Virus and Trojan infection
#0
13.11.2004, 14:37
Member
Posts: 15
#2
17.11.2004, 00:13
Honorary member
Posts: 29434
Fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe

...........................................................................................................
restart

#open HijackThis. HijackThis-->Config-->Misc Tools-->Delete a file on reboot
paste in: C:\WINDOWS\dpe.dll
when the prompt appears asking whether to restart ("will be deleted by Windows when the system restarts....Do you want to restart your computer now?") -->> click "no" and paste in the next one.
C:\WINDOWS\System\MSMSGSVC.exe
when the prompt appears asking whether to restart ("will be deleted by Windows when the system restarts....Do you want to restart your computer now?") -->> click "no" and paste in the next one.
<C:\WINDOWS\e.exe
Now click "yes" and restart the PC.

#then also try (HijackThis with:
<C:\WINDOWS\toolbar.exe
<C:\WINDOWS\System32\toolbar.dll

search for and delete manually:
<msmsgsvc.exe
<toolbar.txt
<C:\WINDOWS\System32\Version.txt
.....................................................................................................

#Delete Windows\Downloaded Program Files.
ActiveX controls: "Settings" button. Click the "View Objects" button. A list of all local ActiveX controls opens. To decide whether a program is trustworthy it is usually enough to identify the author of the component. If it says "unknown"... then delete it.
that is also where you find: ...what should be deleted....
<C:\WINDOWS\Downloaded Program Files\load.exe

Disk Cleanup: and deleting the temporary files
<Start<Run<cleanmgr
#Click: Temporary Internet Files, OK
#Click: Temporary Files, OK

Clean Internet Explorer:
1. In the Internet Explorer menu bar click Tools and Internet Options.
2. On the General tab, in the Temporary Internet Files section, click the "Delete Cookies" button.
3. Temporary Internet Files < Delete Files

set a new start page and post the log again.
------------------------------------------------------------------------
as for your question about an efficient virus scanner....forget Norton
If you download eScan you will have to deactivate it anyway.
#eScan trial http://www.mwti.net/antivirus/escan/escandl_antivirus.asp (15-day free trial version)
click on: awn2k3e.exe
You can then buy this scanner with a yearly licence.

regards Sabina
__________
Kind regards, Sabina
all about PC security
This post was edited on 17.11.2004 at 01:19 by Sabina.
#3
24.11.2004, 07:37
Member
Thread starter, Posts: 15
Hello Sabina,
first of all many thanks for the last "work order". I followed it carefully except for the item "search for and delete manually:"; here I could only find and delete the file "msmsgsvc.exe". The files "toolbar.txt" and "C:\windows\system32\version.txt" cannot be found, although there are several files named "version.txt". These, however, are in the directory C:\windows\java. Well, after running "hijackthis" again we have the familiar picture. Just take a look at it. What should be done now??? Many thanks also for the tip about eScan. We will not renew the Norton subscription. But does eScan also include a firewall? I have now read that there is supposed to be a piece of software called "Panda" that covers pretty much everything. Is that also just a cheap advertising trick for naive users like us? Once again many, many thanks for your further efforts. Best regards HugoRatlos (and family)

Logfile of HijackThis v1.98.2
Scan saved at 20:32:02, on 22.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Winamp3\winampa.exe
C:\Programme\WinSweep\WSMonitor.exe
C:\Programme\TraXEx\TraXEx.exe
C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\hijackthis_198\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [mwavscan] "C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WINSWEEP] C:\Programme\WinSweep\WinSweep.Exe /AUTO
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O4 - Startup: TraXEx.lnk = C:\Programme\TraXEx\TraXEx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Preispiraten 2.02 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Programme\Preispiraten 2.0b\preispiraten2.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O13 - WWW. Prefix: http://ehttp.cc/?
#4
25.11.2004, 15:07
Honorary member
Posts: 29434
Hello@

Step:
<Download "cwsfix.reg" + "cwsserviceremove.reg", create a new folder and unpack all files into this folder. --> http://d21c.com/Tom41/?D=A
<Download AboutBuster.zip, create a new folder and unpack all files into this folder. Start AboutBuster and update it. Do not scan yet. --> www.malwarebytes.biz/AboutBuster.zip
<Download AdAware, install and update it. Likewise do not scan yet. --> http://www.lavasoft.de/support/download/

Step:
#open HijackThis-->> "Scan" button -->> tick the boxes -->> "Fix checked" button -->> restart the PC
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll (file missing)
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O13 - WWW. Prefix: http://ehttp.cc/?
restart

Step:
#open HijackThis. HijackThis-->Config-->Misc Tools-->Delete a file on reboot
paste in: C:\WINDOWS\dpe.dll
restart the PC...back into safe mode
#open HijackThis. HijackThis-->Config-->Misc Tools-->Delete a file on reboot
paste in: C:\WINDOWS\System\MSMSGSVC.exe
restart the PC...back into safe mode
#open HijackThis. HijackThis-->Config-->Misc Tools-->Delete a file on reboot
paste in: C:\WINDOWS\e.exe
restart the PC...back into safe mode

Step:
and there merge "cwsfix.reg" + "cwsserviceremove.reg" into the registry by answering "yes", and scan with AboutBuster and AdAware (twice) and with eScan (once)

Step:
likewise do in safe mode: Disk Cleanup: and delete the temporary files
<Start<Run--> type in: cleanmgr
delete only:
#Click: Temporary Internet Files, OK
#Click: Temporary Files, OK

Step:
Disable System Restore «XP
http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/gdocid/20030807105707924

Here is the reg file that restores the default values under "DefaultPrefix" and "Prefixes". Download defaultprefix.reg.
http://www.wintotal.de/Tipps/Eintrag.php?TID=434

Then set a new start page under "Internet Options" and post the log again.
regards Sabina
__________
Kind regards, Sabina
all about PC security
This post was edited on 25.11.2004 at 15:24 by Sabina.
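The fix list in the post above is built from the same handful of HijackThis entry types every time: R0/R1 settings that all point at one unexpected host, an O2 BHO whose DLL has already gone, an O4 autostart in an odd directory, and O13 prefixes that silently rewrite whatever is typed into the address bar without a scheme. The following Python is an added example (not code from HijackThis, the thread, or the helper) that parses a log and applies those rules, producing the "remove" versus "review" split a helper makes by eye. The sample log is constructed from lines quoted in this thread; the allow-listed host (www.google.de), the stock IE prefix (http://) and the list of suspect directories are assumptions for this one machine, not universal constants.

```python
"""Triage of a HijackThis log for the entry types fixed in this thread:
R0/R1 (IE start and search URLs), O2 (BHOs), O4 (Run keys), O13 (URL prefixes),
O17 (DNS servers). Added example, not HijackThis code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Constructed sample: lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mwavscan] "C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com" /s
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF33CAF9-EAAE-4541-AD0C-E10E62C288D7}: NameServer = 217.237.150.33 217.237.151.161
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|com|ocx|scr)\b', re.IGNORECASE)

# Assumptions for this one machine: the host the owner chose, the stock IE prefix,
# and directories from which nothing should autostart without a second look.
EXPECTED_HOSTS = {"www.google.de"}
IE_DEFAULT_PREFIX = "http://"
SUSPECT_DIRS = ("\\windows\\system\\", "\\temp\\", "\\downloaded program files\\")
PROGRAM_DIRS = ("c:\\programme\\", "c:\\program files\\")


@dataclass
class Finding:
    severity: str   # "remove": safe to tick in HijackThis; "review": needs a human decision
    kind: str
    reason: str
    line: str


def parse(log: str):
    """Yield (kind, body, line) for each HijackThis entry line; header lines are skipped."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m["kind"], m["body"], raw.strip()


def _path(body: str) -> str:
    m = PATH_RE.search(body)
    return m.group().lower() if m else ""


def triage(log: str) -> List[Finding]:
    entries = list(parse(log))
    # A host that several independent IE settings point at is a hijack, not a preference.
    hosts = Counter()
    for kind, body, _ in entries:
        if kind in ("R0", "R1") and (m := URL_RE.search(body)):
            hosts[urlsplit(m.group()).hostname or ""] += 1

    out: List[Finding] = []
    for kind, body, line in entries:
        if kind in ("R0", "R1"):
            m = URL_RE.search(body)
            if not m:
                continue                      # e.g. "Local Page =" with an empty value
            host = urlsplit(m.group()).hostname or ""
            if host in EXPECTED_HOSTS:
                continue
            sev = "remove" if hosts[host] > 1 or "(obfuscated)" in body else "review"
            out.append(Finding(sev, kind, f"IE setting points at {host} ({hosts[host]} settings share this host)", line))
        elif kind == "O2":
            if "(file missing)" in body:
                out.append(Finding("remove", kind, "BHO CLSID still registered but its DLL is gone: dangling load point", line))
            elif not _path(body).startswith(PROGRAM_DIRS):
                out.append(Finding("review", kind, f"BHO loaded from outside Program Files: {_path(body)}", line))
        elif kind == "O4":
            p = _path(body)
            if any(d in p for d in SUSPECT_DIRS):
                out.append(Finding("review", kind, f"autostart from a legacy or temporary directory: {p}", line))
        elif kind == "O13":
            name, _, value = body.partition(": ")
            if value.strip() != IE_DEFAULT_PREFIX:
                out.append(Finding("remove", kind, f"{name} = {value.strip()}: address-bar input without a scheme is sent through this prefix", line))
        elif kind == "O17":
            out.append(Finding("review", kind, "explicit DNS servers; confirm they are your ISP's before touching them", line))
    return out


def fix_list(findings: List[Finding]) -> List[str]:
    """The lines a helper would paste back under 'Fix:' (severity remove only)."""
    return [f.line for f in findings if f.severity == "remove"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.kind:4} {f.reason}")
```

Two rules deserve comment. The O13 rule is the one that explains the symptom the thread describes: with DefaultPrefix set to http://ehttp.cc/?, typing "www.example.com" without "http://" makes IE request http://ehttp.cc/?www.example.com, so every unqualified address goes through the attacker's redirector, which is why the prefix has to be restored rather than just the start page. The O4 directory rule deliberately reports "review", not "remove": in the sample it flags both the MSMSGSVC.exe the thread removes and the mwavscan.com entry in Temp, and only a person who knows what the second one is can decide.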
#5
17.12.2004, 21:04
Member
Thread starter, Posts: 15
Hello Sabina,
I finally got around to following your instructions from 26.11.04, at least almost completely. I downloaded the programs you specified and worked through the steps with HijackThis. Unfortunately I could not merge cwsfix.reg and cwsserviceremove.reg into the registry. I got no hint via support as to where the registry is. Please don't laugh, but that is (still) beyond me. I then carried out the remaining steps again. I would now like to post the "log" as you requested. But which one? I have three to choose from: - one from HijackThis - one from Ad-Aware and - one from eScan. Or would you like all three??? I am eagerly awaiting your next instructions. Just this much in advance: the annoying, unwanted pages no longer appear when dialling into the Internet. I now have some problems with TRAXX, but more on that perhaps only once this complex here has been dealt with. Following your advice I have deactivated Symantec and downloaded (bought) "eScan". Hopefully we will now be spared the junk, because as already described eScan has tracked down some unwanted guests about which Symantec never gave any warning. On the contrary. A scan produced the result: virus-free! Wishing you a nice weekend, I remain, once again thanking you for your efforts (how can I ever repay you?) With best regards HugoRatlos
#6
18.12.2004, 00:50
Honorary member
Posts: 29434
Hello@Hugo Ratlos
Post all 3 logs - one from HijackThis - one from Ad-Aware and - one from eScan.
__________
Kind regards, Sabina
all about PC security
#7
19.12.2004, 17:48
Member
Thread starter, Posts: 15
Hello Sabina,
below are the three log files. But first a very important question!!!! After my last post I wanted to download "escan Internet security (ISS)". It doesn't work, though. I get stuck on the American site. Now I have seen via Google that the package can be bought on eBay. For us as modem users that is probably the better alternative anyway, because otherwise we would presumably have to sit in front of the PC for hours?? Question: tomorrow our Symantec subscription expires, i.e. from then on we are "unprotected" when using the Internet. Is the 15-day version of eScan sufficient protection, or does another program have to be downloaded in the meantime?? THIS QUESTION IS EVEN MORE IMPORTANT THAN THE FURTHER CLEANUP EFFORTS!!!! Now the files:

1. HijackThis

Logfile of HijackThis v1.98.2
Scan saved at 17:30:33, on 19.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Winamp3\winampa.exe
C:\Programme\WinSweep\WSMonitor.exe
C:\WINDOWS\system32\ntvdm.exe
C:\T-ONLINE\BSW4\ToDuCAlC.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\hijackthis_198\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [mwavscan] "C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com" /s
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [WINSWEEP] C:\Programme\WinSweep\WinSweep.Exe /AUTO
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe
O4 - Startup: TraXEx.lnk = C:\Programme\TraXEx\TraXEx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Preispiraten 2.02 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Programme\Preispiraten 2.0b\preispiraten2.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF33CAF9-EAAE-4541-AD0C-E10E62C288D7}: NameServer = 217.237.150.33 217.237.151.161

2. Ad-Aware

Ad-Aware SE Build 1.05
Logfile Created on:Sonntag, 19. Dezember 2004 17:35:51
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R8 13.09.2004

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):8 total references
Claria(TAC index:7):5 total references
CoolWebSearch(TAC index:10):30 total references
MRU List(TAC index:0):20 total references
PeopleOnPage(TAC index:9):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

19.12.2004 17:35:51 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\office\10.0\common\general
Description : list of recently used symbols in microsoft office

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\automap\9.0\findmru
Description : list of recently used find queries used in microsoft automap-based products

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\automap\9.0\recent file list
Description : list of recently used files in microsoft automap-based products

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Papa\recent
Description : list of recently opened documents

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 460
ThreadCreationTime : 19.12.2004 12:43:46
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 516
ThreadCreationTime : 19.12.2004 12:43:47
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 540
ThreadCreationTime : 19.12.2004 12:43:47
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 584
ThreadCreationTime : 19.12.2004 12:43:48
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 596
ThreadCreationTime : 19.12.2004 12:43:48
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 852
ThreadCreationTime : 19.12.2004 12:43:48
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 876
ThreadCreationTime : 19.12.2004 12:43:48
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 960
ThreadCreationTime : 19.12.2004 12:43:49
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1024
ThreadCreationTime : 19.12.2004 12:43:49
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1152
ThreadCreationTime : 19.12.2004 12:43:50
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [ccevtmgr.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 1192
ThreadCreationTime : 19.12.2004 12:43:50
BasePriority : Normal
FileVersion : 1.03.4
ProductVersion : 1.03.4
ProductName : Event Manager
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:12 [nisum.exe]
FilePath : C:\Programme\Norton Internet Security\
ProcessID : 1208
ThreadCreationTime : 19.12.2004 12:43:50
BasePriority : Normal
FileVersion : 6.02.2003
ProductVersion : 6.02.2003
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security NISUM
InternalName : NISUM
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NISUM.exe

#:13 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1376
ThreadCreationTime : 19.12.2004 12:43:52
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:14 [ccpxysvc.exe]
FilePath : C:\Programme\Norton Internet Security\
ProcessID : 1388
ThreadCreationTime : 19.12.2004 12:43:52
BasePriority : Normal
FileVersion : 6.02.2003
ProductVersion : 6.02.2003
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security Proxy Service
InternalName : ccPxySvc
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccPxySvc.exe

#:15 [navapsvc.exe]
FilePath : C:\Programme\Norton AntiVirus\
ProcessID : 1428
ThreadCreationTime : 19.12.2004 12:43:52
BasePriority : Normal
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:16 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1476
ThreadCreationTime : 19.12.2004 12:43:52
BasePriority : Normal
FileVersion : 6.13.10.3082
ProductVersion : 6.13.10.3082
ProductName : NVIDIA Driver Helper Service, Version 30.82
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 30.82
InternalName : NVSVC
LegalCopyright : (c) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:17 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1572
ThreadCreationTime : 19.12.2004 12:43:52
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:18 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 3740
ThreadCreationTime : 19.12.2004 15:23:52
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:19 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 3932
ThreadCreationTime : 19.12.2004 15:23:52
BasePriority : Normal
FileVersion : 5.0.03
ProductVersion : 5.0.03
ProductName : Avance Sound Manager
CompanyName : Avance Logic, Inc.
FileDescription : Avance Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2002 Avance Logic, Inc.
OriginalFilename : ALSMTray.exe
Comments : Avance AC97 Audio Sound Manager

#:20 [incd.exe]
FilePath : C:\Programme\Ahead\InCD\
ProcessID : 3660
ThreadCreationTime : 19.12.2004 15:23:52
BasePriority : Normal
FileVersion : 3.33.0
ProductVersion : 3.33.0
ProductName : InCD
CompanyName : Copyright (C) ahead software gmbh and its licensors
FileDescription : InCD CD-RW UDF Tools
InternalName : InCD
LegalCopyright : Copyright (C) ahead software gmbh and its licensors
OriginalFilename : InCD.EXE
Comments : CD-RW UDF Tools

#:21 [wkufind.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\
ProcessID : 3664
ThreadCreationTime : 19.12.2004 15:23:53
BasePriority : Normal
FileVersion : 7.00.0617.0
ProductVersion : 7.00.0617.0
ProductName : Update Detection Module
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works-Aktualisierungserkennung
InternalName : WkUFind
LegalCopyright : Copyright © 1987-2002 Microsoft Corporation.
OriginalFilename : WkUFind.exe

#:22 [ccapp.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 3736
ThreadCreationTime : 19.12.2004 15:23:53
BasePriority : Normal
FileVersion : 1.0.9.002
ProductVersion : 1.0.9.002
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:23 [jusched.exe]
FilePath : C:\Programme\Java\j2re1.4.2_03\bin\
ProcessID : 3480
ThreadCreationTime : 19.12.2004 15:23:53
BasePriority : Normal

#:24 [winampa.exe]
FilePath : C:\Programme\Winamp3\
ProcessID : 2996
ThreadCreationTime : 19.12.2004 15:23:53
BasePriority : Normal

#:25 [wsmonitor.exe]
FilePath : C:\Programme\WinSweep\
ProcessID : 3964
ThreadCreationTime : 19.12.2004 15:23:54
BasePriority : Normal
FileVersion : 1.03.0070
ProductVersion : 1.03.0070
ProductName : WINSWEEP
CompanyName : Software-Entwicklung Frank-Oliver Dzewas
InternalName : WSMonitor
LegalCopyright : Software-Entwicklung Frank-Oliver Dzewas
OriginalFilename : WSMonitor.Exe

#:26 [ntvdm.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1060
ThreadCreationTime : 19.12.2004 15:45:56
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : NTVDM.EXE
InternalName : NTVDM.EXE
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : NTVDM.EXE

#:27 [toducalc.exe]
FilePath : C:\T-ONLINE\BSW4\
ProcessID : 292
ThreadCreationTime : 19.12.2004 16:08:24
BasePriority : Normal
FileVersion : 1.04.10
ProductVersion : 3.0
ProductName : T-Online Software
CompanyName : Drews EDV+Btx GmbH
FileDescription : T-Online DUN Connection Alive Checker
InternalName : ToDuCAlC
LegalCopyright : Copyright © Drews EDV+Btx GmbH 1999,2000
OriginalFilename : ToDuCAlC.exe

#:28 [iexplore.exe]
FilePath : C:\Programme\Internet Explorer\
ProcessID : 2228
ThreadCreationTime : 19.12.2004 16:25:55
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : IEXPLORE.EXE

#:29 [ad-aware.exe]
FilePath : C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\Computerhygiene\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3708
ThreadCreationTime : 19.12.2004 16:35:38
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuText

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

Claria Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : uets

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : GEF

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : GMG

Claria Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\gator.com

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : Next

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : CLSID

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID2

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID4

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : PanelNumber

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{bd0022a3-a43f-4f44-b64f-53ea7575f097}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{5297e905-1dfb-4a9c-9871-a4f95fd58945}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{30192f8d-0958-44e6-b54d-331fd39ac959}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{30192f8d-0958-44e6-b54d-331fd39ac959}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek
Value :

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E1230F8-EA50-42A9-983C-D22ABC2EED3B}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 39
Objects found so far: 59

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59

Deep scanning and examining files (C
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\Dokumente und Einstellungen\Papa\Schulprogramme\Englisch\Teachmaster\

PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\Dokumente und Einstellungen\Mascha\Schule\Englisch\Vokabeltest\

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 61

Deep scanning and examining files (D
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 61

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 61

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\serg

CoolWebSearch Object Recognized!
Type : File
Data : hosts
Category : Malware
Comment :
Object : C:\WINDOWS\

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 65

17:39:58 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:04:06.516
Objects scanned:97185
Objects identified:45
Objects ignored:0
New critical objects:45

3. escan

Sun Dec 19 16:50:31 2004 => **********************************************************
Sun Dec 19 16:50:31 2004 => eScan AntiVirus Toolkit Utility.
Sun Dec 19 16:50:31 2004 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Sun Dec 19 16:50:31 2004 => **********************************************************
Sun Dec 19 16:50:32 2004 => Version 4.7.5 (C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com)
Sun Dec 19 16:50:32 2004 => Log File: C:\DOKUME~1\Papa\LOKALE~1\Temp\mwav.log
Sun Dec 19 16:50:33 2004 => Latest Date of files inside MWAV: 15 Dec 2004 06:01:46.
Sun Dec 19 16:50:38 2004 => AV Library Loaded...
Sun Dec 19 16:50:38 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavss.exe
Sun Dec 19 16:50:38 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\Getvlist.exe
Sun Dec 19 16:50:39 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavss.dll
Sun Dec 19 16:50:39 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssdi.dll
Sun Dec 19 16:50:39 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssi.dll
Sun Dec 19 16:50:39 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavvlg.dll
Sun Dec 19 16:50:40 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\msvlclnt.dll
Sun Dec 19 16:50:40 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\ipc.dll
Sun Dec 19 16:50:40 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\main.avi
Sun Dec 19 16:50:40 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\virus.avi
Sun Dec 19 16:50:41 2004 => Virus Database Date: 2004/12/15
Sun Dec 19 16:50:41 2004 => Virus Database Count: 112526
Sun Dec 19 16:50:45 2004 => **********************************************************
Sun Dec 19 16:50:45 2004 => eScan AntiVirus Toolkit Utility.
Sun Dec 19 16:50:45 2004 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Sun Dec 19 16:50:45 2004 =>
Sun Dec 19 16:50:45 2004 => Support: support@mwti.net
Sun Dec 19 16:50:45 2004 => Web: http://www.mwti.net
Sun Dec 19 16:50:45 2004 => **********************************************************
Sun Dec 19 16:50:45 2004 => Version 4.7.5 (C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com)
Sun Dec 19 16:50:45 2004 => Log File: C:\DOKUME~1\Papa\LOKALE~1\Temp\mwav.log
Sun Dec 19 16:50:45 2004 => Latest Date of files inside MWAV: 15 Dec 2004 06:01:46.
Sun Dec 19 16:50:45 2004 => Options Selected by User:
Sun Dec 19 16:50:45 2004 => Memory Check: Enabled
Sun Dec 19 16:50:45 2004 => Registry Check: Enabled
Sun Dec 19 16:50:45 2004 => StartUp Folder Check: Enabled
Sun Dec 19 16:50:45 2004 => System Folder Check: Enabled
Sun Dec 19 16:50:45 2004 => System Area Check: Disabled
Sun Dec 19 16:50:45 2004 => Services Check: Enabled
Sun Dec 19 16:50:45 2004 => Drive Check Option Disabled
Sun Dec 19 16:50:45 2004 => Folder Check: Enabled
Sun Dec 19 16:50:45 2004 => Folder Selected = C:\WINDOWS
Sun Dec 19 16:50:45 2004 => ***** Scanning Memory Files *****
Sun Dec 19 16:50:45 2004 => Scanning File C:\WINDOWS\SYSTEM32\CSRSS.EXE
Sun Dec 19 16:50:45 2004 => Scanning File C:\WINDOWS\SYSTEM32\WINLOGON.EXE
Sun Dec 19 16:50:46 2004 => Scanning File C:\WINDOWS\System32\smss.exe
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\ipc.dll
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavss.dll
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavss.exe
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssd.dll
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssdi.dll
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssi.dll
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\msvlclnt.dll
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\PSAPI.DLL
Sun Dec 19 16:50:46 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\RICHED32.DLL
Sun Dec 19 16:50:46 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\CCEMLPXY.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\ccErrDsp.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\ccEvt.dll
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\CCREGMON.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~1\apwutil.dll
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~1\CCIMSCAN.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~1\DEFALERT.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~1\NAVAPW32.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~1\NAVEvent.dll
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~1\SavRT32.dll
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~2\ATRACK.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~2\ccFWRuls.dll
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~2\IAMAPP.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~2\LICALERT.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~2\NAVAPI32.DLL
Sun Dec 19 16:50:47 2004 => Scanning File C:\PROGRA~1\NORTON~2\NISALERT.DLL
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\NORTON~2\NisEvt.dll
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\NORTON~2\NISRES.DLL
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\NORTON~2\tlevel.dll
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\NORTON~2\UMCBK.DLL
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\Symantec\S32EVNT1.DLL
Sun Dec 19 16:50:48 2004 => Scanning File C:\Programme\Ahead\InCD\InCD.exe
Sun Dec 19 16:50:48 2004 => Scanning File C:\Programme\Ahead\InCD\res.dll
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\MICROS~1\WORKSS~1\WkUFind.exe
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\ccApp.exe
Sun Dec 19 16:50:48 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\ccEvt.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\ccEvtMgr.exe
Sun Dec 19 16:50:49 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\LiveReg\iraLSCl2.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\LiveReg\IraVcLc2.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\scrauth.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\ScrBlock.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\Programme\Java\j2re1.4.2_03\bin\jpins7.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\Programme\Java\j2re1.4.2_03\bin\jpinsp.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\Programme\Java\j2re1.4.2_03\bin\jpishare.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
Sun Dec 19 16:50:49 2004 => Scanning File C:\Programme\Java\j2re1.4.2_03\bin\NPOJI610.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\Programme\Messenger\msgsc.dll
Sun Dec 19 16:50:49 2004 => Scanning File C:\PROGRA~1\MOZILL~1\COMPON~1\FULLSOFT.DLL
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\COMPON~1\jar50.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\COMPON~1\QFASER~1.DLL
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\firefox.exe
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\js3250.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\nspr4.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\nss3.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\plc4.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\plds4.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\smime3.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\softokn3.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\ssl3.dll
Sun Dec 19 16:50:50 2004 => Scanning File C:\PROGRA~1\MOZILL~1\xpcom.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\MOZILL~1\XPCOM_~1.DLL
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~1\apwcmdnt.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~1\navapsvc.exe
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~1\NavEmail.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~1\NavShExt.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~1\SavRT32.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\ccAntiSp.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\ccProxy.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\ccPxyEvt.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\ccPxySvc.exe
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\ccScanSp.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\DataHTTP.dll
Sun Dec 19 16:50:51 2004 => Scanning File C:\PROGRA~1\NORTON~2\DJSMAR00.DLL
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\NisAdBlk.dll
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\NISCONFD.DLL
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\NisEmail.dll
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\NisEvt.DLL
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\NISUM.EXE
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\NISUMPS.DLL
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\PxyHTTP.dll
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\PxyIM.dll
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\PxyNNTP.DLL
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\StrmFilt.dll
Sun Dec 19 16:50:52 2004 => Scanning File C:\PROGRA~1\NORTON~2\SymIConv.dll
Sun Dec 19 16:50:52 2004 => Scanning File C:\Programme\TraXEx\TraXEx.exe
Sun Dec 19 16:50:52 2004 => Scanning File C:\Programme\Winamp3\winampa.exe
Sun Dec 19 16:50:53 2004 => Scanning File C:\Programme\WinSweep\WSMonitor.exe
Sun Dec 19 16:50:53 2004 => Scanning File C:\T-ONLINE\BSW4\ontool32.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\T-ONLINE\BSW4\ToDuCAlC.EXE
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\Explorer.EXE
Sun Dec 19 16:50:53 2004 => Scanning File c:\windows\pchealth\helpctr\binaries\pchsvc.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\SOUNDMAN.EXE
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\System32\ACTIVEDS.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\System32\actxprxy.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\System32\adsldpc.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\system32\ADVAPI32.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\System32\ADVPACK.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\System32\alg.exe
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\system32\Apphelp.dll
Sun Dec 19 16:50:53 2004 => Scanning File C:\WINDOWS\System32\ATL.DLL
Sun Dec 19 16:50:54 2004 => Scanning File c:\windows\system32\audiosrv.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\system32\AUTHZ.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\avicap32.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\system32\basesrv.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\BatMeter.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\browselc.dll
Sun Dec 19 16:50:54 2004 => Scanning File c:\windows\system32\browser.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\BROWSEUI.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\ccPasswd.DLL
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\ccTrust.dll
Sun Dec 19 16:50:54 2004 => Scanning File c:\windows\system32\certcli.dll
Sun Dec 19 16:50:54 2004 => Scanning File c:\windows\system32\CFGMGR32.dll
Sun Dec 19 16:50:54 2004 => Scanning File C:\WINDOWS\System32\CLBCATQ.DLL
Sun Dec 19 16:50:54 2004 => Scanning File c:\windows\system32\CLUSAPI.dll
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\system32\cnbjmon.dll
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\system32\colbact.DLL
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\system32\COMCTL32.dll
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\system32\comdlg32.dll
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\System32\COMRes.dll
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\system32\comsvcs.dll
Sun Dec 19 16:50:55 2004 => Scanning File c:\windows\system32\credui.dll
Sun Dec 19 16:50:55 2004 => Scanning File C:\WINDOWS\system32\CRYPT32.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\system32\cryptdll.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\system32\cryptnet.dll
Sun Dec 19 16:50:56 2004 => Scanning File c:\windows\system32\cryptsvc.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\System32\CRYPTUI.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\system32\cscdll.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\System32\cscui.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\system32\CSRSRV.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\System32\davclnt.dll
Sun Dec 19 16:50:56 2004 => Scanning File c:\windows\system32\dhcpcsvc.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\system32\DNSAPI.dll
Sun Dec 19 16:50:56 2004 => Scanning File c:\windows\system32\dnsrslvr.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\System32\drprov.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\System32\dssenh.dll
Sun Dec 19 16:50:56 2004 => Scanning File C:\WINDOWS\System32\DUSER.dll
Sun Dec 19 16:50:56 2004 => Scanning File c:\windows\system32\ersvc.dll
Sun Dec 19 16:50:56 2004 => Scanning File c:\windows\system32\es.dll
Sun Dec 19 16:50:57 2004 => Scanning File c:\windows\system32\ESENT.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\system32\eventlog.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\system32\GDI32.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\System32\h323.tsp
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\System32\HID.DLL
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\System32\hidphone.tsp
Sun Dec 19 16:50:57 2004 => Scanning File c:\windows\system32\HNetCfg.dll
Sun Dec 19 16:50:57 2004 => Scanning File c:\windows\system32\ICAAPI.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\system32\icmp.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\system32\IMAGEHLP.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\System32\IMM32.DLL
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\system32\inetpp.dll
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\System32\ipconf.tsp
Sun Dec 19 16:50:57 2004 => Scanning File C:\WINDOWS\system32\iphlpapi.dll
Sun Dec 19 16:50:57 2004 => Please Wait Exiting Application...
Sun Dec 19 16:50:57 2004 => ***** Scanning complete. *****
Sun Dec 19 16:50:57 2004 => Virus Database Date: 2004/12/15
Sun Dec 19 16:50:57 2004 => Virus Database Count: 112526
Sun Dec 19 16:50:57 2004 => Scan Completed.
Sun Dec 19 16:50:58 2004 => Total Files Scanned: 155
Sun Dec 19 16:50:58 2004 => Total Virus(es) Found: 0
Sun Dec 19 16:50:58 2004 => Total Disinfected Files: 0
Sun Dec 19 16:50:58 2004 => Total Files Renamed: 0
Sun Dec 19 16:50:58 2004 => Total Deleted Files: 0
Sun Dec 19 16:50:58 2004 => Total Errors: 0
Sun Dec 19 16:50:58 2004 => Time Elapsed: 00:00:12
Sun Dec 19 17:06:48 2004 => Virus Database Date: 2004/12/15
Sun Dec 19 17:06:48 2004 => Virus Database Count: 112526
Sun Dec 19 17:06:54 2004 => AV Library Unloaded (3)...
Sun Dec 19 17:43:52 2004 => **********************************************************
Sun Dec 19 17:43:52 2004 => eScan AntiVirus Toolkit Utility.
Sun Dec 19 17:43:52 2004 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Sun Dec 19 17:43:52 2004 => **********************************************************
Sun Dec 19 17:43:52 2004 => Version 4.7.5 (C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com)
Sun Dec 19 17:43:52 2004 => Log File: C:\DOKUME~1\Papa\LOKALE~1\Temp\mwav.log
Sun Dec 19 17:43:52 2004 => Latest Date of files inside MWAV: 15 Dec 2004 06:01:46.
Sun Dec 19 17:43:53 2004 => AV Library Loaded...
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavss.exe
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\Getvlist.exe
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavss.dll
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssdi.dll
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavssi.dll
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\kavvlg.dll
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\msvlclnt.dll
Sun Dec 19 17:43:53 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\ipc.dll
Sun Dec 19 17:43:54 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\main.avi
Sun Dec 19 17:43:54 2004 => Scanning File C:\DOKUME~1\Papa\LOKALE~1\Temp\virus.avi
Sun Dec 19 17:43:54 2004 => Virus Database Date: 2004/12/15
Sun Dec 19 17:43:54 2004 => Virus Database Count: 112526

In advance, many thanks for all your efforts, in whatever direction they may go, and a pleasant fourth Advent evening.

HugoRatlos
19.12.2004, 18:12
Honorary member
Posts: 29434
#8
Hello @HugoRatlos
That already looks very good. Please also fix:

O4 - HKLM\..\Run: [mwavscan] "C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com" /s
O9 - Extra button: Preispiraten 2.02 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Programme\Preispiraten 2.0b\preispiraten2.exe

Restart.

Then clean the PC and IE.

#TuneUp2004 (30 days free): don't change any settings... just clean, optimize and fix errors
http://www.tuneup.de/products/tuneup-utilities/

#ClearProg.. download the newest version (1.4.0 Final) and clean the browser.
The program deletes the browsing traces of Internet Explorer from version 5.0 on, of Netscape/Mozilla and of Opera:
- Cookies
- History
- Temporary internet files (cache)
- the entered URLs
- AutoComplete entries in IE web forms (so far only Win9x/ME)
- Netscape/Opera download lists
http://www.clearprog.de/downloads.php

(As for eScan, it is a bit cumbersome. Better (and cheaper) is Antivirus free; however, Symantec has to be uninstalled completely (best in Safe Mode). Configure in the scanner AND in the Guard: all files, heuristics medium) and update the scanner every day (!)

#Antivirus (free)
http://www.free-av.de/

and from now on only browse with Firefox

#Alternative browser to IE: Firefox
http://www.mozilla-europe.org/de/
Installation + configuration of Firefox
http://www.pcwelt.de/know-how/software/103924/index1.html

Then please set a start page under Internet Options and post the log once more.

__________
Regards
Sabina
all about PC security

This post was edited by Sabina on 19.12.2004 at 18:16.
|
|
|
||
20.12.2004, 21:24
Member
Thread starter Posts: 15 |
#9
Hello Sabina,
Once again I have fought my way through your instructions, this time with only partial success. Partial because calling generates the following message: "C:\Dokumente und Einstellungen\....\avwinsfx03.exe st keine zulässige Win32 Anwendung" What now?
I have uninstalled Norton Anti-Virus. Are we now unprotected? Norton Internet Security is still installed. The subscription ends tomorrow. What should I do?
The three logfiles from the various check routines are posted again below. Setting the start page under "Internet Options" surely referred to IE? The Mozilla version still installed here is English only and does not offer this setting.
Here are the logfiles:
1. HijackThis:
Logfile of HijackThis v1.98.2
Scan saved at 20:29:15, on 20.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Winamp3\winampa.exe
C:\WINDOWS\System32\host32.exe
C:\Programme\WinSweep\WSMonitor.exe
C:\Programme\TraXEx\TraXEx.exe
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\Programme\Microsoft Works\MSWorks.exe
C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\hijackthis_198\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Sygate Personal Firewall] host32.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] host32.exe
O4 - HKCU\..\Run: [WINSWEEP] C:\Programme\WinSweep\WinSweep.Exe /AUTO
O4 - HKCU\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] host32.exe
O4 - Startup: TraXEx.lnk = C:\Programme\TraXEx\TraXEx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
2. eScan: Here I have only copied in the virus detections. Otherwise the log would have "blown up" the page.
If that should not be sufficient, please let me know. Then I will post the rest too. What follows is frightening enough for us: 14 viruses? After this whole procedure? Or is it merely 4 viruses in different places?
File C:\WINDOWS\System32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msmsgsui.exe infected by "Trojan.Win32.StartPage.lj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vbsys.dll_old infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vbsys2.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vbsys.dll_old infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vbsys2.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\host32.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\amateur.exe infected by "Trojan.Win32.Dialer.fl" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msmsgsui.exe infected by "Trojan.Win32.StartPage.lj" Virus. Action Taken: No Action Taken.
3.
Ad-Aware: Here I did not know what could be deleted without loss of information, so here is the complete logfile:
Ad-Aware SE Build 1.05
Logfile Created on:Montag, 20. Dezember 2004 21:11:22
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R8 13.09.2004
References detected during the scan:
Alexa(TAC index:5):8 total references
Claria(TAC index:7):5 total references
CoolWebSearch(TAC index:10):30 total references
MRU List(TAC index:0):20 total references
PeopleOnPage(TAC index:9):2 total references
20.12.2004 21:11:22 - Scan started. (Full System Scan)
Summary Of This Scan
Total scanning time:00:02:51.781
Objects scanned:97785
Objects identified:45
Objects ignored:0
New critical objects:45
I think tomorrow I will dash over to the "...Markt" and look for a recommended Internet security/antivirus complete package (except the one from Symantec) and install it before we go back online. Wouldn't that be the most effective alternative? Then we could continue with the "PC cleaning".
Kind and grateful regards, HugoRatlos |
20.12.2004, 23:46
Honorary member
Posts: 29434
#10
Oh God, now there is a backdoor on it!

W32/Rbot-GU is a worm that tries to spread to remote network shares. It also has backdoor functionality that allows unauthorised remote access to the infected computer via IRC channels.
You have to turn off the network shares!!!!!!!!!

# Configure NT services securely
http://www.ntsvcfg.de/ or www.dingens.org
_________________________________________________________________________
Disable System Restore «XP
http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/gdocid/20030807105707924

Go into the registry: Start < Run < regedit
HKLM\Software\Microsoft\Ole\
EnableDCOM = N --> change to Y
HKLM\System\ControlSet001\Control\Lsa\
restrictanonymous = 1 --> change to 0
HKLM\System\CurrentControlSet\Control\Lsa\
restrictanonymous = 1 ---> change to 0
---------------------------------------------------------------------------
Download the Killbox
http://www.bleepingcomputer.com/files/killbox.php

Fix:
O4 - HKLM\..\Run: [Sygate Personal Firewall] host32.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] host32.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] host32.exe

Restart into Safe Mode.

Delete with the Killbox: go to <Delete File on Reboot <Unregister .dll before deleting" and click the red cross; when asked whether to reboot -> click "no" and paste in the next one; only on the last one click "yes":
C:\WINDOWS\System32\host32.exe
C:\WINDOWS\msmsgsui.exe
C:\WINDOWS\System32\vbsys.dll_old
C:\WINDOWS\System32\vbsys2.dll

Restart, scan again with eScan and report.

# Trend Micro (online)
http://de.trendmicro-europe.com/enterprise/products/housecall_pre.php
# Patches, service packs and tools (XP)
http://www.rz.uni-freiburg.de/pc/sys/winxp/index.php
# Alternative browser to IE: Firefox
http://www.mozilla-europe.org/de/
Installation + configuration of Firefox
http://www.pcwelt.de/know-how/software/103924/index1.html
Firewall: <Sygate (German) Firewall
http://www.sygate.de/
----------------------------------------------------------------------------------------------
Try them all out... i.e. a different one every 15 days, and then decide.
Trial versions of F-Prot Antivirus
http://www.f-prot.com/download/corporate/trial/
# Download NOD32 Antivirus System
http://www.nod32.de/download/download.php
However, you should make sure to change the settings so that ALL FILES are scanned. By default only certain file types are.
# Trial version "F-Secure Internet Security 2005"
http://esd.element5.com/demoreg.html?productid=544568&sessionid=145499584&random=a990a1793c30e7d127a6bce39bc82919&sessionid=145499584&random=a990a1793c30e7d127a6bce39bc82919
__________
Regards
Sabina
all about PC security
This post was edited on 21.12.2004 at 00:00 by Sabina.
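The three O4 lines Sabina asks to have fixed share a pattern that can be checked mechanically rather than by eye: the same bare filename (host32.exe, no directory) registered under HKLM Run, HKLM RunServices and HKCU Run, behind a display name borrowed from a real security product. The script below is an added example for this thread, not code from the original posts or from HijackThis. It parses the registry O4 lines of a HijackThis log (the sample lines are constructed from O4 entries quoted in this thread) and scores each autostart binary on three signals: a bare filename that is resolved through the search path, use of the Win9x-era RunServices key that Windows XP does not process, and the same binary registered under more than one autostart key. The signals, the scoring and the threshold are assumptions for triage; a high score means "look at this entry", not "malware".

```python
"""Triage HijackThis O4 (autostart) entries.

Added example for this thread; not code from the original posts or from
HijackThis. The sample lines are constructed from O4 entries quoted in the
thread. The signals and the threshold are assumptions for triage, not a
verdict: a high score means "look at this entry", not "malware".
"""
import re

# Registry O4 lines only; "O4 - Global Startup: ..." lines do not match.
O4_RE = re.compile(r'^O4 - (?P<key>\S+?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')

SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [Sygate Personal Firewall] host32.exe
O4 - HKLM\\..\\RunServices: [Sygate Personal Firewall] host32.exe
O4 - HKCU\\..\\Run: [Sygate Personal Firewall] host32.exe
O4 - HKLM\\..\\Run: [InCD] C:\\Programme\\Ahead\\InCD\\InCD.exe
O4 - HKLM\\..\\Run: [WinampAgent] "C:\\Programme\\Winamp3\\winampa.exe"
"""


def executable_of(cmd):
    """Return the program part of an O4 command: the quoted path or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def parse_o4(text):
    """Return (registry key, display name, command) for each registry O4 line."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m.group('key'), m.group('name'), m.group('cmd')))
    return entries


def add_reason(rec, reason):
    if reason not in rec['reasons']:
        rec['reasons'].append(reason)


def triage(entries):
    """Group O4 entries by binary name and collect the signals seen for each."""
    report = {}
    for key, name, cmd in entries:
        exe = executable_of(cmd)
        base = exe.replace('/', '\\').rsplit('\\', 1)[-1].lower()
        rec = report.setdefault(base, {'keys': [], 'names': set(), 'reasons': []})
        rec['keys'].append(key)
        rec['names'].add(name)
        if '\\' not in exe and '/' not in exe:
            add_reason(rec, 'bare filename: resolved through the search path, easy to plant')
        if key.lower().endswith('runservices'):
            add_reason(rec, 'Win9x-era RunServices key: not processed by Windows XP')
    for rec in report.values():
        if len(rec['keys']) > 1:
            add_reason(rec, 'same binary under %d autostart keys' % len(rec['keys']))
        rec['score'] = len(rec['reasons'])
    return report


def suspicious(report, threshold=2):
    """Binary names whose score reaches the threshold, highest score first."""
    hits = [(b, r['score']) for b, r in report.items() if r['score'] >= threshold]
    return [b for b, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


if __name__ == '__main__':
    rep = triage(parse_o4(SAMPLE_LOG))
    for base in suspicious(rep):
        print(base, rep[base]['score'], rep[base]['keys'])
        for reason in rep[base]['reasons']:
            print('   -', reason)
```

On the sample, host32.exe scores 3 and is the only hit; SOUNDMAN.EXE scores 1 (bare filename only), which is why a single signal should not trigger a deletion: the HijackThis log later in this thread shows it to be the Avance sound manager. The display names are kept in the report so that a name like "Sygate Personal Firewall" can be compared against the binary the real product installs.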
22.12.2004, 00:11
Member
Thread starter, Posts: 15
#11
Hello Sabina,

at an hour that is unusual for me, here is the result of several hours of effort: the obligatory three logfiles. Read and marvel at the result. I think we can both be satisfied with what has been achieved.

1. HijackThis

Logfile of HijackThis v1.98.2
Scan saved at 23:43:25, on 21.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVirenKit InternetSecurity\AVK\AVKService.exe
C:\Programme\AntiVirenKit InternetSecurity\AVK\AVKWCtl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Winamp3\winampa.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE
C:\Programme\WinSweep\WSMonitor.exe
C:\Programme\AntiVirenKit InternetSecurity\Webfilter\Webfilter.exe
C:\Programme\AntiVirenKit InternetSecurity\Firewall\kavpf.exe
C:\PROGRA~1\ANTIVI~1\WEBFIL~1\ADSCLE~1.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\Programme\Microsoft Works\MSWorks.exe
C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\hijackthis_198\HijackThis.exe

O2 - BHO: Poly HTML Filter BHO - {0140DF95-9128-4053-AE72-F43F0CFCA062} - C:\WINDOWS\system32\SiKernel.dll
O2 - BHO: SIPAKBHO Class - {40FB69E1-9B7B-453F-B238-37D8E9528929} - C:\Programme\AntiVirenKit InternetSecurity\Webfilter\PAKIEPlugins.dll
O2 - BHO: Offliner AdFilter Helper - {DC9377A2-2E8D-44A1-99DB-F8A821DF254D} - C:\WINDOWS\system32\SiPlugins.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WebFilter-Leiste - {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\PAKIEGUI.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\AVKPOP.EXE"
O4 - HKCU\..\Run: [WINSWEEP] C:\Programme\WinSweep\WinSweep.Exe /AUTO
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Webfilter.lnk = C:\Programme\AntiVirenKit InternetSecurity\Webfilter\Webfilter.exe
O4 - Global Startup: Firewall.lnk = ?
O8 - Extra context menu item: Add selected links to Link Container - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\System\Scripts\off_collector_sel.htm
O8 - Extra context menu item: Show domain links - C:\PROGRA~1\ANTIVI~1\WEBFIL~1\System\Scripts\off_domain_links.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

2. eScan

File C:\WINDOWS\Downloaded Program Files\amateur.exe infected by "Trojan.Win32.Dialer.fl" Virus. Action Taken: No Action Taken.

3. Ad-Aware
Ad-Aware SE Build 1.05
Logfile Created on:Wednesday, 22 December 2004 00:01:57
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R8 13.09.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):8 total references
Claria(TAC index:7):5 total references
CoolWebSearch(TAC index:10):30 total references
MRU List(TAC index:0):20 total references
PeopleOnPage(TAC index:9):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

22.12.2004 00:01:57 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\office\10.0\common\general
Description : list of recently used symbols in microsoft office

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\automap\9.0\findmru
Description : list of recently used find queries used in microsoft automap-based products

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\automap\9.0\recent file list
Description : list of recently used files in microsoft automap-based products

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

MRU List Object Recognized!
Location: : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Papa\recent
Description : list of recently opened documents

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 464
ThreadCreationTime : 21.12.2004 21:49:51
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 524
ThreadCreationTime : 21.12.2004 21:49:52
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 548
ThreadCreationTime : 21.12.2004 21:49:53
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 596
ThreadCreationTime : 21.12.2004 21:49:53
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 608
ThreadCreationTime : 21.12.2004 21:49:53
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 860
ThreadCreationTime : 21.12.2004 21:49:54
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 884
ThreadCreationTime : 21.12.2004 21:49:54
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1040
ThreadCreationTime : 21.12.2004 21:49:54
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1076
ThreadCreationTime : 21.12.2004 21:49:55
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1184
ThreadCreationTime : 21.12.2004 21:49:55
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1284
ThreadCreationTime : 21.12.2004 21:49:55
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:12 [avkservice.exe]
FilePath : C:\Programme\AntiVirenKit InternetSecurity\AVK\
ProcessID : 1300
ThreadCreationTime : 21.12.2004 21:49:55
BasePriority : Normal
FileVersion : 1, 0, 1, 5
ProductVersion : 11, 0, 0, 0
ProductName : AVKService Module
FileDescription : AVKService Module
InternalName : AVKService
LegalCopyright : Copyright G DATA Software AG 2001-2003
OriginalFilename : AVKService.EXE

#:13 [avkwctl.exe]
FilePath : C:\Programme\AntiVirenKit InternetSecurity\AVK\
ProcessID : 1316
ThreadCreationTime : 21.12.2004 21:49:55
BasePriority : Normal
FileVersion : 18, 0, 1, 1
ProductVersion : 14, 0, 0, 0
ProductName : AVK
FileDescription : AVKWCtl Monitor Service
InternalName : AVKWCtl
OriginalFilename : AVKWCtl.EXE

#:14 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1372
ThreadCreationTime : 21.12.2004 21:49:57
BasePriority : Normal
FileVersion : 6.13.10.3082
ProductVersion : 6.13.10.3082
ProductName : NVIDIA Driver Helper Service, Version 30.82
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 30.82
InternalName : NVSVC
LegalCopyright : (c) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:15 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1456
ThreadCreationTime : 21.12.2004 21:49:57
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 208
ThreadCreationTime : 21.12.2004 21:50:37
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:17 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 368
ThreadCreationTime : 21.12.2004 21:50:39
BasePriority : Normal
FileVersion : 5.0.03
ProductVersion : 5.0.03
ProductName : Avance Sound Manager
CompanyName : Avance Logic, Inc.
FileDescription : Avance Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2002 Avance Logic, Inc.
OriginalFilename : ALSMTray.exe
Comments : Avance AC97 Audio Sound Manager

#:18 [incd.exe]
FilePath : C:\Programme\Ahead\InCD\
ProcessID : 396
ThreadCreationTime : 21.12.2004 21:50:41
BasePriority : Normal
FileVersion : 3.33.0
ProductVersion : 3.33.0
ProductName : InCD
CompanyName : Copyright (C) ahead software gmbh and its licensors
FileDescription : InCD CD-RW UDF Tools
InternalName : InCD
LegalCopyright : Copyright (C) ahead software gmbh and its licensors
OriginalFilename : InCD.EXE
Comments : CD-RW UDF Tools

#:19 [wkufind.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\
ProcessID : 404
ThreadCreationTime : 21.12.2004 21:50:41
BasePriority : Normal
FileVersion : 7.00.0617.0
ProductVersion : 7.00.0617.0
ProductName : Update Detection Module
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works-Aktualisierungserkennung
InternalName : WkUFind
LegalCopyright : Copyright © 1987-2002 Microsoft Corporation.
OriginalFilename : WkUFind.exe

#:20 [jusched.exe]
FilePath : C:\Programme\Java\j2re1.4.2_03\bin\
ProcessID : 416
ThreadCreationTime : 21.12.2004 21:50:41
BasePriority : Normal

#:21 [winampa.exe]
FilePath : C:\Programme\Winamp3\
ProcessID : 424
ThreadCreationTime : 21.12.2004 21:50:42
BasePriority : Normal

#:22 [avkpop.exe]
FilePath : C:\Programme\Gemeinsame Dateien\G DATA\AVKMail\
ProcessID : 432
ThreadCreationTime : 21.12.2004 21:50:43
BasePriority : Normal
FileVersion : 3, 0, 2, 0
ProductVersion : 3, 0, 2, 0
ProductName : AVK
CompanyName : G DATA Software AG
FileDescription : AVK POP3/IMAP Proxy
InternalName : AVKPOP
LegalCopyright : Copyright 2001-2004
OriginalFilename : AVKPop.exe

#:23 [wsmonitor.exe]
FilePath : C:\Programme\WinSweep\
ProcessID : 484
ThreadCreationTime : 21.12.2004 21:50:44
BasePriority : Normal
FileVersion : 1.03.0070
ProductVersion : 1.03.0070
ProductName : WINSWEEP
CompanyName : Software-Entwicklung Frank-Oliver Dzewas
InternalName : WSMonitor
LegalCopyright : Software-Entwicklung Frank-Oliver Dzewas
OriginalFilename : WSMonitor.Exe

#:24 [webfilter.exe]
FilePath : C:\Programme\AntiVirenKit InternetSecurity\Webfilter\
ProcessID : 612
ThreadCreationTime : 21.12.2004 21:50:47
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : G DATA WebFilter
CompanyName : G DATA Software AG
FileDescription : WebFilter
InternalName : WebFilter
LegalCopyright : (C) Copyright 1992-2004 G DATA Software AG
OriginalFilename : WebFilter.exe
Comments : HB

#:25 [kavpf.exe]
FilePath : C:\Programme\AntiVirenKit InternetSecurity\Firewall\
ProcessID : 944
ThreadCreationTime : 21.12.2004 21:50:48
BasePriority : Normal
FileVersion : 1.5.0.119
ProductVersion : 1.5.0.0
ProductName : Kaspersky Anti-Hacker
CompanyName : Kaspersky Labs
FileDescription : Kaspersky Anti-Hacker
InternalName : KAVPF
LegalCopyright : Copyright © Kaspersky Labs 1996-2003.
LegalTrademarks : Kaspersky™ Anti-Virus ® is registered trademark of Kaspersky Labs.
OriginalFilename : KAVPF.EXE

#:26 [adscle~1.exe]
FilePath : C:\PROGRA~1\ANTIVI~1\WEBFIL~1\
ProcessID : 924
ThreadCreationTime : 21.12.2004 21:50:51
BasePriority : Normal
FileVersion : 1.0.0.0
ProductVersion : 1.0.0.0
ProductName : AdsCleaner Professional
CompanyName : SoftInform
InternalName : AdsCleaner
OriginalFilename : AdsCleaner.Exe

#:27 [ntvdm.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1156
ThreadCreationTime : 21.12.2004 22:26:14
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : NTVDM.EXE
InternalName : NTVDM.EXE
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : NTVDM.EXE

#:28 [winword.exe]
FilePath : C:\Programme\Microsoft Office\Office10\
ProcessID : 3868
ThreadCreationTime : 21.12.2004 22:42:38
BasePriority : Normal

#:29 [msworks.exe]
FilePath : C:\Programme\Microsoft Works\
ProcessID : 3896
ThreadCreationTime : 21.12.2004 22:42:44
BasePriority : Normal
FileVersion : 7.02.0620.0
ProductVersion : 7.02.0620.0
ProductName : Microsoft® Works 7.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Task Launcher
InternalName : MSWORKS
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : MSWorks.exe

#:30 [ad-aware.exe]
FilePath : C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\Computerhygiene\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3124
ThreadCreationTime : 21.12.2004 23:01:45
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuText

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

Claria Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : uets

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : GEF

Claria Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}
Value : GMG

Claria Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\gator.com

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : Next

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : CLSID

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID2

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : ID4

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
Value : PanelNumber

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{bd0022a3-a43f-4f44-b64f-53ea7575f097}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{5297e905-1dfb-4a9c-9871-a4f95fd58945}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.toolbandobj
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : toolband.startbho
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{30192f8d-0958-44e6-b54d-331fd39ac959}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{30192f8d-0958-44e6-b54d-331fd39ac959}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek.1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek.1
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : analyzeie.dompeek
Value :

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E1230F8-EA50-42A9-983C-D22ABC2EED3B}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 39
Objects found so far: 59

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59

Deep scanning and examining files (C
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\Dokumente und Einstellungen\Papa\Schulprogramme\Englisch\Teachmaster\

PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\Dokumente und Einstellungen\Mascha\Schule\Englisch\Vokabeltest\

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 61

Deep scanning and examining files (D
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 61

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 61

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\serg

CoolWebSearch Object Recognized!
Type : File
Data : hosts
Category : Malware
Comment :
Object : C:\WINDOWS\

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 65

00:07:49 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:52.656
Objects scanned:95742
Objects identified:45
Objects ignored:0
New critical objects:45

Only the following questions remain:
1. How do I still get the file "amateur.exe" off the PC? I can't find it anywhere.
2. Can I download a German-language version of Mozilla at www.mozilla-europe.org/de/?
3. How can one change the browser's effect on graphical rendering? I have noticed that, for example, offers on eBay are no longer displayed the way I prepared them in Word. Instead the whole text sits in one unbroken line.

Once again many heartfelt thanks for your effort and your selfless support. I have already warmly recommended you. New enquiries will surely turn up in the forum soon.

Warm regards
HugoRatlos
22.12.2004, 00:17
Honorary member
Posts: 29434
#12
Hello @HugoRatlos
I don't quite trust AdAware. Check all the keys in the registry and delete them manually. Start < Run < regedit, for example everything with: serg (Edit --> Find)
HKEY_USERS Object : S-1-5-21-2772738787-1426495390-2454685184-1005\software\serg\searchbar
or:
HKEY_CLASSES_ROOT Object : clsid\{30192f8d-0958-44e6-b54d-331fd39ac959}
--------------------------------------------------------------------------
Unfortunately I'm no Mozilla specialist... google your way through the topic (or use IE when you go to eBay)
How do you know about the "amateur.exe"? Try to find it with the Killbox.
http://www.bleepingcomputer.com/files/killbox.php
So try the path.. copy it into the Killbox < Delete File on Reboot and click on the red cross; when asked whether to reboot -> click "yes"
C:\Windows\System32\amateur.exe
Regards
__________
Kind regards Sabina
all about PC security
This post was edited on 22.12.2004 at 00:23 by Sabina.
22.12.2004, 14:17
Member
Thread starter, Posts: 15
#13
Hello sabina,
thanks for the customary quick reply. I'll try to keep it short: the search for entries containing "serg" led to the folder "SerG" with the subfolder "SearchBar". It contains:

Name          Type        Value
(Standard)    REG_SZ      (Wert nicht gesetzt)
CLSID         REG_SZ      995AC72C-903D-442E-973E-2469D536E43D
ID1           REG_SZ      92
ID2           REG_SZ      66801951
ID4           REG_SZ      1
NEXT          REG_DWORD   0x00000000 (0)
PanelNumber   REG_DWORD   0x00000001 (1)

Should I delete anything from this? The folder HKEY_USERS contains eight subfolders. Two of them carry the name "S-1-5-21-2772738787-1426495390-2454685184-1005", once with no further suffix and once with the suffix "_CLASSES". Each of these folders in turn contains a lot of subfolders. Delete or not? The suffix "\software\serg\searchbar" that you gave cannot be found. In the folder HKEY_CLASSES_ROOT there is a subfolder "CLSID". This in turn contains a subfolder with the name you mentioned, {30192f8d-0958-44e6-b54d-331fd39ac959}, which itself contains five subfolders. Delete or not? The amateur.exe was shown to me after the "escan". Original message: File C:\WINDOWS\Downloaded Program Files\amateur.exe infected by "Trojan.Win32.Dialer.fl" Virus. Action Taken: No Action Taken. Via the XP search function, however, it is not shown.
I then tried Jotti's virus scan and got the following result:
Service load: 0% 100%
File: amateur.exe
Status: INFECTED/MALWARE
Packers detected: UPX
AntiVir DIAL/Generic dialer (0.64 seconds taken)
Avast No viruses found (3.11 seconds taken)
BitDefender No viruses found (0.37 seconds taken)
ClamAV No viruses found (0.32 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus Trojan.Win32.Dialer.fl (0.63 seconds taken)
mks_vir No viruses found (0.24 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.43 seconds taken)
Obviously only Kaspersky finds the virus (or the file?). Then, via our new purchase (AntiVirenKit), we found that we may still have a worm on the PC after all. The virus guard showed us the following log entry four times today (22.12): Beim Schließen der Datei "C:\WINDOWS\system32\.pif" wurde der Virus "Backdoor.BotGet.FtpB.Gen" von der Engine "BDF" entdeckt. Datei gesäubert: ja. Datei gelöscht: nein. Quarantäne: nein. And that despite last night's virus scan:
Virenprüfung mit AntiVirenKit Version 15.0.5
Virensignaturen vom 19.12.2004
Job: Lokale Festplatten
Startzeit: 22.12.2004 01:52
Engine(s): KAV-Engine (AVK 15.0.1612), BD-Engine (BD 15.0.163)
Heuristik: Ein
Archive: Ein
Systembereiche: Ein
Prüfung der Systembereiche...
Prüfung aller lokalen Festplatten...
Objekt: o
Pfad: C:\WINDOWS\system32
Status: Virus entfernt
Virus: Backdoor.BotGet.FtpB.Gen (BD-Engine)
Analyse vollständig durchgeführt: 22.12.2004 02:16
39397 Dateien überprüft
1 infizierte Dateien gefunden
0 verdächtige Dateien gefunden
Is the worm gone now or isn't it???? I think that's enough questions for the moment. In the meantime I'll look into the Killbox to find the "amateur.exe".
Warm, grateful pre-Christmas greetings
HugoRatlos
22.12.2004, 15:22
Honorary member
Posts: 29434
#14
That should be deletable with the Killbox:
C:\WINDOWS\Downloaded Program Files\amateur.exe
And the "SerG" and "SearchBar" entries in the registry you can delete, all of them, nice and cleanly.
__________
Kind regards Sabina
all about PC security
22.12.2004, 18:37
Member
Thread starter, Posts: 15
#15
Hi sabina,
thanks for the instructions. Will be done right away. The Killbox action produced no usable result. After confirming the reboot, the message came: "Pending File Rename Operations Registry Data has been removed by external process." Apart from Kaspersky, obviously nothing and nobody sees/finds this file. Strange. In addition, with every restart of the PC we get the following message: "You now have almost empty advertising list. This can dramatically decrease effectivness of banner blocking function. Do you want to update advertising list from Internet?" So far we answer no, because we don't know where it comes from. Friend or foe is the question here! "Our" worm is still there, by the way. A scan this afternoon brought it to light again. Take a look:
Virenprüfung mit AntiVirenKit Version 15.0.5
Virensignaturen vom 19.12.2004
Startzeit: 22.12.2004 15:13
Engine(s): KAV-Engine (AVK 15.0.1612), BD-Engine (BD 15.0.163)
Heuristik: Ein
Archive: Ein
Systembereiche: Ein
Prüfung der Systembereiche...
Prüfung aller lokalen Festplatten...
Objekt: o
Pfad: C:\WINDOWS\system32
Status: Virus entfernt
Virus: Backdoor.BotGet.FtpB.Gen (BD-Engine)
Analyse vollständig durchgeführt: 22.12.2004 15:40
39585 Dateien überprüft
1 infizierte Dateien gefunden
0 verdächtige Dateien gefunden
Should I perhaps still carry out the steps you recommended (deleting host32.exe and msmsgsui.exe with Killbox)?
Warm regards, many thanks, and a nice evening from
HugoRatlos
a few weeks have passed and there was no time for PC maintenance. Now calm, and at the same time horror, has set in. Why? Please take a look at the logs from
- hijackthis and
- escan
They surely speak a clear language for you as a specialist.
I have also checked the files reported as infected with Jotti's malware scan 2.4. That result is posted too (even if the results match those from escan, as far as I can judge).
I have already deleted the "Dummy.class" documents (or are those files?). I hope I haven't done any damage with that.
Quick question: what else should I remove from the PC now, and how?
For your helpful explanations, as always, my most heartfelt thanks in advance.
Kind regards
HugoRatlos
PS: Our Symantec subscription expires at the end of the year and would need to be renewed again. When I see the enormous "protective effect" of this software, I ask myself whether that really makes sense. Would you favour a different Internet security suite, e.g. from Kaspersky? Thanks for any helpful tip!!!
And here the scan results:
1. LOG from Hijackthis:
Logfile of HijackThis v1.98.2
Scan saved at 13:37:34, on 13.11.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\Norton Internet Security\NISUM.EXE
C:\Programme\Norton Internet Security\ccPxySvc.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Winamp3\winampa.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\Programme\WinSweep\WSMonitor.exe
C:\Programme\TraXEx\TraXEx.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\Microsoft Office\Office10\WINWORD.EXE
C:\Programme\Microsoft Works\MSWorks.exe
C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\hijackthis_198\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [mwavscan] "C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WINSWEEP] C:\Programme\WinSweep\WinSweep.Exe /AUTO
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O4 - Startup: TraXEx.lnk = C:\Programme\TraXEx\TraXEx.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Preispiraten 2.02 - {86DE8B3B-1EB7-4386-84BD-EBE94348A913} - C:\Programme\Preispiraten 2.0b\preispiraten2.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
2. LOG from escan (viruses found)
File C:\WINDOWS\System\MSMSGSVC.exe infected by "TrojanDropper.Win32.Small.lx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System\MSMSGSVC.exe infected by "TrojanDropper.Win32.Small.lx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\e.exe infected by "TrojanDropper.Win32.Small.lx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\load.exe infected by "Trojan.Win32.Qhost.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\e.exe infected by "TrojanDropper.Win32.Small.lx" Virus. Action Taken: No Action Taken.
File C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-51d3f209-69a8240b.class infected by "Trojan.Java.ClassLoader.Dummy.c" Virus. Action Taken: No Action Taken. (NOTE: DELETED BY ME!!!)
File C:\Dokumente und Einstellungen\Papa\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-531c338a-77070eb5.class infected by "Trojan.Java.ClassLoader.Dummy.c" Virus. Action Taken: No Action Taken. (NOTE: DELETED BY ME!!!)
File C:\Dokumente und Einstellungen\Surferkonto\Anwendungsdaten\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-31bbc5c3-3b9f9d0f.class infected by "Trojan.Java.ClassLoader.Dummy.c" Virus. Action Taken: No Action Taken. (NOTE: DELETED BY ME!!!)
File C:\WINDOWS\Downloaded Program Files\load.exe infected by "Trojan.Win32.Qhost.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\e.exe infected by "TrojanDropper.Win32.Small.lx" Virus. Action Taken: No Action Taken.
Service load: 0% 100%
File: msmsgsvc.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: UPX
AntiVir TR/Dldr.Small.LX (0.13 seconds taken)
Avast No viruses found (1.69 seconds taken)
BitDefender Trojan.Dropper.Small.LX (0.90 seconds taken)
ClamAV No viruses found (0.33 seconds taken)
Dr.Web Trojan.MulDrop.1132 (0.47 seconds taken)
F-Prot Antivirus No viruses found (0.09 seconds taken)
Kaspersky Anti-Virus TrojanDropper.Win32.Small.lx (0.61 seconds taken)
mks_vir Trojan.Trojandropper.Small.Lx (0.43 seconds taken)
NOD32 No viruses found (0.49 seconds taken)
Norman Virus Control No viruses found (0.48 seconds taken)
Service load: 0% 100%
File: e.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: UPX
AntiVir TR/Dldr.Small.LX (0.13 seconds taken)
Avast No viruses found (1.64 seconds taken)
BitDefender Trojan.Dropper.Small.LX (1.07 seconds taken)
ClamAV No viruses found (0.30 seconds taken)
Dr.Web Trojan.MulDrop.1132 (0.42 seconds taken)
F-Prot Antivirus No viruses found (0.08 seconds taken)
Kaspersky Anti-Virus TrojanDropper.Win32.Small.lx (0.57 seconds taken)
mks_vir Trojan.Trojandropper.Small.Lx (0.39 seconds taken)
NOD32 No viruses found (0.44 seconds taken)
Norman Virus Control No viruses found (0.46 seconds taken)
Service load: 0% 100%
File: load.exe
Status: INFECTED/MALWARE
Packers detected: UPX
AntiVir No viruses found (0.13 seconds taken)
Avast Win32:Trojano-537 (1.62 seconds taken)
BitDefender No viruses found (1.26 seconds taken)
ClamAV Trojan.Qhost.O (0.31 seconds taken)
Dr.Web Trojan.DownLoader.820 (0.47 seconds taken)
F-Prot Antivirus W32/Sillydropper.AF (0.06 seconds taken)
Kaspersky Anti-Virus Trojan.Win32.Qhost.o (0.58 seconds taken)
mks_vir Trojan.Qhost.O (0.21 seconds taken)
NOD32 No viruses found (0.36 seconds taken)
Norman Virus Control Sandbox: W32/Downloader; [ General information ]
* Creating several executable files on hard-drive.
* File length: 5120 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\toolbar.exe.
[ Network services ]
* Looks for an Internet connection.
* Opens URL: http://213.159.117.133/dkprogs/toolbar.txt.
[ Security issues ]
* Starting downloaded file - potential security problem. (0.53 seconds taken)
Service load: 0% 100%
File: Dummy.class-51d3f209-69a8240b.class
Status: INFECTED/MALWARE
Packers detected: None
AntiVir TR/ClaLdr.Dummy.C (0.13 seconds taken)
Avast JS:ByteVerify-Dummy (1.61 seconds taken)
BitDefender Trojan.Java.ClassLoader.Dummy.C (0.82 seconds taken)
ClamAV Java.ClassLoader.Dummy.C (0.28 seconds taken)
Dr.Web Exploit.ByteVerify (0.43 seconds taken)
F-Prot Antivirus No viruses found (0.05 seconds taken)
Kaspersky Anti-Virus Trojan.Java.ClassLoader.Dummy.c (0.53 seconds taken)
mks_vir No viruses found (0.17 seconds taken)
NOD32 Java/Exploit.Bytverify (0.31 seconds taken)
Norman Virus Control No viruses found (0.10 seconds taken)
Service load: 0% 100%
File: dummy.class-531c338a-77070eb5.class
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: None
AntiVir TR/ClaLdr.Dummy.C (0.13 seconds taken)
Avast JS:ByteVerify-Dummy (1.64 seconds taken)
BitDefender Trojan.Java.ClassLoader.Dummy.C (0.78 seconds taken)
ClamAV Java.ClassLoader.Dummy.C (0.28 seconds taken)
Dr.Web Exploit.ByteVerify (0.42 seconds taken)
F-Prot Antivirus No viruses found (0.05 seconds taken)
Kaspersky Anti-Virus Trojan.Java.ClassLoader.Dummy.c (0.53 seconds taken)
mks_vir No viruses found (0.17 seconds taken)
NOD32 Java/Exploit.Bytverify (0.31 seconds taken)
Norman Virus Control No viruses found (0.10 seconds taken)
Statistics
Last piece of malware found was Java/Exploit.Bytverify in Dummy.class-51d3f209-69a8240b.class, detected by:
Scanner Malware name Time taken
AntiVir TR/ClaLdr.Dummy.C 0.13 seconds
Avast JS:ByteVerify-Dummy 1.61 seconds
BitDefender Trojan.Java.ClassLoader.Dummy.C 0.82 seconds
ClamAV Java.ClassLoader.Dummy.C 0.28 seconds
Dr.Web Exploit.ByteVerify 0.43 seconds
F-Prot Antivirus X 0.05 seconds
Kaspersky Anti-Virus Trojan.Java.ClassLoader.Dummy.c 0.53 seconds
mks_vir X 0.17 seconds
NOD32 Java/Exploit.Bytverify 0.31 seconds
Norman Virus Control X 0.10 seconds
Service load: 0% 100%
File: dummy.class-31bbc5c3-3b9f9d0f.class
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: None
AntiVir TR/ClaLdr.Dummy.C (0.14 seconds taken)
Avast JS:ByteVerify-Dummy (1.66 seconds taken)
BitDefender Trojan.Java.ClassLoader.Dummy.C (0.65 seconds taken)
ClamAV Java.ClassLoader.Dummy.C (0.29 seconds taken)
Dr.Web Exploit.ByteVerify (0.43 seconds taken)
F-Prot Antivirus No viruses found (0.05 seconds taken)
Kaspersky Anti-Virus Trojan.Java.ClassLoader.Dummy.c (0.53 seconds taken)
mks_vir No viruses found (0.17 seconds taken)
NOD32 Java/Exploit.Bytverify (0.32 seconds taken)
Norman Virus Control No viruses found (0.11 seconds taken)
Service load: 0% 100%
File: load.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: UPX
AntiVir No viruses found (0.13 seconds taken)
Avast Win32:Trojano-537 (1.71 seconds taken)
BitDefender No viruses found (1.23 seconds taken)
ClamAV Trojan.Qhost.O (0.28 seconds taken)
Dr.Web Trojan.DownLoader.820 (0.43 seconds taken)
F-Prot Antivirus W32/Sillydropper.AF (0.05 seconds taken)
Kaspersky Anti-Virus Trojan.Win32.Qhost.o (0.56 seconds taken)
mks_vir Trojan.Qhost.O (0.20 seconds taken)
NOD32 No viruses found (0.36 seconds taken)
Norman Virus Control Sandbox: W32/Downloader; [ General information ]
* Creating several executable files on hard-drive.
* File length: 5120 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\toolbar.exe.
[ Network services ]
* Looks for an Internet connection.
* Opens URL: http://213.159.117.133/dkprogs/toolbar.txt.
[ Security issues ]
* Starting downloaded file - potential security problem. (0.53 seconds taken)
Service load: 0% 100%
File: e.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: UPX
AntiVir TR/Dldr.Small.LX (0.13 seconds taken)
Avast No viruses found (1.62 seconds taken)
BitDefender Trojan.Dropper.Small.LX (0.93 seconds taken)
ClamAV No viruses found (0.29 seconds taken)
Dr.Web Trojan.MulDrop.1132 (0.43 seconds taken)
F-Prot Antivirus No viruses found (0.08 seconds taken)
Kaspersky Anti-Virus TrojanDropper.Win32.Small.lx (0.57 seconds taken)
mks_vir Trojan.Trojandropper.Small.Lx (0.40 seconds taken)
NOD32 No viruses found (0.44 seconds taken)
Norman Virus Control No viruses found (0.46 seconds taken)
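The triage the helper applies to the HijackThis log above (which R0/R1 search-URL lines, which O2 BHO and which O4 Run entries to fix) can be expressed as a few checks over the log. The following is an added Python example, not part of this thread and not HijackThis's own code; the trusted-host list, the trusted-directory list and the "Temp / legacy C:\WINDOWS\System" path heuristics are assumptions, and the sample lines are copied from the log posted above with two benign entries added for contrast.

```python
"""Triage a HijackThis v1.98 log for the entry classes seen in this thread:
hijacked R0/R1 search/start URLs, a BHO (O2) or toolbar (O3) DLL loaded from
outside Program Files, and O4 Run entries launching from Temp or the legacy
C:\\WINDOWS\\System directory.  Added example; all thresholds are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: hosts a stock IE search/start page legitimately points at.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")
# Assumption: directories a DLL or Run target is expected to load from
# (German XP uses C:\Programme for Program Files).
TRUSTED_DIRS = ("c:\\programme\\", "c:\\program files\\",
                "c:\\windows\\system32\\")

# Constructed sample: lines copied from the log posted above, plus two
# benign entries (Norton toolbar, ccApp) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mwavscan] "C:\DOKUME~1\Papa\LOKALE~1\Temp\mwavscan.com" /s
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section code: R0, R1, O2, O3 or O4
    reason: str
    line: str


R_LINE = re.compile(r"^(R[01]) - (.+?) = ?(.*)$")
O23_LINE = re.compile(r"^(O[23]) - .+ - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_LINE = re.compile(
    r'^(O4) - .+?: \[[^\]]*\] "?([A-Za-z]:\\[^"]+?\.(?:exe|com|dll|scr|pif))"?',
    re.I)


def _suspicious_url(value: str) -> Optional[str]:
    """Reason string if an R0/R1 value is not a plain URL on a trusted host."""
    if not value:
        return None  # an empty value (e.g. Local Page) is not a hijack
    if "(obfuscated)" in value:
        return "search/start URL is stored obfuscated in the registry"
    host = urlsplit(value.split()[0]).hostname or ""
    if not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
        return f"search/start URL points at untrusted host {host!r}"
    return None


def _suspicious_path(path: str) -> Optional[str]:
    """Reason string if a DLL/executable path is outside the trusted dirs."""
    p = path.lower()
    if "\\temp\\" in p:
        return "loads from a Temp directory"
    if p.startswith("c:\\windows\\system\\"):
        return "loads from the legacy C:\\WINDOWS\\System directory"
    if not p.startswith(TRUSTED_DIRS):
        return "loads from outside Program Files / system32"
    return None


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious R0/R1, O2/O3 or O4 line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_LINE.match(line):
            reason = _suspicious_url(m.group(3).strip())
        elif m := O23_LINE.match(line):
            reason = _suspicious_path(m.group(2).strip())
        elif m := O4_LINE.match(line):
            reason = _suspicious_path(m.group(2))
        else:
            continue
        if reason:
            findings.append(Finding(m.group(1).upper(), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the full log above it flags exactly the R0/R1, O2 and the MSMSGSVC/mwavscan O4 lines; the remaining O4 entries (Program Files, bare file names) pass the path rules and still deserve a manual look.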