hclean ballon,hgqhp.exe, NameServer = 195.95.218.35,85.255.112.11

Thread closed.

#1
11.09.2005, 19:31
Member
Posts: 23
#2
12.09.2005, 01:29
Honorary member
Posts: 29434

Hello @Eckart,

CCleaner --> delete all *temp files: http://virus-protect.org/temp.html

KillBox: http://www.bleepingcomputer.com/files/killbox.php
Instructions (illustrated): http://virus-protect.org/killbox.html
Tick "Delete File on Reboot" and click the red cross. When asked "Do you want to reboot?" click "no" and paste in the next path; only on the last one click "yes":

C:\WINDOWS\system32\yaemu.exe
C:\WINDOWS\Help\SPAlert.chm
C:\WINDOWS\system32\rdsndin.exe
C:\WINDOWS\system32\ntfslpa.exe
C:\WINDOWS\system32\drv2cltr.exe
C:\WINDOWS\system32\hclean32.exe
C:\Programme\MyWay\myBar\2.bin\MYBAR.DLL
C:\Programme\MyWay\myBar\2.bin
C:\Programme\MyWay\myBar
C:\Programme\MyWay
C:\WINDOWS\balloon.wav

Restart the PC.

Open HijackThis --> button "Scan" --> tick the entries --> button "Fix checked" --> restart the PC:

O8 - Extra context menu item: Web Savings - file://C:\Programme\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{392E08DF-FAF9-496E-B7CF-23D457FA4E61}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{5221D37A-7E8A-4497-BDFB-3E8DCA22F144}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7C015D-FD1E-40CB-A9FB-F9378EB8A060}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C9A2FF3-78A4-4D8E-8653-1F32A524995B}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{91CC584C-050D-4E51-AF9B-CB1139D483C3}: NameServer = 195.95.218.35,85.255.112.11

Restart the PC.

Uninstall MyWay\myBar and delete: C:\Programme\MyWay

I need the log from Silent Runners, but before that you can scan with ewido and post the scan report: http://virus-protect.org/ewido.html

__________
Kind regards, Sabina
all about PC security
#3
12.09.2005, 09:40
Member, thread starter
Posts: 23

Hello Sabina!

OK, I'm doing that now. Here are the logs from Silent Runners:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"LDM" = "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" ["Logitech"]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Google Desktop Search" = ""C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"zBrowser Launcher" = "C:\Programme\Logitech\iTouch\iTouch.exe" ["Logitech Inc. "]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"routcnf" = "C:\Programme\Telekom\T-Sinus 620data\routcnf.exe /capiactive" [file not found]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"PSDrvCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]
"PinnacleDriverCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]
"Omnipage" = "C:\Programme\ScanSoft\OmniPageSE\opware32.exe" ["ScanSoft, Inc"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"EM_EXEC" = "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"AVSCHED32" = "C:\Programme\AVPersonal\AVSched32.EXE /min" ["H+BEDV Datentechnik GmbH"]
"Zone Labs Client" = ""C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]
"AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
" " = "REM " [file not found]
"hclean32.exe" = "C:\WINDOWS\System32\hclean32.exe" [null data]
"dmpfo.exe" = "C:\WINDOWS\System32\dmpfo.exe" [null data]
"hgqhp.exe" = "C:\WINDOWS\System32\hgqhp.exe" ["Ubmrellainc Technology inc"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}" = "Extensions Manager Folder"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\extmgr.dll" [file not found]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cspeb.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Grüne Idylle.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Eckart" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\Eckart\Startmenü\Programme\Autostart
"SpamPal" -> shortcut to: "C:\Programme\SpamPal\spampal.exe" ["www.spampal.org"]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"InterVideo WinCinema Manager" -> shortcut to: "C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
"ISDN Guard" -> shortcut to: "C:\Programme\AGFEO\ISDN Guard\agfguard.exe" [" "]
"Logitech Desktop Messenger" -> shortcut to: "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"NETGEAR WG111T Smart Wizard" -> shortcut to: "C:\Programme\NETGEAR\WG111T Configuration Utility\wlan111t.exe" ["NETGEAR"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 08
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 09 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}" = "My &Search Bar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\MyWay\myBar\2.bin\MYBAR.DLL" ["My Way"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Canon\Easy-WebPrint\Toolband.dll" [empty string]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
{9455301C-CF6B-11D3-A266-00C04F689C50}\ = "Encarta &Recherche-Assistent" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROProj.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{0494D0DE-F8E0-41AD-92A3-14154ECE70AC}\ = "My Search Bar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Recherche-Assistent"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Programme\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.tiscali.de

Missing lines (compared with English-language version):
[Strings]: 1 line


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
      1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\Programme\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Einfache TCP/IP-Dienste, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\ehome\ehSched.exe" [MS]
RIP-Überwachung, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 75 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 28 seconds.
---------- (total run time: 143 seconds)

and qoologic:

Find Qoologic last edited 9/02/2005

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. some examples are MRT.EXE NTDLL.DLL.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001)
NOT using address check -- 0x77f4bd48

Global Startup: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
.
..
Adobe Gamma Loader.lnk
Adobe Reader - Schnellstart.lnk
desktop.ini
InterVideo WinCinema Manager.lnk
ISDN Guard.lnk
Logitech Desktop Messenger.lnk
Microsoft Office.lnk
NETGEAR WG111T Smart Wizard.lnk

User Startup: C:\Dokumente und Einstellungen\Eckart\Startmenü\Programme\Autostart
.
..
desktop.ini
SpamPal.lnk

»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...
»»»»» Example PNGFILT.DLL ctl3d32.dll are windows files...

I'll carry out the rest now and report back. Hmm, which scan report from ewido do you need? Complete, quick, registry or memory scan?

THX, Eckart

Addendum: I ran CCleaner and KillBox; after the following reboot the box hung, I waited 10 minutes and did a cold restart (hope that wasn't bad). Then I ran HijackThis and fixed the entries, rebooted again. While booting, AntiVir and ewido came up with trojan warnings again. MyBar is now uninstalled and deleted as well.

Here is also the ewido report from the quick scan:

---------------------------------------------------------
ewido security suite - Scan Report
---------------------------------------------------------

+ Created on: 10:37:14, 12.09.2005
+ Report checksum: DED9F1E0

+ Scan result:

HKLM\SOFTWARE\Classes\Tchk.TChkBHO -> Spyware.Inetspeak : Ignored
HKU\S-1-5-21-1957994488-1454471165-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{04079851-5845-4DEA-848C-3ECD647AA554} -> Spyware.MySearchBar : Ignored
HKU\S-1-5-21-1957994488-1454471165-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Ignored
HKU\S-1-5-21-1957994488-1454471165-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Ignored
C:\WINDOWS\system32\2hgqhp.exe -> Trojan.DNSChanger.u : Ignored
C:\WINDOWS\system32\HCLEAN32.EXE.001 -> Trojan.Qhost.qr : Ignored
C:\WINDOWS\system32\HCLEAN32.EXE.VIR -> Trojan.Qhost.qr : Ignored
C:\Dokumente und Einstellungen\Eckart\Cookies\eckart@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Ignored
C:\Dokumente und Einstellungen\Eckart\Cookies\eckart@ppms.popularix[1].txt -> Spyware.Cookie.Popularix : Ignored

::End of report

This post was edited on 12.09.2005 at 10:40 by Eckart.
#4
12.09.2005, 11:18
Honorary member
Posts: 29434

Copy the following text into Notepad (Start - Accessories - Notepad) and save it as fixme.reg on the desktop using 'Save as'. Set the file type to 'All files'. You should now find this file on the desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

[-HKEY_LOCAL_MACHINE\Software\CLASSES\HCLEAN32.EXE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WareOut]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WareOut]
[-HKEY_CURRENT_USER\Software\WareOut]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"Disabled"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\SearchToolbar]
[-HKEY_CURRENT_USER\Software\SearchToolbar]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}"=-
"{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hclean32.exe"=-
"dmpfo.exe"=-
"hgqhp.exe"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
"Flags"=dword:00000008

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\000]
"runonce1"="\"C:\\HJT\\hijackthis.exe\""

Go into the registry: Start --> Run --> regedit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[ADAPTER CLSID]
delete: "NameServer" = "195.95.218.4,85.255.112.9"
Note: [ADAPTER CLSID] is the CLSID for one of the net adapters installed on the compromised computer.

--------------------------------------------------------------------------
Paste into the KillBox:

C:\WINDOWS\system32\yaemu.exe
C:\WINDOWS\Help\SPAlert.chm
C:\WINDOWS\system32\rdsndin.exe
C:\WINDOWS\system32\ntfslpa.exe
C:\WINDOWS\system32\drv2cltr.exe
C:\WINDOWS\system32\HCLEAN32.EXE.001
C:\WINDOWS\system32\HCLEAN32.EXE.VIR
C:\WINDOWS\System32\hgqhp.exe
C:\WINDOWS\System32\dmpfo.exe
C:\WINDOWS\System32\cspeb.exe
C:\WINDOWS\system32\hclean32.exe
C:\WINDOWS\balloon.wav
C:\WINDOWS\system32\2hgqhp.exe

Restart the computer in Safe Mode (press F8 while booting).
Double-click the file "fixme.reg" on the desktop.

Download the F-Secure BlackLight beta trial: http://www.f-secure.com/blacklight/
Double-click blbeta.exe; after the check click --> next; when asked whether to reboot, click Yes (find the text file from the scan and post it to me).

Then post the new log from Silent Runners.

Quote:
Check whether you find this:

Don't delete anything yet, because the hijacker is new and I don't know yet what to do.... so just write me what you find of it.

__________
Kind regards, Sabina
all about PC security
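The two posts above do the same thing by hand twice: read the O4 Run entries and the O17 NameServer lines out of a HijackThis log, then write a REGEDIT4 file whose `"name"=-` lines delete the values. The script below, an added example that is neither the forum's nor HijackThis's own code, automates that step so the fix file is generated from the log rather than typed from memory; note that the log in the thread shows the resolver pair 195.95.218.35,85.255.112.11 while the hand-written instructions quote 195.95.218.4,85.255.112.9, which is exactly the kind of mismatch a generated file avoids. The sample log lines are constructed from the shapes quoted in the thread; the allowlist of expected resolvers and the set of Run entries to kill are assumptions the practitioner fills in from the router or ISP configuration and the scan reports.

```python
"""Triage HijackThis O4/O17 lines and emit the matching REGEDIT4 fix file.

Added example, not code from the forum or from HijackThis. The sample log
below is constructed from the line shapes quoted in the thread; the allowlist
of expected resolvers and the list of Run entries to kill are assumptions the
practitioner supplies from the ISP/router configuration and the scan reports.
"""
import re
from typing import Dict, List, Tuple

# O17 lines: per-interface NameServer under CCS (CurrentControlSet) or CS<n>,
# or the adapter-independent value under Tcpip\Parameters (no GUID).
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?:CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(\{[0-9A-Fa-f-]{36}\})|Parameters): NameServer = (.+?)\s*$"
)
# O4 lines: [value name] command, under HKLM or HKCU ...\Run
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+?)\s*$")

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Constructed sample: the GUIDs and the rogue resolver pair are the ones in the
# thread's HijackThis log; the 192.168.2.1 line stands in for a clean adapter.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [hclean32.exe] C:\WINDOWS\System32\hclean32.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{392E08DF-FAF9-496E-B7CF-23D457FA4E61}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{392E08DF-FAF9-496E-B7CF-23D457FA4E61}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{5221D37A-7E8A-4497-BDFB-3E8DCA22F144}: NameServer = 192.168.2.1
"""


def parse_hjt(text: str) -> Tuple[List[Tuple[str, str, str]], Dict[str, List[str]]]:
    """Return ([(hive, name, command)], {interface GUID or 'Parameters': [resolvers]})."""
    run: List[Tuple[str, str, str]] = []
    nameservers: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = O17_RE.match(line)
        if m:
            where = m.group(1) or "Parameters"
            # The registry string is comma- or space-separated; CCS and CS1
            # describe the same adapter, so the dict collapses them.
            nameservers[where] = re.split(r"[,\s]+", m.group(2))
            continue
        m = O4_RE.match(line)
        if m:
            run.append((m.group(1), m.group(2), m.group(3)))
    return run, nameservers


def rogue_nameservers(nameservers: Dict[str, List[str]], allowed: set) -> List[Tuple[str, List[str]]]:
    """Adapters whose resolver list contains anything outside the allowlist."""
    hits = []
    for where, servers in nameservers.items():
        bad = [ip for ip in servers if ip not in allowed]
        if bad:
            hits.append((where, bad))
    return hits


def build_fix_reg(rogue: List[Tuple[str, List[str]]], bad_run: List[Tuple[str, str, str]]) -> str:
    """REGEDIT4 text in the thread's style: '"name"=-' deletes a value.

    Deleting NameServer instead of overwriting it lets a DHCP-configured
    adapter fall back to the resolvers the router or ISP hands out.
    """
    lines = ["REGEDIT4", ""]
    for where, _ in rogue:
        key = TCPIP if where == "Parameters" else TCPIP + "\\Interfaces\\" + where
        lines += [f"[{key}]", '"NameServer"=-', ""]
    by_hive: Dict[str, List[str]] = {}
    for hive, name, _cmd in bad_run:
        by_hive.setdefault(hive, []).append(name)
    for hive, names in by_hive.items():
        lines.append(f"[{RUN_KEYS[hive]}]")
        lines += [f'"{n}"=-' for n in names]
        lines.append("")
    # regedit on XP expects CRLF line ends and a blank line at the end.
    return "\r\n".join(lines) + "\r\n"


def triage(log_text: str, allowed_resolvers: set, kill_run_names: set):
    """Parse, flag, and render: returns (rogue adapters, Run entries to kill, .reg text)."""
    run, nameservers = parse_hjt(log_text)
    rogue = rogue_nameservers(nameservers, allowed_resolvers)
    bad_run = [e for e in run if e[1] in kill_run_names]
    return rogue, bad_run, build_fix_reg(rogue, bad_run)


if __name__ == "__main__":
    rogue, bad_run, reg = triage(SAMPLE_LOG, {"192.168.2.1"}, {"hclean32.exe"})
    for where, ips in rogue:
        print(f"rogue resolvers on {where}: {', '.join(ips)}")
    print(reg)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents, write the returned text to fixme.reg with a binary-mode open so the CRLF line ends survive, and read the generated file before importing it: the Winlogon "System" value, the WareOut keys and the RunOnceEx entries in the post above are not derived from O4/O17 lines and still have to be added by hand.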
#5
12.09.2005, 13:42
Member, thread starter
Posts: 23

Hi Sabina!

Well, in regedit I had neither that adapter nor the NameServer 195.95....... I searched everything.... I carried out the other steps anyway, and here are the corresponding logs:

blbeta log:

09/12/05 13:13:21 [Info]: BlackLight Engine 1.0.23 initialized
09/12/05 13:13:21 [Info]: OS: 5.1 build 2600 (Service Pack 1)
09/12/05 13:13:21 [Note]: 4019 0
09/12/05 13:13:21 [Note]: 4019 1
09/12/05 13:13:21 [Note]: 4019 2
09/12/05 13:13:21 [Note]: 4019 3
09/12/05 13:13:21 [Note]: 4019 4
09/12/05 13:13:21 [Note]: 4005 0
09/12/05 13:13:25 [Note]: 4006 0
09/12/05 13:13:25 [Note]: 4011 1668
09/12/05 13:13:26 [Note]: FSRAW library version 1.7.1011
09/12/05 13:23:46 [Note]: 4007 0

The program did not find anything it could delete, though!

Silent Runners:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"LDM" = "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" ["Logitech"]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Google Desktop Search" = ""C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"zBrowser Launcher" = "C:\Programme\Logitech\iTouch\iTouch.exe" ["Logitech Inc. "]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"routcnf" = "C:\Programme\Telekom\T-Sinus 620data\routcnf.exe /capiactive" [file not found]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"PSDrvCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]
"PinnacleDriverCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]
"Omnipage" = "C:\Programme\ScanSoft\OmniPageSE\opware32.exe" ["ScanSoft, Inc"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"EM_EXEC" = "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"AVSCHED32" = "C:\Programme\AVPersonal\AVSched32.EXE /min" ["H+BEDV Datentechnik GmbH"]
"Zone Labs Client" = ""C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]
"AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
" " = "REM " [file not found]
"dmrbl.exe" = "C:\WINDOWS\System32\dmrbl.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}" = "Extensions Manager Folder"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\extmgr.dll" [file not found]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Grüne Idylle.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Eckart" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\Eckart\Startmenü\Programme\Autostart
"SpamPal" -> shortcut to: "C:\Programme\SpamPal\spampal.exe" ["www.spampal.org"]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"InterVideo WinCinema Manager" -> shortcut to: "C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
"ISDN Guard" -> shortcut to: "C:\Programme\AGFEO\ISDN Guard\agfguard.exe" [" "]
"Logitech Desktop Messenger" -> shortcut to: "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"NETGEAR WG111T Smart Wizard" -> shortcut to: "C:\Programme\NETGEAR\WG111T Configuration Utility\wlan111t.exe" ["NETGEAR"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 08
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 09 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Canon\Easy-WebPrint\Toolband.dll" [empty string]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
{9455301C-CF6B-11D3-A266-00C04F689C50}\ = "Encarta &Recherche-Assistent" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROProj.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Recherche-Assistent"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Programme\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.tiscali.de

Missing lines (compared with English-language version):
[Strings]: 1 line


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 1 domain name to an IP address,
      1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\Programme\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Einfache TCP/IP-Dienste, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
ewido security suite control, ewido security suite control, "C:\Programme\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\ehome\ehSched.exe" [MS]
RIP-Überwachung, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 10 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 19 seconds.
---------- (total run time: 52 seconds)

So long,
Eckart
12.09.2005, 14:23
Honorary member
Posts: 29434
#6
Quote:
"dmrbl.exe" = "C:\WINDOWS\System32\dmrbl.exe" [null data]

Following the pattern above, create a fix.reg:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmrbl.exe"=-

Delete with the Killbox:
C:\WINDOWS\system32\dmrbl.exe

Restart the PC (safe mode), double-click fix.reg.

hoster.zip
http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'. Exit Program.

CCleaner --> delete all *temp files
http://virus-protect.org/temp.html

Post the log from HijackThis + Silent Runners
----------------
What entries do you find???
[CURRENT USER]-Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk

Do you find????????
IpDnsAddress = 195.95.218.4
IpDns2Address = 85.255.112.9
IpNameAssign = 2

Do you find????????
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
"NameServer" = "195.95.218.4,85.255.112.9"

__________
Kind regards, Sabina
All about PC security
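The check Sabina asks for above (rogue DNS servers in the Tcpip Interfaces key, in rasphone.pbk, and in the HijackThis O17 lines) can be scripted as a detection pass over the three text formats. The script below is an added example for this thread, not code from the thread or from virus-protect.org; the allowlist EXPECTED_DNS, the sample lines and the helper names are constructed for illustration, and an analyst would replace the allowlist with the resolvers the PC is actually supposed to use.

```python
"""Flag DNS server entries that point outside an expected allowlist.

Added example (not part of the original thread). It recognises three
kinds of text the thread deals with: HijackThis O17 lines, registry
dumps of Tcpip\\Parameters\\Interfaces "NameServer" values, and the
IpDnsAddress / IpDns2Address keys of a rasphone.pbk dial-up entry.
"""
import ipaddress
import re

# Constructed allowlist: the resolvers this PC is expected to use
# (here: the router and the local resolver; real values vary per site).
EXPECTED_DNS = {"192.168.1.1", "127.0.0.1"}

# HijackThis O17 line:  ...: NameServer = a.b.c.d,e.f.g.h
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
# Registry dump line:   "NameServer" = "a.b.c.d,e.f.g.h"
REG_RE = re.compile(r'"NameServer"\s*=\s*"(?P<servers>[\d.,\s]*)"')
# rasphone.pbk line:    IpDnsAddress=a.b.c.d  (IpDns2Address likewise)
PBK_RE = re.compile(r"^IpDns2?Address\s*=\s*(?P<servers>[\d.]+)$")


def extract_nameservers(line):
    """Return the list of nameserver strings found on one line, or []."""
    text = line.strip()
    for rx in (O17_RE, REG_RE, PBK_RE):
        m = rx.search(text)
        if m:
            return [s.strip() for s in m.group("servers").split(",") if s.strip()]
    return []


def is_unexpected(server, expected=EXPECTED_DNS):
    """True if the entry is not loopback, not unset, and not on the allowlist."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return True  # a malformed entry also deserves a look
    # 0.0.0.0 in a .pbk means "no static DNS configured"; loopback is local.
    if ip.is_loopback or ip.is_unspecified or str(ip) in expected:
        return False
    return True


def find_rogue_dns(lines, expected=EXPECTED_DNS):
    """Return (line, [unexpected servers]) pairs for lines worth reviewing."""
    findings = []
    for line in lines:
        bad = [s for s in extract_nameservers(line) if is_unexpected(s, expected)]
        if bad:
            findings.append((line.strip(), bad))
    return findings


# Constructed sample input echoing the formats quoted in the thread.
SAMPLE_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{392E08DF-FAF9-496E-B7CF-23D457FA4E61}: NameServer = 195.95.218.35,85.255.112.11",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{5221D37A-7E8A-4497-BDFB-3E8DCA22F144}: NameServer = 192.168.1.1",
    r'"NameServer" = "195.95.218.4,85.255.112.9"',
    "IpDnsAddress=195.95.218.4",
    "IpDns2Address=85.255.112.9",
    "IpNameAssign=2",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
]

if __name__ == "__main__":
    for line, servers in find_rogue_dns(SAMPLE_LINES):
        print(f"UNEXPECTED DNS {', '.join(servers)} in: {line}")
```

Run on a saved HijackThis log, a registry export and a copy of rasphone.pbk, the same functions work unchanged; the allowlist is the only site-specific part. Treating 0.0.0.0 as benign matters for the .pbk case, where it simply means no static resolver is set.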
12.09.2005, 14:52
Member
Thread starter, Posts: 23
#7
Hi@Sabina
All done! It feels good now, but here are the two logs anyway:

Logfile of HijackThis v1.99.1
Scan saved at 14:45:03, on 12.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Logitech\iTouch\iTouch.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\AVPersonal\AVSched32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\AGFEO\ISDN Guard\agfguard.exe
C:\Programme\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Programme\SpamPal\spampal.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Dokumente und Einstellungen\Eckart\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.digitalfan.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.digitalfan.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.digitalfan.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [routcnf] C:\Programme\Telekom\T-Sinus 620data\routcnf.exe /capiactive
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDrvCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Programme\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: SpamPal.lnk = C:\Programme\SpamPal\spampal.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ISDN Guard.lnk = C:\Programme\AGFEO\ISDN Guard\agfguard.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_03\bin\npjpi141_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_03\bin\npjpi141_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.de
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/150eacb85e56d1456b15/netzip/RdxIE601_de.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"LDM" = "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" ["Logitech"]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Google Desktop Search" = ""C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"zBrowser Launcher" = "C:\Programme\Logitech\iTouch\iTouch.exe" ["Logitech Inc. "]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"routcnf" = "C:\Programme\Telekom\T-Sinus 620data\routcnf.exe /capiactive" [file not found]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"PSDrvCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]
"PinnacleDriverCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]
"Omnipage" = "C:\Programme\ScanSoft\OmniPageSE\opware32.exe" ["ScanSoft, Inc"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"EM_EXEC" = "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"AVSCHED32" = "C:\Programme\AVPersonal\AVSched32.EXE /min" ["H+BEDV Datentechnik GmbH"]
"Zone Labs Client" = ""C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]
"AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
" " = "REM " [file not found]
"dmrbl.exe" = "C:\WINDOWS\System32\dmrbl.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}" = "Extensions Manager Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\extmgr.dll" [file not found]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Grüne Idylle.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Eckart" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\Eckart\Startmenü\Programme\Autostart
"SpamPal" -> shortcut to: "C:\Programme\SpamPal\spampal.exe" ["www.spampal.org"]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"InterVideo WinCinema Manager" -> shortcut to: "C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
"ISDN Guard" -> shortcut to: "C:\Programme\AGFEO\ISDN Guard\agfguard.exe" [" "]
"Logitech Desktop Messenger" -> shortcut to: "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"NETGEAR WG111T Smart Wizard" -> shortcut to: "C:\Programme\NETGEAR\WG111T Configuration Utility\wlan111t.exe" ["NETGEAR"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 08
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 09 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Canon\Easy-WebPrint\Toolband.dll" [empty string]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
{9455301C-CF6B-11D3-A266-00C04F689C50}\ = "Encarta &Recherche-Assistent" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROProj.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Recherche-Assistent"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Programme\Messenger\MSMSGS.EXE" [MS]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.tiscali.de
Missing lines (compared with English-language version):
[Strings]: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\Programme\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Einfache TCP/IP-Dienste, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
ewido security suite control, ewido security suite control, "C:\Programme\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\ehome\ehSched.exe" [MS]
RIP-Überwachung, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech, Inc."]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 70 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 16 seconds.
---------- (total run time: 117 seconds)

Phhhhh,..... Was that it? Have I finally gotten rid of those things??? At least I don't notice anything anymore!

Best regards,
Eckart

Oh, and I can't find the entries you mentioned! Or where should I have looked??
12.09.2005, 14:56
Honorary member
Posts: 29434
#8
The whole thing looks professional. If you want, you can send them an e-mail and report to them that dubious offers are being spread over the Internet by one of their customers.

E-mail address: abuse@esthost.com

Maybe they will take action against that person ...

Quote:
inetnum: 195.95.218.0 - 195.95.219.255

__________
Kind regards, Sabina
All about PC security
12.09.2005, 14:59
Member
Thread starter, Posts: 23
#9
Quote:
The whole thing looks professional.

Do you mean the cleanliness of my PC or the machinations of those Estonians? Is it clean now????? Hopefully!!!!

Eckart
12.09.2005, 15:01
Honorary member
Posts: 29434
#10
No, your PC is not clean yet.

Quote: Sabina posted

__________
Kind regards, Sabina
All about PC security
12.09.2005, 15:10
Member
Thread starter, Posts: 23
#11
OK, done.

Sorry, I only saw your last reply afterwards.... Here is the Silent Runners log again:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"LDM" = "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" ["Logitech"]
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Google Desktop Search" = ""C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"zBrowser Launcher" = "C:\Programme\Logitech\iTouch\iTouch.exe" ["Logitech Inc. "]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"routcnf" = "C:\Programme\Telekom\T-Sinus 620data\routcnf.exe /capiactive" [file not found]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"PSDrvCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]
"PinnacleDriverCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]
"Omnipage" = "C:\Programme\ScanSoft\OmniPageSE\opware32.exe" ["ScanSoft, Inc"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"EM_EXEC" = "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"AVSCHED32" = "C:\Programme\AVPersonal\AVSched32.EXE /min" ["H+BEDV Datentechnik GmbH"]
"Zone Labs Client" = ""C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]
"AVGCtrl" = ""C:\Programme\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
" " = "REM " [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Previous Versions Property Page"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{9DB7A13C-F208-4981-8353-73CC61AE2783}" = "Previous Versions"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\twext.dll" [file not found]
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}" = "Extensions Manager Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\extmgr.dll" [file not found]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Grüne Idylle.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Eckart" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\Eckart\Startmenü\Programme\Autostart
"SpamPal" -> shortcut to: "C:\Programme\SpamPal\spampal.exe" ["www.spampal.org"]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"InterVideo WinCinema Manager" -> shortcut to: "C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
"ISDN Guard" -> shortcut to: "C:\Programme\AGFEO\ISDN Guard\agfguard.exe" [" "]
"Logitech Desktop Messenger" -> shortcut to: "C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"NETGEAR WG111T Smart Wizard" -> shortcut to: "C:\Programme\NETGEAR\WG111T Configuration Utility\wlan111t.exe" ["NETGEAR"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 08
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 09 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Canon\Easy-WebPrint\Toolband.dll" [empty string]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
{9455301C-CF6B-11D3-A266-00C04F689C50}\ = "Encarta &Recherche-Assistent" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROProj.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Programme\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]
{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Recherche-Assistent"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Programme\Messenger\MSMSGS.EXE" [MS]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.tiscali.de
Missing lines (compared with English-language version):
[Strings]: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\Programme\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Programme\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Einfache TCP/IP-Dienste, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
ewido security suite control, ewido security suite control, "C:\Programme\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Programme\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\ehome\ehSched.exe" [MS]
RIP-Überwachung, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech, Inc."]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 63 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 17 seconds.
---------- (total run time: 103 seconds)
12.09.2005, 15:26
Honorary member
Posts: 29434
#12
Online scan with Panda + Kaspersky + report back
http://virus-protect.org/onlinescan.html
__________
Regards, Sabina
all about PC security
13.09.2005, 01:39
Member
Thread starter, posts: 23
#13
Doesn't look good at all:
Panda:
Incident Status Location
Adware:adware/wupd No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\activex.inf
Adware:adware/look2me No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\activex.ocx
Adware:adware/myway No disinfected Windows Registry
Virus:Trj/Qhost.BP Disinfected C:\Programme\AVPersonal\INFECTED\HCLEAN32.EXE.001
Virus:Trj/Qhost.BP Disinfected C:\Programme\AVPersonal\INFECTED\HCLEAN32.EXE.VIR
Adware:Adware/Findspy No disinfected C:\Programme\AVPersonal\INFECTED\RDSNDIN.EXE.001
Adware:Adware/Findspy No disinfected C:\Programme\AVPersonal\INFECTED\RDSNDIN.EXE.002
Adware:Adware/Findspy No disinfected C:\Programme\AVPersonal\INFECTED\RDSNDIN.EXE.VIR
Security Risk:HackTool/Gendel.A No disinfected C:\Programme\KFZ\gendel32.ex_
and Kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, September 13, 2005 01:37:05
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 12/09/2005
Kaspersky Anti-Virus database records: 140066
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\ D:\ E:\ F:\ G:\ H:\ I:\
Scan Statistics:
Total number of scanned objects: 65832
Number of viruses found: 2
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 6864 sec
Infected Object Name - Virus Name
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP667\A0116691.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP667\A0116715.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP667\A0116732.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP667\A0117732.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP667\A0117766.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP667\A0118766.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP667\A0118775.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP667\A0118782.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP667\A0118812.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP668\A0118864.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP668\A0118880.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP668\A0118892.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP668\A0118932.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP668\A0119269.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP668\A0120268.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP668\A0120291.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP669\A0120331.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP669\A0120355.exe Infected: Trojan.Win32.DNSChanger.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP669\A0120356.exe Infected: Trojan-Dropper.Win32.Vidro.u
C:\System Volume Information\_restore{8EBBCEA3-2C4C-4F40-8826-A9E3D45DA73B}\RP669\A0120374.exe Infected: Trojan-Dropper.Win32.Vidro.u
Scan process completed.
hmm, what now??
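An added example (not from this thread, HijackThis or any of the scanners used here): a Python check that pulls the O17 NameServer entries out of a HijackThis log like the one posted in this thread and sorts every configured resolver into expected, local or unexpected, so a DNS changer that has written the same foreign resolvers onto every interface stands out at a glance. The five hijacked O17 lines are the ones from this thread; the router address 192.168.1.1, the 10.0.0.53 resolver, the Domain line and the zero-filled interface GUIDs are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: the five hijacked O17 lines from the HijackThis log posted in
# this thread, one non-O17 line (to show the parser skipping it) and constructed entries
# (a router resolver, a LAN resolver and a Domain line) so every branch is exercised.
# The zero-filled interface GUIDs are placeholders, not real interfaces.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.digitalfan.com/search
O17 - HKLM\System\CCS\Services\Tcpip\..\{392E08DF-FAF9-496E-B7CF-23D457FA4E61}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{5221D37A-7E8A-4497-BDFB-3E8DCA22F144}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7C015D-FD1E-40CB-A9FB-F9378EB8A060}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C9A2FF3-78A4-4D8E-8653-1F32A524995B}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{91CC584C-050D-4E51-AF9B-CB1139D483C3}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 10.0.0.53
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.invalid
"""

# HijackThis O17 line shape: "O17 - <registry key>: <value name> = <value>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<value>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_o17(lines):
    """Yield (interface, value_name, [values]) for every O17 line in a HijackThis log."""
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        g = GUID_RE.search(m.group("key"))
        interface = g.group(0) if g else m.group("key")   # per-adapter key or global Parameters key
        values = [v.strip() for v in m.group("value").split(",") if v.strip()]
        yield interface, m.group("name"), values


def classify_server(server, allowlist):
    """Put one NameServer value into a bucket; allowlist holds ipaddress objects."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "not-an-ip"      # NameServer should hold IPs; anything else deserves a look
    if ip in allowlist:
        return "expected"       # the ISP's or corporate resolver the operator knows about
    if ip.is_private or ip.is_loopback:
        return "local"          # usually the router or a LAN resolver; verify, rarely a hijack
    return "unexpected"         # a public resolver nobody configured on purpose


def audit_nameservers(lines, allowlist):
    """Group every configured resolver by bucket: {bucket: {server: [interfaces]}}."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    report = {b: defaultdict(list) for b in ("expected", "local", "unexpected", "not-an-ip")}
    for interface, name, values in parse_o17(lines):
        if name != "NameServer":
            continue            # Domain / SearchList entries are not resolver addresses
        for server in values:
            report[classify_server(server, allowed)][server].append(interface)
    return {b: dict(servers) for b, servers in report.items()}


def summarize(report):
    """One line per finding, most serious first, ready to paste into a reply."""
    out = []
    for server, ifaces in sorted(report["unexpected"].items()):
        out.append(f"UNEXPECTED resolver {server} set on {len(ifaces)} interface(s)")
    for server, ifaces in sorted(report["not-an-ip"].items()):
        out.append(f"MALFORMED NameServer value {server!r} on {len(ifaces)} interface(s)")
    for server, ifaces in sorted(report["local"].items()):
        out.append(f"local resolver {server} on {len(ifaces)} interface(s) (verify it is yours)")
    for server, ifaces in sorted(report["expected"].items()):
        out.append(f"expected resolver {server} on {len(ifaces)} interface(s)")
    return out


if __name__ == "__main__":
    # 192.168.1.1 is a constructed placeholder for the user's own router / ISP resolver.
    findings = audit_nameservers(SAMPLE_HJT_LOG.strip().splitlines(), {"192.168.1.1"})
    print("\n".join(summarize(findings)))
```

The same two foreign resolvers on all five adapter keys is the pattern to look for: a legitimate ISP change touches the adapter actually in use, not every interface GUID the machine has ever had.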
13.09.2005, 03:43
Member
Posts: 4730
#14
On the contrary, it looks good.
Disable System Restore: Start -> Control Panel -> System -> System Restore
Delete (with KillBox if necessary (see above)):
C:\Programme\KFZ\gendel32.ex_
C:\WINDOWS\DOWNLOADED PROGRAM FILES\activex.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\activex.ocx
Delete the folder C:\Programme\KFZ\
Run a scan with Spybot S&D (don't forget to update before scanning) and fix all problems found.
And don't forget: update Windows!
Oh yes, System Restore can be re-enabled afterwards.
__________
This is a signature! Personal service: Are you from Berlin? Then send me a PM, maybe we can arrange an appointment. Der Grabsteinschubser
13.09.2005, 09:09
Member
Thread starter, posts: 23
#15
OK, all done. During the first Spybot scan AntiVir reported the two familiar ones again, hclean32.exe and rdsndin, and twice at that! So there must still be something there, right?? I ran Spybot again (after a reboot) because it could not remove one entry; this time AntiVir only reported once. Well, at least Kaspersky has now found nothing more in the 'Critical Areas', and after another reboot Spybot finds nothing either... phew, maybe everything is clean now after all??? Update Windows? Soon after SP2 came out I downloaded and installed it because of the automatic download, which cost me two days, because that SP2 was not suitable for my Media Center Edition. Can I risk it now???
This post was edited by Eckart on 13.09.2005 at 10:21.
As already asked by PM, I also have the problem with hclean32.exe and rdsndin.exe, which AntiVir flags as Trojans.
It would be really great if you could help me!
So here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 01:05:26, on 11.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Logitech\iTouch\iTouch.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Programme\AVPersonal\AVSched32.EXE
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\AGFEO\ISDN Guard\agfguard.exe
C:\Programme\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Programme\SpamPal\spampal.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programme\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Programme\SlimBrowser\sbrowser.exe
C:\WINDOWS\System32\dwwin.exe
C:\Dokumente und Einstellungen\Eckart\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.digitalfan.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.digitalfan.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.digitalfan.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [routcnf] C:\Programme\Telekom\T-Sinus 620data\routcnf.exe /capiactive
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDrvCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Omnipage] C:\Programme\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: SpamPal.lnk = C:\Programme\SpamPal\spampal.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: ISDN Guard.lnk = C:\Programme\AGFEO\ISDN Guard\agfguard.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Savings - file://C:\Programme\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_03\bin\npjpi141_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.1_03\bin\npjpi141_03.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.de
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/150eacb85e56d1456b15/netzip/RdxIE601_de.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{392E08DF-FAF9-496E-B7CF-23D457FA4E61}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{5221D37A-7E8A-4497-BDFB-3E8DCA22F144}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7C015D-FD1E-40CB-A9FB-F9378EB8A060}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C9A2FF3-78A4-4D8E-8653-1F32A524995B}: NameServer = 195.95.218.35,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{91CC584C-050D-4E51-AF9B-CB1139D483C3}: NameServer = 195.95.218.35,85.255.112.11
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Then the Find_T log:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Search by size and names...
C:\WINDOWS\balloon.wav
C:\WINDOWS\Help\SPAlert.chm
»»»»» Misc files
Then the datfind.bat logs:
system32.txt:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 0807-9594
Verzeichnis von C:\WINDOWS\system32
11.09.2005 00:46 889 vsconfig.xml
09.09.2005 13:52 27.136 yaemu.exe
08.09.2005 08:25 381.692 perfh009.dat
08.09.2005 08:25 392.456 perfh007.dat
08.09.2005 08:25 53.436 perfc009.dat
08.09.2005 08:25 64.406 perfc007.dat
08.09.2005 08:25 902.546 PerfStringBackup.INI
09.08.2005 22:18 2.206 wpa.dbl
04.08.2005 18:54 1.457.496 MRT.exe
23.07.2005 15:25 16.832 amcompat.tlb
23.07.2005 15:25 23.392 nscompat.tlb
08.07.2005 18:10 238.592 tapisrv.dll
08.07.2005 18:10 72.704 remotesp.tsp
then systemtemp.txt:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 0807-9594
Verzeichnis von C:\DOKUME~1\Eckart\LOKALE~1\Temp
11.09.2005 00:58 301.841 B9A56.dmp
11.09.2005 00:58 0 WERF.tmp
11.09.2005 00:46 16.384 ~DF837C.tmp
11.09.2005 00:46 16.384 ~DF80C1.tmp
11.09.2005 00:41 16.384 ~DFAF62.tmp
11.09.2005 00:16 302.353 43E6D.dmp
11.09.2005 00:16 0 WER1C.tmp
10.09.2005 23:48 16.384 ~DF2D8A.tmp
10.09.2005 23:48 16.384 ~DF248D.tmp
10.09.2005 23:47 16.384 ~DF5BBD.tmp
10.09.2005 23:47 16.384 ~DFEBD0.tmp
10.09.2005 23:43 302.353 3BFB7.dmp
10.09.2005 23:43 0 WER28.tmp
10.09.2005 23:40 32.768 ~DF9094.tmp
10.09.2005 23:37 0 16A8C.dmp
10.09.2005 23:37 0 WER5.tmp
10.09.2005 23:36 32.768 ~DF53B1.tmp
10.09.2005 23:34 16.384 ~DFE137.tmp
10.09.2005 23:34 32.768 ~DFEA4B.tmp
10.09.2005 23:34 32.768 ~DFAB25.tmp
10.09.2005 23:32 49.152 ~DFD519.tmp
10.09.2005 23:18 0 WER26.tmp
10.09.2005 22:40 0 WER15.tmp
07.09.2005 00:03 890 jinstall.cfg
05.09.2005 16:07 55 ram119.ram
05.09.2005 16:07 55 ram117.ram
05.09.2005 16:05 55 ram114.ram
05.09.2005 15:38 717 control.xml
26.08.2005 12:36 16.384 ~DF82A7.tmp
25.08.2005 21:25 0 fla6.tmp
24.08.2005 16:21 15.809.490 ram50.ram
24.08.2005 16:21 16.671.978 ram4F.ram
20.08.2005 12:14 0 WER1E.tmp
18.08.2005 22:57 14.832 ZTR14.tmp
18.08.2005 22:57 21.300 ZTR10.tmp
18.08.2005 22:57 17.640 ZTRC.tmp
18.08.2005 22:57 15.904 ZTR7.tmp
10.08.2005 20:40 32.768 ~DF9E3C.tmp
02.08.2005 08:32 14.832 ZTRC9.tmp
02.08.2005 08:32 21.300 ZTRC5.tmp
02.08.2005 08:32 17.640 ZTRC1.tmp
02.08.2005 08:32 16.200 ZTRBC.tmp
then system.txt:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 0807-9594
Verzeichnis von C:\WINDOWS
11.09.2005 00:47 6.400 balloon.wav
11.09.2005 00:46 0 0.log
11.09.2005 00:46 1.409 QTFont.for
11.09.2005 00:46 54.156 QTFont.qfn
11.09.2005 00:46 1.166.342 WindowsUpdate.log
11.09.2005 00:46 65 iTouch.ini
11.09.2005 00:46 159 wiadebug.log
11.09.2005 00:46 50 wiaservc.log
11.09.2005 00:46 2.048 bootstat.dat
11.09.2005 00:45 32.554 SchedLgU.Txt
10.09.2005 22:06 803.400 setupapi.log
05.09.2005 15:38 248.804 wmsetup.log
22.08.2005 08:59 4.676 KB887998.log
18.08.2005 22:51 649.896 iis6.log
18.08.2005 22:51 179.424 comsetup.log
18.08.2005 22:51 112.003 ntdtcsetup.log
18.08.2005 22:51 1.374 imsins.log
18.08.2005 22:51 25.071 tabletoc.log
18.08.2005 22:51 14.840 KB899587.log
18.08.2005 22:51 248.532 tsoc.log
18.08.2005 22:51 300.467 ocgen.log
18.08.2005 22:51 167.018 MedCtrOC.log
18.08.2005 22:51 104.551 netfxocm.log
18.08.2005 22:51 19.527 ocmsn.log
18.08.2005 22:51 26.555 msgsocm.log
18.08.2005 22:51 515.484 FaxSetup.log
18.08.2005 22:51 173.210 msmqinst.log
18.08.2005 22:51 6.875 updspapi.log
18.08.2005 22:51 1.374 imsins.BAK
18.08.2005 22:51 14.326 KB899591.log
18.08.2005 22:51 14.596 KB893756.log
18.08.2005 22:51 13.706 KB896423.log
18.08.2005 22:51 12.917 KB901214.log
18.08.2005 22:50 12.869 KB899588.log
and finally sys.txt:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 0807-9594
Verzeichnis von C:\
11.09.2005 01:08 0 sys.txt
11.09.2005 01:08 12.057 system.txt
11.09.2005 01:08 14.134 systemtemp.txt
11.09.2005 01:07 113.505 system32.txt
11.09.2005 01:06 267 report.txt
11.09.2005 00:46 536.399.872 hiberfil.sys
11.09.2005 00:46 805.306.368 pagefile.sys
06.09.2005 23:50 6.223 FindT.bat
10.07.2005 22:42 367 Readme.txt
01.02.2005 23:24 1.364 INSTALL.LOG
01.02.2005 23:20 21.904 Juxta-Display-S-Si.ttf
11.01.2005 20:32 17 AUTOEXEC.BAT
11.01.2005 20:32 54 PVDATA.BAT
The regsearch.vbs search for hclean returned no result.
rkfiles in safe mode:
C:\Dokumente und Einstellungen\Eckart\Desktop
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\avisynth.dll: UPX!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
C:\WINDOWS\system32\avisynth.dll: UPX!
Files Found in all users windows Folder............
------------------------
Finished
bye
WinPFind somehow produced a lot of blank lines, which I have now deleted:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person
before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows
somethimes displays this message due to the high volume of disk I/O. As long as the hard
disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
UPX! 09.12.2003 01:31:00 11254 C:\locate.com
UPX! 11.09.2005 01:53:20 783 C:\log.txt
PEC2 11.09.2005 01:53:20 783 C:\log.txt
qoologic 10.07.2005 22:42:00 367 C:\Readme.txt
UPX! 17.01.2005 19:15:10 3180 C:\rkfiles.bat
FSG! 17.01.2005 19:15:10 3180 C:\rkfiles.bat
PEC2 17.01.2005 19:15:10 3180 C:\rkfiles.bat
UPX! 11.09.2005 01:35:16 40 C:\start.txt
UPX! 11.09.2005 01:47:38 256 C:\win.txt
PEC2 11.09.2005 01:47:38 256 C:\win.txt
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
UPX! 22.11.2002 17:21:28 123904 C:\WINDOWS\SYSTEM32\avisynth.dll
PEC2 11.08.2003 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 04.08.2005 18:54:06 1457496 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.08.2005 18:54:06 1457496 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 11.08.2003 14:00:00 660480 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 11.08.2003 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11.09.2005 09:07:50 S 2048 C:\WINDOWS\bootstat.dat
11.09.2005 09:10:08 H 54156 C:\WINDOWS\QTFont.qfn
11.09.2005 09:08:00 H 889 C:\WINDOWS\system32\vsconfig.xml
11.09.2005 17:29:32 H 1024 C:\WINDOWS\system32\config\default.LOG
11.09.2005 09:09:52 H 1024 C:\WINDOWS\system32\config\SAM.LOG
11.09.2005 16:09:58 H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
11.09.2005 19:17:40 H 1024 C:\WINDOWS\system32\config\software.LOG
11.09.2005 19:17:48 H 1024 C:\WINDOWS\system32\config\system.LOG
18.08.2005 22:50:44 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
21.08.2005 09:58:44 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\ac658aa4-9c7c-4789-a45b-e7272f7418a3
21.08.2005 09:58:44 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
11.09.2005 09:07:52 H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 11.08.2003 14:00:00 68096 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 08.10.2003 17:05:36 13426176 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 11.08.2003 14:00:00 583680 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 11.08.2003 14:00:00 132096 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 11.08.2003 14:00:00 152064 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 11.08.2003 14:00:00 293376 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 11.08.2003 14:00:00 125440 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 11.08.2003 14:00:00 66560 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 01.05.2003 09:05:18 229487 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 11.08.2003 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 11.08.2003 14:00:00 566272 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 11.08.2003 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 11.08.2003 14:00:00 259072 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 17.11.2003 11:33:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 11.08.2003 14:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 11.08.2003 14:00:00 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 11.08.2003 14:00:00 111616 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 23.12.2003 18:42:58 324608 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 11.08.2003 14:00:00 272896 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 11.08.2003 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 11.08.2003 14:00:00 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 11.08.2003 14:00:00 68096 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 11.08.2003 14:00:00 583680 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 11.08.2003 14:00:00 132096 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 11.08.2003 14:00:00 152064 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 11.08.2003 14:00:00 293376 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 11.08.2003 14:00:00 125440 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 11.08.2003 14:00:00 66560 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 11.08.2003 14:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 11.08.2003 14:00:00 566272 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 11.08.2003 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 11.08.2003 14:00:00 259072 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 11.08.2003 14:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 11.08.2003 14:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 11.08.2003 14:00:00 111616 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 11.08.2003 14:00:00 151552 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 11.08.2003 14:00:00 272896 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 11.08.2003 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 11.08.2003 14:00:00 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Realtek Semiconductor Corp. 05.08.2003 16:51:00 R 10433024 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\ALSNDMGR.CPL
NVIDIA Corporation 28.07.2003 15:19:00 R 143360 C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\nvtuicpl.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
16.12.2004 12:31:08 807 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Gamma Loader.lnk
27.12.2004 10:42:10 1737 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
27.11.2003 17:04:30 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
12.02.2004 14:07:20 1747 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\InterVideo WinCinema Manager.lnk
16.08.2005 10:00:52 704 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\ISDN Guard.lnk
09.03.2004 16:55:04 1857 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Logitech Desktop Messenger.lnk
04.12.2003 22:42:04 1714 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
04.07.2005 22:08:38 1635 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\NETGEAR WG111T Smart Wizard.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
27.11.2003 16:54:16 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
27.11.2003 17:04:30 HS 84 C:\Dokumente und Einstellungen\Eckart\Startmenü\Programme\Autostart\desktop.ini
26.01.2004 11:54:22 608 C:\Dokumente und Einstellungen\Eckart\Startmenü\Programme\Autostart\SpamPal.lnk
Checking files in %USERPROFILE%\Application Data folder...
27.11.2003 16:54:16 HS 62 C:\Dokumente und Einstellungen\Eckart\Anwendungsdaten\desktop.ini
02.02.2005 12:32:42 88032 C:\Dokumente und Einstellungen\Eckart\Anwendungsdaten\GDIPFONTCACHEV1.DAT
28.01.2004 00:51:50 22279 C:\Dokumente und Einstellungen\Eckart\Anwendungsdaten\Kommagetrennte Werte (Windows).ADR
27.01.2004 10:51:20 12961 C:\Dokumente und Einstellungen\Eckart\Anwendungsdaten\Kommagetrennte Werte (Windows).CAL
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\AVPersonal\AVShlExt.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AntiVir/Win
{a7cda720-84ee-11d0-b5c0-00001b3ca278} = C:\Programme\AVPersonal\AVShlExt.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Programme\Yahoo!\Messenger\yhexbmes.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{9455301C-CF6B-11D3-A266-00C04F689C50}
Encarta &Recherche-Assistent = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROProj.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} = Easy-WebPrint : C:\Programme\Canon\Easy-WebPrint\Toolband.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9455301C-CF6B-11D3-A266-00C04F689C50}
ButtonText = Recherche-Assistent :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Programme\Messenger\MSMSGS.EXE
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Programme\Yahoo!\Messenger\yhexbmes.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} = My &Search Bar : C:\Programme\MyWay\myBar\2.bin\MYBAR.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
zBrowser Launcher C:\Programme\Logitech\iTouch\iTouch.exe
TkBellExe "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
SoundMan SOUNDMAN.EXE
routcnf C:\Programme\Telekom\T-Sinus 620data\routcnf.exe /capiactive
QuickTime Task "C:\Programme\QuickTime\qttask.exe" -atboottime
PSDrvCheck C:\WINDOWS\System32\PSDrvCheck.exe
PinnacleDriverCheck C:\WINDOWS\System32\PSDrvCheck.exe
Omnipage C:\Programme\ScanSoft\OmniPageSE\opware32.exe
nwiz nwiz.exe /install
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
EM_EXEC C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
ehTray C:\WINDOWS\ehome\ehtray.exe
AVSCHED32 C:\Programme\AVPersonal\AVSched32.EXE /min
Zone Labs Client "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
AVGCtrl "C:\Programme\AVPersonal\AVGNT.EXE" /min
REM
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
LDM C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
Google Desktop Search "C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.9 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11.09.2005 19:18:24
I'll send the Silentrunner and findqoologic logs later!!!
Many thanks in advance for your effort!!!!
Eckart
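The WinPFind dump above is the raw material a helper triages by hand: the board software wrapped long lines (GUIDs split in two, a key whose closing bracket landed on the next line, a toolbar value whose DLL path followed a trailing colon), and the interesting entries are a handful of autostart locations buried among dozens of Windows defaults. The script below is an added example for this thread, not part of WinPFind, HijackThis or either poster's text: it re-joins the wrapped lines, parses the key/subkey/value layout as inferred from the paste, and flags three things a responder would look at first: any value matching a path the helper already told the poster to remove (C:\Programme\MyWay\myBar), an Image File Execution Options Debugger set for anything other than the placeholder subkey XP ships with, and a Winlogon\Notify package outside the nine XP defaults that all appear in this log. The sample input is constructed from lines of the paste; the `examplenotify` subkey in it does not exist in the posted log and is there only to show the Notify check firing.

```python
"""Triage helper for a WinPFind-style registry dump like the one pasted above.

Added example for this thread; not part of WinPFind, HijackThis or the original
post. Format inferred from the paste: a bracketed line opens a registry key, an
unbracketed line starting with HKEY_/HKLM/HKCU names a subkey, every other line
is a value, and the board wrapped long lines (a GUID split in two, a key whose
closing ']' fell onto the next line, a value whose path followed ':' or '=').
"""
import re
from typing import List, Tuple

# Winlogon\Notify packages Windows XP ships with; all nine appear in the log above.
# Anything else registered there loads a DLL into winlogon.exe at logon.
DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
# The only IFEO subkey present on a clean XP install; its 'ntsd -d' is harmless.
IFEO_PLACEHOLDER = "your image file name here without a path"
# Path fragments the helper told the poster to remove earlier in this thread.
THREAD_INDICATORS = (r"\myway\mybar",)

_OPEN_GUID = re.compile(r"\{[0-9a-f-]*$", re.IGNORECASE)  # '{' never closed on this line

# Constructed sample in the shape of the paste above. The 'examplenotify'
# subkey is NOT in the posted log; it is here only to exercise the Notify check.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-0
0C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} = My &Search Bar :
C:\Programme\MyWay\myBar\2.bin\MYBAR.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplenotify
= example.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
"""


def unwrap(text: str) -> List[str]:
    """Re-join lines the board wrapped; a structural (key) line is never appended."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        prev = out[-1] if out else ""
        structural = line.startswith(("[", "HKEY_", "HKLM\\", "HKCU\\"))
        if prev and not structural:
            if _OPEN_GUID.search(prev):                          # GUID split mid-way
                out[-1] = prev + line
                continue
            if prev.startswith("[") and not prev.endswith("]"):  # bracketed key wrapped
                out[-1] = prev + " " + line
                continue
            if prev.endswith((":", "=")) and not line.startswith("="):  # path pushed down
                out[-1] = prev + " " + line
                continue
        out.append(line)
    return out


def parse(text: str) -> List[Tuple[str, str]]:
    """Return (key, value_line) pairs; key is the innermost key/subkey seen so far."""
    entries: List[Tuple[str, str]] = []
    key = ""
    for line in unwrap(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith(("HKEY_", "HKLM\\", "HKCU\\")):
            key = line
        else:
            entries.append((key, line))
    return entries


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (reason, key, entry) for autostart entries that deserve a second look."""
    findings: List[Tuple[str, str, str]] = []
    for key, entry in parse(text):
        k, e = key.lower(), entry.lower()
        leaf = key.rsplit("\\", 1)[-1].lower()          # last path component of the key
        if any(ind in e for ind in THREAD_INDICATORS):
            findings.append(("known indicator from this thread", key, entry))
        if ("\\image file execution options\\" in k and e.startswith("debugger")
                and leaf != IFEO_PLACEHOLDER):
            findings.append(("IFEO Debugger set for " + leaf, key, entry))
        if "\\winlogon\\notify\\" in k and leaf not in DEFAULT_NOTIFY:
            findings.append(("non-default Winlogon Notify package", key, entry))
    return findings


if __name__ == "__main__":
    for reason, key, entry in triage(SAMPLE_LOG):
        print(f"[{reason}]\n  {key}\n  {entry}")
```

On the sample this reports exactly two entries, the MyWay toolbar DLL and the constructed Notify package, and stays silent on the default IFEO placeholder and the nine stock Notify DLLs. The unwrap heuristics cover only the wraps visible in the paste that can be recovered from the line shape; a subkey broken mid-word without a trailing colon, equals sign or open brace (as with several Explorer Bars and Extensions lines above) still has to be joined by hand.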