23.01.2005, 01:44
...new here

Posts: 8
#1 Hi everyone,
you were highly recommended to me by a colleague whom you have already rescued once, and I hope you can do the same for me.
Specifically, as soon as I open my Explorer I always get a wrong start page opened. I have already removed it with your HijackThis, but so far it has always come back. I hope you can help me with this, many thanks in advance, here is my logfile:

Logfile of HijackThis v1.99.0
Scan saved at 01:19:34, on 23.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programme\Siemens\Gigaset USB Stick 54\Gcc.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\StarOffice6.0\program\soffice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Siemens\Gigaset USB Stick 54\OdHost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\WinRAR\WinRAR.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\DOKUME~1\OLIVER~1.OLI\LOKALE~1\Temp\Rar$EX14.524\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my-mail.ch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my-mail.ch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von cablecom hispeed internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - URLSearchHook: Search - {B3CC3ADE-3C49-49BD-BD55-179723AAB0FB} - C:\WINDOWS\System32\Q447553.dll (file missing)
O2 - BHO: Search - {16C3C644-B7D6-4131-A7D7-D251439E8C26} - C:\WINDOWS\System32\Q447553.dll (file missing)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VOBID] C:\Programme\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [IW ControlCenter] C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Workflow] D:\Installs\Workflow.exe
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: StarOffice 6.0.lnk = C:\Programme\StarOffice6.0\program\quickstart.exe
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = C:\Programme\Siemens\Gigaset USB Stick 54\Gcc.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{968D7E4A-C7A1-4904-BEFF-DDB380456F60}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A86F940E-86C6-4BA0-B67F-36DF00C0D1DA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE71992D-2F9C-4779-B19E-DF69372E718E}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{F21A4CC9-7615-4FD8-8F62-4D133CEF3614}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe


cu. Metty
This post was edited on 26.01.2005 at 12:22 by Sabina.
23.01.2005, 22:03
Honorary member

Posts: 29434
#2 Hello @Metteron

Disable System Restore
« XP
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".
--> you can turn it back on after the cleanup

Download KillBox (unpack it on the desktop)
http://www.bleepingcomputer.com/files/killbox.php

1) download rem.zip
http://forums.skads.org/index.php?showtopic=80
2) unpack it in the directory C:\WINDOWS\System32\
(it is important that it is in this directory!)

#open HijackThis -->> button "Scan" -->> tick the boxes -->> button "Fix checked" -->> restart the PC

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - URLSearchHook: Search - {B3CC3ADE-3C49-49BD-BD55-179723AAB0FB} - C:\WINDOWS\System32\Q447553.dll (file missing)
O2 - BHO: Search - {16C3C644-B7D6-4131-A7D7-D251439E8C26} - C:\WINDOWS\System32\Q447553.dll (file missing)
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{968D7E4A-C7A1-4904-BEFF-DDB380456F60}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A86F940E-86C6-4BA0-B67F-36DF00C0D1DA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE71992D-2F9C-4779-B19E-DF69372E718E}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{F21A4CC9-7615-4FD8-8F62-4D133CEF3614}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31

Restart the PC
3) start the computer in safe mode.
http://www.tu-berlin.de/www/software/virus/savemode.shtml

Disk Cleanup: and deleting the temporary files
<Start<Run--> type in: cleanmgr
delete only:
#Click: Temporary Internet Files, OK
#Click: Temporary Files, OK


Open Killbox
<Delete File on Reboot

C:\WINDOWS\System32\Q447553.dll

and click the red cross,
when asked "Do you want to reboot?" ----> click "yes"

4) run the file rem.bat and let it scan.

5) then start the computer in normal mode.

#ClearProg.. download the latest version <1.4.0 Final
http://www.clearprog.de/downloads.php
<and clean the browser.
The program deletes the browsing traces of Internet Explorer from version 5.0, of Netscape/Mozilla and of Opera:
- cookies
- history
- temporary internet files (cache)
- the typed URLs


6) under C:\ there should now be a file named log.txt.
7) select its contents and paste it here.

create a fresh HijackThis log and post it together with the log.txt from rem.
__________
Regards, Sabina

all about PC security
This post was edited on 23.01.2005 at 22:07 by Sabina.
24.01.2005, 03:15
...new here

Thread starter

Posts: 8
#3 Hi Sabina,
thank you, this is what it looks like now:

Logfile of HijackThis v1.99.0
Scan saved at 02:46:28, on 24.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programme\Siemens\Gigaset USB Stick 54\Gcc.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\StarOffice6.0\program\soffice.exe
C:\Programme\Siemens\Gigaset USB Stick 54\OdHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\OLIVER~1.OLI\LOKALE~1\Temp\Rar$EX01.115\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von cablecom hispeed internet
R3 - URLSearchHook: Search - {9CD9ED88-318F-4782-BCCA-D3914AB5247E} - C:\WINDOWS\System32\Q1535337.dll
O2 - BHO: Search - {04C22C8E-8FC8-49E5-897A-CA6DEABBA0C1} - C:\WINDOWS\System32\Q1535337.dll
O2 - BHO: Search - {139C38F2-3533-48A0-BC68-0FEF3304918E} - C:\WINDOWS\System32\Q1535337.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Search - {4B02F362-76FF-4902-B0B8-D7620B8F6F61} - C:\WINDOWS\System32\Q1535337.dll
O3 - Toolbar: Search - {CD235C4B-326A-4F76-B917-60D013ECB157} - C:\WINDOWS\System32\Q1535337.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VOBID] C:\Programme\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [IW ControlCenter] C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Workflow] D:\Installs\Workflow.exe
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: StarOffice 6.0.lnk = C:\Programme\StarOffice6.0\program\quickstart.exe
O4 - Global Startup: Gigaset WLAN Adapter Monitor.lnk = C:\Programme\Siemens\Gigaset USB Stick 54\Gcc.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Search - {4B02F362-76FF-4902-B0B8-D7620B8F6F61} - C:\WINDOWS\System32\Q1535337.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Search - {CD235C4B-326A-4F76-B917-60D013ECB157} - C:\WINDOWS\System32\Q1535337.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O18 - Filter: text/html - {B75AAAA4-5B4A-4560-B404-18C3F45B7FC5} - C:\WINDOWS\System32\Q1535337.dll
O18 - Filter: text/plain - {B75AAAA4-5B4A-4560-B404-18C3F45B7FC5} - C:\WINDOWS\System32\Q1535337.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe


But the symptoms are still there, I hope you can help me with this
This post was edited on 24.01.2005 at 03:34 by Metteron.
24.01.2005, 11:07
Honorary member

Posts: 29434
#4 Hello @Metteron

I'm still waiting for the log from rem.bat
under C:\ there should now be a file named log.txt.
---------------------------------------------------------------------------------------
Disable System Restore
« XP
My Computer --> right-click, then Properties ---> System Restore tab ---> tick "Turn off System Restore on all drives".

Fix with HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R3 - URLSearchHook: Search - {9CD9ED88-318F-4782-BCCA-D3914AB5247E} - C:\WINDOWS\System32\Q1535337.dll
O2 - BHO: Search - {04C22C8E-8FC8-49E5-897A-CA6DEABBA0C1} - C:\WINDOWS\System32\Q1535337.dll
O2 - BHO: Search - {139C38F2-3533-48A0-BC68-0FEF3304918E} - C:\WINDOWS\System32\Q1535337.dll
O3 - Toolbar: Search - {4B02F362-76FF-4902-B0B8-D7620B8F6F61} - C:\WINDOWS\System32\Q1535337.dll
O3 - Toolbar: Search - {CD235C4B-326A-4F76-B917-60D013ECB157} - C:\WINDOWS\System32\Q1535337.dll
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Search - {4B02F362-76FF-4902-B0B8-D7620B8F6F61} - C:\WINDOWS\System32\Q1535337.dll
O9 - Extra button: Search - {CD235C4B-326A-4F76-B917-60D013ECB157} - C:\WINDOWS\System32\Q1535337.dll
O18 - Filter: text/html - {B75AAAA4-5B4A-4560-B404-18C3F45B7FC5} - C:\WINDOWS\System32\Q1535337.dll
O18 - Filter: text/plain - {B75AAAA4-5B4A-4560-B404-18C3F45B7FC5} - C:\WINDOWS\System32\Q1535337.dll

Restart the PC

Copy into the Killbox:
<Delete File on Reboot

C:\RECYCLER\Desktop.ini
C:\WINDOWS\System32\Q447553.dll
C:\WINDOWS\System32\Q1535337.dll

and click the red cross,
when asked "Do you want to reboot?" ----> click "yes"

Restart the PC


#Ad-aware SE Personal 1.05 Updated
http://fileforum.betanews.com/detail/965718306/1
Download--> update--> scan--> restart the PC--> scan again--> post me the log from the scan
---------------------------------------------------------------------------------------------
#eScan detection tool
eScan is available here free of charge under the name Free eScan Antivirus Toolkit Utility:
http://www.mwti.net/antivirus/free_utilities.asp

create the folder c:\bases
put escan into this folder
unpack the *.zip file mwav.zip
unpack the file into the folder c:\bases (important!) and then run kavupd.exe (update - in DOS)

go into safe mode
http://www.tu-berlin.de/www/software/virus/savemode.shtml

and start the scanner with "mwav.exe" [or: MWAVSCAN.COM]. Tick all the boxes:
Select: "all files", Memory, Startup-Folders, Registry, System Folders,
Services, Drive/All Local drives, Folder [C:\WINDOWS], Include SubDirectory
-->and click "Scan".

please do the following:
now open mwav.txt with the editor and go to Edit -> Find, and enter infected there

select each line that contains infected and paste it here, find next, and so on
and at the very bottom is the summary, post that here too
;)

#new start page
go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet Files, click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings there, confirm with Yes if prompted --> click Apply and finally OK, and set a new start page

+ post the new HijackThis log

__________
Regards, Sabina

all about PC security
This post was edited on 24.01.2005 at 11:25 by Sabina.
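As an added example (not code from this thread, from HijackThis or from the helper), a small Python triage script that applies the same checks the helper applied by hand in posts #2 and #4: orphaned hooks marked "(file missing)", R0/R1 start and search settings redirected or blanked, O15 Trusted Zone and O16 DPF entries pointing at raw IP addresses, O17 NameServer and O18 MIME filter entries, and one DLL registered under several IE hook types at once, as Q1535337.dll is in the second log. The sample log, the deny list of hijack hosts and the rule thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample in HijackThis 1.99 format, assembled from entries the two
# logs in this thread show (hosts, IPs and DLL names are the thread's own).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my-mail.ch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - URLSearchHook: Search - {B3CC3ADE-3C49-49BD-BD55-179723AAB0FB} - C:\WINDOWS\System32\Q447553.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: Search - {04C22C8E-8FC8-49E5-897A-CA6DEABBA0C1} - C:\WINDOWS\System32\Q1535337.dll
O3 - Toolbar: Search - {4B02F362-76FF-4902-B0B8-D7620B8F6F61} - C:\WINDOWS\System32\Q1535337.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O9 - Extra button: Search - {4B02F362-76FF-4902-B0B8-D7620B8F6F61} - C:\WINDOWS\System32\Q1535337.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O18 - Filter: text/html - {B75AAAA4-5B4A-4560-B404-18C3F45B7FC5} - C:\WINDOWS\System32\Q1535337.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
MODULE_RE = re.compile(r'([A-Za-z]:\\[^"\s]+?\.(?:dll|exe|ocx))', re.IGNORECASE)

# Hosts this thread identified as search hijackers (constructed deny list).
KNOWN_HIJACK_HOSTS = {"www.richfind.com", "richfind.com"}
# Entry types whose target DLL is loaded into Internet Explorer; one DLL registered
# under several of them at once is the pattern Q1535337.dll shows in this thread.
HOOK_CODES = {"R3", "O2", "O3", "O9", "O18"}


@dataclass
class Finding:
    code: str    # HijackThis section (R1, O17, ...) or "*" for cross-entry findings
    reason: str
    line: str


def is_bare_ip(host: str) -> bool:
    """True for hosts like 63.219.181.7 or *.63.219.181.7 (no DNS name involved)."""
    try:
        ip_address(host.lstrip("*."))
        return True
    except ValueError:
        return False


def triage(log_text: str) -> list[Finding]:
    """Flag the entry types the helper in this thread had fixed, plus one
    cross-entry check: the same DLL hooked into IE in several ways."""
    findings: list[Finding] = []
    modules: dict[str, set[str]] = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank and "Running processes" lines carry no entry
        code, body = m.group("code"), m.group("body")
        host_m = HOST_RE.search(body)
        host = host_m.group(1).lower() if host_m else None

        if "(file missing)" in body:
            findings.append(Finding(code, "hook points at a missing file (orphaned registration)", line))
        if code in ("R0", "R1"):
            if host in KNOWN_HIJACK_HOSTS:
                findings.append(Finding(code, f"IE start/search setting redirected to {host}", line))
            elif body.endswith("= about:blank") and "Start Page" not in body:
                findings.append(Finding(code, "search/default URL blanked (about:blank hijacker pattern)", line))
        elif code in ("O15", "O16") and host and is_bare_ip(host):
            what = "Trusted Zone granted to" if code == "O15" else "ActiveX (DPF) download from"
            findings.append(Finding(code, f"{what} raw IP {host}", line))
        elif code == "O17":
            findings.append(Finding(code, "NameServer set in registry; compare with the ISP's resolvers", line))
        elif code == "O18":
            findings.append(Finding(code, "MIME filter installed; legitimate software rarely needs one", line))

        if code in HOOK_CODES:
            for module in MODULE_RE.findall(body):
                modules[module.lower()].add(code)

    for module, codes in modules.items():
        if len(codes) >= 2:
            findings.append(Finding("*", f"{module} registered under {len(codes)} hook types: "
                                    + ", ".join(sorted(codes)), module))
    return findings


def summary(log_text: str) -> dict[str, int]:
    """Number of findings per HijackThis section, for a quick first look."""
    counts: dict[str, int] = defaultdict(int)
    for f in triage(log_text):
        counts[f.code] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n      {f.line}")
```

Entries the script does not flag (the O4 Run entry and the O23 service in the sample) still need the usual look at publisher and path; the rules only reproduce the checks this thread walked through.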
26.01.2005, 10:24
...new here

Thread starter

Posts: 8
#5 Sorry that I'm only getting back to you now, but I had a lot to do at work, and besides I have to confess that I have NEVER done what we're doing here before, but with your help it's going quite well, thanks for the tutoring ;)


Here is the rem log:

Files Found.................
----------------------------------------
run_dos.dll

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msi.dll
Finished

„You wanted me to:

Quote

Copy into the killbox:
-delete file on reboot

c:/recycler/destop.ini
c:/windows/system32/q447553.dll
c:/windows/system32/q1535337.dll
but I didn't have these files“

Here is the escan log:

Mon Jan 24 23:50:00 2005 => File C:\WINDOWS\system32\rdspclips.exe infected by "HackTool.Win32.Hidd.e" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:50:21 2005 => File C:\WINDOWS\msxmidi.exe infected by "Trojan-Dropper.Win32.Small.qi" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:50:22 2005 => File C:\WINDOWS\Ole32ws.dll infected by "not-a-virus:porn-Dialer.Win32.OnlineDialer" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:51:08 2005 => File C:\WINDOWS\System32\hdbvz.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:51:08 2005 => File C:\WINDOWS\System32\hdzow.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:51:12 2005 => File C:\WINDOWS\System32\iesp1.dll infected by "Trojan-Clicker.Win32.Agent.br" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:51:49 2005 => File C:\WINDOWS\System32\msxmidi.exe infected by "Trojan-Dropper.Win32.Small.qi" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:51:50 2005 => File C:\WINDOWS\System32\nbtrstat.exe infected by "Trojan-Clicker.Win32.Small.dg" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:52:19 2005 => File C:\WINDOWS\System32\sprestrst.exe infected by "Trojan.Win32.DNSChanger.b" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:52:28 2005 => File C:\WINDOWS\System32\tsmsetup.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:52:30 2005 => File C:\WINDOWS\System32\update.exe infected by "Trojan-Dropper.Win32.Small.qi" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:52:30 2005 => File C:\WINDOWS\System32\upncont.exe infected by "Trojan-Dropper.Win32.Small.qt" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:52:44 2005 => File C:\WINDOWS\System32\wowdbe.exe infected by "Trojan-Dropper.Win32.Small.qt" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:53:13 2005 => File C:\DOKUME~1\OLIVER~1.OLI\LOKALE~1\TEMPOR~1\Content.IE5\OOLUCG24\cax[1].cab infected by "not-a-virus:porn-Dialer.Win32.OnlineDialer" Virus. Action Taken: No Action Taken.

Mon Jan 24 23:53:24 2005 => Scanning File C:\DOKUME~1\OLIVER~1.OLI\LOKALE~1\TEMPOR~1\Content.IE5\U0JMVQ2K\infected6xz[1].gif

Mon Jan 24 23:53:28 2005 => File C:\DOKUME~1\OLIVER~1.OLI\LOKALE~1\TEMPOR~1\Content.IE5\Z985IXYA\connect[1].htm infected by "Trojan-Downloader.JS.Small.ac" Virus. Action Taken: No Action Taken.

Tue Jan 25 00:04:51 2005 => File C:\Dokumente und Einstellungen\Oliver.OLIVERLAPTOP\Eigene Dateien\Word\bgcolor.mim infected by "I-Worm.Klez.h" Virus. Action Taken: No Action Taken.


Tue Jan 25 00:05:23 2005 => File C:\Dokumente und Einstellungen\Oliver.OLIVERLAPTOP\Lokale Einstellungen\Temporary Internet Files\Content.IE5\OOLUCG24\cax[1].cab infected by "not-a-virus:porn-Dialer.Win32.OnlineDialer" Virus. Action Taken: No Action Taken.


Tue Jan 25 00:05:33 2005 => Scanning File C:\Dokumente und Einstellungen\Oliver.OLIVERLAPTOP\Lokale Einstellungen\Temporary Internet Files\Content.IE5\U0JMVQ2K\infected6xz[1].gif


Tue Jan 25 00:05:36 2005 => File C:\Dokumente und Einstellungen\Oliver.OLIVERLAPTOP\Lokale Einstellungen\Temporary Internet Files\Content.IE5\Z985IXYA\connect[1].htm infected by "Trojan-Downloader.JS.Small.ac" Virus. Action Taken: No Action Taken.


Tue Jan 25 00:15:12 2005 => File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\18241EC9.htm infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.


Tue Jan 25 00:15:12 2005 => File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\182748C6.class infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.


Tue Jan 25 00:15:12 2005 => File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\184118A9.CHM infected by "TrojanDownloader.VBS.Psyme.ac" Virus. Action Taken: No Action Taken.


Tue Jan 25 00:15:12 2005 => File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\18900853.htm infected by "Exploit.VBS.Phel.a" Virus. Action Taken: No Action Taken.


Tue Jan 25 00:15:12 2005 => File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\32351D1E.class infected by "Trojan.Java.ClassLoader.Dummy.a" Virus. Action Taken: No Action Taken.


Tue Jan 25 00:15:14 2005 => File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\3BE55571 infected by "not-a-virus:porn-Dialer.Win32.OnlineDialer" Virus. Action Taken: No Action Taken.


Tue Jan 25 00:15:14 2005 => File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\432B0893 infected by "not-a-virus:porn-Dialer.Win32.OnlineDialer" Virus. Action Taken: No Action Taken.


Tue Jan 25 00:15:14 2005 => File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\56D25FE5.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.

Tue Jan 25 00:15:14 2005 => File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\778A14C0.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: No Action Taken.


Tue Jan 25 00:52:58 2005 => File C:\WINDOWS\msxmidi.exe infected by "Trojan-Dropper.Win32.Small.qi" Virus. Action Taken: No Action Taken.


Tue Jan 25 00:52:59 2005 => File C:\WINDOWS\Ole32ws.dll infected by "not-a-virus:porn-Dialer.Win32.OnlineDialer" Virus. Action Taken: No Action Taken.


Tue Jan 25 01:01:53 2005 => File C:\WINDOWS\system32\hdbvz.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.


Tue Jan 25 01:01:53 2005 => File C:\WINDOWS\system32\hdzow.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.


Tue Jan 25 01:01:58 2005 => File C:\WINDOWS\system32\iesp1.dll infected by "Trojan-Clicker.Win32.Agent.br" Virus. Action Taken: No Action Taken.


Tue Jan 25 01:02:37 2005 => File C:\WINDOWS\system32\msxmidi.exe infected by "Trojan-Dropper.Win32.Small.qi" Virus. Action Taken: No Action Taken.


Tue Jan 25 01:02:39 2005 => File C:\WINDOWS\system32\nbtrstat.exe infected by "Trojan-Clicker.Win32.Small.dg" Virus. Action Taken: No Action Taken.


Tue Jan 25 01:03:47 2005 => File C:\WINDOWS\system32\sprestrst.exe infected by "Trojan.Win32.DNSChanger.b" Virus. Action Taken: No Action Taken.


Tue Jan 25 01:03:56 2005 => File C:\WINDOWS\system32\tsmsetup.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.


Tue Jan 25 01:03:58 2005 => File C:\WINDOWS\system32\update.exe infected by "Trojan-Dropper.Win32.Small.qi" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:03:58 2005 => File C:\WINDOWS\system32\upncont.exe infected by "Trojan-Dropper.Win32.Small.qt" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:04:26 2005 => File C:\WINDOWS\system32\wowdbe.exe infected by "Trojan-Dropper.Win32.Small.qt" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:10:59 2005 => File C:\WINDOWS\msxmidi.exe infected by "Trojan-Dropper.Win32.Small.qi" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:11:00 2005 => File C:\WINDOWS\Ole32ws.dll infected by "not-a-virus:porn-Dialer.Win32.OnlineDialer" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:19:34 2005 => File C:\WINDOWS\system32\hdbvz.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:19:34 2005 => File C:\WINDOWS\system32\hdzow.dll infected by "HackTool.Win32.Hidd.c" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:19:39 2005 => File C:\WINDOWS\system32\iesp1.dll infected by "Trojan-Clicker.Win32.Agent.br" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:20:17 2005 => File C:\WINDOWS\system32\msxmidi.exe infected by "Trojan-Dropper.Win32.Small.qi" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:20:19 2005 => File C:\WINDOWS\system32\nbtrstat.exe infected by "Trojan-Clicker.Win32.Small.dg" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:21:25 2005 => File C:\WINDOWS\system32\sprestrst.exe infected by "Trojan.Win32.DNSChanger.b" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:21:33 2005 => File C:\WINDOWS\system32\tsmsetup.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:21:35 2005 => File C:\WINDOWS\system32\update.exe infected by "Trojan-Dropper.Win32.Small.qi" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:21:35 2005 => File C:\WINDOWS\system32\upncont.exe infected by "Trojan-Dropper.Win32.Small.qt" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:22:04 2005 => File C:\WINDOWS\system32\wowdbe.exe infected by "Trojan-Dropper.Win32.Small.qt" Virus. Action Taken: No Action Taken.

Tue Jan 25 01:22:22 2005 => Total Disinfected Files: 0



Tue Jan 25 01:22:22 2005 => ***** Scanning complete. *****

Tue Jan 25 01:22:22 2005 => Total Files Scanned: 78448
Tue Jan 25 01:22:22 2005 => Total Virus(es) Found: 53
Tue Jan 25 01:22:22 2005 => Total Disinfected Files: 0
Tue Jan 25 01:22:22 2005 => Total Files Renamed: 0
Tue Jan 25 01:22:22 2005 => Total Deleted Files: 0
Tue Jan 25 01:22:22 2005 => Total Errors: 16
Tue Jan 25 01:22:22 2005 => Time Elapsed: 01:33:15
Tue Jan 25 01:22:22 2005 => Virus Database Date: 2005/01/24
Tue Jan 25 01:22:22 2005 => Virus Database Count: 116554

Tue Jan 25 01:22:22 2005 => Scan Completed.

Tue Jan 25 02:12:18 2005 => Virus Database Date: 2005/01/24
Tue Jan 25 02:12:18 2005 => Virus Database Count: 116554
Tue Jan 25 02:13:10 2005 => AV Library Unloaded (3)...
Tue Jan 25 23:28:40 2005 => **********************************************************
Tue Jan 25 23:28:40 2005 => eScan AntiVirus Toolkit Utility.
Tue Jan 25 23:28:40 2005 => Copyright © 2003-2004, MicroWorld Technologies Inc.
Tue Jan 25 23:28:40 2005 => **********************************************************
Tue Jan 25 23:28:40 2005 => Version 4.8.7 (C:\bases\mwavscan.com)
Tue Jan 25 23:28:40 2005 => Log File: C:\bases\MWAV.LOG
Tue Jan 25 23:28:40 2005 => Last Scan Date and Time: 24.01.2005 23:48:50
Tue Jan 25 23:28:43 2005 => Latest Date of files inside MWAV: 24 Jan 2005 07:01:08.
Tue Jan 25 23:28:47 2005 => AV Library Loaded...
Tue Jan 25 23:28:47 2005 => Scanning File C:\bases\kavss.exe
Tue Jan 25 23:28:47 2005 => Scanning File C:\bases\Getvlist.exe
Tue Jan 25 23:28:48 2005 => Scanning File C:\bases\kavss.dll
Tue Jan 25 23:28:48 2005 => Scanning File C:\bases\kavssdi.dll
Tue Jan 25 23:28:48 2005 => Scanning File C:\bases\kavssi.dll
Tue Jan 25 23:28:48 2005 => Scanning File C:\bases\kavvlg.dll
Tue Jan 25 23:28:48 2005 => Scanning File C:\bases\msvlclnt.dll
Tue Jan 25 23:28:48 2005 => Scanning File C:\bases\ipc.dll
Tue Jan 25 23:28:48 2005 => Scanning File C:\bases\main.avi
Tue Jan 25 23:28:48 2005 => Scanning File C:\bases\virus.avi
Tue Jan 25 23:28:48 2005 => Virus Database Date: 2005/01/24
Tue Jan 25 23:28:48 2005 => Virus Database Count: 116554


Here is the new HijackThis logfile:

Logfile of HijackThis v1.99.0
Scan saved at 01:13:49, on 26.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\StarOffice6.0\program\soffice.exe
C:\Programme\Messenger\msmsgs.exe
C:\DOKUME~1\OLIVER~1.OLI\LOKALE~1\Temp\Rar$EX00.702\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von cablecom hispeed internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Search - {1B306924-8878-49C2-A9B1-A8325171261E} - C:\WINDOWS\System32\Q611689.dll
R3 - URLSearchHook: Search - {E6895057-B902-4D53-83A6-67AB49391B5A} - C:\WINDOWS\System32\Q411812.dll
O2 - BHO: Search - {0E48F63E-E3A2-43E5-AC6F-7912458A8F87} - C:\WINDOWS\System32\Q611689.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Search - {A44CCC8B-3111-4C4F-A8E6-592979840F8A} - C:\WINDOWS\System32\Q411812.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DFA03BFB-C2E2-4DEF-9E5A-CBC5621ABCC0} - C:\WINDOWS\System32\msugm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: Search - {40AFFD00-86CE-4188-8B39-E47B255C3844} - C:\WINDOWS\System32\Q611689.dll
O3 - Toolbar: Search - {16020B9E-6F7D-430F-BA7A-50B55043527D} - C:\WINDOWS\System32\Q411812.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VOBID] C:\Programme\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [IW ControlCenter] C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [BJCFD] C:\Programme\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: StarOffice 6.0.lnk = C:\Programme\StarOffice6.0\program\quickstart.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Search - {16020B9E-6F7D-430F-BA7A-50B55043527D} - C:\WINDOWS\System32\Q411812.dll
O9 - Extra button: Search - {40AFFD00-86CE-4188-8B39-E47B255C3844} - C:\WINDOWS\System32\Q611689.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O18 - Filter: text/html - {214C5E18-E675-4E93-BE5E-BD0A9BE6B955} - C:\WINDOWS\System32\Q611689.dll
O18 - Filter: text/plain - {214C5E18-E675-4E93-BE5E-BD0A9BE6B955} - C:\WINDOWS\System32\Q611689.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe

thanks again for your patience.

regards, Olli
This post was edited on 26.01.2005 at 10:31 by Metteron.
26.01.2005, 11:40
Honorary member

Posts: 29434
#6 Hello @Metteron

Download the Registry Search Tool:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Double-click: regsrch.vbs

paste in:

{16020B9E-6F7D-430F-BA7A-50B55043527D}

Press 'OK'
wait until the search has finished. (Please post the result)

{1B306924-8878-49C2-A9B1-A8325171261E}

Press 'OK'
wait until the search has finished. (Please post the result)

{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}

Press 'OK'
wait until the search has finished. (Please post the result)

{A44CCC8B-3111-4C4F-A8E6-592979840F8A}

Press 'OK'
wait until the search has finished. (Please post the result)

{0E48F63E-E3A2-43E5-AC6F-7912458A8F87}

Press 'OK'
wait until the search has finished. (Please post the result)

{DFA03BFB-C2E2-4DEF-9E5A-CBC5621ABCC0}

Press 'OK'
wait until the search has finished. (Please post the result)

{E6895057-B902-4D53-83A6-67AB49391B5A}

Press 'OK'
wait until the search has finished. (Please post the result)

{40AFFD00-86CE-4188-8B39-E47B255C3844}

Press 'OK'
wait until the search has finished. (Please post the result)

{16020B9E-6F7D-430F-BA7A-50B55043527D}

Press 'OK'
wait until the search has finished. (Please post the result)

{40AFFD00-86CE-4188-8B39-E47B255C3844}

Press 'OK'
wait until the search has finished. (Please post the result)

{214C5E18-E675-4E93-BE5E-BD0A9BE6B955}

Press 'OK'
wait until the search has finished. (Please post the result)
--------------------------------------------------------------------------------------

Start > Run
paste in:

regsvr32 /u Q611689.dll

regsvr32 /u Q411812.dll

regsvr32 /u msugm.dll

fix with HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Search - {1B306924-8878-49C2-A9B1-A8325171261E} - C:\WINDOWS\System32\Q611689.dll
R3 - URLSearchHook: Search - {E6895057-B902-4D53-83A6-67AB49391B5A} - C:\WINDOWS\System32\Q411812.dll
O2 - BHO: Search - {0E48F63E-E3A2-43E5-AC6F-7912458A8F87} - C:\WINDOWS\System32\Q611689.dll
O2 - BHO: Search - {A44CCC8B-3111-4C4F-A8E6-592979840F8A} - C:\WINDOWS\System32\Q411812.dll
O2 - BHO: (no name) - {DFA03BFB-C2E2-4DEF-9E5A-CBC5621ABCC0} - C:\WINDOWS\System32\msugm.dll
O3 - Toolbar: Search - {40AFFD00-86CE-4188-8B39-E47B255C3844} - C:\WINDOWS\System32\Q611689.dll
O3 - Toolbar: Search - {16020B9E-6F7D-430F-BA7A-50B55043527D} - C:\WINDOWS\System32\Q411812.dll
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O9 - Extra button: Search - {16020B9E-6F7D-430F-BA7A-50B55043527D} - C:\WINDOWS\System32\Q411812.dll
O9 - Extra button: Search - {40AFFD00-86CE-4188-8B39-E47B255C3844} - C:\WINDOWS\System32\Q611689.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O18 - Filter: text/html - {214C5E18-E675-4E93-BE5E-BD0A9BE6B955} - C:\WINDOWS\System32\Q611689.dll
O18 - Filter: text/plain - {214C5E18-E675-4E93-BE5E-BD0A9BE6B955} - C:\WINDOWS\System32\Q611689.dll

Restart
--> into Safe Mode


remv3.bat --> please scan once more

#My Computer -> right-click --> Windows Explorer -> "Tools/Folder Options" ->
"View" -> untick "Hide protected operating system files (recommended)"
and enable "Show all files and folders" -> "OK"


Delete temporary files --> delete the files inside the folders, not the folders themselves
C:\WINDOWS\Temp\
C:\Temp\
C:\Dokumente und Einstellungen\OLIVER~1.OLI\Lokale Einstellungen\Temp\
C:\Dokumente und Einstellungen\Oliver.OLIVERLAPTOP\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ [do not delete the index.dat]

#C:\Windows\Downloaded Programm Files\ --> delete


Disk Cleanup: deleting the temporary files
Start > Run --> type in: cleanmgr
delete only:
#Click: Temporary Internet Files, OK
#Click: Temporary Files, OK

Delete:
C:\Dokumente und Einstellungen\Oliver.OLIVERLAPTOP\Eigene Dateien\Word\bgcolor.mim

KillBox
<Delete File on Reboot

and click the red cross;
when asked "Do you want to reboot?" ----> click "no" and paste in the next one; only for the last one click "yes"

C:\WINDOWS\System32\run_dos.dll
C:\WINDOWS\System32\msugm.dll
C:\WINDOWS\System32\Q611689.dll
C:\WINDOWS\System32\Q411812.dll
C:\WINDOWS\system32\rdspclips.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\Ole32ws.dll
C:\WINDOWS\System32\hdbvz.dll
C:\WINDOWS\System32\hdzow.dll
C:\WINDOWS\System32\iesp1.dll
C:\WINDOWS\System32\nbtrstat.exe
C:\WINDOWS\System32\sprestrst.exe
C:\WINDOWS\System32\tsmsetup.exe
C:\WINDOWS\System32\update.exe
C:\WINDOWS\System32\upncont.exe
C:\WINDOWS\System32\wowdbe.exe

Restart the PC

remv3.bat has created the file C:\log.txt. Post its contents here.
select the contents and paste them in here.

------------------------------------------------------------------------
#backdoor.agent.b.removal.tool.(Symantec)
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.removal.tool.html

#Search&Destroy
http://www.safer-networking.org/de/download/index.html
Spybot - Search && Destroy process list report --> please copy and post it

#Ad-aware SE Personal 1.05 Updated
http://fileforum.betanews.com/detail/965718306/1
Download --> update --> full scan --> restart the PC --> scan once more and post the scan log together with the rem.bat txt

#ClearProg.. download the latest version <1.4.0 Final
http://www.clearprog.de/downloads.php
<and clean the browser.
The program deletes the browsing traces of Internet Explorer from version 5.0, of Netscape/Mozilla and of Opera:
- cookies
- history
- temporary Internet files (cache)
- the typed-in URLs

_______________________________________________________________________________
scan once more with eScan and check whether everything was deleted; if not --> paste into KillBox again --> delete via restart

the same applies to the rem.bat --> whatever is listed as "not deleted" after the scan you will then have to delete manually


Files Found
----------------------------------------
xxxxxx.dlll

Files Not deleted.................


+ post the new HijackThis log
__________
Regards, Sabina

all about PC security
This post was edited on 26.01.2005 at 12:07 by Sabina.
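A triage script for the log above, added here as an example (it is not part of HijackThis, RegSrch or of Sabina's post): it parses the posted HijackThis lines, collects the CLSIDs registered for the flagged DLLs (the values to feed into the registry search and to re-check after `regsvr32 /u`), and lists every entry that loads those modules or points at richfind.com / 63.219.181.7. The module names and hosts come from the log in this thread; the sample input is a constructed subset of it.

```python
"""Triage helper for a HijackThis log (example code added to this thread; it is
not part of HijackThis, RegSrch or the original post).

Given the module names the helper flagged in the log above (Q611689.dll,
Q411812.dll, msugm.dll, rdspclips.exe) and the hosts it points at
(richfind.com, 63.219.181.7), it lists every entry loading those modules and
collects the CLSIDs registered for them, i.e. the keys to search the registry
for (RegSrch.vbs) before and after 'regsvr32 /u'."""
import re

CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von cablecom hispeed internet
R3 - URLSearchHook: Search - {1B306924-8878-49C2-A9B1-A8325171261E} - C:\WINDOWS\System32\Q611689.dll
R3 - URLSearchHook: Search - {E6895057-B902-4D53-83A6-67AB49391B5A} - C:\WINDOWS\System32\Q411812.dll
O2 - BHO: Search - {0E48F63E-E3A2-43E5-AC6F-7912458A8F87} - C:\WINDOWS\System32\Q611689.dll
O2 - BHO: Search - {A44CCC8B-3111-4C4F-A8E6-592979840F8A} - C:\WINDOWS\System32\Q411812.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: (no name) - {DFA03BFB-C2E2-4DEF-9E5A-CBC5621ABCC0} - C:\WINDOWS\System32\msugm.dll
O3 - Toolbar: Search - {40AFFD00-86CE-4188-8B39-E47B255C3844} - C:\WINDOWS\System32\Q611689.dll
O3 - Toolbar: Search - {16020B9E-6F7D-430F-BA7A-50B55043527D} - C:\WINDOWS\System32\Q411812.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O9 - Extra button: Search - {16020B9E-6F7D-430F-BA7A-50B55043527D} - C:\WINDOWS\System32\Q411812.dll
O9 - Extra button: Search - {40AFFD00-86CE-4188-8B39-E47B255C3844} - C:\WINDOWS\System32\Q611689.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.219.181.7/cax.cab
O18 - Filter: text/html - {214C5E18-E675-4E93-BE5E-BD0A9BE6B955} - C:\WINDOWS\System32\Q611689.dll
O18 - Filter: text/plain - {214C5E18-E675-4E93-BE5E-BD0A9BE6B955} - C:\WINDOWS\System32\Q611689.dll
"""

SUSPECT_MODULES = {"q611689.dll", "q411812.dll", "msugm.dll", "rdspclips.exe"}
SUSPECT_HOSTS = {"richfind.com", "63.219.181.7"}

def _basename(path):
    """Lower-cased file name of a Windows path, bare command or URL."""
    return path.strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()

def _o4_target(body):
    """Executable launched by an O4 autostart entry: '[name] "path" /args'."""
    cmd = body.split("] ", 1)[1] if "] " in body else body
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]   # quoted path, arguments follow
    return cmd.split(" /", 1)[0]          # bare path, optional /switches

def parse_entry(line):
    """Parse one HijackThis line into section, CLSIDs and the module it loads."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        module = _basename(_o4_target(body))
    elif " - " in body:
        module = _basename(body.rsplit(" - ", 1)[1])  # last field: file or URL
    else:
        module = None                                 # R1/O15 carry only a URL
    return {"section": section, "raw": line.strip(), "module": module,
            "clsids": [c.upper() for c in CLSID_RE.findall(body)]}

def clsids_for_modules(log_text, modules):
    """Sorted, de-duplicated CLSIDs registered for the given modules."""
    mods = {m.lower() for m in modules}
    found = set()
    for e in map(parse_entry, log_text.splitlines()):
        if e and e["module"] in mods:
            found.update(e["clsids"])
    return sorted(found)

def suspicious_entries(log_text, modules, hosts):
    """Raw lines to fix: entries loading a flagged module or naming a flagged
    host (search hijack, trusted-zone entry, DPF download)."""
    mods = {m.lower() for m in modules}
    return [e["raw"] for e in map(parse_entry, log_text.splitlines())
            if e and (e["module"] in mods or any(h in e["raw"] for h in hosts))]

if __name__ == "__main__":
    for mod in sorted(SUSPECT_MODULES):
        print(mod, "->", clsids_for_modules(SAMPLE_LOG, [mod]))
    print("\nEntries to fix:")
    for raw in suspicious_entries(SAMPLE_LOG, SUSPECT_MODULES, SUSPECT_HOSTS):
        print(" ", raw)
```

The CLSID list per DLL is what to paste into the registry search one by one; after `regsvr32 /u` and the reboot, a rerun against the fresh log should return empty lists for the flagged modules.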
27.01.2005, 16:52
Honorary member

Posts: 29434
#7 Hello @Metteron

Work through everything.... I am not making any more changes now
It may be that you will have to install another tool later, but first we will try it this way
__________
Regards, Sabina

all about PC security
This post was edited on 27.01.2005 at 16:53 by Sabina.
28.01.2005, 07:45
...new here

Thread starter

Posts: 8
#8 hello Sabina,
somehow I messed things up: I had created a separate file just for you, and somehow half of the logfiles have now disappeared; the only logfiles I still have are the Ad-Aware, HijackThis, ClearProg and eScan ones. Sorry, I hope the two of us can still get it under control this way, or would it be better if I started over from the beginning?

Ad-Aware SE Build 1.05
Logfile Created on:Donnerstag, 27. Januar 2005 23:27:27
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R26 25.01.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):11 total references
MRU List(TAC index:0):13 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


27.01.2005 23:27:27 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history


MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Oliver.OLIVERLAPTOP\recent
Description : list of recently opened documents


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 1132
ThreadCreationTime : 27.01.2005 22:25:03
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1244
ThreadCreationTime : 27.01.2005 22:25:05
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1272
ThreadCreationTime : 27.01.2005 22:25:07
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1316
ThreadCreationTime : 27.01.2005 22:25:07
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1328
ThreadCreationTime : 27.01.2005 22:25:07
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1492
ThreadCreationTime : 27.01.2005 22:25:08
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1676
ThreadCreationTime : 27.01.2005 22:25:08
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1828
ThreadCreationTime : 27.01.2005 22:25:08
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1976
ThreadCreationTime : 27.01.2005 22:25:09
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 564
ThreadCreationTime : 27.01.2005 22:25:10
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:11 [ccsetmgr.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 684
ThreadCreationTime : 27.01.2005 22:25:10
BasePriority : Normal
FileVersion : 2.1.3.4
ProductVersion : 2.1.3.4
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:12 [sndsrvc.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 716
ThreadCreationTime : 27.01.2005 22:25:10
BasePriority : Normal
FileVersion : 5.4.3.11
ProductVersion : 5.4
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:13 [ccevtmgr.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 776
ThreadCreationTime : 27.01.2005 22:25:10
BasePriority : Normal
FileVersion : 2.1.3.4
ProductVersion : 2.1.3.4
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:14 [atiptaxx.exe]
FilePath : C:\Programme\ATI Technologies\ATI Control Panel\
ProcessID : 1000
ThreadCreationTime : 27.01.2005 22:25:11
BasePriority : Normal
FileVersion : 6.14.10.4039
ProductVersion : 6.14.10.4039
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright (C) 1998-2002 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:15 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 1008
ThreadCreationTime : 27.01.2005 22:25:11
BasePriority : Normal
FileVersion : 5.0.18
ProductVersion : 5.0.18
ProductName : Realtek Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2003 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek AC97 Audio Sound Manager

#:16 [syntplpr.exe]
FilePath : C:\Programme\Synaptics\SynTP\
ProcessID : 1016
ThreadCreationTime : 27.01.2005 22:25:11
BasePriority : Normal
FileVersion : 6.6.0 05Jul02
ProductVersion : 6.6.0 05Jul02
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
LegalCopyright : Copyright (C) Synaptics, Inc. 1996-2002
OriginalFilename : SynTPLpr.exe

#:17 [syntpenh.exe]
FilePath : C:\Programme\Synaptics\SynTP\
ProcessID : 1024
ThreadCreationTime : 27.01.2005 22:25:11
BasePriority : Normal
FileVersion : 6.6.0 05Jul02
ProductVersion : 6.6.0 05Jul02
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Scrolleroo
LegalCopyright : Copyright (C) Synaptics, Inc. 1996-2002
OriginalFilename : SynTPEnh.exe

#:18 [iwctrl.exe]
FilePath : C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\
ProcessID : 1076
ThreadCreationTime : 27.01.2005 22:25:11
BasePriority : Normal
FileVersion : 4.0.2.7
ProductVersion : 4.0.0.0
ProductName : InstantWrite
CompanyName : Pinnacle Systems, Inc.
FileDescription : InstantWrite Control Center
InternalName : iwctrl
LegalCopyright : Copyright ©1997-2003 VOB Pinnacle Systems, Inc.

#:19 [directcd.exe]
FilePath : C:\Programme\Roxio\Easy CD Creator 5\DirectCD\
ProcessID : 1164
ThreadCreationTime : 27.01.2005 22:25:12
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright (c) 2001,2002, Roxio, Inc.
OriginalFilename : Directcd.exe

#:20 [ccapp.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 1192
ThreadCreationTime : 27.01.2005 22:25:12
BasePriority : Normal
FileVersion : 2.1.3.4
ProductVersion : 2.1.3.4
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
LegalCopyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:21 [cfd.exe]
FilePath : C:\Programme\BroadJump\Client Foundation\
ProcessID : 1212
ThreadCreationTime : 27.01.2005 22:25:12
BasePriority : Normal


#:22 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1656
ThreadCreationTime : 27.01.2005 22:25:13
BasePriority : Normal
FileVersion : 8.16
ProductVersion : 8.16
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:23 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1748
ThreadCreationTime : 27.01.2005 22:25:13
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:24 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1760
ThreadCreationTime : 27.01.2005 22:25:13
BasePriority : Normal
FileVersion : 8.16
ProductVersion : 8.16
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:25 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1716
ThreadCreationTime : 27.01.2005 22:25:13
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:26 [msmsgs.exe]
FilePath : C:\Programme\Messenger\
ProcessID : 1836
ThreadCreationTime : 27.01.2005 22:25:13
BasePriority : Normal
FileVersion : 4.7.2009
ProductVersion : Version 4.7
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 1997-2003
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:27 [spysweeper.exe]
FilePath : C:\Programme\Webroot\Spy Sweeper\
ProcessID : 1900
ThreadCreationTime : 27.01.2005 22:25:13
BasePriority : Normal
FileVersion : 3.0.0.118
ProductVersion : 3.0i
ProductName : Spy Sweeper
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper
LegalCopyright : Copyright (c) 2001-2004 Webroot Software, Inc.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.

#:28 [wincinemamgr.exe]
FilePath : C:\Programme\InterVideo\Common\Bin\
ProcessID : 148
ThreadCreationTime : 27.01.2005 22:25:14
BasePriority : Normal
FileVersion : 1.0
ProductVersion : 1, 0, 0, 1
ProductName : WinCinema Manager for InterVideo WinCinema products
FileDescription : WinCinema Manager
InternalName : WinCinema Manager
LegalCopyright : Copyright (C) 2000 InterVideo Inc.
OriginalFilename : WinCinemaMgr.EXE

#:29 [soffice.exe]
FilePath : C:\Programme\StarOffice6.0\program\
ProcessID : 300
ThreadCreationTime : 27.01.2005 22:25:15
BasePriority : Normal
FileVersion : 6.00.8546
ProductVersion : 6.00.8546
CompanyName : Sun Microsystems, Inc.
FileDescription : StarOffice 6.0
InternalName : SOFFICE
LegalCopyright : Copyright © 2000 by Sun Microsystems, Inc.
OriginalFilename : SOFFICE.EXE

#:30 [em_exec.exe]
FilePath : C:\Programme\Logitech\MouseWare\system\
ProcessID : 304
ThreadCreationTime : 27.01.2005 22:25:15
BasePriority : Normal
FileVersion : 9.80.019
ProductVersion : 9.80.019
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
LegalCopyright : (C) 1987-2004 Logitech. All rights reserved.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : Em_Exec.exe
Comments : Created by the MouseWare team

#:31 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2740
ThreadCreationTime : 27.01.2005 22:26:18
BasePriority : Normal


#:32 [ccproxy.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 2760
ThreadCreationTime : 27.01.2005 22:26:19
BasePriority : Normal
FileVersion : 2.1.3.4
ProductVersion : 2.1.3.4
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Network Proxy Service
InternalName : ccProxy
LegalCopyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccProxy.exe

#:33 [navapsvc.exe]
FilePath : C:\Programme\Norton Internet Security\Norton AntiVirus\
ProcessID : 2848
ThreadCreationTime : 27.01.2005 22:26:19
BasePriority : Normal
FileVersion : 10.00.2
ProductVersion : 10.00.2
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2004 for Windows 98/ME/2000/XP Copyright (c) 2003 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:34 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3168
ThreadCreationTime : 27.01.2005 22:26:20
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Automatische Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : wuauclt.exe

#:35 [savscan.exe]
FilePath : C:\Programme\Norton Internet Security\Norton AntiVirus\
ProcessID : 3912
ThreadCreationTime : 27.01.2005 22:26:27
BasePriority : Normal
FileVersion : 9.2.1.14
ProductVersion : 9.2
ProductName : Symantec AntiVirus AutoProtect
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus Scanner
InternalName : SAVSCAN
LegalCopyright : Copyright (c) 2003 Symantec Corporation
OriginalFilename : SAVSCAN.EXE

#:36 [ad-aware.exe]
FilePath : C:\Programme\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2344
ThreadCreationTime : 27.01.2005 22:26:39
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:37 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3284
ThreadCreationTime : 27.01.2005 22:27:20
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Automatische Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : wuauclt.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 13


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_USERS
Object : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\internet explorer\main
Value : HOMEOldSP

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : HOMEOldSP

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 15


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15



Deep scanning and examining files (C;)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 15




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/plain

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/plain
Value : CLSID

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/html

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/html
Value : CLSID

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search
Value : SearchAssistant

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\protocols\filter\text/html
Value : CLSID

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 9
Objects found so far: 24

23:37:45 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:17.858
Objects scanned:119848
Objects identified:11
Objects ignored:0
New critical objects:11

___________________________________________________________________________________________

and here the remlog:

Files Found.................
----------------------------------------
run_dos.dll

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msi.dll
Finished

____________________________________________________________________________________________

ClearProg:

Cookies des IE 0 Cookies 0 Byte
Cache des IE 2 Dateien 134 Byte
URLs des IE 0 Einträge ------
------------------------------------------------------------------------
Gelöschte Anzahl: 2 Einträge/Dateien
Gelöschte Datenmenge: (134 Byte)

_________________________________________________________________

and here the log from escan

Fri Jan 28 02:04:53 2005 => ***** Checking for specific ITW Viruses *****
Fri Jan 28 02:04:53 2005 => Checking for Welchia Virus...
Fri Jan 28 02:04:53 2005 => Checking for LovGate Virus...
Fri Jan 28 02:04:53 2005 => Checking for CodeRed Virus...
Fri Jan 28 02:04:53 2005 => Checking for OpaServ Virus...
Fri Jan 28 02:04:53 2005 => Checking for Sobig.e Virus...
Fri Jan 28 02:04:53 2005 => Checking for Winupie Virus...
Fri Jan 28 02:04:53 2005 => Checking for Swen Virus...
Fri Jan 28 02:04:53 2005 => Checking for JS.Fortnight Virus...
Fri Jan 28 02:04:53 2005 => Checking for Novarg Virus...
Fri Jan 28 02:04:53 2005 => Checking for Pagabot Virus...
Fri Jan 28 02:04:53 2005 => Checking for Parite.b Virus...
Fri Jan 28 02:04:53 2005 => Checking for Parite.a Virus...

Fri Jan 28 02:04:54 2005 => ***** Scanning complete. *****

Fri Jan 28 02:04:54 2005 => Total Files Scanned: 77435
Fri Jan 28 02:04:54 2005 => Total Virus(es) Found: 23
Fri Jan 28 02:04:54 2005 => Total Disinfected Files: 0
Fri Jan 28 02:04:54 2005 => Total Files Renamed: 0
Fri Jan 28 02:04:54 2005 => Total Deleted Files: 0
Fri Jan 28 02:04:54 2005 => Total Errors: 45
Fri Jan 28 02:04:54 2005 => Time Elapsed: 01:38:06
Fri Jan 28 02:04:54 2005 => Virus Database Date: 2005/01/24
Fri Jan 28 02:04:54 2005 => Virus Database Count: 116554

Fri Jan 28 02:04:54 2005 => Scan Completed


But here is an interim report for now; I am just repeating the Killbox step again. Just a question: wouldn't I make it easier for us if I formatted once and then only searched for and killed the remaining viruses, or is that not worth it any more?
I think it's really kind of you to have so much patience with me. Thank you for everything, see you later,
Regards, Olli al. Virenkiller
This post was edited on 29.01.2005 at 00:08 by Metteron.
28.01.2005, 07:45
...new here

Thread starter

Posts: 8
#9 double post/ double post/
This post was edited on 28.01.2005 at 10:26 by Sabina.
28.01.2005, 10:13
Honorary member

Posts: 29434
#10 Hello@Metteron

well, it does not work this way; I have already seen this with another user, but I wanted to be sure.
The Killbox does not seem to permanently delete the infected files that escan detects... or they are being reloaded.
Fri Jan 28 02:04:54 2005 => Total Virus(es) Found: 23

_________________________________________________________________________________

Do the following:

you must check very carefully whether your system "freezes" when you load the escan trial, simply because you also have Symantec active.
-->so deactivate Symantec

#eScan trial
http://www.mwti.net/antivirus/escan/escandl_antivirus.asp (15-day free trial version)

Killbox-> open
<Delete File on Reboot

C:\WINDOWS\System32\run_dos.dll

and click on the red cross,
when asked "Do you want to reboot? "----> click "yes"

--->
go into safe mode (this is important) and click on: awn2k3e.exe
do a full scan.

then post the new HijackThis log.
__________
Regards, Sabina

all about PC security
This post was edited on 28.01.2005 at 10:17 by Sabina.
28.01.2005, 17:10
...new here

Thread starter

Posts: 8
#11 Hi Sabina,

I could not carry this out because Run_Dos.dll was missing, but I did everything else

Quote

Killbox-> open
<Delete File on Reboot

C:\WINDOWS\System32\run_dos.dll

and click on the red cross,
when asked "Do you want to reboot? "----> click "yes"

Here is the result of escan

Fr Jan 28 16:34:17 2005 => ***** Scanning Completed. *****
Fr Jan 28 16:34:17 2005 =>
Fr Jan 28 16:34:17 2005 => Total Number of Files Scanned: 31755
Fr Jan 28 16:34:17 2005 => Total Number of Files Infected: 13
Fr Jan 28 16:34:17 2005 => Total Number of Files Disinfected: 0
Fr Jan 28 16:34:17 2005 => Total Number of Files Renamed: 3
Fr Jan 28 16:34:17 2005 => Total Number of Files Deleted: 10
Fr Jan 28 16:34:17 2005 => Total Number of Errors: 0
Fr Jan 28 16:34:17 2005 => Time Elapsed:: 00:34:26
_________________________________________________

and the hijackthis.log:

Logfile of HijackThis v1.99.0
Scan saved at 16:55:22, on 28.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Dokumente und Einstellungen\Oliver.OLIVERLAPTOP\Eigene Dateien\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von cablecom hispeed internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp1.dll (file missing)
O3 - Toolbar: Search - {18B0760D-86E1-46A7-B83E-08A34581833C} - C:\WINDOWS\System32\Q1677101.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VOBID] C:\Programme\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [IW ControlCenter] C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Programme\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: StarOffice 6.0.lnk = C:\Programme\StarOffice6.0\program\quickstart.exe
O9 - Extra button: Search - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Search - {18B0760D-86E1-46A7-B83E-08A34581833C} - C:\WINDOWS\System32\Q1677101.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{968D7E4A-C7A1-4904-BEFF-DDB380456F60}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A86F940E-86C6-4BA0-B67F-36DF00C0D1DA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE71992D-2F9C-4779-B19E-DF69372E718E}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O18 - Filter: text/html - {F026A0FB-2B37-480B-81DE-0FEA29869853} - C:\WINDOWS\System32\protect32.dll
O18 - Filter: text/plain - {F026A0FB-2B37-480B-81DE-0FEA29869853} - C:\WINDOWS\System32\protect32.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: eScan Server-Updater - MWTI2 - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: eScan Monitor Service - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe

________________________________

Regards, Olli
This post was edited on 29.01.2005 at 00:04 by Metteron.
29.01.2005, 00:49
Honorary member

Posts: 29434
#12 Download Registry Search Tool:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Double-click: regsrch.vbs

paste in:

{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}

Press 'OK'
wait until the search has finished. (please post the result)

{18B0760D-86E1-46A7-B83E-08A34581833C}

Press 'OK'
wait until the search has finished. (please post the result)

{00000000-0000-0000-0000-000000000000}

Press 'OK'
wait until the search has finished. (please post the result)

{F026A0FB-2B37-480B-81DE-0FEA29869853}

Press 'OK'
wait until the search has finished. (please post the result)
___________________________________________________________________________

Fix with HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp1.dll (file missing)
O3 - Toolbar: Search - {18B0760D-86E1-46A7-B83E-08A34581833C} - C:\WINDOWS\System32\Q1677101.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O9 - Extra button: Search - {18B0760D-86E1-46A7-B83E-08A34581833C} - C:\WINDOWS\System32\Q1677101.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{968D7E4A-C7A1-4904-BEFF-DDB380456F60}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A86F940E-86C6-4BA0-B67F-36DF00C0D1DA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE71992D-2F9C-4779-B19E-DF69372E718E}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O18 - Filter: text/html - {F026A0FB-2B37-480B-81DE-0FEA29869853} - C:\WINDOWS\System32\protect32.dll
O18 - Filter: text/plain - {F026A0FB-2B37-480B-81DE-0FEA29869853} - C:\WINDOWS\System32\protect32.dll

Restart the PC

Kill with the Killbox:
C:\WINDOWS\System32\protect32.dll/sp.html
C:\WINDOWS\System32\Q1677101.dll
C:\WINDOWS\System32\iesp1.dll
C:\WINDOWS\System32\protect32.dll

Restart the PC

#backdoor.agent.b.removal.tool.(Symantec)
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.removal.tool.html

Go into safe mode:

Disk Cleanup: and delete the temporary files
<Start<Run--> type in: cleanmgr
delete only:
#Click: Temporary Internet Files, o.k.
#Click: Temporary Files, o.k

then scan again with escan (but absolutely in safe mode)

#ClearProg..download the latest version <1.4.0 Final
http://www.clearprog.de/downloads.php
<and clean the browser.
The program deletes the surfing traces of Internet Explorer from version 5.0, of Netscape/Mozilla and of Opera:
- cookies
- history
- temporary internet files (cache)
- the entered URLs


#new start page
go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet Files, click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings there, confirm with Yes if asked --> click Apply and finally OK, and set a new start page

post the new HijackThis log.
__________
Regards, Sabina

all about PC security
This post was edited on 29.01.2005 at 00:54 by Sabina.
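The entries the helper tells the user to fix in the post above fall into a few recognisable patterns: IE search and start-page values pointing into a DLL resource (res://...protect32.dll), the HomeOldSP marker, toolbars and buttons whose file is gone or that sit under the null CLSID, NameServer entries written into the TCP/IP service key, and MIME filters on text/html and text/plain. As an added example, not code from the thread or from HijackThis, the following Python script turns those patterns into explicit rules and runs them over entry lines copied from the posted log; the rule set, the Finding type and the triage/check_entry names are my own.

```python
import re
from dataclasses import dataclass

NULL_CLSID = "{00000000-0000-0000-0000-000000000000}"

# Constructed sample input: entry lines copied from the HijackThis log posted
# in the thread, mixed with benign lines from the same log that must NOT fire.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\protect32.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp1.dll (file missing)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EEFAA4F-0185-4CA8-89FE-10A0B38120EA}: NameServer = 69.50.188.180,195.225.176.31
O18 - Filter: text/html - {F026A0FB-2B37-480B-81DE-0FEA29869853} - C:\WINDOWS\System32\protect32.dll
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "R1" or "O18"
    reason: str   # why the entry deserves attention
    line: str     # the original log line, unchanged


# Every HijackThis entry starts with a section code: "R0".."R3" or "O1".."O23".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# A res:// URL into a DLL is how the hijack serves its fake search page locally.
RES_DLL_RE = re.compile(r"res://.*\.dll", re.IGNORECASE)


def check_entry(section, body, line):
    """Apply the heuristics for one entry; return a Finding or None."""
    if section.startswith("R"):  # IE start/search page registry values
        if RES_DLL_RE.search(body) or "(obfuscated)" in body:
            return Finding(section, "IE search/start page points into a DLL resource", line)
        if ",HomeOldSP" in body:
            return Finding(section, "HomeOldSP value, a CoolWebSearch marker", line)
        if ",(Default) = http" in body:
            return Finding(section, "non-standard (Default) search URL under the IE key", line)
        return None
    if section in ("O2", "O3", "O9"):  # BHOs, toolbars, extra buttons
        if "(file missing)" in body or "(no file)" in body:
            return Finding(section, "registered browser component whose file is gone", line)
        if NULL_CLSID in body:
            return Finding(section, "browser component registered under the null CLSID", line)
        return None
    if section == "O10" and "missing" in body:
        return Finding(section, "Winsock LSP chain broken by a missing provider", line)
    if section == "O17":  # DNS settings written into the TCP/IP service key
        servers = body.split("NameServer =")[-1].strip()
        return Finding(section, "DNS servers set in registry, confirm they are the ISP's: " + servers, line)
    if section == "O18" and body.startswith("Filter: "):
        mime = body.split(" - ")[0][len("Filter: "):]
        if mime in ("text/html", "text/plain"):
            return Finding(section, "MIME filter on " + mime + " can rewrite every page IE renders", line)
    return None


def triage(log_text):
    """Return the flagged entries of a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, process list and blank lines carry no entry
        finding = check_entry(m.group(1), m.group(2), line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
        print("    " + f.line)
```

O17 entries are reported for review rather than as malicious, because the right answer depends on which resolvers the ISP actually assigns; the other rules fire only on patterns that have no legitimate use on a home PC.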
29.01.2005, 15:34
...new here

Thread starter

Posts: 8
#13 Hi Sabina,

escan found nothing, just like Ad-Aware; only Search & Destroy still found four, but unfortunately I just can't manage to copy that for you. Is it done?

If so, then not completely, because when I go online the taskbar still shows Search Bar = http:........., or is that correct?


______________________________
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}" 29.01.2005 01:03:00

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}"=hex(4):46,72,65,73,68,42,61,72,00

____________________

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{18B0760D-86E1-46A7-B83E-08A34581833C}" 29.01.2005 01:05:54

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18B0760D-86E1-46A7-B83E-08A34581833C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18B0760D-86E1-46A7-B83E-08A34581833C}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{18B0760D-86E1-46A7-B83E-08A34581833C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{18B0760D-86E1-46A7-B83E-08A34581833C}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{18B0760D-86E1-46A7-B83E-08A34581833C}\Implemented Categories\{00021494-0000-0000-C000-000000000046}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{18B0760D-86E1-46A7-B83E-08A34581833C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{18B0760D-86E1-46A7-B83E-08A34581833C}]
"BandCLSID"="{18B0760D-86E1-46A7-B83E-08A34581833C}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{18B0760D-86E1-46A7-B83E-08A34581833C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{18B0760D-86E1-46A7-B83E-08A34581833C}"="Search"

[HKEY_USERS\S-1-5-21-436374069-746137067-854245398-1004\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{18B0760D-86E1-46A7-B83E-08A34581833C}"=dword:0000200d

_____________________________________________

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{00000000-0000-0000-0000-000000000000}" 29.01.2005 01:07:21

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31345649-0000-0010-8000-00AA00389B71}\Pins\Output\Types\{73646976-0000-0010-8000-00AA00389B71}\{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4CB63E61-C611-11D0-83AA-000092900184}\Pins\Output\Types\{73646976-0000-0010-8000-00AA00389B71}\{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A2551F60-705F-11CF-A424-00AA003735BE}\Pins\Input\Types\{73646976-0000-0010-8000-00AA00389B71}\{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{00000000-0000-0000-0000-000000000000}\Implemented Categories]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{00000000-0000-0000-0000-000000000000}\Implemented Categories\{00021494-0000-0000-C000-000000000046}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{BB07BACD-CD56-4e63-A8FF-CBF0355FB9F4}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{BB07BACD-CD56-4e63-A8FF-CBF0355FB9F4}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{BB07BACD-CD56-4e63-A8FF-CBF0355FB9F4}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D0565000-9DF4-11D1-A281-00C04FCA0AA7}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D0565000-9DF4-11D1-A281-00C04FCA0AA7}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D0565000-9DF4-11D1-A281-00C04FCA0AA7}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D5978630-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D5978630-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D5978630-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D5978640-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D5978640-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D5978640-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D5978650-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D5978650-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{D5978650-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{ECABB0C3-7F19-11D2-978E-0000F8757E2A}-{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{ECABB0C3-7F19-11D2-978E-0000F8757E2A}-{41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{ECABB0C6-7F19-11D2-978E-0000F8757E2A}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{ECABB0C6-7F19-11D2-978E-0000F8757E2A}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{ECABB0C6-7F19-11D2-978E-0000F8757E2A}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{D789AB02-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{D789AB02-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{D789AB02-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{D789AB02-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{D789AB02-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{D789AB02-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}\PublisherProperties]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{02D3EB1A-D009-41B8-81CA-2E0EA4634DEF}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{02D3EB1A-D009-41B8-81CA-2E0EA4634DEF}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{02D3EB1A-D009-41B8-81CA-2E0EA4634DEF}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{02D3EB1A-D009-41B8-81CA-2E0EA4634DEF}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{02D3EB1A-D009-41B8-81CA-2E0EA4634DEF}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{19AABA67-B25F-4919-B5DA-52EB9E180C53}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{19AABA67-B25F-4919-B5DA-52EB9E180C53}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{19AABA67-B25F-4919-B5DA-52EB9E180C53}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{19AABA67-B25F-4919-B5DA-52EB9E180C53}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{19AABA67-B25F-4919-B5DA-52EB9E180C53}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{57A43E27-8269-4588-8512-136731B20D79}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{57A43E27-8269-4588-8512-136731B20D79}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{57A43E27-8269-4588-8512-136731B20D79}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{57A43E27-8269-4588-8512-136731B20D79}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{57A43E27-8269-4588-8512-136731B20D79}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{6697B9EC-7219-4954-A336-498C9B806394}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{6697B9EC-7219-4954-A336-498C9B806394}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{6697B9EC-7219-4954-A336-498C9B806394}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{6697B9EC-7219-4954-A336-498C9B806394}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{6697B9EC-7219-4954-A336-498C9B806394}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{6697B9EC-7219-4954-A336-498C9B806394}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}\SubscriberProperties]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BAE41415-F42C-4180-9025-8EB70BE8F943}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BAE41415-F42C-4180-9025-8EB70BE8F943}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BAE41415-F42C-4180-9025-8EB70BE8F943}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BAE41415-F42C-4180-9025-8EB70BE8F943}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BAE41415-F42C-4180-9025-8EB70BE8F943}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BBBEB7AA-8547-497C-864A-908EB118B688}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BBBEB7AA-8547-497C-864A-908EB118B688}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BBBEB7AA-8547-497C-864A-908EB118B688}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BBBEB7AA-8547-497C-864A-908EB118B688}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BBBEB7AA-8547-497C-864A-908EB118B688}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BBFAF7C7-9B5D-4D6A-93CE-F02DA42D4668}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BBFAF7C7-9B5D-4D6A-93CE-F02DA42D4668}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BBFAF7C7-9B5D-4D6A-93CE-F02DA42D4668}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BBFAF7C7-9B5D-4D6A-93CE-F02DA42D4668}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{BBFAF7C7-9B5D-4D6A-93CE-F02DA42D4668}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{E8E63809-F6F3-4A01-A433-0DD4B98CFF6B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{E8E63809-F6F3-4A01-A433-0DD4B98CFF6B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{E8E63809-F6F3-4A01-A433-0DD4B98CFF6B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{E8E63809-F6F3-4A01-A433-0DD4B98CFF6B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{E8E63809-F6F3-4A01-A433-0DD4B98CFF6B}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{EFDB684B-FC4B-4E80-A46F-22A758387235}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{EFDB684B-FC4B-4E80-A46F-22A758387235}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{EFDB684B-FC4B-4E80-A46F-22A758387235}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"EventClassApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{EFDB684B-FC4B-4E80-A46F-22A758387235}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberPartitionID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\{EFDB684B-FC4B-4E80-A46F-22A758387235}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
"SubscriberApplicationID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{00000000-0000-0000-0000-000000000000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{00000000-0000-0000-0000-000000000000}]
"BandCLSID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{00000000-0000-0000-0000-000000000000}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tuning Spaces\1]
"Network Type"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tuning Spaces\2]
"Network Type"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tuning Spaces\5]
"Network Type"="{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00000000-0000-0000-0000-000000000000}"="Search"

[HKEY_USERS\.DEFAULT\Identities]
"Last User ID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"DSGuid"="{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-19\Identities]
"Last User ID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-19\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"DSGuid"="{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-20\Identities]
"Last User ID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-20\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"DSGuid"="{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-21-436374069-746137067-854245398-1004\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"DSGuid"="{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-21-436374069-746137067-854245398-1004\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{00000000-0000-0000-0000-000000000000}"=dword:0000200e

[HKEY_USERS\S-1-5-18\Identities]
"Last User ID"="{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-18\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"DSGuid"="{00000000-0000-0000-0000-000000000000}"
_________________________________________________________

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{F026A0FB-2B37-480B-81DE-0FEA29869853}" 29.01.2005 01:08:52

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F026A0FB-2B37-480B-81DE-0FEA29869853}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F026A0FB-2B37-480B-81DE-0FEA29869853}\InProcServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
"CLSID"="{F026A0FB-2B37-480B-81DE-0FEA29869853}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain]
"CLSID"="{F026A0FB-2B37-480B-81DE-0FEA29869853}"

_________________________________________________________

eScan:

Sa Jan 29 14:29:59 2005 => ***** Scanning Completed. *****
Sa Jan 29 14:29:59 2005 =>
Sa Jan 29 14:29:59 2005 => Total Number of Files Scanned: 31394
Sa Jan 29 14:29:59 2005 => Total Number of Files Infected: 0
Sa Jan 29 14:29:59 2005 => Total Number of Files Disinfected: 0
Sa Jan 29 14:29:59 2005 => Total Number of Files Renamed: 0
Sa Jan 29 14:29:59 2005 => Total Number of Files Deleted: 0
Sa Jan 29 14:29:59 2005 => Total Number of Errors: 0
Sa Jan 29 14:29:59 2005 => Time Elapsed:: 00:33:06

___________________________________________________________


Ad-Aware SE Build 1.05
Logfile Created on:Samstag, 29. Januar 2005 14:56:32
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R26 25.01.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):15 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


29.01.2005 14:56:33 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-21-436374069-746137067-854245398-1004\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history


MRU List Object Recognized!
Location: : C:\Dokumente und Einstellungen\Oliver.OLIVERLAPTOP\recent
Description : list of recently opened documents


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 800
ThreadCreationTime : 29.01.2005 13:52:38
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 876
ThreadCreationTime : 29.01.2005 13:52:39
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 908
ThreadCreationTime : 29.01.2005 13:52:42
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 960
ThreadCreationTime : 29.01.2005 13:52:42
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 972
ThreadCreationTime : 29.01.2005 13:52:42
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1148
ThreadCreationTime : 29.01.2005 13:52:43
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1300
ThreadCreationTime : 29.01.2005 13:52:43
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1512
ThreadCreationTime : 29.01.2005 13:52:43
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1588
ThreadCreationTime : 29.01.2005 13:52:43
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1836
ThreadCreationTime : 29.01.2005 13:52:44
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:11 [ccsetmgr.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 1944
ThreadCreationTime : 29.01.2005 13:52:44
BasePriority : Normal
FileVersion : 2.1.3.4
ProductVersion : 2.1.3.4
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:12 [sndsrvc.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 1956
ThreadCreationTime : 29.01.2005 13:52:45
BasePriority : Normal
FileVersion : 5.4.3.11
ProductVersion : 5.4
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:13 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 284
ThreadCreationTime : 29.01.2005 13:52:45
BasePriority : Normal
FileVersion : 8.16
ProductVersion : 8.16
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:14 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 316
ThreadCreationTime : 29.01.2005 13:52:45
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:15 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 332
ThreadCreationTime : 29.01.2005 13:52:46
BasePriority : Normal
FileVersion : 8.16
ProductVersion : 8.16
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : (C) 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:16 [atiptaxx.exe]
FilePath : C:\Programme\ATI Technologies\ATI Control Panel\
ProcessID : 368
ThreadCreationTime : 29.01.2005 13:52:46
BasePriority : Normal
FileVersion : 6.14.10.4039
ProductVersion : 6.14.10.4039
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright (C) 1998-2002 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:17 [soundman.exe]
FilePath : C:\WINDOWS\
ProcessID : 380
ThreadCreationTime : 29.01.2005 13:52:46
BasePriority : Normal
FileVersion : 5.0.18
ProductVersion : 5.0.18
ProductName : Realtek Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2003 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek AC97 Audio Sound Manager

#:18 [syntpenh.exe]
FilePath : C:\Programme\Synaptics\SynTP\
ProcessID : 416
ThreadCreationTime : 29.01.2005 13:52:46
BasePriority : Normal
FileVersion : 6.6.0 05Jul02
ProductVersion : 6.6.0 05Jul02
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Scrolleroo
LegalCopyright : Copyright (C) Synaptics, Inc. 1996-2002
OriginalFilename : SynTPEnh.exe

#:19 [iwctrl.exe]
FilePath : C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\
ProcessID : 572
ThreadCreationTime : 29.01.2005 13:52:46
BasePriority : Normal
FileVersion : 4.0.2.7
ProductVersion : 4.0.0.0
ProductName : InstantWrite
CompanyName : Pinnacle Systems, Inc.
FileDescription : InstantWrite Control Center
InternalName : iwctrl
LegalCopyright : Copyright ©1997-2003 VOB Pinnacle Systems, Inc.

#:20 [directcd.exe]
FilePath : C:\Programme\Roxio\Easy CD Creator 5\DirectCD\
ProcessID : 664
ThreadCreationTime : 29.01.2005 13:52:47
BasePriority : Normal
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright (c) 2001,2002, Roxio, Inc.
OriginalFilename : Directcd.exe

#:21 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 740
ThreadCreationTime : 29.01.2005 13:52:47
BasePriority : Normal


#:22 [ccproxy.exe]
FilePath : C:\Programme\Gemeinsame Dateien\Symantec Shared\
ProcessID : 764
ThreadCreationTime : 29.01.2005 13:52:47
BasePriority : Normal
FileVersion : 2.1.3.4
ProductVersion : 2.1.3.4
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Network Proxy Service
InternalName : ccProxy
LegalCopyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccProxy.exe

#:23 [avpmwrap.exe]
FilePath : C:\PROGRA~1\eScan\
ProcessID : 1044
ThreadCreationTime : 29.01.2005 13:52:48
BasePriority : Normal
FileVersion : 4, 0, 0, 1
ProductVersion : 2.6
ProductName : eScan for Windows
CompanyName : MicroWorld Technologies Inc.
FileDescription : AVPMWrap
InternalName : AVPMWrap
LegalCopyright : Copyright © 2003-2005 MicroWorld
OriginalFilename : AVPMWrap.EXE

#:24 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1096
ThreadCreationTime : 29.01.2005 13:52:48
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:25 [msmsgs.exe]
FilePath : C:\Programme\Messenger\
ProcessID : 1016
ThreadCreationTime : 29.01.2005 13:52:48
BasePriority : Normal
FileVersion : 4.7.2009
ProductVersion : Version 4.7
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 1997-2003
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:26 [spysweeper.exe]
FilePath : C:\Programme\Webroot\Spy Sweeper\
ProcessID : 1192
ThreadCreationTime : 29.01.2005 13:52:48
BasePriority : Normal
FileVersion : 3.0.0.118
ProductVersion : 3.0i
ProductName : Spy Sweeper
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper
LegalCopyright : Copyright (c) 2001-2004 Webroot Software, Inc.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.

#:27 [traysser.exe]
FilePath : C:\PROGRA~1\eScan\
ProcessID : 1196
ThreadCreationTime : 29.01.2005 13:52:48
BasePriority : Normal
FileVersion : 4, 0, 0, 1
ProductVersion : 4, 0, 0, 1
ProductName : MWTI2 TRAYSSER
CompanyName : MWTI2
FileDescription : TRAYSSER
InternalName : TRAYSSER
LegalCopyright : Copyright © 2004
OriginalFilename : TRAYSSER.exe

#:28 [avpm.exe]
FilePath : C:\PROGRA~1\eScan\
ProcessID : 1240
ThreadCreationTime : 29.01.2005 13:52:48
BasePriority : Normal
FileVersion : 4.2.0.58
ProductVersion : 4.2.0.0
ProductName : Kaspersky Anti-Virus
CompanyName : Kaspersky Labs.
FileDescription : KAV Monitor main module
InternalName : AvpM
LegalCopyright : Copyright (c) Kaspersky Labs. 1996-2002.
LegalTrademarks : Kaspersky Anti-Virus(R) and AVP(R) are registered trademarks of Kaspersky Labs.
OriginalFilename : AvpM.Exe
Comments : Victor Matiouchenkov [victor@avp.ru]

#:29 [em_exec.exe]
FilePath : C:\Programme\Logitech\MouseWare\system\
ProcessID : 1256
ThreadCreationTime : 29.01.2005 13:52:49
BasePriority : Normal
FileVersion : 9.80.019
ProductVersion : 9.80.019
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
LegalCopyright : (C) 1987-2004 Logitech. All rights reserved.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : Em_Exec.exe
Comments : Created by the MouseWare team

#:30 [maildisp.exe]
FilePath : C:\PROGRA~1\eScan\
ProcessID : 1548
ThreadCreationTime : 29.01.2005 13:52:51
BasePriority : Normal
FileVersion : 4, 0, 0, 1
ProductVersion : 4, 0, 0, 1
ProductName : MAILDISP
CompanyName : MicroWorld Technologies Inc.
FileDescription : MAILDISP
InternalName : MAILDISP
LegalCopyright : Copyright © 2004
OriginalFilename : MAILDISP.exe

#:31 [soffice.exe]
FilePath : C:\Programme\StarOffice6.0\program\
ProcessID : 1616
ThreadCreationTime : 29.01.2005 13:52:51
BasePriority : Normal
FileVersion : 6.00.8546
ProductVersion : 6.00.8546
CompanyName : Sun Microsystems, Inc.
FileDescription : StarOffice 6.0
InternalName : SOFFICE
LegalCopyright : Copyright © 2000 by Sun Microsystems, Inc.
OriginalFilename : SOFFICE.EXE

#:32 [locator.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1864
ThreadCreationTime : 29.01.2005 13:52:52
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Rpc Locator
InternalName : locator.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : locator.exe

#:33 [mailscan.exe]
FilePath : C:\PROGRA~1\eScan\
ProcessID : 1372
ThreadCreationTime : 29.01.2005 13:52:54
BasePriority : Normal
FileVersion : 4, 0, 0, 1
ProductVersion : 4, 0, 0, 1
ProductName : MAILSCAN
CompanyName : MicroWorld Technologies Inc.
FileDescription : MAILSCAN
InternalName : MAILSCAN
LegalCopyright : Copyright © 2004
OriginalFilename : MAILSCAN.exe

#:34 [kavss.exe]
FilePath : C:\PROGRA~1\eScan\
ProcessID : 1164
ThreadCreationTime : 29.01.2005 13:52:55
BasePriority : Normal
FileVersion : 4.0.2.10
ProductVersion : 4.0.2.10
ProductName : Kaspersky Anti-Virus Scanner Server
CompanyName : Kaspersky Lab.
FileDescription : Kaspersky Anti-Virus Single Scanner
InternalName : kavss.exe
LegalCopyright : Copyright (C) 1999-2002 Kaspersky Lab.
LegalTrademarks : Kaspersky is a registered trademark of Kaspersky Lab.
OriginalFilename : kavss.exe
Comments : Dmitry A. Ryabov [ryabov@kaspersky.com]

#:35 [spooler.exe]
FilePath : C:\PROGRA~1\eScan\
ProcessID : 1528
ThreadCreationTime : 29.01.2005 13:52:55
BasePriority : Normal
FileVersion : 4, 0, 0, 1
ProductVersion : 4, 0, 0, 1
ProductName : spooler
CompanyName : MicroWorld Technologies Inc.
FileDescription : spooler
InternalName : spooler
LegalCopyright : Copyright © 2004 MicroWorld Technologies Inc.
OriginalFilename : spooler.exe

#:36 [avpm.exe]
FilePath : C:\PROGRA~1\eScan\
ProcessID : 2876
ThreadCreationTime : 29.01.2005 13:53:18
BasePriority : Normal
FileVersion : 4.2.0.58
ProductVersion : 4.2.0.0
ProductName : Kaspersky Anti-Virus
CompanyName : Kaspersky Labs.
FileDescription : KAV Monitor main module
InternalName : AvpM
LegalCopyright : Copyright (c) Kaspersky Labs. 1996-2002.
LegalTrademarks : Kaspersky Anti-Virus(R) and AVP(R) are registered trademarks of Kaspersky Labs.
OriginalFilename : AvpM.Exe
Comments : Victor Matiouchenkov [victor@avp.ru]

#:37 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3652
ThreadCreationTime : 29.01.2005 13:53:39
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Automatische Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : wuauclt.exe

#:38 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2904
ThreadCreationTime : 29.01.2005 13:54:39
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Automatische Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : wuauclt.exe

#:39 [syntplpr.exe]
FilePath : C:\Programme\Synaptics\SynTP\
ProcessID : 3108
ThreadCreationTime : 29.01.2005 13:55:52
BasePriority : Normal
FileVersion : 6.6.0 05Jul02
ProductVersion : 6.6.0 05Jul02
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
LegalCopyright : Copyright (C) Synaptics, Inc. 1996-2002
OriginalFilename : SynTPLpr.exe

#:40 [ad-aware.exe]
FilePath : C:\Programme\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2396
ThreadCreationTime : 29.01.2005 13:56:07
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 15




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15

15:02:52 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:19.225
Objects scanned:96174
Objects identified:0
Objects ignored:0
New critical objects:0

______________________________________________________

Logfile of HijackThis v1.99.0
Scan saved at 15:21:18, on 29.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\PROGRA~1\eScan\avpm.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\eScan\MAILDISP.EXE
C:\Programme\StarOffice6.0\program\soffice.exe
C:\WINDOWS\System32\locator.exe
C:\PROGRA~1\eScan\MAILSCAN.EXE
C:\PROGRA~1\eScan\kavss.exe
C:\PROGRA~1\eScan\SPOOLER.EXE
C:\PROGRA~1\eScan\AvpM.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Dokumente und Einstellungen\Oliver.OLIVERLAPTOP\Eigene Dateien\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von cablecom hispeed internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VOBID] C:\Programme\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [IW ControlCenter] C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Programme\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: StarOffice 6.0.lnk = C:\Programme\StarOffice6.0\program\quickstart.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: eScan Server-Updater - MWTI2 - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: eScan Monitor Service - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe

________________________________________

Regards ;) ;) ;)
29.01.2005, 23:22
Honorary member
Sabina

Posts: 29434
#14 Hello @Metteron

it already looks much better ;)

Restart
--> into Safe Mode

remv3.bat --> scan once more, please

then post the txt log from rem, set a new start page in Internet Explorer and post the HijackThis log
__________
Kind regards, Sabina

all about PC security
This post was edited by Sabina on 29.01.2005 at 23:24.
30.01.2005, 23:31
...new here

Thread starter

Posts: 8
#15 Hi Sabina, here are the rem and HijackThis logs/files.

Could you also recommend a few programs to me so that I don't get into trouble, or rather frayed nerves, again so quickly? ;)




Files Found.................


----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msi.dll
Finished
____________________________

Logfile of HijackThis v1.99.0
Scan saved at 23:20:44, on 30.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\eScan\TRAYICOS.EXE
C:\PROGRA~1\eScan\AVPMWrap.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\eScan\MAILDISP.EXE
C:\Programme\StarOffice6.0\program\soffice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\PROGRA~1\eScan\TRAYSSER.EXE
C:\PROGRA~1\eScan\avpm.exe
C:\WINDOWS\System32\locator.exe
C:\PROGRA~1\eScan\SPOOLER.EXE
C:\PROGRA~1\eScan\MAILSCAN.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\eScan\kavss.exe
C:\PROGRA~1\eScan\AvpM.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\Oliver.OLIVERLAPTOP\Eigene Dateien\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von cablecom hispeed internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VOBID] C:\Programme\Pinnacle\InstantCDDVD\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [IW ControlCenter] C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programme\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MailScan Dispatcher] "C:\Programme\eScan\LAUNCH.EXE"
O4 - HKLM\..\Run: [eScan Updater] C:\PROGRA~1\eScan\TRAYICOS.EXE /App
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: StarOffice 6.0.lnk = C:\Programme\StarOffice6.0\program\quickstart.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: eScan Server-Updater - MWTI2 - C:\PROGRA~1\eScan\TRAYSSER.EXE
O23 - Service: eScan Monitor Service - Kaspersky Labs. - C:\PROGRA~1\eScan\avpm.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe


Regards, Olli
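What the thread is chasing is visible by comparing the two HijackThis logs above: the `R1 ... Search Bar = http://www.richfind.com/ie/` entry is absent from the 29.01.2005 log and back in the 30.01.2005 log, which is the signature of a hijacker that re-creates the setting after it is removed. The script below is an added example, not part of the thread and not a HijackThis feature. It parses the entry lines of two logs, reports which entries were added or removed between the scans, and flags R0/R1/R3 browser-setting entries whose URL points at a host outside an allowlist. The two log excerpts are constructed from the logs posted on 29.01.2005 and 30.01.2005 above (selected lines only); the allowlist host `cablecom.ch` is an assumption based on the ISP named in the Window Title entry.

```python
"""Diff two HijackThis logs and flag browser-setting entries that point off-site.

Added example (not part of the thread, not a HijackThis feature). The two log
excerpts below are constructed from the HijackThis logs posted in this thread on
29.01.2005 and 30.01.2005; the allowlist of ISP hosts is an assumption.
"""
import re
from urllib.parse import urlparse

# A HijackThis entry line: section code (R0-R3, F0-F3, N1-N4, O1-O23), " - ", body.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# R0/R1/R3 entries carry IE start page / search settings, the hijacker's target.
BROWSER_SECTIONS = {"R0", "R1", "R3"}
URL_RE = re.compile(r"https?://\S+")

# Constructed excerpt of the log posted on 29.01.2005 (header + selected entries).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.0
Scan saved at 15:21:18, on 29.01.2005
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von cablecom hispeed internet
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

# Constructed excerpt of the log posted on 30.01.2005 (same selection, one day later).
LOG_AFTER = r"""
Logfile of HijackThis v1.99.0
Scan saved at 23:20:44, on 30.01.2005
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.richfind.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer bereitgestellt von cablecom hispeed internet
O4 - HKLM\..\Run: [eScan Monitor] C:\PROGRA~1\eScan\AVPMWrap.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O10 - Broken Internet access because of LSP provider 'mwtsp.dll' missing
O23 - Service: Norton AntiVirus Auto-Protect-Dienst - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""


def parse_entries(log_text):
    """Return {entry line: section code} for every HijackThis entry in a log.
    Header lines and the 'Running processes' paths do not match ENTRY_RE."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[line] = m.group(1)
    return entries


def diff_logs(before, after):
    """Entries present only in the older log ('removed') or only in the newer ('added').
    An entry that was fixed earlier and shows up under 'added' again is the
    re-infection signal this thread is chasing."""
    b, a = parse_entries(before), parse_entries(after)
    return {"removed": sorted(set(b) - set(a)), "added": sorted(set(a) - set(b))}


def flag_browser_settings(log_text, allowed_hosts=("cablecom.ch",)):
    """R0/R1/R3 entries whose value contains a URL on a host outside allowed_hosts.
    allowed_hosts is an assumption: the user's ISP appears in the Window Title,
    so its domain is the one legitimately expected in these keys."""
    flagged = []
    for line, section in parse_entries(log_text).items():
        if section not in BROWSER_SECTIONS:
            continue
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
                flagged.append((host, line))
    return flagged


if __name__ == "__main__":
    delta = diff_logs(LOG_BEFORE, LOG_AFTER)
    for kind in ("removed", "added"):
        for line in delta[kind]:
            print(f"{kind:>7}: {line}")
    for host, line in flag_browser_settings(LOG_AFTER):
        print(f"off-site browser setting ({host}): {line}")
```

Run against the two excerpts, the diff lists three added entries (the richfind.com Search Bar, the SSC_UserPrompt Run key and the navapsvc service) and nothing removed, and the allowlist check flags only the Search Bar line with host www.richfind.com. Comparing each new log against the previous one this way separates legitimate changes (Norton components starting after the eScan install) from the setting that keeps coming back.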