PSGuard Trojan
#0
01.07.2005, 20:02
...new here
Posts: 3
01.07.2005, 20:42
Honorary member
Posts: 29434
#2
Hello @taucher0815

Open HijackThis -->> button "Scan" -->> tick the boxes -->> button "Fix checked" -->> restart the PC

O4 - HKLM\..\Run: [PSGuard] C:\Programme\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\system32\intel32.exe

Restart the PC

Start -- Run -- cmd -- copy only the entries from the last 40 days out of the editor that opens (paste the commands in one at a time; the editor then opens)

cd\
cd %windir%\system32
dir /a:-d /o:-d > %systemdrive%\system32.txt
start %systemdrive%\system32.txt
cls
exit

cd\
cd %temp%\
dir /a:-d /o:-d > %systemdrive%\systemtemp.txt
start %systemdrive%\systemtemp.txt
cls
exit

cd\
cd %windir%
dir /a:-d /o:-d > %systemdrive%\system.txt
start %systemdrive%\system.txt
cls
exit

cd\
dir /a:-d /o:-d > %systemdrive%\sys.txt
start %systemdrive%\sys.txt
cls
exit

Delete in Safe Mode:
C:\Programme\PSGuard\PSGuard.exe
C:\WINDOWS\system32\intel32.exe

Run an online scan with Panda and report back: http://virus-protect.org/onlinescan.html
__________
Regards
Sabina
All about PC security
01.07.2005, 20:58
...new here
Thread starter, Posts: 3
#3
Verzeichnis von C:\WINDOWS\system32
26.06.2005 18:57 381.692 perfh009.dat
26.06.2005 18:57 53.436 perfc009.dat
26.06.2005 18:57 392.512 perfh007.dat
26.06.2005 18:57 64.452 perfc007.dat
26.06.2005 18:57 902.652 PerfStringBackup.INI
11.06.2005 10:38 0 dfwmysf14.win
11.06.2005 00:33 4.212 zllictbl.dat
09.06.2005 14:35 1.300.312 MRT.exe
30.05.2005 20:36 2.828 KGyGaAvL.sys
30.05.2005 20:34 56 F57499EBC9.sys
27.05.2005 04:04 137.216 itss.dll
27.05.2005 04:04 546.304 hhctrl.ocx
27.05.2005 04:04 41.472 hhsetup.dll
27.05.2005 04:04 155.136 itircl.dll

Verzeichnis von C:\DOKUME~1\Sven\LOKALE~1\Temp
01.07.2005 20:54 12.763 WcesView.log
01.07.2005 20:14 32.768 ~DFF3C4.tmp
01.07.2005 20:14 279 WCESCOMM.LOG
01.07.2005 20:14 4.185 jusched.log
01.07.2005 19:29 32.768 ~DFECF0.tmp
01.07.2005 19:25 116 kb.log
01.07.2005 18:56 32.768 ~DFF927.tmp
01.07.2005 18:09 455 Dll_.ini
01.07.2005 17:31 130.949 GRD$LOGFILE.LOG
01.07.2005 06:31 32.768 ~DFE9F9.tmp
30.06.2005 07:23 236.134 wcesmgr.log
30.06.2005 07:19 6.262 outstore.log
30.06.2005 06:06 32.768 ~DFF7C1.tmp
27.06.2005 18:33 1.248 java_install_reg.log
27.06.2005 06:12 25.600 ~$_lock.tmp
27.06.2005 05:25 2 Twain001.Mtx
26.06.2005 19:55 373 jupdate1.5.0.xml
26.06.2005 15:36 0 TWAIN.LOG
26.06.2005 08:31 32.768 ~DFEA43.tmp
25.06.2005 19:55 32.768 ~DFEB22.tmp
25.06.2005 17:31 32.768 ~DFEDC6.tmp
25.06.2005 05:31 32.768 ~DFF433.tmp
24.06.2005 16:09 116 574F41BA.TMP
23.06.2005 18:06 717 control.xml
23.06.2005 17:57 983.040 ~DF9DA9.tmp
22.06.2005 06:53 283 wahtmltmp00.htm
21.06.2005 19:50 32.768 ~DFF019.tmp
21.06.2005 07:21 983.040 ~DF5AA3.tmp
21.06.2005 07:21 32.768 ~DFF1B8.tmp
21.06.2005 07:19 7.021 9LQ33YJL.htm
20.06.2005 21:41 983.040 ~DFDA5B.tmp
20.06.2005 21:31 32.768 ~DFFDEA.tmp
19.06.2005 16:18 49.152 ~DFF6.tmp
16.06.2005 21:44 0 is13F.tmp
16.06.2005 21:40 0 isD7.tmp
16.06.2005 21:38 0 isAE.tmp
16.06.2005 21:38 0 is9F.tmp
16.06.2005 21:37 194 MSI29e54.LOG
16.06.2005 21:37 0 is92.tmp
16.06.2005 21:16 0 TempCover2

Verzeichnis von C:\WINDOWS
01.07.2005 20:15 811 win.ini
01.07.2005 20:14 4.442 ModemLog_Creatix V.9X DSP Data Fax Modem.txt
01.07.2005 20:14 551.306 WindowsUpdate.log
01.07.2005 20:14 159 wiadebug.log
01.07.2005 20:14 50 wiaservc.log
01.07.2005 20:14 0 0.log
01.07.2005 20:14 2.048 bootstat.dat
01.07.2005 20:13 15.788 SchedLgU.Txt
01.07.2005 20:12 28.525 KB883939.log
01.07.2005 20:12 13.319 updspapi.log
01.07.2005 20:08 17.711 setupapi.log
01.07.2005 18:48 95.980 ntbtlog.txt
01.07.2005 07:42 3.886 newsbot.ini
01.07.2005 07:02 116 NeroDigital.ini
30.06.2005 19:01 1.125 winamp.ini
29.06.2005 05:44 64.057 wmsetup.log
28.06.2005 22:16 42.490 iis6.log
28.06.2005 22:16 1.374 imsins.log
28.06.2005 22:16 48.436 ntdtcsetup.log
28.06.2005 22:16 10.130 ocmsn.log
28.06.2005 22:16 81.206 comsetup.log
28.06.2005 22:16 111.407 tsoc.log
28.06.2005 22:16 7.531 KB898461.log
28.06.2005 22:16 152.009 ocgen.log
28.06.2005 22:16 14.376 msgsocm.log
28.06.2005 22:16 310.982 FaxSetup.log
26.06.2005 18:08 502 wincmd.ini
26.06.2005 17:52 388 wcx_ftp.ini
15.06.2005 09:12 252 setup.iss
14.06.2005 20:57 239.190 KB893066.log
14.06.2005 20:56 1.374 imsins.BAK
14.06.2005 20:56 16.907 KB896428.log
14.06.2005 20:56 17.240 KB896422.log
14.06.2005 20:56 17.711 KB890046.log
14.06.2005 20:56 17.110 KB896358.log
13.06.2005 14:58 145.258 UNNeroVision.cfg
13.06.2005 14:36 45.511 UNNMP.cfg
12.06.2005 19:50 1.062.121 setupapi.log.0.old
11.06.2005 20:32 3.145.782 BGInfo.bmp
27.05.2005 01:22 10.752 hh.exe
23.05.2005 16:34 2.920.448 UNNMP.exe
23.05.2005 16:34 2.920.448 UNNeroVision.exe
19.05.2005 19:51 25.459 cFosSpeed_Setup_Log.txt
18.05.2005 22:57 99.970 UninstallFirefox.exe

Verzeichnis von C:\
01.07.2005 20:56 0 sys.txt
01.07.2005 20:56 9.233 system.txt
01.07.2005 20:56 2.404 systemtemp.txt
01.07.2005 20:56 102.042 system32.txt
01.07.2005 20:13 805.306.368 pagefile.sys
01.07.2005 20:01 1.357 log.txt
01.07.2005 19:42 793 pfind.txt
01.07.2005 19:30 2.742 dltrace.Log
11.06.2005 14:56 210 boot.ini
01.07.2005, 21:05
Honorary member
Posts: 29434
#4
I forgot something:

Go into the registry: Start --> Run --> regedit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
delete: "Syslog"
Restart the PC

Quote:
Delete in Safe Mode:
__________
Regards
Sabina
All about PC security
01.07.2005, 21:20
...new here
Thread starter, Posts: 3
#5
Quote: Sabina posted

Unfortunately it doesn't scan... Might be due to my firewall....

              System   Files   Messages
Scanned       Yes      0       0
Infected      -        0       0
Suspicious    -        0       0
Disinfected   -        0       0

This post was edited on 01.07.2005 at 21:44 by taucher0815.
01.07.2005, 23:27
Honorary member
Posts: 29434
#6
C:\Programme\PSGuard\ <-- delete

escan http://virus-protect.org/escan.html
__________
Regards
Sabina
All about PC security
HiJack:
Logfile of HijackThis v1.99.1
Scan saved at 19:36:57, on 01.07.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Dit.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Programme\Java\jre1.5.0_02\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Logitech\QCDriver3\LVCOMS.EXE
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\Prismsta.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
D:\_Downloads\hijackthis\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Programme\Gemeinsame Dateien\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Programme\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Programme\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [Prism_Utility] Prismsta.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PSGuard] C:\Programme\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\system32\intel32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Programme\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Trillian.lnk = C:\Programme\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition-Anschluss.lnk = C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE
O8 - Extra context menu item: &Google-Suche - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/284a4fdfd3c8f142ab04/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1114347483007
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {DF6504AC-3EFE-4287-B259-FB299B069C95} (WEBDE Fotoalbum Upload Control) - https://img.web.de/v/aktenkoffer/activex/upload_11110.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD32266F-E81C-45F8-BC24-0403ACB47116}: NameServer = 192.168.1.1
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - C:\Programme\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
PFIND:
Files found with this application may be legitimate.
Only remove files that you know are malware related.
Checking the C:\WINDOWS folder
C:\WINDOWS\epsuninst.exe: UPX!
Checking the C:\WINDOWS\SYSTEM32 folder
C:\WINDOWS\SYSTEM32\DivX.dll: PEC2
C:\WINDOWS\SYSTEM32\DivX.dll: PECompact2
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder
Checking the C:\Dokumente und Einstellungen\All Users\Start Menu\programs\Startup\ folder
Checking the C:\Dokumente und Einstellungen\All Users\Application Data folder
Checking the C:\Dokumente und Einstellungen\Sven\Start Menu\programs\Startup\ folder
Checking the C:\Dokumente und Einstellungen\Sven\Application Data folder
Silentrunner:
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"Bandwidth Monitor Pro" = ""C:\Programme\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized" ["Pro²soft"]
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"Dit" = "Dit.exe" ["ICSI Technology Ltd."]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"ledpointer" = "CNYHKey.exe" ["Chicony"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"HotKey" = "C:\WINDOWS\Twain_32\FlatBed\HotKey.exe" ["Pmx. Electronics Ltd."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"LVCOMS" = "C:\Programme\Gemeinsame Dateien\Logitech\QCDriver3\LVCOMS.EXE" ["Logitech Inc."]
"LogitechGalleryRepair" = "C:\Programme\Logitech\ImageStudio\ISStart.exe" [file not found]
"LogitechImageStudioTray" = "C:\Programme\Logitech\ImageStudio\LogiTray.exe" [file not found]
"InCD" = "C:\Programme\Ahead\InCD\InCD.exe" ["Nero AG"]
"AVGCtrl" = "C:\Programme\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]
"Syslog" = (empty string)
"Prism_Utility" = "Prismsta.exe" ["Intersil Americas Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"PSGuard" = "C:\Programme\PSGuard\PSGuard.exe" [file not found]
"intel32.exe" = "C:\WINDOWS\system32\intel32.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup\ {++}
EXECUTION UNLIKELY: "Registrando Panda ActiveX" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\as.dll" [MS]
EXECUTION UNLIKELY: "Registrando Panda Almacen" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\pavpz.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Ahead\InCD\incdshx.dll" ["Nero AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Startup items in "Sven" & "All Users" startup folders:
------------------------------------------------------
C:\Dokumente und Einstellungen\Sven\Startmenü\Programme\Autostart
"Trillian" -> shortcut to: "C:\Programme\Trillian\trillian.exe" ["Cerulean Studios"]
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Symantec Fax Starter Edition-Anschluss" -> shortcut to: "C:\Programme\Microsoft Office\Office\1031\OLFSNT40.EXE" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Mobilen Favoriten erstellen"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS]
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft ActiveSync\inetrepl.dll" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AntiVir Service, AntiVirService, ""C:\Programme\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
GFI LANguard N.S.S. Scheduled Scans Service, lnss_sscans, "C:\Programme\GFI\LANguard Network Security Scanner 3\sscansvc.exe" ["GFI Software Ltd."]
InCD Helper, InCDsrv, "C:\Programme\Ahead\InCD\InCDsrv.exe" ["Nero AG"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 79 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 127 seconds)
Find-IT:
Microsoft Windows XP [Version 5.1.2600]
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
* UPX! C:\WINDOWS\EPSUNI~1.EXE
»»»»» lagitamate file's can/will show in this section.
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Checking Windir\svcproc.exe and nail.exe.
»»»»» Checking for System32\DrPMon.dll.
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4018-680A
Verzeichnis von C:\WINDOWS\SYSTEM32
»»»»» Checking for SAHAgent ico files.
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 4018-680A
Verzeichnis von C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»».