Winfixer 2005, log HijackThis

#1 Logfile of HijackThis v1.99.1
Scan saved at 21:09:16, on 12.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Prime95\prime95.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\NetPumper\NetPumperIEProxy.exe
C:\Programme\BearShare\BearShare.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Valve\Steam\Steam.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Program Files\mIRC\mirc.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\iTunes\iTunes.exe
C:\Programme\MSN Messenger\msnmsgr.exe
C:\Dokumente und Einstellungen\Yves Althaus\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tele2.ch/startpage/adsl/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\SERVIC~1\binacc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NetPumper] "C:\Programme\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BearShare] "C:\Programme\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [second] C:\Downloads\l2mfix\second.bat
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programme\Messenger Plus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programme\eMule0_44b\emule.exe -AutoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Programme\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Image Zone Schnellstart.lnk = C:\Programme\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download with NetPumper - C:\Programme\NetPumper\AddUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: Contains -
O16 - DPF: DownloadInformation -
O16 - DPF: InstalledVersion -
O16 - DPF: {14b87622-7e19-4ea8-93b3-97215f77a6bc} (MessengerStatsClient Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/099a225952c28f9df515/netzip/RdxIE601_de.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: binacc - C:\WINDOWS\SERVIC~1\binacc.dll
O20 - Winlogon Notify: binw - C:\WINDOWS\java\trustlib\binw.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Programme\Prime95\prime95.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

#2 Hallo@yvesalthaus

arbeite bitte alle zwei Durchgaenge ab und poste die 2 Logs hier ins Forum
http://virus-protect.org/L2mfix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Öffne Notepad (editor)Start/Ausführen den Befehl notepad eingeben,bestätigen,dann erscheint ein notepad editor.
Oder unter Start/Programme/Zubehör/Editor

2. kopiere den Code rein:


echo ** This batch was originally written by OSC **
cd C:\WINDOWS\java\trustlib\
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:h >> c:\contents.txt echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:s >> C:\contents.txt
attrib /d /s -s -r -h -a
start notepad c:\contents.txt
exit


3. Speichere die Datei als find.bat auf dem Desktop
4. Doppel klick auf diese Datei findtheother.bat ((abkopieren und posten)

-----------------------------------------------------------------------

Öffne Notepad (editor)Start/Ausführen den Befehl notepad eingeben,bestätigen,dann erscheint ein notepad editor.
Oder unter Start/Programme/Zubehör/Editor

2. kopiere den Code rein:

echo ** This batch was originally written by OSC **
cd C:\WINDOWS\java\
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:h >> c:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:s >> C:\contents.txt
attrib /d /s -s -r -h -a
start notepad c:\contents.txt
exit


3. Speichere die Datei als findtheother.bat auf dem Desktop
4. Doppel klick auf diese Datei findtheother.bat ((abkopieren und posten)

______________________________________________________________________________________
__________
MfG Sabina

rund um die PC-Sicherheit

#4 L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\binacc]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\SERVIC~1\\binacc.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\binw]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\java\\trustlib\\binw.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Jeder
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITŽT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITŽT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschaften f�r Multimediadatei"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-Scannerverwaltung"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS-Sicherheit"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE-Eigenschaftenseite f�r Dokumente"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shellerweiterungen f�r Freigaben"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung f�r Grafikkarten"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung f�r Bildschirme"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="CPL-Erweiterung f�r Anzeigeverschiebung"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS-Sicherheit"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Kompatibilit„tsseite"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell-Datenauszughandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Erweiterung f�r Datentr„gerkopien"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shellerweiterungen f�r Microsoft Windows-Netzwerkobjekte"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-Monitorverwaltung"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-Druckerverwaltung"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shellerweiterungen f�r die Dateikomprimierung"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shellerweiterung f�r Webdrucker"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Kontextmen� f�r die Verschl�sselung"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Aktenkoffer"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Erweiterung f�r HyperTerminal-Icons"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Schriftarten"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-Profil"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Druckersicherheit"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shellerweiterungen f�r Freigaben"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-PKO-Erweiterung"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Krypto-Sign-Erweiterung"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netzwerkverbindungen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netzwerkverbindungen"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanner und Kameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanner und Kameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanner und Kameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanner und Kameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanner und Kameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellerweiterungen f�r Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Datenverkn�pfung"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplante Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskleiste und Startmen�"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Suchen"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Hilfe und Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Ausf�hren..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-Mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Schriftarten"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Verwaltung"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adresse"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Syntaxanalyse der Adressleiste"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft URL-Verlauf-Dienst"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Verlauf"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Sucheingriff"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-Begr�áungsbildschirm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX-Cacheordner"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ Dateiminiaturansicht-Extrahierungsprogramm"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Zusammenfassungs-Miniaturansichthandler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-Extrahierungsprogramm"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Webpublishing-Assistent"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Bestellung von Abz�gen �ber das Internet"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shellobjekt des Webpublishing-Assistenten"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Passport-Assistent"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Benutzerkonten"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channeldatei"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channelverkn�pfung"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channelhandlerobjekt"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Ordner 'Offlinedateien'"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Nach Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{57C51AF9-DEF7-11D3-A801-00C04F163490}"="Ghost Shell Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{A5110426-177D-4e08-AB3F-785F10B4439C}"="Eigene Telefone"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 130C-10DF

Verzeichnis von C:\WINDOWS\System32

26.08.2005 06:55 26'112 awvvs.dll
12.08.2004 17:39 32 {082EA48B-20C0-40E0-8D91-54CA1A3F683F}.dat
12.08.2004 17:39 32 {B2DCD59F-2652-4E2F-AD32-37E286AE7CF0}.dat
12.08.2004 17:38 32 {A2E7FC8F-3F64-429F-97FA-42BB52E99196}.dat
12.08.2004 17:36 32 {D3817918-299A-494D-9DC9-1B5DBBB33DDB}.dat
12.08.2004 17:36 32 {CCF85063-319B-4F8C-8A30-BC37E5816A81}.dat
12.08.2004 17:36 32 {3780A806-87C8-4BE3-9C84-C3AB8B1CC00C}.dat
12.08.2004 17:35 32 {5C1971DE-E120-4C45-AD5A-600F2F201DBE}.dat
11.01.2003 00:53 <DIR> Microsoft
11.01.2003 00:31 <DIR> dllcache
8 Datei(en) 26'336 Bytes
2 Verzeichnis(se), 5'017'894'912 Bytes frei


und

C:\
Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1988 'explorer.exe'
Killing PID 1988 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 316 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed


Zipping up files for submission:
adding: mfc70.dll (deflated 51%)
adding: mfc70u.dll (deflated 51%)
adding: clear.reg (deflated 2%)
adding: desktop.ini (stored 0%)
adding: contents.txt (deflated 67%)
adding: lo2.txt (deflated 54%)
adding: test2.txt (stored 0%)
adding: test3.txt (stored 0%)
adding: test5.txt (stored 0%)
adding: test.txt (stored 0%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Jeder
(ID-NI) ALLOW Read VORDEFINIERT\Benutzer
(ID-IO) ALLOW Read VORDEFINIERT\Benutzer
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access NT-AUTORITŽT\SYSTEM
(ID-IO) ALLOW Full access NT-AUTORITŽT\SYSTEM
(ID-IO) ALLOW Full access ERSTELLER-BESITZER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\binacc]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\SERVIC~1\\binacc.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\binw]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\java\\trustlib\\binw.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************


hier noch der 2. hijack log

Logfile of HijackThis v1.99.1
Scan saved at 15:51:02, on 13.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Prime95\prime95.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Yves Althaus\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tele2.ch/startpage/adsl/de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://GLOBAL.ACER.COM/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\SERVIC~1\binacc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NetPumper] "C:\Programme\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BearShare] "C:\Programme\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programme\Messenger Plus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programme\eMule0_44b\emule.exe -AutoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Programme\Valve\Steam\\Steam.exe -silent
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Image Zone Schnellstart.lnk = C:\Programme\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download with NetPumper - C:\Programme\NetPumper\AddUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: Contains -
O16 - DPF: DownloadInformation -
O16 - DPF: InstalledVersion -
O16 - DPF: {14b87622-7e19-4ea8-93b3-97215f77a6bc} (MessengerStatsClient Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/099a225952c28f9df515/netzip/RdxIE601_de.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: binacc - C:\WINDOWS\SERVIC~1\binacc.dll
O20 - Winlogon Notify: binw - C:\WINDOWS\java\trustlib\binw.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect-Dienst (navapsvc) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programme\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Programme\Prime95\prime95.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\GEMEIN~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\WRSSSDK.exe

#5

Zitat

Sabina postete
Öffne Notepad (editor)Start/Ausführen den Befehl notepad eingeben,bestätigen,dann erscheint ein notepad editor.
Oder unter Start/Programme/Zubehör/Editor

2. kopiere den Code rein:


echo ** This batch was originally written by OSC **
cd C:\WINDOWS\java\trustlib\
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:h >> c:\contents.txt echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:s >> C:\contents.txt
attrib /d /s -s -r -h -a
start notepad c:\contents.txt
exit


3. Speichere die Datei als find.bat auf dem Desktop
4. Doppel klick auf diese Datei findtheother.bat ((abkopieren und posten)

-----------------------------------------------------------------------

Öffne Notepad (editor)Start/Ausführen den Befehl notepad eingeben,bestätigen,dann erscheint ein notepad editor.
Oder unter Start/Programme/Zubehör/Editor

2. kopiere den Code rein:

echo ** This batch was originally written by OSC **
cd C:\WINDOWS\java\
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:h >> c:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:s >> C:\contents.txt
attrib /d /s -s -r -h -a
start notepad c:\contents.txt
exit


3. Speichere die Datei als findtheother.bat auf dem Desktop
4. Doppel klick auf diese Datei findtheother.bat ((abkopieren und posten)

______________________________________________________________________________________

__________
MfG Sabina

rund um die PC-Sicherheit

#6 C:\WINDOWS\SERVIC~1\binacc.dll ???

Start-->Ausfuehren--> regedit

schreibe mir den vollstaendigen pfad bitte:

C:\\WINDOWS\SERVIC~1\binacc.dll"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\binacc]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\SERVIC~1\\binacc.dll"

--------------------------------------------------------------------------------------


suche (in der mitte ungefaehr VundoFix.exe und lade
http://www.geekstogo.com/forum/index.php?showtopic=61817

Zitat

Please download VundoFix.exe to your desktop.

Lade und auf dem Desktop entpacken
* boote in den abgesicherten Modus (F8 druecken, wenn er PC hochfaehrt
* Double-click VundoFix.exe
* Klicke KillVundo.bat
* nun wird folgendes angezeigt:





-kopiere rein:

C:\WINDOWS\java\trustlib\binw.dll


-druecke Enter, und dann die F6 Taste, dann wieder Enter

* dann wird sich HijackThis oeffnen:
* In HiJackThis, ein Haekchen vor die folgenden Eintraege setzen + click FIX CHECKED:

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\SERVIC~1\binacc.dll
O16 - DPF: Contains -
O16 - DPF: DownloadInformation -
O16 - DPF: InstalledVersion -
O16 - DPF: {14b87622-7e19-4ea8-93b3-97215f77a6bc} (MessengerStatsClient Class) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
O16 - DPF: {30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2} -
O20 - Winlogon Notify: binacc - C:\WINDOWS\SERVIC~1\binacc.dll
O20 - Winlogon Notify: binw - C:\WINDOWS\java\trustlib\binw.dll

* danach starte den PC neu
* es wird ein "Blue Screen of Death" sein, das ist normal ......

-----------------------------------------------------------------------------------------------
oben im Browser: Datei -- Seite speichern unter.. -- wähle "Desktop" -- speichern --> dann erscheint eine vundo.reg auf dem Desktop
http://virus-protect.org/reg/vundo.reg

Computer in den abgesicherten Modus neustarten (F8 beim Starten drücken). Die Datei "vundo.reg" auf dem Desktop doppelklicken und bestaetigen, dass sie der Registry beigefuegt wird

Computer in den abgesicherten Modus neustarten (F8 beim Starten drücken). Die Datei "fixme.reg" auf dem Desktop doppelklicken

-------------------------------------------------------------------------------------------------------

installiere CleanUp!
CleanUp40.exe
http://www.zdnet.de/downloads/prg/i/9/de000NI9-wc.html

-Click "Options..."
-Custom CleanUp!

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

- Click OK
- Press the CleanUp!
- nicht neustarten

CWShredder
http://www.trendmicro.com/ftp/products/online-tools/cwshredder

scanne mit ewido und poste mir den scanreport
http://virus-protect.org/ewido.html
+
das neue Log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Hi,
wenn ich das hier alles so sehe wird mir ganz anders, also folgendes problem ist bei mir aufgetaucht ich hoffe bin hier nun richtig ... habe seit 2 tagen dieses progi WinFixer2005 auf meinem Desktop .. einen Pfad zur exe habe ich nicht gefunden bzw wird nicht angezeigt und immer wenn der PC neugestartet wird dann öffnet sich ein fenster wo draufsteht das das programm gedownloadet wird .. der timer läuft aber nichts passiert .. ich kann es auch nicht schliessen dann tauch in der taskleiste ein icon auf was aussieht wie ein kreis ... weiss und orange umrandet ich kann es nur durch " Task Beenden" wirklich schliessen ... und auch so kommen ständig fenster wo ich eine spyware downloaden soll ..

ich habe auch diesen hijackthis log gemacht und ich kopiere den einfach mal hier rein (dreisterweise) :

Logfile of HijackThis v1.99.1
Scan saved at 16:33:18, on 14.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Programme\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Programme\ICQLite\ICQLite.exe
D:\Program Files\webHancer\Programs\whSurvey.exe
D:\Programme\QuickTime\qttask.exe
D:\Programme\0190_und_0900 Warner\w0svc.exe
D:\PROGRA~1\Save\Save.exe
D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
D:\Programme\Ahead\InCD\InCD.exe
D:\Programme\Real\RealPlayer\RealPlay.exe
D:\Programme\Virenschutz\AVKService.exe
D:\Programme\Virenschutz\AVKWCtl.exe
D:\Program Files\webHancer\Programs\whAgent.exe
D:\Programme\AVPersonal\AVGNT.EXE
D:\Programme\AVPersonal\AVWUPSRV.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
D:\WINDOWS\wxxrquu.exe
D:\Programme\Winamp\winampa.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\programme\aim95\aim.exe
D:\Programme\AOL 9.0a\aoltray.exe
D:\DOKUME~1\Ich2\LOKALE~1\Temp\bwgo0000c090.exe
D:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
D:\Programme\HP DeskJet 610C Series\ereg\Remind32.exe
D:\Programme\AOL 9.0a\waol.exe
D:\Programme\AOL 9.0a\shellmon.exe
D:\Programme\Gemeinsame Dateien\Aol\aoltpspd.exe
D:\Programme\ISTsvc\istsvc.exe
D:\Programme\WinRAR\WinRAR.exe
D:\DOKUME~1\Ich2\LOKALE~1\Temp\Rar$EX09.625\HijackThis.exe
D:\Programme\BullsEye Network\bin\bargains.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.aol.de
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - D:\WINDOWS\systb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Programme\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - D:\WINDOWS\wsem303.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\programme\google\googletoolbar1.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - D:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - D:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Programme\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - D:\Programme\YourSiteBar\ysb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [WebRebates0] "D:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "D:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WhenUSave] D:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] D:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LogitechGalleryRepair] D:\Programme\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] D:\Programme\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [webHancer Agent] "D:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [AVGCtrl] "D:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AOLDialer] D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [wOaBEdJ3] D:\WINDOWS\wxxrquu.exe
O4 - HKLM\..\Run: [BullsEye Network] D:\Programme\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [NI.UWFX5U] "D:\WINDOWS\Downloaded Program Files\UWFX5UNetInstaller.exe"
O4 - HKLM\..\Run: [IST Service] D:\Programme\ISTsvc\
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] D:\programme\aim95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] D:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Reminder-hpc41003.lnk = D:\Programme\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = D:\Programme\AOL 9.0a\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Kalendar Checker 4.0 SE.lnk = D:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://D:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://D:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://D:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Web Rebates - file://D:\Programme\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\programme\aim95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {54B21599-6962-4DB7-B9EB-343C25A403F8} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {54B21599-6962-4DB7-B9EB-343C25A403F8} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .spop: D:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://gn.one2bill.de/soft/ieloader.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game17.zylomgames.com/activex/zylomgamesplayer.cab
O16 - DPF: {DA511858-B44C-439E-A0EA-704ED20035E7} (EphoxEditLive4.EditLive) - http://www.beepworld.de/hp/activexeditor/editlive4.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22C325C3-389F-44E2-BA63-E718CF16BEBC}: NameServer = 205.188.146.145
O23 - Service: 0190/0900 Warner Überwachungsdienst (0190_0900_Warner_MonitorService) - Mirko Böer - D:\Programme\0190_und_0900 Warner\w0svc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: AVK Service (AVKService) - Unknown owner - D:\Programme\Virenschutz\AVKService.exe
O23 - Service: G DATA Virenschutz Wächter (AVKWCtl) - Unknown owner - D:\Programme\Virenschutz\AVKWCtl.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\DOKUME~1\ICH2\LOKALE~1\TEMP\_VWUPSRV.EXE


ja alles chinesisch für mich gebe ich ehrlich zu .. aber wäre dankbar wenn ich das problem irgendwie gelöst kriege danke

Zim-Zum

#8 Hallo@Zim-Zum

ich gebe dir weitere Anweisungen fuer die Reinigung, aber erst heute Abend, mittlerweile mache folgendes:

Gehe in die Registry
start-->Ausfuehren--> regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow<--loeschen

•LSPfix.exe
http://www.spychecker.com/program/lspfix.html

hake an: "I know what Im doing"-->Remove
und loesche die whiehlpr.dll
(eventuell musst du die dll von links nach rechts bringen)

---------------------------------------------

#öffne das HijackThis-->> Button "scan" -->> Häkchen setzen -->> Button "Fix checked" -->> PC neustarten

R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - D:\WINDOWS\systb.dll (file missing)

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - D:\WINDOWS\wsem303.dll (file missing)

O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - D:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - D:\WINDOWS\System32\msbe.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - D:\Programme\YourSiteBar\ysb.dll
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [WebRebates0] "D:\Programme\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "D:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [WhenUSave] D:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [webHancer Agent] "D:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [wOaBEdJ3] D:\WINDOWS\wxxrquu.exe
O4 - HKLM\..\Run: [BullsEye Network] D:\Programme\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NI.UWFX5U] "D:\WINDOWS\Downloaded Program Files\UWFX5UNetInstaller.exe"
O4 - HKLM\..\Run: [IST Service] D:\Programme\ISTsvc\
O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://gn.one2bill.de/soft/ieloader.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game17.zylomgames.com/activex/zylomgamesplayer.cab

PC neustarten

deinstalliere
WebHancer
BullsEye Network
WhenUSave
WebRebates
YourSiteBar
ISTsvc

loeschen:
D:\WINDOWS\Downloaded Program Files\UWFX5UNetInstaller.exe
D:\DOKUME~1\Ich2\LOKALE~1\Temp\bwgo0000c090.exe

unten findest du das Removaltool fuer:ISTsvc (laden + scannen)
http://virus-protect.org/spyware2.html#Trojan-Downloader.Win32.IstBar

CCleaner--> loesche alle *temp-Datein--> hake alles an
http://virus-protect.org/temp.html

Ad-aware SE Personal
http://virus-protect.org/antispywaretools.html
Laden-->Konfigurieren
http://virus-protect.org/adaware.html
waehrend des Scanvorganges müssen ALLE sonstige
Anwendungen beendet werden und alle Browserfenster müssen
geschlossen sein!
scannen-->PC neustarten--> noch mal scannen--> poste das Log vom Scann

scanne mit ewido und poste mir den scanreport
http://virus-protect.org/ewido.html
__________
MfG Sabina

rund um die PC-Sicherheit

#9 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow<--loeschen

^^ habe ich nicht gefunden

hake an: "I know what Im doing"-->Remove
und loesche die whiehlpr.dll
(eventuell musst du die dll von links nach rechts bringen)

sollte es mir sorgen machen wenn die nicht dabei steht? ist nur: mswsock.dll , winrnr.dll , webhdll.dll , rsvpsp.dll

ok .. danke erstmal .. für den anfang .. dann mache ich das hijackthis - dings

#10 webhdll.dll <--die loeschen, bitte (keine andere)
__________
MfG Sabina

rund um die PC-Sicherheit

#11 hier der ad aware scan-log:

Ad-Aware SE Build 1.06r1
Logfile Created ononnerstag, 15. September 2005 15:12:33
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R66 14.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):2 total references
Alexa(TAC index:5):3 total references
BargainBuddy(TAC index:8):25 total references
DyFuCA(TAC index:3):18 total references
ImIServer IEPlugin(TAC index:5):28 total references
istbar(TAC index:7):7 total references
MicroGaming(TAC index:4):1 total references
MRU List(TAC index:0):12 total references
Possible Browser Hijack attempt(TAC index:3):2 total references
Powerscan(TAC index:5):1 total references
Roings(TAC index:8):3 total references
SahAgent(TAC index:9):4 total references
SideFind(TAC index:5):2 total references
TopMoxie(TAC index:3):9 total references
Tracking Cookie(TAC index:3):2 total references
WebHancer(TAC index:9):15 total references
WhenU(TAC index:3):45 total references
Windows(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R66 14.09.2005
Internal build : 77
File location : D:\Programme\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 522778 Bytes
Total size : 1570907 Bytes
Signature data size : 1537712 Bytes
Reference data size : 32683 Bytes
Signatures total : 43686
CSI Fingerprints total : 1045
CSI data size : 37239 Bytes
Target categories : 15
Target families : 746


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:65 %
Total physical memory:523760 kb
Available physical memory:338204 kb
Total page file size:1280524 kb
Available on page file:1116380 kb
Total virtual memory:2097024 kb
Available virtual memory:2049356 kb
OS:Microsoft Windows XP Professional Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


15.09.2005 15:12:33 - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 584
ThreadCreationTime : 15.09.2005 13:11:29
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\D:\WINDOWS\system32\csrss.exe
Command Line : D:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 660
ThreadCreationTime : 15.09.2005 13:11:32
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\D:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 684
ThreadCreationTime : 15.09.2005 13:11:34
BasePriority : High


#:4 [services.exe]
ModuleName : D:\WINDOWS\system32\services.exe
Command Line : D:\WINDOWS\system32\services.exe
ProcessID : 728
ThreadCreationTime : 15.09.2005 13:11:35
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Anwendung für Dienste und Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : D:\WINDOWS\system32\lsass.exe
Command Line : D:\WINDOWS\system32\lsass.exe
ProcessID : 740
ThreadCreationTime : 15.09.2005 13:11:35
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : D:\WINDOWS\system32\svchost.exe
Command Line : D:\WINDOWS\system32\svchost -k rpcss
ProcessID : 916
ThreadCreationTime : 15.09.2005 13:11:35
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : D:\WINDOWS\System32\svchost.exe
Command Line : D:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 1020
ThreadCreationTime : 15.09.2005 13:11:35
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [incdsrv.exe]
ModuleName : D:\Programme\Ahead\InCD\InCDsrv.exe
Command Line : D:\Programme\Ahead\InCD\InCDsrv.exe
ProcessID : 1044
ThreadCreationTime : 15.09.2005 13:11:36
BasePriority : Normal
FileVersion : 4, 2, 4, 2
ProductVersion : 4, 2, 4, 2
ProductName : Ahead Software AG incdsrv
CompanyName : Ahead Software AG
FileDescription : incdsrv
InternalName : incdsrv
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : incdsrv.exe

#:9 [svchost.exe]
ModuleName : D:\WINDOWS\System32\svchost.exe
Command Line : D:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 1288
ThreadCreationTime : 15.09.2005 13:11:37
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : D:\WINDOWS\System32\svchost.exe
Command Line : D:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 1320
ThreadCreationTime : 15.09.2005 13:11:37
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [explorer.exe]
ModuleName : D:\WINDOWS\Explorer.EXE
Command Line : D:\WINDOWS\Explorer.EXE
ProcessID : 1452
ThreadCreationTime : 15.09.2005 13:11:37
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : EXPLORER.EXE

#:12 [spoolsv.exe]
ModuleName : D:\WINDOWS\system32\spoolsv.exe
Command Line : D:\WINDOWS\system32\spoolsv.exe
ProcessID : 1528
ThreadCreationTime : 15.09.2005 13:11:38
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [soundman.exe]
ModuleName : D:\WINDOWS\SOUNDMAN.EXE
Command Line : "D:\WINDOWS\SOUNDMAN.EXE"
ProcessID : 1704
ThreadCreationTime : 15.09.2005 13:11:40
BasePriority : Normal
FileVersion : 5.1.0.21
ProductVersion : 5.1.0.21
ProductName : Realtek Sound Manager
CompanyName : Realtek Semiconductor Corp.
FileDescription : Realtek Sound Manager
InternalName : ALSMTray
LegalCopyright : Copyright (c) 2001-2003 Realtek Semiconductor Corp.
OriginalFilename : ALSMTray.exe
Comments : Realtek AC97 Audio Sound Manager

#:14 [icqlite.exe]
ModuleName : D:\Programme\ICQLite\ICQLite.exe
Command Line : "D:\Programme\ICQLite\ICQLite.exe" -minimize
ProcessID : 1756
ThreadCreationTime : 15.09.2005 13:11:42
BasePriority : Normal
FileVersion : 20, 34, 2321, 0
ProductVersion : 20, 34, 2321, 0
ProductName : ICQLite
CompanyName : ICQ Ltd.
FileDescription : ICQLite
InternalName : ICQ Lite
LegalCopyright : Copyright (C) 2002
OriginalFilename : ICQLite.exe

#:15 [qttask.exe]
ModuleName : D:\Programme\QuickTime\qttask.exe
Command Line : "D:\Programme\QuickTime\qttask.exe" -atboottime
ProcessID : 1764
ThreadCreationTime : 15.09.2005 13:11:43
BasePriority : Normal
FileVersion : 6.5
ProductVersion : QuickTime 6.5
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:16 [w0svc.exe]
ModuleName : D:\Programme\0190_und_0900 Warner\w0svc.exe
Command Line : "D:\Programme\0190_und_0900 Warner\w0svc.exe"
ProcessID : 1876
ThreadCreationTime : 15.09.2005 13:11:44
BasePriority : Normal
FileVersion : 4.0.0.22
ProductVersion : 4.0
ProductName : 0190/0900 Warner
CompanyName : Mirko Böer
FileDescription : 0190/0900 Warner Service
InternalName : w0svc
LegalCopyright : Copyright © 2003-2004 Mirko Böer
OriginalFilename : w0svc.exe

#:17 [aolacsd.exe]
ModuleName : D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
Command Line : "D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe"
ProcessID : 1892
ThreadCreationTime : 15.09.2005 13:11:44
BasePriority : Normal


#:18 [incd.exe]
ModuleName : D:\Programme\Ahead\InCD\InCD.exe
Command Line : "D:\Programme\Ahead\InCD\InCD.exe"
ProcessID : 1908
ThreadCreationTime : 15.09.2005 13:11:44
BasePriority : Normal
FileVersion : 4, 2, 4, 2
ProductVersion : 4, 2, 4, 2
ProductName : Ahead Software AG InCD
CompanyName : Ahead Software AG
FileDescription : InCD
InternalName : InCD
LegalCopyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Ahead Software AG
OriginalFilename : InCD.exe

#:19 [realplay.exe]
ModuleName : D:\Programme\Real\RealPlayer\RealPlay.exe
Command Line : "D:\Programme\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
ProcessID : 1936
ThreadCreationTime : 15.09.2005 13:11:45
BasePriority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE

#:20 [avkservice.exe]
ModuleName : D:\Programme\Virenschutz\AVKService.exe
Command Line : D:\Programme\Virenschutz\AVKService.exe
ProcessID : 1972
ThreadCreationTime : 15.09.2005 13:11:47
BasePriority : Normal
FileVersion : 1, 0, 0, 3
ProductVersion : 11, 0, 0, 0
ProductName : AVKService Module
FileDescription : AVKService Module
InternalName : AVKService
LegalCopyright : Copyright G DATA Software AG 2001-2003
OriginalFilename : AVKService.EXE

#:21 [avgnt.exe]
ModuleName : D:\Programme\AVPersonal\AVGNT.EXE
Command Line : "D:\Programme\AVPersonal\AVGNT.EXE" /min
ProcessID : 1980
ThreadCreationTime : 15.09.2005 13:11:47
BasePriority : Normal


#:22 [avkwctl.exe]
ModuleName : D:\Programme\Virenschutz\AVKWCtl.exe
Command Line : D:\Programme\Virenschutz\AVKWCtl.exe
ProcessID : 1996
ThreadCreationTime : 15.09.2005 13:11:48
BasePriority : Normal
FileVersion : 16, 0, 0, 8
ProductVersion : 12, 0, 0, 0
ProductName : AVK
FileDescription : AVKWCtl Monitor Service
InternalName : AVKWCtl
OriginalFilename : AVKWCtl.EXE

#:23 [aoldial.exe]
ModuleName : D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
Command Line : "D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe"
ProcessID : 2032
ThreadCreationTime : 15.09.2005 13:11:49
BasePriority : Normal
FileVersion : 2.6.6.3.DE.55
ProductVersion : 2.6.6.3.DE.55
ProductName : AOL Connectivity Service
CompanyName : America Online, Inc
FileDescription : AOL Connectivity Service Dialer
LegalCopyright : Copyright © 2003 America Online, Inc.
OriginalFilename : AOLDial.exe

#:24 [avwupsrv.exe]
ModuleName : D:\Programme\AVPersonal\AVWUPSRV.EXE
Command Line : "D:\Programme\AVPersonal\AVWUPSRV.EXE"
ProcessID : 196
ThreadCreationTime : 15.09.2005 13:11:50
BasePriority : Normal


#:25 [winampa.exe]
ModuleName : D:\Programme\Winamp\winampa.exe
Command Line : "D:\Programme\Winamp\winampa.exe"
ProcessID : 200
ThreadCreationTime : 15.09.2005 13:11:50
BasePriority : Normal


#:26 [rundll32.exe]
ModuleName : D:\WINDOWS\System32\RUNDLL32.EXE
Command Line : "D:\WINDOWS\System32\RUNDLL32.EXE" D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
ProcessID : 208
ThreadCreationTime : 15.09.2005 13:11:50
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Betriebssystem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Eine DLL-Datei als Anwendung ausführen
InternalName : rundll
LegalCopyright : © Microsoft Corporation. Alle Rechte vorbehalten.
OriginalFilename : RUNDLL.EXE

#:27 [nvsvc32.exe]
ModuleName : D:\WINDOWS\System32\nvsvc32.exe
Command Line : D:\WINDOWS\System32\nvsvc32.exe
ProcessID : 240
ThreadCreationTime : 15.09.2005 13:11:50
BasePriority : Normal
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
ProductName : NVIDIA Driver Helper Service, Version 52.16
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
LegalCopyright : (C) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:28 [svchost.exe]
ModuleName : D:\WINDOWS\System32\svchost.exe
Command Line : D:\WINDOWS\System32\svchost.exe -k imgsvc
ProcessID : 300
ThreadCreationTime : 15.09.2005 13:11:50
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:29 [aim.exe]
ModuleName : D:\programme\aim95\aim.exe
Command Line : "D:\programme\aim95\aim.exe" -cnetwait.odl
ProcessID : 404
ThreadCreationTime : 15.09.2005 13:11:50
BasePriority : Normal
FileVersion : 5.1.3036
ProductVersion : 5.1.3036
ProductName : AOL Instant Messenger
CompanyName : America Online, Inc.
FileDescription : AOL Instant Messenger
InternalName : AIM
LegalCopyright : Copyright © 1996-2002 America Online, Inc.
OriginalFilename : AIM.EXE

#:30 [wdfmgr.exe]
ModuleName : D:\WINDOWS\System32\wdfmgr.exe
Command Line : D:\WINDOWS\System32\wdfmgr.exe
ProcessID : 444
ThreadCreationTime : 15.09.2005 13:11:51
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:31 [aoltray.exe]
ModuleName : D:\Programme\AOL 9.0a\aoltray.exe
Command Line : "D:\Programme\AOL 9.0a\aoltray.exe" -check
ProcessID : 792
ThreadCreationTime : 15.09.2005 13:11:54
BasePriority : Normal
FileVersion : 9.00.001
ProductVersion : 9.00.001
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : AOL Tray Icon
InternalName : AolTray
LegalCopyright : Copyright (C) America Online, Inc. 1999 - 2004

#:32 [calcheck.exe]
ModuleName : D:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
Command Line : "D:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe"
ProcessID : 1632
ThreadCreationTime : 15.09.2005 13:11:56
BasePriority : Normal
FileVersion : 4, 0, 0, 0
ProductVersion : 1, 0, 0, 1
ProductName : Calendar Checker Application
CompanyName : Ulead Systems, Inc.
FileDescription : Photo Express -- Calendar Checker
InternalName : CalCheck
LegalCopyright : Copyright (C) 1992-1999.Ulead Systems, Inc.
LegalTrademarks : Ulead Systems, MediaStudio, PhotoImpact and Photo Express are registered trademarks of Ulead Systems, Inc.
OriginalFilename : CalCheck.EXE

#:33 [remind32.exe]
ModuleName : D:\Programme\HP DeskJet 610C Series\ereg\Remind32.exe
Command Line : "D:\Programme\HP DeskJet 610C Series\ereg\Remind32.exe"
ProcessID : 1644
ThreadCreationTime : 15.09.2005 13:11:57
BasePriority : Normal


#:34 [bwgo000099ee.exe]
ModuleName : D:\DOKUME~1\Ich2\LOKALE~1\Temp\bwgo000099ee.exe
Command Line : "D:\DOKUME~1\Ich2\LOKALE~1\Temp\bwgo000099ee.exe" 476 1.1 "D:\Programme\Logitech\Desktop Messenger\8876480\enabled.txt" "" -restart
ProcessID : 1224
ThreadCreationTime : 15.09.2005 13:12:00
BasePriority : Normal


#:35 [wmiprvse.exe]
ModuleName : D:\WINDOWS\System32\wbem\wmiprvse.exe
Command Line : D:\WINDOWS\System32\wbem\wmiprvse.exe -Embedding
ProcessID : 2404
ThreadCreationTime : 15.09.2005 13:12:05
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:36 [ad-aware.exe]
ModuleName : D:\Programme\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "D:\Programme\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 2524
ThreadCreationTime : 15.09.2005 13:12:19
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : adp.urlcatcher

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : adp.urlcatcher.1

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8eee58d5-130e-4cbd-9c83-35a0564e5678}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6906a23-4717-4e1f-b6fd-f06ebed15678}

BargainBuddy Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516b2c3}

DyFuCA Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{0be10b0d-b4db-4693-9b1f-9aead54d17dc}

DyFuCA Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : dyfuca_bh.sinkobj.1

DyFuCA Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : dyfuca_bh.sinkobj

DyFuCA Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{cea206e8-8057-4a04-ace9-ff0d69a92297}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{f3155057-4c2c-4078-8576-50486693fd49}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.bottomframe

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.bottomframe.1

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.leftframe

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.leftframe.1

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.popupbrowser

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.popupbrowser.1

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.popupwindow

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.popupwindow.1

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3e589169-86ad-44fe-b426-f0bf105d5582}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{98b2ddba-6da2-4421-af2b-814e98f53649}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{e4458b4a-6149-4450-84f2-864adb7e8c52}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{57add57b-173e-418a-8f70-17e5c9f2bcc9}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wbho.band

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wbho.band.1

istbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429}

istbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0985c112-2562-46f2-8da6-92648ba4630f}

istbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{86227d9c-0efe-4f8a-aa55-30386a3f5686}

WhenU Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wusn.1

TopMoxie Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\internet explorer\menuext\web rebates

TopMoxie Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\internet explorer\menuext\web rebates
Value : Contexts

WhenU Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\whenu

MicroGaming Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\microgaming

TopMoxie Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\untopr1150

TopMoxie Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\untopr1150
Value : DisplayName

TopMoxie Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\untopr1150
Value : UninstallString

WebHancer Object Recognized!
Type : Regkey
Data :
TAC Rating : 9
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\webhancer

WebHancer Object Recognized!
Type : RegValue
Data :
TAC Rating : 9
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\webhancer
Value : BaseDir

WhenU Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : db_script_update

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : InstallDir

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : pats_url

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : pat_chunks_url

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : script_url

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : update_url

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : ver_url

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : InstallTime

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : Partner

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : ccode

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : PartnerDesc

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : FullDBTime

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : HeartbeatTime

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : extra_url

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : extraver_url

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : ziptomsa_url

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : UpdateTime

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : TotalPartner

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : PartnerB

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : brandskin_url

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : brandstrip_rs

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : brandstrip_url

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : himp_url

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : iptomsa_url

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : maxPopups_rs

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : timedDBUpdate_rs

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : uninstalltag_rs

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : db_stamp_rs

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : db_server_update

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : MSA

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : IPToMsaTime_rs

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : TotalPopup

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : Version

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : bstat_rs

WhenU Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\whenusave
Value : UrlChangeCount

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

istbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment : "{86227D9C-0EFE-4f8a-AA55-30386A3F5686}"
Rootkey : HKEY_USERS
Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\internet explorer\toolbar\webbrowser
Value : {86227D9C-0EFE-4f8a-AA55-30386A3F5686}

Roings Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment : "Date"
Rootkey : HKEY_USERS
Object : S-1-5-21-789336058-2077806209-1801674531-1003\software\intexp
Value : Date

Windows Object Recognized!
Type : RegData
Data : "%1" /s "%3"
TAC Rating : 3
Category : Vulnerability
Comment : Possible virus infection, SCR file extension compromised
Rootkey : HKEY_CLASSES_ROOT
Object : scrfile\shell\open\command
Value :
Data : "%1" /s "%3"

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 85
Objects found so far: 85


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab)

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt : http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt : http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}
Value : Installer
Possible Browser Hijack attempt : {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab)

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 87

MRU List Object Recognized!
Location: : D:\Dokumente und Einstellungen\Ich2\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\ntbackup\log files
Description : list of recent logfiles in microsoft backup


MRU List Object Recognized!
Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\smartftp\connection data
Description : list of recently accessed servers using smartftp


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-789336058-2077806209-1801674531-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : ich2@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:ich2@2o7.net/
Expires : 14.09.2010 14:40:02
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : ich2@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:ich2@mediaplex.com/
Expires : 22.06.2009 02:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 101



Deep scanning and examining files (C
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 101


Deep scanning and examining files (D
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

BargainBuddy Object Recognized!
Type : File
Data : backup-20050914-203239-219.dll
TAC Rating : 8
Category : Malware
Comment :
Object : D:\Dokumente und Einstellungen\Ich2\Eigene Dateien\download\HiJackthis\backups\
FileVersion : 8, 0, 3, 6
ProductVersion : 8, 0, 3, 6
ProductName : ADP Module
CompanyName : eXact Advertising
FileDescription : ADP Module
InternalName : apuc
LegalCopyright : Copyright © 2003-2005 eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : apuc.DLL


180Solutions Object Recognized!
Type : File
Data : sais.exe
TAC Rating : 6
Category : Data Miner
Comment :
Object : D:\Programme\180searchassistant\
FileVersion : 6, 9, 95, 0
ProductVersion : 6, 9, 95, 0
ProductName : Search Assistant
CompanyName : 180solutions, Inc.
FileDescription : Search Assistant
LegalCopyright : Copyright © 2005, 180solutions Inc.


DyFuCA Object Recognized!
Type : File
Data : optimize.VIR
TAC Rating : 3
Category : Malware
Comment :
Object : D:\Programme\AVPersonal\INFECTED\



WhenU Object Recognized!
Type : File
Data : Save.exe
TAC Rating : 3
Category : Misc
Comment :
Object : D:\Programme\Save\
FileVersion : 2, 6, 4, 7
ProductVersion : 2, 6, 4, 7
ProductName : Save!
CompanyName : WhenU.com, Inc.
FileDescription : Save!
InternalName : WhenUSave
LegalCopyright : Copyright 2001
OriginalFilename : Save.exe


WhenU Object Recognized!
Type : File
Data : SaveUninst.exe
TAC Rating : 3
Category : Misc
Comment :
Object : D:\Programme\Save\
FileVersion : 2, 6, 4, 7
ProductVersion : 2, 6, 4, 7
ProductName : Save! Uninstall
CompanyName : WhenU.com, Inc.
FileDescription : Save! Uninstall
InternalName : SaveUninst
LegalCopyright : Copyright 2001
OriginalFilename : SaveUninst.exe


SideFind Object Recognized!
Type : File
Data : sfbho.dll
TAC Rating : 5
Category : Malware
Comment :
Object : D:\Programme\SideFind\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : BrowserHelperObject Module
FileDescription : BrowserHelperObject Module
InternalName : BrowserHelperObject
LegalCopyright : Copyright 2003
OriginalFilename : BrowserHelperObject.DLL


TopMoxie Object Recognized!
Type : File
Data : disp1150.exe
TAC Rating : 3
Category : Data Miner
Comment :
Object : D:\Programme\Web_Rebates\



TopMoxie Object Recognized!
Type : File
Data : WebRebates1.exe
TAC Rating : 3
Category : Data Miner
Comment :
Object : D:\Programme\Web_Rebates\



WebHancer Object Recognized!
Type : File
Data : A0082518.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Customer Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Customer Companion
InternalName : whAgent
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : whAgent.exe


WebHancer Object Recognized!
Type : File
Data : A0082519.dll
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Customer Companion
CompanyName : webHancer Corporation
FileDescription : webHancer IE Helper Module
InternalName : WhIeHelper
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : whiehlpr.dll


WebHancer Object Recognized!
Type : File
Data : A0082520.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Survey Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Survey Companion
InternalName : whSurvey
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : whSurvey.exe


WebHancer Object Recognized!
Type : File
Data : A0082521.dll
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Customer Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Winsock2 SPI
InternalName : webhdll
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : webhdll.dll


WebHancer Object Recognized!
Type : File
Data : A0082522.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Customer Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Installer
InternalName : whInstaller
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : whInstaller.exe


WebHancer Object Recognized!
Type : File
Data : A0082531.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Customer Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Customer Companion
InternalName : whAgent
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : whAgent.exe


WebHancer Object Recognized!
Type : File
Data : A0082532.dll
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Customer Companion
CompanyName : webHancer Corporation
FileDescription : webHancer IE Helper Module
InternalName : WhIeHelper
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : whiehlpr.dll


WebHancer Object Recognized!
Type : File
Data : A0082533.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Survey Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Survey Companion
InternalName : whSurvey
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : whSurvey.exe


WebHancer Object Recognized!
Type : File
Data : A0082534.dll
TAC Rating : 9
Category : Data Miner
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP34\
FileVersion : 3.7.0
ProductVersion : 3.7.0
ProductName : webHancer Customer Companion
CompanyName : webHancer Corporation
FileDescription : webHancer Winsock2 SPI
InternalName : webhdll
LegalCopyright : Copyright © 1999-2005 webHancer Corporation
OriginalFilename : webhdll.dll


BargainBuddy Object Recognized!
Type : File
Data : A0088952.exe
TAC Rating : 8
Category : Malware
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP35\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : Upload Module
CompanyName : eXact Advertising
FileDescription : Upload Module
InternalName : Upload Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exul.exe


BargainBuddy Object Recognized!
Type : File
Data : A0089019.exe
TAC Rating : 8
Category : Malware
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP35\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : Upload Module
CompanyName : eXact Advertising
FileDescription : Upload Module
InternalName : Upload Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exul.exe


BargainBuddy Object Recognized!
Type : File
Data : A0091160.exe
TAC Rating : 8
Category : Malware
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP35\
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : Upload Module
CompanyName : eXact Advertising
FileDescription : Upload Module
InternalName : Upload Utility
LegalCopyright : Copyright © 2003, 2004. eXact Advertising, LLC. All Rights Reserved.
OriginalFilename : exul.exe


BargainBuddy Object Recognized!
Type : File
Data : A0091296.exe
TAC Rating : 8
Category : Malware
Comment :
Object : D:\System Volume Information\_restore{864F5BDD-374B-4107-88CA-A8213FD1D97A}\RP35\
File

#12 Hallo@Zim-Zum

nun poste bitte den Rest vom Log /Adaware) , das Scanlog vom Ewido und das neue Log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#13 oh .. em huch ja das speichert sich nicht irgendwo oder? ... naja hier ist erst einmal der von ewido ...


ewido security suite - Scan Report
---------------------------------------------------------

+ Erstellt am: 15:47:56, 15.09.2005
+ Report-Checksumme: 3D91BD45

+ Scanergebnis:

HKLM\SOFTWARE\Classes\ADP.UrlCatcher -> Spyware.BargainBuddy : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher\CLSID -> Spyware.BargainBuddy : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} -> Spyware.YourSiteBar : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\CLSID\{CEA206E8-8057-4A04-ACE9-FF0D69A92297} -> Spyware.SafeSurfing : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj -> Spyware.MoneyTree : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj\CLSID -> Spyware.MoneyTree : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.SinkObj\CurVer -> Spyware.MoneyTree : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F} -> Spyware.ISTBar : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678} -> Spyware.BargainBuddy : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678} -> Spyware.BargainBuddy : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\TypeLib\{0BE10B0D-B4DB-4693-9B1F-9AEAD54D17DC} -> Spyware.SafeSurfing : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3} -> Spyware.NaviSearch : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429} -> Spyware.ISTBar : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Gesäubert mit Backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Gesäubert mit Backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Gesäubert mit Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Gesäubert mit Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Gesäubert mit Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\untopr1150 -> Spyware.WebRebates : Gesäubert mit Backup
HKLM\SOFTWARE\webHancer -> Spyware.Webhancer : Gesäubert mit Backup
HKLM\SOFTWARE\webHancer\CC -> Spyware.Webhancer : Gesäubert mit Backup
HKLM\SOFTWARE\WhenUSave -> Spyware.SaveNow : Gesäubert mit Backup
HKLM\SOFTWARE\WhenUSave\Partners -> Spyware.SaveNow : Gesäubert mit Backup
HKLM\SOFTWARE\WhenUSave\Partners\VIDG -> Spyware.SaveNow : Gesäubert mit Backup
HKU\S-1-5-21-789336058-2077806209-1801674531-1003\Software\intexp -> Spyware.IEPlugin : Gesäubert mit Backup
HKU\S-1-5-21-789336058-2077806209-1801674531-1003\Software\intexp\Config -> Spyware.IEPlugin : Gesäubert mit Backup
HKU\S-1-5-21-789336058-2077806209-1801674531-1003\Software\intexp\MyFileSystem2 -> Spyware.IEPlugin : Gesäubert mit Backup
HKU\S-1-5-21-789336058-2077806209-1801674531-1003\Software\Microsoft\Internet Explorer\MenuExt\Web Rebates -> Spyware.WebRebates : Gesäubert mit Backup
HKU\S-1-5-21-789336058-2077806209-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Gesäubert mit Backup
HKU\S-1-5-21-789336058-2077806209-1801674531-1003\Software\WhenU -> Spyware.SaveNow : Gesäubert mit Backup
D:\Dokumente und Einstellungen\Ich2\Cookies\ich2@2o7[2].txt -> Spyware.Cookie.2o7 : Gesäubert mit Backup
D:\Dokumente und Einstellungen\Ich2\Cookies\ich2@advertising[1].txt -> Spyware.Cookie.Advertising : Gesäubert mit Backup
D:\Dokumente und Einstellungen\Ich2\Cookies\ich2@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Gesäubert mit Backup
D:\Dokumente und Einstellungen\Ich2\Cookies\ich2@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Gesäubert mit Backup
D:\Dokumente und Einstellungen\Ich2\Cookies\ich2@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Gesäubert mit Backup
D:\Dokumente und Einstellungen\Ich2\Eigene Dateien\download\HiJackthis\backups\backup-20050914-203239-219.dll -> Spyware.BargainBuddy : Gesäubert mit Backup
D:\Dokumente und Einstellungen\Ich2\Eigene Dateien\download\HiJackthis\backups\backup-20050914-203240-940.dll -> Spyware.180Solutions : Gesäubert mit Backup
D:\Programme\180searchassistant\sais.exe -> Spyware.180Solutions : Gesäubert mit Backup
D:\Programme\AVPersonal\INFECTED\Dtpj.VIR -> Trojan.Small.cy : Gesäubert mit Backup
D:\Programme\AVPersonal\INFECTED\optimize.VIR -> TrojanDownloader.Dyfuca.ei : Gesäubert mit Backup
D:\Programme\AVPersonal\INFECTED\pxckdla.VIR -> TrojanDownloader.OneClickNetSearch.i : Gesäubert mit Backup
D:\Programme\GDivX Zenith Player\SaveInstWm.exe -> Adware.SaveNow : Gesäubert mit Backup
D:\Programme\Save\Save.exe -> Adware.SaveNow : Gesäubert mit Backup
D:\Programme\SideFind\sfbho.dll -> Spyware.SideFind : Gesäubert mit Backup
D:\Programme\Web_Rebates -> Spyware.WebRebates : Gesäubert mit Backup
D:\Programme\Web_Rebates\Ap1150 -> Spyware.WebRebates : Gesäubert mit Backup
D:\Programme\Web_Rebates\Da1150 -> Spyware.WebRebates : Gesäubert mit Backup
D:\Programme\Web_Rebates\Da1150\administrator -> Spyware.WebRebates : Gesäubert mit Backup
D:\Programme\Web_Rebates\Da1150\Ich2 -> Spyware.WebRebates : Gesäubert mit Backup
D:\Programme\Web_Rebates\disp1150.exe -> Spyware.WebRebates : Gesäubert mit Backup
D:\Programme\Web_Rebates\Sy1150 -> Spyware.WebRebates : Gesäubert mit Backup
D:\Programme\Web_Rebates\Sy1150\Html -> Spyware.WebRebates : Gesäubert mit Backup
D:\Programme\Web_Rebates\Sy1150\Images -> Spyware.WebRebates : Gesäubert mit Backup
D:\Programme\Web_Rebates\Sy1150\Sy1150 -> Spyware.WebRebates : Gesäubert mit Backup
D:\Programme\Web_Rebates\Sy1150\Tp1150 -> Spyware.WebRebates : Gesäubert mit Backup
D:\Programme\Web_Rebates\Sy1150\Tp1150\log.txt -> Spyware.WebRebates : Gesäubert mit Backup
D:\Programme\Web_Rebates\WebRebates1.exe -> Spyware.WebRebates : Gesäubert mit Backup
D:\WINDOWS\LastGood\webhdll.dll -> Spyware.WebHancer : Gesäubert mit Backup
D:\WINDOWS\LastGood\whInstaller.exe -> Spyware.WebHancer : Gesäubert mit Backup
D:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet : Gesäubert mit Backup
D:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Gesäubert mit Backup
D:\WINDOWS\pxckdlauninstall.exe -> Spyware.NoName : Gesäubert mit Backup
D:\WINDOWS\wxxrquu.exe -> TrojanDownloader.IstBar.ij : Gesäubert mit Backup


::Report Ende

#14 kopiere bitte alle 4 logs hier in deinen Thread
http://virus-protect.org/datfindbat.html

und das neue Log vom HijackThis bitte posten
__________
MfG Sabina

rund um die PC-Sicherheit

#15 Logfile of HijackThis v1.99.1
Scan saved at 16:05:03, on 15.09.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Programme\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Programme\ICQLite\ICQLite.exe
D:\Programme\QuickTime\qttask.exe
D:\Programme\0190_und_0900 Warner\w0svc.exe
D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
D:\Programme\Ahead\InCD\InCD.exe
D:\Programme\Real\RealPlayer\RealPlay.exe
D:\Programme\Virenschutz\AVKService.exe
D:\Programme\AVPersonal\AVGNT.EXE
D:\Programme\Virenschutz\AVKWCtl.exe
D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
D:\Programme\AVPersonal\AVWUPSRV.EXE
D:\Programme\Winamp\winampa.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\programme\aim95\aim.exe
D:\Programme\AOL 9.0a\aoltray.exe
D:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
D:\Programme\HP DeskJet 610C Series\ereg\Remind32.exe
D:\DOKUME~1\Ich2\LOKALE~1\Temp\bwgo000099ee.exe
D:\Programme\AOL 9.0a\waol.exe
D:\Programme\AOL 9.0a\shellmon.exe
D:\Programme\Gemeinsame Dateien\Aol\aoltpspd.exe
D:\Programme\ewido\security suite\ewidoguard.exe
D:\Programme\ewido\security suite\ewidoctrl.exe
D:\Programme\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
D:\Dokumente und Einstellungen\Ich2\Eigene Dateien\download\HiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.aol.de
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Programme\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Programme\ICQToolbar\toolbaru.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Programme\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] D:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LogitechGalleryRepair] D:\Programme\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] D:\Programme\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [AVGCtrl] "D:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AOLDialer] D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Programme\Winamp\winampa.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] D:\programme\aim95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] D:\Programme\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Reminder-hpc41003.lnk = D:\Programme\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 9.0 Tray-Symbol.lnk = D:\Programme\AOL 9.0a\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Ulead Kalendar Checker 4.0 SE.lnk = D:\Programme\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://D:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://D:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://D:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\programme\aim95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {54B21599-6962-4DB7-B9EB-343C25A403F8} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {54B21599-6962-4DB7-B9EB-343C25A403F8} - D:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O12 - Plugin for .spop: D:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_lyricsviewer.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.de/computercheckup/qdiagcc.cab
O16 - DPF: {53B8B406-42E4-4DD3-96E7-9DEC8CEB3DD8} (ICQVideoControl Class) - http://xtraz.icq.com/xtraz/activex/ICQVideoControl.cab
O16 - DPF: {DA511858-B44C-439E-A0EA-704ED20035E7} (EphoxEditLive4.EditLive) - http://www.beepworld.de/hp/activexeditor/editlive4.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22C325C3-389F-44E2-BA63-E718CF16BEBC}: NameServer = 205.188.146.145
O23 - Service: 0190/0900 Warner Überwachungsdienst (0190_0900_Warner_MonitorService) - Mirko Böer - D:\Programme\0190_und_0900 Warner\w0svc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - D:\Programme\Gemeinsame Dateien\AOL\ACS\AOLAcsd.exe
O23 - Service: AVK Service (AVKService) - Unknown owner - D:\Programme\Virenschutz\AVKService.exe
O23 - Service: G DATA Virenschutz Wächter (AVKWCtl) - Unknown owner - D:\Programme\Virenschutz\AVKWCtl.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - D:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - D:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: AntiVir Update Temp (TmpUpSrv) - Unknown owner - D:\DOKUME~1\ICH2\LOKALE~1\TEMP\_VWUPSRV.EXE (file missing)

--------------------

Verzeichnis von D:\WINDOWS\system32

02.09.2005 13:59 2.206 wpa.dbl
10.08.2005 00:13 831.488 libeay32.dll
10.08.2005 00:13 159.744 ssleay32.dll
10.08.2005 00:12 3.596.288 qt-dx331.dll
10.08.2005 00:12 3.136 dtu_de.qm
13.07.2005 14:08 331.776 RWX20.DLL
13.07.2005 14:08 339.968 RWDX8D20.DLL
13.07.2005 14:08 423.424 RWDX6D20.DLL
11.07.2005 08:43 288.496 FNTCACHE.DAT
13.06.2005 22:16 2.778 qtplugin.log
30.05.2005 21:10 877.303 My Pet Skeleton.scr
14.05.2005 14:04 4.102 lvcoinst.log
19.04.2005 14:55 372.736 TidyAtl.dll
19.04.2005 14:55 66.848 filter.exe
19.04.2005 14:55 279.800 FTPX.dll
19.04.2005 14:55 53.248 SSubTmr6.dll
31.03.2005 18:21 316.594 perfh007.dat
31.03.2005 18:21 311.604 perfh009.dat
31.03.2005 18:21 39.992 perfc009.dat
31.03.2005 18:21 48.156 perfc007.dat
31.03.2005 18:21 723.744 PerfStringBackup.INI
12.03.2005 00:48 108.544 pxcpyi64.exe
12.03.2005 00:48 56.320 pxinsa64.exe
12.03.2005 00:48 109.568 pxinsi64.exe
12.03.2005 00:48 56.832 pxcpya64.exe
12.03.2005 00:48 61.440 pxhpinst.exe
12.03.2005 00:28 151.552 pxwma.dll
12.03.2005 00:28 339.968 pxwave.dll
12.03.2005 00:28 28.672 vxblock.dll
12.03.2005 00:28 405.504 pxdrv.dll
12.03.2005 00:28 172.032 pxmas.dll
12.03.2005 00:28 339.968 px.dll
27.11.2004 19:02 16.832 amcompat.tlb
27.11.2004 19:02 23.392 nscompat.tlb
09.11.2004 21:36 225.280 AOLDial.dll
04.09.2004 22:37 33.505 HDMPATH.INI
04.09.2004 22:36 463 WHDM.INI
03.09.2004 17:00 47.610 interceptor.sys
29.08.2004 19:16 2.272 w95inf16.dll
29.08.2004 19:16 4.608 w95inf32.dll
29.08.2004 13:57 157.696 rmoc3260.dll
29.08.2004 13:57 25.088 prefscpl.cpl
29.08.2004 13:57 6.656 pndx5016.dll
29.08.2004 13:57 5.632 pndx5032.dll
29.08.2004 13:57 278.528 pncrt.dll
11.08.2004 21:45 228.352 wmerror.dll
11.08.2004 21:45 9.216 asferror.dll
11.08.2004 21:45 3.407.872 wmploc.dll
11.08.2004 21:45 86.016 wmpshell.dll
11.08.2004 21:45 311.808 MSWMDM.dll
11.08.2004 21:45 482.816 Audiodev.dll
11.08.2004 02:39 2.362.104 wmvcore.dll
11.08.2004 02:39 773.368 wmsdmod.dll
11.08.2004 02:38 871.160 wmvdmod.dll
11.08.2004 02:38 1.181.944 wmvadvd.dll
11.08.2004 02:38 531.192 wmspdmod.dll
11.08.2004 02:38 380.144 wmadmod.dll
11.08.2004 02:38 360.176 MSSCP.dll
11.08.2004 02:38 253.688 drmclien.dll
11.08.2004 02:37 290.816 WMDRMNet.dll
11.08.2004 02:37 344.064 WMDRMdev.dll
11.08.2004 02:36 527.360 drmv2clt.dll
11.08.2004 02:36 233.472 blackbox.dll
11.08.2004 02:36 141.312 msnetobj.dll
11.08.2004 02:36 95.232 drmstor.dll
11.08.2004 01:45 221.184 qasf.dll
11.08.2004 01:45 1.509.376 WMVADVE.DLL
11.08.2004 01:45 161.792 cewmdm.dll
11.08.2004 01:45 25.088 MsPMSNSv.dll
11.08.2004 01:45 712.704 wmadmoe.dll
11.08.2004 01:45 30.208 WMDMLOG.dll
11.08.2004 01:45 282.624 wmpdxm.dll
11.08.2004 01:45 34.304 WMDMPS.dll
11.08.2004 01:45 169.472 MsPMSP.dll
11.08.2004 01:45 135.168 wmpasf.dll
11.08.2004 01:45 1.589.760 wmpencen.dll
11.08.2004 01:45 999.424 wmvdmoe2.dll
11.08.2004 01:45 1.116.160 wmsdmoe2.dll
11.08.2004 01:45 936.960 wmspdmoe.dll
11.08.2004 01:45 175.104 wmpsrcwp.dll
11.08.2004 01:41 5.550.080 wmp.dll
11.08.2004 01:41 1.027.072 wmnetmgr.dll
11.08.2004 01:41 229.376 wmasf.dll
10.08.2004 23:07 150.016 wmidx.dll
10.08.2004 23:07 6.656 laprxy.dll
10.08.2004 23:05 38.912 wpd_ci.dll
10.08.2004 23:05 327.680 wpdsp.dll
10.08.2004 23:05 331.776 wpdmtpdr.dll
10.08.2004 23:05 114.176 wpdmtp.dll
10.08.2004 23:05 66.560 wpdmtpus.dll
10.08.2004 23:05 61.952 wpdconns.dll
10.08.2004 23:05 10.752 wpdtrace.dll
10.08.2004 23:05 47.104 uwdf.exe
10.08.2004 23:05 38.912 wdfmgr.exe
10.08.2004 23:05 15.872 wdfapi.dll
10.08.2004 22:52 360.448 l3codecp.acm
10.08.2004 22:52 20.480 setb2.tmp
10.08.2004 22:52 20.480 wmp.ocx
10.08.2004 22:52 20.480 wmpcore.dll
10.08.2004 22:52 20.480 wmpcd.dll
10.08.2004 22:52 20.480 wmpui.dll
10.08.2004 22:46 96.768 logagent.exe