Win32.Nsag.a + "www.oneklicksearch.com"

20.06.2005, 13:15
Member

Posts: 31
#1 Hi, I already posted this in another thread where someone had a similar problem, but unfortunately I was ignored there, and I'm hoping to get a bit more attention here.

I have the virus named above and can't get rid of it. I constantly get a message about it from F-Secure (antivirus program), my computer acts up a bit, and I also get Windows' own warning messages etc. On top of that my Internet start page was changed automatically... I wanted to fix this problem with HijackThis, but it doesn't help. After every restart it is changed back. This page has the title "Your Home Page" or something like that, has the URL www.oneklicksearch.com and contains various links to antivirus and antispyware programs etc.

In the other thread I read that this Panda online scan might help, but when I try to start it, instead of the actual pop-up I just get that same page again.
What can I do now? Can anyone help me? I'm already pretty annoyed and don't want to reinstall the system.

Edit: oh yes, by the way, the infected file is wininet.dll, in case that helps at all!


The HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 07:26:38, on 20.06.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
D:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\msole32.exe
D:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\WINDOWS\System32\intmon.exe
D:\Programme\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Programme\F-Secure Internet Security\Common\FSM32.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Programme\Common\Bin\WinCinemaMgr.exe
D:\Programme\Netgear\wlancfg5.exe
D:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
D:\Programme\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
D:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
D:\Programme\F-Secure Internet Security\Common\FSMA32.EXE
c:\mfe\mfsql\bin\xsrvmfe.exe
D:\Programme\F-Secure Internet Security\Common\FSMB32.EXE
D:\Programme\F-Secure Internet Security\Anti-Virus\fssm32.exe
D:\Programme\F-Secure Internet Security\Common\FCH32.EXE
D:\Programme\F-Secure Internet Security\Common\FAMEH32.EXE
D:\Programme\F-Secure Internet Security\FSPC\fspc.exe
D:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe
D:\Programme\F-Secure Internet Security\Anti-Virus\fsav32.exe
D:\Programme\F-Secure Internet Security\FSGUI\fsguiexe.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
D:\Installationsdateien\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp7416.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: GMX Toolbar - {2D1DDD38-CE4D-459b-A01C-F11BC92D5B69} - D:\Programme\GMX Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IW ControlCenter] D:\Programme\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [F-Secure Manager] "D:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "D:\Programme\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "D:\Programme\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Programme\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: MA521 Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQ\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQ\ICQLite.exe
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95AC82C3-7178-4368-A15C-D6E046B2F063}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C298FC6F-D905-49F3-9F8E-584AED4C82E5}: NameServer = 192.189.51.195,192.189.51.19
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - D:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - D:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - D:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - D:\Programme\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Programme\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: MERANT XDB Server for MFE 2.5 - Unknown owner - c:\mfe\mfsql\bin\xsrvmfe.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
This post was edited by Hyphistos on 20.06.2005 at 13:18.
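Triage of the HijackThis log above by script. This is an added example, not part of the thread and not a HijackThis feature: a small Python parser that reads lines in the HijackThis 1.99 format and applies the checks a helper applies by eye (start/search URLs pointing off the allowlist, an extra executable on the system.ini Shell= line, a BHO loaded from a .tmp file under a hand-made CLSID, a system-looking binary started from the wrong directory, a broken LSP chain). The allowlist of legitimate hosts, the table of impersonated binaries (built from the fact that msmsgs.exe appears in this log both under \Messenger\ and in System32) and the DNS check on the O17 lines are assumptions of this example; the thread itself never acts on the O17 entries, and non-private resolvers there can simply be the ISP's, so that check only asks for verification. The sample lines are copied from the log above.

```python
import re
from ipaddress import ip_address
from typing import List, Tuple

# Hosts that are acceptable in R0/R1 start/search entries (assumed allowlist
# for this example; extend it for your own environment).
SAFE_URL_HOSTS = ("about:blank", "microsoft.com", "msn.com")

# Binaries that malware likes to impersonate, mapped to a path fragment the
# genuine copy must contain (assumed table; the Messenger case comes from the
# log above, where msmsgs.exe appears both under \Messenger\ and in System32).
IMPERSONATED = {"msmsgs.exe": "\\messenger\\"}

Finding = Tuple[str, str, str]  # (section, reason, offending line)


def _host(url: str) -> str:
    """Return the host part of a URL, or the value itself (e.g. about:blank)."""
    m = re.match(r"^(?:https?://)?([^/]+)", url.strip())
    return (m.group(1) if m else url).lower()


def _first_path(cmd: str) -> str:
    """Executable path of a Run value: "quoted path" args, or first token (unquoted paths with spaces are ambiguous)."""
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        sec = line.split(" - ", 1)[0]

        if sec in ("R0", "R1") and " = " in line:
            # Start page / search hijacks: flag any host not on the allowlist.
            host = _host(line.split(" = ", 1)[1])
            if not any(host == h or host.endswith("." + h) for h in SAFE_URL_HOSTS):
                findings.append((sec, f"start/search URL points to {host}", line))

        elif sec == "F2" and "Shell=" in line:
            # system.ini Shell= must be explorer.exe alone; extra names are autostarts.
            extra = [p.strip() for p in line.split("Shell=", 1)[1].split(",")
                     if p.strip().lower() != "explorer.exe"]
            if extra:
                findings.append((sec, f"extra shell executable(s) {extra}", line))

        elif sec == "O2":
            # Browser Helper Object: a DLL loaded from a .tmp file, or a CLSID that is
            # obviously hand-made (almost no distinct hex digits), is not a normal BHO.
            path = line.rsplit(" - ", 1)[1]
            clsid = re.search(r"\{([0-9A-Fa-f-]{36})\}", line)
            reasons = []
            if path.lower().endswith(".tmp"):
                reasons.append("BHO loaded from a .tmp file")
            if clsid and len(set(clsid.group(1).replace("-", "").upper())) <= 2:
                reasons.append("CLSID is not a generated GUID")
            if reasons:
                findings.append((sec, "; ".join(reasons), line))

        elif sec == "O4":
            # Registry Run values: a system-looking name running from the wrong place.
            m = re.match(r"^O4 - .*?: \[(.+?)\] (.+)$", line)
            if m:
                path = _first_path(m.group(2))
                base = path.rsplit("\\", 1)[-1].lower()
                need = IMPERSONATED.get(base)
                if need and need not in path.lower():
                    findings.append((sec, f"{base} running from {path} (genuine copy lives under {need})", line))

        elif sec == "O10" and "missing" in line.lower():
            findings.append((sec, "Winsock LSP chain references a missing DLL", line))

        elif sec == "O17" and "NameServer = " in line:
            # DNS servers outside private ranges: not proof of anything, but worth
            # checking against the ISP's resolvers (assumed check, see lead-in).
            servers = [s.strip() for s in line.split("NameServer = ", 1)[1].split(",")]
            public = [s for s in servers if not ip_address(s).is_private]
            if public:
                findings.append((sec, f"non-private DNS servers {public}, verify against ISP", line))
    return findings


# Sample input: lines copied from the HijackThis log in this thread, plus one
# benign O4 line from the same log as a control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp7416.tmp
O4 - HKLM\..\Run: [AtiPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{95AC82C3-7178-4368-A15C-D6E046B2F063}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C298FC6F-D905-49F3-9F8E-584AED4C82E5}: NameServer = 192.189.51.195,192.189.51.19
""".splitlines()

if __name__ == "__main__":
    for section, reason, offending in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {offending}")
```

On the sample the script flags twelve lines: the seven oneclicksearches entries, the msmsgs.exe appended to Shell=, the BHO in hp7416.tmp, the System32 copy of msmsgs.exe, the missing LSP DLL and the second adapter's resolvers; the about:blank entry, the ATI autostart, the real Messenger client and the 192.168.0.1 resolver pass.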
20.06.2005, 14:46
Honorary member
Sabina

Posts: 29434
#2 Hello@


•LSPfix.exe
http://www.spychecker.com/program/lspfix.html

tick "I know what I'm doing" --> Remove
and delete winsflt.dll
(you may have to move the dll from the left to the right)

#open HijackThis -->> button "Scan" -->> tick the entries -->> button "Fix checked" -->> restart the PC

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp7416.tmp
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab

Restart the PC


Download: rkfiles.zip
http://bilder.informationsarchiv.net/Nikitas_Tools/rkfiles.zip
--> unpack -->
go into Safe Mode
http://www.tu-berlin.de/www/software/virus/savemode.shtml
--> double-click (run) --> rkfiles.bat --> wait until
the DOS window closes (even if it takes a very long time ;) ---> post C:\log.txt

please work through this: silentrunner
http://virus-protect.org/silentrunner.html

•KillBox
http://bilder.informationsarchiv.net/Nikitas_Tools/KillBox.zip
Instructions (with pictures):
http://virus-protect.org/killbox.html

•Delete File on Reboot <-- tick

and click the red cross;
when asked "Do you want to reboot?" ----> click "no" and paste in the next one; only on the last one click "yes"

C:\wp.exe
C:\wp.bmp
C:\bws.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\system32\dprsx.dll
C:\Windows\system32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\system32\ole32vbs.exe
C:\Windows\system32\intmon.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\hp7416.tmp

Restart the PC

Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fixme.reg on the desktop with 'Save as'. Under file type choose 'All files'. You should now find this file on the desktop.

Quote

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-
"paint.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Restart the computer in Safe Mode (press F8 while booting).

Double-click the file "fixme.reg" on the desktop.

__________
Kind regards, Sabina

all about PC security
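Checking a .reg file before importing it. This is an added example, not part of the thread: a Python parser for the REGEDIT4 format that fixme.reg above uses. It lists what the file will do (delete a whole key with [-KEY], delete a value with "name"=-, set a value) and rejects two slips that creep into hand-typed files, a value name repeated before the data and whitespace after the equals sign, rather than relying on regedit's handling of a line it cannot parse. The sample is a shortened copy of the fixme.reg above with those two errors introduced on purpose; the corrected version is derived from it in code.

```python
import re
from typing import Dict, List, Tuple

Op = Tuple[str, str, str, str]   # (action, key, value name, data)

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]*)?)\]$")        # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')           # "name"=data or @=data
STRING_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')
DWORD_RE = re.compile(r"^dword:[0-9A-Fa-f]{8}$")
HEX_RE = re.compile(r"^hex(?:\([0-9a-fA-F]+\))?:[0-9A-Fa-f, \\]*$")


def parse_reg(text: str) -> Tuple[List[Op], List[str]]:
    """Return (operations, problems) for a .reg file; a line with a problem produces no op."""
    ops: List[Op] = []
    problems: List[str] = []
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        problems.append("line 1: missing REGEDIT4 / Windows Registry Editor header")
    key = None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":
                ops.append(("delete_key", key, "", ""))
            continue
        if key is None:
            problems.append(f"line {n}: value line outside any [key] section")
            continue
        m = VALUE_RE.match(line)
        if not m:
            problems.append(f"line {n}: not a key or value line: {line}")
            continue
        name = m.group(1) if m.group(1) else "(Default)"   # @ and "" both address the default value
        data = m.group(3)
        if data != data.strip():
            problems.append(f"line {n}: whitespace after '=' in {name!r}")
        elif data == "-":
            ops.append(("delete_value", key, name, ""))
        elif data.startswith(f'"{name}"='):
            problems.append(f"line {n}: value name {name!r} repeated before the data")
        elif STRING_RE.match(data) or DWORD_RE.match(data) or HEX_RE.match(data):
            ops.append(("set_value", key, name, data))
        else:
            problems.append(f"line {n}: unparseable data for {name!r}: {data}")
    return ops, problems


def summary(ops: List[Op]) -> Dict[str, int]:
    return {a: sum(1 for o in ops if o[0] == a) for a in ("delete_key", "delete_value", "set_value")}


# Constructed sample: a shortened fixme.reg with two deliberate errors on the
# "Search Bar" line (name typed twice) and the dword line (space after '=').
SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"paint.exe"=-
"winlogon.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Use Custom Search URL"= dword:00000000
"""

# The same file with both slips corrected.
FIXED = SAMPLE.replace('"Search Bar"="Search Bar"=', '"Search Bar"=').replace('"= dword:', '"=dword:')

if __name__ == "__main__":
    for label, text in (("as typed", SAMPLE), ("corrected", FIXED)):
        ops, problems = parse_reg(text)
        print(label, summary(ops), problems)
```

Run it on the file you are about to import; anything in the problems list is a line that would not do what you meant, and the summary tells you how many keys the file deletes outright, which is the part worth a second look before pressing Yes in regedit.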
20.06.2005, 15:19
Member

Thread starter

Posts: 31
#3 lol wow, now that's what I call a concrete and comprehensive guide... I had hoped it would be simpler, but many thanks for the effort, I'll work through it now ;-)
20.06.2005, 15:49
Honorary member
Sabina

Posts: 29434
#4 well... I hope it all works ;) ...these remote clean-ups... ;)
__________
Kind regards, Sabina

all about PC security
20.06.2005, 15:56
Member

Thread starter

Posts: 31
#5 what do you count as long for rkfiles?
it has now definitely been running for over 10 minutes without stirring at all... but it hasn't hung either.
it says:
1 file(s) copied.
The system cannot find the path specified.
0 file(s) copied.
1 file(s) copied.
Please wait....etc.

what does that mean, that it can't find the path? is that bad? *g*
20.06.2005, 15:57
Honorary member
Sabina

Posts: 29434
#6 yes, exactly... now wait, if need be... until tomorrow ;)

Quote

Please wait...

__________
Kind regards, Sabina

all about PC security
21.06.2005, 08:41
Member

Thread starter

Posts: 31
#7 so, I've now carried out everything.
at least this oneclicksearch problem should be solved; the correct start page comes up again.
but the virus is still on there (if it was supposed to disappear through these steps at all).

How do we go on now? Do the logs help at all, or what else can I try? please help

Here are the logs:

rkfiles:

C:\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\AWM226.exe: UPX!
C:\WINDOWS\system32\msmsgs.exe: FSG!
C:\WINDOWS\system32\msole32.exe: FSG!
C:\WINDOWS\system32\OLE32VBS.0XE: FSG!
C:\WINDOWS\system32\ole32vbs.exe: FSG!
C:\WINDOWS\system32\SHNLOG.0XE: FSG!
C:\WINDOWS\system32\shnlog.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\oembios.bin: qPEc2H
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\oembios.bin: qPEc2H

Files Found in all users startup Folder............
------------------------
C:\WINDOWS\system32\AWM226.exe: UPX!
C:\WINDOWS\system32\msmsgs.exe: FSG!
C:\WINDOWS\system32\msole32.exe: FSG!
C:\WINDOWS\system32\OLE32VBS.0XE: FSG!
C:\WINDOWS\system32\ole32vbs.exe: FSG!
C:\WINDOWS\system32\SHNLOG.0XE: FSG!
C:\WINDOWS\system32\shnlog.exe: FSG!
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\daemon.dll: UPX!
C:\WINDOWS\popuper.exe: FSG!
Finished
bye


Silentrunner:

"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"paint.exe" = "shnlog.exe" [null data]
"winlogon.exe" = "msole32.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "D:\Programme\Java\j2re1.4.2_06\bin\jusched.exe" [null data]
"IW ControlCenter" = "D:\Programme\InstantCDDVD\InstantWrite\iwctrl.exe" ["Pinnacle Systems, Inc."]
"PinnacleDriverCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]
"AtiPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"(Default)" = (empty string)
"SSC_UserPrompt" = "C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"F-Secure Manager" = ""D:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]
"F-Secure TNB" = ""D:\Programme\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]
"F-Secure Startup Wizard" = ""D:\Programme\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Programme\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\(Default) = "VMHomepage Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hp213B.tmp" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]
"{B048C570-6186-11d4-A79B-00C04F9106CD}" = "My Mainframe 2.5"
-> {CLSID}\InProcServer32\(Default) = "c:\mfe\mfide\bin\mfmvsns.dll" ["COMPANY_NAME"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\WinRAR\rarext.dll" [null data]
"{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
"{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
"{F5D92344-0A64-11D0-9956-0000E8096023}" = "InstantWrite Shellextension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\iwshex.dll" ["Pinnacle Systems, Inc."]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b2 (beta test) Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b2 (beta test) DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b2 (beta test) Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b2 (beta test) Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\ICQ\ICQLiteShell.dll" [empty string]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Hyphistos\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Hyphistos" & "All Users" startup folders:
-----------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"InterVideo WinCinema Manager" -> shortcut to: "D:\Programme\Common\Bin\WinCinemaMgr.exe" ["InterVideo Inc."]
"MA521 Configuration Utility" -> shortcut to: "D:\Programme\Netgear\wlancfg5.exe" [empty string]
"Microsoft Office" -> shortcut to: "D:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Scheduled scanning task" -> launches: "D:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=D:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt " ["F-Secure Corporation"]
"Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2D1DDD38-CE4D-459B-A01C-F11BC92D5B69}" = "GMX Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\GMX Toolbar\toolbar.dll" ["GMX GmbH"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2D1DDD38-CE4D-459B-A01C-F11BC92D5B69}" = "GMX Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\GMX Toolbar\toolbar.dll" ["GMX GmbH"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{200DB664-75B5-47C0-8B45-A44ACCF73C00}\
"ButtonText" = "Webfilter"
"CLSIDExtension" = "{D68926FD-18FD-4B0E-A1C7-917D13FAB760}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{200DB664-75B5-47C0-8B45-A44ACCF73F01}\
"MenuText" = "Website-&Liste anzeigen"
"CLSIDExtension" = "{CF06A44B-19DA-4eac-B7CF-4AB0198DD959}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{200DB664-75B5-47C0-8B45-A44ACCF73F02}\
"MenuText" = "Webseitenfilter &aussetzen"
"CLSIDExtension" = "{878137C3-9DAC-4a48-9625-78A054E86C1E}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{200DB664-75B5-47C0-8B45-A44ACCF73F03}\
"MenuText" = "Diese Website &sperren"
"CLSIDExtension" = "{A7FC740A-AC46-46d2-9262-E368D619AD17}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{200DB664-75B5-47C0-8B45-A44ACCF73F04}\
"MenuText" = "Diese Website &zulassen"
"CLSIDExtension" = "{C459289E-2150-486b-8556-12C706799CAC}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "D:\Programme\ICQ\ICQLite.exe" ["ICQ Ltd."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Update, AVWUpSrv, ""D:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""D:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"]
F-Secure Gatekeeper Handler Starter, F-Secure Gatekeeper Handler Starter, ""D:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe"" ["F-Secure Corp."]
F-Secure HTTP Server, fshttps, ""D:\Programme\F-Secure Internet Security\FSPC\fshttps\fshttps.exe"" ["F-Secure Corporation"]
F-Secure Management Agent, FSMA, ""D:\Programme\F-Secure Internet Security\Common\FSMA32.EXE"" ["F-Secure Corporation"]
fsbwsys, fsbwsys, ""D:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe"" ["F-Secure Corp."]
MERANT XDB Server for MFE 2.5, MERANT XDB Server for MFE 2.5, ""c:\mfe\mfsql\bin\xsrvmfe.exe"" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
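What a scan like rkfiles does, and why dfrg.msc and oembios.bin show up in its output. This is an added example, not the batch file from the thread: a Python scan that looks for packer tags first the way a plain substring search does and then with a check tied to the file format. The tag list (UPX!, FSG!, PEC2) is an assumption of this example; the log above shows UPX! and FSG! hits, and its two false positives each contain the substring "PEc2", which is what a case-insensitive search for the PECompact tag matches in arbitrary data. The sample files are constructed in code: a minimal PE image with UPX section names and a UPX! tag, a plain-text file with "wGpEc213" in it, and an unpacked PE.

```python
import struct
from typing import Dict, List

# Packer tags to look for (assumed list for this example: UPX!/FSG! come from the
# rkfiles output in this thread, PEC2 is the PECompact tag).
MARKERS = {b"UPX!": "UPX", b"FSG!": "FSG", b"PEC2": "PECompact"}
# Section names packers leave behind (assumed; UPX0/UPX1 are UPX's usual names).
PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX"}


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def section_names(data: bytes) -> List[bytes]:
    """Read the section table names from a PE image (caller checks is_pe first)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]            # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]       # COFF SizeOfOptionalHeader
    table = pe + 24 + opt_size                                  # first IMAGE_SECTION_HEADER
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(nsec)]


def scan_naive(data: bytes) -> List[str]:
    """Substring search over the whole file, case-insensitive, whatever the file is."""
    low = data.lower()
    return [tag for marker, tag in MARKERS.items() if marker.lower() in low]


def scan_strict(data: bytes) -> List[str]:
    """Only report tags inside a real PE image, case-sensitively, plus packer section names."""
    if not is_pe(data):
        return []
    hits = [tag for marker, tag in MARKERS.items() if marker in data]
    for name in section_names(data):
        tag = PACKER_SECTIONS.get(name)
        if tag and tag not in hits:
            hits.append(tag)
    return hits


def classify(data: bytes) -> Dict[str, List[str]]:
    return {"naive": scan_naive(data), "strict": scan_strict(data)}


def build_min_pe(names: List[bytes], tail: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE32 image with the given section names."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                             # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)     # magic PE32, rest zeroed
    sections = b"".join(n.ljust(8, b"\0")[:8] + b"\0" * 32 for n in names)
    return dos + coff + opt + sections + tail


# Constructed samples, not files from the infected machine.
PACKED_PE = build_min_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0" * 16 + b"UPX!" + b"\0" * 32)
CLEAN_PE = build_min_pe([b".text", b".data"], b"\0" * 64)
MMC_TEXT = b'<?xml version="1.0"?><MMC_ConsoleFile><String ID="1">wGpEc213</String></MMC_ConsoleFile>'

if __name__ == "__main__":
    for label, blob in (("packed PE", PACKED_PE), ("clean PE", CLEAN_PE), ("dfrg.msc-like text", MMC_TEXT)):
        print(f"{label:20s} naive={scan_naive(blob)} strict={scan_strict(blob)}")
```

The naive pass reports the text file as PECompact-packed; the strict pass does not, because a packer tag only means something inside an executable image. A packed binary is reported by both, so the stricter check costs nothing on the hits you actually care about.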
21.06.2005, 09:51
Honorary member
Sabina

Posts: 29434
#8 Hello@

Go into the registry

Start --> Run --> regedit

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\


delete:

"paint.exe" = "shnlog.exe"
"winlogon.exe" = "msole32.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

delete:

{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\(Default) = "VMHomepage Class"
{CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hp213B.tmp"

close the registry

•KillBox
http://bilder.informationsarchiv.net/Nikitas_Tools/KillBox.zip
Instructions (with pictures):
http://virus-protect.org/killbox.html

•Delete File on Reboot <-- tick

and click the red cross;
when asked "Do you want to reboot?" ----> click "no" and paste in the next one; only on the last one click "yes"

C:\Windows\system32\hhk.dll
C:\WINDOWS\System32\hp213B.tmp
C:\WINDOWS\System32\AWM226.exe
C:\WINDOWS\system32\msmsgs.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\OLE32VBS.0XE
C:\WINDOWS\system32\ole32vbs.exe
C:\WINDOWS\system32\SHNLOG.0XE
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\popuper.exe

Restart the PC


CCleaner --> delete all *temp files
http://virus-protect.org/temp.html



------------------
+ post the new HijackThis log ;)

-------------------

C:\WINDOWS\system32\AWM226.exe ("Trojan.Win32.Dialer.hk"/ Adware:Adware/Popuper )
__________
Kind regards, Sabina

all about PC security
21.06.2005, 12:02
Member

Thread starter

Posts: 31
#9 please excuse my stupidity, but I have the registry editor in front of me for the first time in my life and can't find any HKLM there

I have a folder with HKEY_LOCAL_MACHINE, which I first thought HKLM might be the abbreviation for, but I can't find a "Current Version" in the Microsoft folder there

as I said, sorry for my ignorance, how exactly do I get there?

I only have:
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
21.06.2005, 13:00
Honorary member
Sabina

Posts: 29434
#10 HKEY_LOCAL_MACHINE\
click
SOFTWARE\
click
Microsoft\
click
Windows\
click
CurrentVersion\
click
Policies\
click
Explorer\
click
Run\

"paint.exe" = "shnlog.exe"
"winlogon.exe" = "msole32.exe"

__________
Kind regards, Sabina

all about PC security
21.06.2005, 13:47
Member

Thread starter

Posts: 31
#11 ok sorry, my mistake...
so I've got the folder now, but I don't know where I'm supposed to change anything there; there's only one entry named (Default) in it, and I can't open it or do anything else with it
21.06.2005, 16:40
Honorary member
Sabina

Posts: 29434
#12 well then..... delete all the files I listed with the Killbox, post the new HijackThis log

and please scan once more with Silentrunners.
__________
Kind regards, Sabina

all about PC security
21.06.2005, 19:55
Member

Thread starter

Posts: 31
#13 Sorry if I'm being somehow clumsy about this... you seem a bit impatient... I'm sorry about that.

So here is my HijackThis log (strangely, oneklicksearch is still in there, even though I don't actually have the problem anymore):

Logfile of HijackThis v1.99.1
Scan saved at 19:49:51, on 21.06.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
D:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\Explorer.EXE
D:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
D:\Programme\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
D:\Programme\F-Secure Internet Security\Common\FSM32.EXE
C:\WINDOWS\System32\ctfmon.exe
D:\Programme\Common\Bin\WinCinemaMgr.exe
D:\Programme\Netgear\wlancfg5.exe
D:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
D:\Programme\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
D:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
D:\Programme\F-Secure Internet Security\Common\FSMA32.EXE
c:\mfe\mfsql\bin\xsrvmfe.exe
D:\Programme\F-Secure Internet Security\Common\FSMB32.EXE
D:\Programme\F-Secure Internet Security\Anti-Virus\fssm32.exe
D:\Programme\F-Secure Internet Security\Common\FCH32.EXE
D:\Programme\F-Secure Internet Security\Common\FAMEH32.EXE
D:\Programme\F-Secure Internet Security\FSPC\fspc.exe
D:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe
D:\Programme\F-Secure Internet Security\Anti-Virus\fsav32.exe
D:\Programme\F-Secure Internet Security\FSGUI\fsguiexe.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
D:\Installationsdateien\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.at/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: GMX Toolbar - {2D1DDD38-CE4D-459b-A01C-F11BC92D5B69} - D:\Programme\GMX Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [IW ControlCenter] D:\Programme\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [F-Secure Manager] "D:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "D:\Programme\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "D:\Programme\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Programme\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: MA521 Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Website-&Liste anzeigen - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Webseitenfilter &aussetzen - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &sperren - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Diese Website &zulassen - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQ\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQ\ICQLite.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95AC82C3-7178-4368-A15C-D6E046B2F063}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C298FC6F-D905-49F3-9F8E-584AED4C82E5}: NameServer = 192.189.51.195,192.189.51.19
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: F-Secure Internet Security 2005 (BackWeb Plug-in - 4476822) - Unknown owner - D:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - D:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - D:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - D:\Programme\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Programme\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: MERANT XDB Server for MFE 2.5 - Unknown owner - c:\mfe\mfsql\bin\xsrvmfe.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe


And here the one from Silent Runners:

"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "D:\Programme\Java\j2re1.4.2_06\bin\jusched.exe" [null data]
"IW ControlCenter" = "D:\Programme\InstantCDDVD\InstantWrite\iwctrl.exe" ["Pinnacle Systems, Inc."]
"PinnacleDriverCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]
"AtiPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"(Default)" = (empty string)
"SSC_UserPrompt" = "C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"F-Secure Manager" = ""D:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]
"F-Secure TNB" = ""D:\Programme\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]
"F-Secure Startup Wizard" = ""D:\Programme\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Programme\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]
"{B048C570-6186-11d4-A79B-00C04F9106CD}" = "My Mainframe 2.5"
-> {CLSID}\InProcServer32\(Default) = "c:\mfe\mfide\bin\mfmvsns.dll" ["COMPANY_NAME"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\WinRAR\rarext.dll" [null data]
"{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
"{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
"{F5D92344-0A64-11D0-9956-0000E8096023}" = "InstantWrite Shellextension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\iwshex.dll" ["Pinnacle Systems, Inc."]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b2 (beta test) Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b2 (beta test) DragDrop Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b2 (beta test) Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6b2 (beta test) Property Sheet Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\WinAce\arcext.dll" ["e-merge GmbH"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\ICQ\ICQLiteShell.dll" [empty string]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Hyphistos\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Hyphistos" & "All Users" startup folders:
-----------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"InterVideo WinCinema Manager" -> shortcut to: "D:\Programme\Common\Bin\WinCinemaMgr.exe" ["InterVideo Inc."]
"MA521 Configuration Utility" -> shortcut to: "D:\Programme\Netgear\wlancfg5.exe" [empty string]
"Microsoft Office" -> shortcut to: "D:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Scheduled scanning task" -> launches: "D:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=D:\PROGRA~1\F-SECU~1\ANTI-V~1\report.txt " ["F-Secure Corporation"]
"Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2D1DDD38-CE4D-459B-A01C-F11BC92D5B69}" = "GMX Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\GMX Toolbar\toolbar.dll" ["GMX GmbH"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2D1DDD38-CE4D-459B-A01C-F11BC92D5B69}" = "GMX Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\GMX Toolbar\toolbar.dll" ["GMX GmbH"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{200DB664-75B5-47C0-8B45-A44ACCF73C00}\
"ButtonText" = "Webfilter"
"CLSIDExtension" = "{D68926FD-18FD-4B0E-A1C7-917D13FAB760}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{200DB664-75B5-47C0-8B45-A44ACCF73F01}\
"MenuText" = "Website-&Liste anzeigen"
"CLSIDExtension" = "{CF06A44B-19DA-4eac-B7CF-4AB0198DD959}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{200DB664-75B5-47C0-8B45-A44ACCF73F02}\
"MenuText" = "Webseitenfilter &aussetzen"
"CLSIDExtension" = "{878137C3-9DAC-4a48-9625-78A054E86C1E}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{200DB664-75B5-47C0-8B45-A44ACCF73F03}\
"MenuText" = "Diese Website &sperren"
"CLSIDExtension" = "{A7FC740A-AC46-46d2-9262-E368D619AD17}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{200DB664-75B5-47C0-8B45-A44ACCF73F04}\
"MenuText" = "Diese Website &zulassen"
"CLSIDExtension" = "{C459289E-2150-486b-8556-12C706799CAC}"
-> {CLSID}\InProcServer32\(Default) = "D:\Programme\F-Secure Internet Security\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "D:\Programme\ICQ\ICQLite.exe" ["ICQ Ltd."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Update, AVWUpSrv, ""D:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""D:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"]
F-Secure Gatekeeper Handler Starter, F-Secure Gatekeeper Handler Starter, ""D:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe"" ["F-Secure Corp."]
F-Secure HTTP Server, fshttps, ""D:\Programme\F-Secure Internet Security\FSPC\fshttps\fshttps.exe"" ["F-Secure Corporation"]
F-Secure Management Agent, FSMA, ""D:\Programme\F-Secure Internet Security\Common\FSMA32.EXE"" ["F-Secure Corporation"]
fsbwsys, fsbwsys, ""D:\Programme\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe"" ["F-Secure Corp."]
MERANT XDB Server for MFE 2.5, MERANT XDB Server for MFE 2.5, ""c:\mfe\mfsql\bin\xsrvmfe.exe"" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
21.06.2005, 22:24
Honorary member
Sabina

Posts: 29434
#14 Hello @

I'm never impatient ;)

Fix with HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/


Read on this page where you have to click to delete the temp files (with the Killbox ;) (Tools -- Delete Temp Files)

http://virus-protect.org/killbox.html

Quote

Download pfind
http://www.bleepingcomputer.com/files/pfind.php

extract the files to a folder of there own, a good place would be C:\Pfind, open the folder and run pfind.bat

post the log Pfind produced C:\pfind.txt
+

Please scan once more with: rkfiles.zip

+

• CWShredder (scan 2 times in Safe Mode !!!)
http://virus-protect.org/antispywaretools.html
* Double-click on CWShredder.exe.
DURING the scan ALL other applications must be closed and all browser windows must be shut!
* Click "Fix ->" and click "OK"
* Let CWShredder scan
* Click "Next->" and then "Exit".
Log --> "make Report" --> please post
__________
Kind regards, Sabina

all about PC security
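As an added example (not code from this thread, from HijackThis or from any of the tools named here), the check an analyst does by eye on the log above, written as a short Python script: it flags R0/R1 lines whose URL points outside an allow-list of hosts and O4 autostarts that launch one of the file names named as malicious earlier in the thread. The allow-list, the bad-file list and the sample log lines are constructed for the example; the O4 Policies\Explorer\Run line is assumed and not taken from the posted log.

```python
"""Flag suspicious entries in a HijackThis v1.99 log.

Added example, not code from this thread or from HijackThis itself.
"""
import re
from urllib.parse import urlparse

# Hosts an analyst would accept for the IE start/search settings: the
# IE 6 defaults plus the start page the poster chose himself (gmx.at).
# Assumption for the example; extend it per machine.
ALLOWED_HOSTS = {
    "www.microsoft.com", "search.msn.com", "ie.search.msn.com", "www.gmx.at",
}

# Autostart file names that were named as malicious earlier in this thread.
KNOWN_BAD_FILES = {
    "shnlog.exe", "msole32.exe", "intmon.exe", "popuper.exe",
    "ole32vbs.exe", "awm226.exe",
}

# "R1 - HKCU\...\Main,Default_Search_URL = http://..." -> (type, key, setting, value)
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.*)$")
# "O4 - HKLM\..\Run: [Name] command line" -> (key, name, command)
O4_LINE = re.compile(r"^O4 - (.+?): \[(.*?)\] (.*)$")
# First *.exe token in a command line, quoted or not.
EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)

# Constructed sample: lines taken from the log above plus one assumed O4 line
# for the Policies\Explorer\Run value the thread says to remove.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.at/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "D:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Policies\Explorer\Run: [paint.exe] C:\WINDOWS\System32\shnlog.exe
""".strip().splitlines()


def hijacked_ie_settings(lines):
    """Return (setting, url) for R0/R1 entries whose host is not allow-listed."""
    hits = []
    for line in lines:
        m = R_LINE.match(line.strip())
        if not m:
            continue
        _type, _key, setting, value = m.groups()
        url = urlparse(value)
        if url.scheme not in ("http", "https"):
            continue  # about:blank, blank.htm and similar local values
        if url.hostname not in ALLOWED_HOSTS:
            hits.append((setting, value))
    return hits


def suspicious_autostarts(lines):
    """Return (key, name, command) for O4 entries launching a known bad file."""
    hits = []
    for line in lines:
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        key, name, command = m.groups()
        exe = EXE_NAME.search(command)
        if exe and exe.group(1).lower() in KNOWN_BAD_FILES:
            hits.append((key, name, command))
    return hits


def triage(lines):
    """Combine both checks into one report dict."""
    return {
        "ie_hijacks": hijacked_ie_settings(lines),
        "bad_autostarts": suspicious_autostarts(lines),
    }


if __name__ == "__main__":
    for section, entries in triage(SAMPLE_LOG).items():
        print(section)
        for entry in entries:
            print("  ", " | ".join(entry))
```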
22.06.2005, 11:21
Member

Thread starter

Posts: 31
#15 So, worked through everything again, and here now the latest logs... I hope they help in some way:


PFIND:

Files found with this application may be legitimate.
Only remove files that you know are malware related.
Checking the C:\WINDOWS folder
C:\WINDOWS\daemon.dll: UPX!


Checking the C:\WINDOWS\SYSTEM32 folder


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder


Checking the C:\Dokumente und Einstellungen\All Users\Start Menu\programs\Startup\ folder



Checking the C:\Dokumente und Einstellungen\All Users\Application Data folder



Checking the C:\Dokumente und Einstellungen\Hyphistos\Start Menu\programs\Startup\ folder



Checking the C:\Dokumente und Einstellungen\Hyphistos\Application Data folder


RKFILES:

D:\Installationsdateien\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\oembios.bin: qPEc2H
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\oembios.bin: qPEc2H

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\daemon.dll: UPX!
Finished
bye


AND HERE THE CWSHREDDER ONE TOO:

**** Run Keys ****

RUN: [SunJavaUpdateSched] D:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
RUN: [IW ControlCenter] D:\Programme\InstantCDDVD\InstantWrite\iwctrl.exe
RUN: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
RUN: [AtiPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
RUN: []
RUN: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
RUN: [ATIModeChange] Ati2mdxx.exe
RUN: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
RUN: [F-Secure Manager] "D:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash
RUN: [F-Secure TNB] "D:\Programme\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
RUN: [F-Secure Startup Wizard] "D:\Programme\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
RUN: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE


**** Browser Helper Objects ****



**** IE Toolbars ****

TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx
TOOLBAR: [GMX Toolbar] D:\Programme\GMX Toolbar\toolbar.dll
TOOLBAR: [&Google] c:\programme\google\googletoolbar1.dll


**** IE Extensions ****

IEExt: [Web Browser Applet Control] C:\WINDOWS\System32\msjava.dll
IEExt: [Webfilter] C:\WINDOWS\System32\msjava.dll
IEExt: [Webfilter] C:\WINDOWS\System32\msjava.dll
IEExt: [Webfilter] C:\WINDOWS\System32\msjava.dll
IEExt: [Webfilter] C:\WINDOWS\System32\msjava.dll
IEExt: [Webfilter] C:\WINDOWS\System32\msjava.dll
IEExt: [ICQ Lite] D:\Programme\ICQ\ICQLite.exe


**** Hosts File Entries ****

HOSTS: 127.0.0.1 localhost
HOSTS: 127.0.0.1 localhost


**** IE Settings ****

Default Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default Search: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Bar: http://search.msn.com/spbasic.htm
Search Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch


**** IE Context Menu (Right click) ****



**** Layered Service Providers ****

LSP: MSAFD Irda [IrDA]
LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{95AC82C3-7178-4368-A15C-D6E046B2F063}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{95AC82C3-7178-4368-A15C-D6E046B2F063}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C298FC6F-D905-49F3-9F8E-584AED4C82E5}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C298FC6F-D905-49F3-9F8E-584AED4C82E5}] DATAGRAM 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FB2BE046-582F-4D6C-B82C-893D2AA6952C}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FB2BE046-582F-4D6C-B82C-893D2AA6952C}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7CA95C44-25C2-45A2-867F-B7E5791E7201}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7CA95C44-25C2-45A2-867F-B7E5791E7201}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{114FFDED-689F-448B-8C7A-E46DA202582D}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{114FFDED-689F-448B-8C7A-E46DA202582D}] DATAGRAM 3


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

DirectAnimation Java Classes [file://C:\WINDOWS\Java\classes\dajava.cab]
Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]
{166B1BCA-3F9C-11CF-8075-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab]
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} [http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab] C:\WINDOWS\Downloaded Program Files\ecmldr32.dll C:\WINDOWS\Downloaded Program Files\navapi.vxd C:\WINDOWS\Downloaded Program Files\navapi32.dll C:\WINDOWS\Downloaded Program Files\avsniffdlgs.dll C:\WINDOWS\Downloaded Program Files\avsniff.dll
{33564D57-9980-0010-8000-00AA00389B71} [http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab]
{644E432F-49D3-41A1-8DD5-E099162EEEC5} [http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab]
{8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab]
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} [http://www.pandasoftware.com/activescan/as5/asinst.cab]
{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} [http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab]


**** Windows Services ****



**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
SEARCH: [Default_Search_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Search Page] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Search Bar] http://search.msn.com/spbasic.htm
IEOPT: [Use Custom Search URL]
IEOPT: [Default_Page_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
IEOPT: [Default_Search_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Search Page] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no