Diverse Trojaner: eScan- & HJT-Logs posted

joyful · 03.10.2005, 18:15

Hallo Zusammen
1. toller Service, welcher hier geboten wird :aplaus:

2. absolut neu hier - allfällige Regelverstösse sind auf Unwissen zurückzuführen

3. meine Probleme: Trojan Dropper Win32.Vidro.u und Vidro.x sowie Win32.qhost.df

4. mein escan log

infected
Mon Oct 03 16:47:55 2005 => System found infected with adware.toolbar.sbsoft.h Spyware/Adware ({08bec6aa-49fc-4379-3587-4b21e286c19e})! Action taken: No Action Taken.
Mon Oct 03 16:47:55 2005 => System found infected with adware.toolbar.sbsoft.h Spyware/Adware ({08bec6aa-49fc-4379-3587-4b21e286c19e})! Action taken: No Action Taken.
Mon Oct 03 16:47:55 2005 => System found infected with adware.toolbar.sbsoft.h Spyware/Adware ({08bec6aa-49fc-4379-3587-4b21e286c19e})! Action taken: No Action Taken.
Mon Oct 03 16:47:55 2005 => System found infected with alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
Mon Oct 03 16:47:58 2005 => Offending file found: C:\WINDOWS\system32\libeay32_1-1-0_ddr.dll
Mon Oct 03 16:47:58 2005 => System found infected with cydoor Spyware/Adware (libeay32_1-1-0_ddr.dll)! Action taken: No Action Taken.

Mon Oct 03 16:47:58 2005 => Offending file found: C:\WINDOWS\system32\ssleay32_1-1-0_ddr.dll
Mon Oct 03 16:47:58 2005 => System found infected with cydoor Spyware/Adware (ssleay32_1-1-0_ddr.dll)! Action taken: No Action Taken.

Mon Oct 03 16:47:58 2005 => Offending file found: C:\WINDOWS\system32\stlport_4_0_0_ddr.dll
Mon Oct 03 16:47:58 2005 => System found infected with cydoor Spyware/Adware (stlport_4_0_0_ddr.dll)! Action taken: No Action Taken.

Mon Oct 03 16:47:58 2005 => Offending file found: C:\WINDOWS\system32\xerces-c_1_40_0_ddr.dll
Mon Oct 03 16:47:58 2005 => System found infected with cydoor Spyware/Adware (xerces-c_1_40_0_ddr.dll)! Action taken: No Action Taken.

Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\temporary internet files\content.ie5\etulq96n\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\temporary internet files\content.ie5\j3lxj3py\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\temporary internet files\content.ie5\p45olmph\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\temporary internet files\content.ie5\qdxncb4s\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\content.ie5\etulq96n\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\content.ie5\j3lxj3py\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\content.ie5\p45olmph\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Mon Oct 03 16:47:58 2005 => Offending file found: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\content.ie5\qdxncb4s\common[1].js
Mon Oct 03 16:47:58 2005 => System found infected with whenu.savenow Spyware/Adware (common[1].js)! Action taken: No Action Taken.

Mon Oct 03 16:48:02 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.

Mon Oct 03 16:48:02 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.
--------------------------------
tagged
Mon Oct 03 16:47:23 2005 => File C:\WINDOWS\System32\ycnvi.dll tagged as "not-a-virus:AdWare.Win32.SBSoft.h". Action Taken: No Action Taken.
Mon Oct 03 16:49:52 2005 => File C:\WINDOWS\system32\ntfsnlpa.exe tagged as "not-a-virus:AdWare.Win32.Msnagent.b". Action Taken: No Action Taken.
Mon Oct 03 16:50:10 2005 => File C:\WINDOWS\system32\rdsndin.exe tagged as "not-a-virus:AdWare.Win32.FindSpy.a". Action Taken: No Action Taken.
Mon Oct 03 17:51:38 2005 => File C:\WINDOWS\SYSTEM32\ntfsnlpa.exe tagged as "not-a-virus:AdWare.Win32.Msnagent.b". Action Taken: No Action Taken.
Mon Oct 03 17:52:11 2005 => File C:\WINDOWS\SYSTEM32\rdsndin.exe tagged as "not-a-virus:AdWare.Win32.FindSpy.a". Action Taken: No Action Taken.
--------------------------------
summary
Mon Oct 03 17:53:31 2005 => ***** Scanning complete. *****

Mon Oct 03 17:53:31 2005 => Total Objects Scanned: 70176
Mon Oct 03 17:53:31 2005 => Total Virus(es) Found: 29
Mon Oct 03 17:53:31 2005 => Total Disinfected Files: 0
Mon Oct 03 17:53:31 2005 => Total Files Renamed: 0
Mon Oct 03 17:53:31 2005 => Total Deleted Objects: 0
Mon Oct 03 17:53:31 2005 => Total Errors: 226
Mon Oct 03 17:53:31 2005 => Time Elapsed: 01:06:29
Mon Oct 03 17:53:31 2005 => Virus Database Date: 2005/09/27
Mon Oct 03 17:53:31 2005 => Virus Database Count: 151405

Mon Oct 03 17:53:31 2005 => Scan Completed.
--------------------------------------------------------------------------

joyful · 03.10.2005, 18:19

Fortsetzung:

5. mein HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 18:09:21, on 03.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Bases_X\mwavscan.com
C:\Bases_X\kavss.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = h**p://www.euro.dell.com/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MMTray] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\cablecom hispeed security package\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\cablecom hispeed security package\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\cablecom hispeed security package\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\cablecom hispeed security package\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [gabber] slamm.exe
O4 - HKLM\..\Run: [RtlFindVal] runload32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 2.1.lnk = C:\Programme\traxex\TraXEx.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125961586296
O16 - DPF: {6F1AF9D5-68BB-4A81-93F1-481CB8AB0D0B} (PhotocolorUploader Control) - h**p://web1.photocolor.net/ActiveX/PhotocolorUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - h**p://secure2.comned.com/signuptemplates/securelogin-devel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA91837-D0A3-4BB0-9FCE-F6226CA5A647}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4BBC45B-C3FA-490D-8372-91E7EF4B3C32}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEF149C8-E76A-4E93-BFE5-7A745EC24991}: NameServer = 195.95.218.34,85.255.112.7
O18 - Protocol: bw+0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {8B5549D7-B7AC-441C-8C0C-99635E08925A} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: cablecom hispeed security package (BackWeb Plug-in - 9038346) - Unknown owner - C:\PROGRA~1\CABLEC~1\backweb\9038346\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\cablecom hispeed security package\backweb\9038346\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure h**p Server (fsh**ps) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FSPC\fsh**ps\fsh**ps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--------------------------------------------------------------------------
6. Vielen Dank für Eure Hilfe, Inputs und Anweisungen

Cheers Joyful

chaosman · 03.10.2005, 19:07

@joyful
lade clearprog
alle Häkchen bei IE und windows setzen, löschen
lade Adaware , update es.
Update spybot
lade LSP-Fix

wechsle in den abgesicherten modus, scanne mit spybot und Adaware.
Fixe danach mit HJT
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O4 - HKLM\..\Run: [gabber] slamm.exe
O4 - HKLM\..\Run: [RtlFindVal] runload32.exe
alle O18 einträge

lösche dananch manuell
C:\WINDOWS\System32\ycnvi.dll
runload32.exe
slamm.exe
C:\WINDOWS\system32\ntfsnlpa.exe
C:\WINDOWS\system32\rdsndin.exe
lasse Lsp-Fix laufen, wenn dein Inet nicht geht
Anleitung http://www.bleepingcomputer.com/forums/topic3272.html

neue escan durchführen

chaosman

joyful · 03.10.2005, 22:24

Zweiter Scan

HJT-Logfile

Logfile of HijackThis v1.99.1
Scan saved at 23:13:43, on 03.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Interapple\5 Clicks\Spider.exe
C:\Bases_X\mwavscan.com
C:\Bases_X\kavss.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\Temporäres Verzeichnis 1 für hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = h**p://www.euro.dell.com/
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MMTray] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\cablecom hispeed security package\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\cablecom hispeed security package\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\cablecom hispeed security package\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\cablecom hispeed security package\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 2.1.lnk = C:\Programme\traxex\TraXEx.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://h**p://update.microsoft.com/w...?1125961586296
O16 - DPF: {6F1AF9D5-68BB-4A81-93F1-481CB8AB0D0B} (PhotocolorUploader Control) - http://web1.photocolor.net/ActiveX/P...orUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://h**p://secure2.comned.com/sig...ogin-devel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA91837-D0A3-4BB0-9FCE-F6226CA5A647}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4BBC45B-C3FA-490D-8372-91E7EF4B3C32}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEF149C8-E76A-4E93-BFE5-7A745EC24991}: NameServer = 195.95.218.34,85.255.112.7
O23 - Service: cablecom hispeed security package (BackWeb Plug-in - 9038346) - Unknown owner - C:\PROGRA~1\CABLEC~1\backweb\****\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\cablecom hispeed security package\backweb\****\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Die IP-Adress (fett im log markiert) müsste ich die kennen?

Danke und Gruss
Joyful

joyful · 03.10.2005, 22:25

Chaosman,

Besten Dank, das ging ja fix!

Übrigens war mein escan log vom "19:15 posting" unvollständig...sorry.

Hier mein Kommentar zu den einzelnen Schritten in rot:

wechsle in den abgesicherten modus, scanne mit spybot und Adaware.
spyboot = clean
adaware results = adware.toolband, coolwebsearch, alexa
=> alles entfernt

Fixe danach mit HJT
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O4 - HKLM\..\Run: [gabber] slamm.exe
O4 - HKLM\..\Run: [RtlFindVal] runload32.exe
alle O18 einträge
alle einträge gefixed
lösche dananch manuell
C:\WINDOWS\System32\ycnvi.dll
Datei nicht mehr vorhanden
slamm.exe
registereintrag nicht mehr vorhandenrunload32.exe
registereintrag nicht mehr vorhanden
C:\WINDOWS\system32\ntfsnlpa.exe
manuell gelöschtrunload32.exe
C:\WINDOWS\system32\rdsndin.exe
manuell gelöschtrunload32.exe
lasse Lsp-Fix laufen, wenn dein Inet nicht geht
Anleitung h**p://www.bleepingcomputer.com/forums/topic3272.html

neue escan durchführen

chaosman

neuer escan log (Zweiter Scan):
infected
Mon Oct 03 21:46:50 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Mon Oct 03 21:46:50 2005 => Loading Spyware Signatures from new External Database (Size: 144406).
Mon Oct 03 21:46:50 2005 => Indexed Spyware Databases Successfully Created...

Mon Oct 03 21:53:40 2005 => Offending file found: C:\WINDOWS\system32\libeay32_1-1-0_ddr.dll
Mon Oct 03 21:53:40 2005 => System found infected with cydoor Spyware/Adware (libeay32_1-1-0_ddr.dll)! Action taken: No Action Taken.

Mon Oct 03 21:53:40 2005 => Offending file found: C:\WINDOWS\system32\ssleay32_1-1-0_ddr.dll
Mon Oct 03 21:53:40 2005 => System found infected with cydoor Spyware/Adware (ssleay32_1-1-0_ddr.dll)! Action taken: No Action Taken.

Mon Oct 03 21:53:40 2005 => Offending file found: C:\WINDOWS\system32\stlport_4_0_0_ddr.dll
Mon Oct 03 21:53:40 2005 => System found infected with cydoor Spyware/Adware (stlport_4_0_0_ddr.dll)! Action taken: No Action Taken.

Mon Oct 03 21:53:40 2005 => Offending file found: C:\WINDOWS\system32\xerces-c_1_40_0_ddr.dll
Mon Oct 03 21:53:40 2005 => System found infected with cydoor Spyware/Adware (xerces-c_1_40_0_ddr.dll)! Action taken: No Action Taken.

Mon Oct 03 21:53:42 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.

Mon Oct 03 21:53:43 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.

Mon Oct 03 21:54:18 2005 => File C:\WINDOWS\system32\CSXWR.0XE infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
Mon Oct 03 21:54:26 2005 => File C:\WINDOWS\system32\DMPUF.0XE infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.
Mon Oct 03 21:54:36 2005 => File C:\WINDOWS\system32\HCLEAN32.0XE infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.
Mon Oct 03 23:02:26 2005 => File C:\WINDOWS\SYSTEM32\CSXWR.0XE infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
Mon Oct 03 23:02:48 2005 => File C:\WINDOWS\SYSTEM32\DMPUF.0XE infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.
Mon Oct 03 23:03:11 2005 => File C:\WINDOWS\SYSTEM32\HCLEAN32.0XE infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.

--------------------------------
tagged
none

--------------------------------
summary
Mon Oct 03 23:05:55 2005 => Total Objects Scanned: 70087
Mon Oct 03 23:05:55 2005 => Total Virus(es) Found: 12
Mon Oct 03 23:05:55 2005 => Total Disinfected Files: 0
Mon Oct 03 23:05:55 2005 => Total Files Renamed: 0
Mon Oct 03 23:05:55 2005 => Total Deleted Objects: 0
Mon Oct 03 23:05:55 2005 => Total Errors: 227
Mon Oct 03 23:05:55 2005 => Time Elapsed: 01:19:46
Mon Oct 03 23:05:55 2005 => Virus Database Date: 2005/09/27
Mon Oct 03 23:05:55 2005 => Virus Database Count: 151405

Mon Oct 03 23:05:56 2005 => Scan Completed.

--------------------------------------------------------------------------

Vielen Dank & good night!
Joyful

joyful · 04.10.2005, 13:33

Hallo zusammen

Gibt es noch Rettung für mich und meine Kiste? Es riecht stark nach Neuaufsetzen, obwohl mir das gewaltig stinkt.

Danke fürs feedback
Joyful

***********************************

Hier der dritte escan-log (diesmal mit admin-rights ).

infected
Tue Oct 04 13:04:39 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Tue Oct 04 13:04:39 2005 => Loading Spyware Signatures from new External Database (Size: 144406).
Tue Oct 04 13:04:39 2005 => Indexed Spyware Databases Successfully Created...

Tue Oct 04 13:04:44 2005 => System found infected with adware.toolbar.sbsoft.h Spyware/Adware ({08bec6aa-49fc-4379-3587-4b21e286c19e})! Action taken: No Action Taken.
Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\clocksync !!!
Tue Oct 04 13:04:46 2005 => Object "clocksync Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\weathercast !!!
Tue Oct 04 13:04:46 2005 => Object "whenu.weathercast Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\whenu !!!
Tue Oct 04 13:04:46 2005 => Object "whenu/savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\whenusearch !!!
Tue Oct 04 13:04:46 2005 => Object "whenu/search Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\clocksync !!!
Tue Oct 04 13:04:46 2005 => Object "clocksync Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\weathercast !!!
Tue Oct 04 13:04:46 2005 => Object "whenu.weathercast Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\whenu !!!
Tue Oct 04 13:04:46 2005 => Object "whenu/savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Oct 04 13:04:46 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\whenusearch !!!
Tue Oct 04 13:04:46 2005 => Object "whenu/search Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Oct 04 13:04:47 2005 => Offending file found: C:\WINDOWS\system32\libeay32_1-1-0_ddr.dll
Tue Oct 04 13:04:47 2005 => System found infected with cydoor Spyware/Adware (libeay32_1-1-0_ddr.dll)! Action taken: No Action Taken.

Tue Oct 04 13:04:48 2005 => Offending file found: C:\WINDOWS\system32\ssleay32_1-1-0_ddr.dll
Tue Oct 04 13:04:48 2005 => System found infected with cydoor Spyware/Adware (ssleay32_1-1-0_ddr.dll)! Action taken: No Action Taken.

Tue Oct 04 13:04:48 2005 => Offending file found: C:\WINDOWS\system32\stlport_4_0_0_ddr.dll
Tue Oct 04 13:04:48 2005 => System found infected with cydoor Spyware/Adware (stlport_4_0_0_ddr.dll)! Action taken: No Action Taken.

Tue Oct 04 13:04:48 2005 => Offending file found: C:\WINDOWS\system32\xerces-c_1_40_0_ddr.dll
Tue Oct 04 13:04:48 2005 => System found infected with cydoor Spyware/Adware (xerces-c_1_40_0_ddr.dll)! Action taken: No Action Taken.

Tue Oct 04 13:04:51 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.

Tue Oct 04 13:04:51 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.

Tue Oct 04 13:05:27 2005 => File C:\WINDOWS\system32\CSXWR.0XE infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
Tue Oct 04 13:05:34 2005 => File C:\WINDOWS\system32\DMPUF.0XE infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.
Tue Oct 04 13:05:44 2005 => File C:\WINDOWS\system32\HCLEAN32.0XE infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.

Tue Oct 04 14:09:16 2005 => File C:\WINDOWS\SYSTEM32\CSXWR.0XE infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.

Tue Oct 04 14:09:38 2005 => File C:\WINDOWS\SYSTEM32\DMPUF.0XE infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.
Tue Oct 04 14:10:02 2005 => File C:\WINDOWS\SYSTEM32\HCLEAN32.0XE infected by "Trojan.Win32.Qhost.df" Virus! Action Taken: No Action Taken.

-------------------------------
tagged
none
--------------------------------
summary
Tue Oct 04 14:12:54 2005 => ***** Scanning complete. *****

Tue Oct 04 14:12:54 2005 => Total Objects Scanned: 69251
Tue Oct 04 14:12:54 2005 => Total Virus(es) Found: 21
Tue Oct 04 14:12:54 2005 => Total Disinfected Files: 0
Tue Oct 04 14:12:54 2005 => Total Files Renamed: 0
Tue Oct 04 14:12:54 2005 => Total Deleted Objects: 0
Tue Oct 04 14:12:54 2005 => Total Errors: 262
Tue Oct 04 14:12:54 2005 => Time Elapsed: 01:10:53
Tue Oct 04 14:12:54 2005 => Virus Database Date: 2005/09/27
Tue Oct 04 14:12:54 2005 => Virus Database Count: 151405

Tue Oct 04 14:12:54 2005 => Scan Completed.
--------------------------------------------------------------------------

HJT-Log
Logfile of HijackThis v1.99.1
Scan saved at 14:28:56, on 04.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Bases_X\mwavscan.com
C:\Bases_X\kavss.exe
C:\Programme\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.hattrick.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MMTray] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\cablecom hispeed security package\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\cablecom hispeed security package\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\cablecom hispeed security package\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\cablecom hispeed security package\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [JAguAr] br0ken.exe
O4 - HKCU\..\Run: [StartCpl] _ctcp.exe
O4 - HKCU\..\Run: [TemplateDongle] DCC_send.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: QuickShelf Deutsch 3.0.lnk = C:\Programme\Microsoft Nachschlagewerke\LexiROM 3.0\QS97D.EXE
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 2.1.lnk = C:\Programme\traxex\TraXEx.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Dictionary - h**p://www.ezreference.com/_/ie-com-sp.htm
O8 - Extra context menu item: &Encyclopedia - h**p://www.ezreference.com/_/ie-com-e-sp.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125961586296
O16 - DPF: {6F1AF9D5-68BB-4A81-93F1-481CB8AB0D0B} (PhotocolorUploader Control) - h**p://web1.photocolor.net/ActiveX/PhotocolorUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - h**p://secure2.comned.com/signuptemplates/securelogin-devel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA91837-D0A3-4BB0-9FCE-F6226CA5A647}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4BBC45B-C3FA-490D-8372-91E7EF4B3C32}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEF149C8-E76A-4E93-BFE5-7A745EC24991}: NameServer = 195.95.218.34,85.255.112.7
O23 - Service: cablecom hispeed security package (BackWeb Plug-in - edit) - Unknown owner - C:\PROGRA~1\CABLEC~1\backweb\edit\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\cablecom hispeed security package\backweb\edit\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure h**p Server (fsh**ps) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FSPC\fsh**ps\fsh**ps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

joyful · 04.10.2005, 22:06

Habe mich schlauer gemacht, trotzdem brauche ich noch etwas Hilfe, und zwar zu folgenden Fragen:

1a) Wie erkenne ich, ob ein Trojaner bereits aktiv war und somit das System kompromittiert ist? Vermute ich richtig, dass das im HJT-Log ersichtlich sein müsste?

1b) Falls sich Verdacht gem. 1a) bestätigt erübrigen sich wohl Erklärungen zu Punkte 2ff) und es heisst zurück zum Start bzw. zu h**p://tinyurl.com/8xwze

2) e-scan identifiziert drei *.oxe-Dateien als infiziert - falls diese vom Anti-Viren-Programm umbenannt wurden, können die ja gelöscht werden; aber sind zusätzliche Registereinträge zu modifizieren? Wie? Google, f-secure, McAfee & Co. helfen hier nicht weiter.

3) Wie kommte es, dass

Zitat:

Zitat von joyful

Tue Oct 04 13:04:44 2005 => System found infected with adware.toolbar.sbsoft.h Spyware/Adware ({08bec6aa-49fc-4379-3587-4b21e286c19e})! Action taken: No Action Taken.

weiterhin nicht gesäubert ist, obwohl folgendes gefixed wurde

Zitat:

Zitat von joyful

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ycnvi.dll
O4 - HKLM\..\Run: [gabber] slamm.exe
O4 - HKLM\..\Run: [RtlFindVal] runload32.exe
alle O18 einträge
alle einträge gefixed
lösche dananch manuell
C:\WINDOWS\System32\ycnvi.dll
Datei nicht mehr vorhanden
slamm.exe
registereintrag nicht mehr vorhanden
runload32.exe
registereintrag nicht mehr vorhanden
C:\WINDOWS\system32\ntfsnlpa.exe
manuell gelöscht
C:\WINDOWS\system32\rdsndin.exe
manuell gelöscht

Wildone · 04.10.2005, 22:35

Hallo,
also im klassischen Sinne ist dein Computer wohl nicht kompromittiert, dieser Begriff wird eigentlich eher bei Backdoorbefall verwendet, wenn dritte zugriff auf deinen Computer hatten/haben, dies scheint mir bei dir nicht der Fall. Aber ich denke du hast ziemlich hartnäckige Ad/Spyware an bord, mal schauen ob ich dir da behilflich sein kann, ich versuche es mal.
zu 2.) Ja die solltest du alle löschen, ob noch weitere Registryeinträge zu bearbeiten sind kann ich gerade nicht sehen.
Dann gehe mal mit Start>>Ausführen Regedit in die Registry und lösche die von Escan angeführten Registryeinträge (HKCU=Hkey current user):

Offending Key found: HKCU\software\microsoft\windows\currentversion\exp lorer\menuorder\start menu\programs\clocksync !!!
.
.
.
.
dann im abgesicherten Modus (F8 beim booten) folgende Dateien löschen:
C:\WINDOWS\system32\libeay32_1-1-0_ddr.dll
C:\WINDOWS\system32\ssleay32_1-1-0_ddr.dll
C:\WINDOWS\system32\stlport_4_0_0_ddr.dll
C:\WINDOWS\system32\xerces-c_1_40_0_ddr.dll
cfd.exe (suchen)

dann am besten noch mal Ewido drüberlaufen lassen und ein neues Escan Log (vorher die MWAV.LOG löschen)
und HijackThis log posten.

Grüße Wildone

joyful · 04.10.2005, 23:52

well done Wildone,
und das zu später Stunde

,
hiermit sei ein virtuelles Feierabendbier spendiert

Ergebnis unten sieht soweit gut aus.

Besten Dank!
Joyful

Zitat:

Zitat von Wildone

Dann gehe mal mit Start>>Ausführen Regedit in die Registry und lösche die von Escan angeführten Registryeinträge (HKCU=Hkey current user):
Offending Key found: HKCU\software\microsoft\windows\currentversion\exp lorer\menuorder\start menu\programs\clocksync !!!

=> erledigt (im abgesicherten Modus)

Zitat:

Zitat von Wildone

dann im abgesicherten Modus (F8 beim booten) folgende Dateien löschen:
C:\WINDOWS\system32\libeay32_1-1-0_ddr.dll
C:\WINDOWS\system32\ssleay32_1-1-0_ddr.dll
C:\WINDOWS\system32\stlport_4_0_0_ddr.dll
C:\WINDOWS\system32\xerces-c_1_40_0_ddr.dll
cfd.exe (suchen)

=> nicht gelöscht, weil's mir plötzlich dämmerte und deshalb mal recherchierte. Dazu folgendes:

Process File
cfd or cfd.exe
Process Name
Motive Client Foundation
Description
cfd.exe is a process belonging to a trouble-shooting software from Motive Communications. It enables your broadband provider to offer easy installation and ongoing services to your computer.
Comment
Das habe ich mal approved, als ich hispeed-internet aufgesetzt habe - somit verlässliche Quelle und Datenschutz ist (faktisch) gewährleistet.

Schliesslich die aktuellen logs:
Ad-Aware
clean

Ewido-log
SBSoft wurde gesäubert!
4 cookie.falkag wurden gesäubert

e-scan log
posting folgt Morgen

HJT-log
Logfile of HijackThis v1.99.1
Scan saved at 00:24:05, on 05.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ewido\security suite\SecuritySuite.exe
C:\Programme\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Programme\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = H**P://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = H**P://www.hattrick.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = H**P://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MMTray] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\cablecom hispeed security package\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\cablecom hispeed security package\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\cablecom hispeed security package\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\cablecom hispeed security package\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [JAguAr] br0ken.exe
O4 - HKCU\..\Run: [StartCpl] _ctcp.exe
O4 - HKCU\..\Run: [TemplateDongle] DCC_send.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: QuickShelf Deutsch 3.0.lnk = C:\Programme\Microsoft Nachschlagewerke\LexiROM 3.0\QS97D.EXE
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 2.1.lnk = C:\Programme\traxex\TraXEx.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Dictionary - H**P://www.ezreference.com/_/ie-com-sp.htm
O8 - Extra context menu item: &Encyclopedia - H**P://www.ezreference.com/_/ie-com-e-sp.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - H**P://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - H**P://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125961586296
O16 - DPF: {6F1AF9D5-68BB-4A81-93F1-481CB8AB0D0B} (PhotocolorUploader Control) - H**P://web1.photocolor.net/ActiveX/PhotocolorUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - H**P://secure2.comned.com/signuptemplates/securelogin-devel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FA91837-D0A3-4BB0-9FCE-F6226CA5A647}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4BBC45B-C3FA-490D-8372-91E7EF4B3C32}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEF149C8-E76A-4E93-BFE5-7A745EC24991}: NameServer = 195.95.218.34,85.255.112.7
O23 - Service: cablecom hispeed security package (BackWeb Plug-in - 9038346) - Unknown owner - C:\PROGRA~1\CABLEC~1\backweb\9038346\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\cablecom hispeed security package\backweb\9038346\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure H**P Server (fsH**Ps) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FSPC\fsH**Ps\fsH**Ps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Wildone · 05.10.2005, 00:06

Hallo,
lass mal diesen Remover bei dir laufen, und erstelle danach ein neues HijackThis Log.

Grüße wildone

joyful · 05.10.2005, 01:30

Morgen allerseits,

Zitat:

Zitat von Wildone

Hallo,
lass mal diesen Remover bei dir laufen, und erstelle danach ein neues HijackThis Log.

Grüße wildone

Zum sicher sein:
- Welches ist der zu fixenden Zufallsschlüssel, falls es einen gibt?
- Wo/wie kann ich die DNS Server Einstellung zurückstellen?
- Wo kann ich meine permanente IP-Adress offline abfragen?

Ausserdem gehören folgende Schlüssel zur wareout-spyware. Soll ich die mit "regedit" löschen?

O4 - HKCU\..\Run: [StartCpl] _ctcp.exe
O4 - HKCU\..\Run: [TemplateDongle] DCC_send.exe

Danke und Gruss!
Joyful

joyful · 05.10.2005, 09:18

Ich schon wieder...

Okay, die IP-Abfrage konnte ich klären:
Ausführen
command.com
ipconfig/all

Remover
Der DNS-Server Eintrag ist identisch mit dem HJT-Log O17. Ich weiss weder meine ursprünglichen IP Adressen noch wie ich das rausfinden kann.

=> Anleitung gemäss Remover bis und mit 5. abgearbeitet.

WareOut Registry Value:
O4 - HKCU\..\Run: [JAguAr] br0ken.exe
O4 - HKCU\..\Run: [StartCpl] _ctcp.exe
O4 - HKCU\..\Run: [TemplateDongle] DCC_send.exe

=> Schlüssel löschen? Dateien nicht mehr vorhanden, evt. durch ad-aware, ewido o.ä. gelöscht.

Wildone · 05.10.2005, 09:38

Hallo,
vergiss die Punkte sechs und sieben, sowohl die Zufallsschlüssel als auch die DNS-Veränderungen sind bei dir nicht vorhanden, nur das Tool solltest du mal laufen lassen.
Wenn die schlüssel immernoch da sind, diese mit HijackThis fixen, am besten im abgesicherten Modus.
Neues Log posten, dieses mal im normalen Modus erstellt.

[EDIT]
Sehe gerade das ich bei dir die O17 Einträge übersehen habe. die solltest du auch alle fixen, da du nicht mit einem Netzwerk ins Internet gehst, hast du auch keinen "eigenen" DNS Eintrag, also kein Problem.
[/EDIT]

Grüße Wildone

joyful · 05.10.2005, 14:18

Hi Wildone
1. Remover => ist gelaufen
2. Schlüssel inkl. O17 => mit HijackThis gefixed
3. Mit Ad-aware, spyboot s&d, XoftSpy gescannt => clean
4. E-scan => läuft noch, wird später geposted
5. Neues HJT-Log im normalen Modus erstellt => geposted

Herzlichen Dank!
Joyful

HJT-Log
Logfile of HijackThis v1.99.1
Scan saved at 14:55:08, on 05.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE
C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Programme\Logitech\iTouch\iTouch.exe
C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe
C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\cablecom hispeed security package\Common\FSM32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\traxex\TraXEx.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
C:\Programme\cablecom hispeed security package\backweb\9038346\program\fsbwsys.exe
C:\Programme\cablecom hispeed security package\Anti-Virus\FSGK32.EXE
C:\Programme\cablecom hispeed security package\Anti-Virus\fssm32.exe
C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
C:\Programme\cablecom hispeed security package\Common\FSMB32.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\cablecom hispeed security package\Common\FCH32.EXE
C:\Programme\cablecom hispeed security package\Common\FAMEH32.EXE
C:\Programme\cablecom hispeed security package\FSPC\fspc.exe
C:\Programme\cablecom hispeed security package\Anti-Virus\fsav32.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
C:\Programme\cablecom hispeed security package\FSGUI\fsguiexe.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.hattrick.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MMTray] C:\Programme\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programme\Gemeinsame Dateien\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Programme\Gemeinsame Dateien\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\cablecom hispeed security package\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\cablecom hispeed security package\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\cablecom hispeed security package\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\cablecom hispeed security package\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: QuickShelf Deutsch 3.0.lnk = C:\Programme\Microsoft Nachschlagewerke\LexiROM 3.0\QS97D.EXE
O4 - Global Startup: Logitech Desktop Messenger Agent.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TraXEx 2.1.lnk = C:\Programme\traxex\TraXEx.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Dictionary - h**p://www.ezreference.com/_/ie-com-sp.htm
O8 - Extra context menu item: &Encyclopedia - h**p://www.ezreference.com/_/ie-com-e-sp.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Programme\cablecom hispeed security package\FSPC\fspcmsie.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125961586296
O16 - DPF: {6F1AF9D5-68BB-4A81-93F1-481CB8AB0D0B} (PhotocolorUploader Control) - h**p://web1.photocolor.net/ActiveX/PhotocolorUploader.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - h**p://secure2.comned.com/signuptemplates/securelogin-devel.cab
O23 - Service: cablecom hispeed security package (BackWeb Plug-in - 9038346) - Unknown owner - C:\PROGRA~1\CABLEC~1\backweb\9038346\Program\SERVIC~1.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programme\cablecom hispeed security package\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\cablecom hispeed security package\backweb\9038346\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure h**p Server (fsh**ps) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\FSPC\fsh**ps\fsh**ps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\cablecom hispeed security package\Common\FSMA32.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

e-scan log
läuft noch

joyful · 05.10.2005, 22:52

Und hier noch der e-scan log

Betreffend Cydoor:

Zitat:

Zitat von joyful

Process File
cfd or cfd.exe
Process Name
Motive Client Foundation
Description
cfd.exe is a process belonging to a trouble-shooting software from Motive Communications. It enables your broadband provider to offer easy installation and ongoing services to your computer.
Comment
Das habe ich mal approved, als ich hispeed-internet aufgesetzt habe - somit verlässliche Quelle und Datenschutz ist (faktisch) gewährleistet.

Was hat's mit all den "whenu.irgenwas" Schlüssel auf sich?

Ansonsten sollte mein System wieder clean sein.
Danke für die Rückmeldung.

Cheers Joy

-------------------------------
infected
-------------------------------
Wed Oct 05 00:49:08 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Wed Oct 05 00:49:08 2005 => Loading Spyware Signatures from new External Database (Size: 144406).
Wed Oct 05 00:49:08 2005 => Indexed Spyware Databases Successfully Created...

Wed Oct 05 00:49:10 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\weathercast !!!
Wed Oct 05 00:49:14 2005 => Object "whenu.weathercast Spyware/Adware" found in File System! Action Taken: No Action Taken.

Wed Oct 05 00:49:14 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\whenu !!!
Wed Oct 05 00:49:14 2005 => Object "whenu/savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.

Wed Oct 05 00:49:14 2005 => Offending Key found: HKCU\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\whenusearch !!!
Wed Oct 05 00:49:14 2005 => Object "whenu/search Spyware/Adware" found in File System! Action Taken: No Action Taken.

Wed Oct 05 00:49:14 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\weathercast !!!
Wed Oct 05 00:49:14 2005 => Object "whenu.weathercast Spyware/Adware" found in File System! Action Taken: No Action Taken.

Wed Oct 05 00:49:14 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\whenu !!!
Wed Oct 05 00:49:14 2005 => Object "whenu/savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.

Wed Oct 05 00:49:14 2005 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\whenusearch !!!
Wed Oct 05 00:49:14 2005 => Object "whenu/search Spyware/Adware" found in File System! Action Taken: No Action Taken.

Wed Oct 05 00:49:16 2005 => Offending file found: C:\WINDOWS\system32\libeay32_1-1-0_ddr.dll
Wed Oct 05 00:49:16 2005 => System found infected with cydoor Spyware/Adware (libeay32_1-1-0_ddr.dll)! Action taken: No Action Taken.

Wed Oct 05 00:49:16 2005 => Offending file found: C:\WINDOWS\system32\ssleay32_1-1-0_ddr.dll
Wed Oct 05 00:49:16 2005 => System found infected with cydoor Spyware/Adware (ssleay32_1-1-0_ddr.dll)! Action taken: No Action Taken.

Wed Oct 05 00:49:16 2005 => Offending file found: C:\WINDOWS\system32\stlport_4_0_0_ddr.dll
Wed Oct 05 00:49:16 2005 => System found infected with cydoor Spyware/Adware (stlport_4_0_0_ddr.dll)! Action taken: No Action Taken.

Wed Oct 05 00:49:16 2005 => Offending file found: C:\WINDOWS\system32\xerces-c_1_40_0_ddr.dll
Wed Oct 05 00:49:16 2005 => System found infected with cydoor Spyware/Adware (xerces-c_1_40_0_ddr.dll)! Action taken: No Action Taken.

Wed Oct 05 00:49:22 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.

Wed Oct 05 00:49:22 2005 => System found infected with cydoor Spyware/Adware (cfd.exe)! Action taken: No Action Taken.

-------------------------------
tagged
-------------------------------
none

-------------------------------
summary
-------------------------------
Wed Oct 05 17:01:22 2005 => ***** Scanning complete. *****

Wed Oct 05 17:01:22 2005 => Total Objects Scanned: 69499
Wed Oct 05 17:01:22 2005 => Total Virus(es) Found: 12
Wed Oct 05 17:01:22 2005 => Total Disinfected Files: 0
Wed Oct 05 17:01:22 2005 => Total Files Renamed: 0
Wed Oct 05 17:01:22 2005 => Total Deleted Objects: 0
Wed Oct 05 17:01:22 2005 => Total Errors: 258
Wed Oct 05 17:01:22 2005 => Time Elapsed: 01:10:42
Wed Oct 05 17:01:22 2005 => Virus Database Date: 2005/09/27
Wed Oct 05 17:01:22 2005 => Virus Database Count: 151405

Wed Oct 05 17:01:22 2005 => Scan Completed.

Diverse Trojaner: eScan- & HJT-Logs posted

Log-Analyse und Auswertung: Diverse Trojaner: eScan- & HJT-Logs posted