Virus and trojan infection

13.11.2004, 14:37
Member

Posts: 15
#1 Hello Sabina,

A few weeks have passed and there was no time for PC maintenance. Now calm has returned, and with it horror. Why? Please take a look at the logs from
- HijackThis and
- eScan
They surely speak a clear language to you as a specialist.
I also checked the files reported as infected with Jotti's malware scan 2.4. That result is posted as well (even though the results agree with those from eScan, as far as I can judge).

I have already deleted the "Dummy.class" documents (or are they files?). I hope I haven't caused any damage by doing so.

Quick question: What else do I need to remove from the PC now, and how?

As always, my most heartfelt thanks in advance for your helpful explanations.

Kind regards

HugoRatlos


PS: Our Symantec subscription expires at the end of the year and would have to be renewed once again. When I see the enormous "protective effect" of this software, I wonder whether that really makes sense. Would you favour a different Internet security suite, e.g. from Kaspersky? Thanks for any helpful tip!!!

And here are the scan results:


1. Log from HijackThis:

Logfile of HijackThis v1.98.2
Scan saved at 13:37:34, on 13.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Winamp3\winampa.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\Programme\WinSweep\WSMonitor.exe
C:\Programme\TraXEx\TraXEx.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\Programme\Microsoft Works\MSWorks.exe
C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\hijackthis_198\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [mwavscan] "C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WINSWEEP] C:\Programme\WinSweep\WinSweep.Exe /AUTO
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O4 - Startup: TraXEx.lnk = C:\Programme\TraXEx\TraXEx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Preispiraten 2.02 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Programme\Preispiraten 2.0b\preispiraten2.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

2. Log from eScan (viruses found)

File C:\WINDOWS\System\MSMSGSVC.exe infected by "TrojanDropper.Win32.Small.lx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System\MSMSGSVC.exe infected by "TrojanDropper.Win32.Small.lx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\e.exe infected by "TrojanDropper.Win32.Small.lx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\load.exe infected by "Trojan.Win32.Qhost.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\e.exe infected by "TrojanDropper.Win32.Small.lx" Virus. Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-51d3f209-69a8240b.class infected by "Trojan.Java.ClassLoader.Dummy.c" Virus. Action Taken: No Action Taken. (NOTE: DELETED BY ME!!!)
File C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-531c338a-77070eb5.class infected by "Trojan.Java.ClassLoader.Dummy.c" Virus. Action Taken: No Action Taken. (NOTE: DELETED BY ME!!!)
File C:\Dokumente und Einstellungen\Surferkonto\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-31bbc5c3-3b9f9d0f.class infected by "Trojan.Java.ClassLoader.Dummy.c" Virus. Action Taken: No Action Taken. (NOTE: DELETED BY ME!!!)
File C:\WINDOWS\Downloaded Program Files\load.exe infected by "Trojan.Win32.Qhost.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\e.exe infected by "TrojanDropper.Win32.Small.lx" Virus. Action Taken: No Action Taken.




File: msmsgsvc.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: UPX

AntiVir TR/Dldr.Small.LX (0.13 seconds taken)
Avast No viruses found (1.69 seconds taken)
BitDefender Trojan.Dropper.Small.LX (0.90 seconds taken)
ClamAV No viruses found (0.33 seconds taken)
Dr.Web Trojan.MulDrop.1132 (0.47 seconds taken)
F-Prot Antivirus No viruses found (0.09 seconds taken)
Kaspersky Anti-Virus TrojanDropper.Win32.Small.lx (0.61 seconds taken)
mks_vir Trojan.Trojandropper.Small.Lx (0.43 seconds taken)
NOD32 No viruses found (0.49 seconds taken)
Norman Virus Control No viruses found (0.48 seconds taken)

File: e.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: UPX

AntiVir TR/Dldr.Small.LX (0.13 seconds taken)
Avast No viruses found (1.64 seconds taken)
BitDefender Trojan.Dropper.Small.LX (1.07 seconds taken)
ClamAV No viruses found (0.30 seconds taken)
Dr.Web Trojan.MulDrop.1132 (0.42 seconds taken)
F-Prot Antivirus No viruses found (0.08 seconds taken)
Kaspersky Anti-Virus TrojanDropper.Win32.Small.lx (0.57 seconds taken)
mks_vir Trojan.Trojandropper.Small.Lx (0.39 seconds taken)
NOD32 No viruses found (0.44 seconds taken)
Norman Virus Control No viruses found (0.46 seconds taken)

File: load.exe
Status: INFECTED/MALWARE
Packers detected: UPX

AntiVir No viruses found (0.13 seconds taken)
Avast Win32:Trojano-537 (1.62 seconds taken)
BitDefender No viruses found (1.26 seconds taken)
ClamAV Trojan.Qhost.O (0.31 seconds taken)
Dr.Web Trojan.DownLoader.820 (0.47 seconds taken)
F-Prot Antivirus W32/Sillydropper.AF (0.06 seconds taken)
Kaspersky Anti-Virus Trojan.Win32.Qhost.o (0.58 seconds taken)
mks_vir Trojan.Qhost.O (0.21 seconds taken)
NOD32 No viruses found (0.36 seconds taken)
Norman Virus Control Sandbox: W32/Downloader; [ General information ]

* Creating several executable files on hard-drive.
* File length: 5120 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\toolbar.exe.

[ Network services ]
* Looks for an Internet connection.
* Opens URL: http://213.159.117.133/dkprogs/toolbar.txt.

[ Security issues ]
* Starting downloaded file - potential security problem. (0.53 seconds taken)


File: Dummy.class-51d3f209-69a8240b.class
Status: INFECTED/MALWARE
Packers detected: None

AntiVir TR/ClaLdr.Dummy.C (0.13 seconds taken)
Avast JS:ByteVerify-Dummy (1.61 seconds taken)
BitDefender Trojan.Java.ClassLoader.Dummy.C (0.82 seconds taken)
ClamAV Java.ClassLoader.Dummy.C (0.28 seconds taken)
Dr.Web Exploit.ByteVerify (0.43 seconds taken)
F-Prot Antivirus No viruses found (0.05 seconds taken)
Kaspersky Anti-Virus Trojan.Java.ClassLoader.Dummy.c (0.53 seconds taken)
mks_vir No viruses found (0.17 seconds taken)
NOD32 Java/Exploit.Bytverify (0.31 seconds taken)
Norman Virus Control No viruses found (0.10 seconds taken)

File: dummy.class-531c338a-77070eb5.class
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: None

AntiVir TR/ClaLdr.Dummy.C (0.13 seconds taken)
Avast JS:ByteVerify-Dummy (1.64 seconds taken)
BitDefender Trojan.Java.ClassLoader.Dummy.C (0.78 seconds taken)
ClamAV Java.ClassLoader.Dummy.C (0.28 seconds taken)
Dr.Web Exploit.ByteVerify (0.42 seconds taken)
F-Prot Antivirus No viruses found (0.05 seconds taken)
Kaspersky Anti-Virus Trojan.Java.ClassLoader.Dummy.c (0.53 seconds taken)
mks_vir No viruses found (0.17 seconds taken)
NOD32 Java/Exploit.Bytverify (0.31 seconds taken)
Norman Virus Control No viruses found (0.10 seconds taken)

Statistics
Last piece of malware found was Java/Exploit.Bytverify in Dummy.class-51d3f209-69a8240b.class, detected by:
Scanner Malware name Time taken
AntiVir TR/ClaLdr.Dummy.C 0.13 seconds
Avast JS:ByteVerify-Dummy 1.61 seconds
BitDefender Trojan.Java.ClassLoader.Dummy.C 0.82 seconds
ClamAV Java.ClassLoader.Dummy.C 0.28 seconds
Dr.Web Exploit.ByteVerify 0.43 seconds
F-Prot Antivirus X 0.05 seconds
Kaspersky Anti-Virus Trojan.Java.ClassLoader.Dummy.c 0.53 seconds
mks_vir X 0.17 seconds
NOD32 Java/Exploit.Bytverify 0.31 seconds
Norman Virus Control X 0.10 seconds


File: dummy.class-31bbc5c3-3b9f9d0f.class
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: None

AntiVir TR/ClaLdr.Dummy.C (0.14 seconds taken)
Avast JS:ByteVerify-Dummy (1.66 seconds taken)
BitDefender Trojan.Java.ClassLoader.Dummy.C (0.65 seconds taken)
ClamAV Java.ClassLoader.Dummy.C (0.29 seconds taken)
Dr.Web Exploit.ByteVerify (0.43 seconds taken)
F-Prot Antivirus No viruses found (0.05 seconds taken)
Kaspersky Anti-Virus Trojan.Java.ClassLoader.Dummy.c (0.53 seconds taken)
mks_vir No viruses found (0.17 seconds taken)
NOD32 Java/Exploit.Bytverify (0.32 seconds taken)
Norman Virus Control No viruses found (0.11 seconds taken)

File: load.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: UPX

AntiVir No viruses found (0.13 seconds taken)
Avast Win32:Trojano-537 (1.71 seconds taken)
BitDefender No viruses found (1.23 seconds taken)
ClamAV Trojan.Qhost.O (0.28 seconds taken)
Dr.Web Trojan.DownLoader.820 (0.43 seconds taken)
F-Prot Antivirus W32/Sillydropper.AF (0.05 seconds taken)
Kaspersky Anti-Virus Trojan.Win32.Qhost.o (0.56 seconds taken)
mks_vir Trojan.Qhost.O (0.20 seconds taken)
NOD32 No viruses found (0.36 seconds taken)
Norman Virus Control Sandbox: W32/Downloader; [ General information ]

* Creating several executable files on hard-drive.
* File length: 5120 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\toolbar.exe.

[ Network services ]
* Looks for an Internet connection.
* Opens URL: http://213.159.117.133/dkprogs/toolbar.txt.

[ Security issues ]
* Starting downloaded file - potential security problem. (0.53 seconds taken)

File: e.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: UPX

AntiVir TR/Dldr.Small.LX (0.13 seconds taken)
Avast No viruses found (1.62 seconds taken)
BitDefender Trojan.Dropper.Small.LX (0.93 seconds taken)
ClamAV No viruses found (0.29 seconds taken)
Dr.Web Trojan.MulDrop.1132 (0.43 seconds taken)
F-Prot Antivirus No viruses found (0.08 seconds taken)
Kaspersky Anti-Virus TrojanDropper.Win32.Small.lx (0.57 seconds taken)
mks_vir Trojan.Trojandropper.Small.Lx (0.40 seconds taken)
NOD32 No viruses found (0.44 seconds taken)
Norman Virus Control No viruses found (0.46 seconds taken)
17.11.2004, 00:13
Honorary member
Sabina

Posts: 29434
#2 Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe

...........................................................................................................

restart

#open HijackThis.
HijackThis-->Config-->Misc Tools-->Delete a file on reboot
paste in:

C:\WINDOWS\dpe.dll

when you are then asked whether to restart ("will be deleted by Windows when the system restarts....Do you want to restart your computer now?") -->> click "no" and enter the next one.

C:\WINDOWS\System\MSMSGSVC.exe

when you are then asked whether to restart ("will be deleted by Windows when the system restarts....Do you want to restart your computer now?") -->> click "no" and enter the next one.

<C:\WINDOWS\e.exe

Now click "yes" and restart the PC.

#then also try it (HijackThis;) with:
<C:\WINDOWS\toolbar.exe
<C:\WINDOWS\System32\toolbar.dll

search for and delete manually:
<msmsgsvc.exe
<toolbar.txt
<C:\WINDOWS\System32\Version.txt
.....................................................................................................
#Delete Windows\Downloaded Program Files.
ActiveX controls
Settings button
Click the "View Objects" button. A list of all local ActiveX controls opens. To decide whether it is a trustworthy program, it is usually enough to find out who the author of the component is.
If it says "unknown"...then delete it.
There you will also find: ...what would have to be deleted....

<C:\WINDOWS\Downloaded Program Files\load.exe

Disk Cleanup: and deleting the temporary files
<Start<Run<cleanmgr
#Click: Temporary Internet Files, OK
#Click: Temporary Files, OK

Clean Internet Explorer:
1. In the Internet Explorer menu bar, click Tools and Internet Options.
2. On the General tab, in the Temporary Internet Files section, click the "Delete Cookies" button.
3. Temporary Internet Files<Delete Files

set a new start page and post the log again.
------------------------------------------------------------------------
as for your question about an efficient virus scanner....forget Norton :p
If you download eScan, you have to disable it anyway.
#eScan trial

http://www.mwti.net/antivirus/escan/escandl_antivirus.asp (15-day trial free version)
click on: awn2k3e.exe

You can then buy this scanner with an annual licence.

Regards
Sabina
__________
Regards, Sabina

all about PC security
This post was edited by Sabina on 17.11.2004 at 01:19.
24.11.2004, 07:37
Member

Thread starter

Posts: 15
#3 Hello Sabina,

first of all, many thanks for the last "work instructions". I followed them carefully, with the exception of the item

"search for and delete manually:"

Here I could only find and delete the file "msmsgsvc.exe".
The files "toolbar.txt" and
"C:\windows\system32\version.txt" cannot be found, although there are several files named "version.txt". These, however, are located in the directory
C:\windows\java.

Well, after the new HijackThis run we have the familiar picture. Just take a look at it.

What needs to be done now???

Many thanks also for the tip about eScan. We will not renew the Norton subscription. But does eScan also include a firewall? I have now read that there is supposed to be a software called "Panda" which covers pretty much everything. Is that just another cheap advertising trick for naive users like us?

Once again, many, many heartfelt thanks for your further efforts.

Kind regards
HugoRatlos (and family)


Logfile of HijackThis v1.98.2
Scan saved at 20:32:02, on 22.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Winamp3\winampa.exe
C:\Programme\WinSweep\WSMonitor.exe
C:\Programme\TraXEx\TraXEx.exe
C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\hijackthis_198\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [mwavscan] "C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WINSWEEP] C:\Programme\WinSweep\WinSweep.Exe /AUTO
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O4 - Startup: TraXEx.lnk = C:\Programme\TraXEx\TraXEx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Preispiraten 2.02 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Programme\Preispiraten 2.0b\preispiraten2.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O13 - WWW. Prefix: http://ehttp.cc/?
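As an added example (not code from the thread, from HijackThis or from any tool named in it), the script below parses the R*/O* entries of a HijackThis log, flags entries whose values match the indicators quoted in this thread (e-finder.cc, default.home, ehttp.cc, dpe.dll, MSMSGSVC.exe under C:\WINDOWS\System), and diffs the first posted log against this one: a helper can then see at a glance that the search hijack and the MSMsgSvc autostart survived the first round of fixes while an O13 prefix hijack is new. The embedded logs are constructed excerpts of the two posted above.

```python
"""Triage helper for HijackThis v1.98 logs (added example, not code from the thread).

Parses the R*/O* entry lines, flags entries matching the indicators quoted in the
thread's own logs, and diffs two scans so surviving entries stand out. The sample
logs at the bottom are constructed excerpts of the two logs posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the thread: hijacked IE search/start pages, the
# DOMPeek BHO, the O13 URL-prefix hijack and the trojan dropper autostart.
SUSPECT_URLS = ("e-finder.cc", "default.home", "ehttp.cc")
SUSPECT_FILES = (r"c:\windows\dpe.dll", r"c:\windows\system\msmsgsvc.exe")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    kind: str  # HijackThis section, e.g. "R1", "O2", "O4", "O13"
    body: str  # everything after "R1 - "

    @property
    def key(self) -> str:
        """Identity of an entry; ignores the '(file missing)' note HijackThis appends."""
        return f"{self.kind} - {self.body.replace(' (file missing)', '')}"


def parse_log(text: str) -> List[Entry]:
    """Return the R*/O* entries of a log, skipping the header and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def reason(entry: Entry) -> Optional[str]:
    """Why an entry is suspicious, or None when no thread indicator matches."""
    body = entry.body.lower()
    if entry.kind in ("R0", "R1") and any(u in body for u in SUSPECT_URLS):
        return "IE search/start page points at the hijacker domain"
    if entry.kind == "O13" and any(u in body for u in SUSPECT_URLS):
        return "URL prefix hijack: addresses typed without a scheme are rewritten"
    if any(f in body for f in SUSPECT_FILES):
        return "loads a file identified as malware in the thread"
    return None


def diff_logs(before: List[Entry], after: List[Entry]):
    """Entries that persisted, were removed, or are new between two scans."""
    b = {e.key: e for e in before}
    a = {e.key: e for e in after}
    persisted = [a[k] for k in a if k in b]
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return persisted, removed, added


# Constructed excerpts of the logs posted in the thread (post #1 before the
# first round of fixes, post #3 after it).
LOG_BEFORE = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System\MSMSGSVC.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O13 - DefaultPrefix: http://ehttp.cc/?
"""

if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    persisted, removed, added = diff_logs(before, after)
    for label, group in (("persisted", persisted), ("removed", removed), ("added", added)):
        print(f"== {label} ({len(group)})")
        for e in group:
            why = reason(e)
            print(f"  {e.key}" + (f"  <-- {why}" if why else ""))
```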
25.11.2004, 15:07
Honorary member
Sabina

Posts: 29434
#4 Hello@

Step:

<Download "cwsfix.reg" + "cwsserviceremove.reg", create a new folder and unpack all files into that folder.
--> http://d21c.com/Tom41/?D=A

<Download AboutBuster.zip, create a new folder and unpack all files into that folder. Start AboutBuster and update it. Do not scan yet.
--> www.malwarebytes.biz/AboutBuster.zip

<Download, install and update AdAware. Do not scan yet either.
--> http://www.lavasoft.de/support/download/

Step:
#open HijackThis-->> button "scan" -->> tick the boxes -->> button "Fix checked" -->> restart PC

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll (file missing)
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O13 - WWW. Prefix: http://ehttp.cc/?

restart

Step:
#open HijackThis.
HijackThis-->Config-->Misc Tools-->Delete a file on reboot
paste in:
C:\WINDOWS\dpe.dll
restart PC...back into safe mode

#open HijackThis.
HijackThis-->Config-->Misc Tools-->Delete a file on reboot
paste in:
C:\WINDOWS\System\MSMSGSVC.exe
restart PC...back into safe mode

#open HijackThis.
HijackThis-->Config-->Misc Tools-->Delete a file on reboot
paste in:
C:\WINDOWS\e.exe
restart PC...back into safe mode

Step:
and there add "cwsfix.reg" +
"cwsserviceremove.reg" to the registry by clicking "yes" and scan with
AboutBuster and AdAware (twice) and with eScan (once)

Step:
also do the following in safe mode:
Disk Cleanup: and deleting the temporary files
<Start<Run--> type in: cleanmgr
delete only:
#Click: Temporary Internet Files, OK
#Click: Temporary Files, OK

Step:
Disable System Restore
«XP
http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/gdocid/20030807105707924

Here is the reg file that restores the default values under "DefaultPrefix" and "Prefixes".
Download defaultprefix.reg.
http://www.wintotal.de/Tipps/Eintrag.php?TID=434

Then set a new start page under "Internet Options" and post the log again.

Regards
Sabina
__________
Regards, Sabina

all about PC security
This post was edited by Sabina on 25.11.2004 at 15:24.
17.12.2004, 21:04
Member

Thread starter

Posts: 15
#5 Hello Sabina,

I have finally got around to following your instructions of 26.11.04, at least almost completely. I downloaded the programs you specified and worked through the steps with HijackThis.
Unfortunately I could not add cwsfix.reg and cwsserviceremove.reg to the registry. I got no hint via support as to where the registry is. Please don't laugh, but that is (still) beyond me.
I then carried out the remaining steps again.
As you requested, I would now like to post the "log". But which one? I have three to choose from:
- one from HijackThis
- one from AdAware and
- one from eScan.
Or would you like all three???

I am eagerly awaiting your next instructions. One thing in advance: the annoying uninvited pages no longer appear when dialling into the Internet. I now just have some problems with TRAXX, but perhaps more on that only once this matter has been dealt with. Following your advice, I have disabled Symantec and downloaded "eScan" (purchased). Hopefully we will now be spared the junk, because as already described, eScan tracked down some uninvited guests about which Symantec never issued any report. On the contrary. A scan gave the result: virus-free!

Wishing you a nice weekend, I remain, thanking you once more for your efforts (how can I ever repay you?)

With best regards

HugoRatlos
18.12.2004, 00:50
Honorary member
Sabina

Posts: 29434
#6 Hello@Hugo Ratlos

Post all 3 logs :p
- one from HijackThis
- one from AdAware and
- one from eScan.
__________
Regards, Sabina

all about PC security
19.12.2004, 17:48
Member

Thread starter

Posts: 15
#7 Hello Sabina,

below are the three log files.

First, one very important question!!!!

After my last post I wanted to download "eScan Internet Security (ISS)". But it doesn't work. I get stuck on the American site. Now I have seen via Google that the package can be bought on eBay. For us as modem users that is presumably the better alternative anyway, because otherwise we would presumably have to sit in front of the PC for hours??

Question: Our Symantec subscription expires tomorrow, i.e. from then on we are "unprotected" when using the Internet. Is the 15-day version of eScan sufficient for protection, or does another program have to be downloaded in the meantime??

THIS QUESTION IS EVEN MORE IMPORTANT THAN THE FURTHER CLEANUP EFFORTS!!!!

Now the files:

1. HijackThis

Logfile of HijackThis v1.98.2
Scan saved at 17:30:33, on 19.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Winamp3\winampa.exe
C:\Programme\WinSweep\WSMonitor.exe
C:\WINDOWS\system32\ntvdm.exe
C:\T-ONLINE\BSW4\ToDuCAlC.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\hijackthis_198\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [mwavscan] "C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com" /s
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [WINSWEEP] C:\Programme\WinSweep\WinSweep.Exe /AUTO
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe
O4 - Startup: TraXEx.lnk = C:\Programme\TraXEx\TraXEx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Preispiraten 2.02 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Programme\Preispiraten 2.0b\preispiraten2.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF33CAF9-EAAE-4541-AD0C-E10E62C288D7}: NameServer = 217.237.150.33 217.237.151.161


2. Ad-Aware


Ad-Aware SE Build 1.05
Logfile Created on:Sonntag, 19. Dezember 2004 17:35:51
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R8 13.09.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):8 total references
Claria(TAC index:7):5 total references
CoolWebSearch(TAC index:10):30 total references
MRU List(TAC index:0):20 total references
PeopleOnPage(TAC index:9):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


19.12.2004 17:35:51 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\office\10.0\common\general
Description : list of recently used symbols in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\automap\9.0\findmru
Description : list of recently used find queries used in microsoft automap-based products


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\automap\9.0\recent file list
Description : list of recently used files in microsoft automap-based products


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Papa\recent
Description : list of recently opened documents


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 460
ThreadCreationTime : 19.12.2004 12:43:46
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 516
ThreadCreationTime : 19.12.2004 12:43:47
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 540
ThreadCreationTime : 19.12.2004 12:43:47
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 584
ThreadCreationTime : 19.12.2004 12:43:48
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 596
ThreadCreationTime : 19.12.2004 12:43:48
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 852
ThreadCreationTime : 19.12.2004 12:43:48
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 876
ThreadCreationTime : 19.12.2004 12:43:48
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 960
ThreadCreationTime : 19.12.2004 12:43:49
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1024
ThreadCreationTime : 19.12.2004 12:43:49
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1152
ThreadCreationTime : 19.12.2004 12:43:50
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [ccevtmgr.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 1192
ThreadCreationTime : 19.12.2004 12:43:50
BasePriority : Normal
FileVersion : 1.03.4
ProductVersion : 1.03.4
ProductName : Event Manager
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:12 [nisum.exe]
FilePath : C:\Programme\Norton Internet Security\
ProcessID : 1208
ThreadCreationTime : 19.12.2004 12:43:50
BasePriority : Normal
FileVersion : 6.02.2003
ProductVersion : 6.02.2003
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security NISUM
InternalName : NISUM
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NISUM.exe

#:13 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1376
ThreadCreationTime : 19.12.2004 12:43:52
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:14 [ccpxysvc.exe]
FilePath : C:\Programme\Norton Internet Security\
ProcessID : 1388
ThreadCreationTime : 19.12.2004 12:43:52
BasePriority : Normal
FileVersion : 6.02.2003
ProductVersion : 6.02.2003
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security Proxy Service
InternalName : ccPxySvc
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccPxySvc.exe

#:15 [navapsvc.exe]
FilePath : C:\Programme\Norton AntiVirus\
ProcessID : 1428
ThreadCreationTime : 19.12.2004 12:43:52
BasePriority : Normal
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:16 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1476
ThreadCreationTime : 19.12.2004 12:43:52
BasePriority : Normal
FileVersion : 6.13.10.3082
ProductVersion : 6.13.10.3082
ProductName : NVIDIA Driver Helper Service, Version 30.82
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 30.82
InternalName : NVSVC
LegalCopyright : (c) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:17 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1572
ThreadCreationTime : 19.12.2004 12:43:52
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:18 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 3740
ThreadCreationTime : 19.12.2004 15:23:52
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:19 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 3932
ThreadCreationTime : 19.12.2004 15:23:52
BasePriority : Normal
FileVersion : 5.0.03
ProductVersion : 5.0.03
ProductName : Avance Sound Manager
CompanyName : Avance Logic, Inc.
FileDescription : Avance Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2002 Avance Logic, Inc.
OriginalFilename : ALSMTray.exe
Comments : Avance AC97 Audio Sound Manager

#:20 [incd.exe]
FilePath : C:\Programme\Ahead\InCD\
ProcessID : 3660
ThreadCreationTime : 19.12.2004 15:23:52
BasePriority : Normal
FileVersion : 3.33.0
ProductVersion : 3.33.0
ProductName : InCD
CompanyName : Copyright (C) ahead software gmbh and its licensors
FileDescription : InCD CD-RW UDF Tools
InternalName : InCD
LegalCopyright : Copyright (C) ahead software gmbh and its licensors
OriginalFilename : InCD.EXE
Comments : CD-RW UDF Tools

#:21 [wkufind.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\
ProcessID : 3664
ThreadCreationTime : 19.12.2004 15:23:53
BasePriority : Normal
FileVersion : 7.00.0617.0
ProductVersion : 7.00.0617.0
ProductName : Update Detection Module
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works-Aktualisierungserkennung
InternalName : WkUFind
LegalCopyright : Copyright © 1987-2002 Microsoft Corporation.
OriginalFilename : WkUFind.exe

#:22 [ccapp.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 3736
ThreadCreationTime : 19.12.2004 15:23:53
BasePriority : Normal
FileVersion : 1.0.9.002
ProductVersion : 1.0.9.002
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:23 [jusched.exe]
FilePath : C:\Programme\Java\j2re1.4.2_03\bin\
ProcessID : 3480
ThreadCreationTime : 19.12.2004 15:23:53
BasePriority : Normal


#:24 [winampa.exe]
FilePath : C:\Programme\Winamp3\
ProcessID : 2996
ThreadCreationTime : 19.12.2004 15:23:53
BasePriority : Normal


#:25 [wsmonitor.exe]
FilePath : C:\Programme\WinSweep\
ProcessID : 3964
ThreadCreationTime : 19.12.2004 15:23:54
BasePriority : Normal
FileVersion : 1.03.0070
ProductVersion : 1.03.0070
ProductName : WINSWEEP
CompanyName : Software-Entwicklung Frank-Oliver Dzewas
InternalName : WSMonitor
LegalCopyright : Software-Entwicklung Frank-Oliver Dzewas
OriginalFilename : WSMonitor.Exe

#:26 [ntvdm.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1060
ThreadCreationTime : 19.12.2004 15:45:56
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : NTVDM.EXE
InternalName : NTVDM.EXE
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : NTVDM.EXE

#:27 [toducalc.exe]
FilePath : C:\T-ONLINE\BSW4\
ProcessID : 292
ThreadCreationTime : 19.12.2004 16:08:24
BasePriority : Normal
FileVersion : 1.04.10
ProductVersion : 3.0
ProductName : T-Online Software
CompanyName : Drews EDV+Btx GmbH
FileDescription : T-Online DUN Connection Alive Checker
InternalName : ToDuCAlC
LegalCopyright : Copyright © Drews EDV+Btx GmbH 1999,2000
OriginalFilename : ToDuCAlC.exe

#:28 [iexplore.exe]
FilePath : C:\Programme\Internet Explorer\
ProcessID : 2228
ThreadCreationTime : 19.12.2004 16:25:55
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : IEXPLORE.EXE

#:29 [ad-aware.exe]
FilePath : C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\Computerhygiene\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3708
ThreadCreationTime : 19.12.2004 16:35:38
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuText

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

Claria Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : uets

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : GEF

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : GMG

Claria Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\gator.com

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : Next

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : CLSID

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID2

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID4

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : PanelNumber

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{bd0022a3-a43f-4f44-b64f-53ea7575f097}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{5297e905-1dfb-4a9c-9871-a4f95fd58945}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{30192f8d-0958-44e6-b54d-331fd39ac959}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{30192f8d-0958-44e6-b54d-331fd39ac959}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek
Value :

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E1230F8-EA50-42A9-983C-D22ABC2EED3B}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 39
Objects found so far: 59


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59



Deep scanning and examining files (C;)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\Dokumente und Einstellungen\Papa\Schulprogramme\Englisch\Teachmaster\



PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\Dokumente und Einstellungen\Mascha\Schule\Englisch\Vokabeltest\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 61


Deep scanning and examining files (D;)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 61


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 61




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\serg

CoolWebSearch Object Recognized!
Type : File
Data : hosts
Category : Malware
Comment :
Object : C:\WINDOWS\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 65

17:39:58 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:04:06.516
Objects scanned:97185
Objects identified:45
Objects ignored:0
New critical objects:45


3. eScan

Sun Dec 19 16:50:31 2004 => **********************************************************
Sun Dec 19 16:50:31 2004 => eScan AntiVirus Toolkit Utility.
Sun Dec 19 16:50:31 2004 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Sun Dec 19 16:50:31 2004 => **********************************************************
Sun Dec 19 16:50:32 2004 => Version 4.7.5 (C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com)
Sun Dec 19 16:50:32 2004 => Log File: C:\DOKUME~1\Papa\LOKALE~1\Temp\mwav.log
Sun Dec 19 16:50:33 2004 => Latest Date of files inside MWAV: 15 Dec 2004 06:01:46.
Sun Dec 19 16:50:38 2004 => AV Library Loaded...
Sun Dec 19 16:50:38 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavss.exe
Sun Dec 19 16:50:38 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\Getvlist.exe
Sun Dec 19 16:50:39 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavss.dll
Sun Dec 19 16:50:39 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssdi.dll
Sun Dec 19 16:50:39 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssi.dll
Sun Dec 19 16:50:39 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavvlg.dll
Sun Dec 19 16:50:40 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\msvlclnt.dll
Sun Dec 19 16:50:40 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\ipc.dll
Sun Dec 19 16:50:40 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\main.avi
Sun Dec 19 16:50:40 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\virus.avi
Sun Dec 19 16:50:41 2004 => Virus Database Date: 2004/12/15
Sun Dec 19 16:50:41 2004 => Virus Database Count: 112526

Sun Dec 19 16:50:45 2004 => **********************************************************
Sun Dec 19 16:50:45 2004 => eScan AntiVirus Toolkit Utility.
Sun Dec 19 16:50:45 2004 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Sun Dec 19 16:50:45 2004 =>
Sun Dec 19 16:50:45 2004 => Support: support@mwti.net
Sun Dec 19 16:50:45 2004 => Web: http://www.mwti.net
Sun Dec 19 16:50:45 2004 => **********************************************************
Sun Dec 19 16:50:45 2004 => Version 4.7.5 (C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com)
Sun Dec 19 16:50:45 2004 => Log File: C:\DOKUME~1\Papa\LOKALE~1\Temp\mwav.log
Sun Dec 19 16:50:45 2004 => Latest Date of files inside MWAV: 15 Dec 2004 06:01:46.

Sun Dec 19 16:50:45 2004 => Options Selected by User:
Sun Dec 19 16:50:45 2004 => Memory Check: Enabled
Sun Dec 19 16:50:45 2004 => Registry Check: Enabled
Sun Dec 19 16:50:45 2004 => StartUp Folder Check: Enabled
Sun Dec 19 16:50:45 2004 => System Folder Check: Enabled
Sun Dec 19 16:50:45 2004 => System Area Check: Disabled
Sun Dec 19 16:50:45 2004 => Services Check: Enabled
Sun Dec 19 16:50:45 2004 => Drive Check Option Disabled
Sun Dec 19 16:50:45 2004 => Folder Check: Enabled
Sun Dec 19 16:50:45 2004 => Folder Selected = C:\WINDOWS

Sun Dec 19 16:50:45 2004 => ***** Scanning Memory Files *****
Sun Dec 19 16:50:45 2004 => Scanning File C:\WINDOWS\SYSTEM32\CSRSS.EXE
Sun Dec 19 16:50:45 2004 => Scanning File C:\WINDOWS\SYSTEM32\WINLOGON.EXE
Sun Dec 19 16:50:46 2004 => Scanning File C:\WINDOWS\System32\smss.exe
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\ipc.dll
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavss.dll
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavss.exe
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssd.dll
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssdi.dll
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssi.dll
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\msvlclnt.dll
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\PSAPI.DLL
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\RICHED32.DLL
Sun Dec 19 16:50:46 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\CCEMLPXY.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\ccErrDsp.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\ccEvt.dll
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\CCREGMON.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~1\apwutil.dll
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~1\CCIMSCAN.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~1\DEFALERT.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~1\NAVAPW32.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~1\NAVEvent.dll
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~1\SavRT32.dll
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~2\ATRACK.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~2\ccFWRuls.dll
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~2\IAMAPP.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~2\LICALERT.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~2\NAVAPI32.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~2\NISALERT.DLL
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\NORTON~2\NisEvt.dll
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\NORTON~2\NISRES.DLL
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\NORTON~2\tlevel.dll
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\NORTON~2\UMCBK.DLL
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\Symantec\S32EVNT1.DLL
Sun Dec 19 16:50:48 2004 => Scanning File C:\Programme\Ahead\InCD\InCD.exe
Sun Dec 19 16:50:48 2004 => Scanning File C:\Programme\Ahead\InCD\res.dll
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\MICROS~1\WORKSS~1\WkUFind.exe
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\ccApp.exe
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\ccEvt.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\ccEvtMgr.exe
Sun Dec 19 16:50:49 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\LiveReg\iraLSCl2.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\LiveReg\IraVcLc2.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\scrauth.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\ScrBlock.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\Programme\Java\j2re1.4.2_03\bin\jpins7.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\Programme\Java\j2re1.4.2_03\bin\jpinsp.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\Programme\Java\j2re1.4.2_03\bin\jpishare.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
Sun Dec 19 16:50:49 2004 => Scanning File C:\Programme\Java\j2re1.4.2_03\bin\NPOJI610.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\Programme\Messenger\msgsc.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\PROGRA~1\MOZILL~1\COMPON~1\FULLSOFT.DLL
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\COMPON~1\jar50.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\COMPON~1\QFASER~1.DLL
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\firefox.exe
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\js3250.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\nspr4.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\nss3.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\plc4.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\plds4.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\smime3.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\softokn3.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\ssl3.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\xpcom.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\MOZILL~1\XPCOM_~1.DLL
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~1\apwcmdnt.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~1\navapsvc.exe
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~1\NavEmail.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~1\NavShExt.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~1\SavRT32.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\ccAntiSp.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\ccProxy.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\ccPxyEvt.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\ccPxySvc.exe
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\ccScanSp.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\DataHTTP.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\DJSMAR00.DLL
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\NisAdBlk.dll
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\NISCONFD.DLL
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\NisEmail.dll
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\NisEvt.DLL
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\NISUM.EXE
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\NISUMPS.DLL
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\PxyHTTP.dll
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\PxyIM.dll
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\PxyNNTP.DLL
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\StrmFilt.dll
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\SymIConv.dll
Sun Dec 19 16:50:52 2004 => Scanning File C:\Programme\TraXEx\TraXEx.exe
Sun Dec 19 16:50:52 2004 => Scanning File C:\Programme\Winamp3\winampa.exe
Sun Dec 19 16:50:53 2004 => Scanning File C:\Programme\WinSweep\WSMonitor.exe
Sun Dec 19 16:50:53 2004 => Scanning File C:\T-ONLINE\BSW4\ontool32.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\T-ONLINE\BSW4\ToDuCAlC.EXE
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\Explorer.EXE
Sun Dec 19 16:50:53 2004 => Scanning File c:\windows\pchealth\helpctr\binaries\pchsvc.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\SOUNDMAN.EXE
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\System32\ACTIVEDS.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\System32\actxprxy.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\System32\adsldpc.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\system32\ADVAPI32.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\System32\ADVPACK.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\System32\alg.exe
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\system32\Apphelp.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\System32\ATL.DLL
Sun Dec 19 16:50:54 2004 => Scanning File c:\windows\system32\audiosrv.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\system32\AUTHZ.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\avicap32.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\system32\basesrv.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\BatMeter.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\browselc.dll
Sun Dec 19 16:50:54 2004 => Scanning File c:\windows\system32\browser.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\BROWSEUI.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\ccPasswd.DLL
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\ccTrust.dll
Sun Dec 19 16:50:54 2004 => Scanning File c:\windows\system32\certcli.dll
Sun Dec 19 16:50:54 2004 => Scanning File c:\windows\system32\CFGMGR32.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\CLBCATQ.DLL
Sun Dec 19 16:50:54 2004 => Scanning File c:\windows\system32\CLUSAPI.dll
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\system32\cnbjmon.dll
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\system32\colbact.DLL
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\system32\COMCTL32.dll
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\system32\comdlg32.dll
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\System32\COMRes.dll
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\system32\comsvcs.dll
Sun Dec 19 16:50:55 2004 => Scanning File c:\windows\system32\credui.dll
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\system32\CRYPT32.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\system32\cryptdll.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\system32\cryptnet.dll
Sun Dec 19 16:50:56 2004 => Scanning File c:\windows\system32\cryptsvc.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\System32\CRYPTUI.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\system32\cscdll.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\System32\cscui.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\system32\CSRSRV.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\System32\davclnt.dll
Sun Dec 19 16:50:56 2004 => Scanning File c:\windows\system32\dhcpcsvc.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\system32\DNSAPI.dll
Sun Dec 19 16:50:56 2004 => Scanning File c:\windows\system32\dnsrslvr.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\System32\drprov.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\System32\dssenh.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\System32\DUSER.dll
Sun Dec 19 16:50:56 2004 => Scanning File c:\windows\system32\ersvc.dll
Sun Dec 19 16:50:56 2004 => Scanning File c:\windows\system32\es.dll
Sun Dec 19 16:50:57 2004 => Scanning File c:\windows\system32\ESENT.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\system32\eventlog.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\system32\GDI32.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\System32\h323.tsp
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\System32\HID.DLL
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\System32\hidphone.tsp
Sun Dec 19 16:50:57 2004 => Scanning File c:\windows\system32\HNetCfg.dll
Sun Dec 19 16:50:57 2004 => Scanning File c:\windows\system32\ICAAPI.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\system32\icmp.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\system32\IMAGEHLP.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\System32\IMM32.DLL
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\system32\inetpp.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\System32\ipconf.tsp
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\system32\iphlpapi.dll
Sun Dec 19 16:50:57 2004 => Please Wait Exiting Application...

Sun Dec 19 16:50:57 2004 => ***** Scanning complete. *****
Sun Dec 19 16:50:57 2004 => Virus Database Date: 2004/12/15
Sun Dec 19 16:50:57 2004 => Virus Database Count: 112526

Sun Dec 19 16:50:57 2004 => Scan Completed.


Sun Dec 19 16:50:58 2004 => Total Files Scanned: 155
Sun Dec 19 16:50:58 2004 => Total Virus(es) Found: 0
Sun Dec 19 16:50:58 2004 => Total Disinfected Files: 0
Sun Dec 19 16:50:58 2004 => Total Files Renamed: 0
Sun Dec 19 16:50:58 2004 => Total Deleted Files: 0
Sun Dec 19 16:50:58 2004 => Total Errors: 0
Sun Dec 19 16:50:58 2004 => Time Elapsed: 00:00:12
Sun Dec 19 17:06:48 2004 => Virus Database Date: 2004/12/15
Sun Dec 19 17:06:48 2004 => Virus Database Count: 112526
Sun Dec 19 17:06:54 2004 => AV Library Unloaded (3)...
Sun Dec 19 17:43:52 2004 => **********************************************************
Sun Dec 19 17:43:52 2004 => eScan AntiVirus Toolkit Utility.
Sun Dec 19 17:43:52 2004 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Sun Dec 19 17:43:52 2004 => **********************************************************
Sun Dec 19 17:43:52 2004 => Version 4.7.5 (C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com)
Sun Dec 19 17:43:52 2004 => Log File: C:\DOKUME~1\Papa\LOKALE~1\Temp\mwav.log
Sun Dec 19 17:43:52 2004 => Latest Date of files inside MWAV: 15 Dec 2004 06:01:46.
Sun Dec 19 17:43:53 2004 => AV Library Loaded...
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavss.exe
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\Getvlist.exe
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavss.dll
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssdi.dll
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssi.dll
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavvlg.dll
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\msvlclnt.dll
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\ipc.dll
Sun Dec 19 17:43:54 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\main.avi
Sun Dec 19 17:43:54 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\virus.avi
Sun Dec 19 17:43:54 2004 => Virus Database Date: 2004/12/15
Sun Dec 19 17:43:54 2004 => Virus Database Count: 112526


In advance, for all your efforts - in whatever direction - my warmest thanks, and have a nice evening on the fourth Sunday of Advent.

HugoRatlos
19.12.2004, 18:12
Honorary member
Sabina

Posts: 29434
#8 Hello @HugoRatlos

That already looks very good ;)

Please also fix:
O4 - HKLM\..\Run: [mwavscan] "C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com" /s
O9 - Extra button: Preispiraten 2.02 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Programme\Preispiraten 2.0b\preispiraten2.exe

reboot

Then clean the PC and IE.
#TuneUp2004 (30 days free)--<don't change any settings... only clean, optimize and fix errors
http://www.tuneup.de/products/tuneup-utilities/

#ClearProg.. download the latest version <1.4.0 Final
<and clean the browser.
The program deletes the browsing traces of Internet Explorer from version 5.0, of Netscape/Mozilla and of Opera:
- Cookies
- History
- Temporary Internet files (cache)
- the entered URLs
- AutoComplete entries in IE web forms (so far only Win9x/ME)
- Netscape/Opera download lists
http://www.clearprog.de/downloads.php

(As for eScan, that is a bit cumbersome.
Better (and cheaper) is Antivirus free--> however, Symantec must be uninstalled completely (best done in safe mode)

configure in the scanner AND in the Guard:
<all files
<heuristics medium)
and update the scanner every day (!)
#Antivirus (free)
http://www.free-av.de/

and from now on surf only with Firefox
#Alternative browser to IE
Firefox
http://www.mozilla-europe.org/de/
Installation + configuration of Firefox
http://www.pcwelt.de/know-how/software/103924/index1.html

Then please set a home page under Internet Options and post the log once more.
__________
Regards, Sabina

all about PC security
This post was edited on 19.12.2004 at 18:16 by Sabina.
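A mechanical way to check logs of the kind posted in this thread, as an added example (not code from the forum, from HijackThis or from eScan): it parses HijackThis O4 autostart lines and eScan detection lines, case-folds the paths so that repeated hits on the same file count once, reports which autostart entries launch a file the scanner flagged, and checks whether a "please fix" entry is still present in a re-posted log. The sample lines are a constructed subset of the logs quoted in this thread; the regular expressions assume exactly the line formats shown here.

```python
import re
from collections import defaultdict

# HijackThis O4 lines come in two shapes (both appear in this thread):
#   O4 - HKLM\..\Run: [Sygate Personal Firewall] host32.exe
#   O4 - Startup: TraXEx.lnk = C:\Programme\TraXEx\TraXEx.exe
O4_REG_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O4_FOLDER_RE = re.compile(r'^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$')
# eScan detection line as quoted in the thread:
#   File C:\WINDOWS\System32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
ESCAN_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<family>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.?$')
# Program part of an unquoted command; tolerates unquoted paths that contain spaces.
PROG_RE = re.compile(r'^(.+?\.(?:exe|com|scr|pif|bat|cmd|dll))(?=\s|$)', re.IGNORECASE)


def parse_o4(lines):
    """Turn HijackThis O4 lines into dicts with location, entry name and command."""
    entries = []
    for line in lines:
        line = line.strip()
        m = O4_REG_RE.match(line)
        if m:
            entries.append({'location': f"{m['hive']}\\..\\{m['key']}",
                            'name': m['name'], 'cmd': m['cmd']})
            continue
        m = O4_FOLDER_RE.match(line)
        if m:
            entries.append({'location': m['where'], 'name': m['name'], 'cmd': m['cmd']})
    return entries

def executable_name(cmd):
    """Lower-case basename of the program an O4 command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                  # quoted path, may contain spaces
        prog = cmd[1:cmd.index('"', 1)]
    else:
        m = PROG_RE.match(cmd)
        prog = m.group(1) if m else cmd.split(' ')[0]
    return prog.replace('/', '\\').rsplit('\\', 1)[-1].lower()

def parse_escan(lines):
    """Map each infected path (case-folded, so System32/system32 merge) to its detection names."""
    infected = defaultdict(set)
    for line in lines:
        m = ESCAN_RE.match(line.strip())
        if m:
            infected[m['path'].lower()].add(m['family'])
    return dict(infected)

def correlate(hjt_lines, escan_lines):
    """Unique infected files and families, plus the autostart entries that launch a flagged file."""
    infected = parse_escan(escan_lines)
    by_basename = defaultdict(set)
    for path, fams in infected.items():
        by_basename[path.rsplit('\\', 1)[-1]].update(fams)
    hits = []
    for e in parse_o4(hjt_lines):
        base = executable_name(e['cmd'])
        if base in by_basename:              # the autostart entry points at a flagged file
            hits.append((e['location'], e['name'], base, sorted(by_basename[base])))
    return {'unique_files': sorted(infected),
            'families': sorted({f for fams in infected.values() for f in fams}),
            'autostart_hits': hits}

def still_present(fix_lines, new_log_lines):
    """Lines from a 'please fix' list that still appear in a re-posted HijackThis log."""
    new = {' '.join(l.split()) for l in new_log_lines}
    return [l for l in fix_lines if ' '.join(l.split()) in new]


# Constructed sample: a subset of the HijackThis and eScan lines quoted in this thread.
HJT_SAMPLE = [
    r"O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [Sygate Personal Firewall] host32.exe",
    r"O4 - HKLM\..\RunServices: [Sygate Personal Firewall] host32.exe",
    r"O4 - HKCU\..\Run: [Sygate Personal Firewall] host32.exe",
    r"O4 - Startup: TraXEx.lnk = C:\Programme\TraXEx\TraXEx.exe",
]
ESCAN_SAMPLE = [
    r'File C:\WINDOWS\System32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.',
    r'File C:\WINDOWS\system32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.',
    r'File C:\WINDOWS\msmsgsui.exe infected by "Trojan.Win32.StartPage.lj" Virus. Action Taken: No Action Taken.',
    r'File C:\WINDOWS\System32\vbsys.dll_old infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.',
    r'File C:\WINDOWS\System32\vbsys2.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.',
    r'File C:\WINDOWS\Downloaded Program Files\amateur.exe infected by "Trojan.Win32.Dialer.fl" Virus. Action Taken: No Action Taken.',
]
# The entry asked to be fixed above; checking a re-posted log for it confirms the fix took.
FIX_LIST = [r'O4 - HKLM\..\Run: [mwavscan] "C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com" /s']

if __name__ == '__main__':
    report = correlate(HJT_SAMPLE, ESCAN_SAMPLE)
    print(f"{len(ESCAN_SAMPLE)} detection lines -> {len(report['unique_files'])} files, "
          f"{len(report['families'])} families")
    for loc, name, base, fams in report['autostart_hits']:
        print(f"  {loc} [{name}] launches {base}: {', '.join(fams)}")
    print('still to fix:', still_present(FIX_LIST, HJT_SAMPLE))
```

Run on the sample, the six eScan lines collapse to five files in four families, and all three "Sygate Personal Firewall" entries resolve to the same flagged host32.exe.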
20.12.2004, 21:24
Member

Thread starter

Posts: 15
#9 Hello Sabina,

once again I have worked my way through your instructions, this time with only limited success.

Limited because running it generates the following message:

„C:\Dokumente und Einstellungen\....\avwinsfx03.exe st keine zulässige Win32 Anwendung“

What now? I have uninstalled Norton Anti-Virus. Are we unprotected now? Norton Internet Security is still installed. The subscription ends tomorrow. What should I do?

I have posted the three log files of the various check routines again below. Setting the home page under "Internet Options" surely referred to IE? The Mozilla version still installed here is purely in English and does not offer this setting.

Here are the log files:

1. Hijackthis:

Logfile of HijackThis v1.98.2
Scan saved at 20:29:15, on 20.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Winamp3\winampa.exe
C:\WINDOWS\System32\host32.exe
C:\Programme\WinSweep\WSMonitor.exe
C:\Programme\TraXEx\TraXEx.exe
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\Programme\Microsoft Works\MSWorks.exe
C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\hijackthis_198\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] host32.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] host32.exe
O4 - HKCU\..\Run: [WINSWEEP] C:\Programme\WinSweep\WinSweep.Exe /AUTO
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] host32.exe
O4 - Startup: TraXEx.lnk = C:\Programme\TraXEx\TraXEx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

2. escan

Here I have copied in only the virus detections. Otherwise the log would have "blown up" the page. If that is not sufficient, please let me know. Then I will post the rest as well.

What follows is frightening enough for us: 14 viruses? After this whole procedure? Or is it only 4 viruses in different places?

File C:\WINDOWS\System32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msmsgsui.exe infected by "Trojan.Win32.StartPage.lj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vbsys.dll_old infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vbsys2.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vbsys.dll_old infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vbsys2.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\amateur.exe infected by "Trojan.Win32.Dialer.fl" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msmsgsui.exe infected by "Trojan.Win32.StartPage.lj" Virus. Action Taken: No Action Taken.

3. adware

Here I did not know what could be deleted without losing information, so here is the complete log file:

Ad-Aware SE Build 1.05
Logfile Created on:Montag, 20. Dezember 2004 21:11:22
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R8 13.09.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):8 total references
Claria(TAC index:7):5 total references
CoolWebSearch(TAC index:10):30 total references
MRU List(TAC index:0):20 total references
PeopleOnPage(TAC index:9):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


20.12.2004 21:11:22 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\office\10.0\common\general
Description : list of recently used symbols in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\automap\9.0\findmru
Description : list of recently used find queries used in microsoft automap-based products


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\automap\9.0\recent file list
Description : list of recently used files in microsoft automap-based products


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Papa\recent
Description : list of recently opened documents


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 452
ThreadCreationTime : 20.12.2004 19:16:05
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 516
ThreadCreationTime : 20.12.2004 19:16:06
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 540
ThreadCreationTime : 20.12.2004 19:16:07
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 584
ThreadCreationTime : 20.12.2004 19:16:07
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 596
ThreadCreationTime : 20.12.2004 19:16:07
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 844
ThreadCreationTime : 20.12.2004 19:16:07
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 868
ThreadCreationTime : 20.12.2004 19:16:07
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 988
ThreadCreationTime : 20.12.2004 19:16:08
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1028
ThreadCreationTime : 20.12.2004 19:16:09
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1136
ThreadCreationTime : 20.12.2004 19:16:10
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [ccevtmgr.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 1172
ThreadCreationTime : 20.12.2004 19:16:10
BasePriority : Normal
FileVersion : 1.03.4
ProductVersion : 1.03.4
ProductName : Event Manager
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:12 [nisum.exe]
FilePath : C:\Programme\Norton Internet Security\
ProcessID : 1188
ThreadCreationTime : 20.12.2004 19:16:10
BasePriority : Normal
FileVersion : 6.02.2003
ProductVersion : 6.02.2003
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security NISUM
InternalName : NISUM
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NISUM.exe

#:13 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1328
ThreadCreationTime : 20.12.2004 19:16:11
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:14 [ccpxysvc.exe]
FilePath : C:\Programme\Norton Internet Security\
ProcessID : 1340
ThreadCreationTime : 20.12.2004 19:16:11
BasePriority : Normal
FileVersion : 6.02.2003
ProductVersion : 6.02.2003
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security Proxy Service
InternalName : ccPxySvc
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccPxySvc.exe

#:15 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1388
ThreadCreationTime : 20.12.2004 19:16:11
BasePriority : Normal
FileVersion : 6.13.10.3082
ProductVersion : 6.13.10.3082
ProductName : NVIDIA Driver Helper Service, Version 30.82
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 30.82
InternalName : NVSVC
LegalCopyright : (c) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:16 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1472
ThreadCreationTime : 20.12.2004 19:16:12
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:17 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1972
ThreadCreationTime : 20.12.2004 19:16:17
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:18 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 248
ThreadCreationTime : 20.12.2004 19:16:19
BasePriority : Normal
FileVersion : 5.0.03
ProductVersion : 5.0.03
ProductName : Avance Sound Manager
CompanyName : Avance Logic, Inc.
FileDescription : Avance Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2002 Avance Logic, Inc.
OriginalFilename : ALSMTray.exe
Comments : Avance AC97 Audio Sound Manager

#:19 [incd.exe]
FilePath : C:\Programme\Ahead\InCD\
ProcessID : 332
ThreadCreationTime : 20.12.2004 19:16:19
BasePriority : Normal
FileVersion : 3.33.0
ProductVersion : 3.33.0
ProductName : InCD
CompanyName : Copyright (C) ahead software gmbh and its licensors
FileDescription : InCD CD-RW UDF Tools
InternalName : InCD
LegalCopyright : Copyright (C) ahead software gmbh and its licensors
OriginalFilename : InCD.EXE
Comments : CD-RW UDF Tools

#:20 [wkufind.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\
ProcessID : 340
ThreadCreationTime : 20.12.2004 19:16:19
BasePriority : Normal
FileVersion : 7.00.0617.0
ProductVersion : 7.00.0617.0
ProductName : Update Detection Module
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works-Aktualisierungserkennung
InternalName : WkUFind
LegalCopyright : Copyright © 1987-2002 Microsoft Corporation.
OriginalFilename : WkUFind.exe

#:21 [ccapp.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 348
ThreadCreationTime : 20.12.2004 19:16:19
BasePriority : Normal
FileVersion : 1.0.9.002
ProductVersion : 1.0.9.002
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:22 [jusched.exe]
FilePath : C:\Programme\Java\j2re1.4.2_03\bin\
ProcessID : 364
ThreadCreationTime : 20.12.2004 19:16:19
BasePriority : Normal


#:23 [winampa.exe]
FilePath : C:\Programme\Winamp3\
ProcessID : 372
ThreadCreationTime : 20.12.2004 19:16:19
BasePriority : Normal


#:24 [host32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 408
ThreadCreationTime : 20.12.2004 19:16:19
BasePriority : Normal


#:25 [wsmonitor.exe]
FilePath : C:\Programme\WinSweep\
ProcessID : 440
ThreadCreationTime : 20.12.2004 19:16:20
BasePriority : Normal
FileVersion : 1.03.0070
ProductVersion : 1.03.0070
ProductName : WINSWEEP
CompanyName : Software-Entwicklung Frank-Oliver Dzewas
InternalName : WSMonitor
LegalCopyright : Software-Entwicklung Frank-Oliver Dzewas
OriginalFilename : WSMonitor.Exe

#:26 [traxex.exe]
FilePath : C:\Programme\TraXEx\
ProcessID : 520
ThreadCreationTime : 20.12.2004 19:16:20
BasePriority : Normal
FileVersion : 2.2.1.6
ProductVersion : 1.0.0.0
ProductName : TraXEx 2.2 - Der Spurenverwischer
CompanyName : Softwareentwicklung Alexander Miehlke
FileDescription : TraXEx 2.2 - Der Spurenverwischer
InternalName : TraXEx
LegalCopyright : 1999-2002 Alexander Miehlke Softwareentwicklung
OriginalFilename : TraXEx.exe

#:27 [winword.exe]
FilePath : C:\Programme\Microsoft Office\Office10\
ProcessID : 856
ThreadCreationTime : 20.12.2004 19:19:38
BasePriority : Normal


#:28 [msworks.exe]
FilePath : C:\Programme\Microsoft Works\
ProcessID : 1920
ThreadCreationTime : 20.12.2004 19:19:45
BasePriority : Normal
FileVersion : 7.02.0620.0
ProductVersion : 7.02.0620.0
ProductName : Microsoft® Works 7.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Task Launcher
InternalName : MSWORKS
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : MSWorks.exe

#:29 [ad-aware.exe]
FilePath : C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\Computerhygiene\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3780
ThreadCreationTime : 20.12.2004 20:11:04
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuText

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

Claria Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : uets

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : GEF

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : GMG

Claria Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\gator.com

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : Next

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : CLSID

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID2

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID4

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : PanelNumber

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{bd0022a3-a43f-4f44-b64f-53ea7575f097}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{5297e905-1dfb-4a9c-9871-a4f95fd58945}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{30192f8d-0958-44e6-b54d-331fd39ac959}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{30192f8d-0958-44e6-b54d-331fd39ac959}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek
Value :

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E1230F8-EA50-42A9-983C-D22ABC2EED3B}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 39
Objects found so far: 59


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59



Deep scanning and examining files (C;)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\Dokumente und Einstellungen\Papa\Schulprogramme\Englisch\Teachmaster\



PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\Dokumente und Einstellungen\Mascha\Schule\Englisch\Vokabeltest\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 61


Deep scanning and examining files (D;)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 61


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 61




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\serg

CoolWebSearch Object Recognized!
Type : File
Data : hosts
Category : Malware
Comment :
Object : C:\WINDOWS\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 65

21:14:14 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:51.781
Objects scanned:97785
Objects identified:45
Objects ignored:0
New critical objects:45

I think I'll dash over to the "…Markt" tomorrow and look for a recommended complete Internet security/antivirus package (anything but Symantec's) and install it before we go back online. Wouldn't that be the most effective alternative? Then we could carry on with the "PC clean-up".

Kind and grateful regards
HugoRatlos
20.12.2004, 23:46
Honorary member

Posts: 29434
#10 Oh God, now there is a backdoor on it!

W32/Rbot-GU is a worm that tries to spread to remote network shares. It also has backdoor functionality which allows unauthorised remote access to the infected computer via IRC channels.

You must turn off the network shares!!!!!!!!!

#Configure NT services securely http://www.ntsvcfg.de/ or www.dingens.org
_________________________________________________________________________

Disable System Restore
«XP
http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/gdocid/20030807105707924

Go into the registry
Start<Run<regedit

HKLM\Software\Microsoft\Ole\
EnableDCOM = N --> change to Y

HKLM\System\ControlSet001\Control\Lsa\
restrictanonymous = 1 --> change to 0

HKLM\System\CurrentControlSet\Control\Lsa\
restrictanonymous = 1 ---> change to 0
---------------------------------------------------------------------------
Download the Killbox -
http://www.bleepingcomputer.com/files/killbox.php

Fix
O4 - HKLM\..\Run: [Sygate Personal Firewall] host32.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] host32.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] host32.exe

Restart into Safe Mode

Delete with the Killbox:

go to
<Delete File on Reboot
<Unregister .dll before deleting.
and click on the red cross;
when asked whether to reboot, click "no" and paste in the next one; only on the last one click "yes"

C:\WINDOWS\System32\host32.exe
C:\WINDOWS\msmsgsui.exe
C:\WINDOWS\System32\vbsys.dll_old
C:\WINDOWS\System32\vbsys2.dll

Restart, scan again with eScan and report back.

#Trend-Micro (Online)
http://de.trendmicro-europe.com/enterprise/products/housecall_pre.php

#Patches, service packs and tools (XP)
http://www.rz.uni-freiburg.de/pc/sys/winxp/index.php

#Alternative browser to IE
Firefox
http://www.mozilla-europe.org/de/
Installing and configuring Firefox
http://www.pcwelt.de/know-how/software/103924/index1.html


Firewall:
<Sygate (German) Firewall
http://www.sygate.de/
----------------------------------------------------------------------------------------------
Try them all out... that is, a different one every 15 days, and then decide.

Trial versions of F-Prot Antivirus
http://www.f-prot.com/download/corporate/trial/

#Download NOD32 Antivirus System
http://www.nod32.de/download/download.php
You should, however, make sure to change the settings
so that ALL FILES are scanned.
By default only certain file types are.

#Trial version "F-Secure Internet Security 2005"
http://esd.element5.com/demoreg.html?productid=544568&sessionid=145499584&random=a990a1793c30e7d127a6bce39bc82919&sessionid=145499584&random=a990a1793c30e7d127a6bce39bc82919
__________
Regards, Sabina

all about PC security
This post was edited on 21.12.2004 at 00:00 by Sabina.
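Added example (not part of this thread, and not Sabina's or HijackThis's own code): a small Python triage script for the O4 autorun entries that the post above tells Hugo to fix. It assumes the HijackThis 1.98 line format shown in this thread; the sample lines are constructed from the entries posted here, and the keyword list and the four rules (RunServices is not processed by Windows XP, the same entry registered under several autorun keys, a security-product name on an unqualified binary, an unresolved Global Startup shortcut) are the editor's own heuristics, not a detection list from any product.

```python
"""Triage of HijackThis 1.98 'O4' autorun entries (added example, not from the thread).

Heuristics, each labelled in the findings (editor's assumptions, not a product's rules):
  - RunServices: that key is only processed by Windows 9x/Me; Windows XP ignores it,
    so an entry there is almost always malware copying a generic persistence recipe.
  - multi-location: the same [name] binary registered under several autorun keys
    (HKLM Run + RunServices + HKCU Run), as W32/Rbot variants do.
  - masquerade: a display name that claims to be a security product while the binary
    is an unqualified file name (no directory), so Windows resolves it through the
    search path rather than a known product directory.
  - unresolved-lnk: a Global Startup shortcut whose target HijackThis shows as '?'.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Sygate Personal Firewall] host32.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] host32.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] host32.exe
O4 - HKCU\..\Run: [WINSWEEP] C:\Programme\WinSweep\WinSweep.Exe /AUTO
O4 - Global Startup: Webfilter.lnk = C:\Programme\AntiVirenKit InternetSecurity\Webfilter\Webfilter.exe
O4 - Global Startup: Firewall.lnk = ?
"""

REG_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
LNK_LINE = re.compile(r"^O4 - (Global Startup|Startup): (.+?) = (.*)$")

# Words in a display name that claim a security product (heuristic list, an assumption).
SECURITY_WORDS = ("firewall", "antivirus", "anti-virus", "security", "norton", "sygate")


def split_command(command):
    """Return (binary, has_path) from the value HijackThis shows after the [name]."""
    command = command.strip()
    if command.startswith('"'):
        binary = command[1:].split('"', 1)[0]
    else:
        binary = command.split()[0] if command else ""
    has_path = "\\" in binary or ":" in binary
    return binary, has_path


def parse_o4(log_text):
    """Parse registry and startup-folder O4 lines into dicts; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = REG_LINE.match(line)
        if m:
            hive, key, name, command = m.groups()
            binary, has_path = split_command(command)
            entries.append({"kind": "reg", "hive": hive, "key": key, "name": name,
                            "binary": binary, "base": binary.rsplit("\\", 1)[-1].lower(),
                            "has_path": has_path})
            continue
        m = LNK_LINE.match(line)
        if m:
            folder, lnk, target = m.groups()
            entries.append({"kind": "lnk", "folder": folder, "name": lnk,
                            "target": target.strip()})
    return entries


def triage(log_text):
    """Return {entry label: sorted list of reasons} for every entry worth a second look."""
    entries = parse_o4(log_text)
    # Where each (name, binary) pair is registered; used for the multi-location rule.
    where = defaultdict(set)
    for e in entries:
        if e["kind"] == "reg":
            where[(e["name"].lower(), e["base"])].add(f"{e['hive']}\\{e['key']}")
    findings = defaultdict(set)
    for e in entries:
        if e["kind"] == "lnk":
            if e["target"] == "?":
                findings[f"{e['folder']}: {e['name']}"].add("unresolved-lnk")
            continue
        label = f"[{e['name']}] {e['binary']}"
        if e["key"].lower().startswith("runservices"):
            findings[label].add("RunServices")
        if len(where[(e["name"].lower(), e["base"])]) >= 2:
            findings[label].add("multi-location")
        if not e["has_path"] and any(w in e["name"].lower() for w in SECURITY_WORDS):
            findings[label].add("masquerade")
    return {label: sorted(reasons) for label, reasons in findings.items()}


if __name__ == "__main__":
    for label, reasons in triage(SAMPLE_LOG).items():
        print(f"{label:45s} {', '.join(reasons)}")
```

Run against the sample, only the host32.exe triple (all three rules) and the unresolved Firewall.lnk are reported; SOUNDMAN.EXE and nwiz.exe are also unqualified names but carry no security-product claim and sit in a single key, so they pass, which is the point of combining signals instead of flagging every bare file name.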
22.12.2004, 00:11
Member

Thread starter

Posts: 15
#11 Hello Sabina,

At an hour that is unusual for me, here is the result of several hours of effort: the obligatory three log files. Read and marvel at the outcome. I think we can both be pleased with what has been achieved.


1. Hijackthis

Logfile of HijackThis v1.98.2
Scan saved at 23:43:25, on 21.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVirenKit InternetSecurity\AVK\AVKService.exe
C:\Programme\AntiVirenKit InternetSecurity\AVK\AVKWCtl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Winamp3\winampa.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\Programme\WinSweep\WSMonitor.exe
C:\Programme\AntiVirenKit InternetSecurity\Webfilter\Webfilter.exe
C:\Programme\AntiVirenKit InternetSecurity\Firewall\kavpf.exe
C:\PROGRA~1\ANTIVI~1\WEBFIL~1\ADSCLE~1.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\Programme\Microsoft Works\MSWorks.exe
C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\hijackthis_198\HijackThis.exe

O2 - BHO: Poly HTML Filter BHO - {0140DF95-9128-4053-AE72-F43F0CFCA062} - C:\WINDOWS\system32\SiKernel.dll
O2 - BHO: SIPAKBHO Class - {40FB69E1-9B7B-453F-B238-37D8E9528929} - C:\Programme\AntiVirenKit InternetSecurity\Webfilter\PAKIEPlugins.dll
O2 - BHO: Offliner AdFilter Helper - {DC9377A2-2E8D-44A1-99DB-F8A821DF254D} - C:\WINDOWS\system32\SiPlugins.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WebFilter-Leiste - {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\PAKIEGUI.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKCU\..\Run: [WINSWEEP] C:\Programme\WinSweep\WinSweep.Exe /AUTO
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Webfilter.lnk = C:\Programme\AntiVirenKit InternetSecurity\Webfilter\Webfilter.exe
O4 - Global Startup: Firewall.lnk = ?
O8 - Extra context menu item: Add selected links to Link Container - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\System\Scripts\off_collector_sel.htm
O8 - Extra context menu item: Show domain links - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\System\Scripts\off_domain_links.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

2. escan

File C:\WINDOWS\Downloaded Program Files\amateur.exe infected by "Trojan.Win32.Dialer.fl" Virus. Action Taken: No Action Taken.


3. adware



Ad-Aware SE Build 1.05
Logfile Created on:Mittwoch, 22. Dezember 2004 00:01:57
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R8 13.09.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):8 total references
Claria(TAC index:7):5 total references
CoolWebSearch(TAC index:10):30 total references
MRU List(TAC index:0):20 total references
PeopleOnPage(TAC index:9):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


22.12.2004 00:01:57 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\office\10.0\common\general
Description : list of recently used symbols in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\automap\9.0\findmru
Description : list of recently used find queries used in microsoft automap-based products


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\automap\9.0\recent file list
Description : list of recently used files in microsoft automap-based products


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Papa\recent
Description : list of recently opened documents


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 464
ThreadCreationTime : 21.12.2004 21:49:51
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 524
ThreadCreationTime : 21.12.2004 21:49:52
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 548
ThreadCreationTime : 21.12.2004 21:49:53
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 596
ThreadCreationTime : 21.12.2004 21:49:53
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 608
ThreadCreationTime : 21.12.2004 21:49:53
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 860
ThreadCreationTime : 21.12.2004 21:49:54
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 884
ThreadCreationTime : 21.12.2004 21:49:54
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1040
ThreadCreationTime : 21.12.2004 21:49:54
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1076
ThreadCreationTime : 21.12.2004 21:49:55
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1184
ThreadCreationTime : 21.12.2004 21:49:55
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1284
ThreadCreationTime : 21.12.2004 21:49:55
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:12 [avkservice.exe]
FilePath : C:\Programme\AntiVirenKit InternetSecurity\AVK\
ProcessID : 1300
ThreadCreationTime : 21.12.2004 21:49:55
BasePriority : Normal
FileVersion : 1, 0, 1, 5
ProductVersion : 11, 0, 0, 0
ProductName : AVKService Module
FileDescription : AVKService Module
InternalName : AVKService
LegalCopyright : Copyright G DATA Software AG 2001-2003
OriginalFilename : AVKService.EXE

#:13 [avkwctl.exe]
FilePath : C:\Programme\AntiVirenKit InternetSecurity\AVK\
ProcessID : 1316
ThreadCreationTime : 21.12.2004 21:49:55
BasePriority : Normal
FileVersion : 18, 0, 1, 1
ProductVersion : 14, 0, 0, 0
ProductName : AVK
FileDescription : AVKWCtl Monitor Service
InternalName : AVKWCtl
OriginalFilename : AVKWCtl.EXE

#:14 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1372
ThreadCreationTime : 21.12.2004 21:49:57
BasePriority : Normal
FileVersion : 6.13.10.3082
ProductVersion : 6.13.10.3082
ProductName : NVIDIA Driver Helper Service, Version 30.82
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 30.82
InternalName : NVSVC
LegalCopyright : (c) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:15 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1456
ThreadCreationTime : 21.12.2004 21:49:57
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 208
ThreadCreationTime : 21.12.2004 21:50:37
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:17 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 368
ThreadCreationTime : 21.12.2004 21:50:39
BasePriority : Normal
FileVersion : 5.0.03
ProductVersion : 5.0.03
ProductName : Avance Sound Manager
CompanyName : Avance Logic, Inc.
FileDescription : Avance Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2002 Avance Logic, Inc.
OriginalFilename : ALSMTray.exe
Comments : Avance AC97 Audio Sound Manager

#:18 [incd.exe]
FilePath : C:\Programme\Ahead\InCD\
ProcessID : 396
ThreadCreationTime : 21.12.2004 21:50:41
BasePriority : Normal
FileVersion : 3.33.0
ProductVersion : 3.33.0
ProductName : InCD
CompanyName : Copyright (C) ahead software gmbh and its licensors
FileDescription : InCD CD-RW UDF Tools
InternalName : InCD
LegalCopyright : Copyright (C) ahead software gmbh and its licensors
OriginalFilename : InCD.EXE
Comments : CD-RW UDF Tools

#:19 [wkufind.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\
ProcessID : 404
ThreadCreationTime : 21.12.2004 21:50:41
BasePriority : Normal
FileVersion : 7.00.0617.0
ProductVersion : 7.00.0617.0
ProductName : Update Detection Module
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works-Aktualisierungserkennung
InternalName : WkUFind
LegalCopyright : Copyright © 1987-2002 Microsoft Corporation.
OriginalFilename : WkUFind.exe

#:20 [jusched.exe]
FilePath : C:\Programme\Java\j2re1.4.2_03\bin\
ProcessID : 416
ThreadCreationTime : 21.12.2004 21:50:41
BasePriority : Normal


#:21 [winampa.exe]
FilePath : C:\Programme\Winamp3\
ProcessID : 424
ThreadCreationTime : 21.12.2004 21:50:42
BasePriority : Normal


#:22 [avkpop.exe]
FilePath : C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\
ProcessID : 432
ThreadCreationTime : 21.12.2004 21:50:43
BasePriority : Normal
FileVersion : 3, 0, 2, 0
ProductVersion : 3, 0, 2, 0
ProductName : AVK
CompanyName : G DATA Software AG
FileDescription : AVK POP3/IMAP Proxy
InternalName : AVKPOP
LegalCopyright : Copyright 2001-2004
OriginalFilename : AVKPop.exe

#:23 [wsmonitor.exe]
FilePath : C:\Programme\WinSweep\
ProcessID : 484
ThreadCreationTime : 21.12.2004 21:50:44
BasePriority : Normal
FileVersion : 1.03.0070
ProductVersion : 1.03.0070
ProductName : WINSWEEP
CompanyName : Software-Entwicklung Frank-Oliver Dzewas
InternalName : WSMonitor
LegalCopyright : Software-Entwicklung Frank-Oliver Dzewas
OriginalFilename : WSMonitor.Exe

#:24 [webfilter.exe]
FilePath : C:\Programme\AntiVirenKit InternetSecurity\Webfilter\
ProcessID : 612
ThreadCreationTime : 21.12.2004 21:50:47
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : G DATA WebFilter
CompanyName : G DATA Software AG
FileDescription : WebFilter
InternalName : WebFilter
LegalCopyright : (C) Copyright 1992-2004 G DATA Software AG
OriginalFilename : WebFilter.exe
Comments : HB

#:25 [kavpf.exe]
FilePath : C:\Programme\AntiVirenKit InternetSecurity\Firewall\
ProcessID : 944
ThreadCreationTime : 21.12.2004 21:50:48
BasePriority : Normal
FileVersion : 1.5.0.119
ProductVersion : 1.5.0.0
ProductName : Kaspersky Anti-Hacker
CompanyName : Kaspersky Labs
FileDescription : Kaspersky Anti-Hacker
InternalName : KAVPF
LegalCopyright : Copyright © Kaspersky Labs 1996-2003.
LegalTrademarks : Kaspersky™ Anti-Virus ® is registered trademark of Kaspersky Labs.
OriginalFilename : KAVPF.EXE

#:26 [adscle~1.exe]
FilePath : C:\PROGRA~1\ANTIVI~1\WEBFIL~1\
ProcessID : 924
ThreadCreationTime : 21.12.2004 21:50:51
BasePriority : Normal
FileVersion : 1.0.0.0
ProductVersion : 1.0.0.0
ProductName : AdsCleaner Professional
CompanyName : SoftInform
InternalName : AdsCleaner
OriginalFilename : AdsCleaner.Exe

#:27 [ntvdm.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1156
ThreadCreationTime : 21.12.2004 22:26:14
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : NTVDM.EXE
InternalName : NTVDM.EXE
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : NTVDM.EXE

#:28 [winword.exe]
FilePath : C:\Programme\Microsoft Office\Office10\
ProcessID : 3868
ThreadCreationTime : 21.12.2004 22:42:38
BasePriority : Normal


#:29 [msworks.exe]
FilePath : C:\Programme\Microsoft Works\
ProcessID : 3896
ThreadCreationTime : 21.12.2004 22:42:44
BasePriority : Normal
FileVersion : 7.02.0620.0
ProductVersion : 7.02.0620.0
ProductName : Microsoft® Works 7.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Task Launcher
InternalName : MSWORKS
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : MSWorks.exe

#:30 [ad-aware.exe]
FilePath : C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\Computerhygiene\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3124
ThreadCreationTime : 21.12.2004 23:01:45
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuText

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

Claria Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : uets

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : GEF

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : GMG

Claria Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\gator.com

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : Next

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : CLSID

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID2

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID4

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : PanelNumber

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{bd0022a3-a43f-4f44-b64f-53ea7575f097}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{5297e905-1dfb-4a9c-9871-a4f95fd58945}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{30192f8d-0958-44e6-b54d-331fd39ac959}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{30192f8d-0958-44e6-b54d-331fd39ac959}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek
Value :

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E1230F8-EA50-42A9-983C-D22ABC2EED3B}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 39
Objects found so far: 59


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59



Deep scanning and examining files (C;)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\Dokumente und Einstellungen\Papa\Schulprogramme\Englisch\Teachmaster\



PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\Dokumente und Einstellungen\Mascha\Schule\Englisch\Vokabeltest\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 61


Deep scanning and examining files (D;)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 61


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 61




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\serg

CoolWebSearch Object Recognized!
Type : File
Data : hosts
Category : Malware
Comment :
Object : C:\WINDOWS\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 65

00:07:49 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:52.656
Objects scanned:95742
Objects identified:45
Objects ignored:0
New critical objects:45



That leaves only the following questions:

1. How do I still get the file "amateur.exe" off the PC? I can't find it anywhere.
2. Can I download a German-language version of Mozilla from www.mozilla-europe.org/de/?
3. How can one change the effect the browser has on graphical layouts? I have noticed that, for example, offers on eBay are no longer displayed the way I prepared them in Word. Instead, the whole text runs in one unbroken line.

Once again, many thanks for your effort and your selfless support. I have already warmly recommended you. New requests will surely be coming to the forum soon.

Kind regards
HugoRatlos
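The Ad-Aware SE log above, parsed here as an added example (my code, not from the thread or from Lavasoft): it turns the "Object Recognized!" blocks into a deduplicated list of registry keys and files to verify in regedit before deleting, and links each CLSID registered under HKCR\clsid to the toolbar entry that references it, so the COM registration and the value that loads it are removed together. The sample excerpt is constructed in the posted format; the paths and CLSIDs in it are taken from the log.

```python
import re

# A block is "<family> Object Recognized!" followed by "Key : value" lines up to a blank line.
HEADER_RE = re.compile(r"^(?P<family>.+?) Object Recognized!$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z]+):?\s*:\s?(?P<val>.*)$")  # also fits "Location: : x"
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# Constructed excerpt in the layout of the posted log; the paths and CLSIDs are the thread's.
SAMPLE_LOG = r"""
Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E1230F8-EA50-42A9-983C-D22ABC2EED3B}

CoolWebSearch Object Recognized!
Type : File
Data : hosts
Category : Malware
Comment :
Object : C:\WINDOWS\
"""

def parse_adaware_log(text):
    """One dict per block: 'family' plus the lower-cased field names (type, category, ...)."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                        # a blank line closes the current block
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"family": m.group("family")}
            findings.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:       # separator and heading lines fall through
            current[m.group("key").lower()] = m.group("val").strip()
    return findings

def location(f):
    """One string a reviewer can paste into regedit or Explorer."""
    t = f.get("type")
    if t == "File":                         # Object is the directory, Data the file name
        return f["object"] + f.get("data", "")
    loc = f"{f.get('rootkey', '')}\\{f.get('object', '')}"
    return f"{loc} -> {f.get('value') or '(Default)'}" if t == "RegValue" else loc

def review_list(findings, categories=("Malware",)):
    """Deduplicated keys/files to verify by hand (regedit, Edit -> Find) before deleting."""
    locs = [location(f) for f in findings if f.get("category") in categories]
    return list(dict.fromkeys(locs))        # keeps first-seen order

def linked_clsids(findings):
    """Map each CLSID registered under HKCR\\clsid to the findings whose Value/Comment
    reference it (e.g. the IE toolbar entry), so registration and loader go together."""
    links = {}
    for f in findings:
        g = GUID_RE.search(f.get("object", ""))
        if f.get("type") == "Regkey" and f["object"].lower().startswith("clsid\\") and g:
            links[g.group(0).lower()] = []
    for f in findings:
        if f.get("object", "").lower().startswith("clsid\\"):
            continue
        for g in GUID_RE.findall(f.get("value", "") + " " + f.get("comment", "")):
            if g.lower() in links and location(f) not in links[g.lower()]:
                links[g.lower()].append(location(f))
    return links
```

Run `review_list(parse_adaware_log(SAMPLE_LOG))` to get the three entries to check; the extra hosts file in C:\WINDOWS\ (not the real one under system32\drivers\etc) is listed alongside the two registry locations.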
22.12.2004, 00:17
Honorary member
Sabina

Posts: 29434
#12 Hello @HugoRatlos

I don't quite trust AdAware.

Check all the keys in the registry and delete them manually.
Start > Run > regedit

For example, everything with: serg
Edit --> Find

HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar

or:
HKEY_CLASSES_ROOT
Object : clsid\{30192f8d-0958-44e6-b54d-331fd39ac959}

--------------------------------------------------------------------------

Unfortunately I'm no Mozilla specialist... google your way through the topic
(or use IE when you go to eBay)

How do you know about the "amateur.exe"?
Try to find it with the Killbox.
http://www.bleepingcomputer.com/files/killbox.php

So try the path... copy it into the Killbox
< Delete File on Reboot
and click on the red cross;
when asked whether to reboot -> click "yes"

C:\Windows\System32\amateur.exe

Regards
__________
Best regards, Sabina

all about PC security
This post was edited by Sabina on 22.12.2004 at 00:23.
22.12.2004, 14:17
Member

Thread starter

Posts: 15
#13 Hello Sabina,

thanks for the customary quick reply. I'll try to keep it short:

Searching for entries containing "serg" led to the folder "SerG" with the subfolder "SearchBar". It contains:

Name          Type        Value

(Default)     REG_SZ      (value not set)
CLSID         REG_SZ      995AC72C-903D-442E-973E-2469D536E43D
ID1           REG_SZ      92
ID2           REG_SZ      66801951
ID4           REG_SZ      1
NEXT          REG_DWORD   0x00000000 (0)
PanelNumber   REG_DWORD   0x00000001 (1)

Should I delete anything from this?

The HKEY_USERS folder contains eight subfolders. Two of them are named "S-1-5-21-2772738787-1426495390-2454685184-1005", one without any further suffix and one with the suffix "_CLASSES". Each of these folders in turn contains a lot of subfolders. Delete or not? The suffix "\software\serg\searchbar" that you gave cannot be found.

The HKEY_CLASSES_ROOT folder contains a subfolder "CLSID". This in turn contains a subfolder with the name you gave, {30192f8d-0958-44e6-b54d-331fd39ac959}, which itself contains five subfolders. Delete or not?

The amateur.exe was reported to me after the "escan". Original message:

File C:\WINDOWS\Downloaded Program Files\amateur.exe infected by "Trojan.Win32.Dialer.fl" Virus. Action Taken: No Action Taken.

The XP search function does not show it, though. I then tried Jotti's virus scan and got the following result:

Service load: 0% 100%

File: amateur.exe
Status: INFECTED/MALWARE
Packers detected: UPX

AntiVir DIAL/Generic dialer (0.64 seconds taken)
Avast No viruses found (3.11 seconds taken)
BitDefender No viruses found (0.37 seconds taken)
ClamAV No viruses found (0.32 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus Trojan.Win32.Dialer.fl (0.63 seconds taken)
mks_vir No viruses found (0.24 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.43 seconds taken)

Apparently only Kaspersky finds the virus (or the file?).

Then, via our new purchase (AntiVirenKit), we discovered that we may still have a worm on the PC after all.

The virus guard has shown us the following log entry four times today (22.12):

Beim Schließen der Datei "C:\WINDOWS\system32\.pif" wurde der Virus "Backdoor.BotGet.FtpB.Gen" von der Engine "BDF" entdeckt. Datei gesäubert: ja. Datei gelöscht: nein. Quarantäne: nein.


And that despite last night's virus check:

Virenprüfung mit AntiVirenKit
Version 15.0.5
Virensignaturen vom 19.12.2004
Job: Lokale Festplatten
Startzeit: 22.12.2004 01:52
Engine(s): KAV-Engine (AVK 15.0.1612), BD-Engine (BD 15.0.163)
Heuristik: Ein
Archive: Ein
Systembereiche: Ein

Prüfung der Systembereiche...
Prüfung aller lokalen Festplatten...
Objekt: o
Pfad: C:\WINDOWS\system32
Status: Virus entfernt
Virus: Backdoor.BotGet.FtpB.Gen (BD-Engine)
Analyse vollständig durchgeführt: 22.12.2004 02:16
39397 Dateien überprüft
1 infizierte Dateien gefunden
0 verdächtige Dateien gefunden

Is the worm gone now or isn't it????

I think that's enough questions for the moment. In the meantime I'll look into the Killbox to find the "amateur.exe".

Warm, grateful, pre-Christmas regards

HugoRatlos
22.12.2004, 15:22
Honorary member
Sabina

Posts: 29434
#14 That should be deletable with the Killbox:
C:\WINDOWS\Downloaded Program Files\amateur.exe

and the entries for "SerG" and "SearchBar"
in the registry you can delete, all of them, nice and clean.
__________
Best regards, Sabina

all about PC security
22.12.2004, 18:37
Member

Thread starter

Posts: 15
#15 Hi Sabina,

thanks for the instructions. Will be done right away.

The Killbox action produced no usable result. After confirming the reboot, this message appeared:

"Pending File Rename Operations Registry Data has been removed by external process."

Apart from Kaspersky, apparently nothing and nobody sees/finds this file. Strange.
We also get the following message with every restart of the PC:

"You now have almost empty advertising list. This can dramatically decrease effectivness of banner blocking function. Do you want to update advertising list from Internet?"

So far we answer no, because we don't know where it comes from. Friend or foe, that is the question here!

"Our" worm is still there, by the way. A scan this afternoon brought it up again. Take a look:

Virenprüfung mit AntiVirenKit
Version 15.0.5
Virensignaturen vom 19.12.2004
Startzeit: 22.12.2004 15:13
Engine(s): KAV-Engine (AVK 15.0.1612), BD-Engine (BD 15.0.163)
Heuristik: Ein
Archive: Ein
Systembereiche: Ein

Prüfung der Systembereiche...
Prüfung aller lokalen Festplatten...
Objekt: o
Pfad: C:\WINDOWS\system32
Status: Virus entfernt
Virus: Backdoor.BotGet.FtpB.Gen (BD-Engine)
Analyse vollständig durchgeführt: 22.12.2004 15:40
39585 Dateien überprüft
1 infizierte Dateien gefunden
0 verdächtige Dateien gefunden

Should I perhaps still carry out the steps you recommended (deleting host32.exe and msmsgsui.exe with the Killbox)?

Warm regards, many thanks and a nice evening from

HugoRatlos