Kann ich das entfernen?

moony · 03.02.2005, 23:37

Hi!
Hab mal zwei Fragen dazu was ich ohne Bedenken entfernen kann und was eher nicht. Hab das ganze mal auswerten lassen ... Aber ich kann mit diesen Einträgen nich wirklich viel anfangen

Daher die Frage, ob ichs einfach löschen kann?

O14 - IERESET.INF: START_PAGE_URL=http://www.arcor.de
Possibly nasty
Possibly nasty
This entry should be fixed if this address does not belong to your PC-manufacturer or your 'Internet-Service-Provider (ISP)'. This entry should be fixed if 'http://www.arcor.de' is not your PC-manufacturer or your 'Internet-Service-Provider (ISP)'.

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\INCRED~1\INCRED~1\bin\resources\WebMenuImg.htm
Safe.
Safe.
The entry &Add animation to IncrediMail Style Box has been identified as safe. If the entry '&Add animation to IncrediMail Style Box ' is not needed anymore, it should be fixed.

O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
Safe.
Safe.
The entry &Google Search has been identified as safe.
If the entry '&Google Search ' is not needed anymore, it should be fixed.

O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
Safe.
Safe.
The entry Im Cache gespeicherte Seite has been identified as safe. If the entry 'Im Cache gespeicherte Seite ' is not needed anymore, it should be fixed.

O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
Safe.
Safe.
The entry Verweisseiten has been identified as safe.
If the entry 'Verweisseiten ' is not needed anymore, it should be fixed.

O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
Safe.
Safe.
The entry Ähnliche Seiten has been identified as safe.
If the entry 'Ähnliche Seiten ' is not needed anymore, it should be fixed.

O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite\ICQLite.exe
Safe.
Safe.
The entry ICQ 4.1 has been identified as safe.
If the entry 'ICQ 4.1 ' is not needed anymore, it should be fixed.

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite\ICQLite.exe Safe.
Safe.
The entry ICQ Lite has been identified as safe.
If the entry 'ICQ Lite ' is not needed anymore, it should be fixed.

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
Safe.
Safe.
The entry Real.com has been identified as safe.
If the entry 'Real.com ' is not needed anymore, it should be fixed.

O17 - HKLM\System\CCS\Services\Tcpip\..\{A48E95A8-076E-4804-A9AD-C302F5F9BD7B}: NameServer = 192.168.120.252,192.168.120.253
Safe.
Safe.
If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.
The entered IP or Domain '192.168.120.252,192.168.120.253' has been identified as safe.

Und vor allem, kann ich folgendes auch einfach entfernen??

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
Safe.
Safe.
This page has been identified as safe.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
Safe.
Safe.
This page has been identified as safe.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
Safe.
Safe.
This page has been identified as safe.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
Safe.
Safe.
This page has been identified as safe.

Wär euch dankbar für eure Hilfe!

LG Moony

Tom59 · 03.02.2005, 23:53

@moony...

lade dir bitte

http://www.trojaner-board.de/51130-a...ijackthis.html

herunter und poste das logfile hierhier...

anders sind keine vernünftigen Aussagen zu machen...

du hast einige Probleme!!!

lg

Tom59

moony · 04.02.2005, 01:15

Hm, na das hab ich doch ...
Das Logfile hab ich dann hier reinkopiert -> http://www.hijackthis.de/index.php
und dann kamen unter anderem die Sachen raus, die ich unten reinkopiert hab. Und ich bin mir nicht sicher, ob ichs entfernen kann oder nicht, oder ob ichs gar nich entfernen brauche, weil ich mich ja mit dem ganzen nicht auskenne ... Hmmm ...

Aber ich kann das Logfile gernen auch nochmal reinkopiern..

Logfile of HijackThis v1.99.0
Scan saved at 23:13:48, on 03.02.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\0900 Warner\w0svc.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\Kerio Firewall\Personal Firewall 4\kpf4ss.exe
C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Programme\Kerio Firewall\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Kerio Firewall\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\0900WA~1\WARN0900.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\DitExp.exe
D:\ICQ\ICQLite\ICQLite.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\FRITZ!\IWatch.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Programme\Windows Media Player\wmplayer.exe
C:\DOKUME~1\...\LOKALE~1\Temp\ARC1088\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcor.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [0900 Warner] C:\PROGRA~1\0900WA~1\WARN0900.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [ICQ Lite] D:\ICQ\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\ICQ\ICQLite\ICQLite.exe -trayboot
O4 - Startup: FRITZ!web.lnk = C:\Programme\FRITZ!\FriWeb32.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\FRITZ!\IWatch.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\INCRED~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQ\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.arcor.de
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093790713796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A48E95A8-076E-4804-A9AD-C302F5F9BD7B}: NameServer = 192.168.120.252,192.168.120.253
O23 - Service: 0190/0900 Warner Überwachungsdienst - Mirko Böer - C:\Programme\0900 Warner\w0svc.exe
O23 - Service: AVM FRITZ!web Routing Service - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Programme\Kerio Firewall\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

LG Moony

Tom59 · 04.02.2005, 22:11

@moony

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

...solltest du mit "hjt" fixen...und mache bitte ein windowsupdate, damit dein BS auf den neuesten Stand kommt...

sicherheitshalber noch mal dieses...

http://www.trojaner-board.de/42731-escan-anleitung.html

lg

Tom59

Kann ich das entfernen?

Log-Analyse und Auswertung: Kann ich das entfernen?