AdWare.Look2Me.u

#16 o.k. - starte den rechner neu - nun poste die 4 logs von datfindbat
__________
MfG Sabina

rund um die PC-Sicherheit

#17 das war von clean up,ok hab nur noch bis halb 8 zeit.

#18 poste die 4 logs (3 monate auswaehlen, von jedem)
__________
MfG Sabina

rund um die PC-Sicherheit

#19 Datentr„ger in Laufwerk C: ist SYSTEM
Volumeseriennummer: 409B-7D81

Verzeichnis von C:\WINDOWS\system32

06-10-02 18:59 43,573 nvapps.xml
06-10-02 18:58 234,113 nurspl.dll
06-10-02 18:58 234,617 h40q0ed5eh0.dll
06-10-02 18:45 234,376 fp6203joe.dll
06-10-02 18:19 234,586 fpp4037qe.dll
06-10-02 18:16 234,116 fp0003dme.dll
06-10-02 17:03 13,646 wpa.dbl
06-10-02 16:51 234,113 hoetwiz.dll
06-10-02 16:48 235,773 l4r0le9m1h.dll
06-10-02 16:38 234,113 m0lsla371d.dll
06-10-02 16:10 235,773 n0r2la9o1d.dll
06-10-02 12:52 235,773 lv0u09d9e.dll
06-10-02 12:51 235,773 dclayx.dll
06-10-02 11:54 235,773 g8400ihme84a0.dll
06-10-02 11:53 235,773 ewent97.dll
06-10-02 11:13 235,773 mvjql9151.dll
06-10-02 11:12 235,773 peofmap.dll
06-10-02 10:48 235,773 fp4o03h3e.dll
06-10-02 10:47 235,773 iiakui.dll
06-10-01 16:52 234,193 en0ul1d91.dll
06-09-30 18:32 234,272 ir5331.dll
06-09-30 17:18 236,118 o648lghu1648.dll
06-09-30 17:16 29,696 w053a7fd.dll
06-09-23 15:30 3,766 KGyGaAvL.sys
06-09-20 17:19 88 611B0F4970.sys
06-09-18 20:11 778,240 divx_xx07.dll
06-09-18 20:11 778,240 divx_xx0c.dll
06-09-18 20:11 761,856 divx_xx11.dll
06-09-18 20:11 620,180 DivX.dll
06-09-15 22:04 48,816 S32EVNT1.DLL
06-08-11 19:35 4,276 divxsm.tlb
06-08-11 19:35 520,192 DivXsm.exe
06-08-11 19:35 10,863 dsm_ja.qm
06-08-11 19:35 15,507 dsm_de.qm
06-08-11 19:35 15,299 dsm_fr.qm
06-08-11 19:35 3,596,288 qt-dx331.dll
06-08-11 19:35 1,044,480 libdivx.dll
06-08-11 19:35 200,704 ssldivx.dll
06-08-11 19:31 73,728 dpl100.dll
06-08-11 19:31 196,608 dtu100.dll
06-08-11 19:31 53,248 dpuGUI10.dll
06-08-11 19:31 593,920 dpuGUI11.dll
06-08-11 19:31 344,064 dpus11.dll
06-08-11 19:31 57,344 dpv11.dll
06-08-11 19:31 294,912 dpu11.dll
06-08-11 19:31 294,912 dpu10.dll
06-08-11 19:31 704,512 divxdec.ax
06-08-11 19:31 352,401 DivXMedia.ax
06-08-11 19:31 12,288 DivXWMPExtType.dll
06-08-11 19:31 118,784 DivXCodecUpdateChecker.exe
06-08-11 19:31 8,523 dpude.qm
06-08-11 19:31 3,136 dtu_de.qm
06-08-07 16:02 534,208 SymNeti.dll
06-08-07 16:02 161,472 SymRedir.dll
06-07-29 17:14 173,872 FNTCACHE.DAT
06-07-28 20:19 16,832 amcompat.tlb
06-07-28 20:19 23,392 nscompat.tlb
06-07-28 18:34 4,431,360 logonuiX.exe
06-07-27 12:54 7,006 jupdate-1.5.0_06-b05.log
06-07-25 11:37 312,048 perfh009.dat
06-07-25 11:37 40,244 perfc009.dat
06-07-25 11:37 317,272 perfh007.dat
06-07-25 11:37 48,474 perfc007.dat
06-07-19 17:26 787,968 PerfStringBackup.INI
06-06-21 17:44 3,588 PepsiFootball.log
06-05-25 00:48 421,888 pxdrv.dll
06-05-25 00:48 108,544 pxcpyi64.exe
06-05-25 00:48 109,568 pxinsi64.exe


Datentr„ger in Laufwerk C: ist SYSTEM
Volumeseriennummer: 409B-7D81

Verzeichnis von C:\DOKUME~1\Nico\LOKALE~1\Temp

06-10-02 18:55 102,898 bt5701.bat
06-10-02 18:51 16,384 ~DFB9A1.tmp
06-10-02 18:50 16,384 ~DF8C45.tmp
06-10-02 18:50 512 ~DF8C67.tmp
06-10-02 18:13 2,432 wmplog00.sqm
06-10-02 17:07 331 SNDunin.log
06-10-02 17:07 874,944 system.nfo
06-10-02 16:55 181 url.txt
06-10-02 16:54 16,384 ~DF421E.tmp
06-10-02 16:54 512 ~DF1C40.tmp
06-10-02 16:54 16,384 ~DF1C0C.tmp
06-10-02 16:35 124 symcprop.dat
06-10-02 16:35 124 SSALiveUpdate.dat
06-10-02 16:35 3,667,326 Norton SystemWorks 2006 10-2-2006 16h27m41s.log
06-10-02 16:32 16,384 ~DF991C.tmp
06-10-02 16:32 512 ~DF5EA7.tmp
06-10-02 16:32 16,384 ~DF5E8E.tmp
06-10-02 16:31 124 AVRES_OPTRF_LiveUpdate.dat
06-10-02 16:29 3,272 SYMEVENT.LOG
06-10-02 16:27 16,384 Perflib_Perfdata_934.dat
06-10-01 18:16 16,384 ~DF6972.tmp
06-10-01 18:16 16,384 ~DF68A5.tmp
06-10-01 18:16 16,384 ~DF679A.tmp
06-10-01 18:16 16,384 ~DF6669.tmp
06-10-01 18:06 16,384 ~DF86C8.tmp
06-10-01 18:02 169 2006LUProdRg.ini
06-10-01 17:34 16,384 ~DF8E34.tmp
06-10-01 17:34 16,384 ~DF7C41.tmp
06-03-21 12:27 32,768 LUProdRg.exe
29 Datei(en) 4,915,605 Bytes
0 Verzeichnis(se), 5,445,300,224 Bytes frei


Datentr„ger in Laufwerk C: ist SYSTEM
Volumeseriennummer: 409B-7D81

Verzeichnis von C:\WINDOWS

06-10-02 18:58 2,048 bootstat.dat
06-10-02 17:51 116 NeroDigital.ini
06-10-02 16:49 32,592 SchedLgU.Txt
06-10-02 16:48 3,236 WindowsUpdate.log
06-10-01 16:03 50,912 iconu.exe
06-10-01 15:40 24,296 icont.exe
06-10-01 15:10 24 LogonStudio.ini
06-09-14 19:58 811 win.ini
06-08-27 13:44 105 pcwKmm.BAT
06-08-27 13:43 1,371 pcwKoe.BAT
06-07-23 18:27 740 ODBC.INI
06-07-15 17:03 3,025 mozver.dat
06-07-11 10:53 512 randseed.rnd
06-05-28 13:55 31 bluevoda.ini
06-05-22 20:25 737,280 iun6002.exe
06-05-10 15:51 895 goldwave.ini
06-04-23 15:20 316,640 WMSysPr9.prx
06-04-14 16:31 749 WindowsShell.Manifest
06-03-30 17:34 29 AlphaPlayer.INI
06-03-03 17:19 227 system.ini
06-01-29 16:41 151 PhotoSnapViewer.INI
06-01-23 21:11 754 WORDPAD.INI
06-01-14 18:55 11,966 EPISMG05.SWB
06-01-14 18:54 12,350 EPISMG02.SWB
06-01-14 18:54 12,222 EPISMG04.SWB
06-01-07 17:54 0 dbgout.INI
05-12-04 17:22 196 SIERRA.INI
05-12-02 19:39 11 exchng.ini
05-12-02 19:39 4,348 ODBCINST.INI
05-12-02 19:37 271,360 outlook.pst
05-12-02 19:33 23,554 Microsoft Outlook.FAV
05-12-02 19:32 15,298 Nico.acl
05-12-02 19:29 290 HAUSDRCKINST.INI
05-11-27 15:13 684 Sof.INI
05-11-15 22:09 46,083 UNNMP.cfg
05-09-27 17:44 739 STImgBrowser.INI
05-07-29 17:12 2,977,792 UNNMP.exe
05-05-27 01:22 10,752 hh.exe
05-05-04 14:08 45 DECFHOJP.ini
05-02-02 10:12 0 netscape.INI
05-02-02 10:12 28,597 nsreg.dat
05-02-02 09:00 0 Net-It Now! SE.INI
05-02-02 08:49 0 winhelp.ini
05-01-16 16:37 0 control.ini
05-01-16 16:32 37 vbaddin.ini
05-01-16 16:32 36 vb.ini
05-01-14 09:20 194,344 DrUninst.exe
04-08-04 14:00 707 _default.pif
04-08-04 14:00 288,768 winhlp32.exe
04-08-04 14:00 48,680 winnt.bmp
04-08-04 14:00 70,144 NOTEPAD.EXE
04-08-04 14:00 48,680 winnt256.bmp
04-08-04 14:00 26,582 Granit.bmp
04-08-04 14:00 18,944 vmmreg32.dll
04-08-04 14:00 16,730 Feder.bmp
04-08-04 14:00 34,818 wmprfDEU.prx
04-08-04 14:00 80 explorer.scf
04-08-04 14:00 1,035,264 explorer.exe
04-08-04 14:00 1,405 msdfmap.ini
04-08-04 14:00 65,954 Pr„riewind.bmp
04-08-04 14:00 2 desktop.ini
04-08-04 14:00 153,600 regedit.exe
04-08-04 14:00 17,362 Rhododendron.bmp
04-08-04 14:00 26,680 F„cher.bmp
04-08-04 14:00 65,978 Seifenblase.bmp
04-08-04 14:00 82,944 clock.avi
04-08-04 14:00 1,272 Blaue Spitzen 16.bmp
04-08-04 14:00 17,336 Angler.bmp
04-08-04 14:00 9,522 Zapotek.bmp
04-08-04 14:00 257,568 winhelp.exe
04-08-04 14:00 15,872 TASKMAN.EXE
04-08-04 14:00 94,800 twain.dll
04-08-04 14:00 50,688 twain_32.dll
04-08-04 14:00 49,680 twunk_16.exe
04-08-04 14:00 25,600 twunk_32.exe
03-10-08 11:42 237,568 BTK700iphmgunin.exe
03-02-28 19:26 46,352 setdebug.exe
03-02-28 17:35 6,550 jautoexp.dat
02-01-18 19:12 112 ActiveSkin.INI
00-01-05 00:21 86,016 unvise32qt.exe
99-05-26 09:46 212,480 pcdlib32.dll
99-05-21 03:23 41,472 luln11de.dll
99-05-11 03:23 15,638 luln11de.hlp
99-05-11 03:23 181 acroread.ini
99-04-14 03:23 328,192 lunin11.exe
99-03-03 11:49 6,367 Gwpreset.ini
99-03-03 11:35 3,282 Express.eqx
98-11-17 14:44 328,704 IsUn0407.exe
98-10-29 17:45 306,688 IsUninst.exe
97-12-04 18:08 739,792 ld32404.exe
97-09-18 03:23 106,256 imagehlp.dll
96-11-15 01:00 2 ARTGALRY.CAG
96-11-15 01:00 15,298 MSO97.ACL
96-11-06 13:05 302,592 unin0407.exe
94-04-07 03:23 462 lodbf13.ini
95 Datei(en) 10,096,912 Bytes
0 Verzeichnis(se), 5,445,292,032 Bytes frei

Datentr„ger in Laufwerk C: ist SYSTEM
Volumeseriennummer: 409B-7D81

Verzeichnis von C:\

06-10-02 19:23 0 sys.txt
06-10-02 19:22 4,759 system.txt
06-10-02 19:22 1,671 systemtemp.txt
06-10-02 19:22 104,712 system32.txt
06-10-02 18:58 133,668,864 hiberfil.sys
06-10-02 18:55 130 ComboFix.txt
06-04-14 16:30 210 boot.ini
06-03-09 16:07 1,343 Nero StartSmart.lnk
05-01-16 16:37 0 MSDOS.SYS
05-01-16 16:37 0 CONFIG.SYS
05-01-16 16:37 0 IO.SYS
05-01-16 16:37 0 AUTOEXEC.BAT
04-08-04 14:00 4,952 bootfont.bin
04-08-04 14:00 251,184 ntldr
04-08-04 14:00 47,564 NTDETECT.COM
15 Datei(en) 134,085,389 Bytes
0 Verzeichnis(se), 5,445,300,224 Bytes frei


Muss gehn ich komm morgen nochmal(mittags)

#20 avenger
kopiere rein
http://virus-protect.org/artikel/tools/avenger.html

Zitat

Files to delete:
C:\WINDOWS\Downloaded Program Files\SAIX.dll
C:\WINDOWS\Downloaded Program Files\ClientAX.dll
C:\WINDOWS\system32\m0lsla371d.dll
C:\WINDOWS\system32\nurspl.dll
C:\WINDOWS\system32\h40q0ed5eh0.dll
C:\WINDOWS\system32\fp6203joe.dll
C:\WINDOWS\system32\fpp4037qe.dll
C:\WINDOWS\system32\fp0003dme.dll
C:\WINDOWS\system32\hoetwiz.dll
C:\WINDOWS\system32\l4r0le9m1h.dll
C:\WINDOWS\system32\m0lsla371d.dll
C:\WINDOWS\system32\n0r2la9o1d.dll
C:\WINDOWS\system32\lv0u09d9e.dll
C:\WINDOWS\system32\dclayx.dll
C:\WINDOWS\system32\g8400ihme84a0.dll
C:\WINDOWS\system32\ewent97.dll
C:\WINDOWS\system32\mvjql9151.dll
C:\WINDOWS\system32\peofmap.dll
C:\WINDOWS\system32\fp4o03h3e.dll
C:\WINDOWS\system32\iiakui.dll
C:\WINDOWS\system32\en0ul1d91.dll
C:\WINDOWS\system32\ir5331.dll
C:\WINDOWS\system32\o648lghu1648.dll
C:\WINDOWS\system32\w053a7fd.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\iconu.exe
C:\WINDOWS\icont.exe

Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

nach dem neustart erscheint das log vom avenger - poste es hier.

««
öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

Zitat

R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - (no file)

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c24.cab

O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c18.cab?21595a55bcee
9e87edbc49d34614c0b550
c9fbe341f06435b5679f367af25f7d532a4ca9c2ed59d9dc488
aec24dcc5a5ba1e1fb10f8e34f8
2eba6f77b8d60c7f73d695c54c:584e34bcf0567f47bece5b5b666353a7

O20 - Winlogon Notify: URL - C:\WINDOWS\system32\m0lsla371d.dll

dann: wende noch mal combofix und Look2Me-Destroyer V1.0.5 an
__________
MfG Sabina

rund um die PC-Sicherheit

#21 Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vfkvgaep

*******************

Script file located at: \??\C:\tusqpryq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\Downloaded Program Files\SAIX.dll not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\SAIX.dll failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\SAIX.dll
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\ClientAX.dll not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\ClientAX.dll failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\ClientAX.dll
Status: 0xc0000034



File C:\WINDOWS\system32\m0lsla371d.dll not found!
Deletion of file C:\WINDOWS\system32\m0lsla371d.dll failed!

Could not process line:
C:\WINDOWS\system32\m0lsla371d.dll
Status: 0xc0000034



File C:\WINDOWS\system32\nurspl.dll not found!
Deletion of file C:\WINDOWS\system32\nurspl.dll failed!

Could not process line:
C:\WINDOWS\system32\nurspl.dll
Status: 0xc0000034

File C:\WINDOWS\system32\h40q0ed5eh0.dll deleted successfully.
File C:\WINDOWS\system32\fp6203joe.dll deleted successfully.
File C:\WINDOWS\system32\fpp4037qe.dll deleted successfully.
File C:\WINDOWS\system32\fp0003dme.dll deleted successfully.
File C:\WINDOWS\system32\hoetwiz.dll deleted successfully.
File C:\WINDOWS\system32\l4r0le9m1h.dll deleted successfully.


File C:\WINDOWS\system32\m0lsla371d.dll not found!
Deletion of file C:\WINDOWS\system32\m0lsla371d.dll failed!

Could not process line:
C:\WINDOWS\system32\m0lsla371d.dll
Status: 0xc0000034

File C:\WINDOWS\system32\n0r2la9o1d.dll deleted successfully.
File C:\WINDOWS\system32\lv0u09d9e.dll deleted successfully.
File C:\WINDOWS\system32\dclayx.dll deleted successfully.
File C:\WINDOWS\system32\g8400ihme84a0.dll deleted successfully.
File C:\WINDOWS\system32\ewent97.dll deleted successfully.
File C:\WINDOWS\system32\mvjql9151.dll deleted successfully.
File C:\WINDOWS\system32\peofmap.dll deleted successfully.
File C:\WINDOWS\system32\fp4o03h3e.dll deleted successfully.
File C:\WINDOWS\system32\iiakui.dll deleted successfully.
File C:\WINDOWS\system32\en0ul1d91.dll deleted successfully.


File C:\WINDOWS\system32\ir5331.dll not found!
Deletion of file C:\WINDOWS\system32\ir5331.dll failed!

Could not process line:
C:\WINDOWS\system32\ir5331.dll
Status: 0xc0000034

File C:\WINDOWS\system32\o648lghu1648.dll deleted successfully.
File C:\WINDOWS\system32\w053a7fd.dll deleted successfully.
File C:\WINDOWS\system32\guard.tmp deleted successfully.
File C:\WINDOWS\iconu.exe deleted successfully.
File C:\WINDOWS\icont.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Bei Look2me-Destroyer und Combofix kommt wieder ein blauer Bildschirm.Bei Combofix steht nur active Look2me found!!! und dann kommt en neues fenster da steht in 10sekunden schliest sich und öffnet sich combofix wieder,sobald das zu ist kommt der blaue bildschirm.

Beim Bildschirm steht dann:

Fehler: 0x000000F4(0x00000003,0xFF967390,0xFF967504,0x805F9F88)
Vieleicht hilft das?!

#22 L2mfix
http://www.downloads.subratam.org/l2mfix.exe
# Speichern der Datei auf dem Desktop und doppel-klicken l2mfix.exe.

# Klicken auf Installieren um die Dateien zu extrahieren und folgen Sie den Anweisungen während der Installation.

# Dann öffnen Sie den auf Ihrem Desktop neuerstellten Ordner l2mfix

# Doppel-klicken Datei l2mfix.bat und tippen sie eine 1 und drücken Sie [Enter], um Findlog laufen zu lassen. Dies wird Ihren Computer scannen. Es kann sein, das es so aussieht als ob nichts passiert, aber nach 1 oder 2 Minuten wird sich Notepad mit einem Log öffnen.

# Kopieren Sie den Inhalt durch Strg+A und fügen Sie den Inhalt in Ihren Thread durch Strg+V...oder einfach mit der Maus abkopieren.
__________
MfG Sabina

rund um die PC-Sicherheit

#23 L2MFIX find log 051206
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WASHData]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h84m0ih1e84.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{53A02DCD-8207-F3D8-3B47-FE3F2A0CDB63}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webpublishing-Assistent"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestellung von Abz�gen �ber das Internet"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shellobjekt des Webpublishing-Assistenten"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Passport-Assistent"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Benutzerkonten"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskleiste und Startmen�"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begr�áungsbildschirm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Suchen"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ausf�hren..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-Mail"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Schriftarten"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Verwaltung"
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"="Shell Extension for Malware scanning"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension"
"{2F860D81-AF3C-11D4-BDB3-00E0987D8540}"="UltimateZip Shell Extension"
"{2F860D82-AF3C-11D4-BDB3-00E0987D8540}"="UltimateZip Drag Drop Handler"
"{C169E5F0-E2B3-41F3-B81A-7BA529CBE193}"="ZipGenius Shell Extension"
"{2E5AC2E0-406D-11D4-86B3-FA5861508E25}"="ZipGenius Zip InfoTip"
"{310A0C95-EA11-42AE-A8E4-53E69E650310}"="ZipGenius Drop handler"
"{FE8D01BF-610A-4261-9C6E-32D65A42C907}"="ZipGenius DnD Extract handler"
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6 Context Menu Shell Extension"
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6 DragDrop Shell Extension"
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6 Context Menu Shell Extension"
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}"="WinAce Archiver 2.6 Property Sheet Shell Extension"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{35786D3C-B075-49b9-88DD-029876E11C01}"="Portable Devices"
"{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8}"="Portable Devices Menu"
"{4EB264B4-4EDB-4772-AAF8-D574FB4A5770}"=""
"{41D4FB4E-1AB0-4A72-A4C5-582239A4ED5B}"=""
"{5EC3EA89-4453-4416-A78B-65F689DC2048}"="Goback Drives"
"{6809E580-A3A7-11D1-9A00-00A0C945B006}"="GoBack Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4EB264B4-4EDB-4772-AAF8-D574FB4A5770}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{4EB264B4-4EDB-4772-AAF8-D574FB4A5770}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4EB264B4-4EDB-4772-AAF8-D574FB4A5770}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4EB264B4-4EDB-4772-AAF8-D574FB4A5770}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{41D4FB4E-1AB0-4A72-A4C5-582239A4ED5B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{41D4FB4E-1AB0-4A72-A4C5-582239A4ED5B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{41D4FB4E-1AB0-4A72-A4C5-582239A4ED5B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{41D4FB4E-1AB0-4A72-A4C5-582239A4ED5B}\InprocServer32]
@="C:\\WINDOWS\\system32\\mvr.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
divx.dll Mon Sep 18 2006 8:11:16p A.... 620,180 605.64 K
dpl100.dll Fri Aug 11 2006 7:31:52p A.... 73,728 72.00 K
dpu10.dll Fri Aug 11 2006 7:31:52p A.... 294,912 288.00 K
dpu11.dll Fri Aug 11 2006 7:31:52p A.... 294,912 288.00 K
dpugui10.dll Fri Aug 11 2006 7:31:52p A.... 53,248 52.00 K
dpugui11.dll Fri Aug 11 2006 7:31:52p A.... 593,920 580.00 K
dpus11.dll Fri Aug 11 2006 7:31:52p A.... 344,064 336.00 K
dpv11.dll Fri Aug 11 2006 7:31:52p A.... 57,344 56.00 K
dtu100.dll Fri Aug 11 2006 7:31:52p A.... 196,608 192.00 K
libdivx.dll Fri Aug 11 2006 7:35:30p A.... 1,044,480 1020.00 K
mvr.dll Tue Oct 3 2006 3:26:18p ..S.R 235,209 229.70 K
qt-dx331.dll Fri Aug 11 2006 7:35:36p A.... 3,596,288 3.43 M
s32evnt1.dll Fri Sep 15 2006 10:04:12p A.... 48,816 47.67 K
ssldivx.dll Fri Aug 11 2006 7:35:30p A.... 200,704 196.00 K
symneti.dll Mon Aug 7 2006 4:02:32p A.... 534,208 521.69 K
symredir.dll Mon Aug 7 2006 4:02:30p A.... 161,472 157.69 K

16 items found: 16 files (1 H/S), 0 directories.
Total of file sizes: 8,350,093 bytes 7.96 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Datentr„ger in Laufwerk C: ist SYSTEM
Volumeseriennummer: 409B-7D81

Verzeichnis von C:\WINDOWS\System32

06-10-03 15:31 <DIR> ..
06-10-03 15:31 <DIR> .
06-10-03 15:26 235,209 mvr.dll
06-10-03 15:26 235,903 r4r60e9seh.dll
06-10-03 13:45 235,638 lv2409fqe.dll
06-10-03 13:36 235,312 fp0m03d1e.dll
06-10-03 13:28 235,367 i8nm0i51e8.dll
06-10-03 13:22 235,061 enjul1191.dll
06-10-03 13:09 235,209 h84m0ih1e84.dll
06-09-30 18:32 234,272 ir5331.dll
06-09-23 15:30 3,766 KGyGaAvL.sys
06-09-20 17:19 88 611B0F4970.sys
06-08-27 13:48 <DIR> dllcache
05-05-18 06:57 56 F9AEB9E893.sys
05-01-16 16:43 <DIR> Microsoft
99-09-30 19:21 166,672 mstext35.dll
99-09-28 21:42 1,050,896 msjet35.dll
99-09-09 22:06 168,720 msltus35.dll
99-09-09 22:06 252,688 msexcl35.dll
99-08-25 14:57 415,504 msrepl35.dll
99-06-10 09:34 24,848 msjter35.dll
99-06-10 09:34 123,664 msjint35.dll
99-06-07 18:59 250,128 mspdox35.dll
99-04-25 17:00 287,504 Msxbse35.dll
99-04-25 17:00 368,912 Vbar332.dll
99-04-25 17:00 252,176 Msrd2x35.dll
22 Datei(en) 5,247,593 Bytes
4 Verzeichnis(se), 5,430,992,896 Bytes frei

#24 # Schließen Sie alle offenen Programme , da der nächste Schritt einen Neustart erfordert. Klicken Sie erneut auf l2mfix.bat und tippen Sie 2 ein --- [Enter].

# Drücken Sie eine beliebige Taste, um einen Systemneustart einzuleiten.

# Nach dem Neustart, werden Ihre Icons auf dem Desktop kurz erscheinen und kurz verschwinden - dies ist NORMAL.

# L2mfix wird den Systemscan fortsetzen und wenn es fertig ist, wird sich Notepad öffnen und einen Log anzeigen.
__________
MfG Sabina

rund um die PC-Sicherheit

#25 da geht der pc wieder aus,da steht dann killing processes.

#26 der rechner muss ausgehen, wenn er dann wieder hochfaehrt, musst du den scan abwarten, bis sich der texteditor oeffnet
kopiere es ab
__________
MfG Sabina

rund um die PC-Sicherheit

#27 da kommt en blauer bildschirm und da steht wieder das ein problem festgestellt worde,ich hab ne systemwiederherrstellung gmacht,und norton ist nmoch drauf kann sein,dass das deswegen ist.Irgendne Soft- Hardware wurde nciht richtig instaliert steht da.
Bin gerade mit F-Secure den PC am prüfen,vieleicht hilft das,oder das findet noch mehr^^

#28 ja, wenn du eine Systemwiederherstellung machst, stellst du auch die viren wieder her....
__________
MfG Sabina

rund um die PC-Sicherheit

#29 die hab ich aber vor 3 tagen gemacht.
F-Secure hat bis jetzt 3 Viren gefunden,vieleicht geht das mit F-Secure weg.Ich hab jetzt einen neuen Benutzer aufm pc(L2MFIX)wollte da drauf gehen,aber da ist ein passwort drin,undin den abgesicherten modus komm ich auch nich mehr.


Result: 3 malware found
Trojan-Clicker.Win32.VB.fo (virus)

* C:\WINDOWS\TMLJBW\COMMAND.EXE (Renamed)

W32/Agent.HPO (virus)

* C:\WINDOWS\DOWNLOADED PROGRAM FILES\INSTALL.DLL

W32/DLoader.AKCE (virus)

* C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWFX5UNETINSTALLER.EXE

#30 0.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fixme.reg mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.
Die Datei "fixme.reg" auf dem Desktop doppelklicken

Zitat

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

[-HKEY_CURRENT_USER\Software\Look2Me]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WASHData]

1.
Avenger

Zitat

registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WASHData
HKEY_CLASSES_ROOT\CLSID\{41D4FB4E-1AB0-4A72-A4C5-582239A4ED5B}
HKEY_CLASSES_ROOT\CLSID\{4EB264B4-4EDB-4772-AAF8-D574FB4A5770}

Files to delete:
C:\WINDOWS\System32\mvr.dll
C:\WINDOWS\System32\r4r60e9seh.dll
C:\WINDOWS\System32\lv2409fqe.dll
C:\WINDOWS\System32\fp0m03d1e.dll
C:\WINDOWS\System32\i8nm0i51e8.dll
C:\WINDOWS\System32\enjul1191.dll
C:\WINDOWS\System32\h84m0ih1e84.dll
C:\WINDOWS\System32\ir5331.dll

Folders to delete:
C:\WINDOWS\TMLJBW

»»
scanne mit ewido und poste den scanreport
http://virus-protect.org/ewido.html
__________
MfG Sabina

rund um die PC-Sicherheit