Log Analysis and Evaluation: Is my PC virus-free?
08.12.2005, 23:15 | #1

Hi everyone, I need your help. I ran a scan with Avast Antivirus and it reported the virus Win32 CTX on my machine. I moved it to the virus container. In addition, Spybot reports the following on every scan:

HKLM\System\ControlSet002\Services\mchlnjDrv
HKLM\System\ControlSet001\Services\mchlnjDrv
HKLM\System\CurrentControlSet\Services\mchlnjDrv

The entries are shown in red, and when I fix these problems they show up again on the next scan. I ran a HijackThis scan in Safe Mode; here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 22:44:13, on 08.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Install\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.free-av.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132885459056
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131832949937
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe

Can you help me out so that I can sleep soundly again? Many thanks in advance.
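As an added example (not part of the thread, and not HijackThis's own code), the small Python parser below reads a HijackThis log in the format shown above, splits it into header, running processes and typed entries (R0, F2, O2, O4, O16, O18, O23, ...), and applies a few reviewer heuristics that are my own, not the tool's: entries marked "(file missing)", O23 services with an empty vendor field, O16 ActiveX entries with no download URL, and unnamed BHOs. The sample is a shortened excerpt of the log posted above.

```python
import re
from collections import Counter

# Shortened excerpt of the HijackThis log from post #1 (lines copied from the thread).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 22:44:13, on 08.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
"""

# A HijackThis entry is "<type> - <body>", where type is R0/R1, F0-F3, N1-N4 or O1-O23.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into header lines, running processes and typed entries."""
    header, processes, entries = [], [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries.append({"type": m.group(1), "body": m.group(2).strip()})
        elif section == "processes":
            processes.append(line)
        else:
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def count_by_type(entries):
    """How many entries of each type the log contains (useful for a quick overview)."""
    return Counter(e["type"] for e in entries)


def triage(entries):
    """Return (entry, reason) pairs a reviewer would look at first.

    These heuristics are the example's own; they pick out entries that are
    incomplete or unattributed, which is where manual verification starts.
    """
    findings = []
    for e in entries:
        t, body = e["type"], e["body"]
        if "(file missing)" in body:
            findings.append((e, "references a file that no longer exists"))
        elif t == "O23" and " - - " in body:
            findings.append((e, "service without a vendor/company name"))
        elif t == "O16" and body.endswith(" -"):
            findings.append((e, "ActiveX download entry without a source URL"))
        elif t == "O2" and body.startswith("BHO: (no name)"):
            findings.append((e, "browser helper object without a name (verify the DLL path)"))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries by type:", dict(count_by_type(parsed["entries"])))
    for entry, reason in triage(parsed["entries"]):
        print(f"{entry['type']}: {reason}\n    {entry['body']}")
```

The four entries the heuristics pick out of this excerpt are exactly the ones a human reviewer would want to look at in the full log: the unnamed BHO (which in this case is Spybot's own SDHelper.dll, so a false alarm once the path is checked), the O16 entry with no URL, the missing msgrapp.dll, and the SmartLink service with an empty vendor field. The point of the example is to make that first pass repeatable; the decision whether an entry is malicious still needs a check of the file itself.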
08.12.2005, 23:26 | #2

Hello nati81,

download clearprog 1.4.1 final and run a disk cleanup (start the program, tick "Alles Löschen" (delete everything) and click "Löschen" (delete)). Also delete the quarantine folder of your antivirus program. Then scan your system with Escan. Please read carefully first, then scan. Report the result using the "find.bat".

dartus
08.12.2005, 23:38 | #3

Thanks for the tip, Dartus :-) Sorry, I don't know my way around this at all, so thanks again for the help.

I assume I should run the E-scan in Safe Mode?
09.12.2005, 00:18 | #4

So, I have now run a scan with E-scan in Safe Mode. One virus was found. How do I get rid of it, and how do I correct the errors it has caused? Thanks in advance for your help. Here is the logfile:

Fri Dec 09 00:07:57 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Fri Dec 09 00:07:57 2005 => Loading Spyware Signatures from new External Database (Size: 144468).
Fri Dec 09 00:08:08 2005 => Offending Folder found: C:\PROGRA~1\vvsn
Fri Dec 09 00:08:11 2005 => Object "WhenU.WeatherCast Spyware/Adware" found in File System! Action Taken: No Action Taken.
Fri Dec 09 00:08:56 2005 => ***** Scanning Registry for errors created because of Adware/Spyware *****
Fri Dec 09 00:08:56 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/cardware/". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/public/". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".image". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".info/audio/". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".info/audio/2004-11-10%20Madrid,%20Spain/". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".info/audio/2005%20Benzin/". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".info/audio/2005%20Die%20Wasserreise%20(Reise%20Reise%20Orcman%20Edit)/". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".info/incoming/". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".info/video/". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".met". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sized". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".small". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".thumb". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".wlan_3030/". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".wlan_3030/firmware/". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Download Accelerator Plus (DAP)". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "IncrediMail Xe". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InstallShield_{015D937D-9D52-45A4-BDAA-2413938C0564}". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InterActual Player". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB834707". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB873339". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB883667". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB885835". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB886185". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB887472". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB887797". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB888111WXPSP2". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB898461". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB900930". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB902344". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Living Coral Wallpaper #3". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SaveNow". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Spyware Doctor_is1". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SysSnap". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{09C6BF52-6DBA-4A97-9939-B6C24E4738BF}". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{3248F0A8-6813-11D6-A77B-00B0D0150000}". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{A3B4A467-2DA6-404B-9F66-6C6B8DC6DC82}". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{B6F867E8-F092-4C5E-7D72-AC7057DBEF45}". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{C6F1E87D-F3E1-4874-97EC-F87DAB6D6878}". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{E06B3BD8-3143-4555-A11C-4093F01F2348}". Action Taken: No Action Taken.
Fri Dec 09 00:09:06 2005 => Entry "HKCR\.csk" refers to invalid object "cskfile". Action Taken: No Action Taken.
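The eScan output above mixes two very different kinds of lines: actual detections ("Offending Folder found", "Object ... found in File System!") and registry-hygiene noise ("refers to invalid object", which is mostly leftover uninstall and file-association records). As an added example (not from the thread and not eScan's own code), the Python below parses the "<timestamp> => <message>" format, pulls out the "Action Taken" field, classifies each record, and groups the stale-registry lines by key so the handful of real findings are not buried under dozens of ARPCache entries. The sample is a constructed excerpt of the posted log.

```python
import re
from collections import defaultdict

# Constructed excerpt of the eScan log from post #4 (a few of the original lines).
SAMPLE_ESCAN = r"""
Fri Dec 09 00:07:57 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Fri Dec 09 00:07:57 2005 => Loading Spyware Signatures from new External Database (Size: 144468).
Fri Dec 09 00:08:08 2005 => Offending Folder found: C:\PROGRA~1\vvsn
Fri Dec 09 00:08:11 2005 => Object "WhenU.WeatherCast Spyware/Adware" found in File System! Action Taken: No Action Taken.
Fri Dec 09 00:08:56 2005 => ***** Scanning Registry for errors created because of Adware/Spyware *****
Fri Dec 09 00:08:56 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".met". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SaveNow". Action Taken: No Action Taken.
Fri Dec 09 00:09:01 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB902344". Action Taken: No Action Taken.
Fri Dec 09 00:09:06 2005 => Entry "HKCR\.csk" refers to invalid object "cskfile". Action Taken: No Action Taken.
"""

# "<Day Mon DD HH:MM:SS YYYY> => <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) => (?P<msg>.*)$")
# Trailing "Action Taken: <verdict>." is present on detection and registry lines only.
ACTION_RE = re.compile(r"\s*Action Taken: (.*?)\.?$")
OBJECT_RE = re.compile(r'^Object "(?P<name>.+?)" found in (?P<where>.+?)!')
FOLDER_RE = re.compile(r"^Offending Folder found: (?P<path>.+)$")
INVALID_RE = re.compile(r'^Entry "(?P<key>.+?)" refers to invalid object "(?P<obj>.+?)"')


def parse_escan(text):
    """Turn each log line into a record with kind: section, detection, stale_registry or info."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        action = None
        am = ACTION_RE.search(msg)
        if am:
            action = am.group(1)
            msg = msg[:am.start()]
        rec = {"ts": m.group("ts"), "msg": msg, "action": action, "kind": "info"}
        obj, folder, invalid = OBJECT_RE.match(msg), FOLDER_RE.match(msg), INVALID_RE.match(msg)
        if msg.startswith("*****"):
            rec["kind"] = "section"
        elif obj:
            rec.update(kind="detection", name=obj.group("name"), where=obj.group("where"))
        elif folder:
            rec.update(kind="detection", name=folder.group("path"), where="File System")
        elif invalid:
            rec.update(kind="stale_registry", key=invalid.group("key"), obj=invalid.group("obj"))
        records.append(rec)
    return records


def summarize(records):
    """Separate real detections from registry-hygiene noise; group the noise by registry key."""
    detections = [r for r in records if r["kind"] == "detection"]
    stale_by_key = defaultdict(list)
    for r in records:
        if r["kind"] == "stale_registry":
            stale_by_key[r["key"]].append(r["obj"])
    # Detections the scanner logged but did not act on still need manual handling.
    unhandled = [r for r in detections if r["action"] == "No Action Taken"]
    return {"detections": detections, "unhandled": unhandled, "stale_by_key": dict(stale_by_key)}


if __name__ == "__main__":
    s = summarize(parse_escan(SAMPLE_ESCAN))
    print("detections:")
    for d in s["detections"]:
        print(f"  {d['name']}  (in {d['where']}, action: {d['action']})")
    print("stale registry references by key:")
    for key, objs in s["stale_by_key"].items():
        print(f"  {key}: {len(objs)} entries")
```

Run against the full log above, the grouping makes the picture clear: two detections (the vvsn folder and WhenU.WeatherCast, both with "No Action Taken", so nothing has been removed yet) and then one ModuleUsage reference, sixteen FileExts entries, twenty-seven ARPCache entries and one HKCR entry that are stale references, not active malware. That separation is what decides what to clean up first and what is merely cosmetic.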
09.12.2005, 00:21 | #5

Sorry, I'll post it under E-scan logs; sorry for having posted it here :-(