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll
{9F2C5BFD-3CB1-419F-9F5F-90B32ADD5BA8} "AdpShellExt Class" - "Autodesk, Inc." - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Shell\AdpWShellExt.dll
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
-----( HKLM\Software\Classes\Protocols\Handler )-----
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{8A0BC933-7552-42E2-A228-3BE055777227} "AcColumnHandler" - "Autodesk" - C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll
{4B392032-A759-43ED-9469-377C80A4472D} "AcDgnImageExtractor" - "Autodesk" - C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcDgnCOM18.dll
{5800AD5B-72C1-477B-9A08-CA112DF06D97} "AcInfoTipHandler" - "Autodesk" - C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcShellEx\AcShellExtension.dll
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} "Acrobat Elements Context Menu" - "Adobe Systems Inc." - C:\Programme\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
{36A21736-36C2-4C11-8ACB-D4136F2B57BD} "AcSignIcon" - "Autodesk, Inc." - C:\WINDOWS\system32\AcSignIcon.dll
{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} "ACTHUMBNAIL" - "Autodesk, Inc." - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Thumbnail\AcThumbnail16.dll
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found)
{1CDB2949-8F65-4355-8456-263E7C208A5D} "Desktop Explorer" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} "Desktop Explorer Menu" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - c:\WINDOWS\system32\mscoree.dll
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? - (File not found | COM-object registry key not found)
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" - "Apple Inc." - C:\Programme\iTunes\iTunesMiniPlayer.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found)
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} "nView Desktop Context Menu" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
{5E44E225-A408-11CF-B581-008029601108} "Roxio DragToDisc Shell Extension" - "Roxio" - C:\Programme\Roxio\Drag-to-Disc\Shellex.dll
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\shlext.dll
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - c:\WINDOWS\system32\dfshim.dll
{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - ? - C:\Programme\WinRAR\rarext.dll (File found, but it contains no detailed information)

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{C45B1500-7B63-47C2-AB25-C28CB46AFDEE} "Music Manager" - "LoudEye" - C:\WINDOWS\Downloaded Program Files\MusicManagerPlugin.ocx / hxxp://img.od2.com/Installation/PluginName/MusicManager/MusicManagerPlugin.CAB
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{182EC0BE-5110-49C8-A062-BEB1D02A220B} "Adobe PDF" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "ClsidExtension" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
{77BF5300-1474-4EC7-9980-D32B190E9B07} "ClsidExtension" - "Skype Technologies S.A." - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
{53707962-6F74-2D53-2644-206D7942484F} "ClsidExtension" - "Safer Networking Limited" - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
{77BF5300-1474-4EC7-9980-D32B190E9B07} "Skype" - "Skype Technologies S.A." - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{00442EC8-157D-4596-8102-C01D4FDAFB02} "{00442EC8-157D-4596-8102-C01D4FDAFB02}" - ? - (File not found | COM-object registry key not found)
{5B05EAD5-831C-8AA9-3141-47E428312C83} "{5B05EAD5-831C-8AA9-3141-47E428312C83}" - ? - (File not found | COM-object registry key not found)

[LSA Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Lsa )-----
"Authentication packages" - "Wave Systems Corp." - C:\WINDOWS\system32\wvauth.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Adobe Acrobat - Schnellstart.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe (Shortcut exists | File exists)
"Adobe Reader Synchronizer.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe (Shortcut exists | File exists)
"Cisco Systems VPN Client.lnk" - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\vpngui.exe (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
"Digital Line Detect.lnk" - "Avanquest Software " - C:\Programme\Digital Line Detect\DLG.exe (Shortcut exists | File exists)
"Microsoft Office.lnk" - "Microsoft Corporation" - C:\Programme\Microsoft Office\Office\OSA9.EXE (Shortcut exists | File exists)
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\BT\Startmenü\Programme\Autostart\desktop.ini
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"SpybotSD TeaTimer" - "Safer-Networking Ltd." - C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Acrobat Assistant 8.0" - "Adobe Systems Inc." - "C:\Programme\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"Adobe ARM" - "Adobe Systems Incorporated" - "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe_ID0EYTHM" - "Adobe Systems Incorporated" - C:\PROGRA~1\GEMEIN~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
"avgnt" - "Avira GmbH" - "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
"Dell QuickSet" - "Dell Inc" - C:\Programme\Dell\QuickSet\quickset.exe
"Document Manager" - ? - C:\Programme\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
"ECenter" - " " - C:\Dell\E-Center\EULALauncher.exe
"IntelWireless" - "Intel Corporation" - "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
"IntelZeroConfig" - "Intel Corporation" - "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
"ISUSPM Startup" - "InstallShield Software Corporation" - C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler" - "InstallShield Software Corporation" - "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
"iTunesHelper" - "Apple Inc." - "C:\Programme\iTunes\iTunesHelper.exe"
"KADxMain" - "Knowles Acoustics" - C:\WINDOWS\system32\KADxMain.exe
"NVHotkey" - "NVIDIA Corporation" - rundll32.exe nvHotkey.dll,Start
"nwiz" - "NVIDIA Corporation" - nwiz.exe /installquiet
"PDVDDXSrv" - "CyberLink Corp." - "C:\Programme\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"QuickTime Task" - "Apple Inc." - "C:\Programme\QuickTime\qttask.exe" -atboottime
"RoxioDragToDisc" - "Roxio" - "C:\Programme\Roxio\Drag-to-Disc\DrgToDsc.exe"
"SecureUpgrade" - "Wave Systems Corp." - C:\Programme\Wave Systems Corp\SecureUpgrade.exe
"SigmatelSysTrayApp" - "SigmaTel, Inc." - stsystra.exe
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\jusched.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Adobe PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\system32\AdobePDF.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"Adobe Version Cue CS3 {de_DE} " (Adobe Version Cue CS3) - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
"Akamai NetSession Interface" (Akamai) - ? - c:\programme\gemeinsame dateien\akamai\rswin_3653.dll (File found, but it contains no detailed information)
"Apple Mobile Device" (Apple Mobile Device) - "Apple Inc." - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Autodesk Network Licensing Service" (Autodesk Network Licensing Service) - "Autodesk, Inc." - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskNetSrv.exe
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Programme\Avira\AntiVir Desktop\sched.exe
"Bonjour-Dienst" (Bonjour Service) - "Apple Inc." - C:\Programme\Bonjour\mDNSResponder.exe
"Broadcom ASF IP and SMBIOS Mailbox Monitor" (ASFIPmon) - "Broadcom Corporation" - C:\Programme\Broadcom\ASFIPMon\AsfIpMon.exe
"Cisco Systems, Inc. VPN Service" (CVPND) - "Cisco Systems, Inc." - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
"FLEXnet Licensing Service" (FLEXnet Licensing Service) - "Macrovision Europe Ltd." - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
"Google Update Service (gupdate1c9dd74ef138af0)" (gupdate1c9dd74ef138af0) - "Google Inc." - C:\Programme\Google\Update\GoogleUpdate.exe
"Intel(R) PROSet/Wireless Event Log" (EvtEng) - "Intel Corporation" - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
"Intel(R) PROSet/Wireless Registry Service" (RegSrvc) - "Intel Corporation" - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
"Intel(R) PROSet/Wireless Service" (S24EventMonitor) - "Intel Corporation " - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
"Intel(R) PROSet/Wireless SSO Service" (WLANKEEPER) - "Intel(R) Corporation" - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
"iPod-Dienst" (iPod Service) - "Apple Inc." - C:\Programme\iPod\bin\iPodService.exe
"NICCONFIGSVC" (NICCONFIGSVC) - "Dell Inc." - C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe
"NTRU TSS v1.2.1.12 TCS" (tcsd_win32.exe) - ? - C:\Programme\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe (File found, but it contains no detailed information)
"SecureStorageService" (SecureStorageService) - "Wave Systems Corp." - C:\Programme\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
"SigmaTel Audio Service" (STacSV) - "SigmaTel, Inc." - C:\Programme\SigmaTel\C-Major Audio\WDM\StacSV.exe
"stllssvr" (stllssvr) - "MicroVision Development, Inc." - C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe
"Windows CardSpace" (idsvc) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
"Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) - "Microsoft Corporation" - c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll (File not found)

[Winsock Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----
"mdnsNSP" - "Apple Inc." - C:\Programme\Bonjour\mdnsNSP.dll
-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries )-----
"Wave Systems Kerberos LSP" - "Wave Systems Corp." - C:\WINDOWS\system32\biolsp.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

Alt 29.04.2010, 19:52   #29
BTT
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



Muss ich jetzt noch irgendwas bestimmtes zusätzlich machen?? Letzter "Rundumcheck" sozusagen??




Und vielleicht könntest du mir auch doch noch zu folgendem Problem einen tipp geben!?!

hatte schon mal in einem der früheren postings geschrieben, dass ich beim start von windows nach folgender Trojanermeldung:

In der Datei 'C:\WINDOWS\system32\uukgdrpr.dll'
wurde ein Virus oder unerwünschtes Programm 'TR/BHO.315392' [trojan] gefunden.
Ausgeführte Aktion: Datei in Quarantäne verschieben

immer einen fehler gemeldet bekomme:

Fehler beim Laden von uukgdrpr.dll
Das angegebene Modul wurde nicht gefunden

(ist ja auch klar, wenn ich das teil in die quarantäne geschickt habe..,)

Die Frage ist jetzt, ob ich die Datei wiederherstellen kann, ohne befürchten zu müssen, dass der "Spaß" von vorne anfängt..!?

liebe Grüße,

*beate

Alt 29.04.2010, 20:01   #30
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
TR/Hijacker.gen  in C:\WINDOWS\Temp\****.tmp\svchost.exe - Standard

TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe



Zitat:
Die Frage ist jetzt, ob ich die Datei wiederherstellen kann, ohne befürchten zu müssen, dass der "Spaß" von vorne anfängt..!?
NEIN!! Nicht wiederherstellen, diese dll-Datei ist doch ein Schädling!!

Ich würde noch einen Durchgang mit Combofix vorschlagen. Geh wieder nach der schon geposteten Anleitung vor, lad aber combofix bitte neu herunter und lösch die alte cofi.exe weil das Tool sehr oft aktualisiert wird.
__________________
Logfiles bitte immer in CODE-Tags posten

Antwort

Themen zu TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe
... =), 0 bytes, antivir, antivir guard, auswerten, avira, bho, bonjour, desktop, dllhost.exe, document, gupdate, hijacker.gen, hijackthis, hkus\s-1-5-18, internet, internet explorer, jusched.exe, langsam, monitor, nt.dll, pdf-datei, programm, prozesse, registry, rundll, scan, server, software, suchlauf, svchost.exe, temp ordner, trojan.renos, trojaner, versteckte objekte, verweise, virus, virus gefunden, warnung, windows, wuauclt.exe



Ähnliche Themen: TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe


  1. [TR/CoinMiner bzw. Trojan.Agent.Gen] svchost.exe und lsass.exe in Windows\Temp
    Plagegeister aller Art und deren Bekämpfung - 21.03.2015 (17)
  2. TrojWare.Win32.Buzus.carj in C:\Windows\Temp\HInfo.exe bzw. C:\Windows\Temp\restart.exe
    Plagegeister aller Art und deren Bekämpfung - 27.09.2012 (2)
  3. Windows Live Trojaner und SVchost.exe im Temp-ordner
    Plagegeister aller Art und deren Bekämpfung - 26.12.2011 (1)
  4. Bekomme hartnäckigen Trojaner nicht weg! C:\Windows\Temp\imgs.tmp\svchost.exe
    Log-Analyse und Auswertung - 25.07.2010 (9)
  5. tr downloader.gen C:\WINDOWS\Temp\cmqk.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 05.07.2010 (13)
  6. C:\Windows\Temp\pgsi.tmp\svchost.exe TR/Hijacker.Gen funde (mehere)
    Plagegeister aller Art und deren Bekämpfung - 30.06.2010 (3)
  7. TR\Crypt.ZPACK.Gen in C:\Windows\Temp\gsxm.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 01.05.2010 (1)
  8. TR/Crypt.ZPACK.Gen C:\WINDOWS\Temp\uagx.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 01.05.2010 (1)
  9. Trojaner TR/Crypt.ZPACK.gen in C:/WINDOWS/TEMP/xxxx.temp/svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 30.04.2010 (33)
  10. Antivir meldet TR/Crypt.ZPACK.Gen in C/Windows/Temp/xxxx.tmp/svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 26.04.2010 (2)
  11. Avira meldet TR/Crypt.ZPACK.Gen in C:\Windows\Temp\xxxx.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 24.04.2010 (1)
  12. Avira meldet TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 24.04.2010 (1)
  13. Antivir meldet TR/Crypt.ZPACK.Gen in C/Windows/Temp/xxxx.tmp/svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 24.04.2010 (4)
  14. antimalware doctor + C:\Windows\Temp\xxx.tmp\svchost.exe
    Log-Analyse und Auswertung - 21.04.2010 (1)
  15. TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 17.04.2010 (53)
  16. TR/Crypt.ZPACK.Gen in C:\Temp\bcot.tmp\svchost.exe , C:\Temp\qmub.tmp\svchost.exe usw
    Plagegeister aller Art und deren Bekämpfung - 12.04.2010 (1)
  17. Meldung trojan-spy.win32.agent.bepe alle 5 Min in c:\windows\temp\xxx.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 02.04.2010 (1)

Zum Thema TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe - Dann probiers mal so: 1.) Lade Dir von hier Avenger: Swandog46's Public Anti-Malware Tools (Download, linksseitig) 2.) Entpack das zip-Archiv, führe die Datei "avenger.exe" aus (unter Vista per Rechtsklick => - TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe...
Archiv
Du betrachtest: TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.