Problems with web--search.com
09.01.2005, 13:11
...new here
Posts: 4
09.01.2005, 17:05
...new here
Posts: 2
#2
I have the same problem. What do I have to do? Here is my log file from HijackThis:

Logfile of HijackThis v1.99.0
Scan saved at 17:05:12, on 09.01.2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAMME\0190 WARNER\WARN0190.EXE
C:\PROGRAMME\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMME\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\TWAIN_32\SLIMU2\HOTKEY.EXE
C:\PROGRAMME\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\PGSEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freenet.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\WEBDLG32.DLL
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Advertiser Class - {53D3C442-8FEE-4784-9A21-6297D39613F0} - C:\WINDOWS\SYSTEM\WINAD2.DLL
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\WEBDLG32.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\WEBDLG32.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSTEM\SysUpd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [0190 Warner] D:\PROGRA~1\0190WA~1\WARN0190.EXE
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Programme\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [loader32] C:\WINDOWS\ANWENDUNGSDATEN\SYSDOWN\SYS32105.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\SYSTEM\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programme\Gemeinsame Dateien\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAMME\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Office-Indexerstellung.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office-Schnellstart.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.freenet.de

Thanks in advance for your help
13.02.2005, 17:46
...new here
Thread starter, Posts: 4
#3
Hello dear forum,
I still haven't found any way or help to get rid of the web--search.com page... Here is a current log scan again:

Logfile of HijackThis v1.99.0
Scan saved at 17:44:19, on 13.02.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\PROGRAMME\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE
C:\WINDOWS\SAMSUNG\LASERSMMGR\SSMMGR.EXE
C:\PROGRAMME\USB FLASHDISK\UFD UTILITY 2003\UFDLMON.EXE
C:\PROGRAMME\USB FLASHDISK\UFD UTILITY 2003\UFDTOOL.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAMME\MONEY99\SYSTEM\REMINDER.EXE
C:\EIGENE DATEIEN\0190-ALARM\0190ALARM.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAMME\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\EIGENE DATEIEN\SONSTIGES\OLECO\_OLECO.EXE
C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAMME\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMME\REAL\REALPLAYER\REALPLAY.EXE
C:\EIGENE DATEIEN\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.t-online.de/service/redir/ie_suche.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sureseeker.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.t-online.de/service/redir/ie_t-online.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.whatsyoursearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.1stpagehere.com/s.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.whatsyoursearch.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von T-Online International AG
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [LNK_ALL] C:\WINDOWS\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\windows\LNK_ALL.INF
O4 - HKLM\..\Run: [Renovate] C:\WINDOWS\SYSTEM\Renovate.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\Run: [AVSCHED32] C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE /min
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [UFD Monitor9382] C:\Programme\USB FlashDisk\UFD Utility 2003\ufdlmon.exe
O4 - HKLM\..\Run: [UFD Utility9382] C:\Programme\USB FlashDisk\UFD Utility 2003\UFDTool.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Reminder] C:\Programme\Money99\System\reminder.exe
O4 - HKCU\..\Run: [0190 Alarm] C:\EIGENE DATEIEN\0190-ALARM\0190ALARM.EXE
O4 - HKCU\..\RunServicesOnce: [Place Holder] Regsvr32.exe /s pholder.ocx
O4 - Startup: Erinnerungen für Microsoft Works-Kalender.lnk = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office Neu\Office\OSA9.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mpga: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.t-online.de/service/redir/ie_t-online.htm
O16 - DPF: {6D15BD40-CCA6-11D2-A6A0-0060089A0EFF} (RWSO_IHB) - https://banking.rwso.de/kskcalw/srwso2001.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/064dac5f81262daaf305/netzip/RdxIE601_de.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

Maybe someone could help me...? That would be great!
Thanks and regards, Tobias
13.02.2005, 18:37
Honorary member
Posts: 29434
#4
Hello @Schwedentobi

Jotti's malware scan 2.4 - check individual "exe" files
http://virusscan.jotti.dhs.org/
paste in:
C:\WINDOWS\SYSTEM\Renovate.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
C:\WINDOWS\WEBDLG32.DLL
post the result
_________________________________________________________________

Download Registry Search Tool: http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Double-click: regsrch.vbs
paste in: {30192F8D-0958-44E6-B54D-331FD39AC959}
Press 'OK', wait until the search has finished. (Please post the result)
Do this with:
{30192F8D-0958-44E6-B54D-331FD39AC959}
{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}
{11311111-1111-1111-1111-111111111157}

#open HijackThis -->> button "scan" -->> tick the boxes -->> button "Fix checked" -->> restart the PC
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.t-online.de/service/redir/ie_suche.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sureseeker.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.whatsyoursearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.1stpagehere.com/s.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.whatsyoursearch.com/search
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O4 - HKLM\..\Run: [Renovate] C:\WINDOWS\SYSTEM\Renovate.exe
O4 - HKCU\..\RunServicesOnce: [Place Holder] Regsvr32.exe /s pholder.ocx
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
restart the PC

KillBox
http://www.bleepingcomputer.com/files/killbox.php
<Delete File on Reboot and click the red cross; when asked "Do you want to reboot?" ----> click "no" and paste in the next one, only for the last one answer "yes" --> "you want to reboot" go to "yes", then the message appears: "PendingFileRenameOperations Registry Data has been Removed by External Process".
C:\WINDOWS\WEBDLG32.DLL
C:\Recycled\Q330995.exe
C:\WINDOWS\SYSTEM\Renovate.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
restart the PC

eScan detection tool
eScan is available here free of charge under the name Free eScan Antivirus Toolkit Utility: http://www.mwti.net/antivirus/free_utilities.asp
open the scanner --> don't scan yet --> go to Start < Run < type in: %temp% and look for kavupd.exe, click it --> (update, in DOS) run it --> open mwav.exe --> tick all the boxes --> scan --> click View Log --> click Edit --> type in "infected" and now copy out everything that is shown --> (you then have to paste that into the KillBox and delete it)

#ClearProg.. download the newest version <1.4.1
http://www.clearprog.de/downloads.php
<and clean the browser.
The program deletes the browsing traces of Internet Explorer from version 5.0, of Netscape/Mozilla and of Opera:
- Cookies
- History
- Temporary internet files (cache)

#new start page
go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet Files, click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings there, confirm with Yes if prompted --> click Apply and finally OK, and set a new start page

#Ad-aware SE Personal 1.05 Updated
http://fileforum.betanews.com/detail/965718306/1
download --> update --> scan --> restart the PC --> scan again --> post the log from the scan + the new log from HijackThis
__________
Regards, Sabina
all about PC security
This post was edited on 13.02.2005 at 18:59 by Sabina.
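The procedure above boils down to reading the HijackThis log for three patterns: start/search settings pointing at the hijacker's domains, one DLL wired into the URLSearchHook, BHO and toolbar slots at once, and a DPF entry whose "download" source is a local file. The following triage script is an added example (not code from the forum, from Sabina or from HijackThis): the log excerpt is constructed from entries of the kind posted in this thread, the domain list is taken from the posted R0/R1 lines, and the flagging rules are heuristics of this editor, so they will miss entries a human reviewer would still check (Renovate.exe, for instance).

```python
"""Triage a HijackThis log for the browser-hijacker patterns seen in this thread.

Added example. The SAMPLE_LOG is constructed from entries of the kind posted in
the thread, with a few benign lines for contrast; it is not a real scan result.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Domains the posted R0/R1 entries pointed at (taken from the thread's logs).
HIJACK_DOMAINS = ("web--search.com", "sureseeker.com",
                  "whatsyoursearch.com", "1stpagehere.com")

# Sections through which one component can hook Internet Explorer:
# R3 = URLSearchHook, O2 = Browser Helper Object, O3 = toolbar.
BROWSER_HOOK_SECTIONS = ("R3", "O2", "O3")

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.t-online.de/service/redir/ie_t-online.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sureseeker.com/search.htm
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Renovate] C:\WINDOWS\SYSTEM\Renovate.exe
O16 - DPF: {6D15BD40-CCA6-11D2-A6A0-0060089A0EFF} (RWSO_IHB) - https://banking.rwso.de/kskcalw/srwso2001.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
"""


@dataclass
class Entry:
    section: str            # HijackThis section code, e.g. R0, O2, O16
    body: str               # everything after "<section> - "
    clsid: Optional[str]    # first {CLSID} in the line, upper-cased, if any
    target: str             # URL, file path or command the entry points at


def _target(section: str, body: str) -> str:
    """Pull out what an entry points at; the layout differs per section."""
    if section.startswith("R"):          # "<key>,<value> = <url>"
        return body.split("=", 1)[-1].strip()
    if section == "O4":                  # "<hive>\..\Run: [<name>] <command>"
        return body.split("] ", 1)[-1].strip()
    # R3/O2/O3/O9/O16: "<kind>: <name> - {CLSID} - <path or url>"
    return body.rsplit(" - ", 1)[-1].replace(" (file missing)", "").strip()


def parse_hijackthis(text: str) -> List[Entry]:
    """Turn the entry lines of a HijackThis log into Entry records;
    header lines and the 'Running processes' block are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(section, body,
                             clsid.group(0).upper() if clsid else None,
                             _target(section, body)))
    return entries


Finding = Tuple[Entry, str]


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the three patterns from the thread; each entry is flagged at most once."""
    hooks = [e for e in entries if e.section in BROWSER_HOOK_SECTIONS]
    sections_by_clsid = defaultdict(set)
    sections_by_file = defaultdict(set)
    for e in hooks:
        if e.clsid:
            sections_by_clsid[e.clsid].add(e.section)
        sections_by_file[e.target.lower()].add(e.section)

    findings: List[Finding] = []
    for e in entries:
        if e.section in ("R0", "R1") and any(d in e.target.lower() for d in HIJACK_DOMAINS):
            findings.append((e, "start/search setting points at a known hijacker domain"))
        elif e.section in BROWSER_HOOK_SECTIONS and (
                len(sections_by_clsid.get(e.clsid, ())) > 1
                or len(sections_by_file[e.target.lower()]) > 1):
            findings.append((e, "same CLSID or DLL is wired into several browser extension points"))
        elif e.section == "O16" and e.target.lower().startswith("file:"):
            findings.append((e, "ActiveX distribution unit 'downloaded' from a local file"))
    return findings


def files_to_submit(findings: List[Finding]) -> Set[str]:
    """Local files behind flagged entries: what to upload to a multi-engine
    scanner (as Jotti is used in the thread) before deleting anything."""
    paths = set()
    for e, _ in findings:
        t = e.target[len("file://"):] if e.target.lower().startswith("file://") else e.target
        if re.match(r"^[A-Za-z]:\\", t):
            paths.add(t)
    return paths


if __name__ == "__main__":
    found = triage(parse_hijackthis(SAMPLE_LOG))
    for entry, reason in found:
        print(f"{entry.section:<4}{reason}\n    {entry.body}")
    print("files to scan:", sorted(files_to_submit(found)))
```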
13.02.2005, 18:54
Honorary member
Posts: 29434
#5
Hello @Pforzheimer

Jotti's malware scan 2.4 - check individual "exe" files
http://virusscan.jotti.dhs.org/
paste in:
C:\WINDOWS\ANWENDUNGSDATEN\SYSDOWN\SYS32105.EXE
post the result

#open HijackThis -->> button "scan" -->> tick the boxes -->> button "Fix checked" -->> restart the PC
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\WEBDLG32.DLL
O2 - BHO: Advertiser Class - {53D3C442-8FEE-4784-9A21-6297D39613F0} - C:\WINDOWS\SYSTEM\WINAD2.DLL
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\WEBDLG32.DLL
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSTEM\SysUpd.exe
O4 - HKLM\..\Run: [loader32] C:\WINDOWS\ANWENDUNGSDATEN\SYSDOWN\SYS32105.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
restart the PC

KillBox
http://www.bleepingcomputer.com/files/killbox.php
<Delete File on Reboot and click the red cross; when asked "Do you want to reboot?" ----> click "no" and paste in the next one, only for the last one answer "yes" --> "you want to reboot" go to "yes", then the message appears: "PendingFileRenameOperations Registry Data has been Removed by External Process"
C:\WINDOWS\ANWENDUNGSDATEN\SYSDOWN\SYS32105.EXE
C:\WINDOWS\WEBDLG32.DLL
C:\WINDOWS\SYSTEM\WINAD2.DLL
C:\WINDOWS\SYSTEM\SysUpd.exe
restart the PC

eScan detection tool
eScan is available here free of charge under the name Free eScan Antivirus Toolkit Utility: http://www.mwti.net/antivirus/free_utilities.asp
open the scanner --> don't scan yet --> go to Start < Run < type in: %temp% and look for kavupd.exe, click it --> (update, in DOS) run it --> open mwav.exe --> tick all the boxes --> scan --> click View Log --> click Edit --> type in "infected" and now copy out everything that is shown --> (you then have to paste that into the KillBox and delete it)

#ClearProg.. download the newest version <1.4.1
http://www.clearprog.de/downloads.php
<and clean the browser.
The program deletes the browsing traces of Internet Explorer from version 5.0, of Netscape/Mozilla and of Opera:
- Cookies
- History
- Temporary internet files (cache)

#new start page
go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet Files, click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings there, confirm with Yes if prompted --> click Apply and finally OK, and set a new start page

#Ad-aware SE Personal 1.05 Updated
http://fileforum.betanews.com/detail/965718306/1
download --> update --> scan --> restart the PC --> scan again --> post the log from the scan + the new log from HijackThis
__________
Regards, Sabina
all about PC security
This post was edited on 13.02.2005 at 18:55 by Sabina.
20.02.2005, 18:41
...new here
Thread starter, Posts: 4
#6
Hello @Sabina,
many thanks for your help! So, the result from Jotti's malware scan was that renovate.exe is OK; the other two files I did not find on my computer (can that be??). Below I have posted the results of regsrch.vbs, maybe you can help me further with what I can do with them...?? That would be great!
Best regards, Tobias

REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "{30192F8D-0958-44E6-B54D-331FD39AC959}" 20.02.05 15:21:50
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{30192F8D-0958-44E6-B54D-331FD39AC959}]
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{30192F8D-0958-44E6-B54D-331FD39AC959}]
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{30192F8D-0958-44E6-B54D-331FD39AC959}\ProgID]
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{30192F8D-0958-44E6-B54D-331FD39AC959}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{30192F8D-0958-44E6-B54D-331FD39AC959}\TypeLib]
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{30192F8D-0958-44E6-B54D-331FD39AC959}\InprocServer32]
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{30192F8D-0958-44E6-B54D-331FD39AC959}\Programmable]
[HKEY_LOCAL_MACHINE\Software\CLASSES\ToolBand.StartBHO.1\CLSID]
@="{30192F8D-0958-44E6-B54D-331FD39AC959}"
[HKEY_LOCAL_MACHINE\Software\CLASSES\ToolBand.StartBHO\CLSID]
@="{30192F8D-0958-44E6-B54D-331FD39AC959}"
[HKEY_USERS\Tobias Cremer\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{30192F8D-0958-44E6-B54D-331FD39AC959}"=""

REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}" 20.02.05 15:24:14
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/webdlg32.dll]
".Owner"="{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/webdlg32.dll]
"{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"="Search Bar"
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}]
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}\ProgID]
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}\TypeLib]
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}\InprocServer32]
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}\Programmable]
[HKEY_LOCAL_MACHINE\Software\CLASSES\ToolBand.ToolBandObj.1\CLSID]
@="{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"
[HKEY_LOCAL_MACHINE\Software\CLASSES\ToolBand.ToolBandObj\CLSID]
@="{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"
[HKEY_USERS\Tobias Cremer\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"=hex:f8,30,12,0e,50,ea,a9,42,98,3c,d2,\
[HKEY_USERS\Tobias Cremer\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}"=hex:f8,30,12,0e,50,ea,a9,42,98,3c,d2,\

REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "{11311111-1111-1111-1111-111111111157}" 20.02.05 15:26:38
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11311111-1111-1111-1111-111111111157}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11311111-1111-1111-1111-111111111157}\DownloadInformation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11311111-1111-1111-1111-111111111157}\InstalledVersion]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11311111-1111-1111-1111-111111111157}\Contains]
20.02.2005, 22:39
Honorary member
Posts: 29434
#7
Hello @Pforzheimer
now please work through all the remaining points
__________
Regards, Sabina
all about PC security
26.02.2005, 16:46
...new here
Thread starter, Posts: 4
#8
Hello @Sabina,
could you (hopefully) help me one last time and look at the two scans to see whether I have forgotten anything? That would be great!
Many thanks, Tobias

Ad-Aware SE Build 1.05
Logfile Created on:Samstag, 26. Februar 2005 13:29:53
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R28 16.02.2005

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):10 total references
CoolWebSearch(TAC index:10):28 total references
MRU List(TAC index:0):32 total references
Possible Browser Hijack attempt(TAC index:3):36 total references
Tracking Cookie(TAC index:3):12 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

26.02.05 13:29:53 - Scan started. (Full System Scan)
FileDescription : ufdlmon.exe InternalName : ufdlmon LegalCopyright : Copyright (c) 1998 - 2003 OriginalFilename : ufdlmon.exe #:16 [UFDTOOL.EXE] FilePath : C:\PROGRAMME\USB FLASHDISK\UFD UTILITY 2003\ ProcessID : 4294654711 Threads : 3 Priority : Normal FileVersion : 1.00.0010 ProductVersion : 1.00.0010 ProductName : USB Flash Disk Utility CompanyName : FileDescription : USB Flash Disk Utility InternalName : UFDTool OriginalFilename : UFDTool.exe #:17 [REALSCHED.EXE] FilePath : C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\ ProcessID : 4294647155 Threads : 2 Priority : Normal FileVersion : 0.1.0.3018 ProductVersion : 0.1.0.3018 ProductName : RealPlayer (32-bit) CompanyName : RealNetworks, Inc. FileDescription : RealNetworks Scheduler InternalName : schedapp LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004 LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc. OriginalFilename : realsched.exe #:18 [ZLCLIENT.EXE] FilePath : C:\PROGRAMME\ZONE LABS\ZONEALARM\ ProcessID : 4294669687 Threads : 6 Priority : Normal FileVersion : 5.1.025.000 ProductVersion : 5.1.025.000 ProductName : Zone Labs Client CompanyName : Zone Labs Inc. FileDescription : Zone Labs Client InternalName : zlclient LegalCopyright : Copyright © 1998-2004, Zone Labs Inc. OriginalFilename : zlclient.exe #:19 [REMINDER.EXE] FilePath : C:\PROGRAMME\MONEY99\SYSTEM\ ProcessID : 4294662559 Threads : 1 Priority : Normal FileVersion : 7.00.2412 ProductVersion : 7.00.2412 ProductName : Microsoft Money CompanyName : Microsoft Corporation FileDescription : Microsoft Money Reminder InternalName : REMINDER LegalCopyright : Copyright (C) Microsoft Corp. 1990-1998. Alle Rechte vorbehalten. 
OriginalFilename : REMINDER.EXE #:20 [0190ALARM.EXE] FilePath : C:\EIGENE DATEIEN\0190-ALARM\ ProcessID : 4294699579 Threads : 1 Priority : Normal FileVersion : 3.0.0.0 ProductVersion : 3.00 ProductName : 0190 Alarm CompanyName : aborange.de - Mathias Müller FileDescription : 0190 Alarm - Schutz vor 0190-Dialern InternalName : 0190 Alarm LegalCopyright : © 2001-2002 Mathias Müller OriginalFilename : 0190Alarm.exe #:21 [WKCALREM.EXE] FilePath : C:\PROGRAMME\GEMEINSAME DATEIEN\MICROSOFT SHARED\WORKS SHARED\ ProcessID : 4294586219 Threads : 2 Priority : Normal FileVersion : 5.00.2004.0 ProductVersion : 5.00.2004.0 ProductName : Microsoft® Works 2000 CompanyName : Microsoft® Corporation FileDescription : Microsoft® Works Calendar Reminder Service InternalName : WkCalRem LegalCopyright : © 1999 Microsoft Corp. All rights reserved. OriginalFilename : WKCALREM.EXE #:22 [ACROTRAY.EXE] FilePath : C:\PROGRAMME\ADOBE\ACROBAT 5.0\DISTILLR\ ProcessID : 4294615619 Threads : 1 Priority : Normal FileVersion : 5, 0, 0, 0 ProductVersion : 5, 0, 0, 0 ProductName : AcroTray - Adobe Acrobat Distiller helper application. CompanyName : Adobe Systems Inc. FileDescription : AcroTray InternalName : AcroTray LegalCopyright : Copyright © 2001 OriginalFilename : AcroTray.exe #:23 [RNAAPP.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294638231 Threads : 2 Priority : Normal FileVersion : 4.10.2222 ProductVersion : 4.10.2222 ProductName : Betriebssystem Microsoft(R) Windows(R) CompanyName : Microsoft Corporation FileDescription : DFÜ-Netzwerkprogramm InternalName : RNAAPP LegalCopyright : Copyright (C) Microsoft Corp. 
1992-1996 OriginalFilename : RNAAPP.EXE #:24 [WMIEXE.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294260967 Threads : 3 Priority : Normal FileVersion : 5.00.1755.1 ProductVersion : 5.00.1755.1 ProductName : Microsoft(R) Windows NT(R) Operating System CompanyName : Microsoft Corporation FileDescription : WMI service exe housing InternalName : wmiexe LegalCopyright : Copyright (C) Microsoft Corp. 1981-1998 OriginalFilename : wmiexe.exe #:25 [TAPISRV.EXE] FilePath : C:\WINDOWS\SYSTEM\ ProcessID : 4294270819 Threads : 5 Priority : Normal FileVersion : 4.10.2222 ProductVersion : 4.10.2222 ProductName : Betriebssystem Microsoft(R) Windows(R) CompanyName : Microsoft Corporation FileDescription : Microsoft® Windows(R) Telefonieserver InternalName : Telefoniedienst LegalCopyright : Copyright (C) Microsoft Corp. 1994-1998 OriginalFilename : TAPISRV.EXE #:26 [AD-AWARE.EXE] FilePath : C:\PROGRAMME\LAVASOFT\AD-AWARE SE PERSONAL\ ProcessID : 4294186767 Threads : 2 Priority : Normal FileVersion : 6.2.0.206 ProductVersion : VI.Second Edition ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved Memory scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 32 Started registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Alexa Object Recognized! Type : Regkey Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Alexa Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : MenuText Alexa Object Recognized! 
Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : MenuStatusBar Alexa Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : Script Alexa Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : clsid Alexa Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : Icon Alexa Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : HotIcon Alexa Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} Value : ButtonText CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : typelib\{5297e905-1dfb-4a9c-9871-a4f95fd58945} CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : toolband.toolbandobj.1 CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : toolband.toolbandobj.1 Value : CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : toolband.toolbandobj CoolWebSearch Object Recognized! 
Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : toolband.toolbandobj Value : CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : toolband.startbho.1 CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : toolband.startbho.1 Value : CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : toolband.startbho CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : toolband.startbho Value : CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{95b92d92-8b7d-4a19-a3f1-43113b4dbcaf} CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{95b92d92-8b7d-4a19-a3f1-43113b4dbcaf} Value : CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{1de9ee01-df51-49db-9bdd-5990b35c1c2a} CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : interface\{1de9ee01-df51-49db-9bdd-5990b35c1c2a} Value : CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b} CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CLASSES_ROOT Object : clsid\{0e1230f8-ea50-42a9-983c-d22abc2eed3b} Value : CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_USERS Object : Tobias Cremer\software\serg\searchbar CoolWebSearch Object Recognized! 
Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_USERS Object : Tobias Cremer\software\serg\searchbar Value : NumRuns CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_USERS Object : Tobias Cremer\software\serg\searchbar Value : Next CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_USERS Object : Tobias Cremer\software\serg\searchbar Value : CLSID CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_USERS Object : Tobias Cremer\software\serg\searchbar Value : PanelNumber CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_USERS Object : Tobias Cremer\software\serg CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\uninstall\sbsoft CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\uninstall\sbsoft Value : DisplayName CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\uninstall\sbsoft Value : UninstallString Alexa Object Recognized! Type : RegValue Data : Category : Data Miner Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}" Rootkey : HKEY_USERS Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a} Alexa Object Recognized! Type : RegValue Data : Category : Data Miner Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}" Rootkey : HKEY_USERS Object : Tobias Cremer\software\microsoft\internet explorer\extensions\cmdmapping Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a} CoolWebSearch Object Recognized! 
Type : RegValue Data : Category : Malware Comment : "{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}" Rootkey : HKEY_USERS Object : Tobias Cremer\software\microsoft\internet explorer\toolbar\webbrowser Value : {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} Registry Scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 35 Objects found so far: 67 Started deep registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Deep registry scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 67 Started Tracking Cookie scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking Cookie Object Recognized! Type : IECache Entry Data : tobias cremer@versiontracker[1].txt Category : Data Miner Comment : Hits:3 Value : Cookie:tobias cremer@versiontracker.com/ Expires : 26.02.07 03:27:00 LastSync : Hits:3 UseCount : 0 Hits : 3 Tracking Cookie Object Recognized! Type : IECache Entry Data : tobias cremer@adtech[2].txt Category : Data Miner Comment : Hits:4 Value : Cookie:tobias cremer@adtech.de/ Expires : 24.02.15 11:26:20 LastSync : Hits:4 UseCount : 0 Hits : 4 Tracking Cookie Object Recognized! Type : IECache Entry Data : tobias cremer@atdmt[1].txt Category : Data Miner Comment : Hits:1 Value : Cookie:tobias cremer@atdmt.com/ Expires : 25.02.10 01:00:00 LastSync : Hits:1 UseCount : 0 Hits : 1 Tracking Cookie Object Recognized! Type : IECache Entry Data : tobias cremer@mediaplex[1].txt Category : Data Miner Comment : Hits:1 Value : Cookie:tobias cremer@mediaplex.com/ Expires : 22.06.09 01:00:00 LastSync : Hits:1 UseCount : 0 Hits : 1 Tracking Cookie Object Recognized! Type : IECache Entry Data : tobias cremer@tribalfusion[1].txt Category : Data Miner Comment : Hits:1 Value : Cookie:tobias cremer@tribalfusion.com/ Expires : 01.01.38 01:00:00 LastSync : Hits:1 UseCount : 0 Hits : 1 Tracking Cookie Object Recognized! 
Type : IECache Entry Data : tobias cremer@servedby.netshelter[2].txt Category : Data Miner Comment : Hits:4 Value : Cookie:tobias cremer@servedby.netshelter.net/ Expires : 05.03.05 11:09:46 LastSync : Hits:4 UseCount : 0 Hits : 4 Tracking cookie scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 6 Objects found so far: 73 Deep scanning and examining files (c »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking Cookie Object Recognized! Type : IECache Entry Data : tobias cremer@mediaplex[1].txt Category : Data Miner Comment : Value : c:\WINDOWS\Profiles\Tobias Cremer\Cookies\tobias cremer@mediaplex[1].txt Tracking Cookie Object Recognized! Type : IECache Entry Data : tobias cremer@versiontracker[1].txt Category : Data Miner Comment : Value : c:\WINDOWS\Profiles\Tobias Cremer\Cookies\tobias cremer@versiontracker[1].txt Tracking Cookie Object Recognized! Type : IECache Entry Data : tobias cremer@adtech[2].txt Category : Data Miner Comment : Value : c:\WINDOWS\Profiles\Tobias Cremer\Cookies\tobias cremer@adtech[2].txt Tracking Cookie Object Recognized! Type : IECache Entry Data : tobias cremer@servedby.netshelter[2].txt Category : Data Miner Comment : Value : c:\WINDOWS\Profiles\Tobias Cremer\Cookies\tobias cremer@servedby.netshelter[2].txt Tracking Cookie Object Recognized! Type : IECache Entry Data : tobias cremer@tribalfusion[1].txt Category : Data Miner Comment : Value : c:\WINDOWS\Profiles\Tobias Cremer\Cookies\tobias cremer@tribalfusion[1].txt Tracking Cookie Object Recognized! Type : IECache Entry Data : tobias cremer@atdmt[1].txt Category : Data Miner Comment : Value : c:\WINDOWS\Profiles\Tobias Cremer\Cookies\tobias cremer@atdmt[1].txt Disk Scan Result for c:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 79 Possible Browser Hijack attempt Object Recognized! 
Type : File Data : File Sharing Center.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/fileshare Object : C:\WINDOWS\Favoriten\LINKS\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : MP3 Advance.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/mp3advance Object : C:\WINDOWS\Favoriten\LINKS\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : MP3 Center.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/mp3center Object : C:\WINDOWS\Favoriten\LINKS\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Shared Movies.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/sharedm Object : C:\WINDOWS\Favoriten\LINKS\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : 24-7 Downloads.url Category : Misc Comment : Problematic URL discovered: http://www.247downloads.com/3_click.php?a=14&b=684&c=1&sub=klik Object : C:\WINDOWS\Favoriten\LINKS\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Cinema Download.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/cinemad Object : C:\WINDOWS\Favoriten\LINKS\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : KaZaa Light.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/ishareit Object : C:\WINDOWS\Favoriten\LINKS\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Extractor & Burner.url Category : Misc Comment : Problematic URL discovered: http://www.extractorandburner.com/?revid=4416&s=1 Object : C:\WINDOWS\Favoriten\LINKS\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! 
Type : File Data : Download Shield.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/airon Object : C:\WINDOWS\Favoriten\LINKS\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : MP3 Dowload HQ.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/william26 Object : C:\WINDOWS\Favoriten\LINKS\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Adult Love Line.url Category : Misc Comment : Problematic URL discovered: URL=http://www.adultloveline.com/index.cfm?wm_login=klikdate Object : C:\WINDOWS\Favoriten\LINKS\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Amateur Match.url Category : Misc Comment : Problematic URL discovered: http://www.datinggold.com/index.php?a=MTAwMHwx Object : C:\WINDOWS\Favoriten\LINKS\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Date Match.url Category : Misc Comment : Problematic URL discovered: http://www.datinggold.com/index.php?a=MTAwMHw0 Object : C:\WINDOWS\Favoriten\LINKS\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Wild Hot Dates.url Category : Misc Comment : Problematic URL discovered: http://www.wildhotdates.com/index.cfm?wm_login=klikdate Object : C:\WINDOWS\Favoriten\LINKS\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Flirt 4 Dates.url Category : Misc Comment : Problematic URL discovered: http://www.flirt4dates.com/index.cfm?wm_login=klikdate Object : C:\WINDOWS\Favoriten\LINKS\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Adult Friend Finder.url Category : Misc Comment : Problematic URL discovered: http://adultfriendfinder.com/go/p73081 Object : C:\WINDOWS\Favoriten\LINKS\Dating\ Possible Browser Hijack attempt Object Recognized! 
Type : File Data : Singles 4 You.url Category : Misc Comment : Problematic URL discovered: http://www.singles4you.com/index.cfm?wm_login=klikdate Object : C:\WINDOWS\Favoriten\LINKS\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Passion.com.url Category : Misc Comment : Problematic URL discovered: http://passion.com/go/p73081 Object : C:\WINDOWS\Favoriten\LINKS\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : File Sharing Center.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/fileshare Object : C:\WINDOWS\Favoriten\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : MP3 Advance.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/mp3advance Object : C:\WINDOWS\Favoriten\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : MP3 Center.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/mp3center Object : C:\WINDOWS\Favoriten\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Shared Movies.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/sharedm Object : C:\WINDOWS\Favoriten\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : 24-7 Downloads.url Category : Misc Comment : Problematic URL discovered: http://www.247downloads.com/3_click.php?a=14&b=684&c=1&sub=klik Object : C:\WINDOWS\Favoriten\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Cinema Download.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/cinemad Object : C:\WINDOWS\Favoriten\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! 
Type : File Data : KaZaa Light.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/ishareit Object : C:\WINDOWS\Favoriten\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Extractor & Burner.url Category : Misc Comment : Problematic URL discovered: http://www.extractorandburner.com/?revid=4416&s=1 Object : C:\WINDOWS\Favoriten\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Download Shield.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/airon Object : C:\WINDOWS\Favoriten\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : MP3 Dowload HQ.url Category : Misc Comment : Problematic URL discovered: http://hop.clickbank.net/?kliksearch/william26 Object : C:\WINDOWS\Favoriten\MP3 and Movies\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Adult Love Line.url Category : Misc Comment : Problematic URL discovered: URL=http://www.adultloveline.com/index.cfm?wm_login=klikdate Object : C:\WINDOWS\Favoriten\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Amateur Match.url Category : Misc Comment : Problematic URL discovered: http://www.datinggold.com/index.php?a=MTAwMHwx Object : C:\WINDOWS\Favoriten\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Date Match.url Category : Misc Comment : Problematic URL discovered: http://www.datinggold.com/index.php?a=MTAwMHw0 Object : C:\WINDOWS\Favoriten\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Wild Hot Dates.url Category : Misc Comment : Problematic URL discovered: http://www.wildhotdates.com/index.cfm?wm_login=klikdate Object : C:\WINDOWS\Favoriten\Dating\ Possible Browser Hijack attempt Object Recognized! 
Type : File Data : Flirt 4 Dates.url Category : Misc Comment : Problematic URL discovered: http://www.flirt4dates.com/index.cfm?wm_login=klikdate Object : C:\WINDOWS\Favoriten\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Adult Friend Finder.url Category : Misc Comment : Problematic URL discovered: http://adultfriendfinder.com/go/p73081 Object : C:\WINDOWS\Favoriten\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Singles 4 You.url Category : Misc Comment : Problematic URL discovered: http://www.singles4you.com/index.cfm?wm_login=klikdate Object : C:\WINDOWS\Favoriten\Dating\ Possible Browser Hijack attempt Object Recognized! Type : File Data : Passion.com.url Category : Misc Comment : Problematic URL discovered: http://passion.com/go/p73081 Object : C:\WINDOWS\Favoriten\Dating\ Performing conditional scans... »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\serg CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\microsoft\internet explorer\main Value : Enable Browser Extensions CoolWebSearch Object Recognized! 
Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\microsoft\internet explorer\main Value : Use Custom Search URL Conditional scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 3 Objects found so far: 118 13:52:26 Scan Complete Summary Of This Scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Total scanning time:00:22:33.480 Objects scanned:90195 Objects identified:86 Objects ignored:0 New critical objects:86 Logfile of HijackThis v1.99.0 Scan saved at 16:43:43, on 26.02.05 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\ATIPTAAA.EXE C:\PROGRAMME\NORTON ANTIVIRUS\NAVAPW32.EXE C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE C:\WINDOWS\SAMSUNG\LASERSMMGR\SSMMGR.EXE C:\PROGRAMME\USB FLASHDISK\UFD UTILITY 2003\UFDLMON.EXE C:\PROGRAMME\USB FLASHDISK\UFD UTILITY 2003\UFDTOOL.EXE C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE C:\PROGRAMME\MONEY99\SYSTEM\REMINDER.EXE C:\EIGENE DATEIEN\0190-ALARM\0190ALARM.EXE C:\PROGRAMME\GEMEINSAME DATEIEN\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\PROGRAMME\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAMME\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE C:\EIGENE DATEIEN\SONSTIGES\OLECO\_OLECO.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAMME\OUTLOOK EXPRESS\MSIMN.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE C:\PROGRAMME\REAL\REALPLAYER\REALPLAY.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\EIGENE DATEIEN\HIJACKTHIS\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet 
Explorer\Main,Start Page = http://www.t-online.de/service/redir/ie_t-online.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.t-online.de/service/redir/ie_t-online.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von T-Online International AG O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe O4 - HKLM\..\Run: [LNK_ALL] C:\WINDOWS\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\windows\LNK_ALL.INF O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min O4 - HKLM\..\Run: [AVSCHED32] C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE /min O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe O4 - HKLM\..\Run: [UFD Monitor9382] C:\Programme\USB FlashDisk\UFD Utility 2003\ufdlmon.exe O4 - HKLM\..\Run: [UFD Utility9382] C:\Programme\USB FlashDisk\UFD Utility 2003\UFDTool.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKCU\..\Run: [Reminder] C:\Programme\Money99\System\reminder.exe O4 - HKCU\..\Run: [0190 Alarm] C:\EIGENE 
DATEIEN\0190-ALARM\0190ALARM.EXE O4 - Startup: Erinnerungen für Microsoft Works-Kalender.lnk = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office Neu\Office\OSA9.EXE O4 - Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll O12 - Plugin for .mpga: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://www.t-online.de/service/redir/ie_t-online.htm O16 - DPF: {6D15BD40-CCA6-11D2-A6A0-0060089A0EFF} (RWSO_IHB) - https://banking.rwso.de/kskcalw/srwso2001.cab O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/064dac5f81262daaf305/netzip/RdxIE601_de.cab |
27.02.2005, 00:03
Honorary member
Posts: 29434
#9
Hello @Schwedentobi
I think the log is clean, but you should still "dig deeper":
eScan detection tool
eScan is available free of charge here under the name Free eScan Antivirus Toolkit Utility: http://www.mwti.net/antivirus/free_utilities.asp
Open the scanner --> do not scan yet --> go to Start > Run > type in: %temp% and look for kavupd.exe; click it --> run it (update, in DOS) and then start the scanner with "mwav.exe" [or: MWAVSCAN.COM].
Tick all boxes. Select: "all files", Memory, Startup-Folders, Registry, System Folders, Services, Drive/All Local drives, Folder [C:\WINDOWS], Include SubDirectory --> open mwav.exe --> tick all boxes --> scan --> click View Log --> click Edit --> type in "infected" and now copy out everything that is displayed -->
__________
Kind regards, Sabina
all about PC security
I have seen that there were already others who had problems with this homepage, but I still want to ask here again separately... I don't know much about computers, but at least I have already managed to download the HijackThis program and run a scan! Sabina had already given instructions on how to proceed from here. Can I simply apply that to my computer? I would be glad if someone could help me get rid of this stupid start page. If possible, with simple explanations... What does this start page actually do? Does it only show up, or do I have to fear more?? And how did I catch it?
Best regards, Tobi
Logfile of HijackThis v1.99.0
Scan saved at 13:04:41, on 09.01.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\PROGRAMME\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE
C:\WINDOWS\SAMSUNG\LASERSMMGR\SSMMGR.EXE
C:\PROGRAMME\USB FLASHDISK\UFD UTILITY 2003\UFDLMON.EXE
C:\PROGRAMME\USB FLASHDISK\UFD UTILITY 2003\UFDTOOL.EXE
C:\PROGRAMME\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAMME\MONEY99\SYSTEM\REMINDER.EXE
C:\EIGENE DATEIEN\0190-ALARM\0190ALARM.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAMME\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE
C:\EIGENE DATEIEN\SONSTIGES\OLECO\_OLECO.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMME\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\EIGENE DATEIEN\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.t-online.de/service/redir/ie_suche.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sureseeker.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.t-online.de/service/redir/ie_t-online.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.whatsyoursearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.1stpagehere.com/s.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.whatsyoursearch.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von T-Online International AG
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [LNK_ALL] C:\WINDOWS\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\windows\LNK_ALL.INF
O4 - HKLM\..\Run: [Renovate] C:\WINDOWS\SYSTEM\Renovate.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\Run: [AVSCHED32] C:\PROGRAMME\AVPERSONAL\AVSCHED32.EXE /min
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [UFD Monitor9382] C:\Programme\USB FlashDisk\UFD Utility 2003\ufdlmon.exe
O4 - HKLM\..\Run: [UFD Utility9382] C:\Programme\USB FlashDisk\UFD Utility 2003\UFDTool.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Reminder] C:\Programme\Money99\System\reminder.exe
O4 - HKCU\..\Run: [0190 Alarm] C:\EIGENE DATEIEN\0190-ALARM\0190ALARM.EXE
O4 - HKCU\..\RunServicesOnce: [Place Holder] Regsvr32.exe /s pholder.ocx
O4 - Startup: Erinnerungen für Microsoft Works-Kalender.lnk = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office Neu\Office\OSA9.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mpga: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.t-online.de/service/redir/ie_t-online.htm
O16 - DPF: {6D15BD40-CCA6-11D2-A6A0-0060089A0EFF} (RWSO_IHB) - https://banking.rwso.de/kskcalw/srwso2001.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/064dac5f81262daaf305/netzip/RdxIE601_de.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
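What the posted log shows, independently of the reply above: the R0/R1 lines point the start page and search URLs at web--search.com, sureseeker.com and whatsyoursearch.com instead of the T-Online defaults; one DLL, WEBDLG32.DLL, is registered as URLSearchHook (R3), BHO (O2) and toolbar (O3) at the same time; and one O16 (Downloaded Program Files) entry loads from file://C:\Recycled\... rather than from a website. The script below is an added example, not part of this thread and not HijackThis' own code: it parses lines in the HijackThis log format and applies those three triage rules to a constructed subset of the lines posted above. The set of expected hosts is an assumption taken from the ISP/vendor default pages visible in the thread; on another machine it would be whatever the owner actually configured.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a subset of the log lines posted in this thread,
# in the HijackThis format (section - body). Not the full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sureseeker.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web--search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.t-online.de/service/redir/ie_t-online.htm
R3 - URLSearchHook: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O3 - Toolbar: Search Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBDLG32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {6D15BD40-CCA6-11D2-A6A0-0060089A0EFF} (RWSO_IHB) - https://banking.rwso.de/kskcalw/srwso2001.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"(?:https?|file)://\S+", re.I)

# Assumption: the hosts of the browser default pages that legitimately belong
# on this machine (the ISP/vendor pages seen in the thread). Any other host in
# an R0/R1 start page or search URL is reported for review.
EXPECTED_HOSTS = {"www.t-online.de", "www.msn.de", "www.freenet.de"}


def parse(text):
    """Yield (section, body, raw line) for every HijackThis entry line."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m.group("kind"), m.group("body"), raw


def triage(text, expected_hosts=EXPECTED_HOSTS):
    """Return (rule, detail, context) findings: rules 1 and 2 in log order, then rule 3."""
    findings = []
    hook_modules = defaultdict(set)  # module path -> sections it is registered in
    for kind, body, raw in parse(text):
        if kind in ("R0", "R1"):
            # Rule 1: start page / search URLs pointing at a host nobody configured.
            for url in URL_RE.findall(body):
                host = (urlsplit(url).hostname or "").lower()
                if host not in expected_hosts:
                    findings.append(("unexpected-host", host, raw))
        elif kind in ("R3", "O2", "O3"):
            # Record which browser extension points each module occupies.
            module = body.rsplit(" - ", 1)[-1].strip().lower()
            hook_modules[module].add(kind)
        elif kind == "O16":
            # Rule 2: a Downloaded Program Files entry normally names the web
            # URL it was fetched from; a file:// source is not a normal download.
            for url in URL_RE.findall(body):
                if urlsplit(url).scheme.lower() == "file":
                    findings.append(("local-dpf-source", url, raw))
    # Rule 3: one module acting as URLSearchHook, BHO and toolbar at once
    # deserves a look before any single entry does.
    for module, kinds in hook_modules.items():
        if len(kinds) > 1:
            findings.append(("shared-hook-module", module, ",".join(sorted(kinds))))
    return findings


def flagged_hosts(text):
    """Sorted list of the start page / search hosts rule 1 reported."""
    return sorted({d for rule, d, _ in triage(text) if rule == "unexpected-host"})


if __name__ == "__main__":
    for rule, detail, context in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}\n    {context}")
```

Run on the constructed sample, rule 1 reports www.sureseeker.com and www.web--search.com but not www.t-online.de, rule 2 reports the file://C:\Recycled\Q330995.exe entry and leaves the banking .cab alone, and rule 3 reports WEBDLG32.DLL as registered under O2, O3 and R3 while MSDXM.OCX (a single O3 entry) is not reported.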