AdWare.Lop infection caused by: MessengerPlus3

23.10.2005, 22:25
Member

Posts: 47
#16

I think I found it:


--------------------------------------------------
-------------------- INFECTED --------------------
--------------------------------------------------

1: Sun Oct 23 18:00:06 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
2: Sun Oct 23 18:00:07 2005 => System found infected with hijackthis Spyware/Adware ({771a1334-6b08-4a6b-aedc-cf994ba2cebe})! Action taken: No Action Taken.
3: Sun Oct 23 18:00:07 2005 => System found infected with bearshare Spyware/Adware ({5f95e1af-2620-4f15-bdf9-7fdce4607e17})! Action taken: No Action Taken.
4: Sun Oct 23 18:00:07 2005 => System found infected with bearshare Spyware/Adware ({905d0df2-3a0a-4d94-853c-54a12a745905})! Action taken: No Action Taken.
5: Sun Oct 23 18:00:07 2005 => System found infected with istsvc Spyware/Adware ({db447818-96b4-40df-8a55-720da496f514})! Action taken: No Action Taken.
6: Sun Oct 23 18:00:07 2005 => System found infected with dyfuca Spyware/Adware ({aa4939c3-deca-4a48-a454-97cd587c0ef5})! Action taken: No Action Taken.
7: Sun Oct 23 18:00:07 2005 => System found infected with istsvc Spyware/Adware ({bf06da8e-2beb-4816-9bbd-f7625246e245})! Action taken: No Action Taken.
8: Sun Oct 23 18:00:07 2005 => System found infected with dyfuca Spyware/Adware ({eee4a2e5-9f56-432f-a6ed-f6f625b551e0})! Action taken: No Action Taken.
9: Sun Oct 23 18:00:12 2005 => Offending file found: C:\WINDOWS\DOWNLO~1\winadservx.dll
10: Sun Oct 23 18:00:12 2005 => System found infected with winad Spyware/Adware (winadservx.dll)! Action taken: No Action Taken.
11: Sun Oct 23 18:00:12 2005 => Offending file found: C:\WINDOWS\system32\vp.dat
12: Sun Oct 23 18:00:12 2005 => System found infected with deskad.service Spyware/Adware (vp.dat)! Action taken: No Action Taken.
13: Sun Oct 23 18:00:15 2005 => Offending file found: C:\Dokumente und Einstellungen\razor\Anwendungsdaten\microsoft\internet explorer\quick launch\bearshare downloads.lnk
14: Sun Oct 23 18:00:15 2005 => System found infected with bearshare Spyware/Adware (bearshare downloads.lnk)! Action taken: No Action Taken.
15: Sun Oct 23 18:00:15 2005 => Offending file found: C:\Dokumente und Einstellungen\razor\Anwendungsdaten\microsoft\internet explorer\quick launch\bearshare.lnk
16: Sun Oct 23 18:00:15 2005 => System found infected with bearshare Spyware/Adware (bearshare.lnk)! Action taken: No Action Taken.
17: Sun Oct 23 18:00:16 2005 => Offending file found: C:\Dokumente und Einstellungen\razor\Favoriten\fun & games\games.lnk
18: Sun Oct 23 18:00:16 2005 => System found infected with hotbar Spyware/Adware (games.lnk)! Action taken: No Action Taken.
19: Sun Oct 23 18:00:19 2005 => Offending file found: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\bearshare.lnk
20: Sun Oct 23 18:00:19 2005 => System found infected with bearshare Spyware/Adware (bearshare.lnk)! Action taken: No Action Taken.
21: Sun Oct 23 18:00:19 2005 => Offending file found: C:\Dokumente und Einstellungen\All Users\Startmenü\programme\bearshare.lnk
22: Sun Oct 23 18:00:19 2005 => System found infected with bearshare Spyware/Adware (bearshare.lnk)! Action taken: No Action Taken.
23: Sun Oct 23 18:00:20 2005 => Offending file found: C:\WINDOWS\iun6002.exe
24: Sun Oct 23 18:00:20 2005 => System found infected with zipitpro Spyware/Adware (C:\WINDOWS\iun6002.exe)! Action taken: No Action Taken.
25: Sun Oct 23 18:15:55 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
26: Sun Oct 23 19:01:31 2005 => File D:\Razor\Andere\desktoptoys an Zocker\finger.exe infected by "not-virus:BadJoke.Win32.Finger.b" Virus! Action Taken: No Action Taken.

--------------------------------------------------
--------------------- TAGGED ---------------------
--------------------------------------------------

1: Sun Oct 23 18:09:07 2005 => File C:\Program Files\Admanager Controller\AdManComm.dll tagged as "not-a-virus:AdWare.Win32.WinAD.r". Action Taken: No Action Taken.
2: Sun Oct 23 18:16:04 2005 => File C:\Programme\BearShare\Installer\saveinstwm.exe tagged as "not-a-virus:AdWare.Win32.SaveNow.z". Action Taken: No Action Taken.
3: Sun Oct 23 18:42:44 2005 => File C:\WINDOWS\Downloaded Program Files\WinAdServX.dll tagged as "not-a-virus:AdWare.Win32.WinAD". Action Taken: No Action Taken.
4: Sun Oct 23 18:42:44 2005 => File C:\WINDOWS\Downloaded Program Files\WinServAdX.dll tagged as "not-a-virus:AdWare.Win32.WinAD.f". Action Taken: No Action Taken.
5: Sun Oct 23 19:11:09 2005 => File H:\Counter-Strike\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
6: Sun Oct 23 19:21:40 2005 => File H:\HL\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.

--------------------------------------------------
--------------------- ERRORS ---------------------
--------------------------------------------------


--------------------------------------------------
-------- DATEIEN ZUM LÖSCHEN HINZUGEFÜGT ---------
--------------------------------------------------

1: D:\Razor\Andere\desktoptoys an Zocker\finger.exe => not-virus:BadJoke.Win32.Finger.b
2: H:\Counter-Strike\hltv.exe => tagged:Server-Proxy.Win32.Hltv.
3: H:\HL\hltv.exe => tagged:Server-Proxy.Win32.Hltv.

--------------------------------------------------
-------------------- Statistik -------------------
--------------------------------------------------

Sun Oct 23 19:33:13 2005 => Total Objects Scanned: 180656
Sun Oct 23 19:33:13 2005 => Total Virus(es) Found: 38
Sun Oct 23 19:33:13 2005 => Total Errors: 195
Sun Oct 23 19:33:13 2005 => Virus Database Date: 2005/10/22
Sun Oct 23 19:33:13 2005 => Virus Database Count: 155555
This post was edited by razor_89 on 23.10.2005 at 22:53.
23.10.2005, 23:59
Honorary member
Sabina

Posts: 29434
#17 Hello @razor_89

In Windows Explorer -> Tools -> Folder Options -> "View" tab -> Hidden files and folders -> enable "Show all files and folders"
+
In Windows Explorer -> Tools -> Folder Options -> "View" tab -> Files and folders -> disable "Hide protected operating system files (recommended)"



KILLBOX
http://virus-protect.org/killbox.html

Check "Delete File on Reboot"
paste in:
...
and click the red cross; when asked "Do you want to reboot?", click "no" and paste in the next one; only click "yes" for the last one

C:\WINDOWS\Downloaded Program Files\winadservx.dll
C:\WINDOWS\system32\vp.dat
C:\WINDOWS\ecwkj.exe
C:\Program Files\Admanager Controller\AdManComm.dll
C:\Programme\BearShare\Installer\saveinstwm.exe
C:\WINDOWS\Downloaded Program Files\WinAdServX.dll
C:\WINDOWS\Downloaded Program Files\WinServAdX.dll
C:\WINDOWS\iun6002.exe

Restart the PC

Uninstall:
bearshare

Delete these folders completely.

C:\Dokumente und Einstellungen\razor\Anwendungsdaten\SOFTID~1\
C:\Dokumente und Einstellungen\razor\Anwendungsdaten\DVDDOW~1\
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\drive junk lies ball
C:\Program Files\Admanager Controller
C:\Programme\BearShare

Scan with Counterspy
http://virus-protect.org/counterspy.html
After the scan you have to choose between:
*Ignore
*Remove
*Quarantine
Always choose Remove and restart the PC (then copy the scan report and post it in the security forum)

Start -- All Programs -- Accessories -- Notepad and paste in the following text:

Quote

dir %Windir%\tasks /a h > files.txt
notepad files.txt
- Save as: findjobs.bat
- Save with file type: All Files
- Save it to the desktop
- Locate findjobs.bat -- double-click the .bat file, Notepad opens -- post the text
__________
Regards, Sabina

All about PC security
24.10.2005, 01:08
Member

Posts: 47
#18 C:\Dokumente und Einstellungen\razor\Anwendungsdaten\SOFTID~1\
C:\Dokumente und Einstellungen\razor\Anwendungsdaten\DVDDOW~1\
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\drive junk lies ball
cannot be found!

Counterspy is running, but it still needs a moment!
The reports will follow!
24.10.2005, 11:27
Honorary member
Sabina

Posts: 29434
#19 In Windows Explorer -> Tools -> Folder Options -> "View" tab -> Hidden files and folders -> enable "Show all files and folders"
+
In Windows Explorer -> Tools -> Folder Options -> "View" tab -> Files and folders -> disable "Hide protected operating system files (recommended)"


C:\Dokumente und Einstellungen\razor\Anwendungsdaten\SOFTID.... these are not the complete names; you have to search using the first letters....

C:\Dokumente und Einstellungen\razor\Anwendungsdaten\DVDDOW....
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\drive junk lies ball <-- this one is complete and should be on there
__________
Regards, Sabina

All about PC security
24.10.2005, 13:28
Member

Posts: 47
#20 None of the folders or files being searched for can be found in my Anwendungsdaten (Application Data) folder, as the folder contains not even 25 files and folders (at the top level)! Showing all objects is already enabled.

Here is the stuff from Counterspy:

Spyware Scan Details
Start Date: 24.10.2005 00:47:37
End Date: 24.10.2005 01:40:55
Total Time: 53 mins 18 secs

Detected spyware

AntiLeech Plugin Adware more information...
Details: Plugin is an Ad-Ware software which enables the broadcasting of advertisements, and execution of e-commerce and other internet related services on the user-interface of the software.
Status: Deleted

Infected files detected
c:\programme\anti-leech\al2np.dll
c:\programme\anti-leech\alie.dll
c:\programme\anti-leech\alie.inf
c:\programme\anti-leech\iesetup2.exe
c:\programme\anti-leech\npalnn.dll
c:\programme\anti-leech\setup2.exe

Infected registry entries detected


YourSiteBar Spyware more information...
Details: YourSiteBar from IST, the makers of numerous spyware Thread, is an affiliate based marketing toolbar.
Status: Deleted

Infected files detected
c:\programme\yoursitebar\imagemap_normal.bmp
c:\programme\yoursitebar\version.txt
c:\programme\yoursitebar\yoursitebar.xml
c:\windows\downloaded program files\ysbactivex.inf

Infected registry entries detected


SearchRelevancy Adware more information...
Status: Deleted

Infected files detected
c:\programme\searchrelevancy\uninstall.exe

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\searchrelevancy
HKEY_LOCAL_MACHINE\software\searchrelevancy\Update TimeStamp 1105732186
HKEY_LOCAL_MACHINE\software\searchrelevancy ID 8F5B7A9F


C2.Lop Spyware more information...
Details: Lop is a group of spyware and hijacker programs that set your Internet Explorer start page and search features to use the site lop.com ('Live Online Portal') or one of its clone sites.
Status: Deleted

Infected files detected
c:\dokumente und einstellungen\razor\favoriten\going places\travel.lnk


ShopAtHome Spyware more information...
Details: ShopAtHome installs itself in the Winsock layer of your computer and redirects visits to merchant sites in order to take the affiliate fees from them automatically without your knowledge.
Status: Deleted

Infected files detected
C:\WINDOWS\system32\xmlparse.dll
C:\WINDOWS\system32\xmltok.dll


BearShare P2P more information...
Details: BearShare is a file sharing network. The free version installs a number of known spyware and adware programs.
Status: Deleted

Infected registry entries detected


CoolWebSearch.StartPage Browser Hijacker more information...
Details: CoolWebSearch StartPage hijacks Internet Explorers start page not allowing the user to change this URL.
Status: Deleted

Infected registry entries detected
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Search Bar_bak


Messenger Plus! Adware Bundler more information...
Details: Messenger Plus! is a add-on for MSN Messenger. Messenger Plus! installs an OPTIONAL adware called C2Media which is also known as LOP.com.
Status: Deleted

Infected registry entries detected


MoneyTree Dialer more information...
Details: MoneyTree is an ActiveX control used to download premium-rate dialers, generally for porn sites. Each time MoneyTree is run, on system startup, it tries to connect to a pornographic website.
Status: Deleted

Infected registry entries detected
HKEY_CLASSES_ROOT\interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0}
HKEY_CLASSES_ROOT\interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0}\TypeLib {0BE10B0D-B4DB-4693-9B1F-9AEAD54D17DC}
HKEY_CLASSES_ROOT\interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0}\TypeLib Version 1.0
HKEY_CLASSES_ROOT\interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0} IBHObj


IST.PowerScan Adware more information...
Details: PowerScan is advertised through in ordinary web pop-ups, but recently it started to install with help from the the ISTBar adware.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main bandrest


NetPumper Adware Bundler more information...
Details: Bundles with a number of adware components such as cydoor, Save!, ClockSync, and WhenU Toolbar.
Status: Deleted

Infected registry entries detected


IST.XXXToolbar Toolbar more information...
Details: Adult adware search toolbar for Internet Explorer. XXXToolbar displays a number of pop-up ads when Internet Explorer is running.
Status: Deleted

Infected registry entries detected


AvenueMedia.DyFuCA Browser Plug-in more information...
Details: DyFuCA Internet Optimizer is an adware which also hijacks your browser error page. It opens pop-up windows to display ads from its network sites periodically, also is known to update itself.
Status: Deleted

Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt


ATDMT.com Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\razor\cookies\razor@atdmt[2].txt


Claria.DashBar Cookie Cookie more information...
Details: DashBar cookie is a small text file placed on the user's computer after when visiting the Claria/GAIN DashBar website.
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\razor\cookies\razor@belnk[1].txt


FastClick.com Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\razor\cookies\razor@fastclick[2].txt


Radar Spy 1.0 Cookie more information...
Status: Deleted

Infected cookies detected
c:\dokumente und einstellungen\razor\cookies\razor@tradedoubler[1].txt

Here is also the file from Findjobs.bat:

Datenträger in Laufwerk C: ist proggys
Volumeseriennummer: 60FC-0DC0

Verzeichnis von C:\WINDOWS\tasks

21.10.2005 21:00 <DIR> .
21.10.2005 21:00 <DIR> ..
02.04.2003 14:00 65 desktop.ini
24.10.2005 13:16 6 SA.DAT
14.08.2005 14:37 308 Windows Media Player.job
3 Datei(en) 379 Bytes

Verzeichnis von C:\Dokumente und Einstellungen\razor\Desktop

Are the files from datFind.bat needed as well?

Regards
Razor
This post was edited by razor_89 on 24.10.2005 at 13:35.
24.10.2005, 14:01
Honorary member
Sabina

Posts: 29434
#21 new start page
go to the Control Panel --> Internet Options --> on the General tab, under Temporary Internet Files, click Delete Files --> also tick the box for Delete all offline content and confirm with OK --> go to the Programs tab and click Reset Web Settings there, confirm with Yes if asked --> click Apply and finally OK, and set a new start page

and post the new HijackThis log ;)
__________
Best regards, Sabina

All about PC security
24.10.2005, 18:27
Member

Posts: 47
#22 Logfile of HijackThis v1.99.1
Scan saved at 18:27:12, on 24.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
C:\Programme\PC-Zeit\trap.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Programme\Logitech\SetPoint\KEM.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\Thread.exe
C:\Programme\Logitech\SetPoint\KHALMNPR.EXE
C:\Programme\ICQLite\ICQLite.exe
c:\programme\winamp\winamp.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Programme\Mozilla Firefox\firefox.exe
D:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www.nldeagsbsrnggzluzhpkej.org/yYFbZRqvKiMjmYMWcw5n9zeV/aHtWmTlTVSe05jux0wV_j7gI/hDS/Vztko78Il2.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {58C4ED5B-BF92-4326-9409-8F8B11662515} - C:\DOKUME~1\razor\ANWEND~1\SOFTID~1\scr okay.exe (file missing)
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [pczeit] "C:\Programme\PC-Zeit\trap.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res:***//C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Programme\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098139004937
O16 - DPF: {D7A4D8FB-83F0-40E5-954F-88F48D15AE96} (ICQVideoWindow Class) - h**p://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - h**p://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - h**p://xtraz.icq.com/xtraz/activex/MISBH.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

The topmost one, the one with this Search Bar, still seems to need removing, and I don't know what Excel.Exe/3000 is doing in there...
Stuff marked File missing can generally go as well, right?
This post was edited by razor_89 on 24.10.2005 at 21:26.
25.10.2005, 00:30
Honorary member
Sabina

Posts: 29434
#23 Fix with HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www.nldeagsbsrnggzluzhpkej.org/yYFbZRqvKiMjmYMWcw5n9zeV/aHtWmTlTVSe05jux0wV_j7gI/hDS/Vztko78Il2.html

O2 - BHO: (no name) - {58C4ED5B-BF92-4326-9409-8F8B11662515} - C:\DOKUME~1\razor\ANWEND~1\SOFTID~1\scr okay.exe (file missing)
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe (this has to come out of autostart... it has NO business being there)

restart the PC

delete:
D:\Razor\Andere\desktoptoys an Zocker\finger.exe

and post the new HijackThis log ;)
__________
Best regards, Sabina

All about PC security
25.10.2005, 00:43
Member

Posts: 47
#24 O2 - BHO: (no name) - {58C4ED5B-BF92-4326-9409-8F8B11662515} - C:\DOKUME~1\razor\ANWEND~1\SOFTID~1\scr okay.exe (file missing)
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

are gone; the thing that changes my start page restores itself and tries to get access, but thanks to CounterSpy it gets blocked!

I'll restart now anyway and then post the new logfile

[edit]
Logfile of HijackThis v1.99.1
Scan saved at 00:46:39, on 25.10.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
C:\Programme\PC-Zeit\trap.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Logitech\SetPoint\KEM.exe
C:\Programme\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
D:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www.nldeagsbsrnggzluzhpkej.org/yYFbZRqvKiMjmYMWcw5n9zeV/aHtWmTlTVSe05jux0wV_j7gI/hDS/Vztko78Il2.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [pczeit] "C:\Programme\PC-Zeit\trap.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res:**//C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Programme\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098139004937
O16 - DPF: {D7A4D8FB-83F0-40E5-954F-88F48D15AE96} (ICQVideoWindow Class) - h**p://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - h**p://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - h**p://xtraz.icq.com/xtraz/activex/MISBH.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAMME\AVPERSONAL\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

On startup, the driver for my mouse or keyboard, so something from Logitech, wanted to add the Logitech file (backweb....) back to autostart, but it was blocked by CounterSpy.
This post was edited by razor_89 on 25.10.2005 at 00:49.
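The before/after comparison done by eye in the posts above can be automated. The following is an added example, not part of the thread and not HijackThis code: it parses two HijackThis logs plus the list of entries that were fixed and reports which fixed entries came back. The function names and the three sample texts are constructed for illustration (placeholder URL and CLSID).

```python
import re

# A HijackThis entry starts with a section code (R0, R1, O2, O4, O16, O23 ...).
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_entries(text):
    """Return [(code, body), ...] for every HijackThis entry line in text.

    A non-blank line directly under an entry is treated as the wrapped tail
    of that entry, which is how a long R1 line gets split in a forum post.
    """
    entries = []
    open_entry = False  # True while the previous line belonged to an entry
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
            open_entry = True
        elif line and open_entry:
            entries[-1][1] += line  # re-join the wrapped tail, no separator
        else:
            open_entry = False  # blank line or unrelated text ends the entry
    return [(code, body) for code, body in entries]


def normalise(entry):
    """Case-fold and collapse whitespace so cosmetic differences do not matter."""
    code, body = entry
    return code, " ".join(body.split()).lower()


def compare_logs(before, after, fix_list):
    """Classify entries across two scans, given the entries that were fixed."""
    b = {normalise(e) for e in parse_entries(before)}
    a = {normalise(e) for e in parse_entries(after)}
    f = {normalise(e) for e in parse_entries(fix_list)}
    return {
        "removed": sorted((f & b) - a),   # fixed and really gone
        "reappeared": sorted(f & a),      # fixed, but present again afterwards
        "unexpected_new": sorted(a - b),  # showed up between the two scans
        "not_in_before": sorted(f - b),   # fix list does not match the first log
    }


# Constructed sample data modelled on the log layout in this thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://search.example.invalid/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\example\gone.exe (file missing)
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://search.example.invalid/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
O4 - HKLM\..\Run: [SunServer] C:\Programme\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
"""

# The first entry is wrapped across two lines on purpose.
FIX_LIST = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://search.example.invalid/ba
r.html

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\example\gone.exe (file missing)
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

restart the PC
"""

if __name__ == "__main__":
    for label, items in compare_logs(BEFORE_LOG, AFTER_LOG, FIX_LIST).items():
        print(label, [code for code, _ in items])
```

An entry listed under `reappeared` means something else on the system is writing the value back, or a protection tool is blocking the change, so the source has to be found before the fix will hold.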
25.10.2005, 00:52
Honorary member
Sabina

Posts: 29434
#25 fix with HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www.nldeagsbsrnggzluzhpkej.org/yYFbZRqvKiMjmYMWcw5n9zeV/aHtWmTlTVSe05jux0wV_j7gI/hDS/Vztko78Il2.html
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - h**p://arcade.icq.com/carlo/zuma/popcaploader_v5.cab

restart

Important: if a new scan with eScan is to be run afterwards, it is essential that 'mwav.log' is deleted beforehand, since it is not overwritten but only appended to!

scan once more with eScan and post everything (just not the things that repeat)
__________
Best regards, Sabina

All about PC security
25.10.2005, 00:58
Member

Posts: 47
#26 Whoa, that's going to take a little while again... ;)
Should it scan in safe mode as always?
By the way: as soon as this R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h**p://www.nldeagsbsrnggzluzhpkej.org/yYFbZRqvKiMjmYMWcw5n9zeV/aHtWmTlTVSe05jux0wV_j7gI/hDS/Vztko78Il2.html
is fixed, I get a message from CounterSpy:

The Internet Explorer URL for your IE Urls is attempting to be changed from http://www.nldeagsbsrnggzluzhpkej.org/yYFbZRqvKiMjmYMWcw5n9zeV/aHtWmTlTVSe05jux0wV_j7gI/hDS/Vztko78Il2.html to .

Advice: Since it is not known if this is spyware you should analyze it before deciding to allow it.

The thing apparently has its origin somewhere else
This post was edited by razor_89 on 25.10.2005 at 01:00.
25.10.2005, 01:02
Honorary member
Sabina

Posts: 29434
#27 yes, I know, the PC is not clean yet, so you have to work with eScan once more
__________
Best regards, Sabina

All about PC security
25.10.2005, 01:10
Member

Posts: 47
#28 eScan causes an error when started in safe mode and has to be closed...
in normal mode it seems to work.
Should I delete the thing and reinstall it?
25.10.2005, 02:48
Honorary member
Sabina

Posts: 29434
#29 scan in normal mode
__________
Best regards, Sabina

All about PC security
25.10.2005, 13:20
Member

Posts: 47
#30 --------------------------------------------------
-------------------- INFECTED --------------------
--------------------------------------------------

1: -------------------- INFECTED --------------------
2: 1: -------------------- INFECTED --------------------
3: 2: 1: Tue Oct 25 01:50:42 2005 => System found infected with bearshare Spyware/Adware ({558ec983-bedb-9168-b2de-31dbf0ee543e})! Action taken: No Action Taken.
4: 3: 2: Tue Oct 25 01:50:42 2005 => System found infected with hijackthis Spyware/Adware ({771a1334-6b08-4a6b-aedc-cf994ba2cebe})! Action taken: No Action Taken.
5: 4: 3: Tue Oct 25 01:50:42 2005 => System found infected with istsvc Spyware/Adware ({db447818-96b4-40df-8a55-720da496f514})! Action taken: No Action Taken.
6: 5: 4: Tue Oct 25 01:50:43 2005 => System found infected with istsvc Spyware/Adware ({bf06da8e-2beb-4816-9bbd-f7625246e245})! Action taken: No Action Taken.
7: 6: 5: Tue Oct 25 01:50:46 2005 => Offending file found: C:\WINDOWS\DOWNLO~1\winadservx.dll
8: 7: 6: Tue Oct 25 01:50:46 2005 => System found infected with winad Spyware/Adware (winadservx.dll)! Action taken: No Action Taken.
9: 8: 7: Tue Oct 25 01:50:46 2005 => Offending file found: C:\WINDOWS\system32\vp.dat
10: 9: 8: Tue Oct 25 01:50:46 2005 => System found infected with deskad.service Spyware/Adware (vp.dat)! Action taken: No Action Taken.
11: 10: 9: Tue Oct 25 01:50:50 2005 => Offending file found: C:\Dokumente und Einstellungen\razor\Favoriten\fun & games\games.lnk
12: 11: 10: Tue Oct 25 01:50:50 2005 => System found infected with hotbar Spyware/Adware (games.lnk)! Action taken: No Action Taken.
13: 12: 11: Tue Oct 25 01:50:52 2005 => Offending file found: C:\Dokumente und Einstellungen\razor\Lokale Einstellungen\temporary internet files\content.ie5\230nmh43\adsend[1].js
14: 13: 12: Tue Oct 25 01:50:52 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
15: 14: 13: Tue Oct 25 01:50:53 2005 => Offending file found: C:\Dokumente und Einstellungen\razor\Lokale Einstellungen\temporary internet files\content.ie5\itcfyd41\adswrapper[1].js
16: 15: 14: Tue Oct 25 01:50:53 2005 => System found infected with whenu.savenow Spyware/Adware (adswrapper[1].js)! Action taken: No Action Taken.
17: 16: 15: Tue Oct 25 01:50:53 2005 => Offending file found: C:\Dokumente und Einstellungen\razor\Lokale Einstellungen\Temporary Internet Files\content.ie5\230nmh43\adsend[1].js
18: 17: 16: Tue Oct 25 01:50:53 2005 => System found infected with whenu.savenow Spyware/Adware (adsend[1].js)! Action taken: No Action Taken.
19: 18: 17: Tue Oct 25 01:50:53 2005 => Offending file found: C:\Dokumente und Einstellungen\razor\Lokale Einstellungen\Temporary Internet Files\content.ie5\itcfyd41\adswrapper[1].js
20: 19: 18: Tue Oct 25 01:50:53 2005 => System found infected with whenu.savenow Spyware/Adware (adswrapper[1].js)! Action taken: No Action Taken.
21: 20: 17: Tue Oct 25 01:50:53 2005 => Offending file found: C:\Dokumente und Einstellungen\razor\Lokale Einstellungen\Temporary Internet Files\content.ie5\itcfyd41\adswrapper[1].js
22: 21: 19: Tue Oct 25 02:08:47 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*

--------------------------------------------------
--------------------- TAGGED ---------------------
--------------------------------------------------

1: --------------------- TAGGED ---------------------
2: 1: --------------------- TAGGED ---------------------
3: 2: 1: Tue Oct 25 12:16:39 2005 => File C:\WINDOWS\Downloaded Program Files\WinAdServX.dll tagged as "not-a-virus:AdWare.Win32.WinAD". Action Taken: No Action Taken.
4: 3: 2: Tue Oct 25 12:16:39 2005 => File C:\WINDOWS\Downloaded Program Files\WinServAdX.dll tagged as "not-a-virus:AdWare.Win32.WinAD.f". Action Taken: No Action Taken.
5: 4: 3: Tue Oct 25 12:43:03 2005 => File H:\Counter-Strike\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
6: 5: 4: Tue Oct 25 12:55:51 2005 => File H:\HL\hltv.exe tagged as not-a-virus:Server-Proxy.Win32.Hltv. No Action Taken.
7: 6: 1: H:\Counter-Strike\hltv.exe => tagged:Server-Proxy.Win32.Hltv.
8: 7: 2: H:\HL\hltv.exe => tagged:Server-Proxy.Win32.Hltv.
9: 1: H:\Counter-Strike\hltv.exe => tagged:Server-Proxy.Win32.Hltv.
10: 2: H:\HL\hltv.exe => tagged:Server-Proxy.Win32.Hltv.

--------------------------------------------------
--------------------- ERRORS ---------------------
--------------------------------------------------

1: 1: 1: Tue Oct 25 01:49:54 2005 => ERROR!!! Invalid Entry {B8323370-FF27-11D2-97B6-204C4F4F5020} = C:\Programme\SmartFTP\smarthook.dll (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved). No Action Taken.
2: 2: 2: Tue Oct 25 01:49:56 2005 => ERROR!!! Invalid Entry mmtask = c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Run). No Action Taken.
3: 3: 3: Tue Oct 25 01:50:58 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\MSXML3A.DLL". Action Taken: No Action Taken.

I left out the rest of the refers to invalid entries!

--------------------------------------------------
-------- DATEIEN ZUM LÖSCHEN HINZUGEFÜGT ---------
--------------------------------------------------

1: H:\Counter-Strike\hltv.exe => tagged:Server-Proxy.Win32.Hltv.
2: H:\HL\hltv.exe => tagged:Server-Proxy.Win32.Hltv.

--------------------------------------------------
-------------------- Statistik -------------------
--------------------------------------------------

Tue Oct 25 13:08:41 2005 => Total Objects Scanned: 182834
Tue Oct 25 13:08:41 2005 => Total Virus(es) Found: 21
Tue Oct 25 13:08:41 2005 => Total Errors: 194
Tue Oct 25 13:08:41 2005 => Virus Database Date: 2005/10/25
Tue Oct 25 13:08:41 2005 => Virus Database Count: 156122
Tue Oct 25 13:15:56 2005 => Total Objects Scanned: 182834
Tue Oct 25 13:15:56 2005 => Total Virus(es) Found: 21
Tue Oct 25 13:15:56 2005 => Total Errors: 194