explorer.exe stürzt ab/lädt neu

macbeth · 15.06.2008, 22:51

Hallo Forum,

dies ist mein erster Eintrag hier (wie Ihr ja sehen könnt)

Nach 2 Jahren ohne Viren hat es mich nun auch erwischt - so glaube ich zumindest. Nach dem logon in Windows startet die explorer.exe immer wieder neu.

Nun habe ich mal HijackThis durchlaufen lassen, und sehe da eigentlich nix böses (muss aber gestehen, dass ich nicht viel Ahnung habe).

Ich wäre Euch so dankbar, wenn Ihr mir helfen könntet - ich muss doch morgen in der Uni wieder mitschreiben....

Im Voraus sehr vielen Dank!!!!!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:24:25, on 15.06.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\CNAB4RPK.EXE

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\WINDOWS\system32\UAService.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Launchy\Launchy.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\TuneUp Utilities 2006\Integrator.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

G:\HiJackThis.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168120904062

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--

End of file - 7413 bytes

BataAlexander · 16.06.2008, 00:03

Launchy hab ich schon in Zusammenhang mit Problemen gehört. Kann hier aber am SP3 liegen.

Deckards System Scanner (DSS)

Hier gibt es das Tool -> dss.exe

* Schließe alle Anwendungen
* Doppelklicke dss.exe um das Programm zu starten
* Wenn der Scan abgeschlossen ist wird sich ein Notepad mit dem Inhalt
der main.txt öffnen.
Ein weiteres Logfile, die extra.txt liegt im Verzeichnis
c:\Deckard\SystemScanner\extra.txt
* Kopiere den Inhalt der beiden Logfiles in diesen Thread, bitte als [CODE][/CODE]

Was Deckards System Scanner macht:

* Es Erstellt einen System Wiederherstellungspunkt
* es säubert die temporären Dateien, Downloaded Program Files, Internet
Cache Dateien und es leert den Mülleimer auf allen Laufwerken.

macbeth · 16.06.2008, 00:36

Hallo BataAlexander,

vielen Dank für deinen post.

Also:

Ich habe Spybot Search&Destroy noch einmal laufen lassen > hat einige Probleme gefunden.
AntiVir XP dann auch noch einmal > nix.
Im SafeMode tritt das Problem auch auf.
Dann habe ich Knoppicillin runtergeladen und von CD laufen lassen. Hat auch ein paar Sachen gefunden.

Kann jetzt wieder "normal" booten - jedoch ist die Auslastung immer bei 40-50%, ohne dass ich was offen habe. Ich werde jetzt mal deinen Vorschlag probieren. Habe vielen Dank!

So, hier:

Code:

ATTFilter

Deckard's System Scanner v20071014.68

Run by Toni on 2008-06-16 01:38:16

Computer is in Normal Mode.

--------------------------------------------------------------------------------



-- System Restore --------------------------------------------------------------



Successfully created a Deckard's System Scanner Restore Point.





-- Last 5 Restore Point(s) --

283: 2008-06-15 23:38:34 UTC - RP571 - Deckard's System Scanner Restore Point

282: 2008-06-14 19:02:31 UTC - RP570 - Last known good configuration

281: 2008-06-14 19:02:15 UTC - RP569 - Software Distribution Service 3.0

280: 2008-06-14 19:02:15 UTC - RP568 - System Checkpoint

279: 2008-06-14 19:02:15 UTC - RP567 - Installed Windows Media Player Firefox Plugin





-- First Restore Point -- 

1: 2008-06-14 18:56:54 UTC - RP289 - Installed Adobe Photoshop Lightroom.





Backed up registry hives.

Performed disk cleanup.







-- HijackThis Clone ------------------------------------------------------------





Emulating logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2008-06-16 01:39:49

Platform: Windows XP Service Pack 3 (5.01.2600)

MSIE: Internet Explorer (7.00.6000.16674)

Boot mode: Normal



Running processes:

C:\WINDOWS\system32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\UAService.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\WINDOWS\system32\CNAB4RPK.EXE

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe

C:\WINDOWS\system32\alg.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

G:\dss.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie?hl={SUB_RFC1766}

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie?hl={SUB_RFC1766}

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.com/preferences?hl={SUB_RFC1766}

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1FBF1F47-46AE-4578-BAEB-06E3D7B7F57E} - C:\WINDOWS\system32\fcccdaxw.dll (file missing)

O2 - BHO: (no name) - {39CEF1D5-A3CE-443C-A113-8CC473D46259} - C:\WINDOWS\system32\qoMeCSKe.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Program Files\TEXTware\QUICKfind\PlugIns\IEHelp.dll

O2 - BHO: (no name) - {E0580FD9-2BA1-4679-A259-8154202C3038} - C:\WINDOWS\system32\cbXQiIxY.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKLM\..\RunOnce: [SpybotDeletingA5588] command /c del "C:\WINDOWS\system32\fcccdaxw.dll_old"

O4 - HKLM\..\RunOnce: [SpybotDeletingC5379] cmd /c del "C:\WINDOWS\system32\fcccdaxw.dll_old"

O4 - HKLM\..\RunOnce: [SpybotDeletingA7819] command /c del "C:\WINDOWS\system32\qoMeCSKe.dll_old"

O4 - HKLM\..\RunOnce: [SpybotDeletingC5181] cmd /c del "C:\WINDOWS\system32\qoMeCSKe.dll_old"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/fhg.CAB

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168120904062

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll

O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL

O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINDOWS\system32\textwareilluminatorbaseProtocol.dll

O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

O20 - Winlogon Notify: cbXQiIxY - C:\WINDOWS\system32\cbXQiIxY.dll

O20 - Winlogon Notify: winrnt32 - C:\WINDOWS\system32\winrnt32.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe





--

End of file - 9938 bytes



-- File Associations -----------------------------------------------------------



.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe,2

.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"





-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------



R2 Sentinel - c:\windows\system32\drivers\sentinel.sys



S3 BLKWGU(Belkin) (Belkin Wireless G USB Network Adapter(Belkin)) - c:\windows\system32\drivers\blkwgu.sys (file missing)

S3 btaudio (Bluetooth Audio Device) - c:\windows\system32\drivers\btaudio.sys (file missing)

S3 BTDriver (Bluetooth Virtual Communications Driver) - c:\windows\system32\drivers\btport.sys (file missing)

S3 btwhid - c:\windows\system32\drivers\btwhid.sys (file missing)

S3 BTWUSB (WIDCOMM USB Bluetooth Driver) - c:\windows\system32\drivers\btwusb.sys (file missing)

S3 LMouKE (Logitech SetPoint Mouse Filter Driver) - c:\windows\system32\drivers\lmouke.sys (file missing)

S3 ZDPSp50 (ZDPSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\zdpsp50.sys (file missing)





-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------



R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - c:\program files\antivir personaledition classic\sched.exe <Not Verified; Avira GmbH; AntiVir Workstation>

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

R2 Bonjour Service (Bonjour-Dienst) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

R2 ForceWare Intelligent Application Manager (IAM) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module>

R2 ForcewareWebInterface (Forceware Web Interface) - "c:\program files\nvidia corporation\networkaccessmanager\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>

R2 nSvcLog (ForceWare user log service) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvclog.exe <Not Verified; NVIDIA; NVIDIA nSvcLog>

R2 TUWinStylerThemeSvc (TuneUp WinStyler Theme Service) - "c:\program files\tuneup utilities 2006\winstylerthemesvc.exe" <Not Verified; TuneUp Software GmbH; TuneUp Utilities>

R2 UserAccess (SecuROM User Access Service) - c:\windows\system32\uaservice.exe

R2 UserAccess7 (SecuROM User Access Service (V7)) - c:\windows\system32\uaservice7.exe





-- Device Manager: Disabled ----------------------------------------------------



Class GUID: 

Description: 

Device ID: ACPI\AWY0001\2&DABA3FF&0

Manufacturer: 

Name: 

PNP Device ID: ACPI\AWY0001\2&DABA3FF&0

Service: 



Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems VPN Adapter

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter

PNP Device ID: ROOT\NET\0000

Service: CVirtA





-- Scheduled Tasks -------------------------------------------------------------



2008-06-16 01:07:38       330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job

2008-06-12 23:51:01       284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

2008-06-06 17:16:11       388 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job





-- Files created between 2008-05-16 and 2008-06-16 -----------------------------



2027-09-14 15:29:06         0 d--h----- C:\WINDOWS\PIF

2008-06-16 01:09:45       344 --ahs---- C:\WINDOWS\system32\eKSCeMoq.ini2

2008-06-16 00:41:36         0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-06-16 00:15:36         0 dr-h----- C:\Documents and Settings\Toni\Recent

2008-06-14 20:56:43    596916 --ahs---- C:\WINDOWS\system32\wxadcccf.ini2

2008-06-14 20:51:33     32256 --a------ C:\WINDOWS\system32\winrnt32.dll

2008-06-14 20:51:22     34304 --a------ C:\WINDOWS\system32\cbXQiIxY.dll

2008-06-13 00:16:34         0 d-------- C:\Program Files\PhotomatixPro3

2008-05-22 20:26:19         0 d-------- C:\Documents and Settings\Toni\Application Data\vlc

2008-05-22 20:02:05         0 d-------- C:\Program Files\VideoLAN

2008-05-20 17:41:52         0 d-------- C:\Program Files\Bonjour

2008-05-20 17:41:46         0 d-------- C:\Program Files\Airfoil Speakers





-- Find3M Report ---------------------------------------------------------------



2008-06-14 12:12:15         0 d-------- C:\Program Files\Mozilla Thunderbird

2008-06-14 11:52:36         0 d-------- C:\Program Files\OALD

2008-06-02 22:56:35       341 --a------ C:\WINDOWS\system32\lsprst7.dll

2008-05-25 21:31:49       664 --a------ C:\WINDOWS\system32\d3d9caps.dat

2008-05-15 02:06:50         0 --a------ C:\WINDOWS\system32\ssprs.dll

2008-05-15 02:06:50         0 --a------ C:\WINDOWS\system32\serauth2.dll

2008-05-15 02:06:50         0 --a------ C:\WINDOWS\system32\serauth1.dll

2008-05-15 02:06:50         0 --a------ C:\WINDOWS\system32\nsprs.dll

2008-05-15 02:06:50      1024 --a------ C:\WINDOWS\system32\clauth2.dll

2008-05-15 02:06:50      1024 --a------ C:\WINDOWS\system32\clauth1.dll

2008-05-15 02:04:33      1025 --a------ C:\WINDOWS\system32\sysprs7.dll

2008-05-11 01:18:14         0 d-------- C:\Program Files\Messenger

2008-05-11 01:17:57         0 d-------- C:\Program Files\Movie Maker

2008-05-11 01:15:35         0 d-------- C:\Program Files\Windows NT

2008-05-07 18:53:42         0 d-------- C:\Documents and Settings\Toni\Application Data\ICQ

2008-05-07 15:13:51         0 d-------- C:\Program Files\ICQ6

2008-05-07 15:08:23         0 d--h----- C:\Program Files\InstallShield Installation Information

2008-05-01 20:51:24         0 d-------- C:\Program Files\Common Files\Adobe

2008-05-01 20:51:04         0 d-------- C:\Documents and Settings\Toni\Application Data\Adobe

2008-05-01 20:45:49         0 d-------- C:\Program Files\Common Files

2008-04-24 01:19:57         0 d-------- C:\Documents and Settings\Toni\Application Data\Mask Pro 4.0

2008-04-22 18:11:29         0 d-------- C:\Documents and Settings\Toni\Application Data\Launchy

2008-04-22 18:11:21         0 d-------- C:\Program Files\Launchy

2008-04-20 23:35:33         0 d-------- C:\Program Files\Apple Software Update

2008-04-17 21:55:33         0 d-------- C:\Program Files\Langenscheidt

2008-04-12 16:04:31       268 -r-h----- C:\Documents and Settings\Toni\Application Data\Documentation





-- Registry Dump ---------------------------------------------------------------



*Note* empty entries & legit default entries are not shown





[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FBF1F47-46AE-4578-BAEB-06E3D7B7F57E}]

			C:\WINDOWS\system32\fcccdaxw.dll



[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39CEF1D5-A3CE-443C-A113-8CC473D46259}]

			C:\WINDOWS\system32\qoMeCSKe.dll



[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0580FD9-2BA1-4679-A259-8154202C3038}]

14.06.2008 20:51	34304	--a------	C:\WINDOWS\system32\cbXQiIxY.dll



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [24.01.2006 12:15]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [20.05.2005 03:11]

"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [07.09.2005 16:35]

"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [03.06.2004 10:51]

"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [14.04.2008 23:32]



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14.04.2008 02:12]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28.01.2008 11:43]



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

"SpybotDeletingA5588"=command /c del "C:\WINDOWS\system32\fcccdaxw.dll_old"

"SpybotDeletingC5379"=cmd /c del "C:\WINDOWS\system32\fcccdaxw.dll_old"

"SpybotDeletingA7819"=command /c del "C:\WINDOWS\system32\qoMeCSKe.dll_old"

"SpybotDeletingC5181"=cmd /c del "C:\WINDOWS\system32\qoMeCSKe.dll_old"



C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

ColorVisionStartup.lnk - C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe [1/31/2006 12:23:15 PM]



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsNetHood"=1 (0x1)

"ClearRecentDocsOnExit"=1 (0x1)



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{E0580FD9-2BA1-4679-A259-8154202C3038}"= C:\WINDOWS\system32\cbXQiIxY.dll [14.06.2008 20:51 34304]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQiIxY] 

cbXQiIxY.dll 14.06.2008 20:51 34304 C:\WINDOWS\system32\cbXQiIxY.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy] 

C:\WINDOWS\System32\dimsntfy.dll 



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrnt32] 

winrnt32.dll 14.06.2008 20:51 32256 C:\WINDOWS\system32\winrnt32.dll



[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMeCSKe



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

@="Service"



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart

"E06DDXRC_2352296"="C:\Program Files\Microsoft Encarta\Encarta 2006 Enzyklopaedie\EDICT.EXE" -m

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

"ICQ"="C:\PROGRA~1\ICQ6\ICQ.exe" silent

"Airfoil Speakers"="C:\Program Files\Airfoil Speakers\AirfoilSpeakers.exe"



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"nwiz"=nwiz.exe /install

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

"ScanSoft OmniPage 16-reminder"="C:\Program Files\ScanSoft\OmniPage16\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPage 16\Ereg\Ereg.ini"

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide

"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

eapsvcs	eaphost

dot3svc	dot3svc



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs

UxTuneUp

napagent

hkmsvc









-- Hosts -----------------------------------------------------------------------



127.0.0.1	www.007guard.com

127.0.0.1	007guard.com

127.0.0.1	008i.com

127.0.0.1	www.008k.com

127.0.0.1	008k.com

127.0.0.1	www.00hq.com

127.0.0.1	00hq.com

127.0.0.1	010402.com

127.0.0.1	www.032439.com

127.0.0.1	032439.com



8724 more entries in hosts file.





-- End of Deckard's System Scanner: finished at 2008-06-16 01:41:27 ------------

macbeth · 16.06.2008, 00:50

Hier die andere.

Habt tausend Dank für eure Hilfe!

Code:

ATTFilter

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------



-- System Information ----------------------------------------------------------



Microsoft Windows XP Professional (build 2600) SP 3.0

Architecture: X86; Language: English



CPU 0: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+

Percentage of Memory in Use: 24%

Physical Memory (total/avail): 2030.48 MiB / 1534.9 MiB

Pagefile Memory (total/avail): 3365.38 MiB / 3011.55 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1907.26 MiB



C: is Fixed (NTFS) - 298.08 GiB total, 132.39 GiB free. 

D: is CDROM (No Media)

G: is Removable (FAT)



\\.\PHYSICALDRIVE0 - ST3320620AS - 298.09 GiB - 1 partition

  \PARTITION0 (bootable) - Installable File System - 298.08 GiB - C:



\\.\PHYSICALDRIVE1 - VBTM Store'n'go USB Device - 949.15 MiB - 1 partition

  \PARTITION0 (bootable) - Win95 w/Extended Int 13 - 953.5 MiB - G:







-- Security Center -------------------------------------------------------------



AUOptions is scheduled to auto-install.





-- Environment Variables -------------------------------------------------------



ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\Toni\Application Data

CLASSPATH=.;C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=FELIX

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\Toni

LOGONSERVER=\\FELIX

NUMBER_OF_PROCESSORS=2

OS=Windows_NT

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;C:\PROGRA~1\COMMON~1\AUTODE~1;C:\Program Files\QuickTime\QTSystem\

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 75 Stepping 2, AuthenticAMD

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=4b02

ProgramFiles=C:\Program Files

PROMPT=$P$G

QTJAVA=C:\Program Files\Java\jre1.5.0_10\lib\ext\QTJava.zip

SESSIONNAME=Console

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\Toni\LOCALS~1\Temp

TMP=C:\DOCUME~1\Toni\LOCALS~1\Temp

USERDOMAIN=FELIX

USERNAME=Toni

USERPROFILE=C:\Documents and Settings\Toni

windir=C:\WINDOWS





-- User Profiles ---------------------------------------------------------------



Toni (admin)

Administrator (admin)

Guest (guest)





-- Add/Remove Programs ---------------------------------------------------------



 --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

 --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}

Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}

Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}

Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}

Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

Adobe Stock Photos 1.0 --> MsiExec.exe /I{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}

Airfoil Speakers --> "C:\Program Files\Airfoil Speakers\Uninstall Airfoil Speakers.exe"

Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}

Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}

Athlon 64 Processor Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9 

AutoCAD 2000 - Deutsch --> C:\WINDOWS\unin0407.exe -fC:\PROGRA~1\ACAD2000\DeIsL1.isu -c"C:\PROGRA~1\ACAD2000\unacad.dll

Avira AntiVir Personal ñ Free Antivirus --> C:\Program Files\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE

Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}

Canon LBP2900 --> C:\Program Files\Canon\PrnUninstall\Canon LBP2900\CNAB4UN.EXE

Cisco Systems VPN Client 5.0.02.0090 --> MsiExec.exe /X{871DF2BE-41D2-4334-AC33-839AF16FC8FE}

DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER

DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER

DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER

DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN

Duden Korrektor PLUS --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{910BEE2C-3C2F-4DC0-9FF0-61DD5F5E8E47} 

DVD Decrypter (Remove Only) --> "C:\Program Files\DVDrips\DVDdecrypter\uninstall.exe"

DVD Shrink 3.2 --> "C:\Program Files\DVDrips\DVDshrink\unins000.exe"

e-Dictionaries --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4737AD9F-13AA-4E4C-B86F-B631D557F6A7}\setup.exe" anything

English Pronouncing Dictionary --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Cambridge\EPD\Uninst.isu"

Exif-Viewer 2.44 --> C:\WINDOWS\uninstall\Exif-Viewer\setup.exe

FileZilla Client 3.0.8.1 --> C:\Program Files\FileZilla FTP Client\uninstall.exe

Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9  -removeonly

Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98736A65-3C79-49EC-B7E9-A3C77774B0E6}\setup.exe" -l0x9  -removeonly

Google SketchUp 6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}\setup.exe" -l0x9  -removeonly

High Definition Audio Driver Package - KB888111 --> C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe

HijackThis 2.0.2 --> "G:\HijackThis.exe" /uninstall

Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

ICQ6 --> "C:\Program Files\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly

IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe

iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}

J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}

L&H TTS3000 Deutsch --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\LHTTSGED.inf, Uninstall

Launchy 2.0 --> "C:\Program Files\Launchy\unins000.exe"

Lightroom --> MsiExec.exe /I{D4134B0B-EA9B-4835-A77A-60BEE6277101}

Macromedia Dreamweaver MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}\Setup.exe" -l0x9 mmUninstall

Macromedia Flash MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x9 UNINSTALL

Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

Microsoft Encarta 2006 Enzyklop‰die --> MsiExec.exe /I{06100000-3E21-46D6-9A91-D927BA08F41D}

Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}

Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

Mozilla Firefox (2.0.0.14) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe

Mozilla Thunderbird (2.0.0.14) --> C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe

MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}

Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI

NVIDIA ForceWare Network Access Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033 

Office-Bibliothek 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{54971F17-9D16-4D43-95D6-3A86E3D20EDB}\setup.exe"  -uninst 

PC-Bibliothek --> C:\WINDOWS\unin0407.exe -f"c:\program files\Duden\DeIsL1.isu"  -c"c:\program files\Duden\_ISREG32.DLL"

Photomatix Pro version 3.0.3RC2 --> "C:\Program Files\PhotomatixPro3\unins000.exe"

PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe"  -uninstall

QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}

RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

RipIt4Me --> C:\Program Files\DVDrips\RipIt4Me\Uninstal.exe

ScanSoft OmniPage 16 --> MsiExec.exe /I{DF74C7BA-5C9F-4F17-8B6F-5ECE08280F34}

ScanSoft PDF Create! 4 --> MsiExec.exe /I{67EC0AB2-8CF7-4415-9F70-7FBC593C0D5E}

Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}

Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}

SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe" -l0x9  -removeonly

Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}

Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"

Spyder2 --> C:\WINDOWS\unvise32.exe C:\Program Files\ColorVision\Spyder2\uninstal.log

TuneUp Utilities 2006 --> MsiExec.exe /I{868D7896-99D4-4513-BC62-2B3AD3E24926}

VideoLAN VLC media player 0.8.6f --> C:\Program Files\VideoLAN\VLC\uninstall.exe

Visual C++ 8.0 CRT (x86) WinSXS MSM --> MsiExec.exe /I{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}

Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}

Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"

Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}

Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe

XML Paper Specification Shared Components Pack 1.0 --> 

xp-AntiSpy 3.93 --> C:\Program Files\xp-AntiSpy\uninst.exe





-- Application Event Log -------------------------------------------------------



Event Record #/Type6444 / Warning

Event Submitted/Written: 06/16/2008 01:03:25 AM

Event ID/Source: 1524 / Userenv

Event Description:

Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Event Record #/Type6357 / Warning

Event Submitted/Written: 06/16/2008 00:16:39 AM

Event ID/Source: 1524 / Userenv

Event Description:

Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Event Record #/Type6355 / Warning

Event Submitted/Written: 06/16/2008 00:15:42 AM

Event ID/Source: 1524 / Userenv

Event Description:

Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Event Record #/Type6118 / Warning

Event Submitted/Written: 06/15/2008 11:07:16 PM

Event ID/Source: 1524 / Userenv

Event Description:

Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Event Record #/Type6117 / Error

Event Submitted/Written: 06/15/2008 10:09:54 PM

Event ID/Source: 8193 / VSS

Event Description:

Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040206.







-- Security Event Log ----------------------------------------------------------



No Errors/Warnings found.





-- System Event Log ------------------------------------------------------------



No Errors/Warnings found.





-- End of Deckard's System Scanner: finished at 2008-06-16 01:41:27 ------------

BataAlexander · 16.06.2008, 00:57

Ich werde erst morgen dazu kommen die Logs durchzusehen.

macbeth · 16.06.2008, 01:05

Zitat:

Zitat von BataAlexander

Ich werde erst morgen dazu kommen die Logs durchzusehen.

Wow. Ihr seid ja lieb hier! Mache Dir bitte keinen unnötigen Stress!

Tausend Dank! Eigentlich funzt (es scheint wieder alles normal - bin aber sehr skeptisch!!!) es im Moment wieder - ich poste noch mal die aktuelle HiJackThis...

macbeth · 16.06.2008, 01:09

So. Hier die neuere Version. Ich traue dem Braten noch nicht!!!

Code:

ATTFilter

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 02:01:04, on 16.06.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\CNAB4RPK.EXE

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\UAService.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1FBF1F47-46AE-4578-BAEB-06E3D7B7F57E} - C:\WINDOWS\system32\fcccdaxw.dll (file missing)

O2 - BHO: (no name) - {39CEF1D5-A3CE-443C-A113-8CC473D46259} - C:\WINDOWS\system32\qoMeCSKe.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll

O2 - BHO: (no name) - {E0580FD9-2BA1-4679-A259-8154202C3038} - C:\WINDOWS\system32\cbXQiIxY.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVision\Utility\ColorVisionStartup.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168120904062

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O20 - Winlogon Notify: cbXQiIxY - C:\WINDOWS\SYSTEM32\cbXQiIxY.dll

O20 - Winlogon Notify: winrnt32 - C:\WINDOWS\SYSTEM32\winrnt32.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe



--

End of file - 8665 bytes

Hier noch Bilder des Taskmanagers und des Autostarts (welche Einträge kann ich eigentlich löschen? *hmmmm?*):

BataAlexander · 16.06.2008, 07:14

Gehe wiefolgt vor

Bitte öffne Deine HijackThis nochmal und scanne. Check die klickboxen neben den Einträgen die untenstehend gelistet sind.

O2 - BHO: (no name) - {1FBF1F47-46AE-4578-BAEB-06E3D7B7F57E} - C:\WINDOWS\system32\fcccdaxw.dll (file missing)
O2 - BHO: (no name) - {39CEF1D5-A3CE-443C-A113-8CC473D46259} - C:\WINDOWS\system32\qoMeCSKe.dll
O2 - BHO: (no name) - {E0580FD9-2BA1-4679-A259-8154202C3038} - C:\WINDOWS\system32\cbXQiIxY.dll
O20 - Winlogon Notify: cbXQiIxY - C:\WINDOWS\SYSTEM32\cbXQiIxY.dll
O20 - Winlogon Notify: winrnt32 - C:\WINDOWS\SYSTEM32\winrnt32.dll

(file missing)dann Klicke Fix Checked. Schließe HiJackThis. Reboot im abgesicherten Modus.

Benutze den Windows Explorer (um dahin zu kommen, mache einen Rechtsklick auf dem Start Button und klicke auf "Explorer"), bitte lösche diese Dateien (wenn vorhanden):

C:\WINDOWS\system32\eKSCeMoq.ini2
C:\WINDOWS\system32\wxadcccf.ini2
C:\WINDOWS\system32\winrnt32.dll
C:\WINDOWS\system32\cbXQiIxY.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\serauth2.dll
C:\WINDOWS\system32\serauth1.dll
C:\WINDOWS\system32\nsprs.dll
C:\WINDOWS\system32\clauth2.dll
C:\WINDOWS\system32\clauth1.dll
C:\WINDOWS\system32\sysprs7.dll
C:\WINDOWS\system32\fcccdaxw.dll
C:\WINDOWS\system32\qoMeCSKe.dll

Dann starte den Rechner im normalen Modus neu.

Markiere die Dateien dann wiefolgt

Beispiele:
C:\WINDOWS\system32\qoMeCSKe.dll ->gefunden, gelöscht
C:\WINDOWS\system32\qoMeCSKe.dll -> nicht gefunden, nicht gelöscht
C:\WINDOWS\system32\qoMeCSKe.dll -> gefunden, nicht löschbar

Dann lasse Malwarebytes laufen und poste dessen Logfile zusammen mit einem neuen HijackThis Logfile.

macbeth · 16.06.2008, 16:23

EDIT:

Habe Spybot im abgesicherten Modus laufen lassen - 4 Funde, die ich gelöscht habe. Danach ging es. Dann habe ich mich an deine Liste gemacht. Also:

Beispiel: bla bla bla ... (gefunden?, gelöscht?)

C:\WINDOWS\system32\eKSCeMoq.ini2 (nein, nein)
C:\WINDOWS\system32\wxadcccf.ini2 (nein, nein)
C:\WINDOWS\system32\winrnt32.dll (ja, konnte nicht)
C:\WINDOWS\system32\cbXQiIxY.dll (ja, konnte nicht)
C:\WINDOWS\system32\ssprs.dll (ja, ja) > was ist mit ssprs.tgz?
C:\WINDOWS\system32\serauth2.dll (ja, ja)
C:\WINDOWS\system32\serauth1.dll (ja, ja)
C:\WINDOWS\system32\nsprs.dll (ja, ja) > was ist mit nsprs.tgz?
C:\WINDOWS\system32\clauth2.dll (ja, ja)
C:\WINDOWS\system32\clauth1.dll (ja, ja)
C:\WINDOWS\system32\sysprs7.dll (ja, ja) > was ist mit sysprs7.tgz?
C:\WINDOWS\system32\fcccdaxw.dll (nein, nein)
C:\WINDOWS\system32\qoMeCSKe.dll (ja, ja) > aber mit _old hinter .dll ??

Mache weiter...

"Alter" Post:

Hallo.

Wenn ich im abgesicherten Modus starte, dann lädt er auch wieder die explorer.exe, nur um sie 2 Sekunden später wieder zu schließen. Komisch - gestern ging es kurz.

Habe es geschafft, die von Dir angegebenen Einträge mit HijackThis zu löschen. Er gab aber eine Fehlermeldung, dass diese Programme in Benutzung sind und somit nicht gelöscht werden können. Trotzdem scheinen sie nun verschwunden zu sein.

Ist halt schwierig, im Explorer irgendwo hinzukommen, wenn der explorer immer abschmiert. Da muss man sehr schnell sein...

Ich versuche es weiter! Habt vielen Dank für die tolle Hilfe!

BataAlexander · 16.06.2008, 18:29

Bitte lasse Malwarebytes einmal wie beschrieben durchlaufen und poste das Logfile.

macbeth · 16.06.2008, 18:58

Zitat:

Zitat von BataAlexander

Bitte lasse Malwarebytes einmal wie beschrieben durchlaufen und poste das Logfile.

Ja. Ist in Arbeit.

PC

ICH
Der scannt schon seit 2 Stunden - bis jetzt noch nix. Ich werde etwas posten, sobald er fertig ist.

PS:
Also, Spybot hat "Virtumonde" gefunden. Einmal in HKEY_LOCAL_MCHINE\Software\... und eine .dll in Windows\system32\rqRLbyxv.dll_old. Beide sollte er eigentlich gelöscht haben, mal sehen.

Ich weiß gar nicht, wie ich Dir danken soll - mal abwarten. SUPER!

macbeth · 16.06.2008, 19:17

Na jetzt geht es abba los!!

Also, Malwarebytes ist komplett durchgelaufen. Hat um die 7 Probleme gefunden, manche konnte er nicht reparieren - erst Neustart erforderlich. Also, Neustart. Jetzt meldet sich AntiVir XP sofort nach dem Start (explorer.exe noch nicht einmal geladen) und sagt:

C:\WINDOWS\system32\cbXQIxY.dll
Is the Trojan horse TR/Trash.Gen

An dem Punkt bin ich nun. Was soll ich AntiVir sagen? Löschen? Deny access? Move to quarantine? ...?

Vielen Dank!

macbeth · 16.06.2008, 20:47

Hier die Log:

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.17

Datenbank Version: 861



20:03:01 16.06.2008

mbam-log-6-16-2008 (20-03-01).txt



Scan Art: Komplett Scan (C:\|)

Objekte gescannt: 173667

Scan Dauer: 1 hour(s), 41 minute(s), 27 second(s)



Infizierte Speicher Prozesse: 0

Infizierte Speicher Module: 2

Infizierte Registrierungsschl¸ssel: 5

Infizierte Registrierungswerte: 1

Infizierte Datei Objekte der Registrierung: 1

Infizierte Verzeichnisse: 0

Infizierte Dateien: 3



Infizierte Speicher Prozesse:

(Keine Malware Objekte gefunden)



Infizierte Speicher Module:

C:\WINDOWS\system32\cbXQiIxY.dll (Trojan.Vundo) -> Unloaded module successfully.

C:\WINDOWS\system32\hgGabawv.dll (Trojan.Vundo) -> Unloaded module successfully.



Infizierte Registrierungsschl¸ssel:

HKEY_CLASSES_ROOT\CLSID\{e0580fd9-2ba1-4679-a259-8154202c3038} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e0580fd9-2ba1-4679-a259-8154202c3038} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxqiixy (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.



Infizierte Registrierungswerte:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e0580fd9-2ba1-4679-a259-8154202c3038} (Trojan.Vundo) -> Quarantined and deleted successfully.



Infizierte Datei Objekte der Registrierung:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.



Infizierte Verzeichnisse:

(Keine Malware Objekte gefunden)



Infizierte Dateien:

C:\WINDOWS\system32\cbXQiIxY.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\hgGabawv.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

AntiVir schlägt jetzt im Minutentakt Alarm. Ich move die Dateien immer in die Quarantäne.

BataAlexander · 17.06.2008, 01:07

Hat Malwar3bytes den Rechner neu gestartet?
Lass es dann bitte noch einmal laufen poste auch dieses Logfile.

Filelist

1. Lade das filelist.zip auf deinen Desktop herunter.
2. Entpacke die Zip-Datei auf deinen Desktop (mit einem Packprogramm), öffne die nun auf deinem Destop vorhandene filelist.bat mit einem Doppelklick auf die Datei
3. Dein Editor (Textverarbeitungsprogramm) wird sich öffnen
4. Markiere von diesem Inhalt aus jedem Verzeichnis jeweils die letzten 30 Tage, wähle kopieren, füge diese Dateien in deinem nächsten Beitrag ein.

Dies sind die Verzeichnisse von denen wir jeweils die letzten 30 Tage sehen wollen:
Verzeichnis von C:\
Verzeichnis von C:\WINDOWS\system32
Verzeichnis von C:\WINDOWS
Verzeichnis von C:\WINDOWS\Prefetch (Windows XP)
Verzeichnis von C:\WINDOWS\tasks
Verzeichnis von C:\WINDOWS\Temp
Verzeichnis von C:\DOCUME~1\Name\LOCALS~1\Temp
Credits to Karl83 / KarlKarl

Ist die Datei zu groß, lade sie bei File-Upload.net - Ihr kostenloser File Hoster! hoch und poste den Link.

Dann poste noch ein neues HijackThis Logfile.

macbeth · 17.06.2008, 13:14

Mal wieder herzlichen Dank für eure Hilfe!

Also:

Nummer 1

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.17

Datenbank Version: 861



13:39:07 17.06.2008

mbam-log-6-17-2008 (13-39-07).txt



Scan Art: Komplett Scan (C:\|)

Objekte gescannt: 184700

Scan Dauer: 1 hour(s), 30 minute(s), 6 second(s)



Infizierte Speicher Prozesse: 0

Infizierte Speicher Module: 0

Infizierte Registrierungsschl¸ssel: 1

Infizierte Registrierungswerte: 0

Infizierte Datei Objekte der Registrierung: 0

Infizierte Verzeichnisse: 0

Infizierte Dateien: 0



Infizierte Speicher Prozesse:

(Keine Malware Objekte gefunden)



Infizierte Speicher Module:

(Keine Malware Objekte gefunden)



Infizierte Registrierungsschl¸ssel:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.



Infizierte Registrierungswerte:

(Keine Malware Objekte gefunden)



Infizierte Datei Objekte der Registrierung:

(Keine Malware Objekte gefunden)



Infizierte Verzeichnisse:

(Keine Malware Objekte gefunden)



Infizierte Dateien:

(Keine Malware Objekte gefunden)

16.06.2008, 00:57	#5
BataAlexander > MalwareDB	explorer.exe stürzt ab/lädt neu Ich werde erst morgen dazu kommen die Logs durchzusehen. __________________ If every computer is running a diverse ecosystem, crackers will have no choice but to resort to small-scale, targetted attacks, and the days of mass-market malware will be over[...]. Stuart Udall

16.06.2008, 18:29	#10
BataAlexander > MalwareDB	explorer.exe stürzt ab/lädt neu Bitte lasse Malwarebytes einmal wie beschrieben durchlaufen und poste das Logfile. __________________ If every computer is running a diverse ecosystem, crackers will have no choice but to resort to small-scale, targetted attacks, and the days of mass-market malware will be over[...]. Stuart Udall

explorer.exe stürzt ab/lädt neu

Log-Analyse und Auswertung: explorer.exe stürzt ab/lädt neu