Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/), forum section "Plagegeister aller Art und deren Bekämpfung" (pests of all kinds and how to fight them)
Thread: Pc komplett kaputt (https://www.trojaner-board.de/27155-pc-komplett-kaputt.html)

Darkbeat2 26.02.2006 00:27

PC completely broken

Good evening.

Problems: caught a backdoor Trojan
AV tools: Kaspersky (just died a moment ago)

Objects found (which were killed before the first restart)
Folder: System32
- wsock32.sys
- scvhost.exe
- Nzilvzb679.ini

Symptoms:
- 3 files were detected in system32
- no more permissions, even though I'm admin
- Safe mode doesn't work any more, because the login screen restarts after 5 seconds (so I can't get into regedit)
- Kaspersky was killed quickly and painlessly

All updates:
- Service Pack 2 + all updates released up to then
- Kaspersky Personal Pro was updated constantly

Before the 1st restart I scanned with:
- Bitdefender online
- Kaspersky Antivirus

What I want:

I'm going to reinstall my system, but first I need to get it stable for a few days with full permissions, because I need to back up data

Wildone 26.02.2006 00:41

Hello,
you've already noticed that a reinstall is unavoidable. Why do you need particular permissions for the data backup?
We can play around a bit and see whether the situation can be improved in the short term. Run the tools RootkitRevealer (log via File >> Save; don't do anything else during the scan) and F-Secure BlackLight (a text file fsbl**.txt is created automatically after the scan) and post the respective logs.

Also post a HijackThis log.

Regards, Wildone

Darkbeat2 26.02.2006 00:56

Logfile of HijackThis v1.99.1
Scan saved at 00:48:42, on 26.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5299.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\NetLimiter\NetLimiter.exe
C:\Programme\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\Programme\cFosSpeed\cFosSpeed.exe
C:\Programme\ASUS\WLAN Card Utilities\Center.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Logitech\Video\LogiTray.exe
C:\Programme\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
C:\Programme\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\palstart.exe
C:\Programme\cFosSpeed\spd.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Programme\Logitech\Video\FxSvr2.exe
C:\Programme\Outlook Express\msimn.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Spybot - Search & Destroy\SpybotSD.exe
C:\Programme\WinRAR\WinRAR.exe
C:\Dokumente und Einstellungen\Philip\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.teleos-web.de:8080
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Sicherung\webcam\snagit\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40FB69E1-9B7B-453F-B238-37D8E9528929} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Programme\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Programme\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: (no name) - {DC9377A2-2E8D-44A1-99DB-F8A821DF254D} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Programme\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Sicherung\webcam\snagit\SnagItIEAddin.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Programme\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Programme\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Programme\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Programme\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Control Center] C:\Programme\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ViewpointPhotosDeviceConnect] C:\Programme\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Programme\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programme\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Programme\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\newdotnet6_98.dll,ClientStartup -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programme\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Startup: CamTrack.lnk = C:\Programme\DigitalPeers\CamTrack\dptracker.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: palstart.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Viewpoint Search - res://C:\Programme\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programme\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: => Albion Crosslinks - file:///G:\www.appzplanet.com\config.htm
O8 - Extra context menu item: =>Book - file:///G:\www.appzplanet.com\book.htm
O8 - Extra context menu item: =>Convert - file:///G:\www.appzplanet.com\convert.htm
O8 - Extra context menu item: =>Currency - file:///G:\www.appzplanet.com\currency.htm
O8 - Extra context menu item: =>Email - file:///G:\www.appzplanet.com\email.htm
O8 - Extra context menu item: =>ISBN - file:///G:\www.appzplanet.com\isbn.htm
O8 - Extra context menu item: =>Movie - file:///G:\www.appzplanet.com\movie.htm
O8 - Extra context menu item: =>Music - file:///G:\www.appzplanet.com\music.htm
O8 - Extra context menu item: =>Other - file:///G:\www.appzplanet.com\other.htm
O8 - Extra context menu item: =>Search - file:///G:\www.appzplanet.com\search.htm
O8 - Extra context menu item: =>Stock Symbol - file:///G:\www.appzplanet.com\stock.htm
O8 - Extra context menu item: =>Translate - file:///G:\www.appzplanet.com\translate.htm
O8 - Extra context menu item: =>UPC - file:///G:\www.appzplanet.com\upc.htm
O8 - Extra context menu item: =>URL - file:///G:\www.appzplanet.com\url.htm
O8 - Extra context menu item: Add selected links to Link Container - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\System\Scripts\off_collector_sel.htm
O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\Microsoft Office\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show domain links - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\System\Scripts\off_domain_links.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programme\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programme\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programme\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: XM2002® - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Programme\IPPS\XM2002®\XM2002.exe
O9 - Extra 'Tools' menuitem: &XM2002® - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Programme\IPPS\XM2002®\XM2002.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: LinkLister - {63A59C7F-65C5-4fe9-AAD1-C9E508E9FBFB} - C:\Programme\LinkLister\lltrial.exe (HKCU)
O9 - Extra 'Tools' menuitem: LinkLister - {63A59C7F-65C5-4fe9-AAD1-C9E508E9FBFB} - C:\Programme\LinkLister\lltrial.exe (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730030} - G:\www.appzplanet.com\url.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>URL - {FFFE661B-CF3F-4248-BF00-BA00E5730030} - G:\www.appzplanet.com\url.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730040} - G:\www.appzplanet.com\upc.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>UPC - {FFFE661B-CF3F-4248-BF00-BA00E5730040} - G:\www.appzplanet.com\upc.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730050} - G:\www.appzplanet.com\translate.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Translate - {FFFE661B-CF3F-4248-BF00-BA00E5730050} - G:\www.appzplanet.com\translate.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730060} - G:\www.appzplanet.com\stock.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Stock Symbol - {FFFE661B-CF3F-4248-BF00-BA00E5730060} - G:\www.appzplanet.com\stock.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730065} - G:\www.appzplanet.com\search.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Search - {FFFE661B-CF3F-4248-BF00-BA00E5730065} - G:\www.appzplanet.com\search.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730070} - G:\www.appzplanet.com\other.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Other - {FFFE661B-CF3F-4248-BF00-BA00E5730070} - G:\www.appzplanet.com\other.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730080} - G:\www.appzplanet.com\music.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Music - {FFFE661B-CF3F-4248-BF00-BA00E5730080} - G:\www.appzplanet.com\music.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730090} - G:\www.appzplanet.com\movie.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Movie - {FFFE661B-CF3F-4248-BF00-BA00E5730090} - G:\www.appzplanet.com\movie.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E57300A0} - G:\www.appzplanet.com\isbn.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>ISBN - {FFFE661B-CF3F-4248-BF00-BA00E57300A0} - G:\www.appzplanet.com\isbn.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E57300B0} - G:\www.appzplanet.com\email.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Email - {FFFE661B-CF3F-4248-BF00-BA00E57300B0} - G:\www.appzplanet.com\email.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E57300C0} - G:\www.appzplanet.com\currency.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Currency - {FFFE661B-CF3F-4248-BF00-BA00E57300C0} - G:\www.appzplanet.com\currency.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E57300D0} - G:\www.appzplanet.com\convert.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Convert - {FFFE661B-CF3F-4248-BF00-BA00E57300D0} - G:\www.appzplanet.com\convert.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E57300E0} - G:\www.appzplanet.com\book.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Book - {FFFE661B-CF3F-4248-BF00-BA00E57300E0} - G:\www.appzplanet.com\book.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E57300F0} - G:\www.appzplanet.com\config.htm (HKCU)
O9 - Extra 'Tools' menuitem: => Albion Crosslinks - {FFFE661B-CF3F-4248-BF00-BA00E57300F0} - G:\www.appzplanet.com\config.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.de/scan/Msie/bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D440666-94D6-4A7A-8B20-4CE8517A7BE5}: NameServer = 212.62.68.34 212.62.64.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D440666-94D6-4A7A-8B20-4CE8517A7BE5}: NameServer = 212.62.68.34 212.62.64.34
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SABWinLogon - C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Programme\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: Windows-Firewall/Gemeinsame Nutzung der Internetverbindung (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

Darkbeat2 26.02.2006 01:09

With RootkitRevealer, or whatever the thing is called, this key caught my eye:

HKLM\S-1-5-21-746137067-789336058-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:Q:\Funer\k-gerzr45\Vapbzvat\Tnzref Rqvgvba O14 Shyy Cnpx (Yrrpure rzhyr unpx ab hcybnq 26.02.2006 01:00 16 bytes Hidden from Windows API.
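The value names under a UserAssist\{GUID}\Count key, which is what RootkitRevealer is listing here, are stored ROT13-encoded by Explorer, which is why the name above reads as gibberish. As an added example (not from this thread and not part of RootkitRevealer), here is a small Python parser that splits a RootkitRevealer discrepancy line into its fields and decodes the UserAssist name. The sample line is constructed: the SID is a placeholder, and its value name is this thread's C:\WINDOWS\system32\scvhost.exe path, ROT13-encoded by hand. The UEME_* prefix table comes from general Windows XP forensics knowledge, not from the thread. A decoded UEME_RUNPATH record only says that the program was launched through Explorer at some point; on its own it is not proof of a rootkit.

```python
import codecs
import re
from typing import Dict, Optional

# RootkitRevealer discrepancy line: "<registry path> <dd.mm.yyyy> <hh:mm> <size> <description>".
# The key path may itself contain spaces, so the timestamp is used to anchor the split.
RKR_LINE_RE = re.compile(
    r"^(?P<key>.+?)\s+(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+ (?:bytes|KB|MB))\s+(?P<description>.*)$"
)

# Prefixes Explorer uses for UserAssist value names on Windows XP (general forensics
# knowledge, not from the thread); the names are stored ROT13-encoded.
USERASSIST_KINDS = {
    "UEME_RUNPATH": "executable launched",
    "UEME_RUNPIDL": "shell item (folder/shortcut) opened",
    "UEME_RUNCPL": "Control Panel applet launched",
}

# Constructed sample modelled on the RootkitRevealer line in the post above. The SID is a
# placeholder; the value name is the thread's scvhost.exe path, ROT13-encoded by hand.
SAMPLE_LINE = (
    r"HKLM\S-1-5-21-0-0-0-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    r"\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\fpiubfg.rkr"
    " 26.02.2006 01:00 16 bytes Hidden from Windows API."
)


def parse_rkr_line(line: str) -> Optional[Dict[str, str]]:
    """Split one RootkitRevealer output line into key, date, time, size and description."""
    m = RKR_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_userassist(key_path: str) -> Optional[Dict[str, str]]:
    """If key_path points below a UserAssist ...\\Count key, ROT13-decode the value name."""
    lowered = key_path.lower()
    marker = "\\count\\"
    idx = lowered.find(marker)
    if idx < 0 or "userassist" not in lowered:
        return None
    encoded = key_path[idx + len(marker):]
    decoded = codecs.decode(encoded, "rot13")
    prefix, _, target = decoded.partition(":")
    return {
        "encoded": encoded,
        "decoded": decoded,
        "kind": USERASSIST_KINDS.get(prefix, "unknown prefix " + prefix),
        "target": target,
    }


def analyze(line: str) -> Optional[Dict[str, str]]:
    """Parse a RootkitRevealer line and, when it is a UserAssist entry, add the decoded fields."""
    parsed = parse_rkr_line(line)
    if parsed is None:
        return None
    ua = decode_userassist(parsed["key"])
    if ua:
        parsed.update(ua)
    return parsed


if __name__ == "__main__":
    result = analyze(SAMPLE_LINE)
    for field, value in (result or {}).items():
        print(f"{field:12}: {value}")
```

The regex anchors on the dd.mm.yyyy timestamp because the ROT13 value name can contain spaces (the one posted above does); a value name that itself contained a date-like string would need a stricter split.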

Wildone 26.02.2006 01:10

Hello,
so we already have a few things. Fix (tick the box and click "Fix checked") the following:
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\newdotnet6_98.dll,ClientStartup -s
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Then post a new log. Can you get back into the registry afterwards?

Regards, Wildone

Darkbeat2 26.02.2006 01:17

F-Secure BlackLight didn't find anything. I'm ticking the boxes in front of those items; thanks for the quick help, I'll post a new HijackThis log then

Logfile of HijackThis v1.99.1
Scan saved at 01:11:56, on 26.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5299.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\NetLimiter\NetLimiter.exe
C:\Programme\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\Programme\cFosSpeed\cFosSpeed.exe
C:\Programme\ASUS\WLAN Card Utilities\Center.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Logitech\Video\LogiTray.exe
C:\Programme\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
C:\Programme\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MESSEN~1\msmsgs.exe
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\palstart.exe
C:\Programme\cFosSpeed\spd.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Programme\Logitech\Video\FxSvr2.exe
C:\Programme\Outlook Express\msimn.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Spybot - Search & Destroy\SpybotSD.exe
C:\Dokumente und Einstellungen\Philip\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.teleos-web.de:8080
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Sicherung\webcam\snagit\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40FB69E1-9B7B-453F-B238-37D8E9528929} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Programme\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Programme\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: (no name) - {DC9377A2-2E8D-44A1-99DB-F8A821DF254D} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Programme\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Sicherung\webcam\snagit\SnagItIEAddin.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Programme\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NetLimiter] C:\Programme\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Programme\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Programme\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Control Center] C:\Programme\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ViewpointPhotosDeviceConnect] C:\Programme\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Programme\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programme\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Programme\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\newdotnet6_98.dll,ClientStartup -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programme\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Startup: CamTrack.lnk = C:\Programme\DigitalPeers\CamTrack\dptracker.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Programme\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Programme\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add selected links to Link Container - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\System\Scripts\off_collector_sel.htm
O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\Microsoft Office\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Show domain links - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\System\Scripts\off_domain_links.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Programme\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Programme\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Programme\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Programme\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: XM2002® - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Programme\IPPS\XM2002®\XM2002.exe
O9 - Extra 'Tools' menuitem: &XM2002® - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Programme\IPPS\XM2002®\XM2002.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: LinkLister - {63A59C7F-65C5-4fe9-AAD1-C9E508E9FBFB} - C:\Programme\LinkLister\lltrial.exe (HKCU)
O9 - Extra 'Tools' menuitem: LinkLister - {63A59C7F-65C5-4fe9-AAD1-C9E508E9FBFB} - C:\Programme\LinkLister\lltrial.exe (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730030} - G:\www.appzplanet.com\url.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>URL - {FFFE661B-CF3F-4248-BF00-BA00E5730030} - G:\www.appzplanet.com\url.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730040} - G:\www.appzplanet.com\upc.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>UPC - {FFFE661B-CF3F-4248-BF00-BA00E5730040} - G:\www.appzplanet.com\upc.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730050} - G:\www.appzplanet.com\translate.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Translate - {FFFE661B-CF3F-4248-BF00-BA00E5730050} - G:\www.appzplanet.com\translate.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730060} - G:\www.appzplanet.com\stock.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Stock Symbol - {FFFE661B-CF3F-4248-BF00-BA00E5730060} - G:\www.appzplanet.com\stock.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730065} - G:\www.appzplanet.com\search.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Search - {FFFE661B-CF3F-4248-BF00-BA00E5730065} - G:\www.appzplanet.com\search.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730070} - G:\www.appzplanet.com\other.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Other - {FFFE661B-CF3F-4248-BF00-BA00E5730070} - G:\www.appzplanet.com\other.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730080} - G:\www.appzplanet.com\music.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Music - {FFFE661B-CF3F-4248-BF00-BA00E5730080} - G:\www.appzplanet.com\music.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E5730090} - G:\www.appzplanet.com\movie.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Movie - {FFFE661B-CF3F-4248-BF00-BA00E5730090} - G:\www.appzplanet.com\movie.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E57300A0} - G:\www.appzplanet.com\isbn.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>ISBN - {FFFE661B-CF3F-4248-BF00-BA00E57300A0} - G:\www.appzplanet.com\isbn.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E57300B0} - G:\www.appzplanet.com\email.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Email - {FFFE661B-CF3F-4248-BF00-BA00E57300B0} - G:\www.appzplanet.com\email.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E57300C0} - G:\www.appzplanet.com\currency.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Currency - {FFFE661B-CF3F-4248-BF00-BA00E57300C0} - G:\www.appzplanet.com\currency.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E57300D0} - G:\www.appzplanet.com\convert.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Convert - {FFFE661B-CF3F-4248-BF00-BA00E57300D0} - G:\www.appzplanet.com\convert.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E57300E0} - G:\www.appzplanet.com\book.htm (HKCU)
O9 - Extra 'Tools' menuitem: =>Book - {FFFE661B-CF3F-4248-BF00-BA00E57300E0} - G:\www.appzplanet.com\book.htm (HKCU)
O9 - Extra button: (no name) - {FFFE661B-CF3F-4248-BF00-BA00E57300F0} - G:\www.appzplanet.com\config.htm (HKCU)
O9 - Extra 'Tools' menuitem: => Albion Crosslinks - {FFFE661B-CF3F-4248-BF00-BA00E57300F0} - G:\www.appzplanet.com\config.htm (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.de/scan/Msie/bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D440666-94D6-4A7A-8B20-4CE8517A7BE5}: NameServer = 212.62.68.34 212.62.64.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D440666-94D6-4A7A-8B20-4CE8517A7BE5}: NameServer = 212.62.68.34 212.62.64.34
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSN Messenger\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SABWinLogon - C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Programme\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: Windows-Firewall/Gemeinsame Nutzung der Internetverbindung (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

Darkbeat2 26.02.2006 01:20

Thanks, regedit works again. I found the DisableCMD key, it's set to 1, how should I deal with it?

Wildone 26.02.2006 01:28

Hello,
did you activate the links manually? Go into your log and edit them: turn http into hxxp, or www into w*w.
This one:
O23 - Service: Windows-Firewall/Gemeinsame Nutzung der Internetverbindung (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
you can fix as well. By the way, the backdoor you caught is already almost a year old; it's a mystery to me how you caught it with all the patches plus Kaspersky.

Then use the following guide for the reinstall. Also, you shouldn't carry any executable files (exe, com, scr, pif, bat...) over to the new system.

Quote:

Thanks, regedit works again. I found the DisableCMD key, it's set to 1, how should I deal with it?
Well, if you want to re-enable it, set it to 0.

Regards, Wildone

Darkbeat2 26.02.2006 01:33

Thanks a lot, everything works again for now, until I do the reset on Monday. Is there another file in the system32 folder, the one with scvhost? Because I can't find it; maybe Kaspersky already removed it before the first reboot (there were 3 files, after all)

Darkbeat2 26.02.2006 01:40

You were right, 2 updates were missing (one of my parents must have switched off automatic updates) ^^

Wildone 26.02.2006 01:41

Hello,
well, Kaspersky should already have removed the files. Nobody can tell you what further changes were made to the registry or which additional files may have been downloaded; that is why a reinstall is the only sensible measure.
What you can still do:
delete the following file, if it exists:

C:\Windows\System32\ckl009.dat

and also:
Start -> Run -> regedit
Change there into the "directory"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

There the entry "ImagePath" should have the value "%SystemRoot%\system32\svchost.exe -k netsvcs". If not, change it accordingly. Then close Regedit again.

Regards, Wildone
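Added example, not part of this thread and not a Trojaner-Board or HijackThis tool: a small Python triage script that applies the checks Wildone walks through above to HijackThis 1.99.1 log lines: populated win.ini load=/run= entries (F3), O7 policy restrictions such as DisableRegedit=1, O23 services whose binary is missing or whose path is malformed (the doubled C:\WINDOWS\C:\WINDOWS in the SharedAccess line), and the expected SharedAccess ImagePath he gives. It also defangs URLs the way he asks (http to hxxp, www to w*w) before printing. The lookalike check (scvhost.exe is svchost.exe with two letters swapped) and the New.net rule are my generalisation of the entries he told the poster to fix; the sample log is constructed from a handful of lines modelled on the one posted above.

```python
import re
from typing import Dict, List, Optional

# Windows system binaries that malware likes to imitate; the thread's scvhost.exe is
# svchost.exe with two letters swapped (assumption: an anagram check is enough here).
LEGIT_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}

# Substrings from entries the thread's helper told the poster to fix (New.net adware DLL).
KNOWN_UNWANTED_SUBSTRINGS = ("newdotnet",)

# ImagePath the thread says the SharedAccess service should carry.
EXPECTED_SHAREDACCESS_IMAGEPATH = r"%SystemRoot%\system32\svchost.exe -k netsvcs"

# Constructed sample: a handful of lines modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\newdotnet6_98.dll,ClientStartup -s
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Windows-Firewall/Gemeinsame Nutzung der Internetverbindung (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Programme\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A drive-letter path up to the next quote, space or comma.
PATH_RE = re.compile(r'[A-Za-z]:\\[^" ,]+')


def basename(path: str) -> str:
    return path.split("\\")[-1].lower()


def lookalike_of_system_binary(name: str) -> Optional[str]:
    """Return the legitimate name that `name` imitates by letter shuffling, else None."""
    for legit in LEGIT_SYSTEM_BINARIES:
        if name != legit and sorted(name) == sorted(legit):
            return legit
    return None


def defang(text: str) -> str:
    """Make URLs in a log line non-clickable, as the thread asks for posted logs."""
    return text.replace("https://", "hxxps://").replace("http://", "hxxp://").replace("www.", "w*w.")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (line, reason) for the entries worth a second look."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons: List[str] = []
        if section == "F3" and re.search(r"\b(load|run)=\S", body):
            reasons.append("win.ini load=/run= autostart is populated (legacy hook, rarely legitimate)")
        if section == "O7":
            policy = body.rsplit(", ", 1)[-1]
            reasons.append(f"policy restriction {policy} locks the user out of an admin tool")
        if section == "O23":
            path = body.rsplit(" - ", 1)[-1]
            if "(file missing)" in path:
                reasons.append("service binary is missing on disk")
            if path.count(":\\") > 1:
                reasons.append("malformed service path (drive letter appears twice)")
            if "(SharedAccess)" in body:
                reasons.append(f"verify ImagePath in the registry, expected {EXPECTED_SHAREDACCESS_IMAGEPATH}")
        lowered = body.lower()
        for needle in KNOWN_UNWANTED_SUBSTRINGS:
            if needle in lowered:
                reasons.append(f"known unwanted component ({needle})")
        for token in PATH_RE.findall(body):
            name = basename(token)
            legit = lookalike_of_system_binary(name)
            if legit:
                reasons.append(f"{name} imitates {legit}")
        for reason in reasons:
            findings.append({"section": section, "reason": reason, "line": defang(line)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

The script is a reading aid, not a cleaner: it says which lines deserve the "Fix checked" treatment and why, and leaves the actual change to the person at the keyboard, which is how the thread handles it too.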


All times are WET +1. It is now 07:12.
