Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Hijack-logfile....pc langsam (https://www.trojaner-board.de/53405-hijack-logfile-pc-langsam.html)

stefanr. 03.06.2008 22:17
Hijack-logfile....pc langsam
 
N'abend! Habe folgendes Problem... Mein PC ist in letzter Zeit Sau-lahm, besonders während er die dateien aus dem autostart lädt...ausserdem nimmt er bei einem posting wie diesem hier beim tippen nicht jeden buchstabn an und der cursor flackert.

Hier mal mein logfile

Logfile of HijackThis v1.99.1
Scan saved at 23:07:46, on 03.06.2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [recinfo245] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [fsc-reg] C:\ProgramData\fsc-reg\fscreg.exe 20080525
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\******~1\AppData\Local\Temp\tuvSiGVP.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\******~1\AppData\Local\Temp\efcDUkLf.dll,c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [cc9780b8] rundll32.exe "C:\Users\******~1\AppData\Local\Temp\ywskqpjg.dll",b
O4 - HKCU\..\Run: [BMcfa4b324] Rundll32.exe "C:\Users\******~1\AppData\Local\Temp\yfjyucli.dll",s
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: FSCLBaseUpdaterService - Unknown owner - C:\Program Files\Fujitsu Siemens Computers\FSCLounge\FSCWBaseUpdaterService\2\FSCWBaseUpdaterService.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - c:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe



schönen dank schonmal im vorraus!
Ausserdem öffnet mein inetexplorer immer wieder neue fenster und öffnet about:blank :/

myrtille 04.06.2008 20:38
Hi,
arbeite bitte folgendes ab:

Erstelle ein Hijackthis log mit der aktuellen Version!

Deinstalliere danach eines deiner Antivirenprogramme. Mehrere Antivirenprogramme verringern die Sicherheit deines Systems und bremsen es aus.
Solltest du Symantec deinstallieren wollen, nutze bitte das Removaltool. Antivir kann einfach über Start->Systemsteuerung->Software deinstalliert werden.

Führe danach einen Scan mit Malwarebytes durch und lasse alle Funde löschen. Poste das Log hier.

Erstelle zum Schluss ein Log mit DSS und poste es ebenfalls hier.
DSS
  • Lade dir DSS
  • Schließe alle Anwendungen und führe DSS.exe dann mit einem Doppelklick aus
  • Führe während DSS arbeitet bitte keine anderen Aktionen durch
  • Am Ende öffnen sich 2 Datein main.txt und extra.txt
  • Poste den Inhalt beider Dateien hier

Danach sehen wir weiter :)

lg myrtille

stefanr. 05.06.2008 11:52
Also erstmal schönen Dank für die schnelle Hilfe!

So dann mal los...
Hier erstmal das HJT logfile der aktuellen version

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:07:29, on 05.06.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\rundll32.exe
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Stefan Roelofs\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [recinfo245] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [fsc-reg] C:\ProgramData\fsc-reg\fscreg.exe 20080525
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\STEFAN~1\AppData\Local\Temp\ljJYSmkI.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\STEFAN~1\AppData\Local\Temp\efcDUkLf.dll,c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BMcfa4b324] Rundll32.exe "C:\Users\STEFAN~1\AppData\Local\Temp\yfjyucli.dll",s
O4 - HKCU\..\Run: [cc9780b8] rundll32.exe "C:\Users\STEFAN~1\AppData\Local\Temp\cvfbcupq.dll",b
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O13 - Gopher Prefix:
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FSCLBaseUpdaterService - Unknown owner - C:\Program Files\Fujitsu Siemens Computers\FSCLounge\FSCWBaseUpdaterService\2\FSCWBaseUpdaterService.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - c:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7452 bytes


dann hab ich erstmal avira antivir entfernt, was die sache schon mal ne ganze ecke schneller machte...


dann kommt jetzt das malwarebytes log

Code:
Malwarebytes' Anti-Malware 1.14
Datenbank Version: 826

12:14:09 05.06.2008
mbam-log-6-5-2008 (12-14-09).txt

Scan Art: Komplett Scan (C:\|D:\|)
Objekte gescannt: 143024
Scan Dauer: 48 minute(s), 44 second(s)

Infizierte Speicher Prozesse: 0
Infizierte Speicher Module: 3
Infizierte Registrierungsschlüssel: 3
Infizierte Registrierungswerte: 4
Infizierte Datei Objekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 40

Infizierte Speicher Prozesse:
(Keine Malware Objekte gefunden)

Infizierte Speicher Module:
C:\Users\***\AppData\Local\Temp\cvfbcupq.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Users\***\AppData\Local\Temp\cbXQGXRH.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Users\***\AppData\Local\Temp\cudfyuuo.dll (Trojan.Vundo) -> Unloaded module successfully.

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cc9780b8 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMcfa4b324 (Trojan.Agent) -> Quarantined and deleted successfully.

Infizierte Datei Objekte der Registrierung:
(Keine Malware Objekte gefunden)

Infizierte Verzeichnisse:
(Keine Malware Objekte gefunden)

Infizierte Dateien:
C:\Users\***\AppData\Local\Temp\cvfbcupq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\cbXQGXRH.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2M72LKLC\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X2ARG17E\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Users\***\AppData\Local\Temp\cudfyuuo.dll (Trojan.Vundo) -> Delete on reboot.
C:\Users\***\AppData\Local\Temp\ssqNExWN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp0001aade (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp0001bde1 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp0001beac (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp0001fd61 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00020e80 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00021219 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00023d5d (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp000242ba (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp000244bc (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp000245d5 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00024f86 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00025540 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00026b7e (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00026bfb (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00027c11 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00028a92 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00029a2c (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00029ecd (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp0002a997 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp0002cd2d (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp0002cd4c (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00030c5e (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp0003193a (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00034597 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp000398f4 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00047bd3 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp0005141c (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\tmp00167407 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\uiclelag.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\vaqplahc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\xddftswp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\ywskqpjg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\efcDUkLf.dll (Trojan.Agent) -> Delete on reboot.
C:\Users\***\AppData\Local\Temp\hbpkttpt.dll (Trojan.Agent) -> Delete on reboot.



die gefundenen sachen hab ich gelöscht

stefanr. 05.06.2008 11:57
und dann dss.exe laufen lassen...hier die logfiles davon


Code:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium  (build 6001) SP 1.0
Architecture: X86; Language: German

CPU 0: AMD Turion(tm) 64 X2 Mobile Technology TL-56
Percentage of Memory in Use: 33%
Physical Memory (total/avail): 2046.26 MiB / 1355.97 MiB
Pagefile Memory (total/avail): 4331.06 MiB / 3435.61 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1889.88 MiB

C: is Fixed (NTFS) - 148.1 GiB total, 111.21 GiB free.
D: is Fixed (NTFS) - 73.07 GiB total, 72.49 GiB free.
E: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - WDC WD25 00BEVS-22UST SCSI Disk Device - 232.88 GiB - 3 partitions
  \PARTITION0 - Unknown - 11.72 GiB
  \PARTITION1 (bootable) - Installierbares Dateisystem - 148.1 GiB - C:
  \PARTITION2 - Installierbares Dateisystem - 73.07 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: Norton Internet Security v2007 (Symantec Corporation) Disabled
AV: Norton Internet Security v2007 (Symantec Corporation)
AS: Windows-Defender v1.1.1505.0 (Microsoft Corporation) Disabled
AS: Norton Internet Security v2007 (Symantec Corporation) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\***\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=***-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\***
LOCALAPPDATA=C:\Users\***\AppData\Local
LOGONSERVER=\\***-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 72 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4802
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\STEFAN~1\AppData\Local\Temp
TMP=C:\Users\STEFAN~1\AppData\Local\Temp
USERDOMAIN=***-PC
USERNAME=***
USERPROFILE=C:\Users\***
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

***


-- Add/Remove Programs ---------------------------------------------------------

 --> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
 --> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
 --> C:\Windows\UNNeroShowTime.exe /UNINSTALL
 --> C:\Windows\UNNeroVision.exe /UNINSTALL
 --> C:\Windows\UNRecode.exe /UNINSTALL
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0407-0000-0000000FF1CE} /uninstall {DCBECE36-8F23-4B33-925E-A1C6183C0DBD}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0407-0000-0000000FF1CE} /uninstall {DCBECE36-8F23-4B33-925E-A1C6183C0DBD}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0407-0000-0000000FF1CE} /uninstall {DCBECE36-8F23-4B33-925E-A1C6183C0DBD}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0407-0000-0000000FF1CE} /uninstall {2AB528A5-BB1B-4EBE-8E51-AD0C4CD33CA9}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0410-0000-0000000FF1CE} /uninstall {58FC5E37-DD28-4D4A-A549-125744C6763C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0407-0000-0000000FF1CE} /uninstall {888B9AC7-8F5C-456B-A27A-157A6C310E52}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0407-0000-0000000FF1CE} /uninstall {DCBECE36-8F23-4B33-925E-A1C6183C0DBD}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Activation Assistant for the 2007 Microsoft Office suites --> "C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000101}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5101}
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\UninstFl.exe -q
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-119F-4D52-B551-6739B2B22101}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 - Deutsch --> MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-0C40-4930-9AFE-113BCE553101}
ALPS Touch Pad Driver --> C:\Program Files\Apoint2K\Uninstap.exe ADDREMOVE
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Bison WebCam --> Rundll32.exe BisonRem.dll,WinMainRmv
BMW TV Version 1.5.0 --> "C:\Program Files\BMW\BMW TV\unins000.exe"
Canon PIXMA iP3000 --> C:\Windows\system32\CNMCP61.exe "-PRINTERNAMECanon PIXMA iP3000" "-HELPERDLLC:\BJPrinter\CNMWindows\Canon PIXMA iP3000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWindows\Canon PIXMA iP3000 Installer\Inst2\cnmi0407.dll"
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Compatibility Pack für 2007 Office System --> MsiExec.exe /X{90120000-0020-0407-0000-0000000FF1CE}
Easy-WebPrint --> C:\Windows\IsUn0407.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
FirstSteps Diagnostics --> MsiExec.exe /X{94D66D71-12F0-48A5-B46A-D4B835A0F1B7}
Free Windows Registry Cleaner 1.1 --> "C:\Program Files\Free Windows Registry Cleaner\unins000.exe"
FRITZ!Box --> C:\Program Files\FRITZ!Box\install.exe -d
FSCLounge --> MsiExec.exe /I{9A3BC157-B94F-4EFD-ABA9-1E56DEB00655}
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F10001\UIU32m.exe -U -IPDAZLCMzK.inf
ICQ 5.1 --> C:\Program Files\ICQLite\ICQLiteUninstall.EXE
InterVideo WinDVD 8 --> C:\Program Files\InstallShield Installation Information\{20471B27-D702-4FE8-8DEC-0702CC8C0A85}\setup.exe -runfromtemp -l0x0407
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Excel MUI (German) 2007 --> MsiExec.exe /X{90120000-0016-0407-0000-0000000FF1CE}
Microsoft Office Home and Student 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007 --> MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (German) 2007 --> MsiExec.exe /X{90120000-00A1-0407-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (German) 2007 --> MsiExec.exe /X{90120000-0018-0407-0000-0000000FF1CE}
Microsoft Office PowerPoint Viewer 2007 (German) --> MsiExec.exe /X{95120000-00AF-0407-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007 --> MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proof (Italian) 2007 --> MsiExec.exe /X{90120000-001F-0410-0000-0000000FF1CE}
Microsoft Office Proofing (German) 2007 --> MsiExec.exe /X{90120000-002C-0407-0000-0000000FF1CE}
Microsoft Office Shared MUI (German) 2007 --> MsiExec.exe /X{90120000-006E-0407-0000-0000000FF1CE}
Microsoft Office Word MUI (German) 2007 --> MsiExec.exe /X{90120000-001B-0407-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{39D0E034-1042-4905-BECB-5502909FCB7C}
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
n-tv plus --> MsiExec.exe /X{DFFA4AEC-B0D9-43E6-A7FE-CA8E1D2229AE}
Need for Speed Underground 2 --> C:\Program Files\EA GAMES\Need for Speed Underground 2\EAUninstall.exe
Need for Speed™ Most Wanted --> C:\Program Files\EA GAMES\Need for Speed Most Wanted\EAUninstall.exe
Nero 7 Essentials --> MsiExec.exe /X{81CD6232-10F5-4832-B3DA-1B88B1571031}
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security --> MsiExec.exe /I{3672B097-EA69-4bfe-B92F-29AE6D9D2B34}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447A-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_1_0_26\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
Power Manager 2.1.7 --> "C:\Program Files\Power Manager\unins000.exe"
PowerDV --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B804C424-B66D-447A-84BD-C6B88C392C3A}\setup.exe"  -uninstall
Premiere Internet TV Version 1.2.3 --> "C:\Program Files\Premiere\Premiere Internet TV\unins000.exe"
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Symantec Real Time Storage Protection Component --> MsiExec.exe /I{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
TopSpin --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{1EC73FB6-97FD-48EE-8100-CA969A56E727} /l1031
Update for Office 2007 (KB946691) --> msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
WinRAR --> C:\Program Files\WinRAR\uninstall.exe
YAVIDO --> MsiExec.exe /I{4C3EF687-803F-4825-B815-04AE32DDEB41}
ZDFmediathek Version 1.4.0 --> "C:\Program Files\ZDF\ZDFmediathek\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type6130 / Success
Event Submitted/Written: 06/05/2008 00:24:28 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type6127 / Success
Event Submitted/Written: 06/05/2008 00:24:20 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type6120 / Success
Event Submitted/Written: 06/05/2008 00:24:06 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
Der Softwarelizenzierungsdienst wurde gestartet.

Event Record #/Type6100 / Warning
Event Submitted/Written: 06/05/2008 00:22:04 PM
Event ID/Source: 1530 / profsvc
Event Description:
Es wurde festgestellt, dass Ihre Registrierungsdatei noch von anderen Anwendungen oder Diensten verwendet wird. Die Datei wird nun entladen. Die Anwendungen oder Dienste, die Ihre Registrierungsdatei anhalten, funktionieren anschließend u. U. nicht mehr ordnungsgemäß. 

 DETAIL -
 1 user registry handles leaked from \Registry\User\S-1-5-21-3231974552-3300285612-2814474537-1000_Classes:
Process 960 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3231974552-3300285612-2814474537-1000_CLASSES

Event Record #/Type6099 / Warning
Event Submitted/Written: 06/05/2008 00:22:02 PM
Event ID/Source: 1530 / profsvc
Event Description:
Es wurde festgestellt, dass Ihre Registrierungsdatei noch von anderen Anwendungen oder Diensten verwendet wird. Die Datei wird nun entladen. Die Anwendungen oder Dienste, die Ihre Registrierungsdatei anhalten, funktionieren anschließend u. U. nicht mehr ordnungsgemäß. 

 DETAIL -
 1 user registry handles leaked from \Registry\User\S-1-5-21-3231974552-3300285612-2814474537-1000:
Process 960 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3231974552-3300285612-2814474537-1000



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type35345 / Error
Event Submitted/Written: 06/05/2008 00:30:51 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
RAS-VerbindungsverwaltungTelefonie%%1058

Event Record #/Type35344 / Error
Event Submitted/Written: 06/05/2008 00:30:51 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
RAS-VerbindungsverwaltungTelefonie%%1058

Event Record #/Type35343 / Error
Event Submitted/Written: 06/05/2008 00:30:50 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
RAS-VerbindungsverwaltungTelefonie%%1058

Event Record #/Type35342 / Error
Event Submitted/Written: 06/05/2008 00:30:50 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
RAS-VerbindungsverwaltungTelefonie%%1058

Event Record #/Type35341 / Error
Event Submitted/Written: 06/05/2008 00:30:47 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
RAS-VerbindungsverwaltungTelefonie%%1058



-- End of Deckard's System Scanner: finished at 2008-06-05 12:35:37 ------------

stefanr. 05.06.2008 11:58
und das 2. logfile (main.txt)

Code:
Deckard's System Scanner v20071014.68
Run by *** on 2008-06-05 12:27:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 4 Restore Point(s) --
4: 2008-06-04 23:34:09 UTC - RP44 - Avira AntiVir Personal - 05.06.2008 01:34
3: 2008-06-04 11:06:16 UTC - RP42 - Windows Update
2: 2008-06-03 14:41:30 UTC - RP41 - Installiert TopSpin
1: 2008-05-30 11:57:46 UTC - RP39 - Windows Vista Service Pack 1


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-05 12:30:15
Platform: Windows Vista Service Pack 1 (6.00.6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Windows\System32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Windows\System32\taskeng.exe
C:\Users\***\Desktop\dss.exe
C:\Windows\System32\msfeedssync.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBHO.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [recinfo245] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [fsc-reg] C:\ProgramData\fsc-reg\fscreg.exe 20080525
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BMcfa4b324] Rundll32.exe "C:\Users\***~1\AppData\Local\Temp\hbpkttpt.dll",s
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\***~1\AppData\Local\Temp\efcDUkLf.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FSCLBaseUpdaterService - Unknown owner - C:\Program Files\Fujitsu Siemens Computers\FSCLounge\FSCWBaseUpdaterService\2\FSCWBaseUpdaterService.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\FirstSteps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\System32\drivers\XAudio.exe


--
End of file - 7884 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 FSCLBaseUpdaterService - "c:\program files\fujitsu siemens computers\fsclounge\fscwbaseupdaterservice\2\fscwbaseupdaterservice.exe" <Not Verified; ; FSCWBaseUpdaterService>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
R2 TestHandler (Fujitsu Siemens Computers Diagnostic Testhandler) - c:\firststeps\onlinediagnostic\testmanager\testhandler.exe <Not Verified; Fujitsu Siemens Computers; ServerView Online Diagnostic>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-05 12:30:32      436 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{DAE356E8-372C-4183-92BE-0DC63E1AA68F}.job
2008-05-30 23:03:42      542 --a------ C:\Windows\Tasks\Norton Internet Security - Vollständige Systemprüfung ausführen - ***.job


-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-05 11:21:15        0 d-------- C:\Users\All Users\Malwarebytes
2008-06-05 11:21:13        0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-04 15:13:22        0 d-------- C:\Program Files\Free Windows Registry Cleaner
2008-06-03 20:54:34        0 d-------- C:\HiJack
2008-06-03 16:43:27        0 d-------- C:\Program Files\Atari
2008-05-30 17:00:44        0 d-------- C:\PerfLogs
2008-05-30 15:55:47    152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Betriebssystem Microsoft® Windows®>
2008-05-30 13:57:18        0 d-------- C:\7ce44ce813ca5e666c050cd0ff
2008-05-30 00:11:05        0 d-------- C:\Users\All Users\Avira
2008-05-22 23:14:39        0 d-------- C:\Users\All Users\Adobe Systems
2008-05-22 23:07:48        0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-18 23:35:41        0 d-------- C:\Program Files\ICQLite
2008-05-13 13:13:11        0 d-------- C:\Program Files\EURO I AG


-- Find3M Report ---------------------------------------------------------------

2008-06-05 12:31:08    618430 --a------ C:\Windows\system32\perfh007.dat
2008-06-05 12:31:08    122648 --a------ C:\Windows\system32\perfc007.dat
2008-06-05 12:24:37    49774 --a------ C:\Users\***\AppData\Roaming\nvModes.001
2008-06-05 11:21:51        0 d-------- C:\Users\***\AppData\Roaming\Malwarebytes
2008-06-05 00:53:23    49774 --a------ C:\Users\***\AppData\Roaming\nvModes.dat
2008-06-03 17:20:17        0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-03 16:40:59        0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-02 00:14:31        12 --a------ C:\Windows\bthservsdp.dat
2008-05-30 17:48:44      174 --ahs---- C:\Program Files\desktop.ini
2008-05-30 17:26:39        0 d-------- C:\Program Files\Windows Sidebar
2008-05-30 17:26:39        0 d-------- C:\Program Files\Windows Calendar
2008-05-30 17:26:39        0 d-------- C:\Program Files\Movie Maker
2008-05-30 17:26:38        0 d-------- C:\Program Files\Windows Mail
2008-05-30 17:26:38        0 d-------- C:\Program Files\Windows Collaboration
2008-05-30 17:26:37        0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-30 17:26:37        0 d-------- C:\Program Files\Windows Journal
2008-05-30 17:26:33        0 d-------- C:\Program Files\Windows Defender
2008-05-26 22:00:31      2415 --a------ C:\Windows\KernelMessage
2008-05-25 23:31:58        0 d-------- C:\Users\***\AppData\Roaming\Adobe
2008-05-22 23:24:14        0 d-------- C:\Users\***\AppData\Roaming\Opera
2008-05-22 23:08:50        0 d-------- C:\Program Files\Common Files\Adobe
2008-05-22 23:07:48        0 d-------- C:\Program Files\Common Files
2008-05-18 23:37:59        0 d-------- C:\Users\***\AppData\Roaming\ICQLite
2008-05-13 12:57:29        0 d-------- C:\Users\***\AppData\Roaming\CyberLink
2008-05-08 23:28:25        0 d-------- C:\Users\***\AppData\Roaming\WinRAR
2008-04-30 23:30:55        0 d-------- C:\Users\***\AppData\Roaming\Ahead
2008-04-29 23:06:37        0 d-------- C:\Program Files\EA GAMES
2008-04-27 23:41:01        0 d-------- C:\Program Files\FRITZ!Box
2008-04-27 09:50:37        0 d-------- C:\Program Files\Norton Internet Security
2008-04-27 09:50:37        0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-25 23:34:59        0 d-------- C:\Users\***\AppData\Roaming\InterVideo
2008-04-25 17:04:58        0 d-------- C:\Program Files\ZDF
2008-04-25 16:56:12        0 d-------- C:\Program Files\BMW
2008-04-25 16:46:49        0 d-------- C:\Program Files\Premiere
2008-04-25 16:38:33        0 d-------- C:\Program Files\n-tv
2008-04-25 13:33:54        0 d-------- C:\Program Files\Canon
2008-04-25 13:24:19        0 d-------- C:\Program Files\Miranda IM
2008-04-25 13:18:07        0 d-------- C:\Users\***\AppData\Roaming\ICQ
2008-04-25 12:24:15        0 d-------- C:\Users\***\AppData\Roaming\Macromedia
2008-04-25 12:22:46        0 d-------- C:\Program Files\Activation Assistant for the 2007 Microsoft Office suites
2008-04-25 12:18:54        0 d-------- C:\Program Files\Fujitsu Siemens Computers
2008-04-25 12:16:14        0 d-------- C:\Users\***\AppData\Roaming\Identities
2008-04-25 12:08:31        0 d-------- C:\Program Files\Windows NT
2008-04-25 12:08:31        0 d--hs---- C:\Program Files\Gemeinsame Dateien


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [18.01.2008 23:38]
"RtHDVCpl"="RtHDVCpl.exe" [18.01.2007 14:46 C:\Windows\RtHDVCpl.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [07.11.2006 20:57]
"PowerManager"="C:\Program Files\Power Manager\PM.exe" [13.03.2007 16:01]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [26.02.2007 21:46]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [25.10.2006 00:08]
"osCheck"="c:\Program Files\Norton Internet Security\osCheck.exe" [27.10.2006 02:18]
"recinfo245"="c:\RecInfo\RecInfo.exe" [23.10.2007 14:52]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [19.07.2007 01:31]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [19.07.2007 01:31]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [19.07.2007 01:31]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [30.05.2008 01:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fsc-reg"="C:\ProgramData\fsc-reg\fscreg.exe" [08.11.2007 15:38]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [18.01.2008 23:33]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18.01.2008 23:33]
"BMcfa4b324"="C:\Users\***~1\AppData\Local\Temp\hbpkttpt.dll,s" []
"cmds"="C:\Users\***~1\AppData\Local\Temp\efcDUkLf.dll,c" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"C:\Program Files\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService        nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted        hidserv WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum UxSms
bthsvcs        BthServ

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-05 12:35:37 ------------

so das ist hoffentlich alles, was du benötigst :)
Grüße, Stefan

myrtille 05.06.2008 12:03
Hi,

Zitat:
C:\Windows\system32\SPWizUI.dll
lass die Datei bitte mal bei virustotal auswerten und poste die kompletten Ergebnisse hier.
(Wenn du die Datei hochlädst und oben auf der Seite Die Datei wurde bereits analysiert: erscheint. Klicke bitte unten auf den Link neben Permalink: und poste den Inhalt der erscheinenden Seite.).

Was macht der Rechner?

lg myrtille

stefanr. 05.06.2008 19:03
N'abend!
Also der Rechner arbeitet Prima... die beschriebenen Probleme sind so gut wie weg... die CPU-auslastung ist Stabil zwischen 10 und 20% lag vorher wechselnd zwischen 40 und 100 %...
hier das Protokoll der Überprüfung von SPWizUI.dll:

Code:
Datei SPWizUI.dll empfangen 2008.04.27 00:46:46 (CET)
Status: Beendet

Ergebnis: 1/32 (3.12%)
 Filter Drucken der Ergebnisse 
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - -
Fortinet - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - BlockReason.0
weitere Informationen
MD5: 562f9c10ed7a3092e177dc936a5364e6
SHA1: 29880609110ca6968b0b42fff4088d0a98a466a7
SHA256: bd2fd1bf5b65feb4b1ee15afbf0f7d6b40a0646251131748413cefc9b30d28b3
SHA512: 3f441aa13814a9c68a1bbf005ad826ef76b094bc6b181ab03385e9c949091ab5a7eb9951fc834f3651276c5d9f366e6d5db2e50624165a7e6788d53c7dd104a1
Danke nochmal und schöne Grüße, Stefan

myrtille 05.06.2008 19:27
Hi,
die Datei scheint tatsächlich zu Windows zu gehören. :D Bzw zum SP1.

Es bleiben noch 2-3 Einträge zu fixen:
Fixen
  • Hijackthis aufrufen
  • Do a system scan only anklicken
  • Haken vor die zu fixenden Einträge setzen
    Code:
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O4 - HKCU\..\Run: [BMcfa4b324] Rundll32.exe "C:\Users\***~1\AppData\Local\Temp\hbpkttpt.dll",s
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\***~1\AppData\Local\Temp\efcDUkLf.dll,c
  • Unten auf Fix checked klicken

Das sollte es dann eigentlich gewesen sein :)

Poste zur Sicherheit noch ein letztes Hijackthislog :)

lg myrtille

stefanr. 06.06.2008 13:00
Danke nochmal für die super Hilfe!

Hier das letzte logfile von HJT

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:58:06, on 06.06.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Users\Stefan Roelofs\Desktop\Antispy und Malware\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [recinfo245] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [fsc-reg] C:\ProgramData\fsc-reg\fscreg.exe 20080525
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O13 - Gopher Prefix:
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FSCLBaseUpdaterService - Unknown owner - C:\Program Files\Fujitsu Siemens Computers\FSCLounge\FSCWBaseUpdaterService\2\FSCWBaseUpdaterService.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - c:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6712 bytes

myrtille 06.06.2008 13:17
Hi,
dein Log ist sauber :)

Allerdings taucht dein voller Name darin auf (Vor- und Nachname), editiere diese bitte zu deinem eigenen Schutz und ersetze den Namen durch *** ;)

Wenn du sonst keine Beschwerden hast, würd ich sagen wars das. :)

Die Infektion, die du dir zugezogen hattest, verbreitet sich auf untershciedliche Weisen:
Zum einen über Cracks & P2P-Programme, weswegen man von solchen Sachen eher Abstand halten sollte. Generell gilt: Installiere nur Software aus Quellen, denen du vertraust.

Zum andern über infizierte Webseiten. Daher ist es wichtig immer alle Programme aktuell zu halten, um möglichst alle bekannten Schwachstellen im System zu schließen.
Außerdem empfehle ich dir den Firefox mit den Addons NoScript und BlockFlash zu nutzen, um sicherzugehen, dass auf unbekannten Seiten keine Skripte ausgeführt werden.

lg myrtille


Alle Zeitangaben in WEZ +1. Es ist jetzt 04:39 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131