Pests of all kinds and their removal: strange pages keep popping up
11.08.2006, 12:40 | #1 |
Hello dear community, I'm brand new to the forum and particularly unhappy about these damned pages that keep popping up on my machine, e.g. prompts in English to download anti-spyware programs. Can someone please tell me how I can eliminate these strange pages? Here is my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 13:31:00, on 11.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\zHotkey.exe
C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\Eset\nod32kui.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\1&1\1&1 EasyLogin\EasyLogin.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Hardcopy\hardcopy.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\smartdrv.exe
C:\WINDOWS\system32\officescan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32fab.exe
C:\Dokumente und Einstellungen\Klaus\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.de/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] "C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programme\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPpromo psc 2400 series] "C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 2400 series" -r
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [1&1 EasyLogin] "C:\Programme\1&1\1&1 EasyLogin\EasyLogin.exe" HIDE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Hardcopy.LNK = C:\Programme\Hardcopy\hardcopy.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .MPG: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.de/
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094397783342
O17 - HKLM\System\CCS\Services\Tcpip\..\{E967E449-0E28-4558-A0F0-594AD3A0A298}: NameServer = 192.168.178.1,195.20.224.234
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programme\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
11.08.2006, 13:00 | #2 |
Hello,
one question up front: do you have a reasonably recent image in True Image at hand? Otherwise, post a log from Silent Runners.
Regards, Wildone
11.08.2006, 13:37 | #3 |
Hello, here is my log from Silent Runners. An Acronis image is available.
Regards, klamaeu

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"1&1 EasyLogin" = ""C:\Programme\1&1\1&1 EasyLogin\EasyLogin.exe" HIDE" ["1&1 Internet AG"]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"Verknüpfung mit der High Definition Audio-Eigenschaftenseite" = "HDAudPropShortcut.exe" ["Windows (R) Server 2003 DDK provider"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"RemoteControl" = "C:\Programme\CyberLink\PowerDVD\PDVDServ.exe" ["Cyberlink Corp."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"Dit" = "Dit.exe" ["ICSI Technology Ltd."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"CHotkey" = "zHotkey.exe" [empty string]
"DXDllRegExe" = "dxdllreg.exe" [file not found]
"Acronis*True*Image Monitor" = ""C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe"" ["Acronis"]
"Acronis Scheduler2 Service" = ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]
"nod32kui" = ""C:\Programme\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"HP Software Update" = "C:\Programme\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"HP Component Manager" = ""C:\Programme\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"HPpromo psc 2400 series" = ""C:\Programme\HP\Digital Imaging\Promotions\HPpromo.exe" /N "psc 2400 series" -r" ["hp"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Companion BHO"
                   \InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {HKLM...CLSID} = "Portable Media Devices"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
  -> {HKLM...CLSID} = "InoShell"
                   \InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" [file not found]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]
"{B089FE88-FB52-11d3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Eset\nodshex.dll" ["Eset "]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {HKLM...CLSID} = "Shell Search Band"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
  -> {HKLM...CLSID} = "Universelle Plug & Play-Geräte"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
  -> {HKLM...CLSID} = "InoShell"
                   \InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" [file not found]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Eset\nodshex.dll" ["Eset "]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
  -> {HKLM...CLSID} = "InoShell"
                   \InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" [file not found]
QuickFinderMenu\(Default) = "{C0E10002-0028-0005-C0E1-C0E1C0E1C0E1}"
  -> {HKLM...CLSID} = "QuickFinder Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\WordPerfect Office 12\Programs\PFSE120.DLL" ["Corel Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Eset\nodshex.dll" ["Eset "]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Klaus\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\AquaReal.scr" [null data]


Startup items in "Klaus" & "All Users" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\Klaus\Startmenü\Programme\Autostart
"Hardcopy" -> shortcut to: "C:\Programme\Hardcopy\hardcopy.exe" ["sw4you, Siegfried Weckmann"]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"HP Digital Imaging Monitor" -> shortcut to: "C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"WinZip Quick Pick" -> shortcut to: "C:\Programme\WinZip\WZQKPICK.EXE" ["WinZip Computing LP"]


Enabled Scheduled Tasks:
------------------------

"{45E69EE5-15F0-40B5-9C19-EF3F69A12543}_MICROSTARPC_Klaus" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{45E69EE5-15F0-40B5-9C19-EF3F69A12543}_MICROSTARPC_Klaus"" [MS]
"{A5F8E3B9-E507-4CF1-9657-EB2E854C973C}_MICROSTARPC_Klaus" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{A5F8E3B9-E507-4CF1-9657-EB2E854C973C}_MICROSTARPC_Klaus"" [MS]
"{C046C64A-0382-44E1-A752-8CD6596AD713}_MICROSTARPC_Klaus" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{C046C64A-0382-44E1-A752-8CD6596AD713}_MICROSTARPC_Klaus"" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
imon.dll ["Eset "], 01 - 03, 21
%SystemRoot%\system32\mswsock.dll [MS], 04 - 20


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\programme\google\googletoolbar2.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Companion"
                   \InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Mobilen Favoriten erstellen"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {HKLM...CLSID} = "Create Mobile Favorite"
                   \InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {HKLM...CLSID} = "Create Mobile Favorite"
                   \InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.de/

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\system32\drivers\CDAC11BA.EXE" ["Macrovision"]
Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"]
HTTP-SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center-Planerdienst, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
NOD32 Kernel Service, NOD32krn, "C:\Programme\Eset\nod32krn.exe" ["Eset "]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 23 seconds, including 4 seconds for message boxes)
11.08.2006, 13:44 | #4 |
Addendum: yesterday I restored the Acronis image, and at first no spyware was visible; I already thought I was over it, but this morning the whole thing came back.
Regards, klamaeu
11.08.2006, 14:01 | #5 |
Hello,
hmm, interesting case, I have no idea how these critters get started. But terminate the following processes in Task Manager, check the associated files here, and post the respective result:

C:\WINDOWS\system32\smartdrv.exe
C:\WINDOWS\system32\officescan.exe
C:\WINDOWS\system32fab.exe
C:\WINDOWS\AquaReal.scr

Also do the following (I just hope your English is good enough) and attach the file runkeys.txt to your post (via Manage Attachments).
Regards, Wildone
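The check the helper did by hand above, running processes against the launch points the log knows about, can be automated. The script below is an added example, not HijackThis's or the forum's own code: it parses a HijackThis-style log, collects the executables started by O4 Run keys, startup folders and O23 services, and lists the running processes none of them accounts for. `SAMPLE_LOG` is a constructed excerpt modelled on the log in post #1, and `BASELINE` is an assumed list of core Windows processes; the output is a candidate list for manual review, not a verdict on any file.

```python
"""Cross-check a HijackThis-style log for running processes that no
autostart entry explains. Added example, not HijackThis's or the forum's
own code; the result is a candidate list for manual review, not a verdict."""
import re
from typing import Dict, List, Set, Tuple

# Assumed baseline: processes Windows itself starts, plus the scanner that
# produced the log. Extend it for the environment you are reviewing.
BASELINE: Set[str] = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "dllhost.exe", "hijackthis.exe",
}

# Drive-letter path ending in an executable extension; non-greedy so that
# trailing arguments such as "-atboottime" are not swallowed.
_PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|scr|com)\b", re.IGNORECASE)

# Constructed excerpt modelled on the log in post #1 (not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programme\Eset\nod32krn.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\smartdrv.exe
C:\WINDOWS\system32\officescan.exe
C:\WINDOWS\system32fab.exe
C:\Dokumente und Einstellungen\Klaus\Desktop\HijackThis.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Hardcopy.LNK = C:\Programme\Hardcopy\hardcopy.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programme\Eset\nod32krn.exe
"""


def exe_basename(command: str) -> str:
    """Lower-cased file name of the program a command line launches."""
    match = _PATH_RE.search(command)
    if match:
        target = match.group(0)
    else:
        # No full path: a bare name such as "AGRSMMSG.exe" or "RUNDLL32.EXE ..."
        parts = command.strip().strip('"').split()
        target = parts[0] if parts else ""
    name = target.rsplit("\\", 1)[-1].lower()
    if name and "." not in name:
        name += ".exe"  # "RunDll32 cmicnfg.cpl,..." omits the extension
    return name


def command_of(entry: str) -> str:
    """Isolate the launched command from an O4 or O23 HijackThis entry."""
    if entry.startswith("O4 - "):
        # "O4 - HKLM\..\Run: [Name] command"  or  "O4 - Startup: x.lnk = path"
        for sep in ("] ", " = "):
            if sep in entry:
                return entry.split(sep, 1)[1]
        return ""
    if entry.startswith("O23 - "):
        # "O23 - Service: name (svc) - vendor - path": the vendor text carries
        # no drive path, so the first path found is the service binary.
        match = _PATH_RE.search(entry)
        return match.group(0) if match else ""
    return ""


def parse_log(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (running process names, names that some launch point starts)."""
    running: Set[str] = set()
    launch: Set[str] = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            section = "procs"
            continue
        if re.match(r"[A-Z]\d+ - ", line):  # R0, O2, O4, O23 ... entries
            section = "entries"
        if section == "procs":
            running.add(exe_basename(line))
        elif section == "entries":
            cmd = command_of(line)
            if cmd:
                launch.add(exe_basename(cmd))
    return running, launch


def triage(text: str) -> Dict[str, List[str]]:
    """Flag running processes with no launch point and system-dir lookalikes."""
    running, launch = parse_log(text)
    unexplained = sorted(p for p in running if p not in launch and p not in BASELINE)
    # A file named after a system directory, like system32fab.exe sitting
    # directly in C:\WINDOWS, is a classic disguise worth a second look.
    lookalikes = sorted(p for p in running if p.startswith("system32"))
    return {"unexplained": unexplained, "lookalike": lookalikes}
```

On the sample, `triage(SAMPLE_LOG)` reports exactly the three files the helper asked about; on a full log, Microsoft services that HijackThis does not list will also surface, which is why the baseline set exists.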
11.08.2006, 15:55 | #6 |
Hello, attached are the logs that were to be examined; in Task Manager I unfortunately couldn't find the four files and therefore couldn't kill them either. I couldn't get along with the GetRunKey.zip tool, but perhaps the logfiles are enough to tell me how to proceed.
Many thanks in advance, regards, klamaeu

Complete scanning result of "smartdrv.exe", received in VirusTotal at 08.11.2006, 15:50:06 (CET).

Antivirus  Version  Update  Result
AntiVir 6.35.1.0 08.11.2006 no virus found
Authentium 4.93.8 08.11.2006 no virus found
Avast 4.7.844.0 08.10.2006 no virus found
AVG 386 08.10.2006 no virus found
BitDefender 7.2 08.11.2006 Adware.Trojfact.A
CAT-QuickHeal 8.00 08.11.2006 no virus found
ClamAV devel-20060426 08.11.2006 no virus found
DrWeb 4.33 08.11.2006 no virus found
eTrust-InoculateIT 23.72.93 08.11.2006 Win32/Cadux.AW!Trojan
eTrust-Vet 30.3.3012 08.11.2006 Win32/Cadux.AW
Ewido 4.0 08.11.2006 no virus found
Fortinet 2.77.0.0 08.11.2006 W32/FakeAlert.D!tr
F-Prot 3.16f 08.10.2006 no virus found
F-Prot4 4.2.1.29 08.10.2006 no virus found
Ikarus 0.2.65.0 08.11.2006 no virus found
Kaspersky 4.0.2.24 08.11.2006 no virus found
McAfee 4826 08.10.2006 TFactory
Microsoft 1.1508 08.04.2006 no virus found
NOD32v2 1.1703 08.11.2006 no virus found
Norman 5.90.23 08.11.2006 no virus found
Panda 9.0.0.4 08.11.2006 Adware/SpySheriff
Sophos 4.08.0 08.11.2006 Troj/Tfactory-A
Symantec 8.0 08.11.2006 no virus found
TheHacker 5.9.8.190 08.10.2006 no virus found
UNA 1.83 08.10.2006 no virus found
VBA32 3.11.0 08.11.2006 no virus found
VirusBuster 4.3.7:9 08.11.2006 Trojan.DL.Agent.DTE

Aditional Information
File size: 11268 bytes
MD5: bc98f69ae2950746e60f97b289be2fd0
SHA1: d680d7fb860e3d5887016f57182c56f17d2edc74
packers: UPX

=========================================================

Complete scanning result of "officescan.exe", received in VirusTotal at 08.11.2006, 16:07:48 (CET).

Antivirus  Version  Update  Result
AntiVir 6.35.1.0 08.11.2006 no virus found
Authentium 4.93.8 08.11.2006 no virus found
Avast 4.7.844.0 08.10.2006 no virus found
AVG 386 08.10.2006 no virus found
BitDefender 7.2 08.11.2006 Adware.TrojFact.A
CAT-QuickHeal 8.00 08.11.2006 no virus found
ClamAV devel-20060426 08.11.2006 no virus found
DrWeb 4.33 08.11.2006 no virus found
eTrust-InoculateIT 23.72.93 08.11.2006 Win32/Cadux.AS!Trojan
eTrust-Vet 30.3.3012 08.11.2006 Win32/Cadux.AS
Ewido 4.0 08.11.2006 no virus found
Fortinet 2.77.0.0 08.11.2006 W32/FakeAlert.D!tr
F-Prot 3.16f 08.10.2006 no virus found
F-Prot4 4.2.1.29 08.10.2006 no virus found
Ikarus 0.2.65.0 08.11.2006 no virus found
Kaspersky 4.0.2.24 08.11.2006 no virus found
McAfee 4826 08.10.2006 TFactory
Microsoft 1.1508 08.04.2006 no virus found
NOD32v2 1.1703 08.11.2006 no virus found
Norman 5.90.23 08.11.2006 no virus found
Panda 9.0.0.4 08.11.2006 Adware/SpySheriff
Sophos 4.08.0 08.11.2006 Troj/Tfactory-A
Symantec 8.0 08.11.2006 no virus found
TheHacker 5.9.8.190 08.10.2006 no virus found
UNA 1.83 08.10.2006 no virus found
VBA32 3.11.0 08.11.2006 no virus found
VirusBuster 4.3.7:9 08.11.2006 Trojan.Renos.AK

Aditional Information
File size: 94208 bytes
MD5: 866c840392b5c227502d68dd994a78da
SHA1: a3fc70b60ee979b88e39c04d6876d2833b337132
packers: UPX

==========================================================

Complete scanning result of "system32fab.exe", received in VirusTotal at 08.11.2006, 16:29:55 (CET).

Antivirus  Version  Update  Result
AntiVir 6.35.1.0 08.11.2006 TR/FakeAlert.CY
Authentium 4.93.8 08.11.2006 no virus found
Avast 4.7.844.0 08.10.2006 no virus found
AVG 386 08.10.2006 Generic.YTP
BitDefender 7.2 08.11.2006 Trojan.FakeAlert.CY
CAT-QuickHeal 8.00 08.11.2006 no virus found
ClamAV devel-20060426 08.11.2006 no virus found
DrWeb 4.33 08.11.2006 no virus found
eTrust-InoculateIT 23.72.93 08.11.2006 Win32/Cadux.4qo!Trojan
eTrust-Vet 30.3.3012 08.11.2006 Win32/Cadux.AU
Ewido 4.0 08.11.2006 no virus found
Fortinet 2.77.0.0 08.11.2006 W32/FakeAlert.D!tr
F-Prot 3.16f 08.10.2006 no virus found
F-Prot4 4.2.1.29 08.10.2006 no virus found
Ikarus 0.2.65.0 08.11.2006 no virus found
Kaspersky 4.0.2.24 08.11.2006 no virus found
McAfee 4826 08.10.2006 FakeAlert-D
Microsoft 1.1508 08.04.2006 no virus found
NOD32v2 1.1703 08.11.2006 no virus found
Norman 5.90.23 08.11.2006 W32/Renos.GH
Panda 9.0.0.4 08.11.2006 Adware/SpySheriff
Sophos 4.08.0 08.11.2006 Troj/Tfactory-A
Symantec 8.0 08.11.2006 no virus found
TheHacker 5.9.8.190 08.10.2006 no virus found
UNA 1.83 08.10.2006 Trojan.Win32.FakeAlert.D8F7
VBA32 3.11.0 08.11.2006 no virus found
VirusBuster 4.3.7:9 08.11.2006 no virus found

Aditional Information
File size: 17920 bytes
MD5: fe1d064142a24f817fc5d5f52e92b953
SHA1: 8fcb9211611b05dcaebc5b3bc62dd09f7ebf0388
packers: UPX

========================================================

Complete scanning result of "AquaReal.scr", received in VirusTotal at 08.11.2006, 15:35:52 (CET).

Antivirus  Version  Update  Result
AntiVir 6.35.1.0 08.11.2006 no virus found
Authentium 4.93.8 08.11.2006 no virus found
Avast 4.7.844.0 08.10.2006 no virus found
AVG 386 08.10.2006 no virus found
BitDefender 7.2 08.11.2006 no virus found
CAT-QuickHeal 8.00 08.11.2006 no virus found
ClamAV devel-20060426 08.11.2006 no virus found
DrWeb 4.33 08.11.2006 no virus found
eTrust-InoculateIT 23.72.93 08.11.2006 no virus found
eTrust-Vet 30.3.3012 08.11.2006 no virus found
Ewido 4.0 08.11.2006 no virus found
Fortinet 2.77.0.0 08.11.2006 no virus found
F-Prot 3.16f 08.10.2006 no virus found
F-Prot4 4.2.1.29 08.10.2006 no virus found
Ikarus 0.2.65.0 08.11.2006 no virus found
Kaspersky 4.0.2.24 08.11.2006 no virus found
McAfee 4826 08.10.2006 no virus found
Microsoft 1.1508 08.04.2006 no virus found
NOD32v2 1.1703 08.11.2006 no virus found
Norman 5.90.23 08.11.2006 no virus found
Panda 9.0.0.4 08.11.2006 no virus found
Sophos 4.08.0 08.11.2006 no virus found
Symantec 8.0 08.11.2006 no virus found
TheHacker 5.9.8.190 08.10.2006 no virus found
UNA 1.83 08.10.2006 no virus found
VBA32 3.11.0 08.11.2006 no virus found
VirusBuster 4.3.7:9 08.10.2006 no virus found

Aditional Information
File size: 1032192 bytes
MD5: 928e184245ac947eec55e7ff85100e62
SHA1: a73e51846531ed882afdb2054abdbcb03fd6484f
11.08.2006, 16:45 | #8 |
| strange pages pop up Hello, attached is the log from SmitFraudFix v2.81. Creating the second log did not work. Maybe I did something wrong as well. Can you make anything of all my logs? Regards klamaeu
SmitFraudFix v2.81
Scan done at 17:40:18,35, 11.08.2006
Run from C:\temp\eigene dateien1
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End |
11.08.2006, 21:16 | #9 |
| strange pages pop up Addendum: I tried to start the clean process with key 2 in SmitFraudFix v2.81. That worked as far as it went, but a message came up roughly like: "The path cannot be found....." What could be the reason? Regards klamaeu |
11.08.2006, 21:29 | #10 |
| strange pages pop up Hello, that is probably because you did not unpack SmitFraudFix into a folder of its own but are starting it from inside WinZip; change that. Regards Wildone |
12.08.2006, 09:51 | #11 |
| strange pages pop up Hello, I created a new folder on drive C and copied the zip file there. I then went into Safe Mode and unpacked the file with WinZip. After clicking SmitfraudFix.cmd, the window with the options to choose from appeared. After clicking Clean (key 2), the message came up again: "The system cannot find the path specified.." or something similar. What else can I do? Regards klamaeu |
12.08.2006, 10:25 | #12 |
| strange pages pop up Hello, does the folder you created contain the individual files (smitfraud.cmd etc.), or is smitfraudfix.zip in there and you are running that? Regards Wildone |
12.08.2006, 10:34 | #13 |
| strange pages pop up Hello, the folder named smit contains a further folder named SmitfraudFix (with all the sub-programs) and the file SmitfraudFix.zip. Regards klamaeu |
12.08.2006, 10:38 | #14 |
| strange pages pop up Hello, hmm, then I am at a loss; try Smitrem (see the guide). But I am afraid the whole thing will end up as a manual removal. Regards Wildone |
12.08.2006, 11:12 | #15 |
| strange pages pop up Hello Wildone, many thanks for your efforts and tips. As I already said, I used the SmitFraudFix program and wrote to you that cleaning with key 2 did not work. Nevertheless I cleaned the registry with key 4 (or was it 3?) and, lo and behold, no further spyware warnings have appeared so far. Of course I am glad that is the case, but could anything actually be seen in the various logs?? Otherwise, thanks again and have a nice weekend from Karlsruhe. Regards klamaeu |