hclean ballon,hgqhp.exe, NameServer = 195.95.218.35,85.255.112.11
Thread is closed!
16.09.2005, 15:02
Honorary member
Posts: 29434
16.09.2005, 15:51
...new here
Posts: 10
#62
In the meantime I have found rasphone.pbk and tried to carry out the steps as far as possible.
Now the HJ log looks like this at the important spot:

O17 - HKLM\System\CCS\Services\Tcpip\..\{D60049E9-6678-4339-B230-BDFFAAA169CD}: NameServer = 62.104.191.241 62.104.196.134

Well, I'm not really any wiser now either... I have now searched for {D60049E9-6678-4339-B230-BDFFAAA169CD}. Here is the result:

REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "{D60049E9-6678-4339-B230-BDFFAAA169CD}" 16.09.2005 15:53:49
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters]
"{D60049E9-6678-4339-B230-BDFFAAA169CD}"=hex:0f,00,00,00,00,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces\Tcpip_{D60049E9-6678-4339-B230-BDFFAAA169CD}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{D60049E9-6678-4339-B230-BDFFAAA169CD}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Dhcp\Parameters]
"{D60049E9-6678-4339-B230-BDFFAAA169CD}"=hex:0f,00,00,00,00,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBT\Parameters\Interfaces\Tcpip_{D60049E9-6678-4339-B230-BDFFAAA169CD}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{D60049E9-6678-4339-B230-BDFFAAA169CD}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"{D60049E9-6678-4339-B230-BDFFAAA169CD}"=hex:0f,00,00,00,00,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{D60049E9-6678-4339-B230-BDFFAAA169CD}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D60049E9-6678-4339-B230-BDFFAAA169CD}]

This post was edited on 16.09.2005 at 15:55 by horrst.
16.09.2005, 16:49
Honorary member
Posts: 29434
#63
Quote: I have now searched for {D60049E9-6678-4339-B230-BDFFAAA169CD}. Here is the result:

But you shouldn't have entered that one, rather a different one....!!! Restart the PC; I hope everything still works now.... because you deleted everything.....

62.104.191.241 62.104.196.134 --> your correct IP, all parameters... everything.... or maybe not... we'll see...

If you then can't get online anymore, use the backup from RegSrch.vbs, which recreates the data for you. And post the new HijackThis log.
__________
Regards, Sabina
All about PC security
16.09.2005, 17:19
...new here
Posts: 10
#64
No panic, I'm a lucky child by nature. I didn't delete anything there, just had a look at where this O17 entry, which is new to me, is located. So everything is in order...
Maybe you could briefly explain to me what this O17 entry, which apparently isn't bad anymore, actually does. Unfortunately I have almost no idea about the subject (even if that idea has grown enormously in the last few days ;-) Confused as I am, I've just done a new HJT scan, with Internet connection and not in safe mode. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 17:14:52, on 16.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\gtwatch.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programme\AVPersonal\AVSched32.EXE
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\ComCenter\IWatch.exe
C:\WINDOWS\twain_32\S6U12K\WATCH.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Totto\Desktop\HijackThis\1_99_1.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\ComCenter\IWatch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12K\WATCH.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Programme\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126008246262
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/de/check/qdiagh.cab?312
O17 - HKLM\System\CCS\Services\Tcpip\..\{D60049E9-6678-4339-B230-BDFFAAA169CD}: NameServer = 62.104.191.241 62.104.196.134
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

Thanks, how do you ever put up with computer dyslexics like me? Sorry...
Greetings, Horrst
16.09.2005, 23:42
Honorary member
Posts: 29434
#65
Hello @Horrst
Relieved *wipes sweat from brow* everything is fine now.

Quote: The Internet protocol suite is a family of around 500 network protocols that form the basis for network communication on the Internet. The term TCP/IP protocol family is used synonymously.
__________
Regards, Sabina
All about PC security
17.09.2005, 11:41
...new here
Posts: 10
#66
Wow Sabina,
does that mean we have successfully chased all this virus and trojan stuff off my system and I can think about normal things again? That would be absolutely fantastic news. If so, then once again: the very biggest thanks for the constant help and your sorely tried patience. What would I have been without you? Relatively helpless, I suppose... But now I don't have to throw my computer out of the window, and I'm happy and grateful for that.
Special greetings, horrst
17.09.2005, 11:44
...new here
Posts: 7
#67
Hello Sabina,
a few days ago I also caught these trojans; Norton and AVG find hclean.exe and rdsndin.exe but can't remove them. I've read the thread and hope you can help me too. As a first step, the HijackThis scan:

Logfile of HijackThis v1.99.1
Scan saved at 11:34:33, on 17.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton Internet Security\ISSVC.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\Dit.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
C:\WINDOWS\DitExp.exe
C:\Programme\Medion\PowerCinema\PCMService.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\explorer.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRAMME\MOZILLA-WIN32-1.5-DE-AT\BIN\MOZILLA.EXE
C:\Dokumente und Einstellungen\Oliver\Eigene Dateien\Programme\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ulhph.dll (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ulhph.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [PCMService] C:\Programme\Medion\PowerCinema\PCMService.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\System32\oline.dll
O9 - Extra button: MedionShop - {01E9CF82-AE9D-42BA-A629-B23D51A4B86B} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/
O15 - Trusted Zone: http://www.t-online.de
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126637636218
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13C9FBEB-F2C8-46DC-AE86-AEB59B968791}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BD95B01-9A5E-439E-95E4-98C7D68CEA79}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FCC1E94-AFF5-4DCA-A1F3-61FC9B119CB9}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC916F8A-2FE8-4840-8161-3ABE7729D489}: NameServer = 217.237.151.161 217.237.151.33
O17 - HKLM\System\CS1\Services\Tcpip\..\{13C9FBEB-F2C8-46DC-AE86-AEB59B968791}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{13C9FBEB-F2C8-46DC-AE86-AEB59B968791}: NameServer = 195.95.218.3,85.255.112.5
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
17.09.2005, 14:34
Honorary member
Posts: 29434
#68
Hello @newcomer2005

Start --> Run --> regedit

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
"NameServer" = "195.95.218.4,85.255.112.9" <-- delete

HKEY_CURRENT_USER\RemoteAccess\Profile
"IP" = "02,00,00,00,00,00,00,00,c4,b0,32,45,25,b0,e1,c3,00,00,00,00,00,00,00,00,00,00,00,00" <--- delete

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters
"NameServer" = "69.50.176.196,195.225.176.37" <-- delete
"195.95.218.3,85.255.112.5" <-- delete

------------------------------------------------------------------------------------

C:\Documents and Settings\All Users\Application Data\rasphone.pbk

Windows search: enter rasphone.pbk --> right-click --> Open with --> remove the tick from "Deselect the "Always use this program to open this program" check box." (my system is in English... I don't know what that is called on a German system)
Scroll until you get to Notepad (Texteditor) --> open --> delete (depending on what you find):

"IpDnsAddress=69.50.176.196"
"IpDns2Address=192.225.176.37"
"IpNameAssign=2"
"IpDnsAddress=195.95.218.3,
"IpDns2Address=85.255.112.5
"IpNameAssign=2"

Save in Notepad and close.

Quote:
# Windows XP---------------------------------------------------------------------------------------
# open HijackThis -->> button "Scan" -->> set the ticks -->> button "Fix checked" -->> restart PC

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ulhph.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ulhph.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{13C9FBEB-F2C8-46DC-AE86-AEB59B968791}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BD95B01-9A5E-439E-95E4-98C7D68CEA79}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FCC1E94-AFF5-4DCA-A1F3-61FC9B119CB9}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{13C9FBEB-F2C8-46DC-AE86-AEB59B968791}: NameServer = 195.95.218.3,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{13C9FBEB-F2C8-46DC-AE86-AEB59B968791}: NameServer = 195.95.218.3,85.255.112.5

Restart PC

CCleaner --> delete all *temp files
http://virus-protect.org/temp.html

Download f-secure Beta Trial
http://www.f-secure.com/blacklight/
Double-click: blbeta.exe; after the check click --> next (find the text file from the scan on the desktop and post it to me)

Post all 4 logs + path
http://virus-protect.org/datfindbat.html

rkfiles.zip
http://skads.org/special/rkfiles.zip
--> unpack --> go into safe mode
http://www.tu-berlin.de/www/software/virus/savemode.shtml
--> double-click (run) --> rkfiles.bat --> wait until the DOS window closes ---> post C:\log.txt

winpfind
http://virus-protect.org/winpfind.html

silentrunners
http://virus-protect.org/silentrunner.html
http://www.silentrunners.org/sr_download.html
Go to: Quote: Click here to download a zip file.
Here is the explanation: http://www.silentrunners.org/sr_scriptuse.html
Click: output file is in text format. --> double-click and the editor opens --> and post everything that is shown.

--------------------------------------------------------------------------

Post the scan report:
http://virus-protect.org/ewido.html
__________
Regards, Sabina
All about PC security
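Added example, not part of the thread or of any tool mentioned in it: a small Python triage script for the two places Sabina's instructions point at. It parses HijackThis O17 lines and the IpDnsAddress/IpDns2Address keys in rasphone.pbk, and reports every resolver that is not on an explicit known-good list, so an entry is flagged even when its address is not on the known-bad list. The known-bad and known-good sets are the addresses quoted in this thread; the sample log lines and the rasphone.pbk fragment are constructed for the example (the O17 lines are copies of lines posted above, the entry name "T-Online DSL" is hypothetical).

```python
"""Triage helper for the DNS-hijack pattern discussed in this thread (added example)."""
import ipaddress
import re

# Addresses the thread identifies as planted by the trojan (copied from the posts above).
KNOWN_BAD = frozenset({
    "195.95.218.3", "85.255.112.5",      # posts #67 / #68
    "195.95.218.4", "85.255.112.9",      # post #68, Interfaces key
    "195.95.218.35", "85.255.112.11",    # thread title
    "69.50.176.196", "195.225.176.37",   # post #68, Adapters key
    "192.225.176.37",                    # post #68, rasphone.pbk
})

# Resolvers the thread treats as the users' legitimate ISP resolvers.
KNOWN_GOOD = frozenset({
    "62.104.191.241", "62.104.196.134",  # posts #62 / #63
    "217.237.151.161", "217.237.151.33", # post #67
})

O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")
PBK_SECTION_RE = re.compile(r"^\[(?P<name>.+)\]$")
PBK_DNS_KEYS = ("IpDnsAddress", "IpDns2Address")


def split_servers(value):
    """HijackThis prints NameServer lists comma- or space-separated; accept both."""
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def classify(ip, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Verdict for one resolver address: known-bad, ok, unexpected or invalid."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if ip in known_bad:
        return "known-bad"
    if ip in known_good:
        return "ok"
    return "unexpected"   # not on the allowlist: a human should look at it


def triage_hijackthis(lines, known_good=KNOWN_GOOD):
    """Return (registry key, ip, verdict) for every address in every O17 line."""
    findings = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for ip in split_servers(m.group("servers")):
            findings.append((m.group("key"), ip, classify(ip, known_good)))
    return findings


def triage_rasphone(text, known_good=KNOWN_GOOD):
    """Walk rasphone.pbk (INI-style) and return (entry, key, ip, verdict) per DNS key."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PBK_SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key in PBK_DNS_KEYS and value not in ("", "0.0.0.0"):
            findings.append((section, key, value, classify(value, known_good)))
    return findings


def suspicious(findings):
    """Keep only findings whose verdict (last tuple element) is not 'ok'."""
    return [f for f in findings if f[-1] != "ok"]


# Constructed sample: three O17 lines copied from posts #67 and #64 plus one
# unrelated O23 line that the parser must ignore.
SAMPLE_HJT = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{13C9FBEB-F2C8-46DC-AE86-AEB59B968791}: NameServer = 195.95.218.3,85.255.112.5",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{BC916F8A-2FE8-4840-8161-3ABE7729D489}: NameServer = 217.237.151.161 217.237.151.33",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{D60049E9-6678-4339-B230-BDFFAAA169CD}: NameServer = 62.104.191.241 62.104.196.134",
    r"O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE",
]

# Constructed rasphone.pbk fragment; entry names are hypothetical, the DNS key/value
# lines in the first entry are the ones post #68 tells the user to delete.
SAMPLE_PBK = """[T-Online DSL]
Type=1
IpNameAssign=2
IpDnsAddress=69.50.176.196
IpDns2Address=192.225.176.37

[Clean Entry]
IpNameAssign=1
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0
"""

if __name__ == "__main__":
    for key, ip, verdict in suspicious(triage_hijackthis(SAMPLE_HJT)):
        print(f"HijackThis {key}: {ip} -> {verdict}")
    for entry, key, ip, verdict in suspicious(triage_rasphone(SAMPLE_PBK)):
        print(f"rasphone.pbk [{entry}] {key}={ip} -> {verdict}")
```

To use it on a real case, replace KNOWN_GOOD with the resolvers the ISP actually hands out and feed the script the HijackThis log and the rasphone.pbk text; anything reported as "unexpected" deserves the same scrutiny as a "known-bad" hit, because a blocklist built from one thread will never be complete.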
17.09.2005, 17:13
...new here
Posts: 7
#69
Hello Sabina,
in the meantime I had already downloaded ewido and run it over my system. ewido found 47 infected files. I then deleted the infected files in ewido; I hope that doesn't hurt. My HijackThis scan has looked somewhat different since then. Anyway, I carried out all the recommendations and deleted the corresponding files as far as they were there. Here is the new HijackThis scan, followed by all the other scans as requested:

Logfile of HijackThis v1.99.1
Scan saved at 16:47:52, on 17.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Norton Internet Security\ISSVC.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\Dit.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
C:\Programme\Medion\PowerCinema\PCMService.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\DitExp.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRAMME\MOZILLA-WIN32-1.5-DE-AT\BIN\MOZILLA.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\ewido\security suite\SecuritySuite.exe
C:\Programme\Messenger\msmsgs.exe
C:\Dokumente und Einstellungen\Oliver\Eigene Dateien\Programme\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [PCMService] C:\Programme\Medion\PowerCinema\PCMService.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\System32\oline.dll
O9 - Extra button: MedionShop - {01E9CF82-AE9D-42BA-A629-B23D51A4B86B} - http://www.medionshop.de/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/
O15 - Trusted Zone: http://www.t-online.de
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126637636218
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC916F8A-2FE8-4840-8161-3ABE7729D489}: NameServer = 217.237.151.161 217.237.151.33
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programme\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

---------------------------------------------------------------------------

F-Secure: http://www.f-secure.com/blacklight/

09/17/05 16:10:08 [Info]: BlackLight Engine 1.0.23 initialized
09/17/05 16:10:08 [Info]: OS: 5.1 build 2600 (Service Pack 1)
09/17/05 16:10:08 [Note]: 4019 0
09/17/05 16:10:08 [Note]: 4019 1
09/17/05 16:10:08 [Note]: 4019 2
09/17/05 16:10:08 [Note]: 4019 3
09/17/05 16:10:08 [Note]: 4019 4
09/17/05 16:10:08 [Note]: 4005 0
09/17/05 16:10:13 [Note]: 4006 0
09/17/05 16:10:13 [Note]: 4011 1448
09/17/05 16:10:14 [Note]: FSRAW library version 1.7.1011
09/17/05 16:11:16 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
09/17/05 16:11:16 [Note]: 10002 1
09/17/05 16:11:20 [Info]: Hidden file: C:\WINDOWS\system32\cskop.exe
09/17/05 16:11:20 [Note]: 4002 32
09/17/05 16:11:20 [Note]: 4003 1
09/17/05 16:11:20 [Note]: 10002 1
09/17/05 16:11:21 [Info]: Hidden file: C:\WINDOWS\system32\hclean32.exe
09/17/05 16:11:21 [Note]: 4002 5
09/17/05 16:11:21 [Note]: 4003 1
09/17/05 16:11:21 [Note]: 10002 1
09/17/05 16:11:27 [Info]: Hidden file: C:\WINDOWS\system32\rdsndin.exe
09/17/05 16:11:27 [Note]: 4002 5
09/17/05 16:11:27 [Note]: 4003 1
09/17/05 16:11:27 [Note]: 10002 1
09/17/05 16:11:29 [Info]: Hidden file: C:\WINDOWS\system32\dmmlo.exe
09/17/05 16:11:29 [Note]: 4002 32
09/17/05 16:11:29 [Note]: 4003 1
09/17/05 16:11:29 [Note]: 10002 1

---------------------------------------------------------------------------

datFind.bat: http://virus-protect.org/datfindbat.html

Verzeichnis von C:\WINDOWS\system32
16.09.2005 22:47 2.206 wpa.dbl
03.09.2005 15:02 16.832 amcompat.tlb
03.09.2005 15:02 23.392 nscompat.tlb
04.08.2005 15:43 358.790 perfh009.dat
04.08.2005 15:43 43.848 perfc009.dat
04.08.2005 15:43 365.756 perfh007.dat
04.08.2005 15:43 53.176 perfc007.dat
04.08.2005 15:43 827.472 PerfStringBackup.INI
02.08.2005 13:48 57 mapisvc.inf
28.07.2005 14:52 91.856 S32EVNT1.DLL
26.05.2005 04:19 178.408 muweb.dll
26.05.2005 04:16 1.343.768 wuaueng.dll

Verzeichnis von C:\DOKUME~1\Oliver\LOKALE~1\Temp
17.09.2005 15:57 16.384 Perflib_Perfdata_93c.dat
1 Datei(en) 16.384 Bytes
0 Verzeichnis(se), 51.402.633.216 Bytes frei

Verzeichnis von C:\WINDOWS
17.09.2005 15:57 769 win.ini
17.09.2005 15:44 1.410.986 WindowsUpdate.log
17.09.2005 15:44 50 wiaservc.log
17.09.2005 15:44 157 wiadebug.log
17.09.2005 15:43 54.156 QTFont.qfn
17.09.2005 15:43 1.409 QTFont.for
17.09.2005 15:43 2.048 bootstat.dat
17.09.2005 15:42 32.534 SchedLgU.Txt
17.09.2005 09:04 9.046 mozver.dat
17.09.2005 08:46 6.400 balloon.wav
11.09.2005 00:01 224 videodeLuxe.INI
09.09.2005 22:04 392 _delis43.ini
03.09.2005 15:06 316.640 WMSysPr9.prx
02.09.2005 19:44 4.517 rdt.ini
09.08.2005 22:48 4.210 ModemLog_Creatix V.9X DSP Data Fax Modem.txt
02.08.2005 13:59 93 Travel.ini
02.07.2005 20:02 227 system.ini

Verzeichnis von C:\
17.09.2005 16:08 0 sys.txt
17.09.2005 16:08 6.200 system.txt
17.09.2005 16:06 297 systemtemp.txt
17.09.2005 16:04 94.547 system32.txt
17.09.2005 15:43 536.399.872 hiberfil.sys
17.09.2005 15:43 805.306.368 pagefile.sys
11.09.2005 16:35 25.260.366 AVG7DB_F.DAT
05.09.2005 23:10 0 23990098.$$$
05.09.2005 23:10 6 AVPCallback.log
03.09.2005 15:05 184 Setup.log
02.09.2005 20:57 0 EPG_Chan.log
02.07.2005 20:02 194 boot.ini

---------------------------------------------------------------------------

rkfiles http://skads.org/special/rkfiles.zip is missing

---------------------------------------------------------------------------

winpfind: http://virus-protect.org/winpfind.html

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP
Current Build: Service Pack 1
Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
FSG! 26.10.2003 22:27:08 11593071 C:\Programme\mozilla-win32-1.5-de-AT.zip
Checking %WinDir% folder...
aspack 06.05.2002 23:53:40 180224 C:\WINDOWS\Össur.scr
Checking %System% folder...
PEC2 29.08.2002 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 29.08.2002 14:00:00 660480 C:\WINDOWS\SYSTEM32\rasdlg.dll
FSG! 04.10.2003 15:00:24 R 2048 C:\WINDOWS\SYSTEM32\TFTP2128
winsync 29.08.2002 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
UPX! 29.07.2005 19:40:32 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 29.07.2005 19:40:32 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 29.07.2005 19:40:32 668704 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
17.09.2005 16:24:02 S 2048 C:\WINDOWS\bootstat.dat
17.09.2005 16:24:30 H 54156 C:\WINDOWS\QTFont.qfn
15.09.2005 21:51:00 H 0 C:\WINDOWS\inf\oem19.inf
15.09.2005 21:51:00 H 0 C:\WINDOWS\LastGood\INF\oem19.inf
15.09.2005 21:51:00 H 0 C:\WINDOWS\LastGood\INF\oem19.PNF
13.09.2005 20:58:54 H 493808 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\29783065c622707b9eaabb28ba2c49bb\BIT42.tmp
17.09.2005 16:24:08 H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 29.08.2002 14:00:00 68096 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp.
28.10.2002 08:38:08 1375744 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL Microsoft Corporation 29.08.2002 14:00:00 583680 C:\WINDOWS\SYSTEM32\appwiz.cpl Microsoft Corporation 29.08.2002 14:00:00 132096 C:\WINDOWS\SYSTEM32\desk.cpl Microsoft Corporation 29.08.2002 14:00:00 152064 C:\WINDOWS\SYSTEM32\hdwwiz.cpl Microsoft Corporation 29.08.2002 14:00:00 293376 C:\WINDOWS\SYSTEM32\inetcpl.cpl Microsoft Corporation 29.08.2002 14:00:00 125440 C:\WINDOWS\SYSTEM32\intl.cpl Microsoft Corporation 29.08.2002 14:00:00 66560 C:\WINDOWS\SYSTEM32\joy.cpl Microsoft Corporation 29.08.2002 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl Microsoft Corporation 29.08.2002 14:00:00 566272 C:\WINDOWS\SYSTEM32\mmsys.cpl Microsoft Corporation 29.08.2002 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl Microsoft Corporation 29.08.2002 14:00:00 259072 C:\WINDOWS\SYSTEM32\nusrmgr.cpl Microsoft Corporation 29.08.2002 14:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl Microsoft Corporation 29.08.2002 14:00:00 111616 C:\WINDOWS\SYSTEM32\powercfg.cpl RealNetworks, Inc. 05.02.2003 14:01:52 25088 C:\WINDOWS\SYSTEM32\prefscpl.cpl Apple Computer, Inc. 
09.10.2003 20:02:10 316416 C:\WINDOWS\SYSTEM32\QuickTime.cpl Microsoft Corporation 29.08.2002 14:00:00 272896 C:\WINDOWS\SYSTEM32\sysdm.cpl Microsoft Corporation 29.08.2002 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl Microsoft Corporation 29.08.2002 14:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl Microsoft Corporation 29.08.2002 14:00:00 68096 C:\WINDOWS\SYSTEM32\dllcache\access.cpl Microsoft Corporation 29.08.2002 14:00:00 583680 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl Microsoft Corporation 29.08.2002 14:00:00 132096 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl Microsoft Corporation 29.08.2002 14:00:00 152064 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl Microsoft Corporation 29.08.2002 14:00:00 293376 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl Microsoft Corporation 29.08.2002 14:00:00 125440 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl Microsoft Corporation 29.08.2002 14:00:00 66560 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl Microsoft Corporation 29.08.2002 14:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl Microsoft Corporation 29.08.2002 14:00:00 566272 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl Microsoft Corporation 29.08.2002 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl Microsoft Corporation 29.08.2002 14:00:00 259072 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl Microsoft Corporation 29.08.2002 14:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl Microsoft Corporation 29.08.2002 14:00:00 111616 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl Microsoft Corporation 29.08.2002 14:00:00 151552 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl Microsoft Corporation 29.08.2002 14:00:00 272896 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl Microsoft Corporation 29.08.2002 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl Microsoft Corporation 29.08.2002 14:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»» Checking files in 
%ALLUSERSPROFILE%\Startup folder... 05.02.2003 09:31:28 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini 27.03.2003 10:17:26 1713 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk Checking files in %ALLUSERSPROFILE%\Application Data folder... 05.02.2003 09:27:12 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini Checking files in %USERPROFILE%\Startup folder... 05.02.2003 09:31:28 HS 84 C:\Dokumente und Einstellungen\Oliver\Startmenü\Programme\Autostart\desktop.ini Checking files in %USERPROFILE%\Application Data folder... 05.02.2003 09:27:12 HS 62 C:\Dokumente und Einstellungen\Oliver\Anwendungsdaten\desktop.ini »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»» [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers] HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programme\Grisoft\AVG Free\avgse.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Programme\ewido\security suite\context.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programme\Norton Internet 
Security\Norton AntiVirus\NavShExt.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{441253c2-a0da-4e6e-924f-0024b4d06d9e} = C:\Programme\T-Online\T-Online_Software_5\Banking\HbDokMan.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = %SystemRoot%\system32\SHELL32.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programme\Grisoft\AVG Free\avgse.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Programme\ewido\security suite\context.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers] 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} AcroIEHlprObj Class = C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1} CNisExtBho Class = C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872} CNavExtBho Class = C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} Real.com = C:\WINDOWS\System32\Shdocvw.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar] {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} = Norton Internet Security : C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll 
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B06300D0-CCDE-11d2-92D3-0000F87A4A55} MenuText = Add to R&estricted Zone : C:\WINDOWS\System32\webzone.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BF80219A-CCDD-11d2-92D3-0000F87A4A55} MenuText = Add to Tr&usted Zone : C:\WINDOWS\System32\webzone.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} ButtonText = Real.com : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FC09D8A3-C85A-11d2-92D0-0000F87A4A55} ButtonText = Offline : [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} Media Band = %SystemRoot%\System32\browseui.dll HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} Explorer-Band = %SystemRoot%\System32\shdocvw.dll [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll {08BEC6AA-49FC-4379-3587-4B21E286C19E} = : HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = Norton Internet Security : C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll {08BEC6AA-49FC-4379-3587-4B21E286C19E} = : 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] HTpatch C:\WINDOWS\htpatch.exe VOBRegCheck C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg SoundMan SOUNDMAN.EXE QuickTime Task "C:\Programme\QuickTime\qttask.exe" -atboottime NeroCheck C:\WINDOWS\System32\\NeroCheck.exe Microsoft Works Update Detection C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe Dit Dit.exe ATIPTA C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe ccApp "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" SSC_UserPrompt C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP RealTray C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER ToADiMon.exe C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart PCMService C:\Programme\Medion\PowerCinema\PCMService.exe AVGCtrl "C:\Programme\AVPersonal\AVGNT.EXE" /min AVGCtrl "C:\Programme\AVPersonal\AVGNT.EXE" /min AVGCtrl "C:\Programme\AVPersonal\AVGNT.EXE" /min [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] IMAIL Installed = 1 MAPI Installed = 1 MSFS Installed = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Windows\run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = {0DF44EAA-FF21-4412-828E-260A8728E7F1} = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system dontdisplaylastusername 0 legalnoticecaption legalnoticetext shutdownwithoutlogon 1 undockwithoutlogon 1 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies] HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoDriveTypeAutoRun 145 NoBandCustomize 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, Shell = Explorer.exe System = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path Debugger = ntsd -d [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] AppInit_DLLs »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» WinPFind v1.4.0 - Log file written to "WinPFind.Txt" in the WinPFind folder. Scan completed on 17.09.2005 16:36:02 --------------------------------------------------------------------------- silentrunners: http://virus-protect.org/silentrunner.html "Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "HTpatch" = "C:\WINDOWS\htpatch.exe" [null data] "VOBRegCheck" = "C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg" [null data] "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"] "Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"] "Dit" = "Dit.exe" [null data] "ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "ccApp" 
= ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "SSC_UserPrompt" = "C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"] "Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"] "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."] "RealTray" = "C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."] "ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["Marmiko IT-Solutions GmbH"] "yaemu.exe" = "C:\WINDOWS\System32\yaemu.exe" [file not found] "PCMService" = "C:\Programme\Medion\PowerCinema\PCMService.exe" [empty string] "AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"] "dmpxl.exe" = "C:\WINDOWS\System32\dmpxl.exe" [null data] HKLM\Software\Microsoft\Active Setup\Installed Components\ {8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS] {94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider" \StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string] {9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"] {BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec 
Corporation"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["VoB Computersysteme GmbH"] "{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["VoB Computersysteme GmbH"] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! 
"System" = "csfqu.exe" [null data] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"] Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = 
"C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS] Startup items in "Oliver" & "All Users" startup folders: -------------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart "Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS] Enabled Scheduled Tasks: ------------------------ "Norton AntiVirus - Meinen Computer prüfen - Oliver" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"] "Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"] "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID] -> 
{CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{01E9CF82-AE9D-42BA-A629-B23D51A4B86B}\
"ButtonText" = "MedionShop"
"Exec" = "http://www.medionshop.de/" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.medion.com/
Missing lines (compared with English-language version):
[Strings]: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Programme\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido\security suite\ewidoguard.exe" ["ewido networks"]
ISSvc, ISSVC, "C:\Programme\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton AntiVirus Auto-Protect-Dienst, navapsvc, ""C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 110 seconds, including 18 seconds for message boxes)

---------------------------------------------------------------------------
ewido: http://virus-protect.org/ewido.html

---------------------------------------------------------
ewido security suite - Scan Report
---------------------------------------------------------
+ Erstellt am: 17:11:21, 17.09.2005
+ Report-Checksumme: 85476B8E
+ Scanergebnis: Keine infizierten Objekte gefunden.
::Report Ende

Best regards
Oliver
P.S. I can't get back to you until tomorrow
17.09.2005, 17:39
Honorary member
Posts: 29434
#70
Hello @newcomer2005
Please post me the scan report from eScan.
__________
Kind regards, Sabina
all about PC security
17.09.2005, 17:56
Honorary member
Posts: 29434
#71
Hello @newcomer2005
At the top of the browser: File -- Save page as.. -- choose "Desktop" -- save (a fix.reg then appears on the Desktop)
http://virus-protect.org/reg/fix.reg

•KillBox
http://www.bleepingcomputer.com/files/killbox.php
Instructions (with pictures): http://virus-protect.org/killbox.html
•Delete File on Reboot <-- tick this and click the red cross; when it asks "Do you want to reboot?" ----> click "no" and paste in the next one, only on the last one click "yes"

C:\WINDOWS\system32\cskop.exe
C:\WINDOWS\system32\hclean32.exe
C:\WINDOWS\system32\rdsndin.exe
C:\WINDOWS\system32\dmmlo.exe
C:\WINDOWS\balloon.wav
C:\WINDOWS\rdt.ini
C:\WINDOWS\SYSTEM32\TFTP2128
C:\WINDOWS\System32\yaemu.exe
C:\WINDOWS\System32\dmpxl.exe
C:\WINDOWS\System32\csfqu.exe

Restart the computer in Safe Mode (press F8 while booting).
Double-click the file "fix.reg" on the Desktop and confirm that it is to be added to the registry.
Then post the new Silent Runners log.
__________
Kind regards, Sabina
all about PC security
17.09.2005, 18:07
Honorary member
Posts: 29434
#72
Hello @newcomer2005
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wbemtest.exe

Check individual "exe" files:
http://www.virustotal.com/flash/index_en.html

Jotti's malware scan 2.4 - check individual "exe" files
http://virusscan.jotti.org/de/
At the top of the page click Browse --> pick the file --> double-click the file to be checked --> click Submit... now wait, then copy the result and post it here in the thread.
__________
Kind regards, Sabina
all about PC security
17.09.2005, 23:09
...new here
Posts: 7
#73
Hello Sabina,
I couldn't wait after all, so: first the two files:
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wbemtest.exe

Kaspersky File Scanner:

Scanned file: wmiprvse.exe
wmiprvse.exe - OK
Statistics:
Known viruses: 149757
Updated: 17-09-2005
File size (Kb): 199
Virus bodies: 0
Files: 1
Warnings: 0
Archives: 0
Suspicious: 0

Scanned file: wbemtest.exe
wbemtest.exe - OK
Statistics:
Known viruses: 149741
Updated: 17-09-2005
File size (Kb): 158
Virus bodies: 0
Files: 1
Warnings: 0
Archives: 0
Suspicious: 0

Jottis Malwarescan 2.99-TRANSITION_TO_3.00:

Datei: wmiprvse.exe
Status: OK (Anmerkung: diese Datei wurde bereits vorher gescannt. Die Scanergebnisse werden daher nicht in der Datenbank gespeichert.)
Entdeckte Packprogramme: -
AntiVir Keine Viren gefunden
ArcaVir Keine Viren gefunden
Avast Keine Viren gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Keine Viren gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus Keine Viren gefunden
NOD32 Keine Viren gefunden
Norman Virus Control Keine Viren gefunden
UNA Keine Viren gefunden
VBA32 Keine Viren gefunden

Datei: wbemtest.exe
Status: OK (Anmerkung: diese Datei wurde bereits vorher gescannt. Die Scanergebnisse werden daher nicht in der Datenbank gespeichert.)
Entdeckte Packprogramme: -
AntiVir Keine Viren gefunden
ArcaVir Keine Viren gefunden
Avast Keine Viren gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
Dr.Web Keine Viren gefunden
F-Prot Antivirus Keine Viren gefunden
Fortinet Keine Viren gefunden
Kaspersky Anti-Virus Keine Viren gefunden
NOD32 Keine Viren gefunden
Norman Virus Control Keine Viren gefunden
UNA Keine Viren gefunden
VBA32 Keine Viren gefunden

eScan: the entire objects scanned:
Sat Sep 17 22:00:31 2005 => ***** Scanning complete. *****
Sat Sep 17 22:00:31 2005 => Total Objects Scanned: 91877
Sat Sep 17 22:00:31 2005 => Total Virus(es) Found: 18
Sat Sep 17 22:00:31 2005 => Total Disinfected Files: 0
Sat Sep 17 22:00:31 2005 => Total Files Renamed: 0
Sat Sep 17 22:00:31 2005 => Total Deleted Objects: 0
Sat Sep 17 22:00:31 2005 => Total Errors: 86
Sat Sep 17 22:00:31 2005 => Time Elapsed: 00:59:44
Sat Sep 17 22:00:31 2005 => Virus Database Date: 2005/09/03
Sat Sep 17 22:00:31 2005 => Virus Database Count: 147562
Sat Sep 17 22:00:31 2005 => Scan Completed.

virus log information:
Object "AdWare.ToolBar.SBSoft.h Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\System32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ICSI.exe" refers to invalid object "C:\Programme\ICSI\Multi-Card Reader / Flash Disk\ICSI.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ORUN32.EXE" refers to invalid object "C:\WINDOWS\ORUN32.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.exe" refers to invalid object "C:\Programme\ATI Technologies\ATI Control Panel\setup.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".000". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".001". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".01". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".1". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".87JPG". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ac3". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".BUP". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".D2V". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".DivX". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".DSC". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ERG". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".err". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".fdb". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".H0". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".HDP". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ifx". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".igs". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ima". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".isu". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".jou". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".M2V". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mcf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".nt". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".old". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".PAS". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pdi". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rcf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rom". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".RPT". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tbe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tcl". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tmp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tpr". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "OpenWithList". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "America Online de". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "ieupdate". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3D272B00-B576-11CF-A50F-00A024583C19}" refers to invalid object "c:\matlab6p1\bin\win32\mwoles05.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{524D70E3-8FBC-11D0-99EB-0000B4322961}" refers to invalid object "C:\ArCon\Programm\ARCON.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{524D70E4-8FBC-11D0-99EB-0000B4322961}" refers to invalid object "C:\ArCon\Programm\ARCON.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{524D70EC-8FBC-11D0-99EB-0000B4322961}" refers to invalid object "C:\ArCon\Programm\ARCON.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{554F6051-79D4-11D4-B067-009027BA5F81}" refers to invalid object "c:\matlab6p1\bin\win32\matlab.exe /Automation". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{554F6053-79D4-11D4-B067-009027BA5F81}" refers to invalid object "c:\matlab6p1\bin\win32\matlab.exe /Automation". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6DECC242-87EF-11CF-86B4-444553540000}" refers to invalid object "C:\Photoshp\Photosle.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{93DD7016-2AA6-11D1-B929-0800096A5C08}" refers to invalid object "C:\ARCON\PROGRAMM\MBCTRL.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{93DD7017-2AA6-11D1-B929-0800096A5C08}" refers to invalid object "C:\ARCON\PROGRAMM\MBCTRL.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AD6BF5C0-7B88-11D5-A5DE-444553540000}" refers to invalid object "C:\Programme\PIXELA\ImageMixer\BMPCapture.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D61C1092-2DA6-11D1-B92B-0800096A5C08}" refers to invalid object "C:\ARCON\PROGRAMM\MBCTRL.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F1388BEE-7140-4CD8-BF10-4565147E2B35}" refers to invalid object "C:\Programme\PIXELA\ImageMixer\Mpg2sppx.ax". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{3C84EDA9-9EA3-4FC3-BEA5-97B6294EC437}" refers to invalid object "C:\DOKUME~1\Oliver\LOKALE~1\Temp\VBE\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{468A4C32-92C0-4C56-BBC0-0D3B7855C5BA}" refers to invalid object "C:\DOKUME~1\Oliver\LOKALE~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{524D70E0-8FBC-11D0-99EB-0000B4322961}" refers to invalid object "C:\ArCon\Programm\ARCON.OCX". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{554F6052-79D4-11D4-B067-009027BA5F81}" refers to invalid object "c:\matlab6p1\bin\win32\mlapp.tlb". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{70923AF6-3586-447A-AE49-7D7F5E9C2F31}" refers to invalid object "C:\Programme\CyberLink\Shared Files\TLFXTSFM.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{731B9F1D-5496-45D5-BCBF-4071980A1E08}" refers to invalid object "C:\Programme\AOL 7.0\ebrowser.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{87099223-C7AF-11D0-B225-00C04FB6C2F5}" refers to invalid object "C:\WINDOWS\System32\fxscom.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{8A98FABF-A6FE-4439-BEC3-4870BBC947D9}" refers to invalid object "C:\DOKUME~1\Oliver\LOKALE~1\Temp\VBE\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{93DD7012-2AA6-11D1-B929-0800096A5C08}" refers to invalid object "C:\ARCON\PROGRAMM\MBCTRL.OCX". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{D9EC6F5A-FBD3-4BE3-8758-8DD1D88FFC53}" refers to invalid object "C:\Programme\CyberLink\Shared Files\TRFXTSFM.DLL". Action Taken: No Action Taken.
Entry "HKCR\.frg" refers to invalid object "Access.Fragment". Action Taken: No Action Taken.
Entry "HKCR\.gst" refers to invalid object "MSMap.Datainst.8". Action Taken: No Action Taken.
Entry "HKCR\.ldb" refers to invalid object "Access.LockFile.9". Action Taken: No Action Taken.
Entry "HKCR\.mpg" refers to invalid object "mpgfile". Action Taken: No Action Taken.
Entry "HKCR\.pcb" refers to invalid object "PCBFile". Action Taken: No Action Taken.
Entry "HKCR\.pds" refers to invalid object "pdsfile". Action Taken: No Action Taken.
Entry "HKCR\.sll" refers to invalid object "SSLFile". Action Taken: No Action Taken.
Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Entry "HKCR\.ZR3\shell\open\command" refers to invalid object "C:\ZAR3\WZAR3.exe %1". Action Taken: No Action Taken.
Entry "HKCR\Automatische Zuordnung.Map.EU" refers to invalid object "{A49EEA01-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.
Entry "HKCR\Automatische Zuordnung.Map.EU.9" refers to invalid object "{A49EEA01-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.
Entry "HKCR\Automatische Zuordnung.Template.EU.9" refers to invalid object "{A49EEA01-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\System32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\Deckblatt\shell\open\command" refers to invalid object "%systemroot%\system32\fxscover.exe "%1"". Action Taken: No Action Taken.
Entry "HKCR\Photoshop.Application.4" refers to invalid object "{6DECC242-87EF-11cf-86B4-444553540000} ". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\uipfile\shell\open\command" refers to invalid object "C:\Programme\CyberLInk\Common\updateipr.exe "%l"". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
File C:\WINDOWS\System32\TFTP2128 infected by "Worm.Win32.Lovesan.a" Virus! Action Taken: No Action Taken.
File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\0600062D.exe tagged as "not-a-virus:Porn-Dialer.Win32.RzDialer". Action Taken: No Action Taken.
File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\0AA46205.dll tagged as "not-a-virus:AdWare.ToolBar.SBSoft.h". Action Taken: No Action Taken.
File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\0AA80C01.dll tagged as "not-a-virus:AdWare.ToolBar.SBSoft.h". Action Taken: No Action Taken.
File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\2F0606E6.htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\4F512B0A.htm infected by "Exploit.HTML.IframeBof" Virus! Action Taken: No Action Taken.
File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\5D6D6EB0.htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\6E3E532E.tmp infected by "Trojan-Downloader.Win32.Clisser.b" Virus! Action Taken: No Action Taken.
File C:\Programme\Norton Internet Security\Norton AntiVirus\Quarantine\72F13DD8.htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055528.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055543.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055569.exe infected by "Trojan.Win32.Qhost.qr" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055571.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055574.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055591.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\TFTP2128 infected by "Worm.Win32.Lovesan.a" Virus! Action Taken: No Action Taken.
ewido again:

---------------------------------------------------------
ewido security suite - Scan Report
---------------------------------------------------------
+ Erstellt am: 22:36:11, 17.09.2005
+ Report-Checksumme: 43970EE9
+ Scanergebnis:

:mozilla.7:C:\Dokumente und Einstellungen\Oliver\Anwendungsdaten\Mozilla\Profiles\default\r0a03f9r.slt\cookies.txt -> Spyware.Cookie.2o7 : Gesäubert mit Backup
:mozilla.18:C:\Dokumente und Einstellungen\Oliver\Anwendungsdaten\Mozilla\Profiles\default\r0a03f9r.slt\cookies.txt -> Spyware.Cookie.Ivwbox : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP379\A0050971.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP379\A0050973.exe -> Trojan.DNSChanger.u : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP379\A0050986.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP379\A0050988.exe -> Trojan.DNSChanger.u : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP379\A0051009.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP379\A0051011.exe -> Trojan.DNSChanger.u : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP379\A0051097.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP379\A0051220.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP380\A0051478.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP380\A0051490.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP380\A0052022.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP380\A0052052.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP380\A0052092.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP381\A0052117.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP381\A0052128.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP382\A0053130.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP382\A0053142.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP382\A0053156.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP383\A0053192.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP383\A0053210.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP384\A0055215.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP384\A0055285.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP384\A0055299.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP385\A0055357.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP385\A0055377.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP385\A0055409.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP385\A0055426.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055528.exe -> TrojanDropper.Vidro.u : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055533.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055543.exe -> TrojanDropper.Vidro.u : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055549.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055569.exe -> Trojan.Qhost.qr : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055571.exe -> TrojanDropper.Vidro.u : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055574.exe -> TrojanDropper.Vidro.u : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055580.exe -> Trojan.Ysearch : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055591.exe -> TrojanDropper.Vidro.u : Gesäubert mit Backup
C:\System Volume Information\_restore{FA0CEAAD-9AC9-4161-8426-57672CB9C5D3}\RP386\A0055598.exe -> Trojan.Ysearch : Gesäubert mit Backup
::Report Ende

silent runners:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HTpatch" = "C:\WINDOWS\htpatch.exe" [null data]
"VOBRegCheck" = "C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg" [null data]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"Microsoft Works Update Detection" = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"Dit" = "Dit.exe" [null data]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"RealTray" = "C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"ToADiMon.exe" = "C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart" ["Marmiko IT-Solutions GmbH"]
"PCMService" = "C:\Programme\Medion\PowerCinema\PCMService.exe" [empty string]
"AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"Flags" = 8

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\000 {++}
"runonce1" = ""C:\HJT\hijackthis.exe"" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["VoB Computersysteme GmbH"]
"{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["VoB Computersysteme GmbH"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet 
Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS] Startup items in "Oliver" & "All Users" startup folders: -------------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart "Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS] Enabled Scheduled Tasks: ------------------------ "Norton AntiVirus - Meinen Computer prüfen - Oliver" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"] "Symantec NetDetect" -> launches: "C:\Programme\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, 
Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"] "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" = "Norton Internet Security" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"] "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKCU\Software\Microsoft\Internet Explorer\Extensions\ {01E9CF82-AE9D-42BA-A629-B23D51A4B86B}\ "ButtonText" = "MedionShop" "Exec" = "http://www.medionshop.de/" [file not found] HKLM\Software\Microsoft\Internet Explorer\Extensions\ {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\ "ButtonText" = "Real.com" Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://www.medion.com/ Missing lines (compared with English-language version): [Strings]: 1 line All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): 
--------------------------------------------------------------------------- AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"] Anwendungsverwaltung, AppMgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\appmgmts.dll" [file not found]} AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] Dienst für Seriennummern der tragbaren Medien, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mspmsnsv.dll" [MS]} ewido security suite control, ewido security suite control, "C:\Programme\ewido\security suite\ewidoctrl.exe" ["ewido networks"] ewido security suite guard, ewido security suite guard, "C:\Programme\ewido\security suite\ewidoguard.exe" ["ewido networks"] ISSvc, ISSVC, "C:\Programme\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"] Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS] Norton AntiVirus Auto-Protect-Dienst, navapsvc, ""C:\Programme\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"] SAVScan, SAVScan, "C:\Programme\Norton Internet Security\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"] ScriptBlocking Service, SBService, "C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe" ["Symantec Corporation"] Symantec Core LC, Symantec Core LC, "C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"] Symantec Event Manager, ccEvtMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"] Symantec Network Drivers Service, SNDSrvc, "C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"] Symantec Network Proxy, ccProxy, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"] Symantec Password 
Validation, ccPwdSvc, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe"" ["Symantec Corporation"] Symantec Settings Manager, ccSetMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"] Symantec SPBBCSvc, SPBBCSvc, "C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"] SymWMI Service, SymWSC, "C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe" ["Symantec Corporation"] Verwaltungsdienst für die Verwaltung logischer Datenträger, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"] WMI-Leistungsadapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS] X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 53 seconds, including 18 seconds for message boxes) Schöne Grüße Oliver |
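A triage pass over the Silent Runners output above, as an added example (this is not code from the thread, from Silent Runners, or from any of the products listed): Silent Runners annotates every launch point with the CompanyName from the target file's version resource, or with [null data] / [empty string] when there is none, [file not found] when the target is missing, and [MS] for Microsoft. The script reads lines in that shape and sorts the entries into "attributed", "review" and "dead", flagging bare file names (which Windows resolves through the search path) and placeholder company strings such as the "TODO: <Firmenname>" on ewido's shellhook.dll. The sample log is constructed from a handful of the posted entries; the verdict labels and the regular expressions are my own assumptions about the format. The "INFECTION WARNING!" prefix is passed through as a note only, because Silent Runners prints it for the hook type (ShellExecuteHooks), not as a verdict on the file.

```python
"""Triage of Silent Runners-style launch-point lines.

Added example; not part of the forum thread or of Silent Runners itself.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the posted log: a few of its entries,
# copied with the annotations Silent Runners printed for them.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HTpatch" = "C:\WINDOWS\htpatch.exe" [null data]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Dit" = "Dit.exe" [null data]
"PCMService" = "C:\Programme\Medion\PowerCinema\PCMService.exe" [empty string]
"ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\000 {++}
"runonce1" = ""C:\HJT\hijackthis.exe"" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
'''

# Registry key header, with the optional "{++}" marker stripped.
KEY_RE = re.compile(r'^(HK.*?)\s*(?:\{\+\+\})?$')
# First `"name" = "` pair on a line (value name or CLSID).
NAME_RE = re.compile(r'"(?P<name>[^"]+)"\s*=\s*"')
# Last `= "target" [tag]` on a line; greedy `.*=` picks the final '=' so the
# `-> {CLSID}\InProcServer32\(Default) = ...` form resolves to the DLL path.
ENTRY_RE = re.compile(r'^.*=\s*"+(?P<target>.*?)"+\s*\[(?P<tag>[^\]]*)\]\s*$')
# Drive letter, %VAR%\ or UNC prefix: anything else is resolved via the search path.
ABSOLUTE_RE = re.compile(r'^(?:[A-Za-z]:\\|%[^%]+%\\|\\\\)')


@dataclass
class Finding:
    key: str
    name: str
    target: str
    tag: str
    company: object   # str or None
    verdict: str      # "attributed" | "review" | "dead"
    notes: list


def company_from_tag(tag):
    """Map the bracketed annotation to a CompanyName (None if it carries none)."""
    if tag == "MS":
        return "Microsoft"
    if len(tag) >= 2 and tag.startswith('"') and tag.endswith('"'):
        return tag[1:-1]
    return None


def classify(target, tag):
    """Verdict plus the reasons an analyst would want to see next to the entry."""
    notes = []
    if not ABSOLUTE_RE.match(target):
        notes.append("bare file name, resolved through the search path: confirm which copy runs")
    if tag == "file not found":
        notes.append("target missing: stale entry or leftover of a removed file")
        return "dead", notes
    if tag in ("null data", "empty string"):
        notes.append("no CompanyName in version info: identify the file by hash or signature")
    company = company_from_tag(tag)
    if company and ("TODO" in company or "<" in company):
        notes.append(f"placeholder CompanyName {company!r}: check who really built this file")
    return ("review" if notes else "attributed"), notes


def triage(log_text):
    """Parse launch-point lines and return one Finding per annotated entry."""
    findings, key, pending = [], "", None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key, pending = km.group(1), None
            continue
        flagged = line.startswith("INFECTION WARNING!")
        nm = NAME_RE.search(line)
        em = ENTRY_RE.match(line)
        if em is None:
            if nm:                      # first half of a two-line entry; tag follows on the "->" line
                pending = (nm.group("name"), flagged)
            continue
        if nm:
            name = nm.group("name")
        elif pending:
            name, flagged = pending
        else:
            name = "?"
        pending = None
        target = em.group("target").replace('"', '').strip()
        tag = em.group("tag").strip()
        verdict, notes = classify(target, tag)
        if flagged:
            notes.append("INFECTION WARNING! marks the hook type (ShellExecuteHooks), not a verdict on the file")
        findings.append(Finding(key, name, target, tag, company_from_tag(tag), verdict, notes))
    return findings


def report(findings):
    """Plain-text triage list, worst verdicts easiest to spot."""
    lines = []
    for f in findings:
        lines.append(f"[{f.verdict:<10}] {f.name} -> {f.target} [{f.tag}]")
        for note in f.notes:
            lines.append(f"             . {note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it against a saved Silent Runners report (`triage(open(path, encoding="cp1252").read())`) and read the "review" and "dead" lines first; an entry with a full path and a real company name is not proof of a clean file, but a bare name like "Dit.exe" with no version info is exactly the kind of launch point that deserves a hash lookup before the next reboot.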
17.09.2005, 23:44
Honorary member
Posts: 29434
#74
Hello @newcomer2005,
that should have been deleted long ago... why was it still showing up in the eScan?????

Quote:
File C:\WINDOWS\System32\TFTP2128 infected by "Worm.Win32.Lovesan.a" Virus!

C:\WINDOWS\System32\TFTP2128 (is a backdoor that has access to your system)

Scan with Kaspersky and report:
http://virus-protect.org/onlinescan.html
__________
Regards
Sabina
all about PC security
18.09.2005, 00:05
...new here
Posts: 7
#75
Hello Sabina,
I'm a bit unsettled right now; I'm also still getting a message from Norton that the trojan dmpxl.exe is active and cannot be removed.

Kaspersky File Scanner:
Scanned file: TFTP2128
TFTP2128 - infected by Worm.Win32.Lovesan.a

Statistics:
Known viruses: 149757
Updated: 17-09-2005
File size (Kb): 2
Virus bodies: 1
Files: 1
Warnings: 0
Archives: 0
Suspicious: 0

Regards
Oliver
Quote:
So the DLL is present (in the original); why the error appears now... I don't know either....
It will probably only be fixed by a repair, but as already said, you can't do that because you now have a different version installed.
Try this:
when the PC boots, press F8, but then do not go into Safe Mode; instead choose "Last Known Good Configuration" (that is of course not the exact wording, but my system is in English, so I don't know it in German)
then report whether the error has been fixed.
__________
Regards
Sabina
all about PC security