Always this "Loading Website"

31.12.2005, 13:37
Honorary member Sabina
Posts: 29434
#16 You have to let the L2MRemover scan; it keeps scanning until Look2Me is removed... and apparently also restarts the PC by itself each time.
__________
Regards, Sabina

all about PC security
02.01.2006, 13:56
Member
Posts: 25
#17 Okay, that happened then, and where is the log file saved now?
02.01.2006, 14:17
Honorary member Sabina
Posts: 29434
#18 It should be saved in the Look2Me folder ;)
02.01.2006, 17:01
Member
Posts: 25
#19 What kind of file would that be? I mean, which type?
02.01.2006, 17:19
Honorary member Sabina
Posts: 29434
#20 That is how it was instructed ;)

Quote

Unpack the program with a zip tool
into the newly created folder C:\Programme\Look2meRemover.

02.01.2006, 17:29
Member
Posts: 25
#21 Yes, I know, but which file is the log file now?
02.01.2006, 17:51
Honorary member Sabina
Posts: 29434
#22 It should be a txt file, or a log file... I don't know exactly either, because I have never had to use the tool myself ;)
02.01.2006, 19:31
Member
Posts: 25
#23 Well, what I have here is .dat, .rtf, .dll, .sys
02.01.2006, 20:11
Honorary member Sabina
Posts: 29434
#24 Forget it.... ;)

Download l2mfix and work through option 2. The PC will restart; wait, let it scan, and when the scan is finished you will be able to copy the scan report. Do that and post it here.
http://virus-protect.org/l2mfix.html
02.01.2006, 20:25
Member
Posts: 25
#25 Here is the one from l2mfix from when I started it the first time, but I also have another one from when the PC rebooted; should I post that one as well?

L2MFIX find log 122705
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr8m05l1e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\c200lcdm1f0a.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E7EBA6D5-F79F-CA73-F3F1-E037C31D23AA}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschaften für Multimediadatei"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-Scannerverwaltung"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-Sicherheit"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE-Eigenschaftenseite für Dokumente"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shellerweiterungen für Freigaben"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Grafikkarten"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Bildschirme"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung für Anzeigeverschiebung"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-Sicherheit"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilitätsseite"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-Datenauszughandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Erweiterung für Datenträgerkopien"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shellerweiterungen für Microsoft Windows-Netzwerkobjekte"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-Monitorverwaltung"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-Druckerverwaltung"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shellerweiterungen für die Dateikomprimierung"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shellerweiterung für Webdrucker"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontextmenü für die Verschlüsselung"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Aktenkoffer"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Erweiterung für HyperTerminal-Icons"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Schriftarten"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-Profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Druckersicherheit"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shellerweiterungen für Freigaben"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netzwerkverbindungen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netzwerkverbindungen"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanner und Kameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanner und Kameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanner und Kameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanner und Kameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanner und Kameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellerweiterungen für Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Datenverknüpfung"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplante Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskleiste und Startmenü"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Suchen"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ausführen..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-Mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Schriftarten"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Verwaltung"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Syntaxanalyse der Adressleiste"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begrüßungsbildschirm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-Cacheordner"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webpublishing-Assistent"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestellung von Abzügen über das Internet"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shellobjekt des Webpublishing-Assistenten"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Passport-Assistent"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Benutzerkonten"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channeldatei"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channelverknüpfung"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channelhandlerobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Ordner 'Offlinedateien'"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Webordner"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}"="ICQ Lite Shell Extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{330417E8-EF62-4047-82BE-D8305CEFF572}"="AMEncShlExt extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{C596B3D5-E784-4AE4-B607-2883E8873D2C}"=""
"{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}"=""
"{02669066-13BB-4737-8A05-E4DC8970DDDA}"=""
"{8ACABB60-FAEC-4934-9588-57B70C387958}"=""
"{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}"=""
"{D7DDD9DC-39D6-480F-AED6-B773867203A2}"=""
"{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}\InprocServer32]
@="C:\\WINDOWS\\system32\\SBDOCLC.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\UDLMON.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}\InprocServer32]
@="C:\\WINDOWS\\system32\\pZutoenr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}\InprocServer32]
@="C:\\WINDOWS\\system32\\wdnetmgr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcrd2x40.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}\InprocServer32]
@="C:\\WINDOWS\\system32\\dWdpmesh.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Fri 30 Dec 2005 22:42:04 A.... 687.592 671,48 K
aza8la~1.dll Fri 30 Dec 2005 22:41:16 ..S.R 236.359 230,82 K
bassmod.dll Sat 29 Oct 2005 17:33:36 A.... 34.308 33,50 K
c200lc~1.dll Mon 2 Jan 2006 1:00:14 ..S.R 235.664 230,14 K
dwdpmesh.dll Mon 2 Jan 2006 13:11:22 ..S.R 235.664 230,14 K
e4020e~1.dll Fri 30 Dec 2005 22:46:50 ..S.R 235.523 230,00 K
fpp803~1.dll Sun 1 Jan 2006 23:20:56 ..S.R 235.664 230,14 K
j2l4lc~1.dll Mon 2 Jan 2006 1:04:44 ..S.R 235.664 230,14 K
k2pmlc~1.dll Fri 30 Dec 2005 18:52:10 ..S.R 237.045 231,49 K
kt6ul7~1.dll Sat 31 Dec 2005 16:33:24 ..S.R 236.197 230,66 K
l8p2li~1.dll Fri 30 Dec 2005 21:21:04 ..S.R 235.771 230,24 K
lv4209~1.dll Fri 30 Dec 2005 22:41:22 ..S.R 235.164 229,65 K
lv6u09~1.dll Fri 30 Dec 2005 13:07:08 ..S.R 236.740 231,19 K
mcrd2x40.dll Sat 31 Dec 2005 13:31:22 ..S.R 236.197 230,66 K
mvj2l9~1.dll Mon 2 Jan 2006 0:53:32 ..S.R 235.664 230,14 K
n0l8la~1.dll Fri 30 Dec 2005 21:05:04 ..S.R 234.163 228,67 K
pzutoenr.dll Fri 30 Dec 2005 23:03:24 ..S.R 234.213 228,72 K
sbdoclc.dll Fri 30 Dec 2005 22:13:54 ..S.R 235.771 230,24 K
sirenacm.dll Thu 13 Oct 2005 0:11:06 A.... 118.784 116,00 K
wdnetmgr.dll Sat 31 Dec 2005 1:09:02 ..S.R 235.664 230,14 K

20 items found: 20 files (17 H/S), 0 directories.
Total of file sizes: 4.847.811 bytes 4,62 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Mon 2 Jan 2006 13:11:34 A.... 237.278 231,71 K

1 item found: 1 file, 0 directories.
Total of file sizes: 237.278 bytes 231,71 K
**********************************************************************************
Directory Listing of system files:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: E479-4804

Verzeichnis von C:\WINDOWS\System32

02.01.2006 13:11 235.664 dWdpmesh.dll
02.01.2006 01:04 235.664 j2l4lc3q1f.dll
02.01.2006 01:00 235.664 c200lcdm1f0a.dll
02.01.2006 00:53 235.664 mvj2l91o1.dll
01.01.2006 23:20 235.664 fpp8037ue.dll
31.12.2005 16:33 236.197 kt6ul7j91.dll
31.12.2005 13:31 236.197 mcrd2x40.dll
31.12.2005 01:09 235.664 wdnetmgr.dll
30.12.2005 23:03 234.213 pZutoenr.dll
30.12.2005 22:46 235.523 e4020edoeh0c0.dll
30.12.2005 22:41 235.164 lv4209hoe.dll
30.12.2005 22:41 236.359 aza8la3u1d.dll
30.12.2005 22:13 235.771 SBDOCLC.DLL
30.12.2005 21:21 235.771 l8p2li7o18.dll
30.12.2005 21:05 234.163 n0l8la3u1d.dll
30.12.2005 18:52 237.045 k2pmlc711f.dll
30.12.2005 13:17 <DIR> dllcache
30.12.2005 13:07 236.740 lv6u09j9e.dll
08.08.2005 12:16 56 0CC811A25F.sys
25.07.2005 16:49 <DIR> Microsoft
18 Datei(en) 4.007.183 Bytes
2 Verzeichnis(se), 2.864.566.272 Bytes frei
This post was edited on 02.01.2006 at 20:31 by cha0s.
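As an added example (my own code, not part of this thread and not L2MFix's own code): a Python triage pass over the report format posted above. It scores each Winlogon\Notify entry on two indicators visible in this report, an absolute DllName path and the generic WinLogon/WinLogoff/WinShutdown export names (the IPConfTSP and RunOnce entries show both, while the legitimate NavLogon entry only has the path), and lists the "Files Found" entries carrying the S and R attribute flags. The scoring thresholds are my heuristic, and the sample report is a constructed, trimmed excerpt in the same layout.

```python
"""Triage helper for an L2MFix find log (constructed example, not L2MFix code)."""
import re

NOTIFY_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]]+)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# One "Files Found" line: <8.3 name> <weekday> <d> <mon> <yyyy> <h:mm:ss> <attrs> <bytes> <size> K
FILE_RE = re.compile(
    r"^(\S+)\s+\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+"
    r"([A-Z.]{5})\s+([\d.]+)\s+\S+\s+K$")

# The two infected Notify entries in the posted report export exactly these names;
# stock packages export specific names such as WinlogonLogonEvent or SensLockEvent.
GENERIC_EVENTS = {"WinLogon", "WinLogoff", "WinShutdown"}
EVENT_VALUES = {"logon", "logoff", "shutdown", "startup", "startshell", "lock", "unlock"}

# Constructed sample: a trimmed excerpt in the same layout as the report above.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"DllName"="C:\\WINDOWS\\system32\\hr8m05l1e.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Fri 30 Dec 2005 22:42:04 A.... 687.592 671,48 K
aza8la~1.dll Fri 30 Dec 2005 22:41:16 ..S.R 236.359 230,82 K
mcrd2x40.dll Sat 31 Dec 2005 13:31:22 ..S.R 236.197 230,66 K
"""


def parse_notify(text):
    """Map each Winlogon\\Notify subkey to its quoted values (value names lower-cased)."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = NOTIFY_KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif line.startswith("["):        # any other key closes the current block
            current = None
        elif current is not None and (m := VALUE_RE.match(line)):
            entries[current][m.group(1).lower()] = m.group(2)   # hex(2) values are skipped
    return entries


def score_notify(values):
    """Heuristic score: +1 for an absolute DllName path (stock entries use a bare
    file name), +1 when every exported event is one of the generic l2m names."""
    dll = values.get("dllname", "").replace("\\\\", "\\")
    score = 1 if "\\" in dll else 0
    exports = {v for k, v in values.items() if k in EVENT_VALUES}
    if exports and exports <= GENERIC_EVENTS:
        score += 1
    return score, dll


def parse_files_found(text):
    """Return [(name, attribute flags, size in bytes)] from the 'Files Found' block."""
    found, active = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Files Found"):
            active = True
        elif active and line.startswith("*"):
            break
        elif active:
            m = FILE_RE.match(line)
            if m:                          # sizes use a '.' thousands separator
                found.append((m.group(1), m.group(2), int(m.group(3).replace(".", ""))))
    return found


def triage(text):
    """Summarise the report: suspicious Notify entries (highest score first) and the
    files carrying the S and R flags, which is how the adware DLLs are hidden."""
    suspicious = []
    for subkey, values in parse_notify(text).items():
        score, dll = score_notify(values)
        if score:
            suspicious.append((subkey, dll, score))
    files = parse_files_found(text)
    flagged = [name for name, attrs, _ in files if "S" in attrs and "R" in attrs]
    return {"notify": sorted(suspicious, key=lambda t: -t[2]),
            "hidden_files": flagged, "file_count": len(files)}
```

Run `triage(open("l2mfix.log").read())` on a saved report; a score of 1 (NavLogon above) only means "review", while a score of 2 matches the shape of both infected entries in this thread.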
02.01.2006, 21:40
Honorary member Sabina
Posts: 29434
#26 I want to see the report from after the reboot ;)
02.01.2006, 21:42
Member
Posts: 25
#27 But I think the virus is gone; at any rate, no other page opens any more

L2mfix Beta 122705
Creating Account.
Der Befehl wurde erfolgreich ausgeführt.

Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 608 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 692 'winlogon.exe'
Killing PID 692 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1136 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 508 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administratoren ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
moving: C:\WINDOWS\system32\aza8la3u1d.dll
Successfully Moved: C:\WINDOWS\system32\aza8la3u1d.dll
moving: C:\WINDOWS\system32\c200lcdm1f0a.dll
Successfully Moved: C:\WINDOWS\system32\c200lcdm1f0a.dll
moving: C:\WINDOWS\system32\dWdpmesh.dll
Successfully Moved: C:\WINDOWS\system32\dWdpmesh.dll
moving: C:\WINDOWS\system32\e4020edoeh0c0.dll
Successfully Moved: C:\WINDOWS\system32\e4020edoeh0c0.dll
moving: C:\WINDOWS\system32\fpp8037ue.dll
Successfully Moved: C:\WINDOWS\system32\fpp8037ue.dll
moving: C:\WINDOWS\system32\j2l4lc3q1f.dll
Successfully Moved: C:\WINDOWS\system32\j2l4lc3q1f.dll
moving: C:\WINDOWS\system32\k2pmlc711f.dll
Successfully Moved: C:\WINDOWS\system32\k2pmlc711f.dll
moving: C:\WINDOWS\system32\kt6ul7j91.dll
Successfully Moved: C:\WINDOWS\system32\kt6ul7j91.dll
moving: C:\WINDOWS\system32\l8p2li7o18.dll
Successfully Moved: C:\WINDOWS\system32\l8p2li7o18.dll
moving: C:\WINDOWS\system32\lv4209hoe.dll
Successfully Moved: C:\WINDOWS\system32\lv4209hoe.dll
moving: C:\WINDOWS\system32\lv6u09j9e.dll
Successfully Moved: C:\WINDOWS\system32\lv6u09j9e.dll
moving: C:\WINDOWS\system32\mcrd2x40.dll
Successfully Moved: C:\WINDOWS\system32\mcrd2x40.dll
moving: C:\WINDOWS\system32\mvj2l91o1.dll
Successfully Moved: C:\WINDOWS\system32\mvj2l91o1.dll
moving: C:\WINDOWS\system32\n0l8la3u1d.dll
Successfully Moved: C:\WINDOWS\system32\n0l8la3u1d.dll
moving: C:\WINDOWS\system32\pZutoenr.dll
Successfully Moved: C:\WINDOWS\system32\pZutoenr.dll
moving: C:\WINDOWS\system32\SBDOCLC.DLL
Successfully Moved: C:\WINDOWS\system32\SBDOCLC.DLL
moving: C:\WINDOWS\system32\wdnetmgr.dll
Successfully Moved: C:\WINDOWS\system32\wdnetmgr.dll
moving: C:\WINDOWS\system32\guard.tmp
Successfully Moved: C:\WINDOWS\system32\guard.tmp




Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr8m05l1e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\c200lcdm1f0a.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\aza8la3u1d.dll
C:\WINDOWS\system32\c200lcdm1f0a.dll
C:\WINDOWS\system32\dWdpmesh.dll
C:\WINDOWS\system32\e4020edoeh0c0.dll
C:\WINDOWS\system32\fpp8037ue.dll
C:\WINDOWS\system32\j2l4lc3q1f.dll
C:\WINDOWS\system32\k2pmlc711f.dll
C:\WINDOWS\system32\kt6ul7j91.dll
C:\WINDOWS\system32\l8p2li7o18.dll
C:\WINDOWS\system32\lv4209hoe.dll
C:\WINDOWS\system32\lv6u09j9e.dll
C:\WINDOWS\system32\mcrd2x40.dll
C:\WINDOWS\system32\mvj2l91o1.dll
C:\WINDOWS\system32\n0l8la3u1d.dll
C:\WINDOWS\system32\pZutoenr.dll
C:\WINDOWS\system32\SBDOCLC.DLL
C:\WINDOWS\system32\wdnetmgr.dll
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}\InprocServer32]
@="C:\\WINDOWS\\system32\\SBDOCLC.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\UDLMON.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}\InprocServer32]
@="C:\\WINDOWS\\system32\\pZutoenr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}\InprocServer32]
@="C:\\WINDOWS\\system32\\wdnetmgr.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcrd2x40.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}\InprocServer32]
@="C:\\WINDOWS\\system32\\dWdpmesh.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{C596B3D5-E784-4AE4-B607-2883E8873D2C}"=-
"{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}"=-
"{02669066-13BB-4737-8A05-E4DC8970DDDA}"=-
"{8ACABB60-FAEC-4934-9588-57B70C387958}"=-
"{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}"=-
"{D7DDD9DC-39D6-480F-AED6-B773867203A2}"=-
"{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}"=-
[-HKEY_CLASSES_ROOT\CLSID\{C596B3D5-E784-4AE4-B607-2883E8873D2C}]
[-HKEY_CLASSES_ROOT\CLSID\{BA657BD3-A787-45FE-A9BA-4DC80F2761ED}]
[-HKEY_CLASSES_ROOT\CLSID\{02669066-13BB-4737-8A05-E4DC8970DDDA}]
[-HKEY_CLASSES_ROOT\CLSID\{8ACABB60-FAEC-4934-9588-57B70C387958}]
[-HKEY_CLASSES_ROOT\CLSID\{E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89}]
[-HKEY_CLASSES_ROOT\CLSID\{D7DDD9DC-39D6-480F-AED6-B773867203A2}]
[-HKEY_CLASSES_ROOT\CLSID\{D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/aza8la3u1d.dll (188 bytes security) (deflated 5%)
adding: dlls/c200lcdm1f0a.dll (188 bytes security) (deflated 5%)
adding: dlls/dWdpmesh.dll (188 bytes security) (deflated 5%)
adding: dlls/e4020edoeh0c0.dll (188 bytes security) (deflated 5%)
adding: dlls/fpp8037ue.dll (188 bytes security) (deflated 5%)
adding: dlls/guard.tmp (188 bytes security) (deflated 6%)
adding: dlls/j2l4lc3q1f.dll (188 bytes security) (deflated 5%)
adding: dlls/k2pmlc711f.dll (188 bytes security) (deflated 5%)
adding: dlls/kt6ul7j91.dll (188 bytes security) (deflated 5%)
adding: dlls/l8p2li7o18.dll (188 bytes security) (deflated 5%)
adding: dlls/lv4209hoe.dll (188 bytes security) (deflated 5%)
adding: dlls/lv6u09j9e.dll (188 bytes security) (deflated 5%)
adding: dlls/mcrd2x40.dll (188 bytes security) (deflated 5%)
adding: dlls/mvj2l91o1.dll (188 bytes security) (deflated 5%)
adding: dlls/n0l8la3u1d.dll (188 bytes security) (deflated 4%)
adding: dlls/pZutoenr.dll (188 bytes security) (deflated 4%)
adding: dlls/SBDOCLC.DLL (188 bytes security) (deflated 5%)
adding: dlls/wdnetmgr.dll (188 bytes security) (deflated 5%)
adding: backregs/02669066-13BB-4737-8A05-E4DC8970DDDA.reg (188 bytes security) (deflated 70%)
adding: backregs/8ACABB60-FAEC-4934-9588-57B70C387958.reg (188 bytes security) (deflated 70%)
adding: backregs/BA657BD3-A787-45FE-A9BA-4DC80F2761ED.reg (188 bytes security) (deflated 69%)
adding: backregs/C596B3D5-E784-4AE4-B607-2883E8873D2C.reg (188 bytes security) (deflated 70%)
adding: backregs/D789D77C-4B3D-40DF-BE1D-97F5E4EEA17D.reg (188 bytes security) (deflated 70%)
adding: backregs/D7DDD9DC-39D6-480F-AED6-B773867203A2.reg (188 bytes security) (deflated 70%)
adding: backregs/E2B03CAA-6987-4D7C-82D6-BF58A6BDCD89.reg (188 bytes security) (deflated 69%)
adding: backregs/notibac.reg (188 bytes security) (deflated 88%)
adding: backregs/shell.reg (188 bytes security) (deflated 73%)
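The l2mfix dump above shows the persistence point this infection used: two Winlogon\Notify subkeys (IPConfTSP and RunOnce) load DLLs from system32 by absolute path under names like hr8m05l1e.dll and c200lcdm1f0a.dll (the latter also appears in the "files found" list), while the Windows notification packages in the same dump (wlnotify.dll, cscdll.dll, crypt32.dll, cryptnet.dll, sclgntfy.dll) are registered by bare file name. The Python script below is an added example for this thread, not code from l2mfix, the Look2Me Remover, or any tool linked here: it parses a .reg-style export like the one posted (including hex(2) UTF-16LE values split across continuation lines) and flags Notify entries whose DLL is not on an allow-list. The allow-list, the "random-looking name" heuristic and the sample input (constructed from entries in the dump) are assumptions of the example.

```python
"""Flag unexpected Winlogon\\Notify packages in a Windows .reg export.
Added example for this thread, not part of l2mfix or any linked tool;
the allow-list and naming heuristic are assumptions, not vendor logic."""
import re

# Constructed sample in the format of the l2mfix dump posted above: Windows
# packages, one third-party package (NavLogon) and the two system32 loaders.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"DllName"="C:\\WINDOWS\\system32\\hr8m05l1e.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"DllName"="C:\\WINDOWS\\system32\\c200lcdm1f0a.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
NOTIFY_MARKER = '\\winlogon\\notify\\'


def _join_continuations(text):
    """Re-join .reg lines that regedit wrapped with a trailing backslash."""
    joined, pending = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith('\\'):
            pending += line[:-1]
            continue
        joined.append(pending + line)
        pending = ''
    return joined


def decode_reg_value(raw):
    """Decode a quoted REG_SZ, a dword, or a hex(1)/hex(2) UTF-16LE string."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\')   # regedit doubles backslashes
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    m = re.fullmatch(r'hex(?:\((\d)\))?:(.*)', raw)
    if m and m.group(1) in ('1', '2'):            # REG_SZ / REG_EXPAND_SZ as bytes
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00')
    return raw                                    # anything else: keep as written


def parse_notify_entries(text):
    """Return {subkey: {value_name_lower: value}} for every Winlogon\\Notify key.
    Value names are lower-cased because the dump mixes "DllName" and "DLLName"."""
    entries, current = {}, None
    for line in _join_continuations(text):
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find(NOTIFY_MARKER)
            current = path[idx + len(NOTIFY_MARKER):] if idx >= 0 else None
            if current is not None:
                entries[current] = {}
            continue
        value = VALUE_RE.match(line)
        if current is not None and value:
            entries[current][value.group(1).lower()] = decode_reg_value(value.group(2))
    return entries


# Assumed allow-list built from the Windows packages visible in the dump above;
# on a real system derive it from a known-clean reference machine instead.
KNOWN_GOOD = {'wlnotify.dll', 'cscdll.dll', 'crypt32.dll', 'cryptnet.dll', 'sclgntfy.dll'}


def suspicious_notify_entries(text, known_good=KNOWN_GOOD):
    """List (subkey, dll, signals) for packages whose DLL is not allow-listed.
    Signals: absolute path (Windows registers its own packages by bare name) and
    a short letters-and-digits name. Both are heuristics and need human review."""
    findings = []
    for subkey, values in parse_notify_entries(text).items():
        dll = str(values.get('dllname', ''))
        base = dll.rsplit('\\', 1)[-1].lower()
        if base in known_good:
            continue
        signals = []
        if '\\' in dll:
            signals.append('absolute path')
        stem = base[:-4] if base.endswith('.dll') else base
        if re.fullmatch(r'[a-z0-9]{8,14}', stem) and re.search(r'\d', stem) and re.search(r'[a-z]', stem):
            signals.append('random-looking name')
        findings.append((subkey, dll, signals))
    return findings


if __name__ == '__main__':
    for subkey, dll, signals in suspicious_notify_entries(SAMPLE_REG):
        print(f'{subkey:<12} {dll}  [{", ".join(signals) or "not in allow-list"}]')
```

On the sample, IPConfTSP and RunOnce are reported with both signals, and NavLogon is reported with only "absolute path" because it is missing from the allow-list, which is the kind of result that needs a person to check (here it is a Norton component) rather than a verdict; the same script run over a dump that was not pre-filtered would also show how much noise the allow-list has to absorb.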
02.01.2006, 22:23
Honorary member

Posts: 29434
#28 scan with Panda and paste the scan report here
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina

all about PC security
02.01.2006, 23:40
Member

Posts: 25
#29 Incident Status Location

Adware:Adware/CommAd Not desinfected C:\WINDOWS\TWFya3Vz\command.exe
Adware:Adware/CommAd Not desinfected C:\WINDOWS\TWFya3Vz\asappsrv.dll
Adware:adware/commad Not desinfected C:\WINDOWS\SYSTEM32\atmtd.dll
Adware:adware/whenusearch Not desinfected C:\Dokumente und Einstellungen\Captain Chaos\Startmen\Programme\WhenU
Adware:adware/ist.istbar Not desinfected Windows Registry
Adware:Adware/Look2Me Not desinfected C:\!KillBox\dnns0157e.dll
Adware:Adware/Look2Me Not desinfected C:\!KillBox\j8l40i3qe8.dll
Adware:Adware/Look2Me Not desinfected C:\!KillBox\m4pole731h.dll
Adware:Adware/Sqwire Not desinfected C:\!KillBox\tsuninst.exe
Adware:Adware/Look2Me Not desinfected C:\!KillBox\UDLMON.DLL
Adware:Adware/nCase Not desinfected C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\816NW1YR\AppWrap[1].exe
Adware:Adware/nCase Not desinfected C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8XAV4PYB\AppWrap[1].exe
Adware:Adware/Look2Me Not desinfected C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8XAV4PYB\AppWrap[2].exe
Adware:Adware/CommAd Not desinfected C:\WINDOWS\TWFya3Vz\asappsrv.dll
Adware:Adware/CommAd Not desinfected C:\WINDOWS\TWFya3Vz\command.exe
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[aza8la3u1d.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[c200lcdm1f0a.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[dWdpmesh.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[e4020edoeh0c0.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[fpp8037ue.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[guard.tmp]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[j2l4lc3q1f.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[k2pmlc711f.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[kt6ul7j91.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[l8p2li7o18.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[lv4209hoe.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[lv6u09j9e.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[mcrd2x40.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[mvj2l91o1.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[n0l8la3u1d.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[pZutoenr.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[SBDOCLC.DLL]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\backup.zip[wdnetmgr.dll]
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\aza8la3u1d.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\c200lcdm1f0a.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\dWdpmesh.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\e4020edoeh0c0.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\fpp8037ue.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\guard.tmp
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\j2l4lc3q1f.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\k2pmlc711f.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\kt6ul7j91.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\l8p2li7o18.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\lv4209hoe.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\lv6u09j9e.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\mcrd2x40.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\mvj2l91o1.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\n0l8la3u1d.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\pZutoenr.dll
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\SBDOCLC.DLL
Adware:Adware/Look2Me Not desinfected D:\l2mfix\dlls\wdnetmgr.dll
03.01.2006, 00:05
Honorary member

Posts: 29434
#30 delete:

C:\WINDOWS\TWFya3Vz\command.exe
C:\WINDOWS\TWFya3Vz\asappsrv.dll
C:\WINDOWS\TWFya3Vz

C:\WINDOWS\SYSTEM32\atmtd.dll
C:\Dokumente und Einstellungen\Captain Chaos\Startmen\Programme\WhenU

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\816NW1YR

C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\8XAV4PYB

go to Control Panel --> Internet Options --> on the General tab, under Temporary Internet files, click Delete Files --> also tick Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings, confirming with Yes if prompted --> click Apply and finally OK

then empty C:\!KillBox

and delete: D:\l2mfix\backup.zip

Download the F-Secure beta trial
http://www.f-secure.com/blacklight/
double-click: blbeta.exe
after the check, click -- Next
you will now find a log file on the Desktop: paste it into your thread

-----------------------------------------------------
then scan with Panda once more
__________
Regards, Sabina

all about PC security