TR/Agent.EM
 

Running processes:
C:\WINDOWS\System32\smss. exe
C:\WINDOWS\system32\winlo gon.exe
C:\WINDOWS\system32\servi ces.exe
C:\WINDOWS\system32\lsass .exe
C:\WINDOWS\System32\Ati2e vxx.exe
C:\WINDOWS\system32\svcho st.exe
C:\WINDOWS\System32\svcho st.exe
C:\WINDOWS\system32\spool sv.exe
C:\Programme\AVPersonal\A VWUPSRV.EXE
C:\WINDOWS\System32\drive rs\CDAC11BA.EXE
C:\PROGRA~1\CACHEM~1\Cach emanXP.exe
C:\WINDOWS\System32\gears ec.exe
C:\WINDOWS\System32\LckFl dService.exe
C:\Programme\NMapWin\bin\ nmapserv.exe
C:\Programme\Advanced Registry Doctor\RegManServ.exe
C:\WINDOWS\System32\svcho st.exe
C:\WINDOWS\system32\ZoneL abs\vsmon.exe
C:\WINDOWS\system32\Ati2e vxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDl l32.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\spool \drivers\w32x86\3\hpztsb0 5.exe
C:\Programme\QuickTime\qt task.exe
C:\Programme\iTunes\iTune sHelper.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\re alsched.exe
C:\Programme\DU Meter\DUMeter.exe
C:\Programme\Winamp\winam pa.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.e xe
C:\Programme\ICQLite\ICQL ite.exe
C:\Programme\Java\jre1.5. 0_02\bin\jusched.exe
C:\Programme\Microsoft IntelliType Pro\type32.exe
C:\Programme\AVPersonal\A VGNT.EXE
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\iPod\bin\iPo dService.exe
C:\Programme\AVPersonal\A VGUARD.EXE
C:\Programme\Trojancheck 6\tcguard.exe
C:\Programme\STK007\STK00 7M.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\WinRAR\WinRA R.exe
C:\DOKUME~1\Benutzer\LOKA LE~1\Temp\Rar$EX03.047\Hi jackThis.exe

R1 - HKCU\Software\Microsoft\I nternet Explorer,SearchURL = http://static.vpptechnologies.co m...landing.html?s=
R1 - HKCU\Software\Microsoft\I nternet Explorer\Main,Search Bar = http://static.vpptechnologies.co m...landing.html?s=
R1 - HKCU\Software\Microsoft\I nternet Explorer\Main,Search Page = http://static.vpptechnologies.co m...landing.html?s=
R0 - HKCU\Software\Microsoft\I nternet Explorer\Main,Start Page = http://www.gmx.net/de
R1 - HKCU\Software\Microsoft\I nternet Explorer\Search,SearchAss istant = http://static.vpptechnologies.co m...landing.html?s=
R0 - HKLM\Software\Microsoft\I nternet Explorer\Search,SearchAss istant = http://static.vpptechnologies.co m...landing.html?s=
R1 - HKCU\Software\Microsoft\I nternet Explorer\Main,Start Page_bak = http://www.gmx.de/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acroba t 6.0\Reader\ActiveX\AcroIE Helper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googl etoolbar2.dll
O2 - BHO: Class - {DA211C7E-80D9-4852-98A8-572088007AC3} - C:\WINDOWS\winhe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm .ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googl etoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool \drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qt task.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTune sHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\re alsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroC heck.exe
O4 - HKLM\..\Run: [DU Meter] C:\Programme\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winam pa.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Programme\RivaTuner\Ri vaTuner.exe" /S
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.e xe"
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQL ite.exe -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5. 0_02\bin\jusched.exe
O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programme\Elaborate Bytes\CloneDVD\ElbyCheck. exe" /L ElbyDelay
O4 - HKLM\..\Run: [LogonStudio] "C:\Programme\WinCustomize \LogonStudio\logonstudio. exe" /RANDOM
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Programme\Stardock\Win Customize\BootSkin\BootSk in.exe" /StartupJobs
O4 - HKLM\..\Run: [iexplore.exe] C:\Programme\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\A VGNT.EXE" /min
O4 - HKLM\..\Run: [Trojancheck 6 Guard] C:\Programme\Trojancheck 6\tcguard.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\ Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQL ite.exe -trayboot
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Erinnerungen für Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: STK007 PNP Monitor.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programme\google\Googl eToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\programme\google\Googl eToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programme\google\Googl eToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\programme\google\Googl eToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\programme\google\Googl eToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5. 0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5. 0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQL ite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQL ite.exe
O9 - Extra button: XM2002® - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Programme\IPPS\XM2002® \XM2002.exe (file missing)
O9 - Extra 'Tools' menuitem: &XM2002® - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Programme\IPPS\XM2002® \XM2002.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MS MSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MS MSGS.EXE
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontro l) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {1B51CC54-F369-460B-9184-22D51ABCF807} (empfaenger Element) - http://www.privat-akt.com/download/empfaengerProj1.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/p...s/GSManager.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://netcam.ccc.edu/kxhcm10.ocx
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.Main Screen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01017a2...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://god.t-online.de/download/ExentCtl.ocx
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://ibrow01.streamfarm.net/plugin/cibrowser11.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureContro l) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloa dControl Class) - http://messenger.msn.com/download/m...ownload er.cab
O16 - DPF: {BBCACFA8-B901-451E-A606-0FE678814967} (control to view directory & upload images) - http://www.uboot.com/h/int/applet/p...otoUploader.CAB
O16 - DPF: {D62B5127-8D03-4175-BA71-E0041595DA4B} (UDConnect Class) - http://03.sharedsource.org/html/Tri..._1.0.0.2ie.cab?
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edges u.../ITDetector.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/active...ol_v1-0-3-0.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netsi.exe (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\A VGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2e vxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2s gag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\A VWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drive rs\CDAC11BA.EXE
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\PROGRA~1\CACHEM~1\Cach emanXP.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gears ec.exe
O23 - Service: GFI LANguard N.S.S. 5.0 attendant service - Unknown owner - C:\Programme\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPo dService.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\System32\LckFl dService.exe
O23 - Service: NMap - Unknown owner - C:\Programme\NMapWin\bin\ nmapserv.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Programme\Advanced Registry Doctor\RegManServ.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rp capd.exe" -d -f "%ProgramFiles%\WinPcap\rp capd.ini (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.ex e
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneL abs\vsmon.exe
_____________
Anm.
Aktive Links editiert!
Beachte zukünftig die Hinweise dieser Anleitung: HiJackThis.


LG Cidre
S-Mod TB

1. Entschärfe die Links, damit sich niemand durch versehentliches Anklicken auch noch solchen Müll einfängt.
2. Poste das HJT-Logfile vollständig.
3. Entferne persönliche Angaben.

sry das wusste ich nicht


Biserl netter gehts doch auch

Naja, da das Problem mit den Links generell besteht, sind die Reaktionen dann manchmal so. Deine hat ja Cidre geändert.
Aber wo ist das komplette HJT-Log :mad:

Hallo Manhunt,

das Programm "Trojancheck 6" ist recht alt und die Definitionen ebenfalls.
Mein Rat wäre eine Deinstallation.

Wechsel nun in den abgesicherten Modus bei deaktivierter Systemwiederherstellung http://www.systemwiederherstellung-d...indows-xp.html und fixe folgende Einträge (Scan mit HJT, Häckchen vor Eintrag und auf fix checked klicken):

Falls Dir die "R"-Einträge unbekannt sind (den "R3" auf jeden Fall)
O2 - BHO: Class - {DA211C7E-80D9-4852-98A8-572088007AC3} - C:\WINDOWS\winhe.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing
O9 - Extra button: XM2002® - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Programme\IPPS\XM2002® \XM2002.exe (file missing)
O9 - Extra 'Tools' menuitem: &XM2002® - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Programme\IPPS\XM2002® \XM2002.exe (file missing)
O16 - DPF: {1B51CC54-F369-460B-9184-22D51ABCF807} (empfaenger Element) - http://www.privat-akt.com/download/empfaengerProj1.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10
Control) - http://netcam.ccc.edu/kxhcm10.ocx
O16 - DPF: {BBCACFA8-B901-451E-A606-0FE678814967} (control to view directory & upload images) - http://www.uboot.com/h/int/applet/p...otoUploader.CAB
O16 - DPF: {D62B5127-8D03-4175-BA71-E0041595DA4B} (UDConnect Class) - http://03.sharedsource.org/html/Tri..._1.0.0.2ie.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01017a2...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://ibrow01.streamfarm.net/plugin/cibrowser11.cab
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp.cab
sowie weiter "016"-Einträge, die nicht kennst bzw. nicht mehr brauchst
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netsi.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rp capd.exe" -d -f "%ProgramFiles%\WinPcap\rp capd.ini (file missing)

Lösche manuell:
C:\WINDOWS\netsi.exe
C:\WINDOWS\winhe.dll

Führe danach Escan durch (bitte Anleitung genau durchlesen) und lösche alle Funde.

Papierkorb leeren

Neues Logfile mit Kopfzeilen, aus denen Dein System ersichtlich ist

dartus

@dartus

Danke jetzt geht wieder alles.