Logefile bitte auswerten

Carina · 13.04.2008, 12:26

Der Rechner ist emlich langsam und reagiert nicht immer auf, ich sags mal so, "Anweisungen".
Vielleicht könnt ihr ja was aus der LogFile lesen ;P

Danke schonmal, Carina

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22:38, on 13.04.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Common Files\aol\1198937620\ee\aolsoftware.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\MHotkey.exe
C:\Windows\CDCtr.exe
C:\Windows\ModHidKey.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myownstartpage.net/?cm=941393&lt=1&it=2008-02-25%2007%3A09%3A43&dt=2008-03-13%2021%3A10%3A38&q=http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Google\Google_BAE\BAE.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LchMHotkey] LchMHKey.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1198937620\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\Windows\vsnpstd2.exe
O4 - HKLM\..\Run: [AntiSpyKit 5.3] "C:\Program Files\AntiSpyKit 5.3\AntiSpyKit 5.3.exe" /h
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [SmpcSys] C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0 VR\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4064A105-5699-4BD5-90CB-23C00F65283E}: NameServer = 195.50.140.178 195.50.140.114
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\OmniServ.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11899 bytes

Vista_User · 13.04.2008, 12:53

Bitte bei www.virustotal.com prüfen lassen und Ergebnis posten:

C:\Windows\CDCtr.exe
C:\Windows\ModHidKey.exe
C:\Program Files\AntiSpyKit 5.3\AntiSpyKit 5.3.exe

Carina · 13.04.2008, 13:28

Also ich weiß ja nich ob ich das jetzt so richtig gemacht hab, weil bisher hab ich noch nix über virustotal hochladen und posten müssen. Sorry wenns zu viel etc ist

C:\Windows\CDCtr.exe:

MD5: 65fc386691e979eaf3bea00ac76bd646
Datum 2008.03.01 00:57:14 (CET) [>43D]
Ergebnisse 2/32
Permalink: analisis/689d0da69182091cda813117baec6df9

C:\Windows\ModHidKey.exe:

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.4.12.0 2008.04.11 -
AntiVir 7.6.0.85 2008.04.11 -
Authentium 4.93.8 2008.04.13 -
Avast 4.8.1169.0 2008.04.13 -
AVG 7.5.0.516 2008.04.12 -
BitDefender 7.2 2008.04.13 -
CAT-QuickHeal 9.50 2008.04.12 -
ClamAV 0.92.1 2008.04.13 -
DrWeb 4.44.0.09170 2008.04.12 -
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5692 2008.04.11 -
Ewido 4.0 2008.04.13 -
F-Prot 4.4.2.54 2008.04.13 -
F-Secure 6.70.13260.0 2008.04.13 -
FileAdvisor 1 2008.04.13 -
Fortinet 3.14.0.0 2008.04.13 -
Ikarus T3.1.1.26 2008.04.13 -
Kaspersky 7.0.0.125 2008.04.13 -
McAfee 5272 2008.04.11 -
Microsoft 1.3408 2008.04.13 -
NOD32v2 3021 2008.04.12 -
Norman 5.80.02 2008.04.12 -
Panda 9.0.0.4 2008.04.13 -
Prevx1 V2 2008.04.13 -
Rising 20.39.62.00 2008.04.13 -
Sophos 4.28.0 2008.04.13 -
Sunbelt 3.0.1041.0 2008.04.12 -
Symantec 10 2008.04.13 -
TheHacker 6.2.92.276 2008.04.12 -
VBA32 3.12.6.4 2008.04.13 -
VirusBuster 4.3.26:9 2008.04.12 -
Webwasher-Gateway 6.6.2 2008.04.11 -
weitere Informationen
File size: 53248 bytes
MD5...: 4344109811efa460352083ef5255c5cc
SHA1..: dd0e79ba0d983c7a372a8bb0c9a1a47de86b1d8d
SHA256: 40cd0f85d9c9ec974cf6deade0632bc878e7f5255fa8dd4baf438496bc48f78c
SHA512: 9ea643ce52f12207ed52264fca014b24234f3c0fa7908e30e1384e60b3333adf
6e0f2dcd7dc430d898a1abb3a556a572399aacb3bb8adc974910cf331ce1381e
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401705
timedatestamp.....: 0x455431bb (Fri Nov 10 08:00:59 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6868 0x7000 6.38 758ee6ce1c235eb9ef094599484585db
.rdata 0x8000 0x25ca 0x3000 4.69 3fae3bedbffd5a32a028fda110508a0b
.data 0xb000 0x19fc 0x1000 2.29 83c6b297cbafec00f885691a0b8f484f
.rsrc 0xd000 0xaec 0x1000 3.89 c936577389b763194595a4b90a114ae7

( 2 imports )
> USER32.dll: GetMessageA, TranslateMessage, DispatchMessageA, LoadIconA, LoadCursorA, RegisterClassExA, LoadStringA, DefWindowProcA, GetRawInputData, GetRawInputDeviceInfoA, FindWindowA, PostMessageA, BeginPaint, GetClientRect, DrawTextA, EndPaint, PostQuitMessage, CreateWindowExA, RegisterRawInputDevices, ShowWindow, UpdateWindow
> KERNEL32.dll: TlsGetValue, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, MultiByteToWideChar, RtlUnwind, GetOEMCP, GetACP, GetCPInfo, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoA, GetLastError, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetProcAddress, GetModuleHandleA, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, HeapSize, LoadLibraryA, InitializeCriticalSection

( 0 exports )

C:\Program Files\AntiSpyKit 5.3\AntiSpyKit 5.3.exe:

Wollte hochladen, dann kam diese Meldung:

0 bytes size received / Se ha recibido un archivo vacio

nochdigger · 13.04.2008, 13:52

Hallo

sagt dir das hier etwas

Zitat:

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

Whois abfrage:
OrgName: Freedom Networks LLC
OrgID: FNL-6
Address: 50 Freemont St.
Address: 16 Floor
City: San Francisco
StateProv: CA
PostalCode: 94105
Country: US

Scanne dein System bitte mit Blacklight
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
und poste das Log.

MFG

Carina · 13.04.2008, 14:27

Nein sagt mir gar nichts. Was ist das?!

Also ich hab den Scan ez durchlaufen lassen. Mir wird nur angezeigt:

Scan tragets:
Hidden processes
Hidden files on folders

Status:
Scan completed
No hidden items were found

Summary:
Hidden items found: 0
Items queued for renaming: 0

nochdigger · 13.04.2008, 16:13

Hallo

aus deiner Antwort schließe ich, dass du o.g. Einträge nicht kennst

Lade dir mal den Ccleaner
http://www.trojaner-board.de/51464-a...-ccleaner.html

Anschließend lass Combofix dein System bereinigen
Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lass dann Malwarebytes dein System bereinigen
http://www.trojaner-board.de/51187-m...i-malware.html

Poste bitte die Logs dann sehen wir weiter.

MFG

Sabina · 13.04.2008, 16:17

Hallo,

deaktiviere zeitweilig den Spybot - Search & Destroy\TeaTimer.exe

1.
mit dem HijackThis löschen ("fixen")
Klicke: "Do a system scan only"
Setze ein Häckchen in das Kästchen vor den genannten Eintrag
und wähle fix checked.

Zitat:

O4 - HKLM\..\Run: [AntiSpyKit 5.3] "C:\Program Files\AntiSpyKit 5.3\AntiSpyKit 5.3.exe" /h

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

2.
wende fixwareout an + poste nach Neustart den Report
FixWareout

3.
wende Combofix an (Warnmeldung wegklicken) + poste den Report hier, der erstellt wird
combofix

Carina · 13.04.2008, 17:19

Als hab erstmal nochdigegrs Anweisungen befolgt. Nich dass da was durchnander kommt und ich dann noch mehr kaputt mach als nötig.
Habe mit CCleaner alles bereinigt, und ComboFix durchlaufen lassen.
Hier die LogFile:

ComboFix 08-04-12.10 - anDy 2008-04-13 18:02:15.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1031.18.170 [GMT 2:00]
ausgeführt von:: C:\Users\anDy\Downloads\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://216.40.219.141
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PortProxy

((((((((((((((((((((((( Dateien erstellt von 2008-03-13 bis 2008-04-13 ))))))))))))))))))))))))))))))
.

Keine neuen Dateien erstellt in diesem Zeitraum

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 16:09 --------- d-----w C:\Program Files\Symantec
2008-04-13 16:09 --------- d-----w C:\Program Files\Google
2008-04-13 15:50 --------- d-----w C:\Program Files\WinMX
2008-04-13 15:48 --------- d-----w C:\ProgramData\Symantec
2008-04-13 15:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-13 15:42 --------- d-----w C:\Users\anDy\AppData\Roaming\Packard Bell
2008-04-13 15:42 --------- d-----w C:\Program Files\Common Files\aol
2008-04-13 15:34 --------- d-----w C:\Program Files\CCleaner
2008-04-13 11:20 --------- d-----w C:\Program Files\Trend Micro
2008-04-10 15:03 --------- d-----w C:\Program Files\Windows Mail
2008-04-06 19:21 --------- d-----w C:\ProgramData\eMule
2008-04-06 19:21 --------- d-----w C:\Program Files\eMule
2008-04-06 18:28 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-06 18:25 --------- d-----w C:\ProgramData\Nero
2008-04-06 18:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-25 06:20 --------- d-----w C:\Users\anDy\AppData\Roaming\ArcSoft
2008-03-24 03:26 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-03-24 03:18 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-24 01:10 --------- d-----w C:\ProgramData\Avira
2008-03-24 01:10 --------- d-----w C:\Program Files\Avira
2008-03-04 09:07 --------- d-----w C:\Users\anDy\AppData\Roaming\Roxio
2008-03-04 08:52 --------- d-----w C:\ProgramData\Sonic
2008-03-03 10:37 --------- d-----w C:\Users\anDy\AppData\Roaming\Skype
2008-03-03 10:15 --------- d-----w C:\ProgramData\NVIDIA
2008-03-03 10:10 --------- d-----w C:\Program Files\Microsoft Works
2008-03-03 10:10 --------- d-----w C:\Program Files\AOL 9.0 VR
2008-03-03 09:56 --------- d-----w C:\Users\anDy\AppData\Roaming\AOL
2008-03-03 09:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-03 09:21 --------- d-----w C:\Users\anDy\AppData\Roaming\Avant Profiles
2008-03-03 09:21 --------- d-----w C:\Program Files\Avant Browser
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-17 09:29 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-02-15 17:43 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-15 17:43 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-02-14 17:48 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-14 17:48 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-14 17:48 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-14 17:48 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-14 17:48 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-14 17:48 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-14 17:48 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-14 17:47 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-14 17:47 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-14 17:47 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-14 17:47 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-14 17:47 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-14 17:46 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 17:46 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 17:46 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 17:46 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-14 17:46 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 17:46 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 17:46 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2007-12-30 21:30 174 --sha-w C:\Program Files\desktop.ini
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 17:26 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 14:34 2159104 C:\Windows\System32\oobefldr.dll]
"SmpcSys"="C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe" [2006-10-23 16:49 1092152]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:55 5674352]
"Shareaza"="C:\Program Files\Shareaza\Shareaza.exe" [2007-02-05 05:05 4354048]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-09-20 15:35 1410344]
"AOL Fast Start"="C:\Program Files\AOL 9.0 VR\AOL.exe" [2006-11-20 12:36 50736]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-12-30 13:09 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 11:57 3784704 C:\Windows\RtHDVCpl.exe]
"LchMHotkey"="LchMHKey.exe" [2007-01-22 17:59 36864 C:\Windows\LchMHKey.exe]
"ATSwpNav"="C:\Program Files\Fingerprint Sensor\ATSwpNav -run" [ ]
"HostManager"="C:\Program Files\Common Files\AOL\1198937620\ee\AOLSoftware.exe" [2006-11-14 15:47 50736]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-20 22:08 228088]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-10-24 23:08 107112]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-10-27 01:18 22696]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [2006-12-20 17:32 2519040]
"toolbar_eula_launcher"="C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe" [2007-01-10 11:00 18944]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51 1836328]
"SNPSTD2"="C:\Windows\vsnpstd2.exe" [2004-08-30 18:37 286720]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-12 06:28 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-12 06:28 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-12 06:28 81920]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-24 03:13 249896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{A3367982-B344-479B-AA35-3A33A7840CEA}C:\\program files\\msn messenger\\msnmsgr.exe"= UDP:C:\program files\msn messenger\msnmsgr.exe:Messenger
"UDP Query User{6F053477-7E83-4037-90B1-19376FFADCAD}C:\\program files\\msn messenger\\msnmsgr.exe"= TCP:C:\program files\msn messenger\msnmsgr.exe:Messenger
"{28199D40-E047-4DBF-9281-36FA58428F72}"= UDP:C:\Program Files\Shareaza\Shareaza.exe:Shareaza
"{D8D8E468-0E03-4C9F-A864-F5D75C6CCEEB}"= TCP:C:\Program Files\Shareaza\Shareaza.exe:Shareaza
"TCP Query User{EED8EBE4-95C7-457A-898B-1D09022DD721}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{22584FC7-92C8-4D3E-A2EE-7C9A573E5534}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080325.002\IDSvix86.sys [2008-02-13 18:18]
R3 ovt530;Webcam Classic;C:\Windows\system32\Drivers\ov530vid.sys [2005-03-15 18:04]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 20:55]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 10:51]
S3 snpstd2;Trust WB-3100P Portable Webcam;C:\Windows\system32\DRIVERS\snpstd2.sys [2004-10-14 19:12]
S4 FLMCKUSB;AuthenTec TruePrint USB Driver (AES3400, AES3500, AES4000);C:\Windows\system32\drivers\flmckusb.sys [2006-07-27 18:00]

*Newly Created Service* - COMHOST
.
Inhalt des "geplante Tasks" Ordners
"2008-04-13 16:00:01 C:\Windows\Tasks\Erweiterte Garantie.job"
- C:\Program Files\Packard Bell\SetupmyPC\PBCarNot.exe
"2008-04-13 16:00:01 C:\Windows\Tasks\Recovery DVD Creator.job"
- C:\Program Files\Packard Bell\SetupMyPc\MCDCheck.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 18:11:25
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

Sabina · 13.04.2008, 17:40

Hallo,

1.
mit dem HijackThis löschen ("fixen")
Klicke: "Do a system scan only"
Setze ein Häckchen in das Kästchen vor den genannten Eintrag
und wähle fix checked. + PC neustarten

Zitat:

falls es noch vorhanden ist
O4 - HKLM\..\Run: [AntiSpyKit 5.3] "C:\Program Files\AntiSpyKit 5.3\AntiSpyKit 5.3.exe" /h

unbedingt fixen
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

fixwareout funktioniert leider nicht auf vista, hab ich gerade gesehen.
deshalb fixe die Einträge mit HijackThis + starte den Rechner neu + poste ein neues Log von HijackThis

Carina · 13.04.2008, 18:08

Also ich hab die letzten beiden Dateien löschen können, die Andere war nicht mehr vorhanden.
Hier der neue HijackThisLog:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:04:46, on 13.04.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Common Files\aol\1198937620\ee\aolsoftware.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\MHotkey.exe
C:\Windows\CDCtr.exe
C:\Windows\ModHidKey.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LchMHotkey] LchMHKey.exe
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1198937620\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\Windows\vsnpstd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SmpcSys] C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0 VR\AOL.EXE" -b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4064A105-5699-4BD5-90CB-23C00F65283E}: NameServer = 195.50.140.178 195.50.140.114
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\OmniServ.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8885 bytes

Kann mir vllt. jemand sagen, was es mit damit auf sich hat?

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

Whois abfrage:
OrgName: Freedom Networks LLC
OrgID: FNL-6
Address: 50 Freemont St.
Address: 16 Floor
City: San Francisco
StateProv: CA
PostalCode: 94105
Country: US

Woher kommt das, was kann es anrichten etc?

Sabina · 13.04.2008, 18:46

Hallo,

«
die Internetverbindung wurde zu einem Provider in San Francisco umgeleitet.
Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

-------------------------------------------------------------------------------------

1.
Start - Ausführen - Kopiere rein: Combofix /U
klicke "OK"
Ausführen bei Vista : Windows Taste + R drücken

2.
lade Windowsdefender + scanne
Windows Defender

dann sollte wieder alles o.k. sein

Carina · 13.04.2008, 18:55

So Defender läuft.
Kann es irgendwelche Folgen haben, wegen dieser Umleitung??

Danke schonmal für die schnelle Hilfe, echt super!

Sabina · 13.04.2008, 18:58

die falsche Tcpip ist ja nun ausgelöscht, überprüfe in den nächsten Tagen mit hijackthis, ob sie nicht etwa wieder auftaucht.
In diesem Fall melde dich wieder.
Alles Gute

13.04.2008, 14:27	#5
Carina Gesperrt	Logefile bitte auswerten Nein sagt mir gar nichts. Was ist das?! Also ich hab den Scan ez durchlaufen lassen. Mir wird nur angezeigt: Scan tragets: Hidden processes Hidden files on folders Status: Scan completed No hidden items were found Summary: Hidden items found: 0 Items queued for renaming: 0 Geändert von Carina (13.04.2008 um 14:28 Uhr) Grund: Schreibfehler ;P

13.04.2008, 18:55	#12
Carina Gesperrt	Logefile bitte auswerten So Defender läuft. Kann es irgendwelche Folgen haben, wegen dieser Umleitung?? Danke schonmal für die schnelle Hilfe, echt super!

Logefile bitte auswerten

Log-Analyse und Auswertung: Logefile bitte auswerten