Immer diese Loading Website

#16 du musst den L2MRemover scannen lassen, er scannt solange, bis Look2Me entfernt ist.....und startet wohl auch selbstaendig jedesmal den PC neu.
__________
MfG Sabina

rund um die PC-Sicherheit

#17 ja gut das ist dann passiert und wo ist nun logfile gespeichert?

#18 die muesste in dem Ordner von Look2Me gespeichert sein
__________
MfG Sabina

rund um die PC-Sicherheit

#19 was müsste das denn für ne datei sein? also welcher typ

#20 so war es angewiesen

Zitat

Entpacke das Programm mit einem Ziptool
in den neu zu erstellenden Ordner C:\Programme\Look2meRemover.

__________
MfG Sabina

rund um die PC-Sicherheit

#21 ja schon klar aber welche datei ist jetzt logfile?

#22 es muesste eine txt-Datei sein, oder eine log-Datei...ich weiss es auch nicht genau, weil ich das tool noch nie anwenden musste
__________
MfG Sabina

rund um die PC-Sicherheit

#23 also ich habe hier .dat , .rtf, .dll, .sys

#24 vergiss es.... ,)

Lade l2mfix und arbeite Option 2 ab, der PC wird neustarten, warte, lasse ihn scannen, wenn der scan beendet ist, wirst du den scanreport abkopieren koennen, mache das und poste ihn hier.
http://virus-protect.org/l2mfix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#25 hier aus l2mfix als ich das erste mal gestartet habe, habe aber noch einen als der pc neu hochgefahren ist, den auch noch posten?
L2MFIX find log 122705
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr8m05l1e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\c200lcdm1f0a.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E7EBA6D5-F79F-CA73-F3F1-E037C31D23AA}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschaften f�r Multimediadatei"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-Scannerverwaltung"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-Sicherheit"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE-Eigenschaftenseite f�r Dokumente"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shellerweiterungen f�r Freigaben"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung f�r Grafikkarten"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung f�r Bildschirme"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung f�r Anzeigeverschiebung"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-Sicherheit"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilit„tsseite"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-Datenauszughandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Erweiterung f�r Datentr„gerkopien"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shellerweiterungen f�r Microsoft Windows-Netzwerkobjekte"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-Monitorverwaltung"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-Druckerverwaltung"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shellerweiterungen f�r die Dateikomprimierung"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shellerweiterung f�r Webdrucker"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontextmen� f�r die Verschl�sselung"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Aktenkoffer"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Erweiterung f�r HyperTerminal-Icons"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Schriftarten"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-Profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Druckersicherheit"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shellerweiterungen f�r Freigaben"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netzwerkverbindungen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netzwerkverbindungen"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanner und Kameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanner und Kameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanner und Kameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanner und Kameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanner und Kameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellerweiterungen f�r Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Datenverkn�pfung"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplante Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskleiste und Startmen�"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Suchen"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ausf�hren..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-Mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Schriftarten"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Verwaltung"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Syntaxanalyse der Adressleiste"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begr�áungsbildschirm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-Cacheordner"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webpublishing-Assistent"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestellung von Abz�gen �ber das Internet"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shellobjekt des Webpublishing-Assistenten"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Passport-Assistent"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Benutzerkonten"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channeldatei"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channelverkn�pfung"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channelhandlerobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Ordner 'Offlinedateien'"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Webordner"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{330417E8-EF62-4047-82BE-D8305CEFF572}"="AMEncShlExt extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{C596B3D5-E784-4AE4-B607-2883E8873D2C}"=""
"{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}"=""
"{02669066-13BB-4737-8A05-E4DC8970DDDA}"=""
"{8ACABB60-FAEC-4934-9588-57B70C387958}"=""
"{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}"=""
"{D7DDD9DC-39D6-480F-AED6-B773867203A2}"=""
"{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}\InprocServer32]
@="C:\\WINDOWS\\system32\\SBDOCLC.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\UDLMON.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}\InprocServer32]
@="C:\\WINDOWS\\system32\\pZutoenr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}\InprocServer32]
@="C:\\WINDOWS\\system32\\wdnetmgr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcrd2x40.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}\InprocServer32]
@="C:\\WINDOWS\\system32\\dWdpmesh.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Fri 30 Dec 2005 22:42:04 A.... 687.592 671,48 K
aza8la~1.dll Fri 30 Dec 2005 22:41:16 ..S.R 236.359 230,82 K
bassmod.dll Sat 29 Oct 2005 17:33:36 A.... 34.308 33,50 K
c200lc~1.dll Mon 2 Jan 2006 1:00:14 ..S.R 235.664 230,14 K
dwdpmesh.dll Mon 2 Jan 2006 13:11:22 ..S.R 235.664 230,14 K
e4020e~1.dll Fri 30 Dec 2005 22:46:50 ..S.R 235.523 230,00 K
fpp803~1.dll Sun 1 Jan 2006 23:20:56 ..S.R 235.664 230,14 K
j2l4lc~1.dll Mon 2 Jan 2006 1:04:44 ..S.R 235.664 230,14 K
k2pmlc~1.dll Fri 30 Dec 2005 18:52:10 ..S.R 237.045 231,49 K
kt6ul7~1.dll Sat 31 Dec 2005 16:33:24 ..S.R 236.197 230,66 K
l8p2li~1.dll Fri 30 Dec 2005 21:21:04 ..S.R 235.771 230,24 K
lv4209~1.dll Fri 30 Dec 2005 22:41:22 ..S.R 235.164 229,65 K
lv6u09~1.dll Fri 30 Dec 2005 13:07:08 ..S.R 236.740 231,19 K
mcrd2x40.dll Sat 31 Dec 2005 13:31:22 ..S.R 236.197 230,66 K
mvj2l9~1.dll Mon 2 Jan 2006 0:53:32 ..S.R 235.664 230,14 K
n0l8la~1.dll Fri 30 Dec 2005 21:05:04 ..S.R 234.163 228,67 K
pzutoenr.dll Fri 30 Dec 2005 23:03:24 ..S.R 234.213 228,72 K
sbdoclc.dll Fri 30 Dec 2005 22:13:54 ..S.R 235.771 230,24 K
sirenacm.dll Thu 13 Oct 2005 0:11:06 A.... 118.784 116,00 K
wdnetmgr.dll Sat 31 Dec 2005 1:09:02 ..S.R 235.664 230,14 K

20 items found: 20 files (17 H/S), 0 directories.
Total of file sizes: 4.847.811 bytes 4,62 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Mon 2 Jan 2006 13:11:34 A.... 237.278 231,71 K

1 item found: 1 file, 0 directories.
Total of file sizes: 237.278 bytes 231,71 K
**********************************************************************************
Directory Listing of system files:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: E479-4804

Verzeichnis von C:\WINDOWS\System32

02.01.2006 13:11 235.664 dWdpmesh.dll
02.01.2006 01:04 235.664 j2l4lc3q1f.dll
02.01.2006 01:00 235.664 c200lcdm1f0a.dll
02.01.2006 00:53 235.664 mvj2l91o1.dll
01.01.2006 23:20 235.664 fpp8037ue.dll
31.12.2005 16:33 236.197 kt6ul7j91.dll
31.12.2005 13:31 236.197 mcrd2x40.dll
31.12.2005 01:09 235.664 wdnetmgr.dll
30.12.2005 23:03 234.213 pZutoenr.dll
30.12.2005 22:46 235.523 e4020edoeh0c0.dll
30.12.2005 22:41 235.164 lv4209hoe.dll
30.12.2005 22:41 236.359 aza8la3u1d.dll
30.12.2005 22:13 235.771 SBDOCLC.DLL
30.12.2005 21:21 235.771 l8p2li7o18.dll
30.12.2005 21:05 234.163 n0l8la3u1d.dll
30.12.2005 18:52 237.045 k2pmlc711f.dll
30.12.2005 13:17 <DIR> dllcache
30.12.2005 13:07 236.740 lv6u09j9e.dll
08.08.2005 12:16 56 0CC811A25F.sys
25.07.2005 16:49 <DIR> Microsoft
18 Datei(en) 4.007.183 Bytes
2 Verzeichnis(se), 2.864.566.272 Bytes frei

#26 ich will den Bericht nach dem Hochfahren sehen
__________
MfG Sabina

rund um die PC-Sicherheit

#27 aber ich glaub der virus ist weg auf jednefall öfnet sich keine anderer seite mehr

L2mfix Beta 122705
Creating Account.
Der Befehl wurde erfolgreich ausgef�hrt.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 608 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 692 'winlogon.exe'
Killing PID 692 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1136 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 508 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratoren ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
moving: C:\WINDOWS\system32\aza8la3u1d.dll
Successfully Moved: C:\WINDOWS\system32\aza8la3u1d.dll
moving: C:\WINDOWS\system32\c200lcdm1f0a.dll
Successfully Moved: C:\WINDOWS\system32\c200lcdm1f0a.dll
moving: C:\WINDOWS\system32\dWdpmesh.dll
Successfully Moved: C:\WINDOWS\system32\dWdpmesh.dll
moving: C:\WINDOWS\system32\e4020edoeh0c0.dll
Successfully Moved: C:\WINDOWS\system32\e4020edoeh0c0.dll
moving: C:\WINDOWS\system32\fpp8037ue.dll
Successfully Moved: C:\WINDOWS\system32\fpp8037ue.dll
moving: C:\WINDOWS\system32\j2l4lc3q1f.dll
Successfully Moved: C:\WINDOWS\system32\j2l4lc3q1f.dll
moving: C:\WINDOWS\system32\k2pmlc711f.dll
Successfully Moved: C:\WINDOWS\system32\k2pmlc711f.dll
moving: C:\WINDOWS\system32\kt6ul7j91.dll
Successfully Moved: C:\WINDOWS\system32\kt6ul7j91.dll
moving: C:\WINDOWS\system32\l8p2li7o18.dll
Successfully Moved: C:\WINDOWS\system32\l8p2li7o18.dll
moving: C:\WINDOWS\system32\lv4209hoe.dll
Successfully Moved: C:\WINDOWS\system32\lv4209hoe.dll
moving: C:\WINDOWS\system32\lv6u09j9e.dll
Successfully Moved: C:\WINDOWS\system32\lv6u09j9e.dll
moving: C:\WINDOWS\system32\mcrd2x40.dll
Successfully Moved: C:\WINDOWS\system32\mcrd2x40.dll
moving: C:\WINDOWS\system32\mvj2l91o1.dll
Successfully Moved: C:\WINDOWS\system32\mvj2l91o1.dll
moving: C:\WINDOWS\system32\n0l8la3u1d.dll
Successfully Moved: C:\WINDOWS\system32\n0l8la3u1d.dll
moving: C:\WINDOWS\system32\pZutoenr.dll
Successfully Moved: C:\WINDOWS\system32\pZutoenr.dll
moving: C:\WINDOWS\system32\SBDOCLC.DLL
Successfully Moved: C:\WINDOWS\system32\SBDOCLC.DLL
moving: C:\WINDOWS\system32\wdnetmgr.dll
Successfully Moved: C:\WINDOWS\system32\wdnetmgr.dll
moving: C:\WINDOWS\system32\guard.tmp
Successfully Moved: C:\WINDOWS\system32\guard.tmp




Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr8m05l1e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\c200lcdm1f0a.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aza8la3u1d.dll
C:\WINDOWS\system32\c200lcdm1f0a.dll
C:\WINDOWS\system32\dWdpmesh.dll
C:\WINDOWS\system32\e4020edoeh0c0.dll
C:\WINDOWS\system32\fpp8037ue.dll
C:\WINDOWS\system32\j2l4lc3q1f.dll
C:\WINDOWS\system32\k2pmlc711f.dll
C:\WINDOWS\system32\kt6ul7j91.dll
C:\WINDOWS\system32\l8p2li7o18.dll
C:\WINDOWS\system32\lv4209hoe.dll
C:\WINDOWS\system32\lv6u09j9e.dll
C:\WINDOWS\system32\mcrd2x40.dll
C:\WINDOWS\system32\mvj2l91o1.dll
C:\WINDOWS\system32\n0l8la3u1d.dll
C:\WINDOWS\system32\pZutoenr.dll
C:\WINDOWS\system32\SBDOCLC.DLL
C:\WINDOWS\system32\wdnetmgr.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}\InprocServer32]
@="C:\\WINDOWS\\system32\\SBDOCLC.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\UDLMON.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}\InprocServer32]
@="C:\\WINDOWS\\system32\\pZutoenr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}\InprocServer32]
@="C:\\WINDOWS\\system32\\wdnetmgr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcrd2x40.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}\InprocServer32]
@="C:\\WINDOWS\\system32\\dWdpmesh.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{C596B3D5-E784-4AE4-B607-2883E8873D2C}"=-
"{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}"=-
"{02669066-13BB-4737-8A05-E4DC8970DDDA}"=-
"{8ACABB60-FAEC-4934-9588-57B70C387958}"=-
"{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}"=-
"{D7DDD9DC-39D6-480F-AED6-B773867203A2}"=-
"{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}"=-
[-HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}]
[-HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}]
[-HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}]
[-HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}]
[-HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}]
[-HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}]
[-HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/aza8la3u1d.dll (188 bytes security) (deflated 5%)
adding: dlls/c200lcdm1f0a.dll (188 bytes security) (deflated 5%)
adding: dlls/dWdpmesh.dll (188 bytes security) (deflated 5%)
adding: dlls/e4020edoeh0c0.dll (188 bytes security) (deflated 5%)
adding: dlls/fpp8037ue.dll (188 bytes security) (deflated 5%)
adding: dlls/guard.tmp (188 bytes security) (deflated 6%)
adding: dlls/j2l4lc3q1f.dll (188 bytes security) (deflated 5%)
adding: dlls/k2pmlc711f.dll (188 bytes security) (deflated 5%)
adding: dlls/kt6ul7j91.dll (188 bytes security) (deflated 5%)
adding: dlls/l8p2li7o18.dll (188 bytes security) (deflated 5%)
adding: dlls/lv4209hoe.dll (188 bytes security) (deflated 5%)
adding: dlls/lv6u09j9e.dll (188 bytes security) (deflated 5%)
adding: dlls/mcrd2x40.dll (188 bytes security) (deflated 5%)
adding: dlls/mvj2l91o1.dll (188 bytes security) (deflated 5%)
adding: dlls/n0l8la3u1d.dll (188 bytes security) (deflated 4%)
adding: dlls/pZutoenr.dll (188 bytes security) (deflated 4%)
adding: dlls/SBDOCLC.DLL (188 bytes security) (deflated 5%)
adding: dlls/wdnetmgr.dll (188 bytes security) (deflated 5%)
adding: backregs/02669066-13BB-4737-8A05-E4DC8970DDDA.reg (188 bytes security) (deflated 70%)
adding: backregs/8ACABB60-FAEC-4934-9588-57B70C387958.reg (188 bytes security) (deflated 70%)
adding: backregs/BA657BD3-A787-45FE-A9BA-4DC80F2761ED.reg (188 bytes security) (deflated 69%)
adding: backregs/C596B3D5-E784-4AE4-B607-2883E8873D2C.reg (188 bytes security) (deflated 70%)
adding: backregs/D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D.reg (188 bytes security) (deflated 70%)
adding: backregs/D7DDD9DC-39D6-480F-AED6-B773867203A2.reg (188 bytes security) (deflated 70%)
adding: backregs/E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89.reg (188 bytes security) (deflated 69%)
adding: backregs/notibac.reg (188 bytes security) (deflated 88%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)

#28 scanne mit panda und kopiere hier den scanreport
http://virus-protect.org/onlinescan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#29 Incident Status Location

Adware:Adware/CommAd Not desinfected C:\WINDOWS\TWFya3Vz\command.exe
Adware:Adware/CommAd Not desinfected C:\WINDOWS\TWFya3Vz\asappsrv.dll
Adware:adware/commad Not desinfected C:\WINDOWS\SYSTEM32\atmtd.dll
Adware:adware/whenusearch Not desinfected C:\Dokumente und Einstellungen\Captain Chaos\Startmen\Programme\WhenU
Adware:adware/ist.istbar Not desinfected Windows Registry
Adware:Adware/Look2Me Not desinfected C:\!KillBox\dnns0157e.dll
Adware:Adware/Look2Me Not desinfected C:\!KillBox\j8l40i3qe8.dll
Adware:Adware/Look2Me Not desinfected C:\!KillBox\m4pole731h.dll
Adware:Adware/Sqwire Not desinfected C:\!KillBox\tsuninst.exe
Adware:Adware/Look2Me Not desinfected C:\!KillBox\UDLMON.DLL
Adware:Adware/nCase Not desinfected C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\816NW1YR\AppWrap[1].exe
Adware:Adware/nCase Not desinfected C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8XAV4PYB\AppWrap[1].exe
Adware:Adware/Look2Me Not desinfected C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8XAV4PYB\AppWrap[2].exe
Adware:Adware/CommAd Not desinfected C:\WINDOWS\TWFya3Vz\asappsrv.dll
Adware:Adware/CommAd Not desinfected C:\WINDOWS\TWFya3Vz\command.exe
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[aza8la3u1d.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[c200lcdm1f0a.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[dWdpmesh.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[e4020edoeh0c0.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[fpp8037ue.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[guard.tmp]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[j2l4lc3q1f.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[k2pmlc711f.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[kt6ul7j91.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[l8p2li7o18.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[lv4209hoe.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[lv6u09j9e.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[mcrd2x40.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[mvj2l91o1.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[n0l8la3u1d.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[pZutoenr.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[SBDOCLC.DLL]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[wdnetmgr.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\aza8la3u1d.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\c200lcdm1f0a.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\dWdpmesh.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\e4020edoeh0c0.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\fpp8037ue.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\guard.tmp
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\j2l4lc3q1f.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\k2pmlc711f.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\kt6ul7j91.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\l8p2li7o18.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\lv4209hoe.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\lv6u09j9e.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\mcrd2x40.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\mvj2l91o1.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\n0l8la3u1d.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\pZutoenr.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\SBDOCLC.DLL
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\wdnetmgr.dll

#30 loesche:

C:\WINDOWS\TWFya3Vz\command.exe
C:\WINDOWS\TWFya3Vz\asappsrv.dll
C:\WINDOWS\TWFya3Vz

C:\WINDOWS\SYSTEM32\atmtd.dll
C:\Dokumente und Einstellungen\Captain Chaos\Startmen\Programme\WhenU

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\816NW1YR

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8XAV4PYB

gehe zur Systemsteuerung --> Internetoptionen --> auf dem Reiter Allgemein bei Temporäre Internetdateien klickst du Dateien löschen --> auch bei Alle Offlineinhalte löschen das Häkchen setzen und mit OK bestätigen --> Auf den Reiter Programme gehen und dort auf Webeinstellungen zurücksetzen klicken, mit Ja bestätigen, fall Nachfrage kommt --> auf Übernehmen und abschließend auf OK klicken

dann leere die C:\!KillBox

und loesche: D:\l2mfix\backup.zip

Download f-secure-Beta Trial
http://www.f-secure.com/blacklight/
doppelklick: blbeta.exe
nach dem Check klicke -- next
nun findet man eine log-datei auf dem Desktop: kopiere sie in deinen Thread

-----------------------------------------------------
dann scanne noch mal mit panda
__________
MfG Sabina

rund um die PC-Sicherheit