Hallo an alle!

Ich habe mal eine Frage an euch. Ich habe heute einen Logfile gemacht und soweit ist alles in Ordnung. Der einzigste Eintrag wo ein Problem aufgetaucht ist ist dieser:

O2 - BHO: (no name) - {B66A2D33-3722-47F2-A56E-4D6448D7F10D} - C:\WINDOWS\system32\mqg4dmod.dll
Unbekannt
Einige Programme sind hier schlecht. Das eingegebene Programm ([B66A2D33-3722-47F2-A56E-4D6448D7F10D] - Treffer: ) wurde überprüft. Trefferquote: 0,00%
Es liegt noch keine Besucherbewertung vor!
Nicht bekanntes Programm.

Kann mir vielleicht einer sagen was das sein könnte? Ich hoffe nichts böses

Danke und Liebe Grüße

xela

Hallo,
sieht bösartig aus, überprüfe mal die Datei C:\WINDOWS\system32\mqg4dmod.dll hier und poste das Ergebnis.
Poste außerdem das komplette HijackThis Log.


Grüße wildone

Danke für den Tip, jetzt kommt aber schon das nächste Problem. Ich bin der Englischen Sprache nicht wirklich mächtig. Zumindest nicht so auf Computer etc. bezogen. Bitte nicht auslachen, aber es wäre nett wenn du mir sagen könntest, wo genau ich was machen muss.

Danke und sorry.

Hier ein Logfile von heute:

Logfile of HijackThis v1.99.1
Scan saved at 18:11:59, on 10.06.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\avmwlanstick\WlanNetService.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\Programme\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\avmwlanstick\wlangui.exe
C:\WINDOWS\system32\pctspk.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Dokumente und Einstellungen\Ich\Eigene Dateien\Unzipped\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.iphpbb.com/board/fs-81104762nx18147.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=:
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: (no name) - {B66A2D33-3722-47F2-A56E-4D6448D7F10D} - C:\WINDOWS\system32\mqg4dmod.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVMWlanClient] C:\Programme\avmwlanstick\wlangui.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM WLAN Connection Service - AVM Berlin - C:\Programme\avmwlanstick\WlanNetService.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Programme\Kerio\Personal Firewall\persfw.exe

Zitat:

Ich bin der Englischen Sprache nicht wirklich mächtig. Zumindest nicht so auf Computer etc. bezogen. Bitte nicht auslachen, aber es wäre nett wenn du mir sagen könntest, wo genau ich was machen muss.

Hallo,

auf den Link von Wildone klicken, im neuen Fenster den Button "Durchsuchen" klicken.
Diese Datei suchen: -->C:\WINDOWS\system32\mqg4dmod.dll
dann den Button "Öffnen" (das Fenster schliesst sich!), dann den Button "SEND", und abwarten bis die Auswertung der Datei fertig ist! (das Fenster geöffnet lassen!)
Dann folgende Tastenkombinationen nacheinander ausführen:
Strg+A (Bildschirm wird blau!)
Strg+C (jetzt hat er alles kopiert!)

und jetzt die Seite vom "Trojaner-Board" öffnen, bzw. einen Beitrag hier schreiben und die Tastenkombination "Strg+V" benutzen! Dann sollte der gesamte Inhalt erscheinen!

Gruß
Daniel

Danke Sunny für die wirklich idiotensichere Beschreibung. So hab ich es auch verstanden.

Hier die Auswertung und ich glaube das sieht gar nicht gut aus


VirusTotal
VirusTotal is a free file analisys service that works using several antivirus engines.


Select file :

Distribute
SSL


Enter your email, choose the file to be scanned with multiple antivirus engines and click Send.
Menu:

* News Hot news in the virus/antivirus sector.
* Estadisticas Statistics of VirusTotal procesing.
* Virustotal More info about Virustotal.

STATUS: FINISHED
Complete scanning result of "mqg4dmod.dll", received in VirusTotal at 06.11.2006, 12:08:20 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.10 06.10.2006 ADSPY/Stud.A.1
Authentium 4.93.8 06.09.2006 no virus found
Avast 4.7.844.0 06.09.2006 Win32:Trojano-3384
AVG 386 06.09.2006 Adware Generic.LRH
BitDefender 7.2 06.11.2006 Trojan.Downloader.Agent.RG
CAT-QuickHeal 8.00 06.10.2006 no virus found
ClamAV devel-20060426 06.09.2006 no virus found
DrWeb 4.33 06.10.2006 Trojan.DownLoader.6588
eTrust-InoculateIT 23.72.33 06.10.2006 no virus found
eTrust-Vet 12.6.2250 06.09.2006 no virus found
Ewido 3.5 06.10.2006 Downloader.Small.cgu
Fortinet 2.77.0.0 06.11.2006 W32/Small.CGU!tr
F-Prot 3.16f 06.09.2006 no virus found
Ikarus 0.2.65.0 06.09.2006 AdWare.Stud.A
Kaspersky 4.0.2.24 06.11.2006 not-a-virus:AdWare.Win32.Stud.a
McAfee 4781 06.09.2006 potentially unwanted program Adware-KeenValue
Microsoft 1.1441 06.11.2006 no virus found
NOD32v2 1.1592 06.11.2006 Win32/Adware.BHO.AA
Norman 5.90.21 06.09.2006 W32/Stud.B
Panda 9.0.0.4 06.10.2006 Adware/KeenValue
Sophos 4.06.0 06.10.2006 no virus found
Symantec 8.0 06.11.2006 no virus found
TheHacker 5.9.8.157 06.10.2006 Adware/Stud.a
UNA 1.83 06.09.2006 Adware.Stud
VBA32 3.11.0 06.11.2006 suspected of Trojan-Downloader.Agent.49

Aditional Information
File size: 14241 bytes
MD5: 6fec2900b0bbc00f91763f23ae6a9f06
SHA1: 8265fe011b7dc6f04f46af07e716a2febecc5d13
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
> Go to: Home Contactar En Español
www.virustotal.com :: ©Hispasec Sistemas 2004-06:: e-mail info@virustotal.com


Ich befürchte das Schlimmste

Hallo "xela",

gehe folgende Punkte Schritt für Schritt durch:

1.) Systemwiederherstllung deaktivieren --> so wirds gemacht

2.) Lade die folgende Tools: --> Killbox und Ad-Aware

3.) Benutze die Killbox, lösche damit folgende Datei, sie befindet sich hier: C:\WINDOWS\system32\mqg4dmod.dll (Haken bei "delete on reboot" Datei suchen, löschen, dann wirst du gefragt: Neustart(Restart)? Mit "yes" antworten.

4.) lass dann "Ad-Aware" über dein System laufen, und poste den Inhalt der Report Datei die am Ende des Scans erstellt wird! (genauso wie du es bei der Auswertung mit Virustotal gemacht hast!)

5.) Poste dann nochmal ein aktuelles Hijacklog (Anleitung nochmal in meiner Signatur zum nachlesen!)

Gruß
Daniel

So hier mein File von Ad-Aware Teil 1


Ad-Aware SE Build 1.06r1
Logfile Created on:Montag, 12. Juni 2006 10:08:32
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R111 08.06.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):38 total references
Tracking Cookie(TAC index:3):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


12.06.2006 10:08:32 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Ich\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\ahead\cover designer\recent file list
Description : list of recently used files in ahead cover designer


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\ahead\nero - burning rom\recent file list
Description : list of recently used files in nero burning rom


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\google\navclient\1.1\history
Description : list of recently used search terms in the google toolbar


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\office\9.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-1292428093-789336058-1957994488-1004\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 572
ThreadCreationTime : 12.06.2006 07:39:15
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 624
ThreadCreationTime : 12.06.2006 07:39:17
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 648
ThreadCreationTime : 12.06.2006 07:39:17
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 692
ThreadCreationTime : 12.06.2006 07:39:17
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 704
ThreadCreationTime : 12.06.2006 07:39:17
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 848
ThreadCreationTime : 12.06.2006 07:39:18
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 908
ThreadCreationTime : 12.06.2006 07:39:18
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 948
ThreadCreationTime : 12.06.2006 07:39:18
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 984
ThreadCreationTime : 12.06.2006 07:39:19
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1068
ThreadCreationTime : 12.06.2006 07:39:19
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1188
ThreadCreationTime : 12.06.2006 07:39:20
BasePriority : Normal
FileVersion : 8.16
ProductVersion : 8.16
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1224
ThreadCreationTime : 12.06.2006 07:39:20
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1232
ThreadCreationTime : 12.06.2006 07:39:20
BasePriority : Normal
FileVersion : 8.16
ProductVersion : 8.16
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:14 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1368
ThreadCreationTime : 12.06.2006 07:39:21
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:15 [sched.exe]
FilePath : C:\Programme\AntiVir PersonalEdition Classic\
ProcessID : 1452
ThreadCreationTime : 12.06.2006 07:39:21
BasePriority : Normal


#:16 [avguard.exe]
FilePath : C:\Programme\AntiVir PersonalEdition Classic\
ProcessID : 1464
ThreadCreationTime : 12.06.2006 07:39:21
BasePriority : Normal


#:17 [igdctrl.exe]
FilePath : C:\Programme\FRITZ!DSL\
ProcessID : 1484
ThreadCreationTime : 12.06.2006 07:39:21
BasePriority : Normal
FileVersion : 1.00.01.2004
ProductVersion : 1.00.01.2004
ProductName : AVM IGD Service
CompanyName : AVM Berlin
FileDescription : AVM IGD Service
InternalName : igdctrl
LegalCopyright : © AVM Berlin 2004-2005
OriginalFilename : igdctrl.exe

#:18 [wlannetservice.exe]
FilePath : C:\Programme\avmwlanstick\
ProcessID : 1508
ThreadCreationTime : 12.06.2006 07:39:21
BasePriority : Normal
FileVersion : 1, 0, 17, 0
ProductVersion : 1, 0, 17, 0
ProductName : AVM AVMWlanService
CompanyName : AVM Berlin
InternalName : AVMWlanService
LegalCopyright : Copyright © AVM Berlin 2005
OriginalFilename : AVMWlanService.exe

#:19 [incdsrv.exe]
FilePath : C:\Programme\Ahead\InCD\
ProcessID : 1576
ThreadCreationTime : 12.06.2006 07:39:21
BasePriority : Normal
FileVersion : 4, 0, 1, 24
ProductVersion : 4, 0, 1, 24
ProductName : AHEAD Software incdsrv
CompanyName : AHEAD Software
FileDescription : incdsrv
InternalName : incdsrv
LegalCopyright : Copyright © 2003
OriginalFilename : incdsrv.exe

Teil 2

#:20 [persfw.exe]
FilePath : C:\Programme\Kerio\Personal Firewall\
ProcessID : 1696
ThreadCreationTime : 12.06.2006 07:39:22
BasePriority : Normal
FileVersion : 2, 1, 5, 0
ProductVersion : 2, 1, 5, 0
ProductName : Kerio Personal Firewall
CompanyName : Kerio Technologies
FileDescription : Kerio Personal Firewall Engine
InternalName : PERSFW
LegalCopyright : Copyright © 2002
OriginalFilename : PERSFW.exe

#:21 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1808
ThreadCreationTime : 12.06.2006 07:39:23
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:22 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1868
ThreadCreationTime : 12.06.2006 07:39:23
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:23 [incd.exe]
FilePath : C:\Programme\Ahead\InCD\
ProcessID : 1980
ThreadCreationTime : 12.06.2006 07:39:25
BasePriority : Normal
FileVersion : 4, 0, 1, 24
ProductVersion : 4, 0, 1, 24
ProductName : InCD
CompanyName : Ahead Software AG
FileDescription : InCD
InternalName : InCD
LegalCopyright : Copyright (C) 2003 Ahead Software and its licensors
LegalTrademarks : InCD TM
OriginalFilename : InCD.exe

#:24 [instan~1.exe]
FilePath : C:\PROGRA~1\TEXTBR~1.0\Bin\
ProcessID : 1992
ThreadCreationTime : 12.06.2006 07:39:25
BasePriority : Normal


#:25 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2020
ThreadCreationTime : 12.06.2006 07:39:25
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Eine DLL-Datei als Anwendung ausführen
InternalName : rundll
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : RUNDLL.EXE

#:26 [jusched.exe]
FilePath : C:\Programme\Java\jre1.5.0_06\bin\
ProcessID : 2040
ThreadCreationTime : 12.06.2006 07:39:25
BasePriority : Normal


#:27 [realsched.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Real\Update_OB\
ProcessID : 132
ThreadCreationTime : 12.06.2006 07:39:25
BasePriority : Normal
FileVersion : 0.1.0.3249
ProductVersion : 0.1.0.3249
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:28 [pptd40nt.exe]
FilePath : C:\progra~1\scansoft\paperp~1\
ProcessID : 160
ThreadCreationTime : 12.06.2006 07:39:26
BasePriority : Normal
FileVersion : 6.5
ProductVersion : 6.5
ProductName : PaperPort
CompanyName : Scansoft Inc.
FileDescription : PaperPort Print to Desktop for NT
InternalName : PPTD40NT
LegalCopyright : Copyright © 1993-1999 Scansoft Inc.
OriginalFilename : PPTD40NT.EXE

#:29 [datalayer.exe]
FilePath : C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\
ProcessID : 168
ThreadCreationTime : 12.06.2006 07:39:26
BasePriority : Normal
FileVersion : 6, 60, 109, 3
ProductVersion : 6, 0
ProductName : Nokia PC Suite
CompanyName : Nokia Mobile Phones Ltd.
FileDescription : DataLayer 2.0 Module
InternalName : DataLayer 2.0
LegalCopyright : Copyright (c) 2005. Nokia. All rights reserved.
OriginalFilename : DataLayer.exe

#:30 [wlangui.exe]
FilePath : C:\Programme\avmwlanstick\
ProcessID : 232
ThreadCreationTime : 12.06.2006 07:39:26
BasePriority : Normal
FileVersion : 1, 0, 2, 18
ProductVersion : 1, 0, 0, 53
ProductName : AVM FRITZ!WLAN
CompanyName : AVM GmbH Berlin
FileDescription : FRITZ!WLAN
LegalCopyright : Copyright © 2005
OriginalFilename : WLANGui.exe
Comments : $ProjectRevision: 1.55 $

#:31 [pctspk.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 312
ThreadCreationTime : 12.06.2006 07:39:26
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : pctvoice Application
FileDescription : pctvoice MFC Application
InternalName : pctvoice
LegalCopyright : Copyright (C) 2001
OriginalFilename : pctvoice.EXE

#:32 [em_exec.exe]
FilePath : C:\Programme\Logitech\MouseWare\system\
ProcessID : 404
ThreadCreationTime : 12.06.2006 07:39:28
BasePriority : Normal
FileVersion : 9.79.025
ProductVersion : 9.79.025
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
LegalCopyright : (C) 1987-2003 Logitech. All rights reserved.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : Em_Exec.exe
Comments : Created by the MouseWare team

#:33 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2920
ThreadCreationTime : 12.06.2006 07:39:50
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:34 [servic~1.exe]
FilePath : C:\PROGRA~1\GEMEIN~1\PCSuite\Services\
ProcessID : 2956
ThreadCreationTime : 12.06.2006 07:39:51
BasePriority : Normal
FileVersion : 6, 60, 36, 1
ProductVersion : 6.0
ProductName : Nokia Connectivity Library
CompanyName : Nokia.
FileDescription : ServiceLayer Module
InternalName : ServiceLayer
LegalCopyright : Copyright © 2002-2005 Nokia. All Rights Reserved.
OriginalFilename : ServiceLayer.exe

#:35 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3760
ThreadCreationTime : 12.06.2006 07:40:01
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:36 [spider.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3744
ThreadCreationTime : 12.06.2006 07:53:59
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Spider
InternalName : Spider
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : Spider

#:37 [winword.exe]
FilePath : C:\Programme\Microsoft Office\Office\
ProcessID : 1048
ThreadCreationTime : 12.06.2006 08:04:53
BasePriority : Normal


#:38 [ad-aware.exe]
FilePath : C:\Programme\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2540
ThreadCreationTime : 12.06.2006 08:08:06
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 38


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 38


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 38


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 38



Deep scanning and examining files (C
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : ich@ehg-lexmark.hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\ich@ehg-lexmark.hitbox[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : ich@hitbox[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\WINDOWS\Temp\Cookies\ich@hitbox[1].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 40


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
2 entries scanned.
New critical objects:0
Objects found so far: 40




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 40

10:22:47 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:14:14.689
Objects scanned:140494
Objects identified:2
Objects ignored:0
New critical objects:2

Und mein Hijack

Logfile of HijackThis v1.99.1
Scan saved at 10:46:24, on 12.06.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\avmwlanstick\WlanNetService.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\Programme\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe
C:\Programme\avmwlanstick\wlangui.exe
C:\WINDOWS\system32\pctspk.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spider.exe
C:\Programme\Microsoft Office\Office\WINWORD.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Ich\Eigene Dateien\Unzipped\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.iphpbb.com/board/fs-81104762nx18147.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=:
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: (no name) - {B66A2D33-3722-47F2-A56E-4D6448D7F10D} - C:\WINDOWS\system32\mqg4dmod.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVMWlanClient] C:\Programme\avmwlanstick\wlangui.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM WLAN Connection Service - AVM Berlin - C:\Programme\avmwlanstick\WlanNetService.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Programme\Kerio\Personal Firewall\persfw.exe

Hallo "Xela"

fixe jetzt noch mit HijackThis folgende Zeillen:
(wenn das deine Startseite bleiben soll, NICHT FIXEN!!!)

Zitat:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.iphpbb.com/board/fs-81104762nx18147.html

Ansonsten nur das:

Zitat:

O2 - BHO: (no name) - {B66A2D33-3722-47F2-A56E-4D6448D7F10D} - C:\WINDOWS\system32\mqg4dmod.dll (file missing)

Ansonsten sieht dein Log wieder sauber aus
Um aber auf Nummer sicher zu gehen, lies dir folgende Anleitung gut durch: --> http://www.trojaner-board.de/showthread.php?t=24192
und poste dann anschliessend das ergebnis mit Hilfe der find.bat!

Gruß
Daniel

Hallo Daniel,

den Explorer und damit auch die Startseite benutze ich eh nicht, da ich den Browser Mozialla Firefox benutze, also ist das zumindest egal. Aber die Seite ist schon ok.

Ich habe jetzt den eScan gemacht, hat ganz schön lange gedauert und irgendwas scheint immernoch nicht ganz in Ordnung zu sein. Bitte schau nochmal drüber.

Und ne Frage hab ich auch noch. Was ist denn mit der Systemwiederherstellung? Soll die deaktiviert bleiben? Hab nicht so wirklich nen Plan für was die gut ist und ob ich die brauche

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jun 13 11:46:30 2006 => System found infected with bookmarkexpress Spyware/Adware (bmupdate.ini)! Action taken: No Action Taken.
Tue Jun 13 11:46:33 2006 => System found infected with bookmarkexpress Spyware/Adware (bmupdate.exe)! Action taken: No Action Taken.
Tue Jun 13 11:46:38 2006 => System found infected with bookmarkexpress Spyware/Adware (C:\WINDOWS\system32\bmupdate.exe)! Action taken: No Action Taken.
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
Tue Jun 13 12:12:30 2006 => File C:\Dokumente und Einstellungen\Ich\Lokale Einstellungen\Temporary Internet Files\Content.IE5\TQPVSD79\teen[1].htm infected by "Trojan-Clicker.JS.Linker.h" Virus! Action Taken: No Action Taken.
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
Tue Jun 13 11:46:30 2006 => Offending file found: C:\WINDOWS\bmupdate.ini
Tue Jun 13 11:46:33 2006 => Offending file found: C:\WINDOWS\system32\bmupdate.exe
Tue Jun 13 11:46:38 2006 => Offending file found: C:\WINDOWS\system32\bmupdate.exe
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
Tue Jun 13 11:46:41 2006 => File C:\!KillBox\mqg4dmod.dll tagged as "not-a-virus:AdWare.Win32.Stud.a". Action Taken: No Action Taken.
Tue Jun 13 13:27:23 2006 => File C:\WINDOWS\system32\BMUpdate.exe tagged as "not-a-virus:AdWare.Win32.BMCentral.a". Action Taken: No Action Taken.
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
~~~~~~~~~~~
Registry
~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tue Jun 13 13:34:30 2006 => Total Errors: 6
Tue Jun 13 13:34:30 2006 => Time Elapsed: 01:50:20
Tue Jun 13 13:34:30 2006 => Total Objects Scanned: 70797
Tue Jun 13 11:25:50 2006 => Virus Database Date: 6/12/2006
Tue Jun 13 11:26:41 2006 => Virus Database Date: 6/13/2006
Tue Jun 13 11:42:24 2006 => Virus Database Date: 6/13/2006
Tue Jun 13 13:34:31 2006 => Virus Database Date: 6/13/2006
Tue Jun 13 13:42:59 2006 => Virus Database Date: 6/13/2006
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Und nu?

Schlimm oder halb schlimm?

Trau mich kaum noch was zu machen, besser gesagt meine Passwörter einzugeben.

Hilfe!

Bitte!

Wenn die Systemwiederherstellung deaktiviert ist, gehe ind en Abgesicherten Modus und lösche mittels Killbox noch folgende Dateien (du weißt nun ja wie du mehrere hintereinander löschen kannst).

Zitat:

C:\WINDOWS\bmupdate.ini
C:\WINDOWS\bmupdate.exe

Starte wieder neu im Abgesicherten Modus und lösche manuell den Ordner

Zitat:

C:\!KillBox\

Starte nun im normalen Modus und aktiviere wieder die Systemwiederherstellung.

Nun sollte das Gröbste weg sein.
Poste ein neues HJT-File.

mfg,
Markus

Hallo und Danke Markus!

Hier mein neuster HJT

Logfile of HijackThis v1.99.1
Scan saved at 10:02:53, on 15.06.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\avmwlanstick\WlanNetService.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\Programme\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\avmwlanstick\wlangui.exe
C:\WINDOWS\system32\pctspk.exe
C:\Programme\Winamp\Winampa.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Ich\Eigene Dateien\Unzipped\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.iphpbb.com/board/fs-81104762nx18147.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=:
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVMWlanClient] C:\Programme\avmwlanstick\wlangui.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [routcnf] C:\Programme\Telekom\Eumex 504PC USB\routcnf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [DataLayer] C:\Programme\Gemeinsame Dateien\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programme\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O10 - Unknown file in Winsock LSP: c:\programme\fritz!dsl\sarah.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM WLAN Connection Service - AVM Berlin - C:\Programme\avmwlanstick\WlanNetService.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Programme\Kerio\Personal Firewall\persfw.exe


Was das ist O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present weiß ich auch nicht?

Hallo xela,
dein O6-Eintrag stammt vermutlich daher :C:\Programme\avmwlanstick\WlanNetService.exe
Wenn du dich in ein Drahtlos-Netzwerk einwählst,ist das ok.
Irrlicht