topantispyware.com läßt sich nicht entfernen

#136 Hallo@snoopmore

silentrunners
http://www.silentrunners.org/sr_download.html
gehe auf:
Zitat:
Click here to download a zip file.
hier die Erklaerung:
http://www.silentrunners.org/sr_scriptuse.html
klicke: output file is in text format. --> Doppelklick und es oeffnet sich der Editor-->
und poste alles, was angezeigt wird.

LSPfix.exe
http://www.spychecker.com/program/lspfix.html
<"I know what I'm doing" <--anhaken

bringe die flsmngr.dll von links nach rechts (falls sie nicht schon dort sind) und loeschen (deleted)

Start-->Ausfuehren--> regedit

HKEY_CURRENT_USER\Software\Microsoft\Internet \Explorer\Desktop\Components
falls du es findest--> loesche auf der rechten Seite der Registry den Unterschluessel "0" mit Rechtsklick

+ (auch loeschen)

"FriendlyName" = "Security"
"Source" = "C:\WINDOWS\Web\desktop.html"
"SubscribedURL" = "C:\WINDOWS\Web\desktop.html"

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.royalsearch.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O9 - Extra button: Microsoft AntiSpyware helper - {BEBBE3D1-050C-489F-B5FF-0709D6F84D91} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BEBBE3D1-050C-489F-B5FF-0709D6F84D91} - (no file) (HKCU)
O16 - DPF: {AD0B8220-7DA4-4C0A-8532-B25A9F631D3D} (VacPro.internazionale_ver10) - http://advnt01.com/dialer/internazionale_ver10.CAB

PC neustarten

•KillBox
http://www.bleepingcomputer.com/files/killbox.php

•Delete File on Reboot <--anhaken

und klicke auf das rote Kreuz,
wenn gefragt wird, ob "Do you want to reboot? "----> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

C:\WINDOWS\Downloaded Program Files\internazionale_ver10.ocx
c:\Program Files\Fln\fln.dll
C:\WINDOWS\System32\runsrv32.exe
C:\WINDOWS\System32\runsrv32.dll
C:\WINDOWS\System32\txfdb32.dll
C:\WINDOWS\System32\srpcsrv32.dll
C:\WINDOWS\System32\runsvc32.exe
C:\WINDOWS\System\runsrv32.dll
C:\WINDOWS\System32\runoledb32.exe
C:\Program Files\TopAntiSpyware
C:\WINDOWS\desktop.html
C:\WINDOWS\Web\desktop.html
C:\r.exe
C:\WINDOWS\System32\spoolsrv32.exe

PC neustarten

CCleaner--> loesche alle *temp-Datein
http://www.ccleaner.com/ccdownload.asp




so kann man C:\WINDOWS\Web\desktop.html loeschen
Geht auf Start -> Einstellungen -> Systemsteuerung und klickt dort auf "Anzeige" Darin gibt es ein Register "Desktop" und die Möglichkeit "Desktop anpassen". Darin wiederum klickt ihr auf das Register "Web" und entfernt dort "Security" in der Liste

1 - Taskleiste Rechtsklick - Eigenschaften.
2 - Taskleiste automatisch ausblenden Aktivieren.
3 - Man kann nun einen kleinen Teil des alten Desktop hintergrundes sehen, da wo die Taskleiste früher war.
4 - Rechtsklick - Eigenschaften auf den kleinen alten Desktop ausschnitt.
5 - Dektop - Desktop anpassen
6 - Web-Karteikarte auswählen
7 - Eintrag "Security"+C:\WINDOWS\desktop.html Löschen

•C:\WINDOWS\Web\desktop.html
•C:\WINDOWS\SSICO.ICO
•C:\Dokumente und Einstellungen\User\\Desktop\! Protect Your Data.url
•C:\Dokumente und Einstellungen\User\\Favorites\! Smart Security.url
•C:\Dokumente und Einstellungen\User\\Recent\! Smart Security.url
•C:\Dokumente und Einstellungen\User\\Start Menu\! Secure Yourself.url

•Download NOD32 Antivirus System
http://www.nod32.de/download/download.php
Man sollte jedoch darauf achten, dass man die Einstellungen
dahingehend ändert das ALLE DATEIEN durchsucht werden.
Voreingestellt sind nur bestimmte Dateitypen.

suche/scanne mit dem Panda-Onlinescan (und berichte)
http://virus-protect.org/onlinescan.html

dann poste das neue Log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#137 ich hoffe das ist so richtig:

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Programme\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"xojjwmr" = "c:\windows\chaemsf.exe" [file not found]
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"ilmolaq" = "c:\windows\chaemsf.exe" [file not found]
"buaabyu" = "c:\windows\chaemsf.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Agent Themes" = "C:\WINDOWS\system32\sdbiript.exe" [null data]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"D-Link AirPlus Xtreme G" = "C:\Programme\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" ["D-Link"]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"grohqkzbcnjnh" = "C:\WINDOWS\System32\tkuoavpe.exe" [file not found]
"SAcc" = "C:\Programme\SAcc\SAcc.exe" [file not found]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"FlnCPY" = ""C:\Program Files\Common Files\Java\flncpy.exe"" [null data]
"conscorr" = "C:\WINDOWS\conscorr.exe" [file not found]
"arvVtanf" = "C:\WINDOWS\hapasjob.exe" [file not found]
"ANIWZCSService" = "C:\Programme\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [file not found]
"OESpamTest" = "C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE" ["Ashmanov & Partners"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{A749B4BC-7621-4a80-9220-D0A283367DD5}\(Default) = "FlashEnhancer Extnder" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Fln\fln.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQ\ICQShExt.dll" [file not found]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\OpenOffice.org1.1.4\program\shlxthdl.dll" ["Sun Microsystems, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" [file not found]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"Terminal Player" = "{67537D5D-D9A8-485F-A8EA-931AE56AA1F1}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\msnsurl.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Active Desktop web content:

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "Security"
"Source" = "C:\WINDOWS\Web\desktop.html"
"SubscribedURL" = "C:\WINDOWS\Web\desktop.html"


Startup items in "David Mohr" & "All Users" startup folders:
------------------------------------------------------------

C:\Dokumente und Einstellungen\David Mohr\Startmenü\Programme\Autostart
"Trillian" -> shortcut to: "C:\Programme\Trillian\trillian.exe" ["Cerulean Studios"]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Kaspersky Anti-Hacker" -> shortcut to: "C:\Programme\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe /silence" ["Kaspersky Labs"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\flsmngr.dll [null data], 01 - 02, 28
xfire_lsp_8742.dll [null data], 03 - 07, 13
%SystemRoot%\system32\mswsock.dll [MS], 08 - 10, 14 - 27
%SystemRoot%\system32\rsvpsp.dll [MS], 11 - 12


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {CLSID}\(Default) = "ICQ Toolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ICQToolbar\toolbaru.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{D3F7557B-BAB5-4D34-A7C1-8B19E6606695}\
"ButtonText" = "Microsoft AntiSpyware helper"
"MenuText" = "Microsoft AntiSpyware helper"

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Crypkey License, Crypkey License, "crypserv.exe" [null data]
kavsvc, kavsvc, ""C:\Programme\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe"" ["Kaspersky Lab"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------






Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: A001-19D7

Verzeichnis von c:\windows\system32

02.05.2005 19:31 126.976 flsmngr.dll
1 Datei(en) 126.976 Bytes

Verzeichnis von C:\Dokumente und Einstellungen\David Mohr\Desktop


Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: A001-19D7

Verzeichnis von c:\windows


Verzeichnis von C:\Dokumente und Einstellungen\David Mohr\Desktop


Scanned at: 18:19:06 on: 04.05.2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

#138 Hi sabina!

Zugriff auf den Desktop als solches hab ich schon. Ich habnur keine Möglichkeit dieses Web Ding an zu wählen da nicht vorhanden. ichkann auch keinen Active Desktop auswählen oder nicht. Denn den bräucht ich wahrscheinlich um dieses Web Ding zu bekommen.

Bitte nochmal um einne Tipp.

danke

Alex

Halo noch mal!

Ich habe anscheinend das letzte Mal was falsch verstanden, auf jeden Fall habe ich nn den gesamten Schlüssel 0 gelöscht und beim Neustart hat XP den Schlüssel wieder so wie er gehört hergestellt, da ja der Trojaner entfernt war.

Du bist definitiv das einzige Genie, dass dieses Problem wirklich lösen kann, und ich habe eine Woche im Net gesucht, glaub es mir.

Danke noch mal für die tolle Unterstützung

Alex

#139 Hallo@Tschobbl

LSPfix.exe--> poste mir, welche dll du im Tool findest !!!!!!!!
http://www.spychecker.com/program/lspfix.html
<"I know what I'm doing" <--anhaken

das waere zu loeschen--> also auf die rechte Seite bringen--> deleted (loeschen)

flsmngr.dll

C:\windows\system32\flsmngr.dll (ich weiss noch nicht, ob man das einfach so loeschen kann, denn es ist im Winsock und da muss man vorsichtig sein, du musst mir also mitteilen, ob du die dll in dem Tool findest oder nicht)
--------------------------------------------------------------------
Gehe in die Registry

Start-->Ausfuehren-->regedit

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0

loesche:

"FriendlyName" = "Security"
"Source" = "C:\WINDOWS\Web\desktop.html"
"SubscribedURL" = "C:\WINDOWS\Web\desktop.html"

•KillBox
http://www.bleepingcomputer.com/files/killbox.php

•Delete File on Reboot <--anhaken

und klicke auf das rote Kreuz,
wenn gefragt wird, ob "Do you want to reboot? "----> klicke auf "no",und kopiere das naechste rein, erst beim letzten auf "yes"

c:\windows\chaemsf.exe
C:\Program Files\Common Files\Java\flncpy.exe
C:\WINDOWS\system32\sdbiript.exe
C:\WINDOWS\System32\tkuoavpe.exe
C:\WINDOWS\conscorr.exe
C:\WINDOWS\hapasjob.exe
C:\WINDOWS\system32\msnsurl.dll

PC neustarten

CCleaner--> loesche alle *temp-Datein
http://www.ccleaner.com/ccdownload.asp



#RegCleaner (Deutsch)
(Tip: Lade RegCleaner, stelle das Tool in Deutsch ein und saeubere ueber <Tools<Registry saeubern<alles durchfuehren < den PC (du kannst alles angezeigte Loeschen, denn es verbleibt eine Sicherung)
http://www.chip.de/downloads/c_downloads_8830516.html

dann scanne noch einmal mit silentrunner und poste auch das neue Log vom HijacktHis
+
C:\Programme\SAcc\SAcc.exe<--poste mir, was das fuer ein Programm ist.
__________
MfG Sabina

rund um die PC-Sicherheit

#140 Hallo@riddle2000

Active Desktop

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

erstelle rechts unter Default den Wert: ForceActiveDesktopOn
und setze dann den Wert 1.

Value Name: ForceActiveDesktopOn
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = aktiv )


--------------------------------------------

oder:
HKey_Local_Maschine\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\Explorer

Hier DWORD-Einträge eingefügen:

NoSetActiveDesktop= 0

1 aktiviert/ 0 deaktiviert

dann PC neustarten
-------------------

silentrunners
http://www.silentrunners.org/sr_download.html
gehe auf:
Zitat:
Click here to download a zip file.
hier die Erklaerung:
http://www.silentrunners.org/sr_scriptuse.html
klicke: output file is in text format. --> Doppelklick und es oeffnet sich der Editor-->
und poste alles, was angezeigt wird.
__________
MfG Sabina

rund um die PC-Sicherheit

#141 so hier die logs :

Logfile of HijackThis v1.99.1
Scan saved at 13:50:32, on 06.05.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Java\jre1.5.0_02\bin\jusched.exe
C:\Programme\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\David Mohr\Eigene Dateien\HijackThis.exe

O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Programme\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E27F8CA-4F43-449A-8781-F0D2B2F8B02F}: NameServer = 145.253.2.11
O21 - SSODL: Terminal Player - {67537D5D-D9A8-485F-A8EA-931AE56AA1F1} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\GEMEIN~1\SONYSH~1\AVLib\Sptisrv.exe





"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Programme\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"D-Link AirPlus Xtreme G" = "C:\Programme\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" ["D-Link"]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"FlnCPY" = ""C:\Program Files\Common Files\Java\flncpy.exe"" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{A749B4BC-7621-4a80-9220-D0A283367DD5}\(Default) = "FlashEnhancer Extnder" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Fln\fln.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice Property Sheet Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\OpenOffice.org1.1.4\program\shlxthdl.dll" ["Sun Microsystems, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"Terminal Player" = "{67537D5D-D9A8-485F-A8EA-931AE56AA1F1}"
-> {CLSID}\InProcServer32\(Default) = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\David Mohr\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Startup items in "David Mohr" & "All Users" startup folders:
------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Kaspersky Anti-Hacker" -> shortcut to: "C:\Programme\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe /silence" ["Kaspersky Labs"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Crypkey License, Crypkey License, "crypserv.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


achja und diese sachen finde ich nicht und krieg sie nicht in killbox:



C:\WINDOWS\System32\tkuoavpe.exe
C:\WINDOWS\conscorr.exe
C:\WINDOWS\hapasjob.exe


und dieses programm finde ich auch nicht und ich weiß auch nicht was es ist:

C:\Programme\SAcc\SAcc.exe<--poste mir, was das fuer ein Programm ist.

aber nochaml vielen dank für die freundliche hilfe

#142 Hallo@Tschobbl

Gehe in die Registry

Start-->Ausfuehren-->regedit

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

mit rechtsklick loeschen:

{9EF34FF2-3396-4527-9D27-04C8C1C67806}

KILLBOX:
http://www.bleepingcomputer.com/files/killbox.php
2. Doppel-klicke auf Killbox.exe und lasse es offen
3. In Killbox klickeauf Delete on Reboot ( roter Kasten )



Fügen diese Datei oben in die Full Path of File to Delete Box (1) in
dem man den u.g. Pfad dort eingibt (einfach reinkopieren

c:\Program Files\Fln\fln.dll
c:\windows\chaemsf.exe
C:\Program Files\Common Files\Java\flncpy.exe
C:\WINDOWS\system32\sdbiript.exe
C:\WINDOWS\System32\tkuoavpe.exe
C:\WINDOWS\conscorr.exe
C:\WINDOWS\hapasjob.exe
C:\WINDOWS\system32\msnsurl.dll

5. Klicke Yes beim Delete on Reboot Prompt.
6. Klicke No beim laufenden Prozesse Prompt
7. Klicke auf den Delete File Button (sieht aus wie ein Stopzeichen (3).
8. Klicke auf Yes beim Delete on Reboot Prompt.
9. Klicke auf Yes beim laufenden Prozesse Prompt, um den Computer neu zu starten. Lasse den Computer neustarten.
10. Sollte folgende Meldung erscheinen, dann führe einen manuellen Neustart durch. "PendingFileRenameOperations Registry Data has been Removed by External Process!"

PC neustarten

Start-->alle Programme-->Zubehoer-->Editor und kopiere folgenden Text rein:

dir C:\WINDOWS\system32\w?crtupd.exe /a h > files.txt
notepad files.txt

<Speichern als: Findfile.bat
<abspeichern unter : Dateityp: alle Dateien
<speichere auf dem Desktop

Locate FindFile.bat--> doopelklick auf die bat-Datei , der Editor oeffnet sich-->poste den Text

..................................................................................................................

•eScan-Erkennungstool
eSan ist hier unter dem Namen Free eScan Antivirus Toolkit Utility kostenlos erhältlich:
http://www.mwti.net/antivirus/free_utilities.asp
oeffne den Scanner--> noch nicht scannen--> gehe in Start<Ausfuehren< schreib rein: %temp% und suche
kavupd.exe, die klickst du an--> (Update- in DOS) ausführen

gehe in den abgesicherten Modus
http://www.tu-berlin.de/www/software/virus/savemode.shtml

und den Scanner mit der "mwav.exe"[oder:MWAVSCAN.COM] starten. Alle Häkchen setzen :
Auswählen: "all files", Memory, Startup-Folders, Registry, System Folders,
Services, Drive/All Local drives, Folder [C:\WINDOWS], Include SubDirectory

-->und "Scan " klicken.

•Gehe wieder in den Normalmodus:

•mache bitte folgendes:
nun öffnest du mit dem editor, die mwav.txt und gehst unter bearbeiten -> suchen, hier gibst du "infected" ein



•jene zeile in der infected steht, markieren, und hier einfügen, weitersuchen usw.
•und ganz unten steht die zusammenfassung, diese auch hier posten
__________
MfG Sabina

rund um die PC-Sicherheit

#143 Hallo @Sabina!!!

Ich habe damals ein Thema gepostet und du hast mir geantwortet. Erstmal Danke dafür:-)
Ich habe aber nichts unternommen. Nun, ein paar Monate später und mit einigen
Trojanern mehr am Rechner, habe ich beschlossen die Plage zu bekämpfen.

Also den Hijack Log habe ich erstmal geschafft, aber auch nur dank http://virus-protect.org/hijackthis.html#Einleitung. Wirklich gute Arbeit, die Ihr da macht.

So ich stelle nun das Log-Ergebnis rein und hoffe du, oder auch jemand anders hilft mir, wäre sehr dankbar, wenn mir einer helfen würde, kenne mich mit dieser Materie leider schlecht aus.


Noch eins vorweg: Laut eTrust Antivirus habe ich so ca. 34 Trojaner, verschiedener Sorten.

Hab mir vor kurzem einen afrikanischen Trojaner oder so, zumindest stand da im Warnfenster Nigeria als Standort, über Mozialla eingefangen über ein offenes Port (stand noch was von JAVA) eingefangen.

Also bitte helft mir mal, hier das Log:



Logfile of HijackThis v1.99.1
Scan saved at 23:38:45, on 06.05.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programme\CA\eTrust Antivirus\InoRpc.exe
C:\Programme\CA\eTrust Antivirus\InoRT.exe
C:\Programme\CA\eTrust Antivirus\InoTask.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Programme\Home Cinema\PowerCinema\PCMService.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\HP\HP Software Update\HPWuSchd.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\FRITZ!DSL\StCenter.exe
C:\Programme\FRITZ!DSL\fritzdsl.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Igor-J\Eigene Dateien\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hvnfd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hvnfd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hvnfd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hvnfd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hvnfd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {99E674B1-BD1C-9AB8-9C0E-C4FB2608BBD6} - C:\WINDOWS\atlzo32.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: BlueSoleil.lnk = C:\Programme\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: FRITZ!DSL Startcenter.lnk = C:\Programme\FRITZ!DSL\StCenter.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: MedionShop - {5CF0F1D2-1D22-499D-93A1-8126F28412F4} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://start.online-dialer.com/xac.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12b59a1dbbc2c6658a05/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097566082250
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDCE6A6B-B5A7-4139-B275-DA0721262015}: NameServer = 192.168.122.252,192.168.122.253
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: Network Security Service (NSS) (�%AF夶À¨) - Unknown owner - C:\WINDOWS\ipff32.exe (file missing)

Noch was: was bedeutet eigentlich SP2 hinter Windows XP zum Beispiel????

Habe hier http://virus-protect.org/hijackthis.html gelesen, dass man vorher Spybot oder-/und Ad-Aware laufen lassen sollte, habe es aber nicht gemacht, ist es schlimm???


MFG
SPYKILLER

#144 Hallo@SPYKILLER

An deiner Stelle wuerde ich formatieren, denn das System ist nicht mehr verauenswuerdig.Dein Name bedeutet wohl mehr das Gegenteil ...selten sieht man so einen verseuchten PC ......

Natuerlich kann man es einigermassen sauber bekommen, aber ........sicher wird es nie mehr sein.

Was meinst du ? Nimm die XP-CD und formatiere .
__________
MfG Sabina

rund um die PC-Sicherheit

#145 Hi @Sabina

Danke erstmal für deine Antwort. Ja mein Name ist zwar SPYKILLER, aber
so richtig einer bin ich noch nicht.:-)))

Was nicht ist kann aber noch werden, werde mich jetzt öfter in dem Thema weiterbilden, denn das ganze ist so umfangreich, dass man es mehrere Semester Studieren könnte.

Jetzt zum Thema: Formatieren??? Habe mir schon gedacht dass es kommen würde, nur wenn ich es könnte, hätte ich es selber schon längst gemacht.

Ich habe 3 Festplatten und nicht, dass ich das falsche formatiere und naher nichts mehr geht:-)

Naja schaue gleich im Internet nach, wie man formatiert, wenn es nichts bringt rufe ich mal ein Freund an, sein kleiner Bruder formatiert alle 2 Tage, der wird sich bestens damit auskennen denke ich mal.


Die Frage ist jetzt eigentlich, wie und womit können wir es in Zukunft das Formatieren verhindern??

Die meiste Seuche, habe ich mir mit dem IE reingeholt, benutze jetzt
Firefox, ist zwar sicherer aber auch nicht perfekt, Java Zeugs muß ich abstellen
wahrscheinlich.

Was benutzt ihr denn so, für Browser, Virusprogramme oder Firewalls???
Bei mir ist alles an, Firewall, Virusscanner und bringt nicht so viel, wie man sieht.


Gruß
SPYKILLER

#146 Hallo@SPYKILLER

http://virus-protect.org/seite1.html
dort wird es erklaert und die komplette Seite , die dir bestimmt weiterhelfen wird (ohne einige Semester Studium findest du unten in meiner Signatur,
__________
MfG Sabina

rund um die PC-Sicherheit

#147 Sorry aber ich habe das gleiche prob. mit TopAntiSpyWare.com ... aber ich versteh hier leider nichts ich blick da nicht so durch ... ich hab hijackthis, spybot, Ad Aware SE, AOL antispy, Antivir drüberlaufen lassen ... und ich habe alle datein bei hijackthis die "böse" waren gefixt ... bei SpyBot Antivir Ad Aware SE AOL antispy alles gelöscht was se gefunden haben .... und hab immernoch das problem ... ich hab auf der ersten site die log gelesen ... und die hilfestellung darunter was man löschen soll und wann man neustarten soll ... aber ich blick da einfach nicht durch kann mir das nicht jemand lieberweise erklären? ich finde nichts im netz was mir da weiterhilft überall nur (für mich) unübersichtliche logs und unübersichtliche hilfestellung (ja ich weiß ich bin dumm, aber ich kenn mich net so aus) und bei google hab ich sobs nicht irgendein prog. gibt was es sofort löscht aber anscheint kann ich das nur so lösen wie es hier im forum steht ... Aber wie schon gesagt versteh ich das leider nicht ... Naja wenn ihr keine lust habt mir das zu erklären dann is oke ... will ja net nerven ... aber ich poste mal meine log zur sicherheit ....

Logfile of HijackThis v1.99.1
Scan saved at 00:54:02, on 13.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\0190_U~1\w0svc.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Programme\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
C:\Programme\MessengerPlus! 3\MsgPlus.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programme\Gemeinsame Dateien\Logitech\QCDriver3\LVCOMS.EXE
C:\Programme\Logitech\ImageStudio\LogiTray.exe
C:\PROGRA~1\0190_U~1\WARN0190.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Programme\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe
C:\PROGRA~1\GEMEIN~1\aol\AOLPRI~1\AOLSP Scheduler.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\VVSN\VVSN.exe
C:\WINDOWS\System32\ctfmon.exe
C:\programme\valve\steam\steam.exe
C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programme\Skype\Phone\Skype.exe
C:\windows\mmrjxjy.exe
C:\windows\mmrjxjy.exe
C:\windows\mmrjxjy.exe
C:\windows\mmrjxjy.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\AOL9~1.0\waol.exe
C:\PROGRA~1\AOL9~1.0\shellmon.exe
C:\Programme\Gemeinsame Dateien\Aol\aoltpspd.exe
C:\Programme\AVPersonal\AVWIN.EXE
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Chrisitophel\Desktop\Emscherkurve77\Mono für Alle\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wind-find4u.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wind-find4u.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://wind-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://wind-find4u.com/index.htm
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {104B28D8-D895-E015-FE93-A2C7A10FB4A2} - C:\DOKUME~1\CHRISI~1\ANWEND~1\BAITCD~1\StartMemo.exe
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programme\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programme\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMS] C:\Programme\Gemeinsame Dateien\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Programme\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [0190/0900 Warner präsentiert von AOL] C:\PROGRA~1\0190_U~1\WARN0190.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Programme\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\GEMEIN~1\aol\AOLPRI~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [2 Gpl Warn Wait] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\License Hide 2 Gpl\64 media.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [VVSN] C:\Programme\VVSN\VVSN.exe
O4 - HKLM\..\Run: [BearShare] "C:\Programme\BearShare\BearShare.exe" /pause
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Steam] "c:\programme\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Delete Fast] C:\DOKUME~1\CHRISI~1\ANWEND~1\Rdrgrid\LIST AXIS.exe
O4 - HKCU\..\Run: [ukftddb] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [ndlhaep] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [mgjaavt] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [jlfscrr] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [eslmgrt] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [gshruje] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [voxtuqr] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [pilaqwj] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [uqhhgbs] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [jfclsrk] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [favhvkh] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [yxlwwry] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [mrjkjnh] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [mesupeg] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [mbrurpe] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [nxwlwkg] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [potugfx] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [vunptxh] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [ngyfepa] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [wsdutec] c:\windows\mmrjxjy.exe
O4 - HKCU\..\Run: [gfxthqx] c:\windows\drjuwbv.exe
O4 - HKCU\..\Run: [jwetfqn] c:\windows\pyvxgki.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [nytmdha] c:\windows\drjuwbv.exe
O4 - HKCU\..\Run: [sorbovn] c:\windows\pyvxgki.exe
O4 - HKCU\..\Run: [jhwgnbj] c:\windows\drjuwbv.exe
O4 - HKCU\..\Run: [pwukfxv] c:\windows\pyvxgki.exe
O4 - HKCU\..\Run: [ijjhrpk] c:\windows\drjuwbv.exe
O4 - HKCU\..\Run: [aviwmeq] c:\windows\pyvxgki.exe
O4 - HKCU\..\Run: [lrheole] c:\windows\drjuwbv.exe
O4 - HKCU\..\Run: [iulktit] c:\windows\pyvxgki.exe
O4 - HKCU\..\Run: [spjgiaa] c:\windows\drjuwbv.exe
O4 - HKCU\..\Run: [gnfotha] c:\windows\pyvxgki.exe
O4 - HKCU\..\Run: [haqknmp] c:\windows\drjuwbv.exe
O4 - HKCU\..\Run: [bthutko] c:\windows\pyvxgki.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Programme\IrfanView\Ebay\Ebay.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/zOOCjPnta53-vqwIDsw.chm::/on-line.exe
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EEBC776-7AD2-4D36-ADEE-CDCBA08ACD52}: NameServer = 205.188.146.145
O18 - Protocol: bw+0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {F8885ECC-B121-46C9-A47A-7BC3D0E953BA} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: 0190/0900 Warner Überwachungsdienst (0190_0900_Warner_MonitorService) - Mirko Böer - C:\PROGRA~1\0190_U~1\w0svc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Privacy Protection Service (AOLService) - Unknown owner - C:\Programme\Gemeinsame Dateien\AOL\AOL Privacy Protection\\aolserv.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOKUME~1\CHRISI~1\LOKALE~1\TEMP\_VWUPSRV.EXE








Hier Habe ich auch mal meine Ad-Aware Log-files:



Ad-Aware SE Build 1.05
Logfile Created on:Freitag, 13. Mai 2005 13:54:32
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R44 10.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):28 total references
Possible Browser Hijack attempt(TAC index:3):7 total references
Tracking Cookie(TAC index:3):30 total references
WhenU(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


13.05.2005 13:54:33 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Chrisitophel\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\google\navclient\1.1\history
Description : list of recently used search terms in the google toolbar


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-1229272821-1715567821-1801674531-1005\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 408
ThreadCreationTime : 13.05.2005 11:51:38
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 488
ThreadCreationTime : 13.05.2005 11:51:42
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 512
ThreadCreationTime : 13.05.2005 11:51:43
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 716
ThreadCreationTime : 13.05.2005 11:51:43
BasePriority : Normal
FileVersion : 5.1.2600.1224 (xpsp2.030516-0318)
ProductVersion : 5.1.2600.1224
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 728
ThreadCreationTime : 13.05.2005 11:51:43
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 904
ThreadCreationTime : 13.05.2005 11:51:44
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1092
ThreadCreationTime : 13.05.2005 11:51:44
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1252
ThreadCreationTime : 13.05.2005 11:51:45
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1324
ThreadCreationTime : 13.05.2005 11:51:45
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1484
ThreadCreationTime : 13.05.2005 11:51:46
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1812
ThreadCreationTime : 13.05.2005 11:51:52
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:12 [dragdiag.exe]
FilePath : C:\Programme\Alcatel\SpeedTouch USB\
ProcessID : 2004
ThreadCreationTime : 13.05.2005 11:52:07
BasePriority : Normal
FileVersion : 201.2.0.0
ProductVersion : 201.2.0.0
ProductName : SpeedTouch USB
CompanyName : THOMSON multimedia
FileDescription : SpeedTouch Statistics
LegalCopyright : Copyright© THOMSON multimedia 1999-2002

#:13 [aoldial.exe]
FilePath : C:\Programme\Gemeinsame Dateien\AOL\ACS\
ProcessID : 2028
ThreadCreationTime : 13.05.2005 11:52:07
BasePriority : Normal
FileVersion : 2.6.6.3.DE.55
ProductVersion : 2.6.6.3.DE.55
ProductName : AOL Connectivity Service
CompanyName : America Online, Inc
FileDescription : AOL Connectivity Service Dialer
LegalCopyright : Copyright © 2003 America Online, Inc.
OriginalFilename : AOLDial.exe

#:14 [msgplus.exe]
FilePath : C:\Programme\MessengerPlus! 3\
ProcessID : 2036
ThreadCreationTime : 13.05.2005 11:52:07
BasePriority : Normal


#:15 [icqlite.exe]
FilePath : C:\Programme\ICQLite\
ProcessID : 2044
ThreadCreationTime : 13.05.2005 11:52:07
BasePriority : Normal
FileVersion : 20, 32, 2315, 0
ProductVersion : 20, 32, 2315, 0
ProductName : ICQLite
CompanyName : ICQ Ltd.
FileDescription : ICQLite
InternalName : ICQ Lite
LegalCopyright : Copyright (C) 2002
OriginalFilename : ICQLite.exe

#:16 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 148
ThreadCreationTime : 13.05.2005 11:52:07
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Eine DLL-Datei als Anwendung ausführen
InternalName : rundll
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : RUNDLL.EXE

#:17 [lvcoms.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Logitech\QCDriver3\
ProcessID : 164
ThreadCreationTime : 13.05.2005 11:52:07
BasePriority : Normal
FileVersion : 7.3.0.1113
ProductVersion : 7.3.0.1113
ProductName : Logitech ImageStudio
CompanyName : Logitech Inc.
FileDescription : LVCom Server
InternalName : LVComS.exe
LegalCopyright : (c) 1996-2002 Logitech. All rights reserved.
OriginalFilename : LVComS.exe

#:18 [logitray.exe]
FilePath : C:\Programme\Logitech\ImageStudio\
ProcessID : 172
ThreadCreationTime : 13.05.2005 11:52:07
BasePriority : Normal
FileVersion : 7.3.0.1113
ProductVersion : 7.3.0.1113
ProductName : Logitech ImageStudio
CompanyName : Logitech Inc.
FileDescription : ImageStudio Tray Application
InternalName : LogiTray.exe
LegalCopyright : (c) 1996-2002 Logitech. All rights reserved.
OriginalFilename : LogiTray.exe

#:19 [warn0190.exe]
FilePath : C:\PROGRA~1\0190_U~1\
ProcessID : 136
ThreadCreationTime : 13.05.2005 11:52:07
BasePriority : Normal
FileVersion : 4.3.0.219
ProductVersion : 4.03
ProductName : 0190 Warner / 0900 Warner
CompanyName : Mirko Böer
FileDescription : 0190 Warner / 0900 Warner
LegalCopyright : Copyright © 2001 - 2004 Mirko Böer
Comments : http://www.wt-rate.com/

#:20 [mpftray.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ProcessID : 196
ThreadCreationTime : 13.05.2005 11:52:08
BasePriority : Normal
FileVersion : 4.5.3.30
ProductVersion : 4.5.3.30
ProductName : McAfee Personal Firewall (MPF)
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Tray Monitor
InternalName : MpfTray
LegalCopyright : Copyright © 2000-2003 Networks Associates Technologies, Inc.
OriginalFilename : MPFTRAY.EXE
Comments : Tray Icon for McAfee Personal Firewall

#:21 [msnappau.exe]
FilePath : C:\Programme\MSN Apps\Updater\01.02.3000.1001\de\
ProcessID : 184
ThreadCreationTime : 13.05.2005 11:52:08
BasePriority : Normal


#:22 [aolsp scheduler.exe]
FilePath : C:\PROGRA~1\GEMEIN~1\aol\AOLPRI~1\
ProcessID : 220
ThreadCreationTime : 13.05.2005 11:52:09
BasePriority : Normal
FileVersion : 1, 0, 0, 73
ProductVersion : 1, 0, 0, 73
ProductName : AOLSP Scheduler
FileDescription : AOLSP Scheduler
InternalName : AOLSP Scheduler
LegalCopyright : Copyright (C) America Online, Inc. 2004
OriginalFilename : AOLSP Scheduler.exe

#:23 [pdvdserv.exe]
FilePath : C:\Programme\CyberLink\PowerDVD\
ProcessID : 240
ThreadCreationTime : 13.05.2005 11:52:09
BasePriority : Normal
FileVersion : 6.00.1027
ProductVersion : 6.00.1027
ProductName : PowerDVD
CompanyName : Cyberlink Corp.
FileDescription : PowerDVD RC Service
InternalName : PowerDVD RC Service
LegalCopyright : Copyright (c) CyberLink Corp. 1997-2004
OriginalFilename : PDVDSERV.EXE

#:24 [qttask.exe]
FilePath : C:\Programme\QuickTime\
ProcessID : 256
ThreadCreationTime : 13.05.2005 11:52:09
BasePriority : Normal
FileVersion : 6.5
ProductVersion : QuickTime 6.5
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:25 [winampa.exe]
FilePath : C:\Programme\Winamp\
ProcessID : 264
ThreadCreationTime : 13.05.2005 11:52:09
BasePriority : Normal


#:26 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 332
ThreadCreationTime : 13.05.2005 11:52:10
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:27 [steam.exe]
FilePath : C:\programme\valve\steam\
ProcessID : 348
ThreadCreationTime : 13.05.2005 11:52:10
BasePriority : Normal
FileVersion : 1.0.0.0
ProductVersion : 1.0.0.0
ProductName : Steam
CompanyName : Valve Corporation
FileDescription : Steam
LegalCopyright : © Copyright 2000-2003 Valve Corporation All rights reserved.
OriginalFilename : Steam.exe

#:28 [logitechdesktopmessenger.exe]
FilePath : C:\Programme\Logitech\Desktop Messenger\8876480\Program\
ProcessID : 356
ThreadCreationTime : 13.05.2005 11:52:10
BasePriority : Normal
FileVersion : 2.1.2.0
ProductVersion : 2.1.2.0
ProductName : Logitech Desktop Messenger
CompanyName : Logitech
FileDescription : Logitech Desktop Messenger
InternalName : Logitech BackWeb Runner
LegalCopyright : Copyright (C) Logitech 2000-2004. All rights reserved
OriginalFilename : backweb-8876480.exe
Comments : www.logitech.com/ldm

#:29 [skype.exe]
FilePath : C:\Programme\Skype\Phone\
ProcessID : 364
ThreadCreationTime : 13.05.2005 11:52:10
BasePriority : Normal


#:30 [mmrjxjy.exe]
FilePath : C:\windows\
ProcessID : 292
ThreadCreationTime : 13.05.2005 11:52:11
BasePriority : Normal


#:31 [w0svc.exe]
FilePath : C:\PROGRA~1\0190_U~1\
ProcessID : 676
ThreadCreationTime : 13.05.2005 11:52:12
BasePriority : Normal
FileVersion : 4.0.0.22
ProductVersion : 4.0
ProductName : 0190/0900 Warner
CompanyName : Mirko Böer
FileDescription : 0190/0900 Warner Service
InternalName : w0svc
LegalCopyright : Copyright © 2003-2004 Mirko Böer
OriginalFilename : w0svc.exe

#:32 [teatimer.exe]
FilePath : C:\Programme\Spybot - Search & Destroy\
ProcessID : 1192
ThreadCreationTime : 13.05.2005 11:52:13
BasePriority : Idle
FileVersion : 1, 3, 0, 12
ProductVersion : 1, 3, 0, 12
ProductName : Spybot - Search & Destroy
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
LegalCopyright : © 2000-2004 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.
LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
OriginalFilename : TeaTimer.exe
Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.

#:33 [aolacsd.exe]
FilePath : C:\Programme\Gemeinsame Dateien\AOL\ACS\
ProcessID : 1368
ThreadCreationTime : 13.05.2005 11:52:14
BasePriority : Normal


#:34 [iexplore.exe]
FilePath : C:\Programme\Internet Explorer\
ProcessID : 1576
ThreadCreationTime : 13.05.2005 11:52:14
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : IEXPLORE.EXE

#:35 [avwupsrv.exe]
FilePath : C:\Programme\AVPersonal\
ProcessID : 1672
ThreadCreationTime : 13.05.2005 11:52:15
BasePriority : Normal


#:36 [mpfagent.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ProcessID : 1752
ThreadCreationTime : 13.05.2005 11:52:15
BasePriority : Normal
FileVersion : 4.1.0.1
ProductVersion : 4.1.0.1
ProductName : McAfee Personal Firewall (MPF)
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Agent Interface
InternalName : MpfAgent
LegalCopyright : Copyright © 2000-2003 Networks Associates Technologies, Inc.
OriginalFilename : MPFAGENT.EXE
Comments : McAfee Personal Firewall Security Center Module

#:37 [mpfservice.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ProcessID : 1796
ThreadCreationTime : 13.05.2005 11:52:16
BasePriority : Normal
FileVersion : 4.1.0.1
ProductVersion : 4.1.0.1
ProductName : McAfee.com Personal Firewall
CompanyName : McAfee.com Corporation
FileDescription : McAfee.com Personal Firewall Service
InternalName : MPFService
LegalCopyright : Copyright © 2000,2001
OriginalFilename : MpfService.exe
Comments : McAfee.com Personal Firewall Service

#:38 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1860
ThreadCreationTime : 13.05.2005 11:52:16
BasePriority : Normal
FileVersion : 6.14.10.6693
ProductVersion : 6.14.10.6693
ProductName : NVIDIA Driver Helper Service, Version 66.93
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 66.93
InternalName : NVSVC
LegalCopyright : (C) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:39 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2020
ThreadCreationTime : 13.05.2005 11:52:16
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:40 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1560
ThreadCreationTime : 13.05.2005 11:52:17
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:41 [wmiprvse.exe]
FilePath : C:\WINDOWS\System32\wbem\
ProcessID : 3200
ThreadCreationTime : 13.05.2005 11:52:38
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:42 [msnmsgr.exe]
FilePath : C:\Programme\MSN Messenger\
ProcessID : 3268
ThreadCreationTime : 13.05.2005 11:52:39
BasePriority : Normal
FileVersion : 7.0.0777
ProductVersion : 7.0.0777
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright (c) Microsoft Corporation 1997-2004
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:43 [waol.exe]
FilePath : C:\PROGRA~1\AOL9~1.0\
ProcessID : 3788
ThreadCreationTime : 13.05.2005 11:53:01
BasePriority : Normal


#:44 [shellmon.exe]
FilePath : C:\PROGRA~1\AOL9~1.0\
ProcessID : 3960
ThreadCreationTime : 13.05.2005 11:53:04
BasePriority : Normal


#:45 [aoltpspd.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Aol\
ProcessID : 3980
ThreadCreationTime : 13.05.2005 11:53:05
BasePriority : Normal
FileVersion : 1, 1, 1, 0
ProductVersion : [v1_r1.1-2] On Mon 11/29/2004 19:54:26.07
ProductName : AOL TopSpeed(TM)
CompanyName : America Online Inc
FileDescription : AOL TopSpeed(TM)
InternalName : AOL TopSpeed(TM)
LegalCopyright : Copyright © America Online 2003
LegalTrademarks : AOL TopSpeed(TM)
OriginalFilename : aoltpspd.exe

#:46 [ad-aware.exe]
FilePath : C:\Programme\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2500
ThreadCreationTime : 13.05.2005 11:53:46
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistantfind4u.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://wind-find4u.com/sp.htm"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://wind-find4u.com/sp.htm"
Possible Browser Hijack attempt : S-1-5-21-1229272821-1715567821-1801674531-1005\Software\Microsoft\Internet Explorer\MainSearch Pagefind4u.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://wind-find4u.com/index.htm"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1229272821-1715567821-1801674531-1005\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://wind-find4u.com/index.htm"
Possible Browser Hijack attempt : S-1-5-21-1229272821-1715567821-1801674531-1005\Software\Microsoft\Internet Explorer\MainStart Pagefind4u.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://wind-find4u.com/index.htm"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1229272821-1715567821-1801674531-1005\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "http://wind-find4u.com/index.htm"
Possible Browser Hijack attempt : S-1-5-21-1229272821-1715567821-1801674531-1005\Software\Microsoft\Internet Explorer\MainSearch Barfind4u.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://wind-find4u.com/sp.htm"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1229272821-1715567821-1801674531-1005\Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://wind-find4u.com/sp.htm"
Possible Browser Hijack attempt : S-1-5-21-1229272821-1715567821-1801674531-1005\Software\Microsoft\Internet Explorer\SearchURLfind4u.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://wind-find4u.com/index.htm"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1229272821-1715567821-1801674531-1005\Software\Microsoft\Internet Explorer\SearchURL
Value :
Data : "http://wind-find4u.com/index.htm"
Possible Browser Hijack attempt : S-1-5-21-1229272821-1715567821-1801674531-1005\Software\Microsoft\Internet Explorer\SearchURLProviderfind4u.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "wind-find4u.com"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-1229272821-1715567821-1801674531-1005\Software\Microsoft\Internet Explorer\SearchURL
Value : Provider
Data : "wind-find4u.com"

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 6
Objects found so far: 34


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@as-eu.falkag[1].txt
Category : Data Miner
Comment : Hits:59
Value : Cookie:chrisitophel@as-eu.falkag.net/
Expires : 03.05.2006 21:10:56
LastSync : Hits:59
UseCount : 0
Hits : 59

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@statcounter[1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:chrisitophel@statcounter.com/
Expires : 02.05.2010 01:25:30
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@tradedoubler[1].txt
Category : Data Miner
Comment : Hits:62
Value : Cookie:chrisitophel@tradedoubler.com/
Expires : 02.06.2005 14:27:52
LastSync : Hits:62
UseCount : 0
Hits : 62

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@as1.falkag[2].txt
Category : Data Miner
Comment : Hits:146
Value : Cookie:chrisitophel@as1.falkag.de/
Expires : 12.06.2005 02:02:08
LastSync : Hits:146
UseCount : 0
Hits : 146

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@tribalfusion[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:chrisitophel@tribalfusion.com/
Expires : 01.01.2038 02:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@cs.sexcounter[2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:chrisitophel@cs.sexcounter.com/
Expires : 12.05.2024 20:07:28
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@revenue[1].txt
Category : Data Miner
Comment : Hits:22
Value : Cookie:chrisitophel@revenue.net/
Expires : 10.06.2022 07:05:42
LastSync : Hits:22
UseCount : 0
Hits : 22

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@2o7[2].txt
Category : Data Miner
Comment : Hits:265
Value : Cookie:chrisitophel@2o7.net/
Expires : 12.05.2010 00:25:26
LastSync : Hits:265
UseCount : 0
Hits : 265

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@adserver.rushed[1].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:chrisitophel@adserver.rushed.de/
Expires : 03.05.2006 14:10:50
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@adtech[2].txt
Category : Data Miner
Comment : Hits:28
Value : Cookie:chrisitophel@adtech.de/
Expires : 30.04.2015 02:07:16
LastSync : Hits:28
UseCount : 0
Hits : 28

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@fastclick[1].txt
Category : Data Miner
Comment : Hits:12
Value : Cookie:chrisitophel@fastclick.net/
Expires : 29.04.2007 15:24:50
LastSync : Hits:12
UseCount : 0
Hits : 12

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@cgi-bin[1].txt
Category : Data Miner
Comment : Hits:36
Value : Cookie:chrisitophel@imrworldwide.com/cgi-bin
Expires : 08.05.2015 12:07:40
LastSync : Hits:36
UseCount : 0
Hits : 36

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@bs.serving-sys[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:chrisitophel@bs.serving-sys.com/
Expires : 01.01.2038 07:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@serving-sys[2].txt
Category : Data Miner
Comment : Hits:5
Value : Cookie:chrisitophel@serving-sys.com/
Expires : 01.01.2038 07:00:00
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@0[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:chrisitophel@jrightm.cjt1.net/HTM/602/0
Expires : 10.05.2006 11:00:42
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@weborama[2].txt
Category : Data Miner
Comment : Hits:42
Value : Cookie:chrisitophel@weborama.fr/
Expires : 01.05.2007 19:52:24
LastSync : Hits:42
UseCount : 0
Hits : 42

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@partners.webmasterplan[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:chrisitophel@partners.webmasterplan.com/
Expires : 03.06.2005
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@fortunecity[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:chrisitophel@fortunecity.com/
Expires : 01.01.2011 02:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@paycounter[2].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:chrisitophel@paycounter.com/
Expires : 31.12.2030 03:00:00
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : chrisitophel@ads.tripod.lycos[1].txt
Category : Data Miner
Comment : Hits:6
Value : Cookie:chrisitophel@ads.tripod.lycos.de/
Expires : 10.05.2005 00:44:22
LastSync

#148 Hi, ich hab auch diesen topantispyware link auf dem desktop, finde allerdings nicht die lines im hijackthis log die zu fixen sind. deshalb hier mein log, vielleicht kann mir jemand helfen..

Logfile of HijackThis v1.99.1
Scan saved at 14:10:56, on 29.05.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\DOKUME~1\MARTIN~1.SCH\LOKALE~1\TEMP\_VWUPSRV.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Martin.SCHNIGGS-A6Y48M\Lokale Einstellungen\Temp\Temporäres Verzeichnis 2 für hijackthis.zip\HijackThis.exe
C:\Dokumente und Einstellungen\Martin.SCHNIGGS-A6Y48M\Lokale Einstellungen\Temporary Internet Files\Content.IE5\A54BMLE5\kav5.0trial_personalen[1].exe
C:\kav\personal5.0\english\kav5.0.227_personalen.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpl.dll/asst.htm
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Programme\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google-Suche - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149/5/s1//q.chm::/file.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113979786147
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BF5CB08-1E2A-4EB3-B71E-A99E79B48F89}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D542778C-A39B-4B8B-8852-3C9F0E6BC007}: NameServer = 62.72.64.241 62.72.64.237
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOKUME~1\MARTIN~1.SCH\LOKALE~1\TEMP\_VWUPSRV.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Dankeschön

#149 Hallo@saraha

Lade: rkfiles.zip
http://bilder.informationsarchiv.net/Nikitas_Tools/rkfiles.zip
-->entpacken-->
gehe in den abgesicherten Modus
http://www.tu-berlin.de/www/software/virus/savemode.shtml
-->Doppelklick(Ausfuehren)-->rkfiles.bat--> warten bis sich
das DOS-Fenster schliesst...auch wenn es lange dauert --->poste C:\log.txt

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpl.dll/asst.htm
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149/5/s1//q.chm::/file.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c267.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab

PC neustarten

CCleaner--> loesche alle *temp-Datein
http://virus-protect.org/temp.html



------------------------------------------------------------------------

Escan-Erkennungstool (Anleitung)
http://virus-protect.org/escan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#150 Hallo@CyrusXjr

Nimm bitte deine XP-CD und formatiere, der PC ist total verseucht
__________
MfG Sabina

rund um die PC-Sicherheit