
Log analysis and evaluation: PC installs and starts applications on its own

If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To be able to remove viruses and trojans, the infected system first has to be examined: First steps for help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

27.08.2008, 13:46   #1
OMER

Hi,

I have the problem that my PC installs and starts applications on its own (e.g. Antivir XP 2008, AOL Dial in), but it is definitely not Antivir 2008 XP. Another problem is that I cannot run any scans, neither antivirus (I tried with the eTrust antivirus that was preinstalled on my machine) nor spy/adware (Ad-Aware aborts after a certain time and the program crashes).
On Google I cannot open any search results. When I click them, it opens other pages on its own, though still related to the search term. I also cannot change my desktop background; the option has been disabled under Properties.

I hope you can help.

Here is the logfile from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:18, on 27.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Dit.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\Gemeinsame Dateien\AOL\1203702677\ee\aolsoftware.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programme\Logitech\QuickCam10\QuickCam10.exe
C:\Programme\Remote Control Pro\RCPServer.exe
C:\WINDOWS\system32\lphcnr5j0ej2n.exe
C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\Programme\ICQ6\ICQ.exe
C:\dokumente und einstellungen\medion\lokale einstellungen\anwendungsdaten\wmycc.exe
C:\Programme\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\pphcnr5j0ej2n.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\CA\eTrust Antivirus\InoRpc.exe
C:\Programme\CA\eTrust Antivirus\InoRT.exe
C:\Programme\CA\eTrust Antivirus\InoTask.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Windows Live\Messenger\msnmsgr.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1576177
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Programme\Freecorder\tbFre1.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Programme\livetvbar\tblive.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Programme\Freecorder\tbFre1.dll
O2 - BHO: 375013 helper - {74F7DB6B-86E9-4B91-9D9F-B0D954D7AA5B} - C:\WINDOWS\system32\375013\375013.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Programme\livetvbar\tblive.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Programme\Freecorder\tbFre1.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Programme\livetvbar\tblive.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AntivirusRegistration] C:\Programme\CA\Etrust Antivirus\Register.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HostManager] C:\Programme\Gemeinsame Dateien\AOL\1203702677\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programme\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Remote Control Pro] C:\Programme\Remote Control Pro\RCPServer.exe
O4 - HKLM\..\Run: [lphcnr5j0ej2n] C:\WINDOWS\system32\lphcnr5j0ej2n.exe
O4 - HKLM\..\Run: [SMrhcjr5j0ej2n] C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSetup] C:\DOKUME~1\Medion\LOKALE~1\Temp\QuickCam_11.0.0\setup.exe /skip_all_checks /p /start /restart /l:deu
O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\nsinet.exe /res
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [wmycc] "c:\dokumente und einstellungen\medion\lokale einstellungen\anwendungsdaten\wmycc.exe" wmycc
O4 - HKCU\..\Run: [Veoh] "C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with Xilisoft Download YouTube Video - C:\Programme\Xilisoft\Download YouTube Video\upod_link.HTM
O8 - Extra context menu item: In neuer Registerkarte im Hintergrund öffnen - res://C:\Programme\Windows Live Toolbar\Components\de-de\msntabres.dll.mui/229?d8f2a52997324421b577ad1c5966fda3
O8 - Extra context menu item: In neuer Registerkarte im Vordergrund öffnen - res://C:\Programme\Windows Live Toolbar\Components\de-de\msntabres.dll.mui/230?d8f2a52997324421b577ad1c5966fda3
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.de
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110880546187
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DF1C8E21-4045-4D67-B528-335F1A4F0DE9} - http://es6-scripts.dlv4.com/binaries/egaccess4/egaccess4_1073_em_XP.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9AE2FF8-35DF-4C5B-B467-B5938B4EE82E}: NameServer = 195.50.140.252 195.50.140.114
O22 - SharedTaskScheduler: hruska - {747e1fbe-b70f-441d-bbca-6e536c04924a} - C:\WINDOWS\system32\sozctue.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Control Pro (RCPServer) - Alchemy Lab - C:\Programme\Remote Control Pro\rcpserver.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 13323 bytes

Edited by OMER (27.08.2008 at 14:02)
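The O2/O4/O17/O22 lines in the log above are what the helper in the following posts picks apart by eye. As an added example that is not part of the thread, the Python below applies a few of those triage rules mechanically to lines copied from this log: entries whose target file is missing, O10 Winsock hijacks, a custom O17 NameServer that should be verified, file names that look machine-generated (letters and digits alternating, as in lphcnr5j0ej2n, or purely numeric, as in 375013.dll) and autoruns that live in a user profile's temp or application-data folders. The regular expressions, the folder list and the wording of the reasons are this example's own assumptions, and the output is a review list, not a verdict: it does not know that webHancer is adware, which only a lookup of the name would tell it.

```python
import re

# Heuristics; patterns and folder names are this example's own assumptions.
MIXED_NAME = re.compile(r"[a-z]+\d+[a-z]+\d+")  # letters/digits alternating twice, e.g. lphcnr5j0ej2n
ALL_DIGITS = re.compile(r"^\d+$")               # purely numeric stem, e.g. 375013.dll
# First absolute Windows path in a line, up to a binary extension (spaces allowed,
# as in "C:\Programme\Remote Control Pro\RCPServer.exe").
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|cpl|sys)\b", re.I)
# Per-user folders a Run entry rarely points at legitimately (Windows XP, German and English names).
PROFILE_DIRS = (
    "\\lokale einstellungen\\", "\\local settings\\",
    "\\anwendungsdaten\\", "\\application data\\",
    "\\temp\\",
)


def file_stem(path):
    """'C:\\x\\lphcnr5j0ej2n.exe' -> 'lphcnr5j0ej2n'."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[0].lower()


def reasons_for(line):
    """Return the review reasons for one HijackThis line (empty list if nothing stands out)."""
    reasons = []
    low = line.lower()
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("target file missing: orphaned entry or file hidden from the scanner")
    if line.startswith("O10 - ") and "hijacked" in low:
        reasons.append("Winsock LSP hijack: deleting the DLL without repairing the LSP chain breaks networking")
    if line.startswith("O17 - ") and "nameserver" in low:
        reasons.append("custom DNS servers: verify they belong to the ISP")
    m = PATH_RE.search(line)
    if m:
        path = m.group(0)
        stem = file_stem(path)
        if MIXED_NAME.search(stem) or ALL_DIGITS.match(stem):
            reasons.append("machine-generated looking file name: " + path)
        if any(d in path.lower() for d in PROFILE_DIRS):
            reasons.append("autorun from a user-profile or temp folder: " + path)
    return reasons


def triage(lines):
    """Return [(line, [reasons...]), ...] for the lines worth a second look, in log order."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        reasons = reasons_for(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Lines copied from the HijackThis log in this thread (a sample, not the full log).
SAMPLE_LOG = r"""
O2 - BHO: 375013 helper - {74F7DB6B-86E9-4B91-9D9F-B0D954D7AA5B} - C:\WINDOWS\system32\375013\375013.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [lphcnr5j0ej2n] C:\WINDOWS\system32\lphcnr5j0ej2n.exe
O4 - HKLM\..\Run: [SMrhcjr5j0ej2n] C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSetup] C:\DOKUME~1\Medion\LOKALE~1\Temp\QuickCam_11.0.0\setup.exe /skip_all_checks /p /start /restart /l:deu
O4 - HKCU\..\Run: [wmycc] "c:\dokumente und einstellungen\medion\lokale einstellungen\anwendungsdaten\wmycc.exe" wmycc
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110880546187
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9AE2FF8-35DF-4C5B-B467-B5938B4EE82E}: NameServer = 195.50.140.252 195.50.140.114
O22 - SharedTaskScheduler: hruska - {747e1fbe-b70f-441d-bbca-6e536c04924a} - C:\WINDOWS\system32\sozctue.dll (file missing)
""".splitlines()

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

On the sample above the two FakeAV loaders, the numeric BHO, wmycc.exe, the Temp-based setup entry, the orphaned BHO and O22 entry, the O10 lines and the O17 servers come out flagged, while ctfmon, realmon and the NVIDIA entry pass. The Temp-based LogitechSetup entry is a false positive by name, which is exactly why the list is a starting point for the VirusTotal checks the helper asks for next, not a deletion list.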

27.08.2008, 13:52   #2
Chris4You

Hi,

er, it'll take me a while to dig through all of that...

Yikes, you have a remote server on there...
That looks like a reinstall... or is it intentional?

chris

27.08.2008, 14:09   #3
OMER

I'd rather not reinstall, only if really nothing else works.
And yes, the remote server is intentional. This is my little brother's PC and I first wanted to try to help him from another location. I had thought he had a smaller problem where I wouldn't necessarily have to be on site. But as I notice now, the matter looks more serious.

PS: by the way, I changed the logfile again. In the previous one I had closed a few applications via Task Manager. I rebooted and created the logfile again so that the applications are there again and are included in the logfile.

27.08.2008, 14:10   #4
Chris4You

Hi,

Just to be on the safe side!
Is the remote server intentional now or not?
Is the computer used for work (company?), because the following script may well break something...

Your risk...

Please check the following files:
Quote:
C:\WINDOWS\system32\nsinet.exe
C:\WINDOWS\system32\lphcnr5j0ej2n.exe
C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe
C:\WINDOWS\system32\375013\375013.dll
http://www.virustotal.com/flash/index_en.html
At the top of the page --> click Browse --> choose the file (or paste the file with its correct path straight in) --> double-click the file to be checked --> click "Send"... now wait - then select the text with the right mouse button -> copy - paste
Please post the result together with the filename!

So:
Avenger instructions (by swandog46)

1.) Download the Avenger tool and save it to the desktop:



2.) Configure the program as shown in the picture.

Now copy the following text into the white box:
(at -> "input script here")


Code:
Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|lphcnr5j0ej2n
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SMrhcjr5j0ej2n
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|webHancer Agent
 
Files to delete:
C:\WINDOWS\system32\nsinet.exe
C:\WINDOWS\system32\lphcnr5j0ej2n.exe
C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe
C:\WINDOWS\system32\375013\375013.dll

Folders to delete:
C:\Programme\ShoppingReport
C:\Program Files\webHancer
C:\Programme\rhcjr5j0ej2n
         

3.) Now close all programs (save your work first if necessary!) and browser windows; after Avenger has run, the system will be restarted.


4.) To start Avenger click on -> Execute
Then confirm with "Yes" that the computer will restart!

5.) After the system has restarted you will find Avenger's report here -> C:\avenger.txt
Open the file with Notepad and copy the entire text into your post here on Trojaner-Board.


HijackThis, fix:
open HijackThis -- button "Scan" -- tick the boxes in front of the following entries -- button "Fix checked" -- restart the PC
All programs must be closed while fixing!
Code:
O22 - SharedTaskScheduler: hruska - {747e1fbe-b70f-441d-bbca-6e536c04924a} - C:\WINDOWS\system32\sozctue.dll (file missing)
O16 - DPF: {DF1C8E21-4045-4D67-B528-335F1A4F0DE9} - http://es6-scripts.dlv4.com/binaries/egaccess4/egaccess4_1073_em_XP.cab
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.de
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O4 - HKCU\..\Run: [wmycc] "c:\dokumente und einstellungen\medion\lokale einstellungen\anwendungsdaten\wmycc.exe" wmycc
O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\nsinet.exe /res
O4 - HKLM\..\Run: [lphcnr5j0ej2n] C:\WINDOWS\system32\lphcnr5j0ej2n.exe
O4 - HKLM\..\Run: [SMrhcjr5j0ej2n] C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: 375013 helper - {74F7DB6B-86E9-4B91-9D9F-B0D954D7AA5B} - C:\WINDOWS\system32\375013\375013.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1576177
         
Please install MAM and ComboFix, update MAM, then go offline, run both one after the other
and let them clean up everything. Then go back online and post the logs.
WARNING: The remote server is still running as a service; if that is not intentional,
the following service must be stopped and deleted:
O23 - Service: Remote Control Pro (RCPServer) - Alchemy Lab - C:\Programme\Remote Control Pro\rcpserver.exe

I have only taken out the Run key for you; the software itself is still on the machine!

MAM:
Instructions here: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html
But please use this download link: http://filepony.de/download-malwarebytes_anti_malware/.

ComboFix:
Download ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to the desktop.
Close all windows, start combofix.exe and confirm the following prompt with 1 and press Enter.

The ComboFix scan can take some time, so be patient. Please do not do anything on the computer during the scan.
It is possible that the computer will be restarted in between.
After the scan finishes a report is displayed; please copy it and paste it into your thread.
Further instructions at: http://www.bleepingcomputer.com/combofix/de/wie-combofix-benutzt-wird

Chris
PS: Java, IE (IE7) and Windows (SP3) could also do with an update!

Edit: removed the remote server from the scripts...
Please work through everything; this is Antivirus 2008 (C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe) (I think... ;o)
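The Avenger script in the post above is written by hand from the O4 lines of the HijackThis log, and the first Avenger run reported further down in the thread aborted with "A valid script must begin with a command directive". As an added example (not the tool's code and not part of the thread), the Python below derives the same kind of script from selected O4 lines: HKLM Run values go into the Avenger script together with their image paths, HKCU entries are kept aside for the HijackThis fix list, as the post itself does, and a small validator checks the structure Avenger complained about before the script is pasted in. The three directives are copied from the posted script; the regular expressions, the HKLM/HKCU split and the validation rules are this example's own assumptions, and the folders still have to be named by hand.

```python
import re

# "O4 - HKLM\..\Run: [value name] image path [args]" as HijackThis 2.0 prints it.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# First absolute Windows path in the remainder, up to the binary's extension (spaces allowed).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|cpl|sys)\b", re.I)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Directives exactly as they appear in the script posted in this thread; Avenger knows
# more, but only these three are shown on the page.
DIRECTIVES = ("Registry values to delete:", "Files to delete:", "Folders to delete:")


def parse_o4(line):
    """Return (hive, value_name, image_path_or_None), or None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, rest = m.groups()
    p = PATH_RE.search(rest)
    return hive, name, (p.group(0) if p else None)


def build_cleanup(o4_lines, folders=()):
    """Split O4 lines into an Avenger script (HKLM entries) and a HijackThis fix list (HKCU entries).

    Returns (avenger_script_text, hjt_fix_lines)."""
    values, files, hjt = [], [], []
    for line in o4_lines:
        parsed = parse_o4(line)
        if parsed is None:
            raise ValueError("not an O4 line: " + line)
        hive, name, path = parsed
        if hive == "HKCU":
            hjt.append(line.strip())  # left to "Fix checked" in HijackThis, as in the post
            continue
        values.append("%s\\%s|%s" % (hive, RUN_KEY, name))
        if path and path not in files:
            files.append(path)
    out = ["Registry values to delete:"] + values
    if files:
        out += ["", "Files to delete:"] + files
    if folders:
        out += ["", "Folders to delete:"] + list(folders)
    return "\n".join(out) + "\n", hjt


def validate_script(text):
    """Return a list of problems; an empty list means the script starts with a directive
    and every entry has the shape its section expects."""
    problems = []
    body = [l.rstrip() for l in text.splitlines() if l.strip()]
    if not body:
        return ["script is empty"]
    if body[0] not in DIRECTIVES:
        problems.append("first line must be a directive, got: %r" % body[0])
    section = None
    for l in body:
        if l in DIRECTIVES:
            section = l
        elif section in ("Files to delete:", "Folders to delete:") and not re.match(r"^[A-Za-z]:\\", l):
            problems.append("not an absolute path under %s: %r" % (section, l))
        elif section == "Registry values to delete:" and "|" not in l:
            problems.append("registry entry needs key|value form: %r" % l)
    return problems


# O4 lines copied from the HijackThis log in this thread; folders taken from the posted script.
SAMPLE_O4 = [
    r"O4 - HKLM\..\Run: [lphcnr5j0ej2n] C:\WINDOWS\system32\lphcnr5j0ej2n.exe",
    r"O4 - HKLM\..\Run: [SMrhcjr5j0ej2n] C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe",
    r'O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"',
    r"O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\nsinet.exe /res",
    r'O4 - HKCU\..\Run: [wmycc] "c:\dokumente und einstellungen\medion\lokale einstellungen\anwendungsdaten\wmycc.exe" wmycc',
]
SAMPLE_FOLDERS = [r"C:\Programme\rhcjr5j0ej2n", r"C:\Program Files\webHancer"]

if __name__ == "__main__":
    script, hjt = build_cleanup(SAMPLE_O4, SAMPLE_FOLDERS)
    print(script)
    print("Fix in HijackThis:")
    for l in hjt:
        print("  " + l)
    print("problems:", validate_script(script))
```

The generated script opens with "Registry values to delete:", lists the three HKLM values with the three image paths under "Files to delete:" and the two folders last, and the two HKCU entries come back as HijackThis fix lines. The validator rejects, for instance, a script whose first line is a stray word copied along with the text from a forum code box, or a file entry that is not an absolute path.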

27.08.2008, 15:50   #5
OMER

C:\WINDOWS\system32\nsinet.exe

Code:
Antivirus Version Last update Result 
AhnLab-V3 - - - 
AntiVir - - DIAL/140760.A.2 
Authentium - - W32/InstAccess.B.gen!Eldorado 
Avast - - Win32:Dialer-gen 
AVG - - Dialer.28.BM 
BitDefender - - - 
CAT-QuickHeal - - PornDialer.InstantAccess.dcm (Not a Virus) 
ClamAV - - - 
DrWeb - - - 
eSafe - - Suspicious File 
eTrust-Vet - - - 
Ewido - - - 
F-Prot - - W32/InstAccess.B.gen!Eldorado 
F-Secure - - Porn-Dialer.Win32.InstantAccess.dcm 
Fortinet - - Dial/InstantAccess 
GData - - Win32:Dialer-gen 
Ikarus - - Dialer.Win32.InstantAccess 
Kaspersky - - not-a-virus:Porn-Dialer.Win32.InstantAccess.dcm 
McAfee - - Generic Dropper.az 
Microsoft - - Dialer:Win32/InstantAccess 
NOD32v2 - - - 
Norman - - - 
Panda - - Generic Trojan 
Prevx1 - - Malicious Software 
Rising - - - 
Sophos - - InstantAccess 
Sunbelt - - EGroup.InstantAccess 
Symantec - - - 
TheHacker - - Trojan/Dialer.InstantAccess.dcm 
TrendMicro - - - 
VBA32 - - Porn-Dialer.Win32.InstantAccess.dcm 
VirusBuster - - - 
Webwasher-Gateway - - Dialer.140760.A.2 
Additional information 
MD5: 932358cef85cf21f818a2a804994edb3 
SHA1: 74f4337d19c3df40927966a748e5ab358602a37b 
SHA256: e10641928e77b29c0acd5129814143006937e1026b79397f9c740bafddb76d78 
SHA512: b78d237abe99279f6f91e797bd6a23c79bd60a46f318ed712b57eace9552a8606c4204f6dac0e83e660bf16d061f9b21437abc67ac1472564d0967fafbfdcffe
         

C:\WINDOWS\system32\lphcnr5j0ej2n.exe

Code:
Antivirus Version Last update Result 
AhnLab-V3 2008.8.21.0 2008.08.26 - 
AntiVir 7.8.1.23 2008.08.26 TR/Dldr.Small.gae 
Authentium 5.1.0.4 2008.08.25 - 
Avast 4.8.1195.0 2008.08.25 - 
AVG 8.0.0.161 2008.08.26 Downloader.FraudLoad.N 
BitDefender 7.2 2008.08.26 Trojan.Peed.JSB 
CAT-QuickHeal 9.50 2008.08.25 (Suspicious) - DNAScan 
ClamAV 0.93.1 2008.08.26 - 
DrWeb 4.44.0.09170 2008.08.26 - 
eSafe 7.0.17.0 2008.08.24 Suspicious File 
eTrust-Vet 31.6.6048 2008.08.25 - 
Ewido 4.0 2008.08.25 - 
F-Prot 4.4.4.56 2008.08.26 - 
F-Secure 7.60.13501.0 2008.08.26 Backdoor.Win32.Agent.qcd 
Fortinet 3.14.0.0 2008.08.26 - 
GData 2.0.7306.1023 2008.08.20 - 
Ikarus T3.1.1.34.0 2008.08.26 - 
K7AntiVirus 7.10.428 2008.08.25 - 
Kaspersky 7.0.0.125 2008.08.26 Backdoor.Win32.Agent.qcd 
McAfee 5369 2008.08.25 - 
Microsoft 1.3807 2008.08.25 Trojan:Win32/Tibs.HP 
NOD32v2 3387 2008.08.26 Win32/TrojanDownloader.FakeAlert.HJ 
Norman 5.80.02 2008.08.25 - 
Panda 9.0.0.4 2008.08.25 - 
PCTools 4.4.2.0 2008.08.25 - 
Prevx1 V2 2008.08.26 Malicious Software 
Rising 20.59.10.00 2008.08.26 - 
Sophos 4.32.0 2008.08.26 - 
Sunbelt 3.1.1582.1 2008.08.26 - 
Symantec 10 2008.08.26 Downloader.MisleadApp 
TheHacker 6.3.0.6.060 2008.08.23 - 
TrendMicro 8.700.0.1004 2008.08.26 - 
VBA32 3.12.8.4 2008.08.25 - 
ViRobot 2008.8.25.1348 2008.08.25 - 
VirusBuster 4.5.11.0 2008.08.25 - 
Webwasher-Gateway 6.6.2 2008.08.26 Trojan.Dldr.Small.gae 
Additional information 
File size: 199168 bytes 
MD5...: 609e59d17a35e514caea543868134d7a 
SHA1..: eb5db8bc5ae5687361549197b55a4f56c5a394e5 
SHA256: d566ad1822c2246a943a5c448dcc1b09b3ba1440d6c690391aa5ecc9f80e6cd4 
SHA512: 7ffd7e65d75f112694607b152c93fc3d93ab10afabd1b55bd1ff5c1d1a5c0c33
ae37aa3375d02c9d3647bdddee6959c1984b8149b87d3e958311204ff1ade818 
PEiD..: - 
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4066c9
timedatestamp.....: 0x48a5befd (Fri Aug 15 17:38:05 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xecfb 0x9200 7.99 67795eee06789c0a2f8e2358e9a8e0b6
.rdata 0x10000 0x3cd3 0x1800 7.97 b3c34e7072bce1c86ac8b15408500f54
.data 0x14000 0xb66fa 0x22c00 8.00 349e385fc500f5fdf2e5a7ea28e0072b
.rsrc 0xcb000 0xf000 0x3000 6.62 d2f28c23e77dbea4100179f07bcfc66f

( 4 imports ) 
> wsock32.dll: bind, WSAStartup, listen
> kernel32.dll: CreatePipe, TerminateProcess, VirtualProtect
> gdi32.dll: SetRelAbs, StretchBlt, SetICMMode, ResetDCW, UpdateColors, SaveDC, TextOutW, SetDIBColorTable
> shell32.dll: SHAppBarMessage, StrRChrIA, StrStrIA

( 0 exports ) 
 
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=609e59d17a35e514caea543868134d7a 
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=680727080024C31B0AFE03FAF8934C0036A45F5C
         

C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe

Code:
Antivirus Version Last update Result 
AhnLab-V3 2008.8.21.0 2008.08.25 - 
AntiVir 7.8.1.23 2008.08.25 - 
Authentium 5.1.0.4 2008.08.25 - 
Avast 4.8.1195.0 2008.08.24 - 
AVG 8.0.0.161 2008.08.25 Downloader.FraudLoad 
BitDefender 7.2 2008.08.25 - 
CAT-QuickHeal 9.50 2008.08.22 (Suspicious) - DNAScan 
ClamAV 0.93.1 2008.08.25 - 
DrWeb 4.44.0.09170 2008.08.25 - 
eSafe 7.0.17.0 2008.08.24 - 
eTrust-Vet 31.6.6047 2008.08.25 - 
Ewido 4.0 2008.08.25 - 
F-Prot 4.4.4.56 2008.08.25 - 
F-Secure 7.60.13501.0 2008.08.25 Trojan.Win32.Monder.gen 
Fortinet 3.14.0.0 2008.08.25 - 
GData 2.0.7306.1023 2008.08.20 Trojan.Win32.Monder.gen 
Ikarus T3.1.1.34.0 2008.08.25 - 
K7AntiVirus 7.10.427 2008.08.23 - 
Kaspersky 7.0.0.125 2008.08.25 Trojan.Win32.Monder.gen 
McAfee 5368 2008.08.22 - 
Microsoft 1.3807 2008.08.25 - 
NOD32v2 3384 2008.08.25 a variant of Win32/TrojanDownloader.FakeAlert.HH 
Panda 9.0.0.4 2008.08.25 - 
PCTools 4.4.2.0 2008.08.25 - 
Prevx1 V2 2008.08.25 Malicious Software 
Rising 20.59.00.00 2008.08.25 - 
Sophos 4.32.0 2008.08.25 Mal/EncPk-CZ 
Sunbelt 3.1.1575.1 2008.08.23 - 
Symantec 10 2008.08.25 - 
TheHacker 6.3.0.6.060 2008.08.23 - 
TrendMicro 8.700.0.1004 2008.08.25 - 
VBA32 3.12.8.4 2008.08.25 Malware-Cryptor.Win32.Rp 
ViRobot 2008.8.22.1346 2008.08.22 - 
VirusBuster 4.5.11.0 2008.08.24 - 
Webwasher-Gateway 6.6.2 2008.08.25 - 
Additional information 
File size: 831488 bytes 
MD5...: fab3e144bfd713104799bef3b9c903b6 
SHA1..: 186857083ba8c330314b9396eff0b5c23fd08eaa 
SHA256: 77eec921fd09bc5505933ce59b4ea28006724b5a87952c95faae960fc709a380 
SHA512: a433f29e132223c07731a8f5e1c4e3abcd023f5309bc9e430ffe29ad34b8bf40
12a49abc41b7a800f003c8e0b472cfff4f3505791e31d4e416ad7781f3db5519 
PEiD..: - 
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401cbf
timedatestamp.....: 0x48b2609f (Mon Aug 25 07:34:55 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x984264 0x3000 4.93 44bd1b837a0e4feac1ff3522b23877f1
DATA 0x986000 0xb2478 0xb3000 7.99 53c055f17c6dd087af050afb12012b07
.rsrc 0xa39000 0x13000 0x13000 4.69 0f0439064d04fe96e396687d398c1a8a
.idata 0xa4c000 0x600 0x1000 0.72 e1742759eaca71ac68ac44a250b2761d
.pack32 0xa4d000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 3 imports ) 
> kernel32.dll: WritePrivateProfileStructW, DisconnectNamedPipe
> user32.dll: ArrangeIconicWindows, EnumThreadWindows
> gdi32.dll: GdiInitSpool, SetBrushOrgEx, GdiGetLocalFont, CheckColorsInGamut, EngLockSurface

( 0 exports ) 
 
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=F289CB51008292C5B0B50C9BB6150800B995898E
         


C:\WINDOWS\system32\375013\375013.dll

Code:
Antivirus Version Last update Result 
AhnLab-V3 - - - 
AntiVir - - TR/Dldr.Zlob.ABMP.9 
Authentium - - - 
Avast - - Win32:E404 
AVG - - Lop.4.K 
BitDefender - - Trojan.Downloader.Zlob.ABMP 
CAT-QuickHeal - - TrojanDownloader.Zlob.gen 
ClamAV - - - 
DrWeb - - Adware.Pors 
eSafe - - - 
eTrust-Vet - - Win32/Warefof.J 
Ewido - - - 
F-Prot - - - 
F-Secure - - - 
FileAdvisor - - High threat detected 
Fortinet - - - 
Ikarus - - Trojan-Downloader 
Kaspersky - - not-a-virus:AdWare.Win32.E404.t 
McAfee - - Puper.dll 
Microsoft - - BrowserModifier:Win32/E404 
NOD32v2 - - Win32/BHO.NDD 
Norman - - W32/DLoader.GJPY 
Panda - - Trj/Downloader.TCF 
Prevx1 - - Lop.4.K 
Rising - - - 
Sophos - - Mal/Generic-A 
Sunbelt - - BHO.e404.Hijacker 
Symantec - - Trackware.ProSearch 
TheHacker - - - 
VBA32 - - Win32.BHO.NDD 
VirusBuster - - Trojan.DL.Zlob.ITW 
Webwasher-Gateway - - Trojan.Dldr.Zlob.ABMP.9 
Additional information 
MD5: 088278d03470789b2cd1adcb6764fdd5 
SHA1: ba64b8b66ee05809e24b9b7e41d652e351734ef5 
SHA256: d3c1ee49c583700eba0dcc923339fd369ed55e8bd2ac3352517bc89531189357 
SHA512: d2923026635dc8cdb14dc936e21d76985916737691ba96d481a7a8f1ba6c69274a371d194251c19c8cd338ff388bdd0843488e32d15ca2baf2b779df4cac8627
         


avenger.txt

Code:
//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Wed Aug 27 16:13:07 2008

16:13:07: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "tdssserv" found!
ImagePath:  \systemroot\system32\drivers\tdssserv.sys 
Start Type:  1 (System)

Rootkit scan completed.


Error:  file "C:\WINDOWS\system32\nsinet.exe" not found!
Deletion of file "C:\WINDOWS\system32\nsinet.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\lphcnr5j0ej2n.exe" deleted successfully.
File "C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe" deleted successfully.
File "C:\WINDOWS\system32\375013\375013.dll" deleted successfully.
Folder "C:\Programme\ShoppingReport" deleted successfully.
Folder "C:\Program Files\webHancer" deleted successfully.
Folder "C:\Programme\rhcjr5j0ej2n" deleted successfully.
Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|lphcnr5j0ej2n" deleted successfully.
Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SMrhcjr5j0ej2n" deleted successfully.
Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|webHancer Agent" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
         
So, after I had done that, I wanted to post the results so far, but: the internet connection no longer worked. More precisely: under Network Connections it says the connection has been established, but I cannot open any page with Opera, Firefox or IE. ICQ, MSN & co. don't work either. Strange. I re-read this Avenger text and then thought, where this "error file not found" is, I'll correct your line. The file was called "c/windows/system32nsinet.exe" and not "c/windows/system32/nsinet.exe".
I thought maybe that's the reason I can't establish a connection.


Then I ran Avenger again with the same lines from you, only with the small correction:

Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "tdssserv" found!
ImagePath:  \systemroot\system32\drivers\tdssserv.sys 
Start Type:  1 (System)

Rootkit scan completed.

File "C:\WINDOWS\system32nsinet.exe" deleted successfully.

Error:  file "C:\WINDOWS\system32\lphcnr5j0ej2n.exe" not found!
Deletion of file "C:\WINDOWS\system32\lphcnr5j0ej2n.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open file "C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe"
Deletion of file "C:\Programme\rhcjr5j0ej2n\rhcjr5j0ej2n.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist


Error:  file "C:\WINDOWS\system32\375013\375013.dll" not found!
Deletion of file "C:\WINDOWS\system32\375013\375013.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  folder "C:\Programme\ShoppingReport" not found!
Deletion of folder "C:\Programme\ShoppingReport" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  folder "C:\Program Files\webHancer" not found!
Deletion of folder "C:\Program Files\webHancer" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  folder "C:\Programme\rhcjr5j0ej2n" not found!
Deletion of folder "C:\Programme\rhcjr5j0ej2n" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|lphcnr5j0ej2n"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|lphcnr5j0ej2n" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SMrhcjr5j0ej2n"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SMrhcjr5j0ej2n" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|webHancer Agent"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|webHancer Agent" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.
         

No success, still no connection. Posting from the laptop right now...

edit: by the way; Antivirus 2008 no longer starts, a good sign. I still can't change the desktop background. There is also an image of an error message / virus warning there

"warning spyware detected on your computer
warning win32/adware.virtumonde detected on your computer
warning win32/privacyremover.m64 detected on your computer" there is a bit more text, but that is the headline. The image looks as if an application had been started... with an X and minimize / maximize at the top. But as I said, it is only an image.


Last edited by OMER (27.08.2008 at 16:07)

27.08.2008, 21:57   #6
Chris4You
 
Hi,

we'll take care of the internet later, YOU still have quite a bit on the computer!

So make sure to install and run MAM, and then ComboFix!
Post both logs, MAM is going to kill quite a bit more.

The internet connection is related to "WebHancer"...
(-> Hijacked Internet access by WebHancer -> http://www.pctipp.ch/index.cfm?pid=1377&pk=24523
Either reinstall it, or we roll back the HJ backup for it, or
we try to repair the Winsock -> http://www.snapfiles.com/get/lspfix.html ...)

So, for LSP-Fix:
LSPfix will suggest repairs to you if any are needed
do n o t go into the Advanced Mode - only follow
the suggestions - heed the warnings "IF YOU REALLY KNOW WHAT YOU ARE DOING !"
if you see that, you had better do nothing - otherwise you may have to rebuild the networking part of Windows
by hand - that is no fun!
Actually this should work without problems, since the deleted file can be clearly identified and the chain can be rebuilt (if the rest is OK!)

chris

Last edited by Chris4You (27.08.2008 at 22:09)
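An added example to go with the explanation in the post above (it is not part of the thread and not LSPfix's code): the failure mode Chris4You describes is a Winsock catalog that still lists a layered service provider (LSP) whose DLL has been deleted, so every socket created on the box tries to load a file that is gone and networking stops while the adapter still reports "connected". The script below parses text in the layout of `netsh winsock show catalog` and flags (a) entries whose Provider Path no longer exists on disk and (b) chain entries that point at a catalog ID that is no longer in the catalog. The sample catalog, the GUID-free layout, the DLL file name `whlsp.dll`, the catalog IDs and the simulated file list are all constructed for this example; on a real machine you would feed it the live `netsh` output and `os.path.exists`.

```python
"""Spot a broken Winsock LSP chain from `netsh winsock show catalog` text.

Added example, not part of the thread. The sample below imitates the netsh
layout; GUIDs were omitted, and the webHancer DLL name, catalog IDs and
descriptions are made up. Real use: feed parse_catalog() the live netsh
output and pass os.path.exists to find_broken()."""
import re
from dataclasses import dataclass, field

# Constructed catalog: base TCP/IP provider, an LSP whose folder Avenger
# deleted, its chain entry, and a stale chain entry left by an uninstaller.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
Entry Type:                         Layered Service Provider
Description:                        webHancer LSP
Provider Path:                      C:\Program Files\webHancer\Programs\whlsp.dll
Catalog Entry ID:                   1031
Protocol Chain Length:              0

Winsock Catalog Provider Entry
Entry Type:                         Layered Chain Entry
Description:                        webHancer LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Program Files\webHancer\Programs\whlsp.dll
Catalog Entry ID:                   1032
Protocol Chain Length:              2
Protocol Chain:                     1031 : 1001

Winsock Catalog Provider Entry
Entry Type:                         Layered Chain Entry
Description:                        stale chain left behind by an uninstaller
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1033
Protocol Chain Length:              2
Protocol Chain:                     1040 : 1001
"""

# Simulated disk after C:\Program Files\webHancer was deleted (constructed).
FILES_ON_DISK = {r"c:\windows\system32\mswsock.dll"}

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s+(.*)$")


@dataclass
class CatalogEntry:
    entry_id: int = 0
    entry_type: str = ""
    description: str = ""
    provider_path: str = ""
    chain: list = field(default_factory=list)  # catalog IDs this entry layers over


def expand_env(path, env=None):
    """Expand %VAR% placeholders as Windows would; unknown variables stay as-is."""
    env = env if env is not None else {"SystemRoot": r"C:\WINDOWS"}
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def parse_catalog(text):
    """Split netsh-style catalog text into one CatalogEntry per provider block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Winsock Catalog Provider Entry":
            cur = CatalogEntry()
            entries.append(cur)
            continue
        m = FIELD_RE.match(line)
        if cur is None or not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Catalog Entry ID":
            cur.entry_id = int(value)
        elif key == "Entry Type":
            cur.entry_type = value
        elif key == "Description":
            cur.description = value
        elif key == "Provider Path":
            cur.provider_path = value
        elif key == "Protocol Chain":
            cur.chain = [int(x) for x in value.split(":")]
    return entries


def find_broken(entries, path_exists):
    """Return (entry_id, reason, detail) for every entry Winsock cannot load.

    path_exists is injected so the check runs offline; on the affected
    machine pass os.path.exists."""
    known = {e.entry_id for e in entries}
    problems = []
    for e in entries:
        if e.provider_path and not path_exists(expand_env(e.provider_path).lower()):
            problems.append((e.entry_id, "provider DLL missing", e.provider_path))
        for cid in e.chain:  # a chain may only reference IDs still in the catalog
            if cid not in known:
                problems.append((e.entry_id, "chain references unknown catalog ID", str(cid)))
    return problems


def check_sample():
    """Run the check against the constructed catalog and simulated disk."""
    return find_broken(parse_catalog(SAMPLE_CATALOG), lambda p: p in FILES_ON_DISK)


if __name__ == "__main__":
    for entry_id, reason, detail in check_sample():
        print(f"catalog entry {entry_id}: {reason} ({detail})")
```

Any hit means the catalog must be repaired before the box will talk to the network again: LSPfix removes the orphaned entries and re-links the chain, and on Windows XP SP2 and later `netsh winsock reset` followed by a reboot rebuilds the catalog from scratch, which is the built-in alternative when a third-party tool cannot be downloaded onto an offline machine.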

28.08.2008, 10:45   #7
OMER
 
combofix.txt:

Code:
ComboFix 08-08-26.03 - Medion 2008-08-27 18:03:08.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1031.18.1576 [GMT 2:00]
run from:: H:\ComboFix.exe
 * New restore point created

Warning - No Recovery Console is installed on this PC !!
.

((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\All Users\Desktop\crazy girls.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\License Agreement.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\Uninstall.lnk
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\macromedia\Flash Player\#SharedObjects\VNLL9R24\static.youku.com
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\macromedia\Flash Player\#SharedObjects\VNLL9R24\static.youku.com\v1.0.0233\v\swf\qplayer.swf\youku.sol
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Dokumente und Einstellungen\Medion\Favoriten\Videos.url
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Anwendungsdaten\wmycc.dat
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Anwendungsdaten\wmycc.exe
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Anwendungsdaten\wmycc_nav.dat
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Anwendungsdaten\wmycc_navps.dat
C:\Dokumente und Einstellungen\Medion\Startmenü\crazy girls.lnk
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\softwares.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS
-------\Legacy_TDSSSERV
-------\Legacy_XPROTECTOR
-------\Service_tdssserv
-------\Service_XPROTECTOR


(((((((((((((((((((((((   Files created from 2008-07-27 to 2008-08-27  ))))))))))))))))))))))))))))))
.

2008-08-27 17:07 . 2008-08-27 17:07	<DIR>	d--------	C:\Programme\Malwarebytes' Anti-Malware
2008-08-27 17:07 . 2008-08-27 17:07	<DIR>	d--------	C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\Malwarebytes
2008-08-27 17:07 . 2008-08-27 17:07	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-27 17:07 . 2008-08-17 15:01	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 17:07 . 2008-08-17 15:01	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-27 14:33 . 2008-08-27 14:33	<DIR>	d--------	C:\Programme\Trend Micro
2008-08-27 14:16 . 2008-08-27 14:16	<DIR>	d--------	C:\Programme\Lavasoft
2008-08-27 14:16 . 2008-08-27 14:16	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-08-27 14:15 . 2008-08-27 14:15	<DIR>	d--------	C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-08-26 20:40 . 2008-08-26 20:40	<DIR>	d--------	C:\Programme\Windows Live Safety Center
2008-08-26 19:55 . 2008-08-26 19:55	<DIR>	d--------	C:\Programme\xp-AntiSpy
2008-08-25 17:29 . 2008-08-27 15:18	11,264	--ahs----	C:\WINDOWS\system32\Thumbs.db
2008-08-22 22:02 . 2008-08-22 22:05	<DIR>	d--------	C:\Programme\Remote Control Pro
2008-08-22 21:06 . 2008-08-22 21:06	<DIR>	d--------	C:\WINDOWS\system32\sounds
2008-08-22 21:06 . 2008-08-22 21:06	<DIR>	d--------	C:\WINDOWS\system32\logs
2008-08-22 21:06 . 2008-08-22 21:06	<DIR>	d--------	C:\WINDOWS\system32\download
2008-08-22 21:06 . 2008-08-22 21:08	31	--a------	C:\WINDOWS\system32\value.ini
2008-08-22 19:38 . 2008-08-22 19:38	<DIR>	d--------	C:\Programme\livetvbar
2008-08-22 19:38 . 2008-08-22 19:38	674,138	--a------	C:\WINDOWS\unins000.exe
2008-08-22 19:38 . 2008-08-22 19:38	9,588	--a------	C:\WINDOWS\unins000.dat
2008-08-22 19:38 . 2008-07-30 06:13	128	--a------	C:\WINDOWS\Free Movies OnDemand.url
2008-08-22 19:38 . 2008-07-18 00:36	128	--a------	C:\WINDOWS\Boost Your PC Performance!.url
2008-08-18 10:10 . 2008-08-18 10:10	<DIR>	d--------	C:\Programme\SpeedSim
2008-08-18 10:10 . 2008-08-18 10:10	<DIR>	d--------	C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\SpeedSim
2008-08-17 20:15 . 2008-08-17 20:15	<DIR>	d--------	C:\Programme\MauZ Php Editor
2008-08-17 20:01 . 2008-08-24 17:07	67	--a------	C:\WINDOWS\SpotAuditor.INI
2008-08-17 19:53 . 2008-08-17 19:56	<DIR>	d--------	C:\Programme\Nsasoft
2008-08-16 08:45 . 2008-08-16 08:45	<DIR>	d--------	C:\Programme\Veoh Networks
2008-08-12 03:02 . 2008-08-12 03:02	<DIR>	d--------	C:\WINDOWS\SQLTools9_KB948109_ENU
2008-08-12 03:00 . 2008-08-12 03:00	<DIR>	d--------	C:\WINDOWS\SQL9_KB948109_ENU
2008-08-11 22:36 . 2008-08-22 10:25	<DIR>	d--------	C:\Programme\Microsoft Silverlight
2008-08-11 22:14 . 2008-08-12 03:02	<DIR>	d--------	C:\Programme\Microsoft SQL Server
2008-08-11 21:58 . 2008-08-11 21:58	<DIR>	d--------	C:\Programme\Microsoft Synchronization Services
2008-08-11 21:51 . 2008-08-11 21:51	<DIR>	d--------	C:\Programme\Microsoft.NET
2008-08-11 21:51 . 2008-08-11 21:59	<DIR>	d--------	C:\Programme\Microsoft Visual Studio 9.0
2008-08-11 21:51 . 2008-08-11 22:00	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft Help
2008-08-11 21:50 . 2008-08-11 21:50	<DIR>	d--------	C:\Programme\Microsoft SDKs
2008-08-11 21:47 . 2008-08-11 21:47	<DIR>	d--------	C:\WINDOWS\system32\XPSViewer
2008-08-11 21:47 . 2008-08-11 21:47	<DIR>	d--------	C:\Programme\Reference Assemblies
2008-08-11 21:47 . 2008-08-11 21:47	<DIR>	d--------	C:\Programme\MSBuild
2008-08-11 21:45 . 2006-06-29 13:07	14,048	---------	C:\WINDOWS\system32\spmsg2.dll
2008-08-11 21:39 . 2008-08-11 21:39	<DIR>	d--------	C:\Programme\MSXML 6.0
2008-08-10 17:37 . 2008-08-10 17:37	<DIR>	d--------	C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ICQ Toolbar
2008-08-09 18:47 . 2008-08-26 20:09	<DIR>	d--------	C:\Programme\ICQToolbar
2008-08-09 18:46 . 2008-08-09 18:51	<DIR>	d--------	C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ICQ
2008-08-09 18:44 . 2008-08-09 18:51	<DIR>	d--------	C:\Programme\ICQ6
2008-08-04 12:46 . 2008-08-04 12:46	<DIR>	d--------	C:\Programme\1964
2008-08-02 16:01 . 2008-08-02 16:01	<DIR>	d--------	C:\Programme\weblin
2008-08-02 16:00 . 2008-08-02 16:02	<DIR>	d--------	C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\zweitgeist
2008-08-02 14:58 . 2008-08-03 22:06	<DIR>	d--------	C:\Programme\mupen64 0.5
2008-07-27 18:57 . 2008-07-27 18:57	<DIR>	d--------	C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\Xilisoft Corporation
2008-07-27 18:54 . 2008-07-27 18:54	<DIR>	d--------	C:\Programme\Xilisoft

.
((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 16:08	17,408	----a-w	C:\WINDOWS\system32\drivers\USBCRFT.SYS
2008-08-26 10:42	---------	d-----w	C:\Programme\Windows Live
2008-08-25 15:47	9,248	----a-w	C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\wklnhst.dat
2008-08-24 15:09	---------	d---a-w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-08-22 17:51	---------	d--h--w	C:\Programme\InstallShield Installation Information
2008-08-10 17:02	---------	d-----w	C:\Programme\eMule
2008-08-01 13:24	---------	d-----w	C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\temp
2008-07-28 19:06	---------	d-----w	C:\Programme\DivX
2008-07-23 14:27	---------	d-----w	C:\Programme\Gemeinsame Dateien\DVDVideoSoft
2008-07-23 14:26	---------	d-----w	C:\Programme\DVDVideoSoft
2008-07-19 18:14	22,004	----a-w	C:\WINDOWS\system32\winwizard.dll
2008-07-18 18:39	587,776	----a-w	C:\WINDOWS\WLXPGSS.SCR
2008-07-18 14:40	---------	d-----w	C:\Programme\AOL 9.0
2008-07-10 16:09	---------	d-----w	C:\Programme\Freecorder
2008-07-09 21:13	---------	d-----w	C:\Programme\Fox
2008-07-09 17:18	---------	d-----w	C:\Programme\Eidos Interactive
2008-07-09 17:14	---------	d-----w	C:\Programme\Infogrames
2008-07-08 11:15	---------	d-----w	C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\DivX
2008-07-07 20:30	253,952	----a-w	C:\WINDOWS\system32\es.dll
2008-07-01 15:06	35,328	----a-w	C:\WINDOWS\system32\cygz.dll
2008-07-01 15:06	35,328	----a-w	C:\WINDOWS\cygz.dll
2008-07-01 15:06	1,126,281	----a-w	C:\WINDOWS\system32\cygwin1.dll
2008-07-01 15:06	1,126,281	----a-w	C:\WINDOWS\cygwin1.dll
2008-06-24 16:22	74,240	----a-w	C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38	665,088	----a-w	C:\WINDOWS\system32\wininet.dll
2008-06-20 17:39	247,296	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-18 17:52	161,096	----a-w	C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-11 00:07	524,288	----a-w	C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07	3,596,288	----a-w	C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:07	129,784	------w	C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07	120,056	------w	C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07	118,520	------w	C:\WINDOWS\system32\pxinsi64.exe
2008-06-11 00:04	200,704	----a-w	C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04	1,044,480	----a-w	C:\WINDOWS\system32\libdivx.dll
2008-05-21 09:52	4,500,672	----a-w	C:\Programme\FLV PlayerRCATSetup.exe
2008-05-21 09:52	2,725,048	----a-w	C:\Programme\FLV PlayerFCSetup.exe
2008-05-21 09:51	411,248	----a-w	C:\Programme\FLV PlayerRCSetup.exe
2008-02-27 20:26	59,456	----a-w	C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2005-03-15 14:17	8	--sh--r	C:\WINDOWS\system32\2976313739.sys
.

((((((((((((((((((((((((((((   Registry Autostart Points   ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "C:\Programme\Freecorder\tbFre1.dll" [2008-07-10 18:09 1569304]
"{ad55c869-668e-457c-b270-0cfb2f61116f}"= "C:\Programme\livetvbar\tblive.dll" [2008-07-10 14:04 1600024]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{ad55c869-668e-457c-b270-0cfb2f61116f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2008-07-10 18:09	1569304	--a------	C:\Programme\Freecorder\tbFre1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad55c869-668e-457c-b270-0cfb2f61116f}]
2008-07-10 14:04	1600024	--a------	C:\Programme\livetvbar\tblive.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "C:\Programme\Freecorder\tbFre1.dll" [2008-07-10 18:09 1569304]
"{ad55c869-668e-457c-b270-0cfb2f61116f}"= "C:\Programme\livetvbar\tblive.dll" [2008-07-10 14:04 1600024]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{ad55c869-668e-457c-b270-0cfb2f61116f}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "C:\Programme\Freecorder\tbFre1.dll" [2008-07-10 18:09 1569304]
"{AD55C869-668E-457C-B270-0CFB2F61116F}"= "C:\Programme\livetvbar\tblive.dll" [2008-07-10 14:04 1600024]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{ad55c869-668e-457c-b270-0cfb2f61116f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"WMPNSCFG"="C:\Programme\Windows Media Player\WMPNSCFG.exe" [2006-11-03 09:56 204288]
"ICQ"="C:\Programme\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
"Veoh"="C:\Programme\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 18:35 3587120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-24 08:32 5537792]
"AOLDialer"="C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe" [2007-06-21 14:42 70952]
"PCMService"="C:\Programme\Home Cinema\PowerCinema\PCMService.exe" [2004-11-09 06:14 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AntivirusRegistration"="C:\Programme\CA\Etrust Antivirus\Register.exe" [2005-01-31 16:09 458752]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [2004-06-26 01:17 504080]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"HostManager"="C:\Programme\Gemeinsame Dateien\AOL\1203702677\ee\AOLSoftware.exe" [2006-09-26 02:52 50736]
"LogitechCommunicationsManager"="C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 10:52 505368]
"LogitechQuickCamRibbon"="C:\Programme\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 10:53 780312]
"RealTray"="C:\Programme\Real\RealPlayer\RealPlay.exe" [2008-05-24 10:19 26112]
"Remote Control Pro"="C:\Programme\Remote Control Pro\RCPServer.exe" [2007-09-17 10:57 491520]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 11:50 88363 C:\WINDOWS\AGRSMMSG.exe]
"nwiz"="nwiz.exe" [2005-02-24 08:32 1495040 C:\WINDOWS\system32\nwiz.exe]
"CHotkey"="mHotkey.exe" [2004-02-24 15:05 508416 C:\WINDOWS\mHotkey.exe]
"ledpointer"="CNYHKey.exe" [2004-02-03 18:15 5794816 C:\WINDOWS\CNYHKey.exe]
"Dit"="Dit.exe" [2004-07-20 19:18 90112 C:\WINDOWS\Dit.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-03-05 19:12 68856 C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=
"C:\\Programme\\AOL 9.0\\AOL.exe"=
"C:\\Programme\\AOL 9.0\\WAOL.exe"=
"C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLACSD.exe"=
"C:\\Programme\\Gemeinsame Dateien\\AOL\\ACS\\AOLDIAL.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Programme\\CA\\eTrust Antivirus\\InocIT.exe"=
"C:\\Programme\\CA\\eTrust Antivirus\\Realmon.exe"=
"C:\\Programme\\CA\\eTrust Antivirus\\InoRpc.exe"=
"C:\\Programme\\NetMeeting\\Conf.exe"=
"C:\\Programme\\eMule\\emule.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
"C:\\Programme\\Gemeinsame Dateien\\aol\\1203702677\\ee\\aolsoftware.exe"=
"C:\\Programme\\Reality Pump\\World War III Black Gold\\Setup.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"D:\\Programme\\BearShare\\BearShare.exe"=
"C:\\Dokumente und Einstellungen\\Medion\\Desktop\\Spiele\\Warcraft III.exe"=
"D:\\Warcraft III\\Warcraft III.exe"=
"D:\\Warcraft III\\War3.exe"=
"C:\\Programme\\Opera\\Opera.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"C:\\Programme\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Programme\\Remote Control Pro\\RCPServer.exe"=
"C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programme\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-02-22 11:19]
R2 RCPServer;Remote Control Pro;C:\Programme\Remote Control Pro\rcpserver.exe [2007-09-17 10:57]
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2004-10-06 15:10]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-01 14:58]
R3 PRISM_A00;CREATIX 802.11g Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys [2004-01-16 10:31]
R3 Rcphook;Rcphook;C:\WINDOWS\system32\DRIVERS\rcpmini.sys [2007-02-23 04:19]
R3 UKBFLT;UKBFLT;C:\WINDOWS\system32\DRIVERS\UKBFLT.sys [2003-12-19 18:13]
S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-08-27 18:08]
.
Contents of the "Scheduled Tasks" folder
.
- - - - Removed orphaned registry entries - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-Felix - C:\Program Files\ScreenMates\felix2.exe
MSConfigStartUp-scvhost - mirc.exe


.
------- Additional Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\Mozilla\Firefox\Profiles\io3igo61.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1576177&SearchSource=3&q=
FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPJava11.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPJava12.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPJava13.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPJava14.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPJava32.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPJPI150_01.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_01\bin\NPOJI610.dll
FF -: plugin - C:\Programme\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - C:\Programme\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 18:08:42
Windows 5.1.2600 Service Pack 2 NTFS

Scanning for hidden processes...

Scanning for hidden autostart entries...

Scanning for hidden files...

Scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other running processes ------------------------
.
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\Gemeinsame Dateien\logishrd\LVMVFM\LVPrcSrv.exe
C:\Programme\Gemeinsame Dateien\aol\ACS\AOLacsd.exe
C:\Programme\CA\Etrust Antivirus\InoRpc.exe
C:\Programme\CA\Etrust Antivirus\InoRT.exe
C:\Programme\Gemeinsame Dateien\logishrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\COMMON~1\X10\Common\X10nets.exe
C:\Programme\Gemeinsame Dateien\logishrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-08-27 18:12:21 - PC was rebooted
ComboFix-quarantined-files.txt  2008-08-27 16:12:15

Pre-Run: 14 directory(ies), 189,837,086,720 bytes free
Post-Run: 18 directory(ies), 190,295,973,888 bytes free

284	--- E O F ---	2008-08-22 08:25:10
         

28.08.2008, 10:47   #8
OMER
 
HijackThis log once more:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:47, on 28.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\Dit.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Programme\Gemeinsame Dateien\AOL\1203702677\ee\AOLSoftware.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\CA\eTrust Antivirus\InoRpc.exe
C:\Programme\CA\eTrust Antivirus\InoRT.exe
C:\Programme\CA\eTrust Antivirus\InoTask.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Picture It! Premium 10\pi.exe
C:\Programme\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Programme\Freecorder\tbFre1.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
R3 - URLSearchHook: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Programme\livetvbar\tblive.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Programme\Freecorder\tbFre1.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Programme\livetvbar\tblive.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Programme\Freecorder\tbFre1.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Programme\livetvbar\tblive.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AntivirusRegistration] C:\Programme\CA\Etrust Antivirus\Register.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HostManager] C:\Programme\Gemeinsame Dateien\AOL\1203702677\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programme\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Veoh] "C:\Programme\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6\ICQ.exe" silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with Xilisoft Download YouTube Video - C:\Programme\Xilisoft\Download YouTube Video\upod_link.HTM
O8 - Extra context menu item: In neuer Registerkarte im Hintergrund öffnen - res://C:\Programme\Windows Live Toolbar\Components\de-de\msntabres.dll.mui/229?d8f2a52997324421b577ad1c5966fda3
O8 - Extra context menu item: In neuer Registerkarte im Vordergrund öffnen - res://C:\Programme\Windows Live Toolbar\Components\de-de\msntabres.dll.mui/230?d8f2a52997324421b577ad1c5966fda3
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110880546187
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9AE2FF8-35DF-4C5B-B467-B5938B4EE82E}: NameServer = 195.50.140.252 195.50.140.114
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 10367 bytes

thanks for everything, everything actually seems to be working fine now

is anything else needed?

the internet works without problems, the background can be changed, no more software starting on its own

and sorry for posting twice in a row; the forum tells me that my message was too long. I also have the mbam log but I can't post that either, because it alone contains 65000 characters. 25000 are allowed, as I just saw...

28.08.2008, 13:23   #9
Chris4You

Hi,

Attention!
ComboFix still shows a file (a driver!) that could belong to a rootkit:
C:\WINDOWS\system32\drivers\oreans32.sys
->http://virus-protect.org/artikel/dienste/oreans32.html

Please have it checked online right away; it may be that MAM already caught it (the log is not available, just post MAM's findings)...

The HJ log looks good; please also quickly check the MBR:
MBR rootkit

Download the MBR rootkit scanner from GMER onto your boot drive:
http://www2.gmer.net/mbr/mbr.exe
Remember the directory you downloaded it to;
Start->Run->cmd
Change to the download directory and start the program by typing
mbr...

The result should look like this:
Quote:
D:\Downloads>mbr
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
You will find the log in the directory where mbr.exe is located,

post it in the thread;

chris
__________________
Don't bring me down
Read before posting!
Donations
(Anyone who wants to donate is welcome to get in touch)

28.08.2008, 14:24   #10
OMER

MAM log:

Infected registry keys:
Code:
HKEY_CLASSES_ROOT\e404.e404mgr (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e404.e404mgr.1 (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj.1 (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0ec085a8-9818-43b7-b975-ec7555eda4d2} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1a74c41c-0837-4fbe-ba50-621eb70f01ce} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{25297614-1b76-4c2c-82c6-62738aa0e8f0} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{37f89457-1208-4670-9245-58c62bd6d870} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{45477032-abd0-454d-9ce4-ea34c10322f8} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{69e34747-0b27-4b30-ae20-1023bf29e246} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{79be5b3b-80b2-4b77-a042-efc90f6e0de7} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7c0ec6bf-81b9-4fe0-9447-4ed29a36bf5d} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7ebb34cf-1728-4136-a968-48f231dad1b4} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{88daa291-b413-4c46-b378-3be66f65369e} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{936a2f4a-53f8-4d2f-92aa-2f9de889841c} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{afcc3fa7-82a9-42d5-a405-78711e97a5d6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cc05a4a3-7b28-488f-ab02-6aaedb86accf} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e80114aa-6653-4952-9e97-5f1dc63bee0f} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f9109a2a-432b-4add-a6fa-06ba22dcd2d9} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fca3958a-8d38-4d14-8b81-ccd7f68a8a01} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{E94EB13E-D78F-0857-7734-5E67A49FFFF1} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{74f7db6b-86e9-4b91-9d9f-b0d954d7aa5b} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cbd02e9b-37ef-47d2-96b0-3abbb2eb92bf} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74f7db6b-86e9-4b91-9d9f-b0d954d7aa5b} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcjr5j0ej2n (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcjr5j0ej2n (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


Infected registry values:
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.



Infected registry data items:
Code:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

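As an added triage example (not code from the thread and not Malwarebytes' own), the script below parses MBAM result lines in the format posted above, grades each hit, and links entries such as the NoDispBackgroundPage policy and the sysrest.sys service to the symptoms reported in this thread. The sample log is an excerpt of the lines posted above plus one constructed "Delete on reboot" line; the severity classes and hint texts are my own assumptions, not MBAM categories.

```python
"""Triage of Malwarebytes (MBAM) result lines as posted in this thread.

Added example, not part of the thread and not Malwarebytes code. It parses
lines of the form
    <location> (<detection>) -> <action>.
and, for registry data items,
    <location> (<detection>) -> Bad: (<old>) Good: (<new>) -> <action>.
Severity classes and symptom hints below are my own triage rules.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<location>.+?) \((?P<detection>[A-Za-z][A-Za-z0-9.]*)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>[^>]+?)\.?\s*$"
)

# Location fragments that explain symptoms from the thread (hint texts are mine).
SYMPTOM_HINTS = {
    "nodispbackgroundpage": "Display Properties 'Background' tab hidden by policy "
                            "(why the wallpaper could not be changed)",
    "nodispscrsavpage": "Display Properties 'Screen Saver' tab hidden by policy",
    "\\services\\sysrest.sys": "kernel driver registered as a service: rootkit "
                               "persistence, verify the MBR/driver separately",
}


@dataclass
class Finding:
    location: str
    detection: str              # e.g. "Rogue.VirusHeat"
    action: str                 # e.g. "Quarantined and deleted successfully"
    bad: Optional[str] = None   # old registry data (registry data items only)
    good: Optional[str] = None  # value MBAM restored

    @property
    def family(self) -> str:
        return self.detection.split(".", 1)[0]   # "Rogue.VirusHeat" -> "Rogue"


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for one MBAM result line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Finding(m["location"], m["detection"], m["action"].strip(),
                   m["bad"], m["good"])


def severity(f: Finding) -> str:
    """Rank a finding by how much it undermines trust in the machine (my scale)."""
    loc = f.location.lower()
    if f.family == "Rootkit" or "\\services\\" in loc:
        return "critical"      # kernel driver / service persistence
    if f.family == "Trojan" or "\\currentversion\\run\\" in loc:
        return "high"          # trojan component or autostart entry
    if f.family in ("Rogue", "Hijack") or "\\policies\\" in loc:
        return "medium"        # fake AV and UI lock-outs (wallpaper, policies)
    return "low"               # adware / dialer leftovers


def explain(f: Finding) -> Optional[str]:
    """Map a finding to a symptom hint, if one of the known fragments matches."""
    loc = f.location.lower()
    return next((hint for key, hint in SYMPTOM_HINTS.items() if key in loc), None)


def triage(log_text: str) -> dict:
    """Summarise a block of MBAM result lines."""
    findings = [f for f in map(parse_line, log_text.splitlines()) if f]
    return {
        "total": len(findings),
        "by_detection": dict(Counter(f.detection for f in findings)),
        "by_severity": dict(Counter(severity(f) for f in findings)),
        # anything not removed outright needs a reboot and a re-scan
        "not_removed": [f.location for f in findings
                        if "successfully" not in f.action],
        "symptom_hints": [(f.location, explain(f)) for f in findings if explain(f)],
        "restored_policies": [(f.location.rsplit("\\", 1)[-1], f.bad, f.good)
                              for f in findings if f.bad is not None],
    }


# Excerpt of the lines posted above, plus one constructed "Delete on reboot"
# line (the last one) to show the not-removed case.
SAMPLE_LOG = "\n".join([
    r"HKEY_CLASSES_ROOT\e404.e404mgr (Trojan.Zlob) -> Quarantined and deleted successfully.",
    r"HKEY_CLASSES_ROOT\Interface\{0ec085a8-9818-43b7-b975-ec7555eda4d2} (Rogue.VirusHeat) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.",
    r"HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.",
    r"C:\Programme\Instant Access\Dialer (Adware.EGDAccess) -> Quarantined and deleted successfully.",
    r"C:\WINDOWS\system32\drivers\constructed-example.sys (Rootkit.Agent) -> Delete on reboot.",
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the full posted log (all three sections) and the "critical" and "not_removed" entries are the ones to verify before trusting the machine again.
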
28.08.2008, 14:25   #11
OMER

Infected directories:
Code:
C:\Programme\Instant Access (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Center (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom\4282 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom\4282\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\50214 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\50214\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\50214\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom\3423 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom\3423\DE (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\www.waypointcash.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\www.waypointcash.com\conversion (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\www.waypointcash.com\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom\4282 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom\4282\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\50214 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\50214\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\50214\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom\4160 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom\4160\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom\4239 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom\4239\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-external-api.dlv4.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-external-api.dlv4.com\js (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\EN (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\www.0texkax7c6hzuidk.com (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\www.0texkax7c6hzuidk.com\Common (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\www.rapid-pass.net (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\375013 (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\rhcjr5j0ej2n\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Alt 28.08.2008, 14:27   #12
OMER
Infected files: part1

Code:
C:\Avenger\375013.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Avenger\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (Adware.Shopper) -> Quarantined and deleted successfully.
C:\Avenger\webHancer\whAgent_update.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Avenger\webHancer\Programs\whinstaller.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\ShprInstaller.exe (Adware.Shopper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mirc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Center\Crazy Girls.upd (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Center\GAMES-DESKTOP.COM.upd (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Center\NoCreditCard.upd (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Center\SERIALPLAYERS.upd (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Center\tray1.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-external-api.dlv4.com\js\9929ec563323f5ceac29c2322fcf5448 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\Common\57f0b682532374280e3060e40d979931.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\Common\57f0b682532374280e3060e40d979931.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160\4160_dialer.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1004882125\www.rapid-pass.net\472bbe77dffbe6b3c6719420a65b2af4 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-external-api.dlv4.com\js\7635c85abc78b057c79a2da8d4102715 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\Common\539b9a5ee7256bdec05490088b05f09b.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239\4239_dialer.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\4679f5172fb0650bf4c57b98af103a24.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\4679f5172fb0650bf4c57b98af103a24.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\background.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\index_02.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\index_03.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\index_05.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\index_06.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\fp.pc-on-internet.com\50240\images\EN\index_01.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\1034914229\www.rapid-pass.net\77054f311e0bcccb48f8f8b6dcad5147 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\Crazy Girls.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-external-api.dlv4.com\js\59c27f4241eb59d6a79e36cbf79aa4ea (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\Common\1d3d21fe1af6ddff012e8c9913c24087.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239\4239_dialer.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\a72e3b78bf5fa5498dd72cc5fa015e73.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\a72e3b78bf5fa5498dd72cc5fa015e73.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\index_02.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\index_05.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\index_07.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\EN\index_01.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\EN\index_03.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\fp.pc-on-internet.com\50310\images\EN\index_06.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\106594365\www.rapid-pass.net\c3d15f128cbf70612e4e917e01d03ef1 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\SERIALPLAYERS.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-external-api.dlv4.com\js\0a892e7975b9125f0170b1032a84950f (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\Common\9a92b5efdefde64ecdc6854e957a50d8.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\4b944aab33bdf096511ca2557a259f93.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\4b944aab33bdf096511ca2557a259f93.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\50214\images\index_02.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\50214\images\index_04.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\fp.pc-on-internet.com\50214\images\EN\index_01.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\247277506\www.rapid-pass.net\a4a70b22b8556df7681dd57b2e524977 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\NoCreditCard.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-external-api.dlv4.com\js\b830d28dcbd21e27168b26b1d0a7d995 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\Common\8ad12a29c1d434a475ac973813e182f0.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom\3423\DE\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom\3423\DE\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom\3423\DE\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\es6-scripts.nccgateway.com\custom\3423\DE\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\bcc54009de2268c98be4ba8ae65126cd.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\bcc54009de2268c98be4ba8ae65126cd.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_01.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_02.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_03.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_04.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_05.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_08.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_09.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_10.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_11.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\traffic.waypointcash.com\avatarsplanet.com\enter\2\en\avatars_12.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\www.waypointcash.com\conversion\2c179372da6c88c98ab6faa72752a5f4 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\380672410\www.waypointcash.com\images\waypointlogo.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\Crazy Girls.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-external-api.dlv4.com\js\48df84da4b77ecf6924632fcc818843a (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\Common\1b51321b6e8a12496893fc0de4b3b1a7.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239\4239_dialer.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\4679f5172fb0650bf4c57b98af103a24.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\4679f5172fb0650bf4c57b98af103a24.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\background.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\index_02.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\index_03.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\index_05.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\index_06.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\fp.pc-on-internet.com\50240\images\EN\index_01.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\445847055\www.rapid-pass.net\9ef61a8670423bb3ff98a81724a791b1 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\SERIALPLAYERS.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-external-api.dlv4.com\js\0a892e7975b9125f0170b1032a84950f (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\Common\9a92b5efdefde64ecdc6854e957a50d8.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\4b944aab33bdf096511ca2557a259f93.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\4b944aab33bdf096511ca2557a259f93.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\50214\images\index_02.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\50214\images\index_04.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\686377647\fp.pc-on-internet.com\50214\images\EN\index_01.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-external-api.dlv4.com\js\0ce2b669c62b5774d02ea575cd62e2ca (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\Common\de508d2db454349e88ca85a1d0f14161.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\Common\de508d2db454349e88ca85a1d0f14161.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282\4282_dialer.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\es6-www.0texkax7c6hzuidk.com\custom\4282\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\697300669\www.rapid-pass.net\ce179c3bc7e9bf830fb8356f04656799 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-external-api.dlv4.com\js\74250fa7fb4bb8c3c57a077689965be4 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\Common\9634e9b170f1ba239f184cdc9b70edff.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\es6-www.0texkax7c6hzuidk.com\custom\4160\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\e75806ffaf4bc15271fe4b6bf0bde9da.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\e75806ffaf4bc15271fe4b6bf0bde9da.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\00.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\bando.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\bando_bas.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\bando_haut.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.

Alt 28.08.2008, 14:28   #13
OMER
Infected files: part2

Code:
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\bas.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\d.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\g.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\fun1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\fun2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\fun3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\fun4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\jeu1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\jeu2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\jeu3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\833765547\fp.pc-on-internet.com\3041\images\EN\titre.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-external-api.dlv4.com\js\aad489aac54d0b29e73883640085dc0f (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\Common\63885fa5bec2f3fb6a6c07d33647a12b.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\7b41db1988d377317bd9c144ee5484a1.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\7b41db1988d377317bd9c144ee5484a1.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\background.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\index_03.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\index_04.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\index_06.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\index_07.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\EN\index_01.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\876173103\fp.pc-on-internet.com\50289\images\EN\index_02.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\Crazy Girls.lnk (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-external-api.dlv4.com\js\524e8a29aa9e313e8f33665b30c634d5 (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\Common\6c24ac195839b644a21431eb28d4b3cc.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239\4239_dialer.ico (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button1.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button2.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button3.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\es6-www.0texkax7c6hzuidk.com\custom\4239\EN\button4.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\e0db83b4abfc4c7879316854addaae3b.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\e0db83b4abfc4c7879316854addaae3b.html_0.loginvis (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\index_03.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\index_04.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\index_06.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\index_07.jpg (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\EN\index_01.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\fp.pc-on-internet.com\50285\images\EN\index_02.gif (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\Instant Access\Dialer\961592046\www.rapid-pass.net\4344b8e5b6a324bd6e124d535f34199d (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\blphcnr5j0ej2n.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcnr5j0ej2n.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcnr5j0ej2n.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvs2.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Desktop\Antivirus XP 2008.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Medion\Lokale Einstellungen\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

17:58:21 27.08.2008
mbam-log-08-27-2008 (17-58-21).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 291063
Time elapsed: 34 minute(s), 56 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 66
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 172
Files Infected: 217

Memory Processes Infected:
C:\WINDOWS\system32\sysrest32.exe (Rootkit.Agent) -> Unloaded process successfully.

28.08.2008, 14:35   #14
OMER

C:\WINDOWS\system32\drivers\oreans32.sys

Code:
Antivirus	Version	Last update	Result
AhnLab-V3	-	-	-
AntiVir	-	-	-
Authentium	-	-	-
Avast	-	-	-
AVG	-	-	-
BitDefender	-	-	-
CAT-QuickHeal	-	-	Rootkit.Agent.ad
ClamAV	-	-	-
DrWeb	-	-	-
eSafe	-	-	-
eTrust-Vet	-	-	-
Ewido	-	-	-
F-Prot	-	-	-
F-Secure	-	-	-
Fortinet	-	-	-
GData	-	-	-
Ikarus	-	-	-
K7AntiVirus	-	-	Backdoor.Win32.SdBot.AEFU
Kaspersky	-	-	-
McAfee	-	-	-
Microsoft	-	-	-
NOD32v2	-	-	-
Norman	-	-	-
Panda	-	-	-
PCTools	-	-	Rootkit.Agent
Prevx1	-	-	-
Rising	-	-	-
Sophos	-	-	-
Sunbelt	-	-	-
Symantec	-	-	-
TheHacker	-	-	-
TrendMicro	-	-	-
VBA32	-	-	-
ViRobot	-	-	Trojan.Win32.NTRootkit.33952
VirusBuster	-	-	-
Webwasher-Gateway	-	-	-
         



MBR log

Quote:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

28.08.2008, 15:27   #15
Chris4You

Hi,

I think we'll kill the thing...

Give your brother an earful, what a contaminated machine...

So:
Avenger instructions (by swandog46)

1.) Download the Avenger tool and save it to the desktop:


2.) Configure the program as shown in the picture.

Now copy the following text into the white box:
(at -> "input script here")


Code:
Files to delete:
C:\WINDOWS\system32\drivers\oreans32.sys

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\oreans32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
         
3.) Now close all programs (save your work first if necessary!) and browser windows; after Avenger has run, the system will be restarted.

4.) To start Avenger, click on -> Execute
Then confirm with "Yes" that the computer will restart!

5.) After the system has restarted, you will find Avenger's report here -> C:\avenger.txt
Open the file with Notepad and copy the entire text into your post here on Trojaner-Board.

chris
__________________
Don't bring me down
Read before posting!
Donations
(Anyone who wants to donate is welcome to get in touch)
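The Malwarebytes detection list earlier in the thread and the Avenger script in post #15 follow one pattern: a malicious kernel driver (tdssserv.sys, sysrest.sys, oreans32.sys) leaves a file on disk, a service entry under every control set, and a LEGACY_ entry under Enum\Root, and all of them have to go. The files Malwarebytes marked "Delete on reboot" are the ones it could not remove in-session, which is what you expect while the driver is still loaded. The Python script below is an added example and not part of the thread, of Malwarebytes or of Avenger: it parses detection lines in the format Malwarebytes printed above (the five sample lines are copied from that log), picks out the entries that name a kernel driver, and drafts an Avenger-style script in the two-section form used in post #15. Two things are assumptions: that the service name equals the driver file's basename (true for oreans32 here, but it must be confirmed in the Services key), and that the control sets are named ControlSet001 and ControlSet002 as in the post (check HKLM\SYSTEM\Select on the real machine).

```python
"""Added example (not from the thread, Malwarebytes or Avenger): triage a
Malwarebytes-style detection list and draft an Avenger cleanup script for
any kernel drivers it names."""
import re
from collections import Counter

# Constructed sample: five lines copied from the Malwarebytes log posted above.
SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\\Dokumente und Einstellungen\\Medion\\Desktop\\Antivirus XP 2008.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
"""

# "<path> (<family>) -> <action>." as printed by Malwarebytes 1.x
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")

# Assumption: the control sets on the target are named as in post #15.
# Verify on the real box via HKLM\SYSTEM\Select (Current / LastKnownGood).
CONTROL_SETS = ("ControlSet001", "ControlSet002", "CurrentControlSet")


def parse_log(text):
    """Return a list of {'path', 'family', 'action'} dicts, one per detection line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries):
    """Counts per family plus the files the scanner could not remove in-session.
    'Delete on reboot' means the file was locked, typically by a loaded driver."""
    return {
        "by_family": Counter(e["family"] for e in entries),
        "delete_on_reboot": [e["path"] for e in entries
                             if e["action"].startswith("Delete on reboot")],
    }


def driver_candidates(entries):
    """Paths that look like kernel drivers: a .sys file or a Rootkit.* tag."""
    return [e["path"] for e in entries
            if e["path"].lower().endswith(".sys")
            or e["family"].lower().startswith("rootkit")]


def service_name(path):
    """Assumption: service name == driver file basename (true for oreans32 in
    the thread; confirm against HKLM\\SYSTEM\\CurrentControlSet\\Services)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def avenger_script(driver_paths):
    """Draft an Avenger script in the two-section form used in post #15."""
    keys = []
    for p in driver_paths:
        svc = service_name(p)
        for cs in CONTROL_SETS:
            keys.append(r"HKEY_LOCAL_MACHINE\SYSTEM\{}\Services\{}".format(cs, svc))
        keys.append(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{}"
                    .format(svc.upper()))
    lines = ["Files to delete:"] + list(driver_paths) + ["", "registry keys to delete:"] + keys
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(summarize(found))
    print(avenger_script(driver_candidates(found)))
```

Run as-is it prints the family counts, the two locked files from the sample, and a draft script for tdssserv.sys and sysrest.sys; fed the single path C:\WINDOWS\system32\drivers\oreans32.sys it reproduces the four registry keys from post #15. Treat the output as a draft to review against the live registry, not as something to paste blindly: a wrong service name or a control set that does not exist on the machine makes the script a no-op for that entry.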
