Trojaner-Board


Chef 14.10.2005 11:16

Urgently asking for help!!!

Hello,
my PC has been acting up for a few weeks. When I try, for example, to go to a site via Google, I suddenly land on a completely different site (e.g. adultfriendfinder, porno-search.com and that kind of rubbish), and my computer is also getting slow. And a "warning message" appears at the bottom right of the screen that says "your computer might be at risk!" Since I am only a layman in these matters, I am URGENTLY ASKING FOR HELP!!!! Unfortunately I don't know myself how to rid the PC of possible VIRUSES, SPYWARE ETC... I have already tried Norton Antivirus, Lavasoft Ad-Aware, AntiVir etc.... but without success.
Sometimes ZoneAlarm tells me that it has found some spyware and then deleted it...

I have posted a HijackThis logfile... maybe one of you can help me. THANKS IN ADVANCE!!!


LOG FILE

Logfile of HijackThis v1.98.2
Scan saved at 12:01:17, on 14.10.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\kernel.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\sc_watch.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\***\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - h**p://software-dl.real.com/245f322aa69067388805/netzip/RdxIE601_de.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{82CD7480-0CE8-46E8-8FC7-A6796655F7C8}: NameServer = 195.95.218.19,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{A12CA277-1D33-4C7A-AC7D-F7EA61255549}: NameServer = 195.95.218.19,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E792BA6B-A06E-4760-AE0E-C9BD1B5CB77C}: NameServer = 195.95.218.19,85.255.112.6
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll




Regards
Chef

[edit]
links removed
[/edit]

stupormundi 14.10.2005 11:19

Hi, chef!
Please post a logfile made with the current HijackThis version 1.99.1 http://www.trojaner-board.de/showthread.php?t=17493
Also make sure that your links are edited (http-->h**p)
http://www.trojaner-board.de/announcement.php?f=20
stupormundi

Chef 14.10.2005 11:48

here is the LOG FILE again

Logfile of HijackThis v1.99.1
Scan saved at 12:45:52, on 14.10.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\kernel.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\sc_watch.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Programme\Winrar\WinRAR.exe
C:\Programme\HijackThis1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://h**p://software-dl.real.com/2...dxIE601_de.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{82CD7480-0CE8-46E8-8FC7-A6796655F7C8}: NameServer = 195.95.218.19,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{A12CA277-1D33-4C7A-AC7D-F7EA61255549}: NameServer = 195.95.218.19,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E792BA6B-A06E-4760-AE0E-C9BD1B5CB77C}: NameServer = 195.95.218.19,85.255.112.6
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Haui45 14.10.2005 17:19

Hello,

Quote:

O17 - HKLM\System\CCS\Services\Tcpip\..\{82CD7480-0CE8-46E8-8FC7-A6796655F7C8}: NameServer = 195.95.218.19,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{A12CA277-1D33-4C7A-AC7D-F7EA61255549}: NameServer = 195.95.218.19,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E792BA6B-A06E-4760-AE0E-C9BD1B5CB77C}: NameServer = 195.95.218.19,85.255.112.6
These entries are very suspicious. Or are you located in Ukraine?

Fix these entries as well as the O6 entry and post a new HJT log together with the virus log information from eScan.
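
The check described in the post above, as an added example that is not part of the original thread: it pulls the O17 static `NameServer` values out of a HijackThis log, flags any resolver that is not on an expected list, and compares a log taken before the fix with one taken after it. The function names and the expected resolver `192.168.1.1` are assumptions for illustration; the log lines are copied from the logs in this thread.

```python
import ipaddress
import re

# A HijackThis entry is "<section code> - <body>", e.g. "O17 - HKLM\...: NameServer = a,b".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O17 body: optional interface GUID, then the statically configured NameServer list.
O17_RE = re.compile(r"(?:\{(?P<guid>[0-9A-Fa-f-]{36})\})?: NameServer = (?P<servers>.+)$")

# Lines copied from the second (before the fix) and third (after the fix) logs in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\svchost.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{82CD7480-0CE8-46E8-8FC7-A6796655F7C8}: NameServer = 195.95.218.19,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{A12CA277-1D33-4C7A-AC7D-F7EA61255549}: NameServer = 195.95.218.19,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E792BA6B-A06E-4760-AE0E-C9BD1B5CB77C}: NameServer = 195.95.218.19,85.255.112.6
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\svchost.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
"""

# Assumption for illustration: the only resolver this machine should use is its router.
EXPECTED_RESOLVERS = ["192.168.1.1"]


def parse_entries(log_text):
    """Return the set of (code, body) entries; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("body")))
    return entries


def static_dns_findings(log_text, expected_resolvers):
    """List (interface GUID, server, reason) for every O17 resolver not on the expected list."""
    expected = {ipaddress.ip_address(r) for r in expected_resolvers}
    findings = []
    for code, body in sorted(parse_entries(log_text)):
        if code != "O17":
            continue
        m = O17_RE.search(body)
        if not m:
            continue  # other O17 values (Domain, SearchList) are out of scope here
        for raw in filter(None, re.split(r"[,\s]+", m.group("servers").strip())):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                findings.append((m.group("guid"), raw, "not an IP address"))
                continue
            if ip in expected:
                continue
            scope = "private" if ip.is_private else "public"
            findings.append((m.group("guid"), raw, f"{scope} resolver not on expected list"))
    return findings


def verify_fix(before, after, codes):
    """Return (removed, remaining) entries of the given section codes between two logs."""
    old, new = parse_entries(before), parse_entries(after)
    removed = sorted(e for e in old - new if e[0] in codes)
    remaining = sorted(e for e in new if e[0] in codes)
    return removed, remaining


if __name__ == "__main__":
    for guid, server, reason in static_dns_findings(LOG_BEFORE, EXPECTED_RESOLVERS):
        print(f"interface {guid}: {server} ({reason})")
    removed, remaining = verify_fix(LOG_BEFORE, LOG_AFTER, {"O6", "O17"})
    print(f"{len(removed)} entries removed, {len(remaining)} still present")
```

An empty `remaining` list only shows that the registry values are gone at scan time; the follow-up log has to be taken after a reboot to show that nothing rewrote them.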

Chef 15.10.2005 19:17

Hi,

I fixed the entries you named and made a logfile with HijackThis and eScan:

First, here is the HJT LOGFILE:

Logfile of HijackThis v1.99.1
Scan saved at 21:00:42, on 15.10.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\T-Online\T-Online_Software_5\eMail\Mail.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\kernel.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\sc_watch.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\HijackThis1\HijackThis.exe
C:\WINDOWS\System32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - h**p://software-dl.real.com/245f322aa69067388805/netzip/RdxIE601_de.cab
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Chef 15.10.2005 20:13

Hi,

I made a logfile with eScan:

PART 1


Fri Oct 14 21:51:44 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Fri Oct 14 21:51:44 2005 => Loading Spyware Signatures from new External Database (Size: 145065).
Fri Oct 14 21:52:07 2005 => Indexed Spyware Databases Successfully Created...

INFECTED

Fri Oct 14 21:52:35 2005 => System found infected with adware.toolbar.sbsoft.h Spyware/Adware ({08bec6aa-49fc-4379-3587-4b21e286c19e})! Action taken: No Action Taken.
Fri Oct 14 21:52:35 2005 => System found infected with adware.toolbar.sbsoft.h Spyware/Adware ({08bec6aa-49fc-4379-3587-4b21e286c19e})! Action taken: No Action Taken.
Fri Oct 14 21:52:35 2005 => System found infected with netster Spyware/Adware ({56336bcb-3d8a-11d6-a00b-0050da18de71})! Action taken: No Action Taken.
Fri Oct 14 21:52:55 2005 => Offending file found: C:\WINDOWS\conscorr.ini
Fri Oct 14 21:52:55 2005 => System found infected with ezula Spyware/Adware (conscorr.ini)! Action taken: No Action Taken.

Fri Oct 14 21:52:58 2005 => Offending file found: C:\WINDOWS\System32\thehun.dll
Fri Oct 14 21:52:58 2005 => System found infected with pp.dll - p0rn malware Spyware/Adware (thehun.dll)! Action taken: No Action Taken.

Fri Oct 14 21:52:58 2005 => Offending file found: C:\WINDOWS\System32\wwwbar.dll
Fri Oct 14 21:52:58 2005 => System found infected with wwwbar Spyware/Adware (wwwbar.dll)! Action taken: No Action Taken.

Fri Oct 14 21:53:13 2005 => Offending file found: C:\Dokumente und Einstellungen\ram\Favoriten\links\ebay.url
Fri Oct 14 21:53:13 2005 => System found infected with ezula Spyware/Adware (ebay.url)! Action taken: No Action Taken.


Fri Oct 14 21:53:31 2005 => ***** Scanning Registry for errors created because of Adware/Spyware *****
Fri Oct 14 21:53:31 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL". Action Taken: No Action Taken.

Fri Oct 14 21:53:31 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.

Fri Oct 14 21:55:21 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ga_main.exe" refers to invalid object "". Action Taken: No Action Taken.

Fri Oct 14 21:55:34 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Programme\Gemeinsame Dateien\Symantec Shared\Script Blocking\". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".05/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".05Websites,_Shops,_Magazine". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".2005". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".CCD". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".crmlog". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cue". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/home/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/log/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/tmp/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/usr/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/usr/include/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/usr/include/php/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/usr/kerberos/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/usr/kerberos/lib/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/var/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Assets/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Backups/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Preview/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Preview/Autogen/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Recovery/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Styles/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Styles/Airbrushed%20-%20Gold/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Styles/Airbrushed%20-%20Gold/backgrounds/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Styles/Airbrushed%20-%20Gold/lines/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Styles/Aztec/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Styles/Aztec/Images/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Styles/bfdl/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Styles/bfdl/Images/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Styles/Cityscape%20-%20Gold-1/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".de/web/first-magazin/Styles/Cityscape%20-%20Gold-1/secondary%20buttons%20rollover%20highlighted/". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dlr". Action Taken: No Action Taken.

Fri Oct 14 21:55:36 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ds". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".Ebene". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".est". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".logs/". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".logs/2005/". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".logs/2005/07/". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mpga". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".MZZZZZZZ". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pf". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".query". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sdp". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sfap0". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sfk". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ssm". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sw". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".try". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".VIR". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "OpenWithList". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Ad-aware 6 Personal". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "BargainBuddy". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "bridge". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Browser Helper". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Day of Defeat". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "eMule.de 30e v10 webservice_is1". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "JD-350". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "kazaalite202_is1". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB828028". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KYRO". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (1.0.2)". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "msbb". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Quick Home Search". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Skinner". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SX-35F and SX-35V Win95". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "T-Online Direktanwahl". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "TraXEx". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Windows SR 2.0". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Yahoo! Companion". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{1526D87C-A955-4FAB-BF18-697BA457E352}". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{3075C5C3-0807-4924-AF8F-FF27052C12AE}". Action Taken: No Action Taken.

Fri Oct 14 21:55:37 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{47D5D869-FE57-4F2F-A358-83CFAA7B4968}". Action Taken: No Action Taken.

Fri Oct 14 21:55:38 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600137}". Action Taken: No Action Taken.

Fri Oct 14 21:55:38 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600205}". Action Taken: No Action Taken.

Fri Oct 14 21:55:38 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AF8A478C-1A48-4ae0-8464-4851CD5DBB9B}". Action Taken: No Action Taken.

Fri Oct 14 21:56:11 2005 => Entry "HKCR\CLSID\{D98E820F-6ACD-4dc0-921E-9841E3D8B4A7}" refers to invalid object "E:\player\WMMP.EXE". Action Taken: No Action Taken.

Fri Oct 14 21:56:15 2005 => Entry "HKCR\CLSID\{F4C6D6E0-A8FB-4281-BE24-1662D646FE2B}" refers to invalid object "E:\player\WMMP.EXE". Action Taken: No Action Taken.

Fri Oct 14 21:56:16 2005 => Entry "HKCR\CLSID\{FBE840E5-13A5-4cff-B2A9-4D1E64A17FF2}" refers to invalid object "E:\player\WMMP.EXE". Action Taken: No Action Taken.

Fri Oct 14 21:56:31 2005 => Entry "HKCR\ed2k\shell\open\command" refers to invalid object ""G:\eMule.de\emule.exe" "%1"". Action Taken: No Action Taken.

Fri Oct 14 21:56:34 2005 => Entry "HKCR\magnet\shell\open\command" refers to invalid object ""G:\Kazaa Lite\KMagnet.exe" "%L"". Action Taken: No Action Taken.

Cidre 15.10.2005 20:18

Hello Chef,

also edit the active links in the 3rd HJT log file.
Afterwards, run Find.bat and post the requested virus log information for us, since your attachments are not easy to read and not everyone necessarily wants to open them.

EDIT:
You have defused the links in the meantime.

Chef 15.10.2005 20:31

PART 2


Sat Oct 15 00:28:55 2005 => Scanning File C:\WINDOWS\system32\dmscript.dll
Sat Oct 15 00:28:55 2005 => Scanning File C:\WINDOWS\system32\dmserver.dll
Sat Oct 15 00:28:55 2005 => Scanning File C:\WINDOWS\system32\dmstyle.dll
Sat Oct 15 00:28:55 2005 => Scanning File C:\WINDOWS\system32\dmsxw.exe
Sat Oct 15 00:28:55 2005 => File C:\WINDOWS\system32\dmsxw.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:55 2005 => Scanning File C:\WINDOWS\system32\dmsynth.dll
Sat Oct 15 00:28:55 2005 => Scanning File C:\WINDOWS\system32\dmukc.exe
Sat Oct 15 00:28:55 2005 => File C:\WINDOWS\system32\dmukc.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:55 2005 => Scanning File C:\WINDOWS\system32\dmusic.dll
Sat Oct 15 00:28:56 2005 => Scanning File C:\WINDOWS\system32\dmutil.dll
Sat Oct 15 00:28:56 2005 => Scanning File C:\WINDOWS\system32\dmvhh.exe
Sat Oct 15 00:28:56 2005 => File C:\WINDOWS\system32\dmvhh.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:56 2005 => Scanning File C:\WINDOWS\system32\dmview.ocx
Sat Oct 15 00:28:56 2005 => Scanning File C:\WINDOWS\system32\dmvru.exe
Sat Oct 15 00:28:56 2005 => File C:\WINDOWS\system32\dmvru.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:56 2005 => Scanning File C:\WINDOWS\system32\dmvuy.exe
Sat Oct 15 00:28:56 2005 => File C:\WINDOWS\system32\dmvuy.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:56 2005 => Scanning File C:\WINDOWS\system32\dmxvo.exe
Sat Oct 15 00:28:56 2005 => File C:\WINDOWS\system32\dmxvo.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:32:22 2005 => Scanning File C:\WINDOWS\system32\vdkzr.exe
Sat Oct 15 00:32:22 2005 => File C:\WINDOWS\system32\vdkzr.exe infected by "Trojan.Win32.DNSChanger.aa" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:33:12 2005 => Scanning File C:\WINDOWS\Web\desktop.html
Sat Oct 15 00:33:12 2005 => File C:\WINDOWS\Web\desktop.html infected by "Trojan.Win32.TopAntiSpyware.a" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:54 2005 => Scanning File C:\WINDOWS\system32\dmgqk.exe
Sat Oct 15 00:28:54 2005 => File C:\WINDOWS\system32\dmgqk.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:54 2005 => Scanning File C:\WINDOWS\system32\dmime.dll
Sat Oct 15 00:28:54 2005 => Scanning File C:\WINDOWS\system32\dmintf.dll
Sat Oct 15 00:28:54 2005 => Scanning File C:\WINDOWS\system32\dmizl.exe
Sat Oct 15 00:28:54 2005 => File C:\WINDOWS\system32\dmizl.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:54 2005 => Scanning File C:\WINDOWS\system32\dmkks.exe
Sat Oct 15 00:28:54 2005 => File C:\WINDOWS\system32\dmkks.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:54 2005 => Scanning File C:\WINDOWS\system32\dmloader.dll
Sat Oct 15 00:28:54 2005 => Scanning File C:\WINDOWS\system32\dmnup.exe
Sat Oct 15 00:28:54 2005 => File C:\WINDOWS\system32\dmnup.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:54 2005 => Scanning File C:\WINDOWS\system32\dmocx.dll
Sat Oct 15 00:28:55 2005 => Scanning File C:\WINDOWS\system32\dmplo.exe
Sat Oct 15 00:28:55 2005 => File C:\WINDOWS\system32\dmplo.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:55 2005 => Scanning File C:\WINDOWS\system32\dmpxx.exe
Sat Oct 15 00:28:55 2005 => File C:\WINDOWS\system32\dmpxx.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:55 2005 => Scanning File C:\WINDOWS\system32\dmpyv.exe
Sat Oct 15 00:28:55 2005 => File C:\WINDOWS\system32\dmpyv.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.

Sat Oct 15 00:28:55 2005 => Scanning File C:\WINDOWS\system32\dmremote.exe
Sat Oct 15 00:28:55 2005 => Scanning File C:\WINDOWS\system32\dmrko.exe
Sat Oct 15 00:28:55 2005 => File C:\WINDOWS\system32\dmrko.exe infected by "Trojan-Dropper.Win32.Vidro.x" Virus! Action Taken: No Action Taken.



TAGGED

Fri Oct 14 22:06:13 2005 => Scanning File C:\Dokumente und Einstellungen\ram\Desktop\backups\backup-20050919-195456-261.dll
Fri Oct 14 22:06:13 2005 => File C:\Dokumente und Einstellungen\ram\Desktop\backups\backup-20050919-195456-261.dll tagged as "not-a-virus:AdWare.Win32.SBSoft.h". Action Taken: No Action Taken.

Sat Oct 15 00:31:04 2005 => Scanning File C:\WINDOWS\system32\pbmcn.dll
Sat Oct 15 00:31:04 2005 => File C:\WINDOWS\system32\pbmcn.dll tagged as "not-a-virus:AdWare.Win32.SBSoft.h". Action Taken: No Action Taken.



NEW HJT LOGFILE


Logfile of HijackThis v1.99.1
Scan saved at 21:21:53, on 15.10.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\T-Online\T-Online_Software_5\eMail\Mail.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\kernel.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\sc_watch.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\HijackThis1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - h**p://software-dl.real.com/245f322aa69067388805/netzip/RdxIE601_de.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{82CD7480-0CE8-46E8-8FC7-A6796655F7C8}: NameServer = 195.95.218.19,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{A12CA277-1D33-4C7A-AC7D-F7EA61255549}: NameServer = 195.95.218.19,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{E792BA6B-A06E-4760-AE0E-C9BD1B5CB77C}: NameServer = 195.95.218.19,85.255.112.6
O18 - Protocol: haufereader - {39198710-62F7-42CD-9458-069843FA5D32} - C:\Programme\Haufe\HaufeReader\HRInstmon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Cidre 15.10.2005 20:50

Oh come on, Chef, why don't you do us the favor and post the virus log information after running Find.bat?

chaosman 15.10.2005 20:55

@Chef

http://www.sophos.com/virusinfo/anal...ojsmalloy.html
download Adaware
and Spybot
update both programs

update the system and IE to SP2, order it on CD

let both programs scan one after the other, delete what is suggested.

Delete all finds from part 2.

reboot, post a new HJT logfile
chaosman

