HideProc.a Trojan changes the background (desktop)
13.01.2005, 23:37
Member
Posts: 36
14.01.2005, 14:36
Honorary member
Posts: 29434
#2
Hello @Vitali

# My Computer -> right-click --> Windows Explorer -> "Tools/Folder Options" -> "View" -> remove the check mark at "Hide protected system files (recommended)" and enable "Show all files and folders" -> "OK"

Download the Killbox: http://www.bleepingcomputer.com/files/killbox.php

Disable System Restore «XP
http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/gdocid/20030807105707924

Copy the following text into Notepad (Start - Accessories - Notepad) and save it on the desktop as "fixme.reg".

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\½O.#ž‚„õØ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\½O.#ž‚„õØ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\½O.#ž‚„õØ´â]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\½O.#ž‚„õØ´â]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ICOO]
[-HKEY_CLASSES_ROOT\CLSID\{4A8DADD4-5A25-4D41-8599-CB7458766220}]

# Open HijackThis -->> button "Scan" -->> tick the boxes -->> button "Fix checked" -->> restart the PC
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {563AC50A-6D00-C342-5EC7-D1C5C40E2122} - C:\WINDOWS\system32\msef32.dll
O4 - HKLM\..\Run: [shoothe] REM C:\DOKUME~1\LUBAVO~1\ANWEND~1\llstiess.exe -QuieT
O4 - HKLM\..\Run: [Corel Reminder] REM
O4 - HKLM\..\Run: [AttuneClientEngine] REM C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [sysu] "C:\progra~1\ddm\sysu.exe"
O4 - HKLM\..\Run: [94477480.exe] REM C:\WINDOWS\System32\94477480.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [B.tmp] C:\DOKUME~1\LUBAVO~1\LOKALE~1\Temp\B.tmp.exe 0 28129
O4 - HKLM\..\Run: [javayx32.exe] C:\WINDOWS\system32\javayx32.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{A7CA429A-41F5-48E7-81A7-39D5CD8D2932}\SVCHOST.EXE
O4 - HKLM\..\Run: [crvi.exe] C:\WINDOWS\system32\crvi.exe
O4 - HKLM\..\Run: [apifd32.exe] C:\WINDOWS\apifd32.exe
O4 - HKLM\..\RunOnce: [apihm32.exe] C:\WINDOWS\apihm32.exe
O4 - HKCU\..\Run: [Rura] C:\Dokumente und Einstellungen\Luba von Roden\Anwendungsdaten\cier.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Papojtf] C:\WINDOWS\System32\ligonui.exe
O4 - Global Startup: eBay Toolbar.LNK = C:\Programme\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe
O8 - Extra context menu item: Web Rebates - file://C:\Programme\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programme\SideFind\sidefind.dll (file missing)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\appvy.exe (file missing)

Restart the computer in Safe Mode (press F8 while booting).
http://www.tu-berlin.de/www/software/virus/savemode.shtml

Double-click the file "fixme.reg" on the desktop.

KillBox <Delete File on Reboot, and click the red cross; when asked "Do you want to reboot?" ----> click "no" and paste the next one in; only at the last one click "yes"
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\Dokumente und Einstellungen\Luba von Roden\Eigene Dateien\nourl\NoURL.exe
C:\WINDOWS\appvy.exe
C:\Programme\SideFind\sidefind.dll
C:\WINDOWS\System32\ligonui.exe
C:\Programme\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\WINDOWS\System32\tibs3.exe
C:\Dokumente und Einstellungen\Luba von Roden\Anwendungsdaten\cier.exe
C:\WINDOWS\apihm32.exe
C:\WINDOWS\apifd32.exe
C:\WINDOWS\system32\crvi.exe
C:\WINDOWS\System32\Services\{A7CA429A-41F5-48E7-81A7-39D5CD8D2932}\SVCHOST.EXE
C:\WINDOWS\System32\systime.exe
c:\temp\salm.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\Programme\Web_Rebates\WebRebates0.exe
C:\progra~1\ddm\sysu.exe
C:\WINDOWS\system32\javayx32.exe
C:\WINDOWS\pkbor.dll
C:\DOKUME~1\LUBAVO~1\LOKALE~1\Temp\B.tmp.exe 0 28129
C:\DOKUME~1\LUBAVO~1\LOKALE~1\Temp\B.tmp.exe
C:\WINDOWS\System32\94477480.exe
C:\DOKUME~1\LUBAVO~1\ANWEND~1\llstiess.exe
C:\WINDOWS\system32\msef32.dll

Restart the computer in Safe Mode (press F8 while booting).
http://www.tu-berlin.de/www/software/virus/savemode.shtml

Delete:
<C:\Programme\SideFind\
<C:\Programme\Web_Rebates
<C:\Dokumente und Einstellungen\Luba von Roden\Anwendungsdaten\cier.exe
<C:\PROGRA~1\COMMON~1\tsa\
<C:\Program Files\Admilli Service\
<C:\Dokumente und Einstellungen\Luba von Roden\Eigene Dateien\nourl\NoURL.exe
<C:\DOKUME~1\LUBAVO~1\ANWEND~1\llstiess.exe
and also delete the entire contents of
<C:\WINDOWS\Tempor~1\Content.IE5 (leave only the index.dat ... it must not be deleted)
<C:\Temp <----- delete everything you find
<C:\Windows\Temp <---- delete everything you find
<C:\Dokumente und Einstellungen\username\Lokale Einstellungen\Temp\ <--- delete everything you find
#C:\Windows\Downloaded Program Files\ --> delete (EVERYTHING)

Disk Cleanup and deleting the temporary files: <Start<Run--> type in: cleanmgr
delete only:
#Click: Temporary Internet Files, OK
#Click: Temporary Files, OK

Uninstall the antivirus and download:
#Trial version "Antivirus Personal 5.0" http://www.computerbase.de/downloads/software/antivirensoftware/kaspersky_anti-virus/ Kaspersky-Antivirus-Final 5.0 [(German, 10.062 KB, Windows)]
#AdAware (free) http://www.lavasoft.de/support/download/
Update the program BEFORE every scan! During the scan ALL other applications must be closed, and all browser windows must be closed!
#Search&Destroy http://www.safer-networking.org/de/download/index.html
#ClearProg .. download the latest version <1.4.0 Final http://www.clearprog.de/downloads.php <and clean up the browser.
The program deletes the browsing traces of Internet Explorer from version 5.0 onward, of Netscape/Mozilla and of Opera:
- Cookies
- History
- Temporary internet files (cache)
- the entered URLs

#New start page: go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet Files click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings there, confirm with Yes if prompted --> click Apply and finally OK, and set a new start page

+ post the new HijackThis log
__________
Regards, Sabina
all about PC security
This post was edited on 14.01.2005 at 14:42 by Sabina.
14.01.2005, 15:29
Member
Thread starter, Posts: 36
#3
Oh great, thank you very much. I'll get to work; let's see if I can still manage it today.
14.01.2005, 21:05
Member
Thread starter, Posts: 36
#4
OK, so the background is still the same as before.
Did I maybe do something wrong? I think I followed all the steps.

Logfile of HijackThis v1.99.0
Scan saved at 21:03:26, on 14.01.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\mobile PhoneTools\CapFax.EXE
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Trillian\trillian.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Dokumente und Einstellungen\Luba von Roden\Eigene Dateien\HJT\hijackthis199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aon.at/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] REM C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] REM C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroCheck] REM C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CapFax] C:\Programme\mobile PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NoURL] C:\Dokumente und Einstellungen\Luba von Roden\Eigene Dateien\nourl\NoURL.exe
O4 - HKCU\..\Run: [a-squared] "C:\Programme\a2\a2guard.exe"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105583648105
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.de/scan/Msie/bitdefender.cab
O16 - DPF: {BBCACFA8-B901-451E-A606-0FE678814967} (control to view directory & upload images) - http://www.uboot.com/h/int/applet/photo_activex/PhotoUploader.CAB
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

Regards, Vitali
14.01.2005, 23:55
Honorary member
Posts: 29434
#5
Hello @Vitali

Boot into Safe Mode:
Go into the registry: Start<Run<regedit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
delete (completely)
*.frame.crazywinnings.com
*.static.topconverting.com
*.frame.crazywinnings.com (HKLM)
*.static.topconverting.com (HKLM)
-------------------------------------------------------------------------------------------
# Open HijackThis -->> button "Scan" -->> tick the boxes -->> button "Fix checked" -->>
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKCU\..\Run: [NoURL] C:\Dokumente und Einstellungen\Luba von Roden\Eigene Dateien\nourl\NoURL.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
Button "Fix checked"

# My Computer -> right-click --> Windows Explorer -> "Tools/Folder Options" -> "View" -> remove the check mark at "Hide protected system files (recommended)" and enable "Show all files and folders" -> "OK"

Delete:
C:\Program Files\Admilli Service\
C:\Dokumente und Einstellungen\Luba von Roden\Eigene Dateien\nourl\NoURL.exe

Boot back into normal mode

#Search&Destroy http://www.safer-networking.org/de/download/index.html
Spybot - Search && Destroy process list report --> please copy and post it

#Ad-aware SE Personal 1.05 Updated http://fileforum.betanews.com/detail/965718306/1
post the log

+ the new HijackThis log
__________
Regards, Sabina
all about PC security
This post was edited on 14.01.2005 at 23:58 by Sabina.
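One way to read a HijackThis log and pull out exactly the entries the replies above act on (the res:// search pages and raw-IP start pages, the O4 Run entries living in Temp or Anwendungsdaten, the O15 Trusted Zone domains with the ZoneMap registry key post #5 has you open, the O16 cab/ocx downloads from raw IPs or from hosts that were added to the Trusted Zone, and services whose file is missing). This is example code written for this page, not a tool from the thread or from HijackThis; the sample log is a constructed excerpt of the entries posted in posts #2 and #4, and the folder list in SUSPECT_DIRS is an assumption drawn from where this log's autostart binaries were found.

```python
"""Triage helper for HijackThis logs like the ones posted in this thread: reads R0/R1
(IE pages), O4 (Run keys), O15 (Trusted Zone), O16 (DPF) and O23 (service) entries."""
import re
from ipaddress import ip_address

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ZONE_RE = re.compile(r"^Trusted (?P<what>Zone|IP range): (?P<target>\S+)(?P<hklm> \(HKLM\))?$")
DPF_RE = re.compile(r"^DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
HOST_RE = re.compile(r"^[A-Za-z]+://([^/?#\\:]+)")
# IE keeps Trusted Zone assignments below this key (HKCU per user, HKLM for the "(HKLM)"
# entries); a host may be its own subkey or nested as <domain>\<subdomain>, check both.
ZONEMAP = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
# Assumed list: folders the autostart binaries in this thread lived in (Temp, Anwendungsdaten).
SUSPECT_DIRS = ("\\temp\\", "\\anwend~1\\", "\\anwendungsdaten\\",
                "\\application data\\", "\\lokale~1\\")

def _host(url):
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""

def _is_raw_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def _in_zone(host, zones):  # host equals or is below a *.domain Trusted Zone entry
    for z in zones:
        dom = z["target"].lstrip("*.")
        if z["what"] == "Zone" and (host == dom or host.endswith("." + dom)):
            return True
    return False

def triage(log_text):
    report = {"hijacked_urls": [], "run_entries": [], "trusted_zones": [],
              "dpf_downloads": [], "missing_services": []}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            res_dll = value.lower().startswith("res://") and ".dll" in value.lower()
            if res_dll or _is_raw_ip(_host(value)):
                report["hijacked_urls"].append({"key": key, "value": value,
                    "reason": "page inside a DLL resource" if res_dll else "raw IP address"})
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:  # "Startup:" / "Global Startup:" lines are left alone
                cmd = r.group("cmd")
                disabled = cmd.startswith("REM ")  # entry disabled through msconfig
                path = cmd[4:] if disabled else cmd
                report["run_entries"].append({"hive": r.group("hive"), "key": r.group("key"),
                    "name": r.group("name"), "command": path, "disabled": disabled,
                    "suspect": any(d in path.lower() for d in SUSPECT_DIRS)})
        elif kind == "O15":
            z = ZONE_RE.match(body)
            if z:
                hive = "HKEY_LOCAL_MACHINE" if z.group("hklm") else "HKEY_CURRENT_USER"
                sub = ("Domains\\" + z.group("target").lstrip("*.")
                       if z.group("what") == "Zone" else "Ranges")
                report["trusted_zones"].append({"what": z.group("what"), "target": z.group("target"),
                    "registry_key": "%s\\%s\\%s" % (hive, ZONEMAP, sub)})
        elif kind == "O16":
            d = DPF_RE.match(body)
            if d:
                report["dpf_downloads"].append({"url": d.group("url"), "host": _host(d.group("url"))})
        elif kind == "O23" and "(file missing)" in body:
            report["missing_services"].append(body)
    # The O16 verdict depends on the O15 list, so settle it after the whole log is read.
    for d in report["dpf_downloads"]:
        d["flagged"] = _is_raw_ip(d["host"]) or _in_zone(d["host"], report["trusted_zones"])
    return report

# Constructed sample: an excerpt of the entries posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pkbor.dll/sp.html#37049
O4 - HKLM\..\Run: [shoothe] REM C:\DOKUME~1\LUBAVO~1\ANWEND~1\llstiess.exe -QuieT
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [Rura] C:\Dokumente und Einstellungen\Luba von Roden\Anwendungsdaten\cier.exe
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105583648105
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\appvy.exe (file missing)
"""

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for z in rep["trusted_zones"]:
        print(z["target"], "->", z["registry_key"])
```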
15.01.2005, 20:42
Member
Thread starter, Posts: 36
#6
Well, a few of the files you told me to delete were no longer there.
My desktop is still the same as before. I hope you find something; thanks for your effort.

Ad-Aware SE Build 1.05
Logfile Created on:Samstag, 15. Januar 2005 20:14:13
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R25 11.01.2005

References detected during the scan:
180Solutions(TAC index:8):70 total references
CoolWebSearch(TAC index:10):67 total references
Ebates MoneyMaker(TAC index:4):1 total references
Hijacker.TopConverting(TAC index:5):9 total references
Possible Browser Hijack attempt(TAC index:3):3 total references
SahAgent(TAC index:9):1 total references
Search Relevancy(TAC index:5):8 total references
Targetsavers(TAC index:8):3 total references
TopMoxie(TAC index:3):7 total references
Tracking Cookie(TAC index:3):5 total references

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

15.01.2005 20:14:13 - Scan started.
Type : File Data : esaxr.dat Category : Malware Comment : Object : C:\WINDOWS\system32\ CoolWebSearch Object Recognized! Type : File Data : cprtg.txt Category : Malware Comment : Object : C:\WINDOWS\system32\ CoolWebSearch Object Recognized! Type : File Data : tajqb.txt Category : Malware Comment : Object : C:\WINDOWS\system32\ CoolWebSearch Object Recognized! Type : File Data : wcmor.dat Category : Malware Comment : Object : C:\WINDOWS\system32\ CoolWebSearch Object Recognized! Type : File Data : ecque.dat Category : Malware Comment : Object : C:\WINDOWS\system32\ CoolWebSearch Object Recognized! Type : File Data : petnt.log Category : Malware Comment : Object : C:\WINDOWS\system32\ CoolWebSearch Object Recognized! Type : File Data : pumtb.txt Category : Malware Comment : Object : C:\WINDOWS\system32\ CoolWebSearch Object Recognized! Type : File Data : eyknl.txt Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : pzoxi.txt Category : Malware Comment : Object : C:\WINDOWS\ SahAgent Object Recognized! Type : File Data : lsp_.dll Category : Data Miner Comment : Object : C:\WINDOWS\Downloaded Program Files\ FileVersion : 2, 0, 0, 1 ProductVersion : 2, 0, 0, 1 ProductName : ShopAtHomeSelect LSP CompanyName : ShopAtHomeSelect FileDescription : LSP InternalName : LSP LegalCopyright : Copyright © 2004 OriginalFilename : LSP.DLL CoolWebSearch Object Recognized! Type : File Data : ksvunk.log Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : dsnzhm.log Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : vlgfbx.log Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : fgxue.txt Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : dvxmgi.dat Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! 
Type : File Data : vvpabs.dat Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : owafdv.txt Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : qczzmq.txt Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : jvkfhs.txt Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : tvckjd.log Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : styjp.txt Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : wvuhg.dat Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : uituap.log Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : mimzuz.log Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : fjwewk.log Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : slfpjo.dat Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : klyudr.dat Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : dmjzfb.dat Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : fqdujq.log Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : xqvzdt.dat Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : qrgmgd.dat Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : odxtt.dat Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! 
Type : File Data : jicrm.txt Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : pwwfiv.txt Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : appkcf.txt Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : sqipxq.log Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : anpmy.txt Category : Malware Comment : Object : C:\WINDOWS\ CoolWebSearch Object Recognized! Type : File Data : lpswm.txt Category : Malware Comment : Object : C:\WINDOWS\ Search Relevancy Object Recognized! Type : File Data : SearchRelevancy.xml Category : Misc Comment : Object : C:\Programme\SearchRelevancy\ Ebates MoneyMaker Object Recognized! Type : File Data : 1150_1.dat Category : Data Miner Comment : Object : C:\Recycled\Dc11\Sy1150\Sy1150\ 180Solutions Object Recognized! Type : File Data : Dc28.dll Category : Data Miner Comment : Object : C:\Recycled\ TopMoxie Object Recognized! Type : File Data : Dc2388.exe Category : Data Miner Comment : Object : C:\Recycled\ TopMoxie Object Recognized! Type : File Data : Dc2777.exe Category : Data Miner Comment : Object : C:\Recycled\ Disk Scan Result for C:\ »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 81 Possible Browser Hijack attempt Object Recognized! Type : File Data : Search the web.url Category : Misc Comment : Problematic URL discovered: http://www.lookfor.cc/ Object : C:\Dokumente und Einstellungen\Luba von Roden\Favoriten\ Performing conditional scans... »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\tsa CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\tsa Value : TslHWND CoolWebSearch Object Recognized! 
Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\tsa Value : Tsm2HWND CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\tsa Value : Ts2HWND CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\tsa Value : Tsl2HWND CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\tsa Value : Tsp2HWND CoolWebSearch Object Recognized! Type : Regkey Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\tsa CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\tsa Value : CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\tsa Value : NewInstall CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\tsa Value : PAPP CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\tsa Value : Path CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\tsa Value : CODE CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\tsa Value : CountryCode CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\tsa Value : RegionCode CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\tsa Value : CityCode CoolWebSearch Object Recognized! 
Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\tsa Value : MetroCode CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\tsa Value : ContinentCode CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\microsoft\internet explorer\main Value : Enable Browser Extensions CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\main Value : Use Search Asst CoolWebSearch Object Recognized! Type : RegValue Data : Category : Malware Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft Value : set Search Relevancy Object Recognized! Type : Folder Category : Misc Comment : Object : C:\Programme\SearchRelevancy Search Relevancy Object Recognized! Type : File Data : uninstall.exe Category : Misc Comment : Object : C:\Programme\searchrelevancy\ TopMoxie Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\internet explorer\main\ins Value : 1150 180Solutions Object Recognized! Type : Regkey Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : last_conn_h 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : last_conn_l 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : we 180Solutions Object Recognized! 
Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : cdata 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : TimeOffset 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : action_url_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : action_url_last_chunk 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : action_url_last_full_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : key_file 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : kw_last_chunk 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : geourl_last_full_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : geourl_current_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : actionurl_last_full_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : actionurl_current_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : keyword_last_full_version 180Solutions Object Recognized! 
Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : keyword_current_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : recent_shown 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : key_int_high 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\salm Value : key_int_low 180Solutions Object Recognized! Type : Regkey Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : last_conn_h 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : last_conn_l 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : we 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : cdata 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : TimeOffset 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : action_url_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : action_url_last_chunk 180Solutions Object Recognized! 
Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : action_url_last_full_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : key_file 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : kw_last_chunk 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : geourl_last_full_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : geourl_current_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : actionurl_last_full_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : actionurl_current_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : keyword_last_full_version 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\sais Value : keyword_current_version 180Solutions Object Recognized! Type : Regkey Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\microsoft\internet explorer\explorer bars\{30d02401-6a81-11d0-8274-00c04fd5ae38} 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_CURRENT_USER Object : software\microsoft\internet explorer\explorer bars\{30d02401-6a81-11d0-8274-00c04fd5ae38} Value : BarSize 180Solutions Object Recognized! 
Type : Regkey Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm Value : mt1 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm Value : mt2 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm Value : mt3 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm Value : gma 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm Value : gvi 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm Value : gpi 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm Value : boom 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm Value : boom_ver 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm Value : did 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm Value : duid 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm Value : product_id 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\salm Value : umt 180Solutions Object Recognized! 
Type : Regkey Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\sais 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\sais Value : mt1 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\sais Value : mt2 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\sais Value : mt3 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\sais Value : gma 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\sais Value : gvi 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\sais Value : gpi 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\sais Value : did 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\sais Value : duid 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\sais Value : product_id 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\sais Value : umt 180Solutions Object Recognized! Type : Regkey Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\uninstall\salm 180Solutions Object Recognized! 
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\salm
Value : DisplayName

180Solutions Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\salm
Value : UninstallString

180Solutions Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\salm
Value : DisplayIcon

Targetsavers Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\tsl installer

Targetsavers Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\tsl installer
Value : NoRemove

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 92
Objects found so far: 174

20:20:39 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:26.165
Objects scanned:101020
Objects identified:178
Objects ignored:0
New critical objects:178

Regards, Vitali
15.01.2005, 21:16
Honorary member
Posts: 29434
#7
#LSPfix.exe
http://www10.brinkster.com/expl0iter/freeatlast/L2M/ts.htm
<"I know what I'm doing"
Move the "lsp_.dll" from the left to the right side and delete the dll

Go into the registry
Start < Run < regedit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
delete: static.topconverting.com
----------------------------------------------------------------------------
#My Computer -> right-click --> Windows Explorer -> "Tools/Folder Options" -> "View" -> remove the check mark at "Hide protected system files (recommended)" and enable "Show all files and folders" -> "OK"

Delete:
C:\Programme\searchrelevancy\

KillBox
http://www.bleepingcomputer.com/files/killbox.php
<Delete File on Reboot
and click the red cross; when asked "Do you want to reboot?" ----> click "no" and paste in the next one; only for the last one click "yes"

Open the Killbox (paste in)
C:\WINDOWS\system32\oofjy.dat
C:\WINDOWS\system32\jdjrl.log
C:\WINDOWS\system32\asrqw.dat
C:\WINDOWS\system32\mffhk.txt
C:\WINDOWS\system32\zpium.log
C:\WINDOWS\system32\lujxk.dat
C:\WINDOWS\system32\rqbho.log
C:\WINDOWS\system32\aqeha.dat
C:\WINDOWS\system32\esaxr.dat
C:\WINDOWS\system32\cprtg.txt
C:\WINDOWS\system32\tajqb.txt
C:\WINDOWS\system32\wcmor.dat
C:\WINDOWS\system32\ecque.dat
C:\WINDOWS\system32\petnt.log
C:\WINDOWS\system32\pumtb.txt
C:\WINDOWS\eyknl.txt
C:\WINDOWS\pzoxi.txt
C:\WINDOWS\ksvunk.log
C:\WINDOWS\dsnzhm.log
C:\WINDOWS\vlgfbx.log
C:\WINDOWS\fgxue.txt
C:\WINDOWS\dvxmgi.dat
C:\WINDOWS\vvpabs.dat
C:\WINDOWS\owafdv.txt
C:\WINDOWS\qczzmq.txt
C:\WINDOWS\jvkfhs.txt
C:\WINDOWS\tvckjd.log
C:\WINDOWS\styjp.txt
C:\WINDOWS\wvuhg.dat
C:\WINDOWS\uituap.log
C:\WINDOWS\mimzuz.log
C:\WINDOWS\fjwewk.log
C:\WINDOWS\slfpjo.dat
C:\WINDOWS\klyudr.dat
C:\WINDOWS\dmjzfb.dat
C:\WINDOWS\fqdujq.log
C:\WINDOWS\xqvzdt.dat
C:\WINDOWS\qrgmgd.dat
C:\WINDOWS\odxtt.dat
C:\WINDOWS\jicrm.txt
C:\WINDOWS\pwwfiv.txt
C:\WINDOWS\appkcf.txt
C:\WINDOWS\sqipxq.log
C:\WINDOWS\anpmy.txt
C:\WINDOWS\lpswm.txt
C:\Programme\SearchRelevancy\SearchRelevancy.xml
C:\RECYCLER\Desktop.ini

Restart the PC
Then scan again with AdAware + the new HijackThis log and report.
__________
Regards, Sabina
all about PC security
This post was edited on 15.01.2005 at 21:20 by Sabina.
16.01.2005, 14:20
Member
Thread starter, Posts: 36
#8
Well, I don't have lsp_.dll :/ I only have
mswsock.dll, winrnr.dll, rsvpsp.dll
Unfortunately I couldn't find static.topconverting.com either.
This post was edited on 16.01.2005 at 14:37 by Vitali.
16.01.2005, 14:35
Honorary member
Posts: 29434
#9
OK, then carry out everything else I wrote and post the new HijackThis log.
__________
Regards, Sabina
all about PC security
16.01.2005, 15:00
Member
Thread starter, Posts: 36
#10
OK, so when I wanted to reboot Killbox, this came up:
Pending File Rename Options registry data has beent removed by External process
What is that supposed to mean? Do I have to paste everything in again now?
Regards, Vitali
16.01.2005, 15:06
Honorary member
Posts: 29434
#11
No, that means the file you pasted in is deleted at restart (at boot).
Paste them all in, and only for the last one confirm with yes that the PC should be restarted.
__________
Regards, Sabina
all about PC security
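An added illustration of what Sabina explains here (this is not code from the thread or from Killbox): "Delete File on Reboot" queues the paths in the standard REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager works through that list at the next boot, which is why the files only disappear after the restart and why Killbox's message refers to that registry data. The Python below decodes such a value (an empty destination means delete, a leading `!` on the destination means replace an existing file) so the scheduled operations can be reviewed before rebooting. The sample blob is constructed: the two delete entries use file names from the Killbox list in this thread, the replace entry uses made-up paths.

```python
"""Decode a PendingFileRenameOperations value into the operations the
Session Manager will perform at the next boot.

Added example for this thread; not code from the forum post or from Killbox.
The sample blob is CONSTRUCTED: two delete entries use file names from the
thread, the replace entry uses made-up paths.
"""
from typing import List, Optional, Tuple

# Standard location of the value on every NT-based Windows.
PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"  # NT object-manager prefix on every queued path

Operation = Tuple[str, str, Optional[str]]  # (kind, source, destination)


def encode_multi_sz(strings: List[str]) -> bytes:
    """Build a REG_MULTI_SZ blob (used here only to construct the sample)."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Split a REG_MULTI_SZ blob: UTF-16LE, a NUL after each string, one extra NUL at the end.
    Empty strings in the middle are real entries here (an empty destination means delete)."""
    text = raw.decode("utf-16-le")
    if text.endswith("\x00\x00"):
        text = text[:-2]
    elif text.endswith("\x00"):
        text = text[:-1]  # tolerate a blob that lacks the list terminator
    return text.split("\x00") if text else []


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_operations(raw: bytes) -> List[Operation]:
    """Pair the strings as (source, destination): '' = delete, leading '!' = replace existing."""
    strings = decode_multi_sz(raw)
    if len(strings) % 2:
        raise ValueError("unpaired source entry in PendingFileRenameOperations")
    ops: List[Operation] = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        src = _strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, _strip_nt_prefix(dst[1:])))
        else:
            ops.append(("rename", src, _strip_nt_prefix(dst)))
    return ops


def scheduled_deletions(raw: bytes) -> List[str]:
    """Only the paths that will be removed at boot: the list to check before restarting."""
    return [src for kind, src, _ in pending_operations(raw) if kind == "delete"]


# CONSTRUCTED sample value, not read from a real machine.
SAMPLE_PENDING = encode_multi_sz([
    r"\??\C:\WINDOWS\system32\oofjy.dat", "",                       # delete (file name from the thread)
    r"\??\C:\WINDOWS\eyknl.txt", "",                                # delete (file name from the thread)
    r"\??\C:\WINDOWS\Temp\update.tmp", r"!\??\C:\Example\app.dll",  # replace, made-up paths
])

if __name__ == "__main__":
    for kind, src, dst in pending_operations(SAMPLE_PENDING):
        print(f"{kind:8} {src}" + (f" -> {dst}" if dst else ""))
```

Reading the live value would go through the registry API (the winreg module on Windows); the decoding is kept separate so the same check runs offline on an exported blob.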
16.01.2005, 15:28
Member
Thread starter, Posts: 36
#12
Yes, that came up with the last file. I pasted everything in, and when I then pressed reboot yes, the text came up.
Do I perhaps have to run Killbox in safe mode?
Hm, so the files in Killbox don't exist, I've just noticed.
I noticed that when I start ICQ, for a short moment, where ICQ appears, the strange background shifts back and you can see the actual background. As soon as ICQ has loaded, the strange background comes back.
This post was edited on 16.01.2005 at 17:12 by Vitali.
16.01.2005, 18:38
Member
Thread starter, Posts: 36
#13
http://www.smart-security.info/?affid=11OXC9
Oh, and I think that was the link that was on the desktop.
16.01.2005, 19:17
Honorary member
Posts: 29434
#14
Hello @Vitali
1. Update the antivirus + configure under "Options"
[X] Memory
[X] Boot sectors of the drives to scan
[ ] Report unknown boot sectors
[X] All files
[ ] Program files
2. Go into safe mode
3. Do a complete scan
4. Post me the log from the scan + the new HijackThis log
__________
Regards, Sabina
all about PC security
This post was edited on 16.01.2005 at 19:18 by Sabina.
17.01.2005, 01:48
Member
Thread starter, Posts: 36
#15
Logfile of HijackThis v1.99.0
Scan saved at 01:17:48, on 17.01.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
C:\Dokumente und Einstellungen\Luba von Roden\Eigene Dateien\HJT\hijackthis199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aon.at/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] REM C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] REM C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroCheck] REM C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CapFax] C:\Programme\mobile PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [a-squared] "C:\Programme\a2\a2guard.exe"
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105583648105
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.de/scan/Msie/bitdefender.cab
O16 - DPF: {BBCACFA8-B901-451E-A606-0FE678814967} (control to view directory & upload images) - http://www.uboot.com/h/int/applet/photo_activex/PhotoUploader.CAB
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe

Oh, and the antivirus found nothing.
This post was edited on 17.01.2005 at 01:48 by Vitali.
It changed my desktop and I can't change it back.
I've already read quite a bit about it, but my logs look different, so I'm asking again so that I don't do anything wrong...
Hope you can help me, it's my mom's laptop.
First, while looking for something against the HideProc.a trojan, I found something that is supposedly meant to remove the trojan. I wanted to ask whether that's true, because on the infected PC I unfortunately can't update the program, no idea why; on the healthy PC it works, but not on the infected one.
Can someone check whether the program does any good?
http://www.emsisoft.de/de/support/malware/?showmalware=updates
Oh, and then I read somewhere that this can also help:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Can that be right?
I have XP.
Logfile of HijackThis v1.99.0
Scan saved at 21:53:45, on 13.01.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\apihm32.exe
C:\Programme\mobile PhoneTools\CapFax.EXE
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\Programme\Winamp\winampa.exe
C:\temp\salm.exe
C:\WINDOWS\System32\Services\{A7CA429A-41F5-48E7-81A7-39D5CD8D2932}\SVCHOST.EXE
C:\WINDOWS\apifd32.exe
C:\Programme\Messenger\msmsgs.exe
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Dokumente und Einstellungen\Luba von Roden\Eigene Dateien\nourl\NoURL.exe
C:\Programme\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe
C:\Programme\Trillian\trillian.exe
C:\WINDOWS\system32\lîgonui.exe
C:\Dokumente und Einstellungen\Luba von Roden\Eigene Dateien\HJT\hijackthis199\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aon.at
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {563AC50A-6D00-C342-5EC7-D1C5C40E2122} - C:\WINDOWS\system32\msef32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] REM C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] REM C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroCheck] REM C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CapFax] C:\Programme\mobile PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [shoothe] REM C:\DOKUME~1\LUBAVO~1\ANWEND~1\llstiess.exe -QuieT
O4 - HKLM\..\Run: [Corel Reminder] REM
O4 - HKLM\..\Run: [AttuneClientEngine] REM C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [sysu] "C:\progra~1\ddm\sysu.exe"
O4 - HKLM\..\Run: [94477480.exe] REM C:\WINDOWS\System32\94477480.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [B.tmp] C:\DOKUME~1\LUBAVO~1\LOKALE~1\Temp\B.tmp.exe 0 28129
O4 - HKLM\..\Run: [javayx32.exe] C:\WINDOWS\system32\javayx32.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{A7CA429A-41F5-48E7-81A7-39D5CD8D2932}\SVCHOST.EXE
O4 - HKLM\..\Run: [crvi.exe] C:\WINDOWS\system32\crvi.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [apifd32.exe] C:\WINDOWS\apifd32.exe
O4 - HKLM\..\RunOnce: [apihm32.exe] C:\WINDOWS\apihm32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NoURL] C:\Dokumente und Einstellungen\Luba von Roden\Eigene Dateien\nourl\NoURL.exe
O4 - HKCU\..\Run: [Rura] C:\Dokumente und Einstellungen\Luba von Roden\Anwendungsdaten\cier.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Papojtf] C:\WINDOWS\System32\ligonui.exe
O4 - HKCU\..\Run: [a-squared] "C:\Programme\a2\a2guard.exe"
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
O4 - Global Startup: eBay Toolbar.LNK = C:\Programme\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Web Rebates - file://C:\Programme\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programme\SideFind\sidefind.dll (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105583648105
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.de/scan/Msie/bitdefender.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=2732
O16 - DPF: {BBCACFA8-B901-451E-A606-0FE678814967} (control to view directory & upload images) - http://www.uboot.com/h/int/applet/photo_activex/PhotoUploader.CAB
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\appvy.exe (file missing)
Regards, Vitali
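The two HijackThis logs in this thread are read by eye in the replies: search-setting hijacks (R0/R1 pointing at res://...\pkbor.dll or a bare IP), an unnamed BHO, autoruns launched from Temp, an svchost.exe outside System32, the long block of O15 Trusted Zone entries, ActiveX downloads (O16) from bare IPs, and a service whose binary is missing. The script below, added here as an example (it is not HijackThis code and not part of any post), encodes those checks as rules and runs them over a constructed sample made of lines copied from the 13.01.2005 log. The DPF host allowlist and the rule thresholds are assumptions of this example.

```python
"""Triage a HijackThis (v1.99-style) log by rule, the way a forum helper reads it.

Added example for this thread, not HijackThis's own code. SAMPLE_LOG is a
constructed subset of the 13.01.2005 log posted above; the allowlist and
the individual rules are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample: a subset of entries copied from the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pkbor.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aon.at
O2 - BHO: (no name) - {563AC50A-6D00-C342-5EC7-D1C5C40E2122} - C:\WINDOWS\system32\msef32.dll
O4 - HKLM\..\Run: [B.tmp] C:\DOKUME~1\LUBAVO~1\LOKALE~1\Temp\B.tmp.exe 0 28129
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{A7CA429A-41F5-48E7-81A7-39D5CD8D2932}\SVCHOST.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105583648105
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\appvy.exe (file missing)
"""

LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Assumption: hosts from which an ActiveX download (O16) is not flagged.
TRUSTED_DPF_SUFFIXES = (".microsoft.com", ".windowsupdate.com")


@dataclass
class Entry:
    section: str  # "R1", "O4", "O15", ...
    body: str     # text after "<section> - "


@dataset := None  # placeholder removed below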