Logfile of HijackThis v1.99.1
Scan saved at 18:30:29, on 25.12.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\Programme\ewido anti-malware\ewidoctrl.exe
C:\Programme\ewido anti-malware\ewidoguard.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\PROGRA~1\eScan\TRAYICOS.EXE
C:\PROGRA~1\eScan\MAILDISP.EXE
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\PROGRA~1\eScan\avpm.exe
C:\PROGRA~1\eScan\SPOOLER.EXE
C:\PROGRA~1\eScan\MAILSCAN.EXE
C:\PROGRA~1\eScan\kavss.exe
C:\PROGRA~1\eScan\AvpM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\XXXX\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {789E6ACA-7D9C-0143-CDA9-054F4543DB2C} - C:\WINDOWS\javabx.dll
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Programme\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - h**p://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - h**p://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - h**p://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EC1CA3D-759B-4139-A954-3B8BC2E9EF5C}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BE14023-1AC4-4FD2-AA4E-3E9C572525E4}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{75527333-9AB0-4543-8FDD-2F5A709CFE27}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EC1CA3D-759B-4139-A954-3B8BC2E9EF5C}: NameServer = 192.168.0.1
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe
O23 - Service: eScan Server-Updater (eScan-trayicos) - MicroWorld Technologies Inc. - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido anti-malware\ewidoguard.exe
O23 - Service: eScan Monitor Service (KAVMonitorService) - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe
REGEDIT4
; Registry Search by Bobbi Flekman
; Version: 1.0.2.1
; Results at 25.12.2005 18:23:31 for strings:
; '11fßä�#·ºÄÖ`i'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000]
"Service"=" 11Fßä�#·ºÄÖ`I"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000]
"Service"=" 11Fßä�#·ºÄÖ`I"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ 11Fßä�#·ºÄÖ`I]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ 11Fßä�#·ºÄÖ`I\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY__11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I\0000]
"Service"=" 11Fßä�#·ºÄÖ`I"
; End Of The Log...
---------------------------------------------------------
ewido anti-malware - Scan Report
---------------------------------------------------------
+ Erstellt am: 17:22:22, 25.12.2005
+ Report-Checksumme: F227BBE0
+ Scanergebnis:
HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\CLSID\{88A231A2-F032-EDB4-2CC3-64FC896F8F22} -> Spyware.CoolWebSearch : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\CLSID\{EDB041DC-4D4D-649F-F3B9-249E35ABBEF0} -> Spyware.CoolWebSearch : Gesäubert mit Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Gesäubert mit Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Gesäubert mit Backup
HKU\S-1-5-21-602162358-1060284298-504175379-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EDB041DC-4D4D-649F-F3B9-249E35ABBEF0} -> Spyware.CoolWebSearch : Gesäubert mit Backup
C:\Programme\AVPersonal\INFECTED\IPKX.EXE.VIR -> Downloader.Agent.td : Gesäubert mit Backup
C:\Programme\AVPersonal\INFECTED\ipkx.VIR -> Downloader.Agent.td : Gesäubert mit Backup
C:\Programme\AVPersonal\INFECTED\IPTF.EXE.VIR -> Trojan.Agent.bi : Gesäubert mit Backup
C:\Programme\AVPersonal\INFECTED\NTWM32.EXE.VIR -> Downloader.Agent.td : Gesäubert mit Backup
C:\Programme\AVPersonal\INFECTED\SDKOS.EXE.VIR -> Trojan.Agent.bi : Gesäubert mit Backup
C:\Programme\eScan\scaninst.exe -> Heuristic.Win32.AVKiller : Gesäubert mit Backup
::Report Ende
"Silent Runners.vbs", revision 41, h**p://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
"MailScan Dispatcher" = ""C:\Programme\eScan\LAUNCH.EXE"" ["MicroWorld Technologies Inc."]
"eScan Updater" = "C:\PROGRA~1\eScan\TRAYICOS.EXE /App" ["MicroWorld Technologies Inc."]
"eScan Monitor" = "C:\PROGRA~1\eScan\AVPMWrap.EXE" ["MicroWorld Technologies Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{789E6ACA-7D9C-0143-CDA9-054F4543DB2C}\(Default) = "Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\javabx.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]
Enabled Scheduled Tasks:
------------------------
"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
mwtsp.dll ["MicroWorld Technologies Inc."], 01 - 19, 39
%SystemRoot%\system32\mswsock.dll [MS], 20 - 22, 25 - 38
%SystemRoot%\system32\rsvpsp.dll [MS], 23 - 24
Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
Dormant Explorer Bars in "View, Explorer Bar" menu
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]
All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------
AntiVir Service, AntiVirService, ""C:\Programme\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Dienst für Seriennummern der tragbaren Medien, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
eScan Monitor Service, KAVMonitorService, "C:\PROGRA~1\eScan\avpm.exe /service" ["Kaspersky Labs."]
eScan Server-Updater, eScan-trayicos, "C:\PROGRA~1\eScan\TRAYSSER.EXE" ["MicroWorld Technologies Inc."]
ewido security suite control, ewido security suite control, "C:\Programme\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
HTTP-SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Netzwerkversorgungsdienst, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}
Office Source Engine, ose, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
TuneUp WinStyler Theme Service, TUWinStylerThemeSvc, ""C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe"" ["TuneUp Software GmbH"]
Verwaltungsdienst für die Verwaltung logischer Datenträger, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMI-Leistungsadapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V3 2KMonitor352\Driver = "E_SL2352.DLL" ["SEIKO EPSON CORPORATION"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 20 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 15 seconds.
---------- (total run time: 70 seconds)
Würde ich das von eScan noch posten, würde das eindeutig den Rahmen sprengen.
Aber eScan hat nix gefunden.
Ich habe in der Software-Umgebung einen Eintrag namens Home Search Assistent gefunden.
[edit]
links entfernt
[/edit] |
