Log analysis and evaluation: Need help with virus or Trojan infection | Windows 7

If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here for evaluation by our experts. To be able to remove viruses and Trojans, the infected system must first be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
18.05.2006, 17:33 | #1
Need help with virus or Trojan infection

Hello everyone, first of all: this is my first request in a forum, so if I do not do everything right, please bear with me. It looks as if I have caught something..... According to a scan with the F-Secure program there is no problem. The online scan with the beta version of F-Secure also produced no result. However, I do have a browser hijacker, since links are redirected from time to time to certain hardcore sites and bookmarks have created themselves on their own. Among them bookmarks to spyware scanners. I got the most results with Spy Doctor. This software finds, among other things: Trojan.Downloader.Ruins in multiple instances and Trojan.Qhosts, also in several places. What worries me most is this entry: "HKLM\Software\Microsoft\Windows\CurrentVersion\Run##dmjck.exe Hoch" This "dmjck.exe" has a different name at every system start and also cannot be uploaded for diagnosis to "http://virusscan.jotti.org/". Not even if I deactivate the firewall. Attached is my HijackThis logfile.
Logfile of HijackThis v1.99.1
Scan saved at 17:42:17, on 18.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programme\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Programme\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\PROGRA~1\Firebird\V1_5_1\bin\fbguard.exe
C:\Programme\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Programme\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Programme\F-Secure Internet Security\Common\FSMA32.EXE
C:\Programme\Intel\Intel Application Accelerator\iaantmon.exe
C:\Programme\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programme\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Programme\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Programme\F-Secure Internet Security\FSPC\fspc.exe
C:\Programme\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\PROGRA~1\Firebird\V1_5_1\bin\fbserver.exe
C:\Programme\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
C:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Programme\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Intel\Intel Application Accelerator\iaanotif.exe
C:\Programme\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iRiver\HSeries\iHPDetect.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\F-Secure Internet Security\Common\FSM32.EXE
C:\Programme\F-Secure Internet Security\FSGUI\ispnews.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Programme\Psion\PsiWin\Psconsv.exe
C:\Programme\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\PROGRA~1\Psion\PsiWin\Elogerr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOKUME~1\OLIVER~1\LOKALE~1\Temp\Temporäres Verzeichnis 6 für hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Programme\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iHP-100] C:\Programme\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\F-Secure Internet Security\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [dmnps.exe] C:\WINDOWS\system32\dmnps.exe
O4 - HKLM\..\Run: [dmtgc.exe] C:\WINDOWS\system32\dmtgc.exe
O4 - HKLM\..\Run: [dmhzn.exe] C:\WINDOWS\system32\dmhzn.exe
O4 - HKLM\..\Run: [dmfcm.exe] C:\WINDOWS\system32\dmfcm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: F-Secure 2006.lnk = C:\Programme\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PsiWin 2.3 Verbindungsserver.lnk = C:\Programme\Psion\PsiWin\Psconsv.exe
O4 - Global Startup: Zahlungserinnerung.lnk = C:\PROFI\wzed.exe
O8 - Extra context menu item: Dieses Popup &blockieren - C:\Programme\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: IE-Schutzschild - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-Schutzschild... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O15 - Trusted Zone: *.windowsupdate.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137004066562
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DB3F944-9690-40DC-BBC9-A4F10FD0D4F0}: NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\PROGRA~1\Firebird\V1_5_1\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\PROGRA~1\Firebird\V1_5_1\bin\fbserver.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Programme\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Programme\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe

The F-Secure hotline has not been able to help me so far, so I am hoping for help here. By the way, I am not exactly a PC expert, but maybe you have an idea that I can put into practice. Many thanks in advance, oliver

Last edited by oliver69 (18.05.2006 at 17:55)
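The four HKLM Run entries with five-letter dm*.exe names are the core finding in this log. As an added example (not code from the thread, from HijackThis or from any tool named here), a small Python parser pulls the O4 Run entries out of a HijackThis log and flags names of that shape, plus entries registered under nothing but their own file name from system32. The sample log lines are constructed from this post; the cs/jb prefixes come from the Fixwareout report later in the thread, and the small allowlist of self-named Windows binaries is an assumption.

```python
import re
from typing import NamedTuple

# Constructed sample: O4 lines of the shape seen in the HijackThis log above.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmnps.exe] C:\WINDOWS\system32\dmnps.exe
O4 - HKLM\..\Run: [dmtgc.exe] C:\WINDOWS\system32\dmtgc.exe
O4 - HKLM\..\Run: [dmhzn.exe] C:\WINDOWS\system32\dmhzn.exe
O4 - HKLM\..\Run: [dmfcm.exe] C:\WINDOWS\system32\dmfcm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
"""

# "O4 - HKLM\..\Run: [value name] command"  (Run, RunOnce, RunServices, ...)
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

# Five-letter names with a dm/cs/jb prefix: dm* is what this log shows, cs and jb
# are the other prefixes the Fixwareout report in this thread searches for.
RANDOM_NAME = re.compile(r"^(dm|cs|jb)[a-z]{3}\.exe$", re.IGNORECASE)

# Assumption: Windows binaries that are legitimately registered under their own file name.
KNOWN_SELF_NAMED = {"ctfmon.exe"}


class RunEntry(NamedTuple):
    hive: str
    name: str   # registry value name, e.g. "dmnps.exe"
    exe: str    # executable path with arguments stripped
    cmd: str    # full command as logged


def split_exe(cmd: str) -> str:
    """Return the executable part of a Run command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)  # unquoted path may contain spaces
    return cmd[: m.end()] if m else cmd.split()[0]


def parse_run_entries(log: str) -> list:
    """Extract every registry Run entry (not Global Startup shortcuts) from a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], split_exe(m["cmd"]), m["cmd"]))
    return entries


def suspicious_reasons(entry: RunEntry) -> list:
    """Return the reasons an entry looks like the random-name loader seen in this thread."""
    reasons = []
    fname = entry.exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if RANDOM_NAME.match(fname):
        reasons.append("five-letter random dm/cs/jb name")
    if (entry.name.lower() == fname and fname not in KNOWN_SELF_NAMED
            and "\\system32\\" in entry.exe.lower()):
        reasons.append("value name is just the file name, target in system32")
    return reasons


def triage(log: str) -> dict:
    """Map each flagged Run value name to the reasons it was flagged."""
    result = {}
    for entry in parse_run_entries(log):
        reasons = suspicious_reasons(entry)
        if reasons:
            result[entry.name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_HJT_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A Run value that has been flagged here is a candidate for closer examination (hash lookup, signer check), not proof on its own; the allowlist exists precisely because legitimate entries can match the second rule.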
18.05.2006, 17:50 | #2
/// Helper team

Use the edit function and complete the HJT log. The details of the HJT version and the operating system are part of it too.
18.05.2006, 17:57 | #3
@felix1

OK, done. I hope it is alright now. Thanks for the hint! oliver
18.05.2006, 18:02 | #4
Hello, I am not quite sure whether Blacklight is included in the F-Secure package; if not, get it here and post the log (it is created automatically in the same path, fsbl**.txt). Regards, Wildone
18.05.2006, 18:10 | #5
Hello Wildone, Blacklight is included with F-Secure and was also run in the beta version of the online scan. Regards, oliver
18.05.2006, 18:28 | #6
Hello, can you create a log with Blacklight and post it? Or, if that does not work because it is the bundled version, post a log from Silent Runners. Regards, Wildone
18.05.2006, 18:40 | #7
Hello Wildone, attached is the Silent Runners report:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"IAAnotif" = "C:\Programme\Intel\Intel Application Accelerator\iaanotif.exe" ["Intel Corporation"]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"CTSysVol" = "C:\Programme\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r" ["Creative Technology Ltd"]
"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"DVDLauncher" = ""C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"iHP-100" = "C:\Programme\iRiver\HSeries\iHPDetect.exe" ["Reigncom, Jonadan Jeon"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Programme\Ahead\InCD\InCD.exe" ["Nero AG"]
"F-Secure Manager" = ""C:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]
"F-Secure TNB" = ""C:\Programme\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]
"F-Secure Startup Wizard" = ""C:\Programme\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"]
"News Service" = ""C:\Programme\F-Secure Internet Security\FSGUI\ispnews.exe"" ["F-Secure Corporation"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"dmnps.exe" = "C:\WINDOWS\system32\dmnps.exe" [file not found]
"dmtgc.exe" = "C:\WINDOWS\system32\dmtgc.exe" [file not found]
"dmhzn.exe" = "C:\WINDOWS\system32\dmhzn.exe" [file not found]
"dmfcm.exe" = "C:\WINDOWS\system32\dmfcm.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{3a9ae750-cf44-11cf-8835-0020afc04e78}" = "Psion-Arbeitsplatz"
  -> {HKLM...CLSID} = "Psion-Arbeitsplatz"
     \InProcServer32\(Default) = "C:\PROGRA~1\Psion\PsiWin\pw32expl.dll" ["Symbian Ltd."]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Eigene Telefone"
  -> {HKLM...CLSID} = "Eigene Telefone"
     \InProcServer32\(Default) = "C:\Programme\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Teleca Software Solutions AB"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
  -> {HKLM...CLSID} = "Universelle Plug & Play-Geräte"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
  -> {HKLM...CLSID} = "Bluetooth-Umgebung"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["WIDCOMM, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{10020E84-840F-474A-9B5C-B043F0EBFC65}" = "iRivEncShlExt extension"
  -> {HKLM...CLSID} = "iRivEncShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\iRiver\HSeries\iRivEncrypt.dll" [empty string]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
  -> {HKLM...CLSID} = "Shell Extension for CDRW"
     \InProcServer32\(Default) = "C:\Programme\Ahead\InCD\incdshx.dll" ["Nero AG"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {HKLM...CLSID} = "Shell Search Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csnlp.exe" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
iRivEncrypt\(Default) = "{10020E84-840F-474A-9B5C-B043F0EBFC65}"
  -> {HKLM...CLSID} = "iRivEncShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\iRiver\HSeries\iRivEncrypt.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
iRivEncrypt\(Default) = "{10020E84-840F-474A-9B5C-B043F0EBFC65}"
  -> {HKLM...CLSID} = "iRivEncShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\iRiver\HSeries\iRivEncrypt.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\***\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\ERAGON~1.SCR" [file not found]


Startup items in "***" & "All Users" startup folders:
-----------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"F-Secure 2006" -> shortcut to: "C:\Programme\F-Secure Internet Security\backweb\4476822\Program\fspex.exe -startup" ["F-Secure Internet Security 2005"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"PsiWin 2.3 Verbindungsserver" -> shortcut to: "C:\Programme\Psion\PsiWin\Psconsv.exe" ["Symbian Ltd."]
"Zahlungserinnerung" -> shortcut to: "C:\PROFI\wzed.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Programme\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" [file not found]
"ISP-Anmeldungserinnerung 1" -> launches: "C:\WINDOWS\system32\OOBE\OOBEBALN.EXE /sys /i /n:1" [MS]
"Scheduled scanning task" -> launches: "C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt " ["F-Secure Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{200DB664-75B5-47C0-8B45-A44ACCF73C00}\
"ButtonText" = "Webfilter"
"CLSIDExtension" = "{D68926FD-18FD-4B0E-A1C7-917D13FAB760}"
  -> {HKLM...CLSID} = "F-Secure Parental Control COM button"
     \InProcServer32\(Default) = "C:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{200DB664-75B5-47C0-8B45-A44ACCF73F01}\
"MenuText" = "Webfilter"
"CLSIDExtension" = "{D68926FD-18FD-4B0E-A1C7-917D13FAB760}"
  -> {HKLM...CLSID} = "F-Secure Parental Control COM button"
     \InProcServer32\(Default) = "C:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{300DB664-75B5-47C0-8B45-A44ACCF73C00}\
"ButtonText" = "IE-Schutzschild"
"MenuText" = "IE-Schutzschild..."
"CLSIDExtension" = "{0928F506-07E8-470c-979D-147C296D4879}"
  -> {HKLM...CLSID} = "F-Secure IE Shield COM button"
     \InProcServer32\(Default) = "C:\Programme\F-Secure Internet Security\Anti-Spyware\ieshield.dll" ["F-Secure Corporation"]

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Programme\Belkin\Bluetooth Software\btsendto_ie.htm" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
      1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Service, btwdins, "C:\Programme\Belkin\Bluetooth Software\bin\btwdins.exe" ["WIDCOMM, Inc."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
F-Secure 2006, BackWeb Plug-in - 4476822, "C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE" ["F-Secure Internet Security 2005"]
F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"]
F-Secure HTTP Server, fshttps, ""C:\Programme\F-Secure Internet Security\FSPC\fshttps\fshttps.exe"" ["F-Secure Corporation"]
F-Secure Management Agent, FSMA, ""C:\Programme\F-Secure Internet Security\Common\FSMA32.EXE"" ["F-Secure Corporation"]
Firebird Guardian - DefaultInstance, FirebirdGuardianDefaultInstance, "C:\PROGRA~1\Firebird\V1_5_1\bin\fbguard.exe -s" ["The Firebird Project"]
Firebird Server - DefaultInstance, FirebirdServerDefaultInstance, "C:\PROGRA~1\Firebird\V1_5_1\bin\fbserver.exe -s" ["The Firebird Project"]
fsbwsys, fsbwsys, ""C:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe"" ["F-Secure Corp."]
FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"]
IAA Event Monitor, IAANTMon, "C:\Programme\Intel\Intel Application Accelerator\iaantmon.exe" ["Intel Corporation"]
InCD Helper, InCDsrv, "C:\Programme\Ahead\InCD\InCDsrv.exe" ["Nero AG"]
Symantec Core LC, Symantec Core LC, "C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth-Druckeranschluss\Driver = "bthcrp.dll" ["WIDCOMM, Inc."]
DataTech Fax Port\Driver = "dtmon.dll" [null data]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
PDF995 Monitor\Driver = "pdfmon.dll" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 37 seconds, including 18 seconds for message boxes)

Regards, oliver
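The HOSTS warning in this Silent Runners report ("1 of the IP addresses is *not* localhost") and the "O1 - Hosts: localhost 127.0.0.1" line in the HijackThis log earlier in the thread point at the same thing: a hosts line with its two fields swapped, which fits the Trojan.Qhosts detection from the first post. As an added example (not part of the thread, of Silent Runners or of HijackThis), a Python checker reads a hosts file the way the resolver does and reports lines that are malformed, that map localhost away from loopback, or that override name resolution for any other name; the sample hosts content is constructed, using the reversed line from the log plus a documentation-range redirect.

```python
import ipaddress

# Constructed sample hosts file: the default loopback line, the reversed line
# seen in the HijackThis O1 entry, and a constructed redirect of an update-server
# style name to a documentation-range address (RFC 5737).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
localhost 127.0.0.1
192.0.2.10      updates.example.com   # constructed example entry
"""

# Names that must only ever resolve to a loopback address.
LOOPBACK_ONLY = ("localhost",)


def parse_hosts(text):
    """Yield (lineno, address_field, [names]) for every non-comment line, as the resolver sees it."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        yield lineno, fields[0], fields[1:]


def check_hosts(text):
    """Return a list of (lineno, severity, message) findings for a hosts file."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # First field is not an address at all: fields swapped or garbage written by a tool.
            findings.append((lineno, "malformed",
                             f"first field {addr!r} is not an IP address (fields swapped?)"))
            continue
        if not names:
            findings.append((lineno, "malformed", "address without a host name"))
            continue
        for name in names:
            if name.lower() in LOOPBACK_ONLY and not ip.is_loopback:
                findings.append((lineno, "hijack", f"{name} mapped to {ip}, not loopback"))
            elif not ip.is_loopback and not ip.is_unspecified:
                # Any other non-loopback mapping overrides DNS for that name. Legitimate LAN
                # entries show up here too, so this is a review list, not a verdict.
                findings.append((lineno, "redirect",
                                 f"{name} -> {ip} (name resolution overridden)"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in check_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: [{severity}] {message}")
```

On a live system, point check_hosts at the contents of %SystemRoot%\System32\drivers\etc\hosts; a clean default file yields no findings at all.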
18.05.2006, 18:47 | #8
Hello, do the following: download this program. The rest is in English, but it should still be understandable.

* Save it to your desktop and run it.
* Click Next, then Install, make sure "Run fixit" is checked and click Finish.
* The fix will begin; follow the prompts.
* You will be asked to reboot your computer; please do so.
* Your system may take longer than usual to load; this is normal.
* Once the desktop loads please post the text that will open (report.txt) and a new silent runners log and new HijackThis log.

Regards, Wildone
18.05.2006, 19:02 | #9
Hello Wildone, here are the logs:

Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mcfmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Random Runs removed from HKLM
"dmnps.exe"=-
"dmtgc.exe"=-
"dmhzn.exe"=-
"dmfcm.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMFCM.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»» Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMFCM.EXE 44.106 2004-08-04


Logfile of HijackThis v1.99.1
Scan saved at 19:57:03, on 18.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Programme\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\PROGRA~1\Firebird\V1_5_1\bin\fbguard.exe
C:\Programme\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Programme\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\Programme\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\Programme\F-Secure Internet Security\Common\FSMA32.EXE
C:\Programme\Intel\Intel Application Accelerator\iaantmon.exe
C:\Programme\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programme\F-Secure Internet Security\Common\FCH32.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Programme\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Programme\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Programme\F-Secure Internet Security\FSPC\fspc.exe
C:\PROGRA~1\Firebird\V1_5_1\bin\fbserver.exe
C:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Programme\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Intel\Intel Application Accelerator\iaanotif.exe
C:\Programme\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\iRiver\HSeries\iHPDetect.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\F-Secure Internet Security\Common\FSM32.EXE
C:\Programme\F-Secure Internet Security\FSGUI\FSSW.EXE
C:\Programme\F-Secure Internet Security\FSGUI\ispnews.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Psion\PsiWin\Psconsv.exe
C:\Programme\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\PROGRA~1\Psion\PsiWin\Elogerr.exe
C:\Dokumente und Einstellungen\Oliver Maassen\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Programme\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programme\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iHP-100] C:\Programme\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programme\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Programme\F-Secure Internet Security\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: F-Secure 2006.lnk = C:\Programme\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PsiWin 2.3 Verbindungsserver.lnk = C:\Programme\Psion\PsiWin\Psconsv.exe
O4 - Global Startup: Zahlungserinnerung.lnk = C:\PROFI\wzed.exe
O8 - Extra context menu item: Dieses Popup &blockieren - C:\Programme\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools'
menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll O9 - Extra 'Tools' menuitem: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll O9 - Extra button: IE-Schutzschild - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\F-Secure Internet Security\Anti-Spyware\ieshield.dll O9 - Extra 'Tools' menuitem: IE-Schutzschild... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programme\F-Secure Internet Security\Anti-Spyware\ieshield.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\Belkin\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\Belkin\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O15 - Trusted Zone: *.windowsupdate.com O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137004066562 O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5DB3F944-9690-40DC-BBC9-A4F10FD0D4F0}: NameServer = 192.168.0.1 O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: 
F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\Belkin\Bluetooth Software\bin\btwdins.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\PROGRA~1\Firebird\V1_5_1\bin\fbguard.exe O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\PROGRA~1\Firebird\V1_5_1\bin\fbserver.exe O23 - Service: fsbwsys - F-Secure Corp. - C:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Programme\F-Secure Internet Security\FSPC\fshttps\fshttps.exe O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\F-Secure Internet Security\Common\FSMA32.EXE O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Programme\Intel\Intel Application Accelerator\iaantmon.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe "Silent Runners.vbs", revision 45, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = 
"C:\WINDOWS\system32\ctfmon.exe" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "SunJavaUpdateSched" = "C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe" [null data] "IAAnotif" = "C:\Programme\Intel\Intel Application Accelerator\iaanotif.exe" ["Intel Corporation"] "ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "CTSysVol" = "C:\Programme\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r" ["Creative Technology Ltd"] "P17Helper" = "Rundll32 P17.dll,P17Helper" [MS] "UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."] "DVDLauncher" = ""C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."] "BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "iHP-100" = "C:\Programme\iRiver\HSeries\iHPDetect.exe" ["Reigncom, Jonadan Jeon"] "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "InCD" = "C:\Programme\Ahead\InCD\InCD.exe" ["Nero AG"] "F-Secure Manager" = ""C:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash" ["F-Secure Corporation"] "F-Secure TNB" = ""C:\Programme\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"] "F-Secure Startup Wizard" = ""C:\Programme\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"] "News Service" = ""C:\Programme\F-Secure Internet Security\FSGUI\ispnews.exe"" ["F-Secure Corporation"] "TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 
6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] "{3a9ae750-cf44-11cf-8835-0020afc04e78}" = "Psion-Arbeitsplatz" -> {HKLM...CLSID} = "Psion-Arbeitsplatz" \InProcServer32\(Default) = "C:\PROGRA~1\Psion\PsiWin\pw32expl.dll" ["Symbian Ltd."] "{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Eigene Telefone" -> {HKLM...CLSID} = "Eigene Telefone" \InProcServer32\(Default) = "C:\Programme\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Teleca Software Solutions AB"] "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte" -> {HKLM...CLSID} = "Universelle Plug & Play-Geräte" \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS] "{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places" -> {HKLM...CLSID} = "Bluetooth-Umgebung" \InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["WIDCOMM, Inc."] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] 
"{10020E84-840F-474A-9B5C-B043F0EBFC65}" = "iRivEncShlExt extension" -> {HKLM...CLSID} = "iRivEncShlExt Class" \InProcServer32\(Default) = "C:\Programme\iRiver\HSeries\iRivEncrypt.dll" [empty string] "{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW" -> {HKLM...CLSID} = "Shell Extension for CDRW" \InProcServer32\(Default) = "C:\Programme\Ahead\InCD\incdshx.dll" ["Nero AG"] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {HKLM...CLSID} = "Portable Media Devices" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ "System" = (value not set) HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ iRivEncrypt\(Default) = "{10020E84-840F-474A-9B5C-B043F0EBFC65}" -> {HKLM...CLSID} = "iRivEncShlExt Class" \InProcServer32\(Default) = "C:\Programme\iRiver\HSeries\iRivEncrypt.dll" [empty string] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ iRivEncrypt\(Default) = "{10020E84-840F-474A-9B5C-B043F0EBFC65}" -> {HKLM...CLSID} = "iRivEncShlExt Class" \InProcServer32\(Default) = "C:\Programme\iRiver\HSeries\iRivEncrypt.dll" [empty string] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = 
"WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Dokumente und Einstellungen\Oliver Maassen\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\ERAGON~1.SCR" [file not found] Startup items in "Oliver Maassen" & "All Users" startup folders: ----------------------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart "F-Secure 2006" -> shortcut to: "C:\Programme\F-Secure Internet Security\backweb\4476822\Program\fspex.exe -startup" ["F-Secure Internet Security 2005"] "Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS] "PsiWin 2.3 Verbindungsserver" -> shortcut to: "C:\Programme\Psion\PsiWin\Psconsv.exe" ["Symbian Ltd."] "Zahlungserinnerung" -> shortcut to: "C:\PROFI\wzed.exe" [null data] Enabled Scheduled Tasks: ------------------------ "1-Click Maintenance" -> launches: "C:\Programme\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" [file not found] "ISP-Anmeldungserinnerung 1" -> launches: "C:\WINDOWS\system32\OOBE\OOBEBALN.EXE /sys /i /n:1" [MS] "Scheduled scanning task" -> launches: "C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt " ["F-Secure Corporation"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = 
"%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 22 %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" {200DB664-75B5-47C0-8B45-A44ACCF73C00}\ "ButtonText" = "Webfilter" "CLSIDExtension" = "{D68926FD-18FD-4B0E-A1C7-917D13FAB760}" -> {HKLM...CLSID} = "F-Secure Parental Control COM button" \InProcServer32\(Default) = "C:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"] {200DB664-75B5-47C0-8B45-A44ACCF73F01}\ "MenuText" = "Webfilter" "CLSIDExtension" = "{D68926FD-18FD-4B0E-A1C7-917D13FAB760}" -> {HKLM...CLSID} = "F-Secure Parental Control COM button" \InProcServer32\(Default) = "C:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"] {300DB664-75B5-47C0-8B45-A44ACCF73C00}\ "ButtonText" = "IE-Schutzschild" "MenuText" = "IE-Schutzschild..." 
"CLSIDExtension" = "{0928F506-07E8-470c-979D-147C296D4879}" -> {HKLM...CLSID} = "F-Secure IE Shield COM button" \InProcServer32\(Default) = "C:\Programme\F-Secure Internet Security\Anti-Spyware\ieshield.dll" ["F-Secure Corporation"] {CCA281CA-C863-46EF-9331-5C8D4460577F}\ "ButtonText" = "@btrez.dll,-4015" "MenuText" = "@btrez.dll,-4017" "Script" = "C:\Programme\Belkin\Bluetooth Software\btsendto_ie.htm" [null data] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] Bluetooth Service, btwdins, "C:\Programme\Belkin\Bluetooth Software\bin\btwdins.exe" ["WIDCOMM, Inc."] Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]} Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"] F-Secure 2006, BackWeb Plug-in - 4476822, "C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE" ["F-Secure Internet Security 2005"] F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"] F-Secure HTTP Server, fshttps, ""C:\Programme\F-Secure Internet Security\FSPC\fshttps\fshttps.exe"" ["F-Secure Corporation"] F-Secure Management Agent, FSMA, ""C:\Programme\F-Secure Internet Security\Common\FSMA32.EXE"" ["F-Secure Corporation"] Firebird Guardian - DefaultInstance, FirebirdGuardianDefaultInstance, "C:\PROGRA~1\Firebird\V1_5_1\bin\fbguard.exe -s" ["The Firebird Project"] Firebird Server - DefaultInstance, FirebirdServerDefaultInstance, "C:\PROGRA~1\Firebird\V1_5_1\bin\fbserver.exe -s" ["The Firebird Project"] fsbwsys, fsbwsys, 
""C:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe"" ["F-Secure Corp."] FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"] IAA Event Monitor, IAANTMon, "C:\Programme\Intel\Intel Application Accelerator\iaantmon.exe" ["Intel Corporation"] InCD Helper, InCDsrv, "C:\Programme\Ahead\InCD\InCDsrv.exe" ["Nero AG"] Symantec Core LC, Symantec Core LC, "C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Bluetooth-Druckeranschluss\Driver = "bthcrp.dll" ["WIDCOMM, Inc."] DataTech Fax Port\Driver = "dtmon.dll" [null data] Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS] PDF995 Monitor\Driver = "pdfmon.dll" [null data] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 21 seconds, including 5 seconds for message boxes)
Any idea yet what is going on with my machine?! Regards oliver |
18.05.2006, 19:13 | #10 |
| Need help with virus or trojan infection Hello, yes, I already have an idea. Actually the problem should be solved by now, or are there still symptoms (redirects etc.)? Check the following file here and post the result. C:\WINDOWS\SYSTEM32\DMFCM.EXE Also post the contents of the file C:\WINDOWS\system32\drivers\etc\hosts (open it with the text editor). Regards Wildone |
18.05.2006, 19:23 | #11 |
| Need help with virus or trojan infection Hello Wildone, here is the result (the time is counting down): Your file "DMFCM.EXE" is queued in position: 11. Estimated start time is between 14 and 64 seconds. ...and here is the other one: 127.0.0.1 localhost Can you also tell me what is going on, or was going on?! I haven't done any tests with the browser yet for fear I could infect myself even more. Saluti oliver |
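The hosts-file check Wildone asks for above can be automated: a clean Windows XP hosts file holds only the localhost line oliver posted, so anything else is worth a look. This is an added example, not code from the thread; the sample hosts text is constructed and uses documentation addresses.

```python
"""Audit a Windows hosts file the way the manual check in this thread does:
every mapping beyond the default localhost line is reported with a verdict.
Added example, not from the original thread."""
import ipaddress

# A clean Windows XP hosts file needs only the first mapping (the line oliver
# posted); newer Windows versions also ship the IPv6 form, so both are default.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> list:
    """Return (address, hostname) pairs from hosts-file text.

    Comments (# ...) and blank lines are ignored; a line that maps one address
    to several names yields one pair per name, which is how the resolver reads it.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # no hostname on the line, the resolver ignores it as well
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def suspicious_entries(text: str) -> list:
    """Return (address, hostname, verdict) for every non-default mapping.

    A hosts-file hijacker (Trojan.Qhosts style) typically either sinkholes
    security-vendor or update hosts to loopback so they can no longer be reached,
    or redirects legitimate names to an address of its choosing; both are flagged.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if (addr, name) in DEFAULT_ENTRIES:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, name, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((addr, name, "sinkholed: name points to loopback, host unreachable"))
        else:
            findings.append((addr, name, "redirected to " + addr))
    return findings


# Constructed sample hosts file (not the poster's, which held only the localhost line).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
127.0.0.1       update.example.com    # update site sinkholed
192.0.2.10      www.example.net       # legitimate name sent to a TEST-NET address
"""

if __name__ == "__main__":
    for addr, name, verdict in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:<22} -> {addr:<12} {verdict}")
```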
18.05.2006, 19:32 | #12 |
| Need help with virus or trojan infection Hello, hard to explain: you have a hijacker that uses rootkit technology to make itself invisible to normal Windows applications.
Regards Wildone |
18.05.2006, 19:33 | #13 |
| Need help with virus or trojan infection Hello Wildone, oops, that was a bit too quick. The result naturally looks different.... I didn't realize that the program still needed a little time to be analyzed. This is what it looks like:
Complete scanning result of "DMFCM.EXE", received in VirusTotal at 05.18.2006, 20:17:08 (CET).
Antivirus Version Update Result
AntiVir 6.34.1.27 05.18.2006 Heuristic/Trojan.Downloader
Avast 4.6.695.0 05.18.2006 Win32:Small-EK
AVG 386 05.18.2006 no virus found
BitDefender 7.2 05.18.2006 no virus found
CAT-QuickHeal 8.00 05.17.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 05.18.2006 no virus found
DrWeb 4.33 05.18.2006 no virus found
eTrust-InoculateIT 23.72.11 05.18.2006 no virus found
eTrust-Vet 12.4.2215 05.18.2006 no virus found
Ewido 3.5 05.18.2006 Trojan.Pakes
Fortinet 2.77.0.0 05.17.2006 suspicious
F-Prot 3.16c 05.18.2006 no virus found
Ikarus 0.2.65.0 05.18.2006 no virus found
Kaspersky 4.0.2.24 05.18.2006 no virus found
McAfee 4765 05.18.2006 no virus found
Microsoft 1.1440 05.18.2006 no virus found
NOD32v2 1.1546 05.18.2006 a variant of Win32/Small.FB
Norman 5.90.17 05.18.2006 no virus found
Panda 9.0.0.4 05.18.2006 Trj/Ruins.L
Sophos 4.05.0 05.18.2006 no virus found
Symantec 8.0 05.18.2006 no virus found
TheHacker 5.9.7.144 05.16.2006 no virus found
UNA 1.83 05.18.2006 no virus found
VBA32 3.11.0 05.18.2006 Trojan.Win32.Pakes
Saluti oliver |
18.05.2006, 19:36 | #14 |
| Need help with virus or trojan infection Hello Wildone, I really did think the program was just waiting to attack again... I'll run a few tests now and then get back to you. Saluti oliver |